Finite Fields, with Applications to Combinatorics 1470469308, 9781470469306

This book uses finite field theory as a hook to introduce the reader to a range of ideas from algebra and number theory.

244 32 8MB

English Pages 185 [187] Year 2022

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Cover
Title page
Copyright
Contents
Preface
Chapter 1. Primes and factorization
1.1. Groups
1.2. Rings
1.3. Integral domains and fields
1.4. Divisibility: primes and irreducibles
1.5. Ideals and Principal Ideal Domains (PIDs)
1.6. Greatest common divisors
1.7. Unique factorization
1.8. Euclidean domains
1.9. Exercises
Chapter 2. Primes in the integers
2.1. The infinitude of primes
2.2. Bertrandโ€™s postulate
2.3. How many primes are there?
2.4. Exercises
Chapter 3. Congruences in rings
3.1. Congruences and quotient rings
3.2. The ring โ„ค/๐•Ÿโ„ค
3.3. Prime ideals and maximal ideals
3.4. Primes in the Gaussian integers
3.5. Exercises
Chapter 4. Primes in polynomial rings: constructing finite fields
4.1. Primes in the polynomial ring over a field
4.2. An analogue of the proof of Bertrandโ€™s postulate
4.3. An analogue of Eulerโ€™s proof
4.4. Mรถbius inversion and a formula for ๐œ‹(๐‘›;๐”ฝ_{๐•ข})
4.5. Exercises
Chapter 5. The additive and multiplicative structures of finite fields
5.1. More about groups: cyclic groups
5.2. More about groups: Lagrangeโ€™s theorem
5.3. The additive structure of finite fields
5.4. The multiplicative structure of finite fields
5.5. Exercises
Chapter 6. Understanding the structure of โ„ค/๐•Ÿโ„ค
6.1. The Chinese Remainder Theorem
6.2. The structure of the multiplicative group (โ„ค/๐•Ÿโ„ค)^{ร—}
6.3. Existence of primitive roots ๐‘š๐‘œ๐‘‘ ๐‘^{๐‘’}: Proof of Theorem 6.10
6.4. Exercises
Chapter 7. Combinatorial applications of finite fields
7.1. Sidon sets and perfect difference sets
7.2. Proof of Theorem 7.3
7.3. The Erdล‘s-Turรกn boundโ€”Proof of Theorem 7.4
7.4. Perfect difference setsโ€”Proof of Theorem 7.8
7.5. A little more on finite fields
7.6. De Bruijn sequences
7.7. A magic trick
7.8. Exercises
Chapter 8. The AKS Primality Test
8.1. What is a rapid algorithm?
8.2. Primality and factoring
8.3. The basic idea behind AKS
8.4. The algorithm
8.5. Running time analysis
8.6. Proof of Lemma 8.8
8.7. Generating new relations from old
8.8. Proof of Theorem 8.9
8.9. Exercises
Chapter 9. Synopsis of finite fields
9.1. Exercises
Bibliography
Index
Back Cover
Recommend Papers

Finite Fields, with Applications to Combinatorics
 1470469308, 9781470469306

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

STUDENT MATHEMATICAL LIBRARY Volume 99

Finite Fields, with Applications to Combinatorics Kannan Soundararajan

Finite Fields, with Applications to Combinatorics

STUDENT MATHEMATICAL LIBRARY Volume 99

Finite Fields, with Applications to Combinatorics Kannan Soundararajan

EDITORIAL COMMITTEE John McCleary Rosa C. Orellana (Chair)

Paul Pollack Kavita Ramanan

2020 Mathematics Subject Classi๏ฌcation. Primary 11-01, 05-01, 12-01, 11A07, 11A51, 05B10, 12E20. For additional information and updates on this book, visit www.ams.org/bookpages/stml-99 Library of Congress Cataloging-in-Publication Data Cataloging-in-Publication Data has been applied for by the AMS. See http://www.loc.gov/publish/cip/. DOI: https://doi.org/10.1090/stml/99 Copying and reprinting. Individual readers of this publication, and nonpro๏ฌt libraries acting for them, are permitted to make fair use of the material, such as to copy select pages for use in teaching or research. Permission is granted to quote brief passages from this publication in reviews, provided the customary acknowledgment of the source is given. Republication, systematic copying, or multiple reproduction of any material in this publication is permitted only under license from the American Mathematical Society. Requests for permission to reuse portions of AMS publication content are handled by the Copyright Clearance Center. For more information, please visit www.ams.org/ publications/pubpermissions. Send requests for translation rights and licensed reprints to reprint-permission@ ams.org.

c 2022 by the author. All rights reserved.  Printed in the United States of America. โˆž The paper used in this book is acid-free and falls within the guidelines 

established to ensure permanence and durability. Visit the AMS home page at https://www.ams.org/ 10 9 8 7 6 5 4 3 2 1

27 26 25 24 23 22

To Waheeda and Kesi

Contents

Preface Chapter 1.

xi Primes and factorization

1

ยง1.1. Groups

1

ยง1.2. Rings

4

ยง1.3. Integral domains and fields

6

ยง1.4. Divisibility: primes and irreducibles

9

ยง1.5. Ideals and Principal Ideal Domains (PIDs)

12

ยง1.6. Greatest common divisors

13

ยง1.7. Unique factorization

15

ยง1.8. Euclidean domains

17

ยง1.9. Exercises

21

Chapter 2.

Primes in the integers

27

ยง2.1. The infinitude of primes

27

ยง2.2. Bertrandโ€™s postulate

32

ยง2.3. How many primes are there?

38

ยง2.4. Exercises

41

Chapter 3.

Congruences in rings

ยง3.1. Congruences and quotient rings

45 45 vii

viii

Contents

ยง3.2. The ring โ„ค/๐‘›โ„ค

49

ยง3.3. Prime ideals and maximal ideals

51

ยง3.4. Primes in the Gaussian integers

55

ยง3.5. Exercises

58

Chapter 4.

Primes in polynomial rings: constructing finite fields

63

ยง4.1. Primes in the polynomial ring over a field

63

ยง4.2. An analogue of the proof of Bertrandโ€™s postulate

68

ยง4.3. An analogue of Eulerโ€™s proof

71

ยง4.4. Mรถbius inversion and a formula for ๐œ‹(๐‘›; ๐”ฝ๐‘ž )

74

ยง4.5. Exercises

79

Chapter 5.

The additive and multiplicative structures of finite fields

83

ยง5.1. More about groups: cyclic groups

83

ยง5.2. More about groups: Lagrangeโ€™s theorem

87

ยง5.3. The additive structure of finite fields

90

ยง5.4. The multiplicative structure of finite fields

95

ยง5.5. Exercises

97

Chapter 6.

Understanding the structure of โ„ค/๐‘›โ„ค

ยง6.1. The Chinese Remainder Theorem ยง6.2. The structure of the multiplicative group (โ„ค/๐‘›โ„ค)ร—

99 99 103

ยง6.3. Existence of primitive roots mod ๐‘๐‘’ : Proof of Theorem 6.10 105 ยง6.4. Exercises Chapter 7.

Combinatorial applications of finite fields

108 111

ยง7.1. Sidon sets and perfect difference sets

111

ยง7.2. Proof of Theorem 7.3

116

ยง7.3. The Erdล‘s-Turรกn boundโ€”Proof of Theorem 7.4

117

ยง7.4. Perfect difference setsโ€”Proof of Theorem 7.8

121

ยง7.5. A little more on finite fields

124

ยง7.6. De Bruijn sequences

126

ยง7.7. A magic trick

129

Contents

ix

ยง7.8. Exercises Chapter 8.

130

The AKS Primality Test

135

ยง8.1. What is a rapid algorithm?

135

ยง8.2. Primality and factoring

137

ยง8.3. The basic idea behind AKS

141

ยง8.4. The algorithm

143

ยง8.5. Running time analysis

144

ยง8.6. Proof of Lemma 8.8

145

ยง8.7. Generating new relations from old

146

ยง8.8. Proof of Theorem 8.9

147

ยง8.9. Exercises

152

Chapter 9.

Synopsis of finite fields

ยง9.1. Exercises

155 161

Bibliography

165

Index

169

Preface

This book arose out of my experiences with teaching Math 62DM at Stanford, a course which I developed in 2016 and have taught over the last several years. The course is aimed primarily at highly motivated firstyear students at Stanford who were potential honors math majors. The traditional first-year honors sequence targeted to these undergraduates was a year-long three quarter sequence covering multivariable calculus and linear algebra, differential forms, and ordinary differential equations. Some years back, together with several colleagues, we felt that an alternative sequence aimed at introducing ideas of modern mathematics with a discrete flavor might also be welcome to incoming students, especially those with an interest in computer science. This alternative sequence focuses on linear algebra (lectures shared with the traditional sequence students) with applications to combinatorics in the first quarter, finite fields and applications (the subject of this book, and the middle quarter of the sequence), and probability and random processes in the third quarter. The prerequisites for reading this book are minimal: familiarity with proof writing, some linear algebra (mainly a little familiarity with vector spaces over a field), and one variable calculus is assumed. The book then develops from scratch the theory of finite fields, constructing all of these, and showing why these are unique (up to isomorphism). The

xi

xii

Preface

topic of finite fields is used to introduce the student to ideas from algebra and number theory. As a payoff, several combinatorial applications of finite fields are given: Sidon sets and perfect difference sets, De Bruijn sequences and a magic trick of Persi Diaconis, and the polynomial time algorithm for primality testing due to Agrawal, Kayal and Saxena. The book forms the basis for a one quarter (ten weeks) intensive course at Stanford, with students meeting five days a week (four lectures plus a discussion session). Students can expect to develop familiarity with ideas in algebra (groups, rings and fields), and elementary number theory, which would help with later classes where these are developed in greater detail. Past students of the course have enjoyed seeing the marquee primality test application tying together the many disparate topics from the course. I am grateful to the many students at Stanford who took this course. This book was shaped by my interactions with them. I am also grateful to the wonderful TAโ€™s who helped with the course, including Jonathan Love, Graham White, Sarah Peluse, Vivian Kuperberg, and Max Xu. I am especially indebted to Vineet Gupta, Emmanuel Kowalski, Vivian Kuperberg, and Jonathan Love who read drafts of the book, and offered detailed and extremely helpful suggestions. Thanks are due to Ina Mette for her patience, and to the STML series editorial board for their valuable feedback on early drafts of this project. While writing this book, I have been supported by grants from the National Science Foundation, and a Simons Investigator award from the Simons Foundation. Finally, I am grateful to the Staats- und Universitรคts Bibliothek (SUB) Gรถttingen for kindly permitting me to use the table from Gaussโ€™s Nachlass that appears on page 39 (call number SUB Gรถttingen, Cod. Ms. Gauss Math. 18, fol. 2r.). Kannan Soundararajan

Chapter 1

Primes and factorization

This chapter gives a brief introduction to some ideas in algebra and number theory. The central objects of study in number theory are the integers โ„ค = {. . . , โˆ’3, โˆ’2, โˆ’1, 0, 1, 2, 3, . . .}, the natural numbers โ„• = {1, 2, 3, . . .}, and the rational numbers โ„š = {๐‘Ž/๐‘ โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค, ๐‘ โ‰  0}. These objects are among the simplest examples of algebraic structures that we shall study throughout the book. The integers are one of the simplest examples of a group (under the operation of addition), and they also form a ring under addition and multiplication. The rationals are one of the simplest examples of a field. We shall begin by defining these notions carefully. Our immediate goal after that will be to discuss prime numbers and factorization. In particular, we shall show that integers admit a unique factorization into prime numbers, but we will develop the notions and proofs so that they generalize to other interesting rings as wellโ€”for example, to the ring of Gaussian integers โ„ค[๐‘–], and to the ring of polynomials over a field (both defined below).

1.1. Groups Definition 1.1. A group is a set ๐บ with a binary operation, denoted โ‹… (or โˆ—, or +, or ร—, or just omitted), satisfying the following properties: โ€ข If ๐‘Ž and ๐‘ are in ๐บ then ๐‘Ž โ‹… ๐‘ is also in ๐บ. โ€ข Associativity: For any ๐‘Ž, ๐‘, ๐‘ in ๐บ we have ๐‘Ž โ‹… (๐‘ โ‹… ๐‘) = (๐‘Ž โ‹… ๐‘) โ‹… ๐‘. 1

2

1. Primes and factorization

โ€ข There is an identity element (denoted ๐‘’) with the property that for any ๐‘Ž โˆˆ ๐บ one has ๐‘Ž โ‹… ๐‘’ = ๐‘’ โ‹… ๐‘Ž = ๐‘Ž. โ€ข For every ๐‘Ž โˆˆ ๐บ there is an inverse element ๐‘Žโˆ’1 such that ๐‘Ž โ‹… ๐‘Žโˆ’1 = ๐‘Žโˆ’1 โ‹… ๐‘Ž = ๐‘’. Note that in our definition we do not insist that ๐‘Ž โ‹… ๐‘ = ๐‘ โ‹… ๐‘Ž for all ๐‘Ž and ๐‘. Groups in which ๐‘Ž โ‹… ๐‘ = ๐‘ โ‹… ๐‘Ž are called commutative (or abelian) groups. In our definition of a group, we only required the existence of an identity element ๐‘’, but in fact one can see that such an identity element must be unique. For, if ๐‘’ 1 and ๐‘’ 2 were two identity elements for a group ๐บ, then we must have ๐‘’ 1 โ‹… ๐‘’ 2 = ๐‘’ 1 (since ๐‘’ 2 is an identity), and also that ๐‘’ 1 โ‹… ๐‘’ 2 = ๐‘’ 2 (since ๐‘’ 1 is an identity), and therefore ๐‘’ 1 = ๐‘’ 2 . Similarly you should check that there is a unique inverse for any element ๐‘Ž โˆˆ ๐บ (see Exercise 1(i) below). Another useful property that follows from the definition is the cancellation law. If ๐‘Ž, ๐‘, ๐‘ are any elements of a group ๐บ with ๐‘Ž๐‘ = ๐‘Ž๐‘, then we can โ€œcancel ๐‘Ž on both sidesโ€ and conclude that ๐‘ = ๐‘. Precisely, multiply both sides of the relation ๐‘Ž๐‘ = ๐‘Ž๐‘ (on the left) with ๐‘Žโˆ’1 , obtaining ๐‘Žโˆ’1 (๐‘Ž๐‘) = ๐‘Žโˆ’1 (๐‘Ž๐‘). Using the associative property we find ๐‘Žโˆ’1 (๐‘Ž๐‘) = (๐‘Žโˆ’1 ๐‘Ž)๐‘ = ๐‘’๐‘ = ๐‘ and similarly ๐‘Žโˆ’1 (๐‘Ž๐‘) = (๐‘Žโˆ’1 ๐‘Ž)๐‘ = ๐‘’๐‘ = ๐‘, and thus the cancellation law is justified. Example 1.2. The set of integers โ„ค with the usual addition operation forms an abelian group. The identity is 0 and the inverse of a number ๐‘› is โˆ’๐‘›. The rational numbers โ„š, the real numbers โ„, and the complex numbers โ„‚ are all examples of abelian groups under the usual addition operation. The non-zero rational numbers (denoted โ„šร— ), non-zero real numbers โ„ร— , and non-zero complex numbers โ„‚ร— are groups under the usual multiplication operation (with the identity being 1 now). Example 1.3. Let ๐บ be a group with the operation denoted by โ‹…. If ๐‘” is an element of ๐บ, then we can โ€œmultiplyโ€ ๐‘” with itself (precisely, we are using the operation โ‹… on ๐‘” repeatedly), arriving at elements ๐‘” โ‹… ๐‘” which we denote naturally by ๐‘”2 , ๐‘” โ‹… ๐‘” โ‹… ๐‘” = ๐‘”3 , and so on. Considering also the inverse of ๐‘”, namely ๐‘”โˆ’1 , we are led to elements ๐‘”โˆ’2 , ๐‘”โˆ’3 , and so on.

1.1. Groups

3

Note that the inverse of ๐‘”๐‘› is simply ๐‘”โˆ’๐‘› , and that the โ€œlaw of exponentsโ€ holds: ๐‘”๐‘– โ‹… ๐‘”๐‘— = ๐‘”๐‘–+๐‘— . Consider the set ๐ป = {๐‘”๐‘› โˆถ ๐‘› โˆˆ โ„ค}, which is a subset of ๐บ, and in fact is also a group in its own right under the same operation โ‹… (check that the properties in the definition hold). The set ๐ป is an example of a subgroup of ๐บ, and is known as the cyclic group generated by the element ๐‘”. For example, if we consider the group โ„ค under addition, then the subgroup generated by 2 consists of all the even numbers {2๐‘› โˆถ ๐‘› โˆˆ โ„ค}. For other examples, consider the group โ„‚โˆ— of non-zero complex numbers under multiplication. The group generated by ๐œ‹ consists of the infinite set {๐œ‹๐‘› โˆถ ๐‘› โˆˆ โ„ค}. We can also obtain finite subgroups: the group generated by 1 is simply {1}, while the group generated by โˆ’1 has two elements {1, โˆ’1}. More generally, for any natural number ๐‘› we can start with the complex number ๐‘’2๐œ‹๐‘–/๐‘› (an ๐‘›-th root of unity), and this generates the ๐‘›element group {๐‘’2๐œ‹๐‘–/๐‘› , ๐‘’4๐œ‹๐‘–/๐‘› , ๐‘’6๐œ‹๐‘–/๐‘› , . . . ๐‘’2๐œ‹๐‘–๐‘›/๐‘› = 1}. This gives one way of thinking about the cyclic group of size ๐‘›.

Example 1.4. While we will only be concerned with the simplest groups (like โ„ค) and most of our discussions will involve abelian groups, we give a few important examples of non-abelian groups. As one example of a group that is not abelian, (and which you might have encountered before in linear algebra) look at 2ร—2 matrices with real entries and determinant not equal to zero. The group operation here is matrix multiplication, and the identity element of the group is the identity matrix. The condition that the determinant is not zero allows one to invert matrices. This group is denoted as ๐บ๐ฟ2 (โ„) (here ๐บ๐ฟ stands for General Linear), and you can similarly think of ๐‘› ร— ๐‘› matrices with real entries and non-zero determinant obtaining the group ๐บ๐ฟ๐‘› (โ„). Another related example is to look at ๐‘› ร— ๐‘› matrices with real entries and determinant equal to 1, and again with matrix multiplication as the group operationโ€”this group is denoted by ๐‘†๐ฟ๐‘› (โ„) (with ๐‘†๐ฟ standing for Special Linear, and โ€œspecialโ€ indicating here the specification that the determinant is 1). A third example is the symmetric group ๐‘†๐‘› of all permutations of an ๐‘›-element set (usually thought of as {1, 2, . . . , ๐‘›}). By a โ€œpermutationโ€ we mean a bijective function on the ๐‘›-element set, and the group operation here is composition of functions. You may have encountered permutations while discussing the determinant in linear algebra.

4

1. Primes and factorization

1.2. Rings Definition 1.5. A ring ๐‘… is a set together with two binary operations, usually denoted by + and ร—, and satisfying the following properties: โ€ข Under the operation +, the set ๐‘… forms an abelian group. The (additive) identity of this group is denoted by 0. โ€ข The operation ร— is associative ๐‘Ž ร— (๐‘ ร— ๐‘) = (๐‘Ž ร— ๐‘) ร— ๐‘. โ€ข Multiplication is distributive over addition: ๐‘Ž ร— (๐‘ + ๐‘) = ๐‘Ž ร— ๐‘ + ๐‘Ž ร— ๐‘,

and

(๐‘Ž + ๐‘) ร— ๐‘ = ๐‘Ž ร— ๐‘ + ๐‘ ร— ๐‘.

Two other desirable properties, which need not be satisfied by general rings, are: โ€ข Commutativity of multiplication: ๐‘Ž ร— ๐‘ = ๐‘ ร— ๐‘Ž. โ€ข Existence of a multiplicative identity: There exists an element 1 with ๐‘Ž ร— 1 = 1 ร— ๐‘Ž = ๐‘Ž for all ๐‘Ž โˆˆ ๐‘…. A ring which satisfies the last two properties above is called a commutative ring with identity. We will only be interested in such commutative rings with identity, but it may be useful to have one example of a non-commutative ring. A natural example, related to Example 1.4 for groups, is the ring ๐‘€๐‘› (โ„) of ๐‘› ร— ๐‘› matrices with real entries with the usual operations of matrix addition and multiplication. From now on, ring will always mean, for us, a commutative ring with identity. We will remind you of this assumption from time to time, but it is assumed throughout the text. In any ring ๐‘…, 0 ร— ๐‘Ž = 0 for all ๐‘Ž โˆˆ ๐‘…. To see this, note that 0 ร— ๐‘Ž = (0 + 0) ร— ๐‘Ž = 0 ร— ๐‘Ž + 0 ร— ๐‘Ž by the distributive law. Canceling one 0 ร— ๐‘Ž from both sides of the relation 0 ร— ๐‘Ž = 0 ร— ๐‘Ž + 0 ร— ๐‘Ž (recall that we are allowed to cancel in a group), we obtain 0 ร— ๐‘Ž = 0. Example 1.6. If the multiplicative identity 1 is the same as the additive identity 0, then the ring can have only one element 0: indeed, we must have 1 ร— ๐‘Ž = ๐‘Ž = 0 ร— ๐‘Ž = 0. This is a trivial example of a ring, called the zero ring; it consists of one element 0, and is described by the boring properties 0 + 0 = 0 ร— 0 = 0. We shall henceforth assume that 0 โ‰  1, to avoid this example.

1.2. Rings

5

Example 1.7. Note that โ„ค is a commutative ring with identity for the usual addition and multiplication operations. The additive identity is 0 and the multiplicative identity is 1. Example 1.8. The Gaussian integers are defined by โ„ค[๐‘–] = {๐‘Ž + ๐‘๐‘– โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค}, and this forms a commutative ring with identity under the usual operations of addition and multiplication. Precisely, here ๐‘– is a symbol denoting โˆšโˆ’1, so that any occurrence of ๐‘– ร— ๐‘– may be replaced with โˆ’1. Adding ๐‘Ž+๐‘๐‘– to ๐‘+๐‘‘๐‘– results in (๐‘Ž+๐‘)+(๐‘+๐‘‘)๐‘–, and multiplying (๐‘Ž + ๐‘๐‘–) and (๐‘ + ๐‘‘๐‘–) results in ๐‘Ž๐‘ + ๐‘Ž๐‘‘๐‘– + ๐‘๐‘๐‘– + ๐‘๐‘‘๐‘– ร— ๐‘– (as demanded by the distributive law), which simplifies to (๐‘Ž๐‘ โˆ’ ๐‘๐‘‘) + (๐‘Ž๐‘‘ + ๐‘๐‘)๐‘–. Similarly you may check that โ„ค[โˆšโˆ’5] = {๐‘Ž + ๐‘โˆšโˆ’5 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค} (for example) is also a ring, under usual addition and multiplication. Again, think of โˆšโˆ’5 as standing for some symbol which when multiplied with itself yields โˆ’5. Later on, while discussing quotient rings, we shall give a more precise description of what exactly we are doing in these two examples. Example 1.9. You may have seen something about congruences in the integers, which we will discuss in more detail and generality later. Let ๐‘› โ‰ฅ 2 be a natural number. We say that two integers ๐‘Ž and ๐‘ are congruent mod ๐‘› if ๐‘› divides their difference ๐‘Ž โˆ’ ๐‘. By a congruence class ๐‘Ž mod ๐‘› we mean the set of all integers that are congruent to ๐‘Ž mod ๐‘›. Any integer lies in precisely one of the congruence classes 0 mod ๐‘›, 1 mod ๐‘›, . . ., ๐‘› โˆ’ 1 mod ๐‘› (the remainder obtained upon dividing by ๐‘›). These ๐‘› congruence classes inherit operations + and ร— from addition and subtraction in the integers. By this we mean that if we add any two integers in the congruence classes ๐‘Ž mod ๐‘› and ๐‘ mod ๐‘›, then we will obtain an integer in the congruence class (๐‘Ž + ๐‘) mod ๐‘›; and similarly if we multiply two such integers, we would obtain an integer in the congruence class ๐‘Ž๐‘ mod ๐‘›. The ring obtained in this way is denoted by โ„ค/๐‘›โ„ค and is a finite ring of size ๐‘›. As mentioned already, we will discuss this notion more precisely later (see Section 3.2), and work towards understanding the structure of this ring. For the present, you may wish to consider special cases such as ๐‘› = 2, 3, or 6 and check how the ring operations work in these cases. Example 1.10. Given a ring ๐‘…, we can form an important example of a ring by considering polynomials in a variable ๐‘ฅ with coefficients in the ring ๐‘…. This is known as the polynomial ring over ๐‘… and is denoted by

6

1. Primes and factorization

๐‘…[๐‘ฅ]. The elements of ๐‘…[๐‘ฅ] are polynomials of the form ๐‘“(๐‘ฅ) = ๐‘Ž0 + ๐‘Ž1 ๐‘ฅ + . . . + ๐‘Ž๐‘› ๐‘ฅ๐‘› , where ๐‘› is a non-negative integer, and ๐‘Ž0 , . . ., ๐‘Ž๐‘› are elements of the ring ๐‘…. Usually one has in mind that ๐‘Ž๐‘› โ‰  0, so that ๐‘ฅ๐‘› is the leading power of ๐‘ฅ in the polynomial ๐‘“(๐‘ฅ), but be careful to allow for the zero polynomial ๐‘“(๐‘ฅ) = 0 where all the coefficients are 0. If ๐‘”(๐‘ฅ) = ๐‘0 +๐‘1 ๐‘ฅ+. . .+๐‘๐‘š ๐‘ฅ๐‘š is another polynomial with coefficients in ๐‘…, then their sum (๐‘“ + ๐‘”) is defined as the polynomial (๐‘“ + ๐‘”)(๐‘ฅ) = โˆ‘๐‘— ๐‘๐‘— ๐‘ฅ๐‘— with ๐‘๐‘— = ๐‘Ž๐‘— + ๐‘๐‘— (with the understanding that ๐‘Ž๐‘— = 0 for ๐‘— > ๐‘›, and ๐‘๐‘— = 0 for ๐‘— > ๐‘š); although we havenโ€™t specified the range of values for ๐‘—, clearly ๐‘๐‘— = 0 if ๐‘— > max(๐‘š, ๐‘›). Similarly the product of the two polynomials ๐‘“ and ๐‘” is given by (๐‘“๐‘”)(๐‘ฅ) = ๐‘Ž0 ๐‘0 + (๐‘Ž1 ๐‘0 + ๐‘Ž0 ๐‘1 )๐‘ฅ + . . . + ๐‘Ž๐‘› ๐‘๐‘š ๐‘ฅ๐‘š+๐‘› . You would already be familiar with polynomials whose coefficients are real numbers (the polynomial ring โ„[๐‘ฅ]) or complex numbers (the ring โ„‚[๐‘ฅ]), and we can now consider further examples such as โ„ค[๐‘ฅ], or the more exotic (โ„ค/6โ„ค)[๐‘ฅ].

1.3. Integral domains and fields Let ๐‘… be a ring (as always, commutative with identity and with 0 โ‰  1). Since ๐‘… forms a group under addition, we have the cancellation law ๐‘Ž + ๐‘ = ๐‘Ž + ๐‘ implies ๐‘ = ๐‘. Is there a cancellation law for multiplication? Since 0 ร— ๐‘Ž = 0 for all elements ๐‘Ž โˆˆ ๐‘…, we may have 0 ร— ๐‘ = 0 ร— ๐‘ without necessarily having ๐‘ = ๐‘. Less trivially, even if ๐‘Ž โ‰  0 it may happen that ๐‘Ž๐‘ = ๐‘Ž๐‘ without ๐‘ being equal to ๐‘. For example, in the ring โ„ค/6โ„ค we have 2 mod 6 ร— 3 mod 6 = 4 mod 6 ร— 3 mod 6 (both are 0 mod 6) but 2 mod 6 โ‰  4 mod 6. The problem is that it is possible for rings ๐‘… to have non-zero elements ๐‘Ž and ๐‘ such that the product ๐‘Ž๐‘ equals 0. Indeed in โ„ค/6โ„ค we have 2 mod 6 ร— 3 mod 6 = 0 mod 6. We isolate this undesired behavior, and define a class of rings that are better behaved and permit cancellation with respect to multiplication. Definition 1.11. Let ๐‘… be a commutative ring with identity, and with 0 โ‰  1. A non-zero element ๐‘Ž of ๐‘… is called a zero divisor if there is a nonzero element ๐‘ with ๐‘Ž๐‘ = 0. A ring ๐‘… that has no zero divisors is called an integral domain. Example 1.12. The ring โ„ค, and the ring of Gaussian integers โ„ค[๐‘–] are both integral domains. To see why โ„ค[๐‘–] is an integral domain, note that

1.3. Integral domains and fields

7

(๐‘Ž + ๐‘๐‘–) ร— (๐‘ + ๐‘‘๐‘–) = 0 implies that (๐‘Ž โˆ’ ๐‘๐‘–)(๐‘Ž + ๐‘๐‘–)(๐‘ + ๐‘‘๐‘–)(๐‘ โˆ’ ๐‘‘๐‘–) = (๐‘Ž2 + ๐‘2 )(๐‘2 + ๐‘‘ 2 ) = 0. The last relation gives that a product of nonnegative integers is 0, so that either ๐‘Ž2 + ๐‘2 = 0 (so that ๐‘Ž = ๐‘ = 0) or ๐‘2 + ๐‘‘ 2 = 0 (so that ๐‘ = ๐‘‘ = 0). Lemma 1.13. Let ๐‘… be an integral domain, and let ๐‘Ž be a non-zero element of ๐‘…. If ๐‘Ž๐‘ = ๐‘Ž๐‘ then ๐‘ = ๐‘. Proof. Rewrite the relation ๐‘Ž๐‘ = ๐‘Ž๐‘ as ๐‘Ž๐‘ โˆ’ ๐‘Ž๐‘ = 0, or ๐‘Ž(๐‘ โˆ’ ๐‘) = 0 (here by ๐‘ โˆ’ ๐‘ we naturally mean ๐‘ + (โˆ’๐‘)). Since ๐‘… is an integral domain, the relation ๐‘Ž(๐‘โˆ’๐‘) = 0 implies that either ๐‘Ž = 0 or ๐‘โˆ’๐‘ = 0. By assumption ๐‘Ž โ‰  0, and so we must have ๐‘ โˆ’ ๐‘ = 0, or ๐‘ = ๐‘. โ–ก Note that this proof is different from that of the cancellation law in a group, because the element ๐‘Ž โˆˆ ๐‘… may not have a multiplicative inverse; nevertheless, ruling out zero divisors is sufficient to make the cancellation law work. Definition 1.14. Let ๐‘… be a ring, and ๐‘“ be a non-zero polynomial in ๐‘…[๐‘ฅ]. Write ๐‘“ = ๐‘Ž0 + ๐‘Ž1 ๐‘ฅ + . . . + ๐‘Ž๐‘› ๐‘ฅ๐‘› , with ๐‘Ž๐‘› โ‰  0. Then we call ๐‘› the degree of the polynomial ๐‘“, and denote it by deg(๐‘“). Note that the degree of the zero polynomial is left undefined; one convention is to define it to be โˆ’โˆž. We may expect that if two non-zero polynomials ๐‘“ and ๐‘” are multiplied, then the degree of ๐‘“๐‘” should be the sum of the degree of ๐‘“ and the degree of ๐‘”. But this may fail owing to zero divisors in ๐‘…: for example the polynomials 2๐‘ฅ and 3๐‘ฅ in (โ„ค/6โ„ค)[๐‘ฅ] both have degree 1, but their product is the zero polynomial of undefined degree. For integral domains, our expectation about degrees is true. Proposition 1.15. Let ๐‘… be an integral domain. Then the polynomial ring ๐‘…[๐‘ฅ] is also an integral domain. Moreover, if ๐‘“ and ๐‘” are non-zero polynomials in ๐‘…[๐‘ฅ] then the degree of ๐‘“๐‘” equals the sum of the degrees of ๐‘“ and ๐‘”. Proof. Let ๐‘“ be a non-zero polynomial. Then we may write ๐‘“(๐‘ฅ) = ๐‘Ž๐‘› ๐‘ฅ๐‘› + ๐‘Ž๐‘›โˆ’1 ๐‘ฅ๐‘›โˆ’1 + . . . + ๐‘Ž0 , where ๐‘Ž๐‘— โˆˆ ๐‘…, and ๐‘Ž๐‘› โ‰  0. The degree of ๐‘“ is then ๐‘›, which is a non-negative integer. Let ๐‘” be another non-zero polynomial ๐‘„(๐‘ฅ) = ๐‘๐‘š ๐‘ฅ๐‘š + . . . + ๐‘0 with ๐‘๐‘š โ‰  0, so that ๐‘” has degree ๐‘š. Then ๐‘“(๐‘ฅ)๐‘”(๐‘ฅ) = ๐‘Ž๐‘› ๐‘๐‘š ๐‘ฅ๐‘š+๐‘› + lower powers of ๐‘ฅ, and since ๐‘… is an

8

1. Primes and factorization

integral domain ๐‘Ž๐‘› ๐‘๐‘š โ‰  0. Thus ๐‘“(๐‘ฅ)๐‘”(๐‘ฅ) is a non-zero polynomial of degree ๐‘š + ๐‘›, proving our proposition. โ–ก Example 1.16. Thus โ„ค[๐‘ฅ], โ„š[๐‘ฅ], โ„‚[๐‘ฅ], โ„ค[๐‘ฅ, ๐‘ฆ] = (โ„ค[๐‘ฅ])[๐‘ฆ] are all integral domains. Definition 1.17. In a ring ๐‘…, elements that have multiplicative inverses are called units. Thus, ๐‘ข โˆˆ ๐‘… is a unit if there exists ๐‘ฃ โˆˆ ๐‘… with ๐‘ข๐‘ฃ = 1. Since 0 ร— ๐‘Ž = 0 for all ๐‘Ž โˆˆ ๐‘…, we cannot expect 0 to be a unit (recall that we are ignoring the zero ring where 0 = 1). Further, if ๐‘Ž is a zero divisor, then ๐‘Ž cannot be a unit. To see this, suppose there is a multiplicative inverse ๐‘Žโˆ’1 of ๐‘Ž (thus ๐‘Ž๐‘Žโˆ’1 = 1), and also a non-zero element ๐‘ โˆˆ ๐‘… with ๐‘Ž๐‘ = 0. Then we must have 0 = ๐‘Žโˆ’1 ร— 0 = ๐‘Žโˆ’1 ร— ๐‘Ž๐‘ = ๐‘, which contradicts ๐‘ being non-zero. Check that the units of a ring ๐‘… (always commutative with identity) form a group under multiplication: this group is denoted by ๐‘…ร— . Example 1.18. The units of โ„ค are just ยฑ1. For instance, we may see this by considering the size, or absolute value, of integers. If ๐‘Ž is a non-zero integer, with an inverse ๐‘Žโˆ’1 , then 1 = ๐‘Ž๐‘Žโˆ’1 and so 1 = |๐‘Ž| ร— |๐‘Žโˆ’1 |. Thus either ๐‘Ž or ๐‘Žโˆ’1 must have absolute value at most 1, but the only non-zero integers with absolute value at most 1 are ยฑ1. The units in the Gaussian integers โ„ค[๐‘–] are ยฑ1, and ยฑ๐‘–. Again we may see this by using a notion of size, or absolute value; this time using the absolute value of complex numbers, or more precisely the square of the absolute value in the complex numbers. Consider ๐‘ โˆถ โ„ค[๐‘–] โ†’ โ„คโ‰ฅ0 defined by ๐‘(๐‘Ž + ๐‘๐‘–) = ๐‘Ž2 + ๐‘2 , and ๐‘ is often called a norm function. You should check that the norm is multiplicative, by which we mean that ๐‘(๐›ผ๐›ฝ) = ๐‘(๐›ผ)๐‘(๐›ฝ). Therefore if ๐‘ข is a unit then ๐‘(๐‘ข) = 1 (for ๐‘ข๐‘ฃ = 1 and so ๐‘(๐‘ข)๐‘(๐‘ฃ) = 1, and both ๐‘(๐‘ข) and ๐‘(๐‘ฃ) are non-negative integers). Since ๐‘Ž2 + ๐‘2 = 1 only if ๐‘Ž = ยฑ1 and ๐‘ = 0, or ๐‘Ž = 0 and ๐‘ = ยฑ1, it follows that the units in โ„ค[๐‘–] are ยฑ1 and ยฑ๐‘–. Definition 1.19. A field is an integral domain ๐‘… where all non-zero elements are units. Example 1.20. You would already be familiar with the field of rational numbers โ„š, real numbers โ„, and complex numbers โ„‚.

1.4. Divisibility: primes and irreducibles

9

Example 1.21. A less familiar example may be โ„š(๐‘–) = {๐‘Ž + ๐‘๐‘– โˆถ ๐‘Ž, ๐‘ โˆˆ โ„š}. You should check that this is a field (see Exercise 7 below), and note that this field bears the same relation to the ring of Gaussian integers โ„ค[๐‘–] that the field of rational numbers โ„š bears to the ring โ„ค. Recall โ„š is obtained from โ„ค by considering fractions ๐‘Ž/๐‘ (with ๐‘Ž, ๐‘ โˆˆ โ„ค, and ๐‘ โ‰  0) with the understanding that two fractions ๐‘Ž1 /๐‘1 and ๐‘Ž2 /๐‘2 are equal if ๐‘Ž1 ๐‘2 = ๐‘Ž2 ๐‘1 . Similarly โ„š(๐‘–) may be obtained from โ„ค[๐‘–] by considering fractions (๐‘Ž + ๐‘๐‘–)/(๐‘ + ๐‘‘๐‘–), with ๐‘ + ๐‘‘๐‘– โ‰  0. More generally, starting with an integral domain ๐‘… we may construct a field of fractions by considering expressions ๐‘Ž/๐‘ with ๐‘Ž, ๐‘ โˆˆ ๐‘… and ๐‘ โ‰  0, with the understanding that ๐‘Ž1 /๐‘1 and ๐‘Ž2 /๐‘2 are the same if ๐‘Ž1 ๐‘2 = ๐‘Ž2 ๐‘1 (as in the familiar example โ„š). One adds and multiplies such fractions in the usual way ๐‘Ž1 /๐‘1 + ๐‘Ž2 /๐‘2 = (๐‘Ž1 ๐‘2 + ๐‘Ž2 ๐‘1 )/(๐‘1 ๐‘2 ), and ๐‘Ž1 /๐‘1 ร— ๐‘Ž2 /๐‘2 = (๐‘Ž1 ๐‘Ž2 )/(๐‘1 ๐‘2 ). You may be familiar with another example of this construction: Starting with the polynomial ring โ„[๐‘ฅ], which is an integral domain, we obtain the field of rational functions โ„(๐‘ฅ) which consists of expressions ๐‘“(๐‘ฅ)/๐‘”(๐‘ฅ) where ๐‘“, ๐‘” are elements of โ„[๐‘ฅ] with ๐‘” โ‰  0. Example 1.22. Check that โ„ค/2โ„ค and โ„ค/3โ„ค are fields, but โ„ค/6โ„ค is not a field (indeed, it is not an integral domain). These give our first examples of finite fields, and one of our goals in this book is to determine and describe all such finite fields. Example 1.23. If ๐”ฝ is a field, then the units of the polynomial ring ๐”ฝ[๐‘ฅ] are the non-zero constants in ๐”ฝ.

1.4. Divisibility: primes and irreducibles With these preliminaries in place, we turn to the main goal of this chapter, which is to develop ideas of divisibility and factorization in rings, generalizing the familiar notion of prime numbers in the integers and the factorization of integers into prime numbers. Let us begin with the definition (and notation) for divisibility. Definition 1.24. Let ๐‘… be a ring, and let ๐‘Ž and ๐‘ be elements of ๐‘…. We say that ๐‘Ž divides ๐‘, and write ๐‘Ž|๐‘, if there is an element ๐‘ โˆˆ ๐‘… such that ๐‘ = ๐‘Ž๐‘.

10

1. Primes and factorization

Example 1.25. Since all our rings have a multiplicative identity 1, note that ๐‘Ž|๐‘Ž for any ๐‘Ž โˆˆ ๐‘…. If ๐‘Ž|๐‘ and ๐‘|๐‘ then check that ๐‘Ž|๐‘. Further note that ๐‘Ž|0 for any ๐‘Ž โˆˆ ๐‘…. Example 1.26. If ๐‘Ž in ๐‘… is a unit, then ๐‘Ž|๐‘ for any ๐‘ โˆˆ ๐‘… (since we can write ๐‘ = ๐‘Ž(๐‘Žโˆ’1 ๐‘)). This remark implies that the notion of divisibility is not interesting in a field. Indeed, in a field every non-zero element is a unit, and therefore all non-zero elements divide all elements of a field. Example 1.27. A natural question that arises from our definition is whether ๐‘ is unique when we write ๐‘ = ๐‘Ž๐‘. Note that if ๐‘Ž = 0, then ๐‘ must also be 0, but ๐‘ may be an arbitrary element of the ring. Let us avoid this pathological case, and ask what happens when ๐‘Ž โ‰  0. Consider the ring ๐‘… = โ„ค/15โ„ค, and take ๐‘Ž = 3 mod 15 and ๐‘ = 0 mod 15. Note that ๐‘Ž|๐‘ here, but we may write ๐‘ = ๐‘Ž๐‘ with ๐‘ = 0, 5, or 10 mod 15. Another weird feature of this ring is that 3 mod 15 divides 6 mod 15, but also 6 mod 15 divides 3 mod 15 = 3 ร— 6 mod 15. This allows us to factor 3 mod 15 indefinitely: 3 mod 15 = 3 ร— 6 mod 15 = 3 ร— 6 ร— 6 mod 15, and so on. The weirdness in this example arises from zero divisors, and to avoid such pitfalls, we shall develop ideas of divisibility and factorizations in the context of integral domains. If ๐‘… is an integral domain, and ๐‘Ž|๐‘ with ๐‘Ž โ‰  0, then there is a unique way to write ๐‘ = ๐‘Ž๐‘. Indeed, if ๐‘ = ๐‘Ž๐‘ 1 = ๐‘Ž๐‘ 2 , then we may use Lemma 1.13 to cancel ๐‘Ž and conclude that ๐‘ 1 = ๐‘ 2 . Lemma 1.28. Let ๐‘… be an integral domain. If ๐‘Ž and ๐‘ are non-zero elements of ๐‘… and ๐‘Ž|๐‘ and ๐‘|๐‘Ž then ๐‘Ž = ๐‘๐‘ข for a unit ๐‘ข. Proof. Since ๐‘Ž|๐‘ we may write ๐‘ = ๐‘Ž๐‘. Since ๐‘|๐‘Ž we may write ๐‘Ž = ๐‘๐‘‘. Therefore ๐‘Ž = ๐‘๐‘‘ = ๐‘Ž๐‘๐‘‘. Since ๐‘… is an integral domain, and ๐‘Ž โ‰  0 we may use Lemma 1.13 to cancel ๐‘Ž from both sides of the relation ๐‘Ž = ๐‘Ž๐‘๐‘‘. Thus we obtain 1 = ๐‘๐‘‘, so that ๐‘ and ๐‘‘ are units. This proves the lemma. โ–ก If ๐‘Ž and ๐‘ are elements of a ring ๐‘… with ๐‘Ž = ๐‘๐‘ข for a unit ๐‘ข, then ๐‘Ž and ๐‘ are called associates. Our observations so far suggest that to develop ideas of factorization and irreducibility in rings, we should focus on integral domains: the theory for fields is uninteresting, while the presence of zero divisors leads to pathologies as in Example 1.27. In the next few sections we will develop

1.4. Divisibility: primes and irreducibles

11

a satisfactory theory of factorization into primes or irreducibles, which will cover important examples such as the integers โ„ค, the Gaussian integers โ„ค[๐‘–], and the polynomial ring ๐”ฝ[๐‘ฅ] over any field ๐”ฝ. We begin by defining the notions of prime and irreducible, which will turn out to be the same in some important examples (such as the integers), but which in general are different notions. Definition 1.29. Let ๐‘… be an integral domain. An element ๐‘Ž, not zero and not a unit, is called irreducible if ๐‘Ž = ๐‘๐‘ implies that either ๐‘ or ๐‘ is a unit. An element ๐‘Ž (not zero or a unit) is called reducible if it is not irreducible. In other words, an irreducible element cannot be factored as a product of two elements in ๐‘…, except in trivial ways writing it as a unit times an associate. In the integers, this definition of an irreducible gives numbers ๐‘› that are only divisible by ยฑ1 and ยฑ๐‘›. Definition 1.30. Let ๐‘… be an integral domain. An element ๐‘, not zero and not a unit, is called prime if ๐‘|๐‘Ž๐‘ implies ๐‘|๐‘Ž or ๐‘|๐‘. Lemma 1.31. In any integral domain, all primes are irreducibles. Proof. Suppose ๐‘ is prime, and write ๐‘ = ๐‘Ž๐‘. We will show that ๐‘Ž or ๐‘ must necessarily be a unit, so that ๐‘ would be irreducible. Since ๐‘ is prime and ๐‘|๐‘Ž๐‘, either ๐‘|๐‘Ž or ๐‘|๐‘. Say ๐‘|๐‘Ž, so that ๐‘Ž = ๐‘๐‘. Then ๐‘ = ๐‘Ž๐‘ = ๐‘๐‘๐‘, and cancelling ๐‘ from both sides of ๐‘ = ๐‘๐‘๐‘ we obtain ๐‘๐‘ = 1. Therefore ๐‘ is a unit, completing our proof. โ–ก Example 1.32. The converse to Lemma 1.31 is not true in general, and there are integral domains in which not all irreducibles are primes. For instance, in the integral domain โ„ค[โˆšโˆ’5] one can show that 2, 3, (1 + โˆšโˆ’5) and (1โˆ’โˆšโˆ’5) are all irreducible (see Exercise 11 below). However, 2 divides (1+ โˆšโˆ’5)ร—(1โˆ’ โˆšโˆ’5) = 6 but 2 does not divide either (1+ โˆšโˆ’5) or (1 โˆ’ โˆšโˆ’5). In other words, in โ„ค[โˆšโˆ’5] the element 2 is irreducible but not prime. In the next section we shall describe a particularly nice class of integral domains in which the notions of primes and irreducibles match. The point of the two definitions (as we shall soon see) is that it is often easy to prove the existence of a factorization of elements into irreducibles, and it is often easy to prove that a factorization into primes is unique. So it would indeed be nice if the two notions were the same!

12

1. Primes and factorization

1.5. Ideals and Principal Ideal Domains (PIDs) We begin with the definition of an ideal which will be a key concept in our later discussions. Definition 1.33. Let ๐‘… be a ring (as always commutative with identity). A non-empty subset ๐ผ of ๐‘… is called an ideal if (i) ๐‘Ž + ๐‘ belongs to ๐ผ for all ๐‘Ž and ๐‘ in ๐ผ, and (ii) ๐‘Ž๐‘Ÿ belongs to ๐ผ for all ๐‘Ž โˆˆ ๐ผ and all ๐‘Ÿ โˆˆ ๐‘…. Example 1.34. Since ideals are non-empty, every ideal contains some element ๐‘Ž, and therefore contains 0 ร— ๐‘Ž = 0. Thus every ideal contains 0, and the set {0} itself forms an ideal, called the zero ideal. Further, the whole ring ๐‘… is also an ideal. If an ideal ๐ผ contains a unit ๐‘ข, then it must contain ๐‘ข๐‘ขโˆ’1 = 1, and hence must contain all elements in ๐‘… (upon using property (ii)). Thus if ๐‘… is a field, then there are only two ideals in ๐‘…, namely {0} and ๐‘…. Example 1.35. If ๐‘Ž is any element in ๐‘…, then the set of multiples of ๐‘Ž, namely {๐‘Ž๐‘Ÿ โˆถ ๐‘Ÿ โˆˆ ๐‘…}, forms an ideal. We denote this ideal by (๐‘Ž), and call this the ideal generated by ๐‘Ž. More generally, if ๐‘Ž1 , . . ., ๐‘Ž๐‘› are elements of ๐‘…, then the ideal generated by them is (๐‘Ž1 , . . . , ๐‘Ž๐‘› ) = {๐‘Ž1 ๐‘Ÿ1 + ๐‘Ž2 ๐‘Ÿ2 + . . . + ๐‘Ž๐‘› ๐‘Ÿ๐‘› โˆถ ๐‘Ÿ1 , . . . , ๐‘Ÿ๐‘› โˆˆ ๐‘…}. You should check that this is indeed an ideal. Definition 1.36. In any ring ๐‘… an ideal (๐‘Ž) generated by one element is called a principal ideal. An integral domain where every ideal is principal is called a Principal Ideal Domain (abbreviated PID). Example 1.37. The integers form a basic example of a PID. To see this, suppose ๐ผ is an ideal in โ„ค. If ๐ผ = {0} then it is clearly principal. Suppose then that ๐ผ contains non-zero elements, and let ๐‘› be the smallest positive integer in ๐ผ. We claim that ๐ผ = (๐‘›) is the set of multiples of ๐‘›. If this is not true then there must be some integer ๐‘š โˆˆ ๐ผ which is not a multiple of ๐‘›. Divide ๐‘š by ๐‘› to extract a quotient and remainder: thus ๐‘š = ๐‘›๐‘ž + ๐‘Ÿ with 1 โ‰ค ๐‘Ÿ < ๐‘›. Since ๐‘š and ๐‘›๐‘ž are in the ideal ๐ผ, it follows that ๐‘Ÿ must also be in ๐ผ. But this contradicts the assumption that ๐‘› was the smallest positive integer in ๐ผ. In Section 1.8 we shall generalize this idea and give further examples of PIDs.

1.6. Greatest common divisors

13

Example 1.38. The polynomial ring over the integers โ„ค[๐‘ฅ] gives an example of a familiar integral domain that is not a PID. Consider the ideal ๐ผ generated by 2 and ๐‘ฅ. Thus ๐ผ consists of all polynomials of the form 2๐‘“ + ๐‘ฅ๐‘” with ๐‘“ and ๐‘” โˆˆ โ„ค[๐‘ฅ]. Or, in other words, the elements of ๐ผ are all polynomials ๐‘Ž0 + ๐‘Ž1 ๐‘ฅ + . . . + ๐‘Ž๐‘› ๐‘ฅ๐‘› with ๐‘Ž๐‘– โˆˆ โ„ค and satisfying the extra condition that the constant coefficient ๐‘Ž0 is even. Suppose ๐ผ is principal, and generated by โ„Ž โˆˆ โ„ค[๐‘ฅ]. Since 2 โˆˆ ๐ผ, we must have โ„Ž|2, forcing โ„Ž to be ยฑ1, or ยฑ2. But โ„Ž = ยฑ1 is not possible since ๐ผ is not all of โ„ค[๐‘ฅ] (for instance 1 โˆ‰ ๐ผ), and โ„Ž = ยฑ2 is not possible since 2 + ๐‘ฅ โˆˆ ๐ผ.

1.6. Greatest common divisors Definition 1.39. Let ๐‘Ž and ๐‘ be two elements in an integral domain ๐‘…, with at least one of ๐‘Ž or ๐‘ being non-zero. An element ๐‘‘ โˆˆ ๐‘… that divides both ๐‘Ž and ๐‘ is called a common divisor of ๐‘Ž and ๐‘. A common divisor ๐‘” of ๐‘Ž and ๐‘ is called a greatest common divisor if every common divisor of ๐‘Ž and ๐‘ also divides ๐‘”. Note, we have not said anything about the existence or uniqueness of the greatest common divisor. Indeed in Exercise 11 below, you will find an example of an integral domain where there are are elements that do not have a greatest common divisor. Further, if a greatest common divisor ๐‘” exists, then you should check that ๐‘”๐‘ข is also a greatest common divisor for any unit ๐‘ข. But apart from this, the greatest common divisor (if it exists) is uniqueโ€”for if ๐‘”1 and ๐‘”2 are two greatest common divisors then ๐‘”1 |๐‘”2 (since ๐‘”1 is a common divisor and ๐‘”2 is a greatest common divisor) and similarly ๐‘”2 |๐‘”1 , and now use Lemma 1.28 to conclude that ๐‘”1 and ๐‘”2 are associates. We may sometimes refer to โ€œthe greatest common divisorโ€ (when a greatest common divisor exists), but this refers to an arbitrary choice among the associates. We now show that in a PID, the greatest common divisor of two elements can always be found, and moreover it is a linear combination of the two elements. Proposition 1.40. If ๐‘… is a PID then there exists a greatest common divisor ๐‘” for any two elements ๐‘Ž and ๐‘ (not both zero). Further we may write ๐‘” = ๐‘Ž๐‘ฅ + ๐‘๐‘ฆ for some elements ๐‘ฅ, ๐‘ฆ in ๐‘….

14

1. Primes and factorization

Proof. Given ๐‘Ž and ๐‘ consider the ideal ๐ผ = (๐‘Ž, ๐‘) generated by ๐‘Ž and ๐‘. That is, ๐ผ = {๐‘Ž๐‘ฅ + ๐‘๐‘ฆ โˆถ ๐‘ฅ, ๐‘ฆ โˆˆ ๐‘…}. Since ๐‘… is a PID, the ideal ๐ผ must be principal. Say ๐ผ = (๐‘‘). We claim that ๐‘‘ is a gcd of ๐‘Ž and ๐‘ (and all other gcdโ€™s are associates of ๐‘‘). Note that ๐ผ consists of the multiples of ๐‘‘, and since ๐ผ contains ๐‘Ž and ๐‘, it follows that ๐‘Ž and ๐‘ are both multiples of ๐‘‘. Thus ๐‘‘ is a common divisor of ๐‘Ž and ๐‘. If ๐‘“ is a common divisor of ๐‘Ž and ๐‘, then ๐‘“ divides all elements of the form ๐‘Ž๐‘ฅ + ๐‘๐‘ฆ; that is, ๐‘“ divides all elements of ๐ผ. Therefore ๐‘“ must divide ๐‘‘. This proves that ๐‘‘ is a gcd, and the proposition follows. โ–ก Example 1.41. In the integral domain โ„ค[๐‘ฅ] the only common divisors of 2 and ๐‘ฅ are the units ยฑ1. Therefore their gcd may be taken as 1. However note that 1 cannot be written as a linear combination 2๐‘“ + ๐‘ฅ๐‘” with ๐‘“, ๐‘” โˆˆ โ„ค[๐‘ฅ]. This is in keeping with what we already saw in Example 1.38: โ„ค[๐‘ฅ] is not a PID. Recall that in Lemma 1.31 we established that in any integral domain all primes are irreducible. We now establish a partial converse, showing that in a PID all irreducibles are prime. Proposition 1.42. Let ๐‘… be a principal ideal domain. An element of ๐‘… is irreducible if and only if it is prime. Proof. We already know that primes are irreducible, so what remains is to show that irrreducibles are prime. Let ๐‘ be an irreducible in ๐‘…, and we wish to show that ๐‘ is prime. Suppose ๐‘ divides ๐‘Ž๐‘ and ๐‘ does not divide ๐‘Ž; we now show that ๐‘ must divide ๐‘, which will complete the proof. Consider the gcd of ๐‘ and ๐‘Ž. Since ๐‘ is irreducible, it has no factors besides units and associates of ๐‘. Since ๐‘ does not divide ๐‘Ž, it follows that the gcd of ๐‘ and ๐‘Ž can only be a unit, and so we may take the gcd to be 1 (which is associate to all units). Therefore Proposition 1.40 tells us that 1 = ๐‘Ž๐‘ฅ + ๐‘๐‘ฆ for some elements ๐‘ฅ and ๐‘ฆ in ๐‘…. Multiplying both sides by ๐‘ we find that ๐‘ = ๐‘Ž๐‘๐‘ฅ + ๐‘๐‘๐‘ฆ. Since ๐‘|๐‘Ž๐‘, we have ๐‘|๐‘Ž๐‘๐‘ฅ, and obviously ๐‘ divides ๐‘๐‘๐‘ฆ. Therefore ๐‘ must divide ๐‘ = ๐‘Ž๐‘๐‘ฅ + ๐‘๐‘๐‘ฆ, which is what we wanted. โ–ก

1.7. Unique factorization

15

1.7. Unique factorization We are now ready to address the questions of the existence and uniqueness of factorization into irreducibles in integral domains. Let us begin by defining the problem precisely. Let ๐‘… be an integral domain. By factoring an element ๐‘Ž โˆˆ ๐‘… (nonzero) into irreducibles, we mean writing ๐‘Ž = ๐‘ข๐‘1 ๐‘2 โ‹ฏ ๐‘ ๐‘˜ , where ๐‘ข is a unit, and the ๐‘ ๐‘– are irreducibles (possibly with repetitions). The first question is whether such a factorization exists. If it does, the next question is whether it is unique. To clarify what uniqueness means, suppose ๐‘Ž = ๐‘ข๐‘1 ๐‘2 โ‹ฏ ๐‘ ๐‘˜ = ๐‘ฃ๐‘ž1 ๐‘ž2 โ‹ฏ ๐‘žโ„“ are two factorizations. Then we would like to assert that ๐‘˜ = โ„“, and that each ๐‘ ๐‘– can be paired with an associate ๐‘ž๐‘— โ€”that is, apart from units/associates the ๐‘ ๐‘– โ€™s and ๐‘ž๐‘— โ€™s are just permutations of the same list of elements. Definition 1.43. An integral domain where every non-zero element has a unique factorization into irreducibles as above is called a Unique Factorization Domain (UFD). Proposition 1.44. In a UFD, primes and irreducibles are the same. Further, any two elements ๐‘Ž and ๐‘ (not both 0) have a gcd. Proof. Suppose ๐‘… is a UFD, and let ๐‘ โˆˆ ๐‘… be irreducible. We wish to show that ๐‘ is prime. Suppose ๐‘ divides ๐‘Ž๐‘. Factor ๐‘Ž into irreducibles ๐‘Ž = ๐‘ข๐‘1 โ‹ฏ ๐‘ ๐‘˜ , and ๐‘ into irreducibles ๐‘ = ๐‘ฃ๐‘ž1 โ‹ฏ ๐‘žโ„“ . Thus ๐‘Ž๐‘ = ๐‘ข๐‘ฃ๐‘1 โ‹ฏ ๐‘ ๐‘˜ ๐‘ž1 โ‹ฏ ๐‘žโ„“ is the unique factorization of ๐‘Ž๐‘ into irreducibles. Since ๐‘ is an irreducible dividing ๐‘Ž๐‘, it must be the case that ๐‘ is an associate of one of ๐‘1 , . . ., ๐‘ ๐‘˜ , ๐‘ž1 , . . ., ๐‘žโ„“ . If it is an associate of one of the ๐‘ ๐‘– โ€™s then ๐‘|๐‘Ž, and if it is an associate of one of the ๐‘ž๐‘— โ€™s then ๐‘|๐‘. Thus we have shown that ๐‘|๐‘Ž๐‘ implies ๐‘|๐‘Ž or ๐‘|๐‘; in other words, ๐‘ is prime. To show that the gcd of any two elements ๐‘Ž and ๐‘ exists, factor ๐‘Ž and ๐‘ into irreducibles (or, what we now know to be the same, ๐‘’ ๐‘’ ๐‘’ primes). Let us express these factorizations as ๐‘Ž = ๐‘ข๐‘11 ๐‘22 โ‹ฏ ๐‘๐‘˜๐‘˜ and ๐‘“๐‘˜ ๐‘“1 ๐‘“2 ๐‘ = ๐‘ฃ๐‘1 ๐‘2 โ‹ฏ ๐‘๐‘˜ where the ๐‘1 , . . ., ๐‘ ๐‘˜ are distinct primes (all the

16

1. Primes and factorization

primes appearing in the factorization of either ๐‘Ž or ๐‘) and the exponents ๐‘’ ๐‘– and ๐‘“๐‘– are non-negative integers. Then you should check that min(๐‘’๐‘˜ ,๐‘“๐‘˜ ) min(๐‘’1 ,๐‘“1 ) min(๐‘’2 ,๐‘“2 ) ๐‘1 ๐‘2 . . . ๐‘๐‘˜ is the gcd of ๐‘Ž and ๐‘. โ–ก Theorem 1.45. Every PID is a UFD. Proof of the existence of a factorization. Let ๐‘… be a PID, and take a non-zero element ๐‘Ž in ๐‘…. If ๐‘Ž is a unit or is irreducible, then we may stop. Else we can find a factor ๐‘Ž1 of ๐‘Ž with ๐‘Ž1 not being a unit, and ๐‘Ž1 not an associate of ๐‘Ž (that is, ๐‘Ž = ๐‘Ž1 ๐‘1 with both ๐‘Ž1 and ๐‘1 not being units). If ๐‘Ž1 is irreducible, then look at whether ๐‘1 is irreducible. Else extract a factor ๐‘Ž2 of ๐‘Ž1 , which again is neither a unit nor an associate of ๐‘Ž1 . Keep proceeding in this manner. If the process terminates then we would have found a factorization into irreducibles. If the process does not terminate, then we must have a chain ๐‘Ž, ๐‘Ž1 , ๐‘Ž2 , . . . with ๐‘Ž๐‘–+1 |๐‘Ž๐‘– , and ๐‘Ž๐‘–+1 not a unit, and not an associate of ๐‘Ž๐‘– . We need to show that this last situation cannot happen. Since ๐‘Ž1 |๐‘Ž, it follows that the ideal (๐‘Ž) (being the set of multiples of ๐‘Ž) is contained in the ideal (๐‘Ž1 ) (because a multiple of ๐‘Ž is automatically a multiple of ๐‘Ž1 ). Thus the discussion above gives a chain of ideals (๐‘Ž) โŠ‚ (๐‘Ž1 ) โŠ‚ (๐‘Ž2 ) . . . . We will now show that this chain stabilizes and gives the same ideal from some point onwards. Let ๐ผ denote the union โˆช๐‘› (๐‘Ž๐‘› ). We claim that ๐ผ is an ideal. Indeed if ๐‘ โˆˆ ๐ผ then for some ๐‘› we must have ๐‘ โˆˆ (๐‘Ž๐‘› ), and therefore ๐‘Ÿ๐‘ โˆˆ (๐‘Ž๐‘› ) for any element ๐‘Ÿ โˆˆ ๐‘…, which implies ๐‘Ÿ๐‘ โˆˆ ๐ผ. Similarly if ๐‘ and ๐‘‘ are in ๐ผ then ๐‘ โˆˆ (๐‘Ž๐‘› ) and ๐‘‘ โˆˆ (๐‘Ž๐‘š ) for some ๐‘› and ๐‘š, and if ๐‘› โ‰ค ๐‘š (say) then both are contained in (๐‘Ž๐‘š ), and therefore so is their sum, which must now also be in ๐ผ. This verifies that ๐ผ is an ideal. Since ๐‘… is a PID it follows that ๐ผ = (๐‘Ÿ) from some ๐‘Ÿ โˆˆ ๐ผ. But then ๐‘Ÿ must be contained in some (๐‘Ž๐‘› ). So for any ๐‘š โ‰ฅ ๐‘›, we have (๐‘Ÿ) โŠ‚ (๐‘Ž๐‘› ) โŠ‚ (๐‘Ž๐‘š ) โŠ‚ ๐ผ = (๐‘Ÿ), and so all ideals from (๐‘Ž๐‘› ) onwards are equal to ๐ผ = (๐‘Ÿ), and the chain has stabilized. Once the chain stabilizes we have (๐‘Ž๐‘› ) = (๐‘Ž๐‘›+1 ), which means that ๐‘Ž๐‘› and ๐‘Ž๐‘›+1 are multiplies of each other, and therefore must be associates. But this contradicts our assumption, and thus completes the proof of the existence of a factorization. โ–ก

1.8. Euclidean domains

17

The same proof of the existence of a factorization into irreducibles would work in integral domains where every ideal is generated by finitely many elements โ€” such rings are called Noetherian, after the mathematician Emmy Noether.

Proof of the uniqueness of factorization. Suppose that ๐‘Ž can be factored into irreducibles as ๐‘ข๐‘1 โ‹ฏ ๐‘ ๐‘˜ and also as ๐‘ฃ๐‘ž1 โ‹ฏ ๐‘žโ„“ where the ๐‘ ๐‘– and ๐‘ž๐‘— are irreducibles. By Proposition 1.42 we know that the irreducibles ๐‘ ๐‘– and ๐‘ž๐‘— are also primes. Now ๐‘1 divides ๐‘ž1 โ‹ฏ ๐‘žโ„“ , and since ๐‘1 is prime we must have ๐‘1 divides ๐‘ž๐‘— for some ๐‘—. Since ๐‘ž๐‘— is irreducible, this forces ๐‘1 to be an associate of ๐‘ž๐‘— . Since weโ€™re in an integral domain, we can โ€œcancelโ€ (but recall how we did this in Lemma 1.13) ๐‘1 and ๐‘ž๐‘— from both sides of the equation ๐‘ข๐‘1 โ‹ฏ ๐‘ ๐‘˜ = ๐‘ฃ๐‘ž1 โ‹ฏ ๐‘žโ„“ , and repeat the argument. This proves the uniqueness part. โ–ก At present, we know from Example 1.37 that the integers โ„ค form a PID and are therefore a UFD. In the next section, we shall see more examples of PIDs by generalizing the ideas in Example 1.37. There is no converse to Theorem 1.45: there are UFDs that are not PIDs. Without going into details, let us point out that the polynomial ring โ„ค[๐‘ฅ] is a UFD (this may not be surprising to you, but does require proof), but we saw already in Example 1.38 that โ„ค[๐‘ฅ] is not a PID.

1.8. Euclidean domains A particularly nice family of rings (which will all be PIDs) are Euclidean domains, which generalize the idea in Example 1.37. Definition 1.46. An integral domain ๐‘… is said to have a division algorithm if there is a โ€œnorm functionโ€ ๐‘ โˆถ ๐‘… โˆ’ {0} โ†’ โ„คโ‰ฅ0 with the following property: If ๐‘Ž and ๐‘ are elements of ๐‘… with ๐‘ โ‰  0, then there exists a โ€œquotientโ€ ๐‘ž and a โ€œremainderโ€ ๐‘Ÿ such that ๐‘Ž = ๐‘ž๐‘ + ๐‘Ÿ, and either ๐‘Ÿ = 0, or ๐‘(๐‘Ÿ) < ๐‘(๐‘). An integral domain ๐‘… is called Euclidean if it possesses a division algorithm.

18

1. Primes and factorization

The key fact in the division algorithm is that the remainder ๐‘Ÿ can be made smaller in size (using the norm function ๐‘ as a notion of size) than ๐‘. Example 1.47. The integers โ„ค satisfy a division algorithm with the norm ๐‘ being the absolute value of an integer ๐‘Ž. One way to form the remainder when dividing ๐‘Ž by ๐‘ is to subtract an appropriate multiple of ๐‘ so that one lands inside the interval [0, |๐‘|). This is what we discussed in Example 1.37. Another possibility is to use signed remainders, and ensure that โˆ’|๐‘|/2 โ‰ค ๐‘Ÿ < |๐‘|/2, so that here |๐‘Ÿ| โ‰ค |๐‘|/2. One way to think of the division algorithm is that we are looking at the rational number ๐‘Ž/๐‘ and the quotient ๐‘ž is the largest integer below ๐‘Ž/๐‘ (also known as the floor โŒŠ๐‘Ž/๐‘โŒ‹). For the signed remainder case take instead the quotient to be the integer nearest to ๐‘Ž/๐‘. Example 1.48. We now show that the Gaussian integers โ„ค[๐‘–] are also a Euclidean domain. The norm map is ๐‘(๐‘Ž + ๐‘๐‘–) = ๐‘Ž2 + ๐‘2 , which is the square of the absolute value of the complex number ๐‘Ž + ๐‘๐‘–, and we claim that with this map the Gaussian integers satisfy a division algorithm. To see this, suppose ๐›ผ and ๐›ฝ โ‰  0 are in โ„ค[๐‘–]. Note that we can divide ๐›ผ by ๐›ฝ in the field โ„š(๐‘–) = {๐‘ฅ + ๐‘–๐‘ฆ โˆถ ๐‘ฅ, ๐‘ฆ โˆˆ โ„š} (see Example 1.21): one does this by โ€œrationalizing the denominatorโ€, that is, multiplying numerator and denominator by the complex conjugate ๐›ฝ. So we can find rational numbers ๐‘ฅ and ๐‘ฆ such that ๐›ผ = ๐‘ฅ + ๐‘–๐‘ฆ. ๐›ฝ Now take the nearest integer ๐‘Ÿ to ๐‘ฅ, and ๐‘  to ๐‘ฆ and set ๐œŒ = ๐‘Ÿ + ๐‘ ๐‘– โˆˆ โ„ค[๐‘–]. Note that ๐›ผ ๐›ผ ๐›ผ = ๐›ฝ = ๐œŒ๐›ฝ + ( โˆ’ ๐œŒ)๐›ฝ, ๐›ฝ ๐›ฝ and we are thinking of ๐œŒ โˆˆ โ„ค[๐‘–] as the quotient and ๐›ผ ๐›ผ โˆ’ ๐œŒ๐›ฝ = ( โˆ’ ๐œŒ)๐›ฝ = ((๐‘ฅ โˆ’ ๐‘Ÿ) + ๐‘–(๐‘ฆ โˆ’ ๐‘ ))๐›ฝ โˆˆ โ„ค[๐‘–] ๐›ฝ as the remainder. Since |๐‘Ÿ โˆ’ ๐‘ฅ| โ‰ค 1/2 and |๐‘  โˆ’ ๐‘ฆ| โ‰ค 1/2, we obtain ๐‘(๐›ฝ) 1 1 . ๐‘(๐›ผ โˆ’ ๐œŒ๐›ฝ) = ๐‘(๐›ฝ)((๐‘Ÿ โˆ’ ๐‘ฅ)2 + (๐‘  โˆ’ ๐‘ฆ)2 ) โ‰ค ( + )๐‘(๐›ฝ) = 4 4 2 Thus we have found a remainder with smaller norm than ๐›ฝ, and so the division algorithm holds. Note that above we made use of the fact that the norm ๐‘(๐‘ฅ + ๐‘–๐‘ฆ) = ๐‘ฅ2 + ๐‘ฆ2 may be thought of also as a function on

1.8. Euclidean domains

19

โ„š(๐‘–) and satisfies the multiplicative property that ๐‘(๐›ผ๐›ฝ) = ๐‘(๐›ผ)๐‘(๐›ฝ) (see Example 1.18). We should add a warning here that even though the same word โ€œnormโ€ is used in Example 1.18 and in the definition of the division algorithm, the two notions are distinct. In particular, the norm in the definition of the division algorithm need not be multiplicative (see the next example). Exercises 17 and 18 will give further examples of Euclidean domains where variants of this technique work. It can be quite difficult to determine whether a given integral domain is Euclidean or not. For instance, for a long time it was unknown whether the ring โ„ค[โˆš14] is Euclidean, and only recently has this been determined to be Euclidean (due to M. Harper [13]). Example 1.49. The polynomial ring over a field ๐”ฝ, namely ๐”ฝ[๐‘ฅ], is our third (and important) example of a Euclidean domain. The Euclidean norm function here is the degree of a polynomial. The division algorithm is given by long division of polynomials. Suppose we want to divide ๐‘“(๐‘ฅ) = ๐‘Ž๐‘› ๐‘ฅ๐‘› + . . . + ๐‘Ž0 by ๐‘”(๐‘ฅ) = ๐‘๐‘š ๐‘ฅ๐‘š + . . . + ๐‘0 (with ๐‘”(๐‘ฅ) โ‰  0) and extract a remainder of degree < ๐‘š. If ๐‘› < ๐‘š, then simply write ๐‘“(๐‘ฅ) = 0 โ‹… ๐‘”(๐‘ฅ) + ๐‘“(๐‘ฅ). If ๐‘› โ‰ฅ ๐‘š, then note that ๐‘“(๐‘ฅ) โˆ’ (๐‘Ž๐‘› /๐‘๐‘š )๐‘ฅ๐‘›โˆ’๐‘š ๐‘”(๐‘ฅ) is a polynomial of degree โ‰ค (๐‘› โˆ’ 1), and we can now try to divide this polynomial by ๐‘”(๐‘ฅ) and extract a remainder. So by induction the proof goes through. Notice that the norm used here, the degree of a polynomial, is not multiplicative. Indeed the degree of the product of two polynomials is the sum of the degrees of the factors. Note that the key property used here is that (๐‘Ž๐‘› /๐‘๐‘š ) makes sense because we are working over a field ๐”ฝ. It would not be enough to work just over an integral domain. For example in the polynomial ring โ„ค[๐‘ฅ] we cannot divide ๐‘ฅ2 by 2๐‘ฅ and get a remainder of degree < 1. In fact, we shall see shortly that โ„ค[๐‘ฅ] is not a Euclidean domain. Proposition 1.50. Every Euclidean domain is a principal ideal domain. Proof. The proof follows closely the argument in Example 1.37. Suppose ๐‘… is a Euclidean domain, and let ๐ผ be an ideal in ๐‘…. If ๐ผ = {0} there is nothing to prove. Suppose then that ๐ผ is larger, and look at the norms

20

1. Primes and factorization

of all the non-zero elements of ๐ผ. All these norms lie in the set of nonnegative integers, and so we may find an element ๐‘ โˆˆ ๐ผ (with ๐‘ โ‰  0) of smallest norm. We claim that the ideal ๐ผ is the set of multiples of ๐‘. Suppose instead that ๐‘Ž is an element of ๐ผ with ๐‘ not dividing ๐‘Ž. Then we may write (by the division algorithm) ๐‘Ž = ๐‘๐‘ž + ๐‘Ÿ with ๐‘Ÿ โ‰  0 and ๐‘(๐‘Ÿ) < ๐‘(๐‘). Since ๐‘Ÿ = ๐‘Ž โˆ’ ๐‘๐‘ž, we must also have ๐‘Ÿ โˆˆ ๐ผ, but this contradicts the minimality of ๐‘(๐‘). Therefore ๐ผ is the principal ideal (๐‘). โ–ก Example 1.51. The ring โ„ค[๐‘ฅ] is not a principal ideal domain, and therefore not a Euclidean domain. Exercise 19 shows that the ring ๐‘… = โ„ค[(1+ โˆšโˆ’19)/2] is not a Euclidean domain. However one can show that this ring is a PID; thus the converse to Proposition 1.50 does not hold. Since every Euclidean domain is a PID, and every PID is a UFD, we conclude that the Gaussian integers and the polynomial ring over a field are both UFDs. In the next chapter, we shall discuss primes in the usual integers. Later in ยง3.4 we shall discuss what primes look like in the Gaussian integers, and in ยง4.1 we shall discuss primes in the polynomial ring over a field, which will be of importance in our construction of finite fields. Integral domains: โ„ค[โˆšโˆ’5], โ„ค[โˆš15], โ„ค[โˆšโˆ’13] UFD: โ„ค[๐‘ฅ], โ„[๐‘ฅ, ๐‘ฆ] PID: โ„ค[(1 + โˆšโˆ’19)/2], โ„ค[(1 + โˆšโˆ’163)/2] Euclidean domains: โ„ค, โ„ค[๐‘–], ๐”ฝ[๐‘ฅ], โ„ค[โˆš14], โ„ค[โˆš2]

The figure above depicts the inclusions among our notions of integral domains, UFDโ€™s, PIDโ€™s, and Euclidean domains, and also gives examples (just for information, and not with complete proofs) to show that

1.9. Exercises

21

these inclusions are strict. Some, but by no means all, of these examples will be discussed further in the exercises. We end this chapter with one last remark on gcdโ€™s. In a UFD we saw that the gcd of any two elements ๐‘Ž and ๐‘ (not both zero) exists, and in a PID we saw that the gcd may be expressed as a linear combination ๐‘Ž๐‘ฅ + ๐‘๐‘ฆ with ๐‘ฅ, ๐‘ฆ โˆˆ ๐‘…. In a Euclidean domain, we can go one step better and give an algorithm to compute the gcd, and to find ๐‘ฅ and ๐‘ฆ as well. This is known as the Euclidean algorithm. The Euclidean algorithm. Let ๐‘Ž and ๐‘ be two elements (not both zero) in a Euclidean domain ๐‘…. If ๐‘ = 0 then the gcd is ๐‘Ž (or an associate of ๐‘Ž), and clearly the gcd is ๐‘Ž ร— 1 + ๐‘ ร— 0. If ๐‘ โ‰  0, then use the division algorithm to write ๐‘Ž = ๐‘ž๐‘ + ๐‘Ÿ; if ๐‘Ÿ = 0 then ๐‘ is the gcd. If ๐‘Ÿ โ‰  0, then ๐‘(๐‘Ÿ) < ๐‘(๐‘) (by the division algorithm), and now note that the gcd of ๐‘Ž and ๐‘ is the same as the gcd of ๐‘ and ๐‘Ÿ (check this carefully!). Said differently, the ideal (๐‘Ž, ๐‘) is the same as the ideal (๐‘, ๐‘Ÿ). Now use the same procedure with the pair ๐‘Ž, ๐‘ replaced by the pair ๐‘, ๐‘Ÿ. Note that if you have an expression for the gcd of ๐‘ and ๐‘Ÿ as ๐‘๐‘ฃ + ๐‘Ÿ๐‘ค then substituting ๐‘Ÿ = ๐‘Ž โˆ’ ๐‘ž๐‘ we obtain a linear combination of ๐‘Ž and ๐‘, namely ๐‘๐‘ฃ + (๐‘Ž โˆ’ ๐‘๐‘ž)๐‘ค = ๐‘Ž๐‘ค + ๐‘(๐‘ฃ โˆ’ ๐‘ž๐‘ค). Note that the Euclidean algorithm works by progressively finding elements of smaller norm in the ideal (๐‘Ž, ๐‘) until we find a non-zero element with smallest norm. Compare this with the proof of Proposition 1.50. Finally note that in โ„ค (use signed remainders), or โ„ค[๐‘–], the Euclidean algorithm is very rapid since at each step the norm decreases (at least) by a factor of 2. We havenโ€™t discussed precisely what it means to be a rapid algorithm, but we will turn to this in Chapter 8.

1.9. Exercises 1. Let ๐บ be a group. (i) Show that every element ๐‘” โˆˆ ๐บ has a unique inverse. (ii) Suppose that for any two elements ๐‘ฅ and ๐‘ฆ in ๐บ we have (๐‘ฅ๐‘ฆ)โˆ’1 = ๐‘ฅ ๐‘ฆ . Show that ๐บ is abelian. โˆ’1 โˆ’1

22

1. Primes and factorization

2. Consider โ„2 = {(๐‘ฅ, ๐‘ฆ) โˆถ ๐‘ฅ, ๐‘ฆ โˆˆ โ„} with operations of + and ร— defined by component-wise addition and multiplication. Give a brief explanation of why โ„2 is a ring with these operations. Is this ring an integral domain? Describe the units and zero divisors (if any) in this ring. 3. Let ๐œ– โ‰  0 denote a symbol with ๐œ–2 = 0. Define a ring โ„ค[๐œ–] = {๐‘Ž + ๐‘๐œ– โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค} with the natural way of adding and multiplying (subject to the ๐œ– ร— ๐œ– = 0 requirement). This is vague, but what I really want is for you to work out what is intended, and it should remind you of calculus and โ€œinfinitesimalsโ€. Is this ring an integral domain? Describe the units in this ring. 4. In any ring ๐‘…, show that if ๐‘ข is a unit then so are the powers ๐‘ข๐‘› for any ๐‘› โˆˆ โ„ค. (Interpret ๐‘ข๐‘› as ๐‘ข multiplied by itself ๐‘› times, for positive integers ๐‘›; interpret ๐‘ข0 as 1; and ๐‘ขโˆ’๐‘› as (๐‘ขโˆ’1 )๐‘› .) 5. Show that โ„ค[โˆš2] = {๐‘Ž + ๐‘โˆš2 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค}, โ„ค[โˆš3] = {๐‘Ž + ๐‘โˆš3 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค} and โ„ค[โˆš7] = {๐‘Ž + ๐‘โˆš7 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค} are all rings, and indeed integral domains (with usual addition and multiplication). In explaining why these are integral domains, you may assume that โˆš2, โˆš3 and โˆš7 are irrational, but you must explain why that is relevant. In this problem, I donโ€™t want you to think of โˆš2, โˆš3, โˆš7 as real numbers (and therefore of these rings as subrings of the real numbers), but instead as just symbols whose squares equal 2, 3 and 7, rather like ๐œ– in Problem 3 which we could have thought of as โˆš0. 6. Show that the rings โ„ค[โˆš2], โ„ค[โˆš3] and โ„ค[โˆš7] all have infinitely many units. 7. Define โ„š(๐‘–) = {๐‘Ž + ๐‘๐‘– โˆถ ๐‘Ž, ๐‘ โˆˆ โ„š} and โ„š(โˆš7) = {๐‘Ž + ๐‘โˆš7 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„š}. Show that these are examples of fields. 8. Let ๐‘… be a finite ring. Let ๐‘Ž be an element of ๐‘…, and assume that ๐‘Ž โ‰  0 and that ๐‘Ž is not a zero divisor. Show that the map ๐‘š๐‘Ž โˆถ ๐‘… โ†’ ๐‘… defined by ๐‘š๐‘Ž (๐‘Ÿ) = ๐‘Ž๐‘Ÿ (thus ๐‘š๐‘Ž is the map โ€œmultiplication by ๐‘Žโ€) is a bijection. Conclude that ๐‘Ž is a unit. 9. Let ๐ผ and ๐ฝ be two ideals in a ring ๐‘…. Prove that ๐ผ โˆฉ ๐ฝ is also an ideal in ๐‘….

1.9. Exercises

23

10. Given two ideals (๐‘š) and (๐‘›) in the integers โ„ค, describe the ideal (๐‘š) โˆฉ (๐‘›). Is (๐‘š) โˆช (๐‘›) necessarily an ideal? Describe the smallest ideal that contains both (๐‘š) and (๐‘›). 11. Consider the ring โ„ค[โˆšโˆ’5] = {๐‘Ž + ๐‘โˆšโˆ’5 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค} and define the norm ๐‘(๐‘Ž+๐‘โˆšโˆ’5) = ๐‘Ž2 +5๐‘2 . (Note: we are only calling this function a norm, but it is not required to satisfy the properties of a (Euclidean) norm as in Definition 1.46. Indeed the point of this exercise is to show that โ„ค[โˆšโˆ’5] is not a UFD, and hence not a PID, and hence not a Euclidean domain.) (i) Prove that the norm is multiplicative: that is, ๐‘(๐›ผ๐›ฝ) = ๐‘(๐›ผ)๐‘(๐›ฝ) for any ๐›ผ, ๐›ฝ in the ring. Determine the units in the ring. Show that if the norm of an element is prime (as an integer) then that element is irreducible. (ii) Prove that 2, 3, 1 + โˆšโˆ’5 and 1 โˆ’ โˆšโˆ’5 are all irreducibles, and so 6 = 2 ร— 3 = (1 + โˆšโˆ’5)(1 โˆ’ โˆšโˆ’5) is a genuine failure of uniqueness of factorization into irreducibles. Thus โ„ค[โˆšโˆ’5] is not a UFD. (iii) Give two elements ๐‘Ž, ๐‘ in this ring for which no greatest common divisor exists. (iv) Give an example of an ideal in this ring that is not principal. 12. Using the norm in Exercise 11 as a notion of size, show that every non-zero element in โ„ค[โˆšโˆ’5] can be factored into irreducibles. 13. Let ๐‘… be a ring, and ๐ด and ๐ต be two ideals in ๐‘…. Define ๐ด๐ต to be the ๐‘› set of all elements in ๐‘… of the form โˆ‘๐‘—=1 ๐‘Ž๐‘— ๐‘๐‘— for any natural number ๐‘›, and with ๐‘Ž๐‘— โˆˆ ๐ด and ๐‘๐‘— โˆˆ ๐ต. Show that ๐ด๐ต is an ideal of ๐‘…. 14. Let ๐‘… be the ring โ„ค[โˆšโˆ’5] and define the four ideals ๐ด = (2, 1 + โˆšโˆ’5), ๐ต = (3, 1 + โˆšโˆ’5), ๐ถ = (2, 1 โˆ’ โˆšโˆ’5), ๐ท = (3, 1 โˆ’ โˆšโˆ’5). (i) Show that ๐ด = ๐ถ, and compute the products (as defined in Exercise 13) ๐ด๐ต, ๐ด๐ถ, ๐ต๐ท, and ๐ถ๐ท. (ii) As ideals in ๐‘…, note the factorizations (6) = (2) ร— (3) = (1 + โˆšโˆ’5) ร— (1 โˆ’ โˆšโˆ’5).

24

1. Primes and factorization

How does your work in part (i) suggest a way to restore unique factorization (at the level of ideals)? Explain briefly. Historically, ideals originated in attempts to rectify the failure of unique factorization that was observed in rings such as โ„ค[โˆšโˆ’5]. Nineteenth century mathematicians were motivated by problems such as Fermatโ€™s last theorem to study factorization in general integral domains, and recognized that the failure of unique factorization foiled many attempts at proving Fermatโ€™s last theorem. This story is part of algebraic number theory, and see [17] for an introduction. 15. A ring (commutative with identity, as usual) is called Noetherian if every ideal can be generated by finitely many elements in the ring. Let ๐‘… be an integral domain, and suppose ๐‘… is Noetherian. Show that all non-zero elements in ๐‘… admit a factorization into irreducibles. 16. Let ๐‘… be a Euclidean domain with associated โ€œnorm functionโ€ ๐‘. If ๐‘(๐‘Ž) = 0 for some non-zero element ๐‘Ž of ๐‘…, show that ๐‘Ž must be a unit. 17. (i) Let ๐‘˜ be a positive integer congruent to 3 (mod 4). Show that โ„ค[(1 + โˆšโˆ’๐‘˜)/2] = {๐‘Ž + ๐‘(1 + โˆšโˆ’๐‘˜)/2 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค} is an integral domain. (ii) Define the norm ๐‘ 2 ๐‘˜๐‘2 ๐‘(๐‘Ž + ๐‘(1 + โˆšโˆ’๐‘˜)/2) = (๐‘Ž + ) + . 2 4 Prove that this function takes values in the non-negative integers, and is multiplicative ๐‘(๐›ผ๐›ฝ) = ๐‘(๐›ผ)๐‘(๐›ฝ) for any two elements in the ring. (iii) Prove that when ๐‘˜ = 3, 7, and 11 these rings are Euclidean. 18. Show that the rings โ„ค[โˆš2] = {๐‘Ž + ๐‘โˆš2 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค}, โ„ค[โˆš3] = {๐‘Ž + ๐‘โˆš3 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค}, and โ„ค[โˆšโˆ’2] = {๐‘Ž+๐‘โˆšโˆ’2 โˆถ ๐‘Ž, ๐‘ โˆˆ โ„ค} are all Euclidean domains. Hint: Try to generalize the notion of norm from Exercise 17 (multiply by an appropriate โ€œconjugateโ€) and see whether it satisfies the division algorithm. 19. This exercise shows that the ring ๐‘… = โ„ค[(1 + โˆšโˆ’19)/2] is not Euclidean. (i) Prove that the only units of ๐‘… are ยฑ1.

1.9. Exercises

25

(ii) Suppose there is a norm function on ๐‘… that makes ๐‘… Euclidean (this need not be the same function as in Exercise 17). Let ๐‘  be an element in ๐‘… with ๐‘  โ‰  0, ยฑ1 and having smallest norm. Prove that for any ๐‘Ž โˆˆ ๐‘…, we must have ๐‘ |๐‘Ž or ๐‘ |(๐‘Ž + 1) or ๐‘ |(๐‘Ž โˆ’ 1). (iii) Taking ๐‘Ž = 2, and now using the norm in Exercise 17 (or otherwise), show that ๐‘  must be ยฑ2 or ยฑ3. Show that neither ยฑ2 nor ยฑ3 has the property given in (ii) above, completing the proof.

Chapter 2

Primes in the integers

In this chapter, we discuss in more detail the prime elements in the ring of integers โ„ค. Multiplying by one of the units ยฑ1, we may restrict attention to the positive integers that are prime, which is the familiar sequence that begins with 2, 3, 5, 7, . . . . The existence and uniqueness of factorization of integers into primes is sometimes called the Fundamental Theorem of Arithmetic, and we know this already from our work in Chapter 1. After giving a few different proofs of the infinitude of primes, the main result of this chapter establishes Bertrandโ€™s postulate that there is always a prime between ๐‘› and 2๐‘›.

2.1. The infinitude of primes 2.1.1. Euclidโ€™s proof. You may already be familiar with the classical proof of Euclid. Suppose ๐‘1 , . . ., ๐‘๐‘› are distinct primes (which we will take to be positive integers), and consider ๐‘ = ๐‘1 โ‹ฏ ๐‘๐‘› + 1. Then ๐‘ is a natural number which is not divisible by the primes ๐‘1 , . . ., ๐‘๐‘› (since it leaves a remainder 1 when divided by any of these primes). If ๐‘ (which is larger than 1 and therefore not a unit) is factored into primes, the primes appearing in this factorization cannot be among ๐‘1 , . . ., ๐‘๐‘› . Therefore there is at least one prime different from ๐‘1 , . . ., ๐‘๐‘› , and so there are infinitely many primes. Here is a variant of Euclidโ€™s argument. For each ๐‘› โ‰ฅ 1 we claim that there is a prime larger than ๐‘›, and so there are infinitely many primes. 27

28

2. Primes in the integers

Just look at ๐‘›! +1; it cannot be divisible by any prime โ‰ค ๐‘›, and therefore any prime factor of ๐‘›! +1 is an example of a prime larger than ๐‘›. 2.1.2. Primes and the natural numbers. In this second proof, we will use some easy counting ideas to show that there must be infinitely many primes. The idea is simple: all natural numbers are built out of primes, and we know there are lots of natural numbers. If there are only finitely many primes, we can then show that there cannot be too many natural numbers, which would be a contradiction. Suppose there are only finitely many primes ๐‘1 , . . ., ๐‘๐‘› . Then every ๐‘Ž ๐‘Ž natural number ๐‘š can be expressed as ๐‘1 1 โ‹ฏ ๐‘๐‘›๐‘› by the fundamental theorem, where the exponents ๐‘Ž1 , . . ., ๐‘Ž๐‘› are non-negative integers. Now each exponent ๐‘Ž๐‘— is either even or odd, and so we can express it as ๐‘Ž๐‘— = 2๐‘๐‘— + ๐‘๐‘— where ๐‘๐‘— = 0 or 1, and ๐‘๐‘— is non-negative. With this notation, ๐‘ ๐‘ we see that ๐‘š can be written as ๐‘‘๐‘Ÿ2 , where ๐‘‘ = ๐‘11 โ‹ฏ ๐‘๐‘›๐‘› is a square-free number (composed of the primes ๐‘1 , . . ., ๐‘๐‘› each appearing to exponent ๐‘ ๐‘ at most 1), and ๐‘Ÿ = ๐‘1 1 โ‹ฏ ๐‘๐‘›๐‘› . Now let us count how many natural numbers there are up to ๐‘ (which is assumed to be a large natural number). Obviously the answer is ๐‘. However, by our analysis above, this is also the same as counting numbers of the form ๐‘‘๐‘Ÿ2 below ๐‘ with ๐‘‘ square-free. The number of possible choices for ๐‘‘ is 2๐‘› , since there are only ๐‘› primes and for each prime there are two choices for the exponent. For each ๐‘‘, there are at most โˆš๐‘ permissible choices for ๐‘Ÿ. Therefore, counted this way, there can only be โ‰ค 2๐‘› โˆš๐‘ natural numbers below ๐‘. Thus we must have ๐‘ โ‰ค 2๐‘› โˆš๐‘, which is plainly nonsense by choosing ๐‘ = 4๐‘› + 1 say. Therefore there must be infinitely many primes. For any real number ๐‘ฅ, we denote by ๐œ‹(๐‘ฅ) the number of primes below ๐‘ฅ. We have now seen two proofs that ๐œ‹(๐‘ฅ) โ†’ โˆž as ๐‘ฅ โ†’ โˆž. The second proof gives us a little more precise information. Namely, it shows that for any natural number ๐‘ we must have ๐‘ โ‰ค 2๐œ‹(๐‘) โˆš๐‘. Rearranging, we obtain that ๐œ‹(๐‘) โ‰ฅ log2 โˆš๐‘ =

log ๐‘ , 2 log 2

2.1. The infinitude of primes

29

where for us log will always mean the natural logarithm (that is, logarithm to the base ๐‘’). This is not a very good bound, but it is a small first step in quantifying how ๐œ‹(๐‘) tends to infinity with ๐‘. 2.1.3. Primes and information. This is a small variant of our previous proof, but it admits an amusing interpretation. Suppose ๐‘1 , . . ., ๐‘๐‘› are all the primes. Then how many positive integers can there be less ๐‘’ ๐‘Ž than 2๐‘ ? Each such integer may be written as ๐‘1 1 โ‹ฏ ๐‘๐‘›๐‘› , where the exponents ๐‘Ž๐‘— must be integers satisfying 0 โ‰ค ๐‘Ž๐‘— < ๐‘ (since the primes are all at least 2). Therefore each exponent has at most ๐‘ possibilities, and so there can be at most ๐‘ ๐‘› positive integers below 2๐‘ . But the true answer is 2๐‘ โˆ’ 1, and if ๐‘ is chosen to be very large in comparison to ๐‘›, the exponential growth of 2๐‘ โˆ’ 1 will overwhelm the polynomial bound ๐‘ ๐‘›. Now for the interpretation. How many bits of information are needed to specify all the positive integers up to 2๐‘ ? Clearly at least ๐‘ bits are needed. If there were only finitely many primes ๐‘1 , . . ., ๐‘๐‘› , then the numbers below 2๐‘ may be specified by giving the exponents ๐‘Ž1 , . . ., ๐‘Ž๐‘› appearing in their prime factorization. But the exponents are nonnegative integers below ๐‘, and each such exponent may be specified using โŒˆlog2 ๐‘โŒ‰ bits using the binary expansion. It follows that all numbers up to 2๐‘ may be specified using โ‰ค ๐‘›โŒˆlog2 ๐‘โŒ‰ bits, which is absurd because for large ๐‘ the function ๐‘› log2 ๐‘ (note that ๐‘› is a constant here) grows much more slowly than ๐‘. 2.1.4. Eulerโ€™s proof of the infinitude of primes. Our next proof is due to Euler, and this proof is notable as the first to introduce ideas from analysis to study primes. Throughout the letter ๐‘ will be used to denote prime numbers. The idea is to consider for any natural number ๐‘, the following product over all the primes below ๐‘, 1 โˆ’1 โˆ (1 โˆ’ ) . ๐‘ ๐‘โ‰ค๐‘ By the geometric series the above equals โˆ (1 + ๐‘โ‰ค๐‘

1 1 1 + + + . . . ). ๐‘ ๐‘2 ๐‘3

30

2. Primes in the integers

Multiply out the terms in this product (try it for ๐‘ = 3 say). Many terms will arise; for example, if ๐‘ โ‰ฅ 3 then we will get terms like 1/(2๐‘Ž 3๐‘ ) by taking the 1/2๐‘Ž term in the ๐‘ = 2 expression, and the 1/3๐‘ term in the ๐‘ = 3 expression. Explain why if the factorization of ๐‘› is composed only of primes below ๐‘ then 1/๐‘› will appear as a term when expanding out the product. Explain why such a term 1/๐‘› will appear exactly once. Therefore (2.1)

โˆ (1 + ๐‘โ‰ค๐‘

1 1 + ... ) = + ๐‘ ๐‘2

โˆ‘ ๐‘› ๐‘|๐‘› โŸน ๐‘โ‰ค๐‘

1 , ๐‘›

where the sum is over all natural numbers ๐‘› whose prime factors are all at most ๐‘. Note that ๐‘› = 1 is included in the sum, since the condition ๐‘|๐‘› โŸน ๐‘ โ‰ค ๐‘ is then vacuously true. Now consider the sum on the right side of (2.1). All the terms that appear there are positive. Moreover, any ๐‘› โ‰ค ๐‘ must appear on the right side of (2.1), since all the primes dividing such ๐‘› are necessarily at most ๐‘. Therefore, the right side of (2.1) is at least the harmonic sum ๐‘

1 . ๐‘› ๐‘›=1

๐ป๐‘ โ‰” โˆ‘

(2.2)

So far our argument gives that for any ๐‘ โ‰ฅ 1 one has ๐‘

(2.3)

โˆ (1 โˆ’ ๐‘โ‰ค๐‘

1 โˆ’1 1 ) โ‰ฅ โˆ‘ . ๐‘ ๐‘› ๐‘›=1

You may already know that the harmonic sum ๐ป๐‘ tends to infinity as ๐‘ โ†’ โˆž, and we shall make this more precise soon. If you grant that, then (2.3) gives another proof of the infinitude of primes: If there were only finitely many primes, then the left side of (2.3) would remain bounded (after some point the product wonโ€™t change) as ๐‘ โ†’ โˆž, whereas we know that the right side goes to infinity. We now work out good bounds for ๐ป๐‘ , and extract a little bit more out of our work in (2.3). Lemma 2.1. For all natural numbers ๐‘ โ‰ฅ 1 we have ๐‘

1 โ‰ค log ๐‘ + 1. ๐‘› ๐‘›=1

log(๐‘ + 1) โ‰ค ๐ป๐‘ = โˆ‘

2.1. The infinitude of primes

31

Proof. The lemma makes two assertions: the lower bound that ๐ป๐‘ โ‰ฅ log(๐‘ + 1), and the upper bound that ๐ป๐‘ โ‰ค log ๐‘ + 1. To prove both of these, let us note the intermediate set of inequalities ๐‘›+1

1 โ‰คโˆซ ๐‘›+1 ๐‘›

(2.4)

๐‘‘๐‘ก 1 โ‰ค , ๐‘ก ๐‘›

for all natural numbers ๐‘› โ‰ฅ 1. These inequalities follow because for ๐‘› โ‰ค ๐‘ก โ‰ค ๐‘› + 1, one has 1/(๐‘› + 1) โ‰ค 1/๐‘ก โ‰ค 1/๐‘›. Using the lower bound for 1/๐‘› in (2.4) for ๐‘› = 1, . . ., ๐‘ we obtain ๐‘

๐‘

1 โ‰ฅ โˆ‘โˆซ ๐‘› ๐‘›=1 ๐‘›=1 ๐‘› โˆ‘

๐‘›+1

๐‘‘๐‘ก =โˆซ ๐‘ก 1

๐‘+1

๐‘‘๐‘ก = log(๐‘ + 1), ๐‘ก

which is the lower bound for ๐ป๐‘ that we want. Using the upper bound for 1/(๐‘› + 1) in (2.4) for ๐‘› = 1, . . ., ๐‘ โˆ’ 1, we obtain ๐‘โˆ’1

๐‘โˆ’1

1 โ‰ค1+ โˆ‘ โˆซ ๐‘›+1 ๐‘›=1 ๐‘›

๐ป๐‘ = 1 + โˆ‘ ๐‘›=1

๐‘›+1

๐‘

๐‘‘๐‘ก ๐‘‘๐‘ก =1+โˆซ = 1 + log ๐‘. ๐‘ก ๐‘ก 1

This gives our upper bound for ๐ป๐‘ , and completes the proof.

โ–ก

Putting everything together, we have shown that โˆ (1 โˆ’

(2.5)

๐‘โ‰ค๐‘

1 โˆ’1 1 ) โ‰ฅ โˆ‘ โ‰ฅ log(๐‘ + 1). ๐‘ ๐‘› ๐‘›โ‰ค๐‘

As we noted already, this proves the infinitude of primes, since the right side of (2.5) visibly tends to infinity as ๐‘ โ†’ โˆž. We now refine this proof, and show that the sum of reciprocals of the primes diverges. Taking logarithms on both sides of (2.5), we obtain (2.6)

log โˆ (1 โˆ’ ๐‘โ‰ค๐‘

1 โˆ’1 1 โˆ’1 ) = โˆ‘ log (1 โˆ’ ) โ‰ฅ log log(๐‘ + 1). ๐‘ ๐‘ ๐‘โ‰ค๐‘

Now observe that for any ๐‘ฅ โ‰ฅ 0 one has 1+๐‘ฅ

log(1 + ๐‘ฅ) = โˆซ 1

๐‘‘๐‘ก โ‰คโˆซ ๐‘ก 1

1+๐‘ฅ

๐‘‘๐‘ก = ๐‘ฅ.

Therefore log (1 โˆ’

๐‘ 1 โˆ’1 1 1 = log (1 + , ) = log )โ‰ค ๐‘ ๐‘โˆ’1 ๐‘โˆ’1 ๐‘โˆ’1

32

2. Primes in the integers

and inputting this estimate in (2.6), we conclude that โˆ‘

(2.7)

๐‘โ‰ค๐‘

1 โ‰ฅ log log(๐‘ + 1). ๐‘โˆ’1

This is almost what we want, except that weโ€™d prefer to obtain a bound for the closely related โˆ‘๐‘โ‰ค๐‘ 1/๐‘ instead. Observe that โˆ‘ ๐‘โ‰ค๐‘

1 1 1 , = โˆ‘ + โˆ‘ ๐‘ โˆ’ 1 ๐‘โ‰ค๐‘ ๐‘ ๐‘โ‰ค๐‘ ๐‘(๐‘ โˆ’ 1)

and the second sum in the right side above may be bounded by โ‰ค โˆ‘ 2โ‰ค๐‘›โ‰ค๐‘

1 1 1 1 = โˆ‘ ( โˆ’ )=1โˆ’ , ๐‘ ๐‘›(๐‘› โˆ’ 1) 2โ‰ค๐‘›โ‰ค๐‘ ๐‘› โˆ’ 1 ๐‘›

where the last equality holds by โ€œtelescoping.โ€ Using this in (2.7), we finally obtain 1 โˆ‘ + 1 โ‰ฅ log log(๐‘ + 1), ๐‘ ๐‘โ‰ค๐‘ or in other words (2.8)

โˆ‘ ๐‘โ‰ค๐‘

1 โ‰ฅ log log(๐‘ + 1) โˆ’ 1. ๐‘

We know that the harmonic sum ๐ป๐‘ grows to infinity with ๐‘, and Lemma 2.1 gives a quantification of how it grows. Similarly, from (2.8) we know that the sum of the reciprocals of the primes diverges, and moreover we can quantify the rate at which โˆ‘๐‘โ‰ค๐‘ 1/๐‘ tends to infinity. Note that there can be infinite sequences of natural numbers, whose sum of reciprocals is nevertheless convergent. For example, the perfect squares are an infinite sequence, but the sum of their reciprocals converges. Indeed, another famous achievement of Euler was to show that โˆž โˆ‘๐‘›=1 1/๐‘›2 = ๐œ‹2 /6. In a sense, the divergence of the sum of reciprocals of primes indicates that there are more primes than squares. Weโ€™ll discuss in Section 2.3 a little bit more about how ๐œ‹(๐‘ฅ) (the number of primes below ๐‘ฅ) grows with ๐‘ฅ.

2.2. Bertrandโ€™s postulate The goal of this section is to prove the main result of this chapter, Bertrandโ€™s postulate.

2.2. Bertrandโ€™s postulate

33

Theorem 2.2. For every natural number ๐‘› โ‰ฅ 1, there is a prime ๐‘ with (๐‘› + 1) โ‰ค ๐‘ โ‰ค 2๐‘›. Although the result is named after Bertrand, it was first proved by the Russian mathematician Chebyshev in 1850. We give a proof due to Paul Erdล‘s which builds upon an idea of Ramanujan. The central idea in this proof is to consider the middle binomial coefficients (2๐‘›)! 2๐‘› , ( )= ๐‘› ๐‘›! ๐‘›! which we know combinatorially to be an integer since it counts the number of ways of choosing ๐‘› objects out of 2๐‘›. We approach this binomial coefficient in two different ways: (i) by computing its prime factorization (giving in passing a different proof that it is an integer), and (ii) by using that it is the largest of the binomial coefficients (2๐‘› ) to give lower ๐‘˜ bounds on its size. If there are no primes ๐‘ in the range ๐‘› + 1 โ‰ค ๐‘ โ‰ค 2๐‘›, then from the prime factorization we can obtain upper bounds for the size of (2๐‘› ) which will be seen to contradict the lower bounds obtained ๐‘› in (ii). Let us begin our understanding of the factorization of (2๐‘› ) by first ๐‘› determining the prime factorization of ๐‘›!. Lemma 2.3. For any ๐‘› โˆˆ โ„• we may factor ๐‘›! as ๐‘›! = โˆ ๐‘๐‘’๐‘ ๐‘โ‰ค๐‘›

where the exponents ๐‘’๐‘ are given by โˆž

๐‘› ๐‘› ๐‘› ๐‘’๐‘ = โŒŠ โŒ‹ + โŒŠ 2 โŒ‹ + . . . = โˆ‘ โŒŠ ๐‘˜ โŒ‹. ๐‘ ๐‘ ๐‘ ๐‘˜=1 Note that the sum in the lemma is really just a finite sum: once ๐‘๐‘˜ exceeds ๐‘›, we have โŒŠ๐‘›/๐‘๐‘˜ โŒ‹ = 0. Thus only the terms ๐‘˜ up to log๐‘ ๐‘› = (log ๐‘›)/(log ๐‘) are relevant. Proof. Since ๐‘›! = 1 ร— 2 ร— โ‹ฏ ร— ๐‘›, the prime factorization of ๐‘›! can only involve the primes below ๐‘›. So what really needs proving is the formula for the exponents ๐‘’๐‘ . How many natural numbers up to ๐‘› are multiples of ๐‘? Since the multiples of ๐‘ below ๐‘› are of the form ๐‘š๐‘ with 1 โ‰ค ๐‘š โ‰ค ๐‘›/๐‘, the answer

34

2. Primes in the integers

is clearly โŒŠ๐‘›/๐‘โŒ‹. Each of these multiples of ๐‘ will contribute 1 towards the exponent ๐‘’๐‘ , but some may contribute more than 1. The multiples of ๐‘2 will contribute at least 2, and there are โŒŠ๐‘›/๐‘2 โŒ‹ of these. And then the multiples of ๐‘3 will contribute at least 3, and these will be counted thrice in our formula: once from being a multiple of ๐‘, once from being a multiple of ๐‘2 and once from being a multiple of ๐‘3 . And so on. โ–ก Lemma 2.3 allows us to compute the prime factorization of (2๐‘› ). ๐‘› Proposition 2.4. The prime factorization of (2๐‘› ) is given by ๐‘› (

2๐‘› ) = โˆ ๐‘๐‘“๐‘ , ๐‘› ๐‘โ‰ค2๐‘›

where the exponents ๐‘“๐‘ are determined by โˆž

(2.9)

๐‘“๐‘ = โˆ‘ (โŒŠ ๐‘˜=1

2๐‘› ๐‘› โŒ‹ โˆ’ 2โŒŠ ๐‘˜ โŒ‹). ๐‘๐‘˜ ๐‘

The exponents ๐‘“๐‘ satisfy the following properties: (i) For all ๐‘ we have 0 โ‰ค ๐‘“๐‘ โ‰ค โŒŠlog(2๐‘›)/ log ๐‘โŒ‹. (ii) If ๐‘ > โˆš2๐‘› then ๐‘“๐‘ = 0 or 1. (iii) If ๐‘› โ‰ฅ 5 and 2๐‘›/3 < ๐‘ โ‰ค ๐‘› then ๐‘“๐‘ = 0. (iv) If (๐‘› + 1) โ‰ค ๐‘ โ‰ค 2๐‘› then ๐‘“๐‘ = 1. Proof. Applying Lemma 2.3, we see that the power of ๐‘ that divides โˆž (2๐‘›)! is โˆ‘๐‘˜=1 โŒŠ2๐‘›/๐‘๐‘˜ โŒ‹, while the power of ๐‘ that divides (๐‘›! )2 is โˆž 2 โˆ‘๐‘˜=1 โŒŠ๐‘›/๐‘๐‘˜ โŒ‹. Subtracting the second quantity from the first gives the power of ๐‘ dividing (2๐‘› ), and this establishes the formula (2.9) for ๐‘“๐‘ . ๐‘› Let us define a function ๐œ“ by setting ๐œ“(๐‘ฅ) = โŒŠ2๐‘ฅโŒ‹ โˆ’ 2โŒŠ๐‘ฅโŒ‹ โˆž

so that the formula for ๐‘“๐‘ may be written as ๐‘“๐‘ = โˆ‘๐‘˜=1 ๐œ“(๐‘›/๐‘๐‘˜ ). Note that ๐œ“(๐‘ฅ + 1) = โŒŠ2(๐‘ฅ + 1)โŒ‹ โˆ’ 2โŒŠ๐‘ฅ + 1โŒ‹ = โŒŠ2๐‘ฅโŒ‹ + 2 โˆ’ 2(โŒŠ๐‘ฅโŒ‹ + 1) = ๐œ“(๐‘ฅ).

2.2. Bertrandโ€™s postulate

35

Thus ๐œ“ is periodic in ๐‘ฅ with period 1, and so it is enough to understand what ๐œ“ does for 0 โ‰ค ๐‘ฅ < 1. Here we may quickly check that 0 ๐œ“(๐‘ฅ) = { 1

if 0 โ‰ค ๐‘ฅ < if

1 2

1 2

โ‰ค ๐‘ฅ < 1.

In other words, ๐œ“(๐‘ฅ) takes only the values 0 (if the โ€œfractional partโ€ of ๐‘ฅ is < 1/2) and 1 (if the โ€œfractional partโ€ is โ‰ฅ 1/2). We now establish the four assertions on ๐‘“๐‘ . Note that the sum in (2.9) is really finite, and we need only consider terms ๐‘๐‘˜ โ‰ค 2๐‘›, or in other words ๐‘˜ โ‰ค (log(2๐‘›))/ log ๐‘. Therefore, for all ๐‘ we have โˆ‘

๐‘“๐‘ =

๐œ“(๐‘›/๐‘๐‘˜ ) โ‰ค

โˆ‘ ๐‘˜โ‰ค(log 2๐‘›)/ log ๐‘

๐‘˜โ‰ค(log(2๐‘›))/ log ๐‘

1=โŒŠ

log(2๐‘›) โŒ‹, log ๐‘

which gives the first assertion (i). Further, if ๐‘ > โˆš2๐‘› then only the term ๐‘˜ = 1 in (2.9) can be non-zero, and so ๐‘“๐‘ = ๐œ“(๐‘›/๐‘) = 0 or 1, which proves (ii). If ๐‘› โ‰ฅ 5 then 2๐‘›/3 > โˆš2๐‘›, and therefore in the range 2๐‘›/3 < ๐‘ โ‰ค ๐‘› we have ๐‘“๐‘ = ๐œ“(๐‘›/๐‘) = 0 because 1 โ‰ค ๐‘›/๐‘ < 3/2. This proves assertion (iii). Finally, if (๐‘› + 1) โ‰ค ๐‘ โ‰ค 2๐‘›, then automatically ๐‘ > โˆš2๐‘› and so 1 โ–ก ๐‘“๐‘ = ๐œ“(๐‘›/๐‘) = 1 since 2 โ‰ค ๐‘›/๐‘ < 1. This yields assertion (iv). Next we give a lower bound for the size of the middle binomial coefficient (2๐‘› ). ๐‘› Proposition 2.5. For ๐‘› โ‰ฅ 1 we have (

2๐‘› 22๐‘› . )โ‰ฅ 2๐‘› ๐‘›

Proof. If ๐‘› โ‰ฅ 1 then the middle binomial coefficient is the largest of the binomial coefficients (2๐‘› ) (check!), and moreover it is at least 2 = ๐‘— ). Thus ) + (2๐‘› (2๐‘› 2๐‘› 0 (

1 2๐‘› 2๐‘› 2๐‘› 2๐‘› 2๐‘› )โ‰ฅ ({( ) + ( )} + ( ) + . . . + ( )), ๐‘› 2๐‘› 0 2๐‘› 1 2๐‘› โˆ’ 1

and since 2๐‘› 2๐‘› 2๐‘› ( ) + ( ) + . . . + ( ) = (1 + 1)2๐‘› = 22๐‘› , 0 1 2๐‘›

36

2. Primes in the integers โ–ก

the stated lower bound follows. Proposition 2.6. For all real numbers ๐‘ฅ โ‰ฅ 1 we have โˆ ๐‘ โ‰ค 4๐‘ฅ . ๐‘โ‰ค๐‘ฅ

We now prove Bertrandโ€™s postulate, assuming the validity of Proposition 2.6. We shall prove Proposition 2.6 immediately afterwards. Proof of Theorem 2.2. Observe that 2, 3, 5, 7, 13, 23, 43, 83, 163, 317, 631 is a sequence of prime numbers with each successive term being less than twice the previous one. Do you see why this verifies Bertrandโ€™s postulate for ๐‘› up to 630? It remains to consider larger values of ๐‘›. Let us suppose that ๐‘› โ‰ฅ 631 is such that there is no prime in [๐‘› + 1, 2๐‘›]. By Proposition 2.4 and the assumption that there is no prime in [๐‘› + 1, 2๐‘›] it follows that 2๐‘› ( ) = โˆ ๐‘๐‘“๐‘ โ‰ค โˆ ๐‘log(2๐‘›)/ log ๐‘ ๐‘› ๐‘โ‰ค2๐‘›/3 ๐‘โ‰คโˆš2๐‘›

โˆ

๐‘.

โˆš2๐‘› 6/ log 2 = 8.656 . . ., and therefore for all ๐‘ฆ โ‰ฅ 32 we have ๐‘”(๐‘ฆ) โ‰ฅ ๐‘”(32) = 32 โˆ’ 6 ร— 5 = 2 > 0. Since ๐‘ฅ = โˆš2๐‘› โ‰ฅ โˆš2 ร— 631 > โˆš1024 = 32, we have arrived at a contradiction! Therefore for ๐‘› โ‰ฅ 631 there must be a prime in the interval [๐‘› + 1, 2๐‘›], and our proof of Bertrandโ€™s postulate is complete. โ–ก It remains lastly to establish Proposition 2.6. Proof of Proposition 2.6. It suffices to establish the proposition when ๐‘ฅ is an integer. To establish the integer case, we argue by (strong) induction. Clearly the result is true for ๐‘ฅ = 1 and ๐‘ฅ = 2. Now suppose the result holds for all integers 1, 2, . . ., ๐‘ฅ โˆ’ 1 and we want to establish it for ๐‘ฅ. If ๐‘ฅ โ‰ฅ 4 is even, then ๐‘ฅ is not prime, and using the induction hypothesis we find โˆ ๐‘ = โˆ ๐‘ โ‰ค 4๐‘ฅโˆ’1 < 4๐‘ฅ . ๐‘โ‰ค๐‘ฅ

๐‘โ‰ค๐‘ฅโˆ’1

Therefore we may suppose that ๐‘ฅ = 2๐‘›+1 is odd. Observe that every prime ๐‘ in the range ๐‘› + 2 โ‰ค ๐‘ โ‰ค 2๐‘› + 1 divides the binomial coefficient (2๐‘›+1)! (2๐‘›+1 ) = ๐‘›!(๐‘›+1)! , since such primes visibly divide the numerator but not ๐‘› the denominator. Therefore โˆ

๐‘โ‰ค(

๐‘›+2โ‰ค๐‘โ‰ค2๐‘›+1

2๐‘› + 1 ), ๐‘›

and combining this with our induction hypothesis we find (2.10)

โˆ ๐‘= โˆ ๐‘ร— ๐‘โ‰ค2๐‘›+1

๐‘โ‰ค๐‘›+1

โˆ ๐‘›+2โ‰ค๐‘โ‰ค2๐‘›+1

๐‘ โ‰ค 4๐‘›+1 ร— (

2๐‘› + 1 ). ๐‘›

38

2. Primes in the integers

Now (2๐‘›+1 ) and so ) = (2๐‘›+1 ๐‘›+1 ๐‘› 2(

2๐‘› + 1 2๐‘› + 1 2๐‘› + 1 )=( )+( ) ๐‘› ๐‘› ๐‘›+1 1. Riemann showed that one can extend the definition of ๐œ(๐‘ ), by a process known as analytic continuation, to the entire complex plane (apart from a singularity at ๐‘  = 1). He then gave a marvelous explicit formula connecting prime numbers with the zeros of the zeta function. Riemann realized that Gaussโ€™s conjecture for ๐œ‹(๐‘ฅ) could be resolved if ๐œ(๐‘ ) โ‰  0 for complex numbers ๐‘  with Re(๐‘ ) โ‰ฅ 1. Based in part on numerical investigations, Riemann conjectured that all non1 trivial zeros of ๐œ(๐‘ ) lie on a line with Re(๐‘ ) = 2 โ€” this is the famous Riemann Hypothesis. Eventually in 1895 the prime number theorem was established by Hadamard and de la Vallรฉe Poussin, by pushing through Riemannโ€™s plan. The Riemann Hypothesis however is still unsolved, and has become one of the most important open problems in mathematics. Here is an easily understandable equivalent form of the Riemann Hypothesis, stated just

2.4. Exercises

41

in terms of prime numbers: For all ๐‘ฅ โ‰ฅ 2657, ๐‘ฅ

|๐œ‹(๐‘ฅ) โˆ’ โˆซ | 0

๐‘‘๐‘ก | 1 โˆš๐‘ฅ log ๐‘ฅ. โ‰ค log ๐‘ก | 8๐œ‹

10

For example, up to 10 there are 455052511 primes, and the difference between this and the approximation li(1010 ) is only about 3100. For more information on prime numbers and number theory, take a look at [18, 21, 27].

2.4. Exercises ๐‘Ž

1. Prove that ๐‘Ž|๐‘๐‘ if and only if (๐‘Ž,๐‘) |๐‘. Here, and elsewhere, (๐‘Ž, ๐‘) denotes the gcd of the integers ๐‘Ž and ๐‘. The notation (๐‘Ž, ๐‘) is identical to the notation for the ideal generated by ๐‘Ž and ๐‘; this is apt because the ideal generated by ๐‘Ž and ๐‘ is a principal ideal generated by their gcd. 2. Show that ๐‘›|(๐‘› โˆ’ 1)! for every composite number ๐‘› > 4. (A natural number bigger than 1 is called composite if it is not prime.) 3. For every ๐‘› > 1 show that ๐‘›4 + ๐‘›2 + 1 is not prime. 4. Irrational numbers. The following are in ascending order of difficulty: although the last part contains all others, you may want to do the parts in order to get an idea of how to prove that. (i) Show that โˆš๐‘ is irrational for any prime ๐‘. (ii) Show that โˆš๐‘› is irrational unless ๐‘› is the square of an integer. (iii) Suppose ๐›ผ is a solution to the polynomial equation ๐‘ฅ๐‘› +๐‘Ž1 ๐‘ฅ๐‘›โˆ’1 + ๐‘Ž2 ๐‘ฅ + . . . + ๐‘Ž๐‘› = 0 where ๐‘Ž1 , . . ., ๐‘Ž๐‘› are integers. Show that either ๐›ผ is an integer or ๐›ผ is irrational. ๐‘›โˆ’2

5. Show that for all ๐‘› โˆˆ โ„• we have (๐‘›! +1, (๐‘› + 1)! +1) = 1. 6. Let ๐น๐‘› denote the Fibonacci sequence defined by ๐น1 = 1, ๐น2 = 1, and ๐น๐‘› + ๐น๐‘›+1 = ๐น๐‘›+2 . Prove that for all ๐‘› โˆˆ โ„• the two consecutive Fibonacci numbers ๐น๐‘› and ๐น๐‘›+1 are coprime (that is, (๐น๐‘› , ๐น๐‘›+1 ) = 1). By working out examples, and generalizing, determine explicitly (with proof) integers ๐‘ฅ and ๐‘ฆ such that ๐น๐‘› ๐‘ฅ + ๐น๐‘›+1 ๐‘ฆ = 1.

42

2. Primes in the integers ๐‘›

7. The ๐‘›th Fermat number is ๐น๐‘› โ‰” 22 + 1. If ๐‘š > ๐‘› show that ๐น๐‘› divides ๐น๐‘š โˆ’ 2. Conclude that any two different Fermat numbers are coprime. Use this observation to give another proof that there are infinitely many primes. 8. Adapt Euclidโ€™s proof to show that there are infinitely many primes in โ„ค[๐‘–] and ๐”ฝ[๐‘ฅ] for any field ๐”ฝ. 9. (i) Let ๐‘“ be a polynomial with integer coefficients. Suppose ๐‘š and ๐‘› are integers with ๐‘ dividing ๐‘š โˆ’ ๐‘›. Prove that ๐‘ divides ๐‘“(๐‘š) โˆ’ ๐‘“(๐‘›). (ii) Let ๐‘“(๐‘ฅ) = ๐‘ฅ(๐‘ฅ โˆ’ 2) + 2. Let ๐‘Ž0 = 3, and let ๐‘Ž๐‘›+1 = ๐‘“(๐‘Ž๐‘› ), so that ๐‘Ž1 = 5, ๐‘Ž2 = 17 etc. Show that if a prime ๐‘ divides ๐‘Ž๐‘› , then ๐‘ cannot divide ๐‘Ž๐‘š for all ๐‘š > ๐‘›. (iii) Conclude that (๐‘Ž๐‘š , ๐‘Ž๐‘› ) = 1 if ๐‘š and ๐‘› are distinct, and deduce that there are infinitely many primes. Exercise 9 comes from [11], which has much more on related proofs of the infinitude of primes. 10. The ring of formal power series โ„[[๐‘ฅ]] is defined as the set โˆž

{ โˆ‘ ๐‘Ž๐‘› ๐‘ฅ๐‘› โˆถ ๐‘Ž๐‘› โˆˆ โ„} ๐‘›=0

with the operations of addition and multiplication defined as follows: โˆž

โˆž

โˆž

โˆ‘ ๐‘Ž๐‘› ๐‘ฅ๐‘› + โˆ‘ ๐‘๐‘› ๐‘ฅ๐‘› = โˆ‘ (๐‘Ž๐‘› + ๐‘๐‘› )๐‘ฅ๐‘› ๐‘›=0

๐‘›=0

๐‘›=0

and โˆž

โˆž

โˆž

( โˆ‘ ๐‘Ž๐‘› ๐‘ฅ๐‘› ) ร— ( โˆ‘ ๐‘๐‘› ๐‘ฅ๐‘› ) = โˆ‘ ๐‘๐‘› ๐‘ฅ๐‘› , ๐‘›=0

๐‘›=0

๐‘›

with ๐‘๐‘› = โˆ‘ ๐‘Ž๐‘– ๐‘๐‘›โˆ’๐‘– .

๐‘›=0

๐‘–=0

Convince yourself that this is indeed a ring. (i) Explain why โ„[[๐‘ฅ]] is an integral domain. โˆž

(ii) Prove that โˆ‘๐‘›=0 ๐‘Ž๐‘› ๐‘ฅ๐‘› is a unit if and only if ๐‘Ž0 โ‰  0. (iii) Prove that โ„[[๐‘ฅ]] is a PID, and that every ideal is generated by ๐‘ฅ๐‘˜ for some non-negative integer ๐‘˜. (iv) Prove that, apart from associates, there is exactly one prime in โ„[[๐‘ฅ]]; namely ๐‘ฅ. (v) Why doesnโ€™t Euclidโ€™s proof work here?

2.4. Exercises

43

11. Write the natural number ๐‘› in base ๐‘ notation. Say ๐‘› = ๐‘Ž0 + ๐‘Ž1 ๐‘ + ๐‘Ž2 ๐‘2 + . . . + ๐‘Ž๐‘Ÿ ๐‘๐‘Ÿ where each ๐‘Ž๐‘– is between 0 and ๐‘ โˆ’ 1. (i) Show that ๐‘Ž๐‘– = โŒŠ๐‘›/๐‘๐‘– โŒ‹ โˆ’ ๐‘โŒŠ๐‘›/๐‘๐‘–+1 โŒ‹. (ii) Prove that the largest power of ๐‘ dividing ๐‘›! equals (๐‘› โˆ’ ๐‘†(๐‘›)) , (๐‘ โˆ’ 1) where ๐‘†(๐‘›) = ๐‘Ž0 + ๐‘Ž1 + . . . + ๐‘Ž๐‘Ÿ denotes the sum of the base ๐‘-digits of ๐‘›. 12. Let ๐‘ฅ be a positive real number, and let ๐‘› be a positive integer. Prove that ๐‘›โˆ’1 ๐‘— โˆ‘ โŒŠ๐‘ฅ + โŒ‹ = โŒŠ๐‘›๐‘ฅโŒ‹. ๐‘› ๐‘—=0 13. (Chebyshev) Prove that (30๐‘›)! ๐‘›! (15๐‘›)! (10๐‘›)! (6๐‘›)! is a natural number for every ๐‘› โˆˆ โ„•. 14. Prove that

(9๐‘›)! (2๐‘›)! (6๐‘›)! (4๐‘›)! ๐‘›! is a natural number for every ๐‘› โˆˆ โ„•. 15. Prove that

(12๐‘›)! (2๐‘›)! (7๐‘›)! (4๐‘›)! (3๐‘›)! is a natural number for every ๐‘› โˆˆ โ„•.

Exercises 13, 14, 15 give three examples out of 52 such โ€œsporadicโ€ examples of integral factorial ratios; see [4, 26] for this classification, and related problems. 16. Prove that the Catalan number ๐ถ๐‘› =

1 2๐‘› ( ) ๐‘›+1 ๐‘›

is an integer for all ๐‘› โˆˆ โ„•. Note: this is easy if you realize that ๐ถ๐‘› = 2๐‘› ), but I would like you to show (using Lemma 2.3 for instance) )โˆ’(๐‘›+1 (2๐‘› ๐‘› that the power of a prime ๐‘ dividing ๐ถ๐‘› is non-negative.

44

2. Primes in the integers

17. By contemplating the middle binomial coefficient (2๐‘› ), prove that for ๐‘› any ๐‘› โ‰ฅ 1 2๐‘› ๐œ‹(2๐‘›) โ‰ฅ log 2 โˆ’ 1. log(2๐‘›) 18. Prove that for all ๐‘› โ‰ฅ 2 we have ๐œ‹(2๐‘›) โˆ’ ๐œ‹(๐‘›) โ‰ค

2๐‘› log 2 . log ๐‘›

19. Let ๐‘‘๐‘ denote the least common multiple of the first ๐‘ natural numbers 1, 2, . . ., ๐‘. (i) What is the power of ๐‘ dividing ๐‘‘๐‘ ? Prove that log ๐‘ log ๐‘‘๐‘ = โˆ‘ log ๐‘โŒŠ โŒ‹ โ‰ค (log ๐‘)๐œ‹(๐‘). log ๐‘ ๐‘โ‰ค๐‘ (ii) Let ๐‘“(๐‘ฅ) = โˆ‘๐‘– ๐‘Ž๐‘– ๐‘ฅ๐‘– be a polynomial with integer coefficients and with degree โ‰ค ๐‘ โˆ’ 1. Prove that 1

๐‘‘๐‘ โˆซ ๐‘“(๐‘ฅ)๐‘‘๐‘ฅ โˆˆ โ„ค. 0 ๐‘

(iii) Take ๐‘“๐‘ (๐‘ฅ) = ๐‘ฅ (1 โˆ’ ๐‘ฅ)๐‘ and use (b) to show that 1

๐‘‘2๐‘+1 โˆซ ๐‘“๐‘ (๐‘ฅ)๐‘‘๐‘ฅ โ‰ฅ 1. 0

(iv) Show that

1 โˆซ0 ๐‘“๐‘ (๐‘ฅ)๐‘‘๐‘ฅ

โ‰ค 4โˆ’๐‘ and deduce that

๐‘‘2๐‘+1 โ‰ฅ 4๐‘ and ๐œ‹(2๐‘ + 1) โ‰ฅ

(2 log 2)๐‘ . log(2๐‘ + 1)

This approach to the Chebyshev bounds for ๐œ‹(๐‘) was first discovered by Gelfond and Schnirelman, and rediscovered by Nair [20]; for more on its history, and improvements, see Chapter 10 of Montgomery [19].

Chapter 3

Congruences in rings

The main goal of this chapter is to introduce the notion of a quotient ring, which will play a key role in our construction of finite fields. Given a ring ๐‘… and an ideal ๐ผ in ๐‘…, we shall describe how to construct a quotient ring ๐‘…/๐ผ. This construction generalizes the notion of congruences in the integers, which we discussed briefly in Example 1.9 and which corresponds to the situation ๐‘… = โ„ค, ๐ผ = ๐‘›โ„ค leading to the quotient ring โ„ค/๐‘›โ„ค. After describing the general construction, we shall discuss the case of โ„ค/๐‘›โ„ค in a little more detail. When ๐‘› = ๐‘ is a prime in the integers, the rings โ„ค/๐‘โ„ค will give our first examples of finite fields. When is the quotient ring ๐‘…/๐ผ an integral domain? When is it a field? In ยง3.3 we characterize these properties of ๐‘…/๐ผ in terms of properties of the ideal ๐ผ. Finally as an application of these ideas we determine in ยง3.4 the primes in the Gaussian integers โ„ค[๐‘–]. This will give a classical result of Fermat that every prime of the form 4๐‘˜ + 1 can be written as a sum of two squares, and also yield interesting finite fields of size ๐‘2 when ๐‘ is of the form 4๐‘˜ + 3.

3.1. Congruences and quotient rings Let ๐‘… be a ring (commutative as always, with identity 1). While we will be especially interested in examples like ๐‘… = โ„ค, or โ„ค[๐‘–], or the polynomial ring ๐”ฝ[๐‘ฅ] over a field ๐”ฝ, for the present ๐‘… could be any ring (not necessarily an integral domain for instance). Let ๐ผ be an ideal of ๐‘…. 45

46

3. Congruences in rings

Definition 3.1. We say that two elements ๐‘Ž and ๐‘ are congruent modulo ๐ผ if ๐‘Ž โˆ’ ๐‘ belongs to the ideal ๐ผ, and we will write this as ๐‘Ž โ‰ก ๐‘ mod ๐ผ. By ๐‘Ž mod ๐ผ (which we call a congruence class) we mean the set of all elements in ๐‘… that are congruent to ๐‘Ž mod ๐ผ: ๐‘Ž mod ๐ผ = {๐‘ โˆˆ ๐‘… โˆถ ๐‘ โ‰ก ๐‘Ž mod ๐ผ}. Since ๐‘Ž mod ๐ผ consists of elements ๐‘Ž + ๐‘– with ๐‘– โˆˆ ๐ผ, we may sometimes also denote ๐‘Ž mod ๐ผ by ๐‘Ž + ๐ผ. The notion of a congruence is an example of an equivalence relation. Let us recall quickly what this means. Definition 3.2. Let ๐‘† be a set, and let โˆผ be a binary relation on ๐‘† (that is, given two elements ๐‘Ž and ๐‘, either the relation ๐‘Ž โˆผ ๐‘ holds, or it does not hold). The relation โˆผ is called an equivalence relation if the following three properties hold: (i) The relation is reflexive, which means ๐‘Ž โˆผ ๐‘Ž for all ๐‘Ž โˆˆ ๐‘†. (ii) The relation is symmetric, which means that ๐‘Ž โˆผ ๐‘ holds if and only if ๐‘ โˆผ ๐‘Ž holds, for any two elements ๐‘Ž, ๐‘ โˆˆ ๐‘†. (iii) The relation is transitive: If ๐‘Ž โˆผ ๐‘ and ๐‘ โˆผ ๐‘ hold, then it follows that ๐‘Ž โˆผ ๐‘ holds. The notion of an equivalence relation generalizes the notion of equality, which clearly satisfies the reflexive, symmetry and transitive properties. You may easily check that our definition of congruence mod ๐ผ satisfies the criteria for being an equivalence relation. For example, let us check the transitive property. Note that ๐‘Ž โ‰ก ๐‘ mod ๐ผ means that ๐‘Ž โˆ’ ๐‘ โˆˆ ๐ผ, and ๐‘ โ‰ก ๐‘ mod ๐ผ means that ๐‘ โˆ’ ๐‘ โˆˆ ๐ผ. Therefore if ๐‘Ž โˆผ ๐‘ and ๐‘ โˆผ ๐‘ hold, then ๐‘Ž โˆ’ ๐‘ = (๐‘Ž โˆ’ ๐‘) + (๐‘ โˆ’ ๐‘) must be in ๐ผ which establishes that ๐‘Ž โ‰ก ๐‘ mod ๐ผ. In general, given a set ๐‘† with an equivalence relation โˆผ, for any element ๐‘Ž โˆˆ ๐‘† we can consider the set [๐‘Ž] of all elements ๐‘ โˆˆ ๐‘† with ๐‘ โˆผ ๐‘Ž. Such sets [๐‘Ž] are called equivalence classes. If [๐‘Ž] and [๐‘] are two equivalence classes, then either they are identical sets, or they are disjoint. Indeed if an element ๐‘ belonged to both [๐‘Ž] and [๐‘] then ๐‘ โˆผ ๐‘Ž and ๐‘ โˆผ ๐‘, which by symmetry and transitivity forces ๐‘Ž โˆผ ๐‘. If ๐‘Ž โˆผ ๐‘ then note that any element ๐‘ฅ with ๐‘Ž โˆผ ๐‘ฅ will also satisfy ๐‘ โˆผ ๐‘ฅ (check), and similarly any element ๐‘ฆ with ๐‘ โˆผ ๐‘ฆ will satisfy ๐‘Ž โˆผ ๐‘ฆ, so that [๐‘Ž] = [๐‘].

3.1. Congruences and quotient rings

47

The set ๐‘† can then be decomposed as a union of equivalence classes, ๐‘† = โˆช๐‘Žโˆˆ๐‘† [๐‘Ž], and since two distinct equivalence classes are disjoint, we in fact obtain a partition of the set ๐‘† into disjoint equivalence classes. With these preliminary observations in place, we are ready to define the quotient ring ๐‘…/๐ผ. Definition 3.3. Let ๐‘… be a ring, and ๐ผ an ideal in ๐‘…. The quotient ring ๐‘…/๐ผ consists of the set of all congruence classes mod ๐ผ {๐‘Ž mod ๐ผ โˆถ ๐‘Ž โˆˆ ๐‘…} together with binary operations +, ร— on such congruence classes defined by (3.1)

๐‘Ž mod ๐ผ + ๐‘ mod ๐ผ = (๐‘Ž + ๐‘) mod ๐ผ,

and (3.2)

(๐‘Ž mod ๐ผ) ร— (๐‘ mod ๐ผ) = (๐‘Ž ร— ๐‘) mod ๐ผ.

To clarify, the left sides of (3.1) and (3.2) are defining the operations of + and ร— on congruence classes mod ๐ผ using the known definitions of + and ร— in the ring ๐‘…, which are found in the expressions ๐‘Ž + ๐‘ and ๐‘Ž ร— ๐‘ on the right sides of (3.1) and (3.2). There is a further point that requires careful thinking through: we must check that the operations described in (3.1) and (3.2) are well defined. What does this mean? Suppose ๐‘Žโ€ฒ and ๐‘โ€ฒ are elements of ๐‘… with ๐‘Žโ€ฒ โ‰ก ๐‘Ž mod ๐ผ and ๐‘โ€ฒ โ‰ก ๐‘ mod ๐ผ. Then the congruence classes ๐‘Ž mod ๐ผ and ๐‘Žโ€ฒ mod ๐ผ are identical, and similarly so are ๐‘ mod ๐ผ and ๐‘โ€ฒ mod ๐ผ. In order for (3.1) and (3.2) to be well defined we must check that ๐‘Žโ€ฒ + ๐‘โ€ฒ โ‰ก ๐‘Ž + ๐‘ mod ๐ผ and that ๐‘Žโ€ฒ ๐‘โ€ฒ โ‰ก ๐‘Ž๐‘ mod ๐ผ, so that there is no inconsistency. To check this, suppose ๐‘Žโ€ฒ = ๐‘Ž + ๐‘– and ๐‘โ€ฒ = ๐‘ + ๐‘— where ๐‘– and ๐‘— are in the ideal ๐ผ. Then ๐‘Žโ€ฒ + ๐‘โ€ฒ = (๐‘Ž + ๐‘) + (๐‘– + ๐‘—), and since ๐‘– + ๐‘— is in the ideal ๐ผ it follows that ๐‘Žโ€ฒ + ๐‘โ€ฒ โ‰ก ๐‘Ž + ๐‘ mod ๐ผ as we wanted. Similarly ๐‘Žโ€ฒ ๐‘โ€ฒ = (๐‘Ž + ๐‘–)(๐‘ + ๐‘—) = ๐‘Ž๐‘ + ๐‘–๐‘ + ๐‘Ž๐‘— + ๐‘–๐‘—, and note that ๐‘–๐‘, ๐‘Ž๐‘—, ๐‘–๐‘— are all in ๐ผ and therefore so is ๐‘–๐‘ + ๐‘Ž๐‘— + ๐‘–๐‘—. This shows that ๐‘Žโ€ฒ ๐‘โ€ฒ โ‰ก ๐‘Ž๐‘ mod ๐ผ as needed. Now that the definitions of + and ร— in ๐‘…/๐ผ have been clarified, and shown to be well defined, you should now check that with these operations ๐‘…/๐ผ forms a commutative ring with identity. For example, the

48

3. Congruences in rings

additive identity is given by the congruence class 0 mod ๐ผ, and the multiplicative identity by 1 mod ๐ผ. Check that under the operation of addition, the set ๐‘…/๐ผ of all equivalence classes mod ๐ผ forms a group. Check that multiplication is commutative, and distributes over addition. Example 3.4. In any ring ๐‘… you can take the ideal ๐ผ = {0}. Then two elements are congruent mod(0) only if they are equal, and so the congruence classes are the same as the elements of the ring. At the other extreme, if we take ๐ผ = ๐‘… then all elements of the ring are congruent to each other, and there is only one congruence class 0 mod ๐ผ. Thus ๐‘…/๐ผ here is the trivial zero ring. Example 3.5. If ๐‘… = โ„ค and ๐ผ = (๐‘›), the ideal consisting of multiples of the natural number ๐‘›, then we recover the notion of congruences mod ๐‘›, which may be familiar to you, and which we discussed briefly in Example 1.9. Recall that here we write ๐‘Ž โ‰ก ๐‘ mod ๐‘› to mean ๐‘›|(๐‘Ž โˆ’ ๐‘), and mod (๐‘›) has been abbreviated to mod ๐‘›. We shall discuss this ring a little more in the next section, and also in Chapter 6. Here note that ๐‘Ž mod ๐‘› is the same as ๐‘Ž + ๐‘› mod ๐‘› or ๐‘Ž โˆ’ 17๐‘› mod ๐‘› etc. An explicit partition of โ„ค into equivalence classes mod ๐‘› is the union of ๐‘– mod ๐‘› for 0 โ‰ค ๐‘– โ‰ค ๐‘› โˆ’ 1. In โ„ค it is common to call ๐‘Ž mod ๐‘› a residue class, and we may sometimes use the phrase complete set of residue classes mod ๐‘› to refer to a collection of distinct residue classes with union โ„ค. The notion of quotient ring we have developed is an instance of a general theme in mathematics of taking quotients of various structures. In linear algebra you may have encountered the idea of a quotient space of a vector space by a subspace. To give another example (which you will encounter in much more detail in a group theory course), if ๐บ is a group and ๐ป is a subgroup of ๐บ then you can think of the quotient ๐บ/๐ป as equivalence classes under the relation that ๐‘”1 and ๐‘”2 in ๐บ are treated the same if ๐‘”โˆ’1 2 ๐‘”1 is in the subgroup ๐ป. In general, the quotient ๐บ/๐ป will not inherit a group structure and does so only when ๐ป is a special kind of subgroup (known as a normal subgroup). For abelian (that is, commutative) groups, all subgroups are normal, and in this setting you may wish to check that ๐บ/๐ป forms a group. We will discuss this idea further in ยง5.2.

3.2. The ring โ„ค/๐‘›โ„ค

49

3.2. The ring โ„ค/๐‘›โ„ค Let us look a little more closely at the ring โ„ค/๐‘›โ„ค. We start with the additive structure of this ring, which is easy to understand. The congruence class 1 mod ๐‘› can be added to itself many times and generates 2 mod ๐‘›, 3 mod ๐‘›, . . ., (๐‘› โˆ’ 1) mod ๐‘›, and then ๐‘› โ‰ก 0 mod ๐‘›. This is an example of a cyclic group, which is a group generated by the powers (positive and negative) of some element. The group โ„ค is also a cyclic group, generated by 1, but that group is infinite in contrast to the additive group โ„ค/๐‘›โ„ค which is finite with ๐‘› elements. You may recall that we discussed cyclic groups and subgroups briefly in Example 1.3, and we will return to them later in ยง5.1. Understanding the multiplicative structure needs more work, and we shall return to this problem in Chapter 5. For the present let us consider the problem of determining the units in โ„ค/๐‘›โ„ค. Recall that in any ring ๐‘…, the units form a multiplicative group which we denote by ๐‘…ร— . What then are the elements of the multiplicative group of units (โ„ค/๐‘›โ„ค)ร— ? Definition 3.6. A residue class ๐‘Ž mod ๐‘› is called reduced if (๐‘Ž, ๐‘›) = 1 (where (๐‘Ž, ๐‘›) denotes the gcd of ๐‘Ž and ๐‘›). If two integers have gcd 1, they are called coprime. The number of reduced residue classes mod ๐‘› is called Eulerโ€™s totient function, and is denoted by ๐œ™(๐‘›). Thus ๐œ™(๐‘›) denotes the number of integers ๐‘Ž that are coprime to ๐‘› with 1 โ‰ค ๐‘Ž โ‰ค ๐‘›.

Lemma 3.7. The multiplicative units of โ„ค/๐‘›โ„ค are precisely the reduced residue classes. Thus for every reduced residue class ๐‘Ž mod ๐‘› there exists a reduced residue class ๐‘ mod ๐‘› such that ๐‘Ž๐‘ โ‰ก 1 mod ๐‘›; in the sequel, we shall write the multiplicative inverse of ๐‘Ž mod ๐‘› as ๐‘Žโˆ’1 mod ๐‘›. Proof. Suppose first that ๐‘Ž mod ๐‘› is a unit. This means that there is a residue class ๐‘ mod ๐‘› with ๐‘Ž๐‘ mod ๐‘› being the multiplicative identity 1 mod ๐‘›. Thus ๐‘Ž๐‘ โ‰ก 1 mod ๐‘› which implies that (๐‘Ž๐‘, ๐‘›) = 1, and therefore (๐‘Ž, ๐‘›) = 1. Thus ๐‘Ž mod ๐‘› is reduced. Conversely, suppose that ๐‘Ž mod ๐‘› is reduced. We must find its inverse ๐‘ mod ๐‘›. Since (๐‘Ž, ๐‘›) = 1, by the Euclidean algorithm (or simply because โ„ค is a PID), we have ๐‘Ž๐‘ฅ + ๐‘›๐‘ฆ = 1 for some integers ๐‘ฅ and ๐‘ฆ. But then ๐‘Ž๐‘ฅ โ‰ก 1 mod ๐‘› and ๐‘ฅ mod ๐‘› is the sought after inverse. โ–ก

50

3. Congruences in rings

In Chapter 6 we shall understand the structure of the group of reduced residues (โ„ค/๐‘›โ„ค)ร— , which is a good bit more complicated than the simple cyclic structure of the additive group โ„ค/๐‘›โ„ค. Now let us consider when โ„ค/๐‘›โ„ค is an integral domain, and when it is a field. Proposition 3.8. If ๐‘› is composite (that is, it is not a prime number) then โ„ค/๐‘›โ„ค is not an integral domain. If ๐‘› = ๐‘ is a prime number, then โ„ค/๐‘›โ„ค = โ„ค/๐‘โ„ค is a field (and thus an integral domain). Proof. If ๐‘› = ๐‘Ž๐‘ (with ๐‘Ž and ๐‘ being positive integers with neither ๐‘Ž nor ๐‘ being 1) is composite, then ๐‘Ž mod ๐‘› and ๐‘ mod ๐‘› are zero divisors in the ring โ„ค/๐‘›โ„ค. Thus this ring is not an integral domain. Now suppose that ๐‘› = ๐‘ is a prime. If ๐‘Ž is not a multiple of ๐‘ then ๐‘Ž must be coprime to ๐‘. Thus all non-zero elements in โ„ค/๐‘โ„ค are units (or reduced residues), and therefore โ„ค/๐‘โ„ค is a field. โ–ก We shall also denote โ„ค/๐‘โ„ค as ๐”ฝ๐‘ to indicate that it is a field of size ๐‘. One of our main goals will be to construct finite fields of order ๐‘๐‘˜ for all prime powers ๐‘๐‘˜ , and further to show that these are all the possible finite fields. The fields of prime power order cannot be constructed just using quotients of โ„ค. For instance, the field of size ๐‘2 is not the ring โ„ค/๐‘2 โ„ค which, as mentioned above, is not even an integral domain! We end this section by establishing Wilsonโ€™s theorem together with a variant of it, which we will use in Section 3.4 to determine all the primes in the Gaussian integers. Theorem 3.9. If ๐‘ is a prime number then (3.3)

(๐‘ โˆ’ 1)! โ‰ก โˆ’1 mod ๐‘.

Further, if ๐‘ is an odd prime then (3.4)

(

๐‘โˆ’1 2 )! 2

โ‰ก (โˆ’1)

๐‘+1 2

mod ๐‘.

The right side of (3.4) is โˆ’1 if ๐‘ โ‰ก 1 mod 4, and is +1 if ๐‘ โ‰ก 3 mod 4. Proof. Let us begin with Wilsonโ€™s theorem, which is the statement in (3.3). When ๐‘ = 2 the statement is that 1! โ‰ก โˆ’1 mod 2, which is clear. Now suppose ๐‘ โ‰ฅ 3, and write out (๐‘โˆ’1)! as 1ร—2ร—โ‹ฏร—(๐‘โˆ’1). The idea is that all the terms here correspond to reduced residue classes mod ๐‘, and therefore we may pair them off with their inverse, and in that way

3.3. Prime ideals and maximal ideals

51

simplify the product mod ๐‘. We must be a little careful though, for it may happen that a reduced residue class is its own inverse, and so cannot be paired off in this way. Which reduced residue classes mod ๐‘ are their own inverse? We are looking for reduced residue classes ๐‘ฅ mod ๐‘ such that ๐‘ฅ ร— ๐‘ฅ โ‰ก ๐‘ฅ2 โ‰ก 1 mod ๐‘. In other words ๐‘ must divide (๐‘ฅ2 โˆ’1) = (๐‘ฅ+1)(๐‘ฅโˆ’1), and since ๐‘ is prime, this means that ๐‘|(๐‘ฅ + 1) or ๐‘|(๐‘ฅ โˆ’ 1). Therefore, the only reduced residue classes mod ๐‘ that are their own inverse are 1 mod ๐‘, and โˆ’1 โ‰ก (๐‘โˆ’1) mod ๐‘. The remaining reduced residue classes ๐‘— mod ๐‘ with 2 โ‰ค ๐‘— โ‰ค ๐‘ โˆ’ 2 may all be paired off with their inverses. It follows that (๐‘ โˆ’ 1)! โ‰ก 1 ร— (2 ร— โ‹ฏ ร— (๐‘ โˆ’ 2)) ร— (๐‘ โˆ’ 1) โ‰ก 1 ร— (๐‘ โˆ’ 1) โ‰ก โˆ’1 mod ๐‘, which is (3.3). To deduce (3.4), note that (๐‘โˆ’1)

(๐‘โˆ’1)/2

โˆ

(๐‘โˆ’1)/2

๐‘– = โˆ (๐‘ โˆ’ ๐‘—) โ‰ก โˆ (โˆ’๐‘—) mod ๐‘

๐‘–=(๐‘+1)/2

๐‘—=1

โ‰ก (โˆ’1)

๐‘—=1 ๐‘โˆ’1 2

๐‘โˆ’1 ( 2 )!

mod๐‘,

and so (๐‘โˆ’1)/2

๐‘โˆ’1

(๐‘ โˆ’ 1)! = โˆ ๐‘— ๐‘—=1

โ‰ก (โˆ’1)

โˆ

๐‘–

๐‘–=(๐‘+1)/2 ๐‘โˆ’1 2

(

๐‘โˆ’1 2 )! 2

mod๐‘.

Appealing now to Wilsonโ€™s theorem (3.3), and noting that (โˆ’1) ๐‘โˆ’1 (โˆ’1)โˆ’ 2 , we deduce that (

๐‘โˆ’1 2 )! 2

โ‰ก (โˆ’1)

๐‘โˆ’1 2

(๐‘ โˆ’ 1)! โ‰ก (โˆ’1)

yielding (3.4).

๐‘+1 2

๐‘โˆ’1 2

=

mod ๐‘, โ–ก

3.3. Prime ideals and maximal ideals So far we have seen that for any ring ๐‘… and an ideal ๐ผ we can form a quotient ring ๐‘…/๐ผ, and we discussed in a bit more detail the special case of โ„ค/๐‘›โ„ค. In the special case โ„ค/๐‘›โ„ค, we found that the quotient ring is an integral domain (and in fact a field) precisely when ๐‘› is a prime. What

52

3. Congruences in rings

happens more generally? When do we get integral domains as quotients, and when do we get fields? In this section we describe how to characterize those ideals for which the quotient ring is an integral domain, and how to characterize those ideals for which the quotient ring is a field. Definition 3.10. Let ๐‘… be a ring, and let ๐‘ƒ be an ideal of ๐‘…. Then ๐‘ƒ is called a prime ideal if (i) ๐‘ƒ โ‰  ๐‘…, and (ii) whenever ๐‘Ž๐‘ lies in ๐‘ƒ we must have either ๐‘Ž โˆˆ ๐‘ƒ, or ๐‘ โˆˆ ๐‘ƒ. Example 3.11. When is (0) a prime ideal? Recall our usual assumption that the ring ๐‘… is not the zero ring. Then the requirement for (0) to be prime is that if ๐‘Ž๐‘ = 0 then either ๐‘Ž or ๐‘ must be 0. In other words, the zero ideal is prime precisely when ๐‘… is an integral domain. Of course, we usually care about more interesting ideals than this! Example 3.12. Suppose ๐‘… is a PID, and let ๐‘ƒ be an ideal of ๐‘…. Since ๐‘… is a PID, we may write ๐‘ƒ = (๐œ‹) for some element ๐œ‹ of ๐‘…. Suppose that ๐‘ƒ is not the zero ideal, nor all of ๐‘…. This is equivalent to ๐œ‹ โ‰  0, and ๐œ‹ not being a unit in ๐‘…. What does it mean to say that ๐‘ƒ is a prime ideal? The criterion (ii) for ๐‘ƒ to be a prime ideal may be restated as saying that whenever ๐‘Ž๐‘ is a multiple of ๐œ‹ (which is the same as ๐‘Ž๐‘ โˆˆ (๐œ‹)) then either ๐‘Ž or ๐‘ must be a multiple of ๐œ‹. Thus, the ideal ๐‘ƒ is prime exactly when the element ๐œ‹ is a prime. Since primes and irreducibles are the same in a PID, we could also say that ๐œ‹ must be irreducible. In particular, the prime ideals in โ„ค are (0) and the ideals (๐‘) for prime numbers ๐‘. Proposition 3.13. Let ๐‘… be a ring and ๐ผ an ideal of ๐‘…. The quotient ring ๐‘…/๐ผ is an integral domain precisely when ๐ผ is a prime ideal. Proof. Suppose ๐ผ is a prime ideal. We must show that the quotient ๐‘…/๐ผ has no zero divisors. Suppose to the contrary that there are nonzero classes ๐‘Ž mod ๐ผ and ๐‘ mod ๐ผ (non-zero elements of ๐‘…/๐ผ) with ๐‘Ž๐‘ โ‰ก 0 mod ๐ผ. The statement ๐‘Ž๐‘ โ‰ก 0 mod ๐ผ means that ๐‘Ž๐‘ โˆˆ ๐ผ, and since ๐ผ is a prime ideal either ๐‘Ž or ๐‘ must be in ๐ผ, so that either ๐‘Ž โ‰ก 0 mod ๐ผ or ๐‘ โ‰ก 0 mod ๐ผ. Contradiction! Conversely, suppose ๐‘…/๐ผ is an integral domain. Being an integral domain, ๐‘…/๐ผ is not the zero ring, and therefore ๐ผ is not the whole ring ๐‘…. Thus, if ๐ผ is not a prime ideal, then there must exist elements ๐‘Ž, ๐‘ in ๐‘… with ๐‘Ž๐‘ โˆˆ ๐ผ but with neither ๐‘Ž nor ๐‘ being an element of ๐ผ. But

3.3. Prime ideals and maximal ideals

53

then ๐‘Ž mod ๐ผ and ๐‘ mod ๐ผ would be non-zero congruence classes that multiply to give ๐‘Ž๐‘ โ‰ก 0 mod ๐ผ. This contradicts the assumption that ๐‘…/๐ผ is an integral domain. โ–ก Example 3.14. If ๐œ‹ is an irreducible in a PID ๐‘…, then ๐‘…/(๐œ‹) is an integral domain. For example, in ๐‘… = โ„š[๐‘ฅ] the polynomial ๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1 is irreducible (check this), and therefore (๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1) is a prime ideal and the quotient โ„š[๐‘ฅ]/(๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1) is an integral domain. Example 3.15. Consider ๐‘… = โ„ค[๐‘ฅ], which we saw in Example 1.38 is not a PID. Consider the ideal ๐ผ = (2) which consists of all polynomials in โ„ค[๐‘ฅ] whose coefficients are even. What does the quotient ๐‘…/๐ผ look like? What we are doing is to take any polynomial in โ„ค[๐‘ฅ] and reduce its coefficients mod 2. In other words the quotient may be thought of as the ring (โ„ค/2โ„ค)[๐‘ฅ], which is an integral domain. Therefore the ideal (2) is a prime ideal in ๐‘…. Similarly, consider the ideal (๐‘ฅ) which consists of all polynomials in โ„ค[๐‘ฅ] with constant term 0. The quotient โ„ค[๐‘ฅ]/(๐‘ฅ) then keeps track of only the constant term of a polynomial, and thus looks like the ring โ„ค. Since โ„ค is an integral domain, we see that (๐‘ฅ) is also a prime ideal. Our next goal is to characterize the ideals ๐ผ for which ๐‘…/๐ผ is a field. Definition 3.16. Let ๐‘… be a ring, and let ๐‘€ be an ideal of ๐‘…. Then ๐‘€ is called a maximal ideal if (i) ๐‘€ โ‰  ๐‘…, and (ii) the only ideals that contain ๐‘€ are ๐‘€ itself and the whole ring ๐‘…. Example 3.17. When is (0) a maximal ideal? With our usual assumption that ๐‘… is not the zero ring, (0) is maximal if and only if ๐‘… has no ideals besides (0) and ๐‘…. This is the same as wanting ๐‘… to be a field. Example 3.18. Suppose ๐‘… is a PID, and let ๐‘€ = (๐‘š) be an ideal with ๐‘€ โ‰  (0) and ๐‘€ โ‰  ๐‘…. When is ๐‘€ maximal? Recall that if ๐‘ = (๐‘›) is another ideal, then ๐‘€ is contained in ๐‘ exactly when ๐‘› divides ๐‘š. Thus if ๐‘š is irreducible (or equivalently prime), the only ideals containing ๐‘€ are ๐‘€ and ๐‘…, so that ๐‘€ is maximal. On the other hand, if ๐‘š = ๐‘Ž๐‘ is reducible, then (๐‘Ž) and (๐‘) would be examples of ideals containing (๐‘š). Thus, in a PID non-zero maximal ideals and prime ideals are the same, and they both correspond to ideals that are generated by prime (or irreducible) elements of the ring. The zero ideal is a prime ideal in

54

3. Congruences in rings

a PID (indeed in any integral domain), but need not be maximal; for example in โ„ค the zero ideal is prime, but not maximal. Proposition 3.19. If ๐‘€ is an ideal of ๐‘… then the quotient ๐‘…/๐‘€ is a field precisely when ๐‘€ is a maximal ideal. In particular, every maximal ideal is a prime ideal. Proof. Suppose ๐‘€ is a maximal ideal, and let ๐‘Ž be any element not in ๐‘€. Consider the ideal ๐‘ generated by โ€œaddingโ€ ๐‘Ž to ๐‘€: that is, take ๐‘ = {๐‘Ž๐‘ฅ + ๐‘š โˆถ ๐‘ฅ โˆˆ ๐‘…, ๐‘š โˆˆ ๐‘€}. Check that ๐‘ is indeed an ideal, and note that it strictly contains ๐‘€. Therefore by the maximality of ๐‘€ we must have ๐‘ = ๐‘…. It follows that for some ๐‘ฅ โˆˆ ๐‘… and some ๐‘š โˆˆ ๐‘€ we must have 1 = ๐‘Ž๐‘ฅ + ๐‘š, so that ๐‘Ž๐‘ฅ โ‰ก 1 mod ๐‘€. Thus every nonzero element ๐‘Ž mod ๐‘€ of ๐‘…/๐‘€ has an inverse (namely, ๐‘ฅ mod ๐‘€), and the quotient ๐‘…/๐‘€ is a field. Since fields are always integral domains, we may also conclude by Proposition 3.13 that ๐‘€ is a prime ideal. Now let us consider the converse statement. Suppose ๐‘…/๐‘€ is a field, and we want to show that ๐‘€ is maximal. Notice that ๐‘€ cannot be ๐‘…, since ๐‘…/๐‘€ is a field and therefore not the zero ring. Let ๐‘ be an ideal that strictly contains ๐‘€; we will show that ๐‘ must be the full ring ๐‘…. Let ๐‘Ž be an element of ๐‘ but not ๐‘€. Then ๐‘Ž mod ๐‘€ is a non-zero congruence class, and thus has an inverse. That is, there exists ๐‘ฅ โˆˆ ๐‘… with ๐‘Ž๐‘ฅ = 1+๐‘š for some ๐‘š โˆˆ ๐‘€. But ๐‘Ž๐‘ฅ is in ๐‘ (since ๐‘ is an ideal) and ๐‘š โˆˆ ๐‘ (since ๐‘ contains ๐‘€) and therefore 1 = ๐‘Ž๐‘ฅ โˆ’ ๐‘š is also in ๐‘. But this means that ๐‘ = ๐‘…. We conclude that ๐‘€ is maximal. โ–ก Example 3.20. In Example 3.14, we considered the quotient ring of the PID โ„š[๐‘ฅ] by the prime ideal (๐‘ฅ2 โˆ’๐‘ฅโˆ’1). Since prime ideals and maximal ideals are the same in a PID, we see that โ„š[๐‘ฅ]/(๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1) is in fact a field. Its elements are congruence classes ๐‘Ž + ๐‘๐‘ฅ mod (๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1), with ๐‘Ž, ๐‘ โˆˆ โ„š, and the ring operations on these congruence classes correspond to usual addition and multiplication of polynomials together with the ability to simplify ๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1 to 0. In the real numbers the golden ratio ๐œ™ = (1 + โˆš5)/2 is a real number satisfying the equation ๐œ™2 โˆ’ ๐œ™ โˆ’ 1 = 0, and this symbol ๐œ™ plays exactly the same role as ๐‘ฅ in our field โ„š[๐‘ฅ]/(๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1). In other words, we may think of the field โ„š(๐œ™) = {๐‘Ž + ๐‘๐œ™ โˆถ ๐‘Ž, ๐‘ โˆˆ โ„š} as being the same as โ„š[๐‘ฅ]/(๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1).

3.4. Primes in the Gaussian integers

55

Example 3.21. In Example 3.15, we considered ๐‘… = โ„ค[๐‘ฅ] and the ideals (2) and (๐‘ฅ), which we showed are prime ideals. We saw that the quotient โ„ค[๐‘ฅ]/(2) may be thought of as (โ„ค/2โ„ค)[๐‘ฅ] and that the quotient โ„ค[๐‘ฅ]/(๐‘ฅ) may be thought of as โ„ค. These quotients are thus integral domains, but not fields. Therefore neither (2) nor (๐‘ฅ) is a maximal ideal. Indeed they are both contained in the ideal (2, ๐‘ฅ). The quotient โ„ค[๐‘ฅ]/(2, ๐‘ฅ) consists of the congruence classes 0 mod (2, ๐‘ฅ) and 1 mod (2, ๐‘ฅ), which has the same structure as the field with two elements โ„ค/2โ„ค = ๐”ฝ2 . The ideal (2, ๐‘ฅ) is therefore maximal. We round out this section by recording two more propositions. Proposition 3.22. Let ๐‘… be a PID. Then the non-zero prime ideals of ๐‘… are (๐‘) where ๐‘ โˆˆ ๐‘… is an irreducible (or, equivalently, prime), and these ideals are also maximal. Thus for every irreducible ๐‘ โˆˆ ๐‘…, the quotient ๐‘…/(๐‘) is a field. Proof. The proposition merely records our discussion in Example 3.12, Example 3.18, and Proposition 3.19. โ–ก Proposition 3.23. Every finite integral domain is a field. Proof. Problem 8 of Chapter 1 shows that in a finite ring ๐‘… any element ๐‘Ž that is not zero and not a zero divisor must be a unit. It follows that in a finite integral domain ๐‘…, all non-zero elements are units, so that ๐‘… is a field. Here is an alternative proof. Let ๐‘Ž be a non-zero element of the integral domain ๐‘…. We must show that ๐‘Ž is a unit (that is, has a multiplicative inverse). Look at the powers of ๐‘Ž: ๐‘Ž, ๐‘Ž2 , ๐‘Ž3 , . . .. Since the ring is finite, we must have ๐‘Ž๐‘š = ๐‘Ž๐‘š+๐‘› for some natural numbers ๐‘š and ๐‘›. Thus ๐‘Ž๐‘š (๐‘Ž๐‘› โˆ’ 1) = 0, and since we are in an integral domain, we must have ๐‘Ž๐‘› = 1. But then ๐‘Ž(๐‘Ž๐‘›โˆ’1 ) = 1 and so ๐‘Ž๐‘›โˆ’1 is the desired multiplicative inverse of ๐‘Ž. โ–ก

3.4. Primes in the Gaussian integers From Chapter 1, we already know that the ring of Gaussian integers โ„ค[๐‘–] is a Euclidean domain, and therefore a PID, and therefore a UFD. What are the irreducibles (equivalently primes) in this ring? Once we identify these, their quotients will be fields by Proposition 3.22, and we will obtain some interesting new finite fields in this way.

56

3. Congruences in rings

A key tool in understanding this situation will be the norm function: ๐‘ โˆถ โ„ค[๐‘–] โ†’ โ„คโ‰ฅ0 defined by ๐‘(๐‘Ž + ๐‘๐‘–) = ๐‘Ž2 + ๐‘2 . Recall that the norm is multiplicative ๐‘(๐›ผ๐›ฝ) = ๐‘(๐›ผ)๐‘(๐›ฝ) for ๐›ผ, ๐›ฝ โˆˆ โ„ค[๐‘–] and that the units in โ„ค[๐‘–] correspond to the elements of norm 1 namely ยฑ1, and ยฑ๐‘– (see Example 1.18). Here is a simple criterion to recognize some irreducibles in โ„ค[๐‘–]. Lemma 3.24. Suppose ๐‘Ž + ๐‘๐‘– โˆˆ โ„ค[๐‘–] has norm ๐‘Ž2 + ๐‘2 = ๐‘ for a prime number ๐‘ (in the usual integers). Then ๐‘Ž+๐‘๐‘– is an irreducible (equivalently prime) in โ„ค[๐‘–]. Proof. Suppose (๐‘Ž + ๐‘๐‘–) factors as ๐œŒ๐œŽ with ๐œŒ, ๐œŽ โˆˆ โ„ค[๐‘–]. Then we must have ๐‘(๐‘Ž+๐‘๐‘–) = ๐‘(๐œŒ)๐‘(๐œŽ), and since ๐‘(๐‘Ž+๐‘๐‘–) is assumed to be a prime number, this forces either ๐‘(๐œŒ) or ๐‘(๐œŽ) to be 1, so that either ๐œŒ or ๐œŽ must be a unit. Thus there is no non-trivial way to factor ๐‘Ž + ๐‘๐‘–, so that ๐‘Ž + ๐‘๐‘– must be irreducible. โ–ก The next result gives a complete description of all the primes in โ„ค[๐‘–]. Theorem 3.25. Let ๐œ‹ denote an irreducible in โ„ค[๐‘–]. Then one of the following three cases holds: (i) The norm of ๐œ‹ is 2, and ๐œ‹ is an associate of 1 + ๐‘–. (ii) The norm of ๐œ‹ equals a prime integer ๐‘ โ‰ก 1 mod 4. In this case ๐‘ may be expressed as ๐‘Ž2 + ๐‘2 = (๐‘Ž + ๐‘๐‘–)(๐‘Ž โˆ’ ๐‘๐‘–) for some ๐‘Ž, ๐‘ โˆˆ โ„ค. Apart from associates, there are exactly two such irreducibles with norm ๐‘, namely ๐‘Ž + ๐‘๐‘– and ๐‘Ž โˆ’ ๐‘๐‘–, and so ๐œ‹ is an associate of one of these. (iii) The norm of ๐œ‹ is ๐‘2 for a prime ๐‘ โ‰ก 3 mod 4, and ๐œ‹ is an associate of ๐‘. Proof. Let ๐œ‹ be an irreducible in โ„ค[๐‘–], and consider the prime ideal (๐œ‹). What are the integers (elements of โ„ค) in this idealโ€”namely (๐œ‹) โˆฉ โ„ค? If we call this set ๐‘ƒ, note that 0 โˆˆ ๐‘ƒ and ๐‘(๐œ‹) = ๐œ‹๐œ‹ is a non-zero integer in ๐‘ƒ. First we claim that ๐‘ƒ is an ideal in โ„ค. Indeed if ๐‘Ž, ๐‘ are in ๐‘ƒ then they are both integers in (๐œ‹), and their sum ๐‘Ž + ๐‘ is also an integer, and also in (๐œ‹); thus ๐‘Ž + ๐‘ โˆˆ (๐œ‹) โˆฉ โ„ค = ๐‘ƒ. Similarly if ๐‘Ž โˆˆ ๐‘ƒ and ๐‘Ÿ โˆˆ โ„ค, then the product ๐‘Ž๐‘Ÿ is both an integer as well as an element of ๐œ‹ (since ๐‘Ž โˆˆ (๐œ‹) and ๐‘Ÿ โˆˆ โ„ค[๐‘–]), and therefore ๐‘Ž๐‘Ÿ lies in ๐‘ƒ. This establishes the claim.

3.4. Primes in the Gaussian integers

57

Next we claim that ๐‘ƒ is in fact a prime ideal in โ„ค. If ๐‘Ž and ๐‘ are two integers with ๐‘Ž๐‘ โˆˆ ๐‘ƒ, then ๐‘Ž๐‘ lies in (๐œ‹), and since (๐œ‹) is a prime ideal, either ๐‘Ž or ๐‘ must be in ๐œ‹. Since ๐‘Ž and ๐‘ were already known to be integers, it follows that either ๐‘Ž or ๐‘ must lie in (๐œ‹) โˆฉ โ„ค = ๐‘ƒ. From our work so far, we know that ๐‘ƒ = (๐œ‹) โˆฉ โ„ค is a non-zero prime ideal in โ„ค, so that ๐‘ƒ = ๐‘โ„ค for some prime number ๐‘. Suppose first that ๐‘ = 2. Note that 2 is not an irreducible in โ„ค[๐‘–] since it factors as 2 = (1 + ๐‘–)(1 โˆ’ ๐‘–) = (โˆ’๐‘–)(1 + ๐‘–)2 = ๐‘–(1 โˆ’ ๐‘–)2 . Note that 1 + ๐‘– and 1 โˆ’ ๐‘– are associates of each other, and they are irreducible since their norm is 2 which is a prime in โ„ค. Since 2 = (โˆ’๐‘–)(1+๐‘–)2 belongs to the prime ideal (๐œ‹), we must have 1 + ๐‘– โˆˆ (๐œ‹). Since 1 + ๐‘– is irreducible, and ๐œ‹ divides it, we must have ๐œ‹ being an associate of 1 + ๐‘–. This is the case described in part (i). Suppose next that ๐‘ โ‰ก 1 mod 4. We claim once again that ๐‘ is not an irreducible in โ„ค[๐‘–]. To prove this, we will use the variant of Wilsonโ€™s theorem from Section 3.2! Since (โˆ’1)(๐‘+1)/2 = โˆ’1 (for ๐‘ โ‰ก 1 mod 4), from (3.4) of Theorem 3.9 it follows that there is an integer ๐‘› with ๐‘›2 โ‰ก โˆ’1 mod ๐‘โ€”just take ๐‘› = ((๐‘ โˆ’ 1)/2)!. Thus ๐‘ divides ๐‘›2 + 1 = (๐‘› + ๐‘–)(๐‘› โˆ’ ๐‘–), but note that ๐‘ does not divide ๐‘› + ๐‘– or ๐‘› โˆ’ ๐‘–. Therefore ๐‘ is not a prime (and hence not an irreducible) in โ„ค[๐‘–]. Since ๐‘ is reducible in โ„ค[๐‘–] it must factor as ๐‘ = ๐›ผ๐›ฝ with ๐›ผ, ๐›ฝ โˆˆ โ„ค[๐‘–] and neither of them a unit. But then we have ๐‘(๐‘) = ๐‘2 = ๐‘(๐›ผ)๐‘(๐›ฝ), and since neither ๐›ผ nor ๐›ฝ is a unit we must have ๐‘(๐›ผ) = ๐‘(๐›ฝ) = ๐‘. If we write ๐›ผ as ๐‘Ž+๐‘๐‘–, it follows that ๐‘ = ๐‘(๐‘Ž+๐‘๐‘–) = ๐‘Ž2 +๐‘2 = (๐‘Ž+๐‘๐‘–)(๐‘Žโˆ’๐‘๐‘–), so that ๐›ฝ must be ๐‘Ž โˆ’ ๐‘๐‘–. By Lemma 3.24 both ๐›ผ = ๐‘Ž + ๐‘๐‘– and ๐›ฝ = ๐‘Ž โˆ’ ๐‘๐‘– must be irreducibles in โ„ค[๐‘–], since their norm is the prime number ๐‘. Finally since ๐‘ lies in (๐œ‹), ๐‘ must be a multiple of ๐œ‹, so that ๐œ‹ must be an associate of either the irreducible ๐›ผ or the irreducible ๐›ฝ. This proves the second case described in the theorem, and note that we have established the non-obvious fact that every prime ๐‘ โ‰ก 1 mod 4 is the sum of two squares! It remains to consider the last case when ๐‘ โ‰ก 3 mod 4. We claim that ๐‘ is irreducible in โ„ค[๐‘–]. For, if ๐‘ can be reduced, then there must be an element ๐‘Ž + ๐‘๐‘– of norm ๐‘, which means that ๐‘ = ๐‘Ž2 + ๐‘2 . But every

58

3. Congruences in rings

square of an integer is either 0 or 1 mod 4, and so the sum of two squares is either 0, 1, or 2 mod 4. Since ๐‘ โ‰ก 3 mod 4, it cannot be a sum of two squares. So ๐‘ is irreducible, and since ๐œ‹ divides ๐‘, we must have that ๐œ‹ is an associate of ๐‘. This completes our proof. โ–ก Let us isolate two interesting facts furnished by Theorem 3.25: Corollary 3.26. Every prime ๐‘ โ‰ก 1 mod 4 is a sum of two squares: ๐‘ = ๐‘Ž2 + ๐‘2 with ๐‘Ž, ๐‘ both integers. For every prime ๐‘ โ‰ก 3 mod 4, the quotient ring โ„ค[๐‘–]/๐‘โ„ค[๐‘–] is a finite field with ๐‘2 elements. As a set of representatives for the congruence classes mod ๐‘โ„ค[๐‘–] we may take ๐‘Ž+๐‘๐‘– mod ๐‘โ„ค[๐‘–] where 0 โ‰ค ๐‘Ž, ๐‘ โ‰ค ๐‘ โˆ’ 1. Proof. The first statement was explicitly mentioned in the statement of Theorem 3.25. As for the second statement, when ๐‘ โ‰ก 3 mod 4 is a prime in the integers, it remains prime in the ring โ„ค[๐‘–]. Since โ„ค[๐‘–] is a PID, the ideal ๐‘โ„ค[๐‘–] is not just prime, but also maximal and the quotient โ„ค[๐‘–]/๐‘โ„ค[๐‘–] is a field. Lastly it is a simple matter to check that for any prime ๐‘ (not just those โ‰ก 3 mod 4), the equivalence classes ๐‘Ž + ๐‘๐‘– mod ๐‘โ„ค[๐‘–] for 0 โ‰ค ๐‘Ž, ๐‘ โ‰ค ๐‘ โˆ’ 1 are all distinct, and their union gives all of โ„ค[๐‘–]. โ–ก

3.5. Exercises 1. Let โ„ denote the field of real numbers. Describe the quotient ring โ„[๐‘ฅ]/(๐‘ฅ2 + 1). Is this object already familiar to you? Explain. 2. Let ๐‘… denote the polynomial ring โ„ค[๐‘ฅ] and ๐ผ denote the ideal (๐‘ฅ2 ) in ๐‘…. Describe the quotient ring ๐‘…/๐ผ, giving the units in that ring and describing the zero divisors (if any). Compare briefly this problem with Exercise 3 of Chapter 1. 3. Let ๐‘˜ be a positive integer congruent to 3 mod 4, and write ๐‘˜ = 4โ„“ โˆ’ 1. Describe the quotient ring โ„ค[๐‘ฅ]/(๐‘ฅ2 โˆ’ ๐‘ฅ + โ„“): by this I mean that you should describe the equivalence classes (by giving a representative for each equivalence class), and explain how to add and multiply equivalence classes. Is there a connection between this ring, and the one you encountered in Exercise 17(i) of Chapter 1? Explain briefly. 4. Show that the additive group โ„ค/๐‘›โ„ค is generated by the residue class ๐‘Ž mod ๐‘› if and only if (๐‘Ž, ๐‘›) = 1.

3.5. Exercises ๐‘’

59 ๐‘’

๐‘’

5. Let ๐‘› = ๐‘11 ๐‘22 โ‹ฏ ๐‘๐‘Ÿ๐‘Ÿ denote the prime factorization of the natural number ๐‘›, where the ๐‘๐‘— are distinct primes, and the exponents ๐‘’๐‘— are natural numbers. Show that the total number of integers ๐‘‘ (positive and negative) that divide ๐‘› equals 2(1 + ๐‘’ 1 )(1 + ๐‘’ 2 ) โ‹ฏ (1 + ๐‘’ ๐‘Ÿ ). ๐‘’

๐‘’

๐‘’

6. Let ๐‘› = ๐‘11 ๐‘22 โ‹ฏ ๐‘๐‘Ÿ๐‘Ÿ denote the prime factorization of the natural number ๐‘›, where the ๐‘๐‘— are distinct primes, and the exponents ๐‘’๐‘— are natural numbers. In terms of the numbers ๐‘’๐‘— , how many ideals does the ring โ„ค/๐‘›โ„ค have? 7. For any prime ๐‘ and any natural numbers ๐‘Ž โ‰ฅ ๐‘ show that (

๐‘Ž๐‘ ๐‘Ž ) โ‰ก ( ) mod ๐‘. ๐‘๐‘ ๐‘

8. Let ๐‘› โ‰ฅ 2 be a natural number, and put ๐‘ = โˆ ๐‘Ž. 1โ‰ค๐‘Žโ‰ค๐‘› (๐‘Ž,๐‘›)=1

Let ๐‘† denote the set of reduced residue classes ๐‘  mod ๐‘› such that ๐‘ 2 โ‰ก 1 mod ๐‘›. Show that ๐‘ โ‰ก ( โˆ ๐‘ ) mod ๐‘›. 1โ‰ค๐‘ โ‰ค๐‘› ๐‘ โˆˆ๐‘†

Deduce Wilsonโ€™s theorem: (๐‘ โˆ’ 1)! โ‰ก โˆ’1 (mod ๐‘) for prime numbers ๐‘. 9. If ๐‘ is prime show that (๐‘โˆ’1 ) โ‰ก (โˆ’1)๐‘˜ mod ๐‘ for all 0 โ‰ค ๐‘˜ โ‰ค ๐‘ โˆ’ 1. ๐‘˜ 10. Let ๐‘… be the ring โ„ค[๐‘ฅ] and let ๐ผ denote the ideal (๐‘ฅ2 + 1). (i) Describe the quotient ring ๐‘…/๐ผ. Give an explicit description of representatives for all congruence classes mod ๐ผ. Multiply the congruence classes 3+4๐‘ฅ mod ๐ผ and 3โˆ’4๐‘ฅ mod ๐ผ, and give the answer in terms of the representatives you chose. (ii) What kind of ideal is ๐ผ? Does it happen to be a prime, or maximal ideal? (iii) If ๐ผ is not a maximal ideal, give explicitly an ideal ๐ฝ that strictly contains ๐ผ and is not all of ๐‘…. 11. Let ๐‘… be a ring, and let ๐‘† be a subring of ๐‘…. That is, ๐‘† is a subset of ๐‘…, such that ๐‘† contains identity elements 0 and 1 in ๐‘…, and ๐‘† forms a ring

60

3. Congruences in rings

under the two operations of ๐‘…. If ๐‘ƒ is a prime ideal in ๐‘…, show that ๐‘ƒ โˆฉ ๐‘† is a prime ideal in ๐‘†. 12. Let ๐‘… be a ring, and let ๐‘† be a subring of ๐‘…. Show, by means of an example, that if ๐‘€ is a maximal ideal in ๐‘…, then ๐‘€ โˆฉ ๐‘† need not be a a maximal ideal in ๐‘†. 13. (i) Let ๐‘ be a prime with ๐‘ โ‰ก 1 mod 4. Show that there are exactly 8 ways to write ๐‘ as the sum of two squares of integers. For example, 5 = (ยฑ1)2 + (ยฑ2)2 = (ยฑ2)2 + (ยฑ1)2 โ€”you may complain rightly that the eight ways are really just one, but at least there should be no confusion about what I mean by 8 ways! (ii) Let ๐‘1 , . . ., ๐‘ ๐‘˜ denote ๐‘˜ distinct primes all congruent to 1 mod 4. Show that the number of ways of writing ๐‘1 โ‹ฏ ๐‘ ๐‘˜ as the sum of two squares of integers equals 4 ร— 2๐‘˜ . 14. Let ๐‘… denote the ring โ„ค[โˆšโˆ’2], which from Exercise 18 of Chapter 1 you know to be a Euclidean domain. In this exercise, we are concerned with the primes in this ring ๐‘…. (i) What are the units in ๐‘…? If ๐œ‹ โˆˆ ๐‘… is an irreducible, show that (๐œ‹) โˆฉ โ„ค is a prime ideal in โ„ค. (ii) Prove that every prime integer ๐‘ โ‰ก 5 mod 8, or โ‰ก 7 mod 8 remains a prime in the ring ๐‘… = โ„ค[โˆšโˆ’2]. (iii) Show that 3, 11, 17, 19, 41, and 43 all split into the product of two primes in ๐‘…. Would you care to make a guess as to what all the primes in ๐‘… are? What would you need to prove your guess? (iv) Exhibit a field with 25 elements, and give a few illustrations of how addition and multiplication in your field work. (This is to familiarize yourself with such objects, so work out as many examples as may be helpful to you.) Part (iii) is open ended, of course, but it should get you to revisit our work on โ„ค[๐‘–], and you should be able to come up with an educated guess! 15. By thinking about unique factorization in โ„ค[๐‘–] prove that integer solutions to the Pythagorean equation ๐‘ฅ2 +๐‘ฆ2 = ๐‘ง2 may be parametrized (up to changing signs of ๐‘ฅ, ๐‘ฆ, or ๐‘ง) as (๐‘˜(๐‘š2 โˆ’ ๐‘›2 ), 2๐‘š๐‘›๐‘˜, ๐‘˜(๐‘š2 + ๐‘›2 ))

3.5. Exercises

61

(or flipping ๐‘ฅ and ๐‘ฆ by (2๐‘˜๐‘š๐‘›, ๐‘˜(๐‘š2 โˆ’ ๐‘›2 ), ๐‘˜(๐‘š2 + ๐‘›2 ))). Here ๐‘˜, ๐‘š and ๐‘› are integers.

Chapter 4

Primes in polynomial rings: constructing finite fields

In this chapter we consider the polynomial ring ๐”ฝ[๐‘ฅ] where ๐”ฝ is a finite field. For instance, think of ๐”ฝ as being the main example that we know so far of a finite field, namely ๐”ฝ๐‘ = โ„ค/๐‘โ„ค. Our goal is to determine the primes in ๐”ฝ[๐‘ฅ]. Since we know that ๐”ฝ[๐‘ฅ] is a Euclidean domain (and therefore a PID), if ๐‘“ is an irreducible (equivalently prime) in ๐”ฝ[๐‘ฅ], then the quotient ring ๐”ฝ[๐‘ฅ]/(๐‘“) will give a field. In this way we shall show that there exists a finite field of size ๐‘๐‘˜ for every prime power ๐‘๐‘˜ .

4.1. Primes in the polynomial ring over a field As mentioned above, our goal is to understand primes (equivalently irreducibles) in the polynomial ring ๐”ฝ[๐‘ฅ] where ๐”ฝ is a field. We will be mainly interested in the case where ๐”ฝ is a finite field (at present we know the examples ๐”ฝ๐‘ , and for primes ๐‘ โ‰ก 3 mod 4 we have seen finite fields of size ๐‘2 in our work on โ„ค[๐‘–]). But to start, it may be helpful to consider also familiar fields such as โ„š, โ„, or โ„‚. So far when we have discussed polynomials, we have thought of them as formal expressions ๐‘Ž0 + ๐‘Ž1 ๐‘ฅ + . . . + ๐‘Ž๐‘› ๐‘ฅ๐‘› without making any reference to them as functions. Let us now make use of this natural idea. Given a polynomial ๐‘“ โˆˆ ๐”ฝ[๐‘ฅ], we can โ€œplug inโ€ values in ๐”ฝ for ๐‘ฅ and in 63

64

4. Primes in polynomial rings: constructing finite fields

this way think of the polynomial as giving rise to a function ๐‘“ โˆถ ๐”ฝ โ†’ ๐”ฝ. It is a simple matter to check (and you should check!) that if ๐‘“ and ๐‘” are polynomials in ๐”ฝ[๐‘ฅ] then when the polynomial ๐‘“ + ๐‘” is evaluated at ๐›ผ โˆˆ ๐”ฝ the result is the sum of evaluating ๐‘“ and ๐‘” at ๐›ผ. Similarly (๐‘“๐‘”)(๐›ผ) equals ๐‘“(๐›ผ)๐‘”(๐›ผ). Example 4.1. There are only 4 possible functions from ๐”ฝ2 to ๐”ฝ2 , but there are infinitely many polynomials in ๐”ฝ2 [๐‘ฅ]. So when we view a polynomial in ๐”ฝ2 [๐‘ฅ] as a function from ๐”ฝ2 โ†’ ๐”ฝ2 , we may lose a lot of information about ๐‘“ and many different polynomials may give rise to the same function. For instance the polynomials ๐‘ฅ, ๐‘ฅ2 , ๐‘ฅ3 , . . . all give rise to the same function from ๐”ฝ2 to ๐”ฝ2 (taking 0 to 0, and 1 to 1), but they are all different elements of ๐”ฝ2 [๐‘ฅ]. Definition 4.2. Let ๐‘“ โˆˆ ๐”ฝ[๐‘ฅ] be a polynomial with coefficients in the field ๐”ฝ. An element ๐›ผ โˆˆ ๐”ฝ is called a root of ๐‘“ if ๐‘“(๐›ผ) = 0. Lemma 4.3. Let ๐”ฝ be a field, and let ๐‘“ โˆˆ ๐”ฝ[๐‘ฅ] be a non-zero polynomial. If ๐›ผ โˆˆ ๐”ฝ is a root of ๐‘“ then ๐‘“(๐‘ฅ) = (๐‘ฅ โˆ’ ๐›ผ)๐‘”(๐‘ฅ) for a polynomial ๐‘” โˆˆ ๐”ฝ[๐‘ฅ]. Moreover, if ๐‘“ has degree ๐‘› then ๐‘“ can have at most ๐‘› distinct roots in ๐”ฝ. Proof. Let us begin with the first assertion. Use the division algorithm to write ๐‘“(๐‘ฅ) = (๐‘ฅโˆ’๐›ผ)๐‘”(๐‘ฅ)+๐‘Ÿ(๐‘ฅ), where either ๐‘Ÿ(๐‘ฅ) is zero (in which case ๐‘“(๐‘ฅ) = (๐‘ฅ โˆ’ ๐›ผ)๐‘”(๐‘ฅ) as desired), or ๐‘Ÿ(๐‘ฅ) is of degree 0 which means that it is a non-zero constant ๐‘Ÿ. We now show that the second case cannot arise. Indeed, evaluating the relation ๐‘“(๐‘ฅ) = (๐‘ฅ โˆ’ ๐›ผ)๐‘”(๐‘ฅ) + ๐‘Ÿ(๐‘ฅ) at ๐‘ฅ = ๐›ผ, we obtain 0 = 0 โ‹… ๐‘”(๐›ผ) + ๐‘Ÿ(๐›ผ), so that ๐‘Ÿ(๐›ผ) = ๐‘Ÿ = 0. To prove the second statement, we use induction. Polynomials of degree 0 are non-zero constants, and thus have no roots. Let now ๐‘“ be a polynomial of degree ๐‘› โ‰ฅ 1, and suppose that the result has been established for all smaller degrees. If ๐‘“ has no roots, then there is nothing to prove. If ๐‘“ has a root ๐›ผ, we may write ๐‘“(๐‘ฅ) = (๐‘ฅ โˆ’ ๐›ผ)๐‘”(๐‘ฅ) for ๐‘” of degree ๐‘› โˆ’ 1. By the induction hypothesis ๐‘” has at most ๐‘› โˆ’ 1 roots, and the roots of ๐‘“ must be either ๐›ผ or among the roots of ๐‘”, which completes our proof. โ–ก Example 4.4. In the ring (โ„ค/15โ„ค)[๐‘ฅ], the polynomial ๐‘ฅ2 โˆ’ 1 has 4 roots, namely ๐‘ฅ โ‰ก 1, โˆ’1, 4, โˆ’4 mod 15. How do you reconcile this with our result above?

4.1. Primes in the polynomial ring over a field

65

Definition 4.5. A polynomial ๐‘“ โˆˆ ๐”ฝ[๐‘ฅ] is called monic if its leading coefficient (that is, coefficient of the largest power of ๐‘ฅ) is 1. Thus a monic polynomial of degree ๐‘› looks like ๐‘“(๐‘ฅ) = ๐‘ฅ๐‘› + ๐‘Ž๐‘›โˆ’1 ๐‘ฅ๐‘›โˆ’1 + . . . + ๐‘Ž0 , and every non-zero polynomial in ๐”ฝ[๐‘ฅ] can be written as a non-zero constant times a monic polynomial. The units of ๐”ฝ[๐‘ฅ] are the non-zero constants in ๐”ฝ. By restricting to monic polynomials we are basically getting rid of the units, in much the same way that rather than thinking of factorization in โ„ค we are used to getting rid of the sign ยฑ1 and restricting to factorization in the positive integers โ„•. Thus, refining our original question a little, what are the monic irreducible polynomials in ๐”ฝ[๐‘ฅ]? As a first observation, note that all monic polynomials of degree 1, namely ๐‘ฅ โˆ’ ๐›ผ with ๐›ผ โˆˆ ๐”ฝ, are irreducible. Example 4.6. You may have heard of the Fundamental Theorem of Algebra (which we wonโ€™t prove here) which guarantees that every nonconstant polynomial in โ„‚[๐‘ฅ] has a root. This implies that the only monic irreducible polynomials in โ„‚[๐‘ฅ] are the linear polynomials (๐‘ฅ โˆ’ ๐›ผ) for ๐›ผ โˆˆ โ„‚, and every polynomial of higher degree may be factored into these linear polynomials. We know that the quotient rings โ„‚[๐‘ฅ]/(๐‘ฅ โˆ’ ๐›ผ) are fields, but in fact these turn out to be essentially just โ„‚. Indeed, note that the equivalence classes ๐›ฝ mod (๐‘ฅ โˆ’ ๐›ผ) with ๐›ฝ โˆˆ โ„‚ are disjoint, and partition โ„‚[๐‘ฅ]โ€”if ๐‘“ is a polynomial in โ„‚[๐‘ฅ] then ๐‘“(๐‘ฅ) โ‰ก ๐‘“(๐›ผ) mod (๐‘ฅ โˆ’ ๐›ผ). Example 4.7. The situation in โ„[๐‘ฅ] is also not too bad. We already know that all monic polynomials of degree 1, namely (๐‘ฅ โˆ’ ๐‘Ž) with ๐‘Ž โˆˆ โ„, are irreducible. There are also irreducible quadratics ๐‘ฅ2 +๐‘๐‘ฅ+๐‘ with ๐‘, ๐‘ โˆˆ โ„ such that the discriminant ๐‘2 โˆ’ 4๐‘ < 0. Such quadratic polynomials do not have real roots, and thus cannot be factored into linear polynomials and therefore must be irreducible. These are all the irreducible polynomials in โ„[๐‘ฅ]. Indeed if ๐‘“ is a polynomial in โ„[๐‘ฅ] with a real root then it is divisible by some linear polynomial ๐‘ฅ โˆ’ ๐‘Ž. On the other hand, if ๐‘“ has a complex root ๐›ผ which is not real, then the complex conjugate ๐›ผ must also be a root of ๐‘“, and ๐‘“ will be divisible by the quadratic polynomial (๐‘ฅ โˆ’ ๐›ผ)(๐‘ฅ โˆ’ ๐›ผ) = ๐‘ฅ2 โˆ’ (๐›ผ + ๐›ผ)๐‘ฅ + |๐›ผ|2 โˆˆ โ„[๐‘ฅ].

66

4. Primes in polynomial rings: constructing finite fields

You should stop and work out what examples of fields arise when we quotient โ„[๐‘ฅ] by (๐‘ฅ โˆ’ ๐‘Ž), or by an irreducible quadratic (๐‘ฅ2 + ๐‘๐‘ฅ + ๐‘). Example 4.8. The story for โ„š[๐‘ฅ] is more complicated, or much more interesting, depending on your perspective! There are a lot more examples of irreducible polynomials: for example, ๐‘ฅ2 โˆ’ 2, ๐‘ฅ2 + 5, ๐‘ฅ3 โˆ’ 2, 1 + ๐‘ฅ + ๐‘ฅ2 + ๐‘ฅ3 + ๐‘ฅ4 are all examples of irreducible polynomials. Taking the quotient of โ„š[๐‘ฅ] by the ideal generated by any of these irreducible polynomials gives rise to what are called number fields. A lot of work has gone into trying to understand such fields, and you may encounter them in courses on algebraic number theory, or in Galois theory. Marcus [17] gives a friendly introduction to such fields. Let us finally turn to the question of chief interest for us. Let ๐”ฝ = ๐”ฝ๐‘ž be a finite field with ๐‘ž elements. If you like you could just think of the familiar example ๐”ฝ๐‘ = โ„ค/๐‘โ„ค with ๐‘ž = ๐‘ a prime number, but the arguments work equally well if we start with any finite field. Our goal is to show that there exist monic irreducible polynomials ๐‘“ of every degree ๐‘› in ๐”ฝ๐‘ž [๐‘ฅ]. Then the quotient ring ๐”ฝ๐‘ž [๐‘ฅ]/(๐‘“) would be a field, and we shall see that its size is ๐‘ž๐‘› . In particular, starting with the fields ๐”ฝ๐‘ , this process would produce fields of every prime power size ๐‘๐‘› , and we shall see in the next chapter that every finite field must necessarily have size a prime power. Given a natural number ๐‘›, define ๐œ‹(๐‘›; ๐”ฝ๐‘ž ) = #{๐‘ƒ โˆถ ๐‘ƒ โˆˆ ๐”ฝ๐‘ž [๐‘ฅ], deg(๐‘ƒ) = ๐‘›, (4.1)

with ๐‘ƒ monic and irreducible},

where deg(๐‘“) denotes the degree of a polynomial ๐‘“. In the next section we will rework our proof of Bertrandโ€™s postulate (see ยง2.2) to show the following key result, and deduce from it that there must be monic irreducibles of every degree. Theorem 4.9. Suppose we are given a field ๐”ฝ๐‘ž with ๐‘ž elements, and let ๐œ‹(๐‘›; ๐”ฝ๐‘ž ) be as in (4.1). Then for all natural numbers ๐‘› we have (4.2)

๐‘ž๐‘› = โˆ‘ ๐‘‘๐œ‹(๐‘‘; ๐”ฝ๐‘ž ). ๐‘‘|๐‘›

Corollary 4.10. For all natural numbers ๐‘› we have ๐‘ž๐‘› ๐‘ž๐‘› โˆ’ 2(๐‘žโŒŠ๐‘›/2โŒ‹ โˆ’ 1) โ‰ค ๐œ‹(๐‘›; ๐”ฝ๐‘ž ) โ‰ค . ๐‘› ๐‘›

4.1. Primes in the polynomial ring over a field

67

In particular, for every natural number ๐‘›, there exists a monic irreducible polynomial in ๐”ฝ๐‘ž [๐‘ฅ] of degree ๐‘›. The notation ๐œ‹(๐‘›; ๐”ฝ๐‘ž ) may remind you of the notation ๐œ‹(๐‘ฅ) that we used to count primes below ๐‘ฅ. In fact, there is a strong analogy between these two situations, as we shall see in Sections 4.2 and 4.3. For the present, let us note that Gaussโ€™s conjecture for ๐œ‹(๐‘ฅ) (which we discussed in Section 2.3) asserts that (roughly speaking) a number ๐‘› has about a 1/ log ๐‘› chance of being prime. Analogously, Corollary 4.10 reveals that a monic polynomial in ๐”ฝ๐‘ž [๐‘ฅ] of degree ๐‘› has about a 1/๐‘› chance of being irreducible. In Section 2.3 we mentioned the Riemann Hypothesis which predicts that ๐œ‹(๐‘ฅ) is approximated by li(๐‘ฅ) to accuracy about โˆš๐‘ฅ. Corollary 4.10 shows that in the ๐”ฝ๐‘ž [๐‘ฅ] setting the analogue of the Riemann Hypothesis can be established! Indeed, it shows that ๐œ‹(๐‘›; ๐”ฝ๐‘ž ) may be approximated by ๐‘ž๐‘› /๐‘› to accuracy about โˆš๐‘ž๐‘› . We have already mentioned before that the existence of such monic irreducible polynomials leads to the existence of finite fields of size ๐‘๐‘› for every prime power ๐‘๐‘› . Let us now flesh out this consequence carefully. Theorem 4.11. For every prime power ๐‘ž = ๐‘๐‘› there exists a finite field of size ๐‘ž.

Proof. Start with the known finite field of size ๐‘: ๐”ฝ๐‘ = โ„ค/๐‘โ„ค. Recall that the ring ๐”ฝ๐‘ [๐‘ฅ] is a Euclidean domain, and hence a PID. Pick a monic irreducible polynomial ๐‘“ โˆˆ ๐”ฝ๐‘ [๐‘ฅ] of degree ๐‘›, which exists by Corollary 4.10. Since ๐‘“ is irreducible (and hence prime), the ideal (๐‘“) is a prime ideal. In fact, since we are working in a PID this ideal is also maximal (see Chapter 3, Proposition 3.22). Since (๐‘“) is maximal, the quotient ring ๐”ฝ๐‘ [๐‘ฅ]/(๐‘“) is a field. The last thing is to check the size of this field ๐”ฝ๐‘ [๐‘ฅ]/(๐‘“). Using the division algorithm, we may express every polynomial in ๐”ฝ๐‘ [๐‘ฅ] as a multiple of ๐‘“ plus a remainder, which is either zero or a polynomial of degree โ‰ค ๐‘› โˆ’ 1. The number of such remainder polynomials is clearly ๐‘๐‘› , and moreover the difference of any two distinct polynomials of degree โ‰ค ๐‘› โˆ’ 1 is a non-zero polynomial of degree โ‰ค ๐‘› โˆ’ 1 and so cannot be a multiple of ๐‘“. Therefore the quotient ๐”ฝ๐‘ [๐‘ฅ]/(๐‘“) has exactly ๐‘๐‘› elements as claimed. โ–ก

68

4. Primes in polynomial rings: constructing finite fields

More generally, we could start with any known field ๐”ฝ๐‘ž of size ๐‘ž, and using a monic irreducible ๐‘“ of degree ๐‘› (which exists by Corollary 4.10) we would obtain a field ๐”ฝ๐‘ž [๐‘ฅ]/(๐‘“) of size ๐‘ž๐‘› . This follows from the argument of Theorem 4.11. The rest of this chapter is organized as follows. In the next section we shall prove Theorem 4.9 and Corollary 4.10 by finding analogues of our work on Bertrandโ€™s postulate. Then in ยง4.3, we revisit Eulerโ€™s proof of the infinitude of primes, and sketch a related argument which gives another proof of the fundamental relation (4.2). Finally, in ยง4.4 we show how the relation (4.2) (and other such relations) may be โ€œinvertedโ€ to obtain an exact formula for ๐œ‹(๐‘›; ๐”ฝ๐‘ž ).

4.2. An analogue of the proof of Bertrandโ€™s postulate Recall that in Section 2.2 we established Bertrandโ€™s postulate which guarantees the existence of a prime ๐‘ with ๐‘›+1 โ‰ค ๐‘ โ‰ค 2๐‘› for all ๐‘›. If we apply this with ๐‘› = 2๐‘˜ for a natural number ๐‘˜, then we see that there always exists a prime number with ๐‘˜+1 binary digits: 2๐‘˜ +๐‘Ž๐‘˜โˆ’1 2๐‘˜โˆ’1 +. . .+๐‘Ž0 with all ๐‘Ž๐‘– โˆˆ {0, 1}. This problem bears a similarity to our problem of finding monic irreducibles ๐‘ฅ๐‘› + ๐‘Ž๐‘›โˆ’1 ๐‘ฅ๐‘›โˆ’1 + . . . + ๐‘Ž0 where the coefficients ๐‘Ž๐‘— arise from the ๐‘ž-element set ๐”ฝ๐‘ž . In this section we develop analogues of the ideas in Section 2.2, and thus establish Theorem 4.9 and Corollary 4.10. Our proof of Bertrandโ€™s postulate revolved around factorials and the middle binomial coefficient (2๐‘› ) ). We then played off the size of (2๐‘› ๐‘› ๐‘› against its prime factorization. Let us begin by thinking of an analogue of the factorial in the context of ๐”ฝ๐‘ž [๐‘ฅ]. Define (4.3)

โ„ฑ๐‘› =

โˆ

๐‘“,

๐‘“โˆˆ๐”ฝ๐‘ž [๐‘ฅ] ๐‘“ monic deg(๐‘“)=๐‘›

so that โ„ฑ๐‘› is the product of all monic polynomials of degree ๐‘›. Note that โ„ฑ๐‘› is a monic polynomial in ๐”ฝ๐‘ž [๐‘ฅ] of degree ๐‘›๐‘ž๐‘› (since it is the product of ๐‘ž๐‘› polynomials each of degree ๐‘›). Note that โ„ฑ๐‘› is only an approximate analogue of the factorial, since we multiply only the monic polynomials of degree exactly ๐‘›, rather than all the monic polynomials of degree at most ๐‘›. In analogy with Lemma 2.3, let us determine the prime factorization of โ„ฑ๐‘› .

4.2. An analogue of the proof of Bertrandโ€™s postulate

69

Lemma 4.12. We may factor โ„ฑ๐‘› as โˆ

โ„ฑ๐‘› =

๐‘ƒ ๐‘’(๐‘ƒ) ,

๐‘ƒ monic, irreducible deg(P)โ‰ค๐‘›

where, if we denote deg(๐‘ƒ) by ๐‘‘, the exponent ๐‘’(๐‘ƒ) is given by ๐‘’(๐‘ƒ) = โˆ‘ ๐‘ž๐‘›โˆ’โ„“๐‘‘ . โ„“โ‰ค๐‘›/๐‘‘

Proof. The proof parallels our argument in Lemma 2.3 closely. It is clear that only monic irreducibles ๐‘ƒ with degree at most ๐‘› are relevant to the factorization of โ„ฑ๐‘› and what needs proving is the formula for the exponent ๐‘’(๐‘ƒ). How many monic polynomials of degree ๐‘› are divisible by the monic irreducible ๐‘ƒ of degree ๐‘‘? If we write ๐‘“ as ๐‘ƒ๐‘”, then ๐‘” is a monic polynomial of degree ๐‘› โˆ’ ๐‘‘, and thus there are ๐‘ž๐‘›โˆ’๐‘‘ possibilities for ๐‘”. Each such polynomial ๐‘“ contributes 1 to the exponent ๐‘’(๐‘ƒ), but some may contribute more than 1. The number of polynomials that are divisible by ๐‘ƒ 2 is ๐‘ž๐‘›โˆ’2๐‘‘ , provided 2๐‘‘ โ‰ค ๐‘›, and these contribute at least 2 to ๐‘’(๐‘ƒ), and are counted twice in our formula, once from being a multiple of ๐‘ƒ, and once from being a multiple of ๐‘ƒ2 . And so on. โ–ก (2๐‘›)!

We now want an analogue of the binomial coefficient (2๐‘› ) = ๐‘›!2 , ๐‘› ๐‘ž and this will be played by โ„ฑ๐‘› /โ„ฑ๐‘›โˆ’1 . Here is one plausible reason for considering this analogue. The binomial coefficient (2๐‘› ) has an equal num๐‘› ber of terms appearing in the products in the numerator (namely 2๐‘›) ๐‘ž and denominator (๐‘› terms, each appearing twice). Likewise โ„ฑ๐‘› /โ„ฑ๐‘›โˆ’1 also has an equal number of terms appearing in the numerator (namely ๐‘ž๐‘› ) and denominator (๐‘ž๐‘›โˆ’1 terms, each appearing ๐‘ž times). While the binomial coefficient is clearly an integer, it is not at all ๐‘ž clear why the quantity โ„ฑ๐‘› /โ„ฑ๐‘›โˆ’1 should be a polynomial in ๐”ฝ๐‘ž [๐‘ฅ] rather than just a ratio of polynomials. But, very pleasantly, it turns out that ๐‘ž โ„ฑ๐‘› /โ„ฑ๐‘›โˆ’1 is in ๐”ฝ๐‘ž [๐‘ฅ], and later (see Theorem 9.1 in Chapter 9) we shall see exactly what this polynomial is. ๐‘ž

Lemma 4.13. The polynomial โ„ฑ๐‘›โˆ’1 divides the polynomial โ„ฑ๐‘› . More precisely, we have the factorization โ„ฑ๐‘› โˆ = ๐‘ƒ. (4.4) ๐‘ž โ„ฑ๐‘›โˆ’1 ๐‘ƒ monic, irreducible deg(๐‘ƒ)|๐‘›

70

4. Primes in polynomial rings: constructing finite fields

Proof. Let ๐‘ƒ be a monic irreducible with ๐‘‘ = deg(๐‘ƒ) โ‰ค ๐‘›. Let us compare the power of ๐‘ƒ dividing the numerator โ„ฑ๐‘› with the power of ๐‘ƒ divid๐‘ž ing the denominator โ„ฑ๐‘›โˆ’1 . Our goal is to show that if ๐‘‘ does not divide ๐‘›, then the two exponents match, while if ๐‘‘|๐‘› then there is one more power of ๐‘ƒ in the numerator than in the denominator. Suppose first that ๐‘‘ does not divide ๐‘›. Then ๐‘›/๐‘‘ is not an integer, and using Lemma 4.12 the power of ๐‘ƒ dividing โ„ฑ๐‘› equals โˆ‘ ๐‘ž๐‘›โˆ’โ„“๐‘‘ = โ„“โ‰ค๐‘›/๐‘‘

๐‘ž๐‘›โˆ’โ„“๐‘‘ = ๐‘ž

โˆ‘ โ„“โ‰ค(๐‘›โˆ’1)/๐‘‘

๐‘ž๐‘›โˆ’1โˆ’โ„“๐‘‘ .

โˆ‘ โ„“โ‰ค(๐‘›โˆ’1)/๐‘‘

But the right side is simply ๐‘ž times the power of ๐‘ƒ dividing โ„ฑ๐‘›โˆ’1 . Thus in this case ๐‘ƒ divides to an equal power the numerator โ„ฑ๐‘› and the de๐‘ž nominator โ„ฑ๐‘›โˆ’1 . Suppose now that ๐‘‘ divides ๐‘›. Thus ๐‘›/๐‘‘ is an integer, and the power of ๐‘ƒ dividing โ„ฑ๐‘› is now โˆ‘ ๐‘ž๐‘›โˆ’โ„“๐‘‘ = โ„“โ‰ค๐‘›/๐‘‘

โˆ‘

๐‘ž๐‘›โˆ’โ„“๐‘‘ + 1 = 1 + ๐‘ž

โˆ‘

๐‘ž๐‘›โˆ’1โˆ’โ„“๐‘‘ ,

โ„“โ‰ค(๐‘›โˆ’1)/๐‘‘

โ„“โ‰ค(๐‘›โˆ’1)/๐‘‘

which is 1 more than the power of ๐‘ƒ dividing

๐‘ž โ„ฑ๐‘›โˆ’1 .

โ–ก

Proof of Theorem 4.9. Recall that our goal is to establish the identity (4.2): ๐‘ž๐‘› = โˆ‘ ๐‘‘๐œ‹(๐‘‘; ๐”ฝ๐‘ž ). ๐‘‘|๐‘›

Let us compute the degrees on both sides of the relation (4.4). In our analogy with the proof of Bertrandโ€™s postulate, the degree of a polynomial plays the role of the size of an integer. Since the degree of โ„ฑ๐‘› is ๐‘›๐‘ž๐‘› , computing the degree on the left side of (4.4) gives deg(โ„ฑ๐‘› ) โˆ’ ๐‘ždeg(โ„ฑ๐‘›โˆ’1 ) = ๐‘›๐‘ž๐‘› โˆ’ ๐‘ž((๐‘› โˆ’ 1)๐‘ž๐‘›โˆ’1 ) = ๐‘ž๐‘› . On the other hand, the degree of the right side of (4.4) is โˆ‘ ๐‘‘#{๐‘ƒ โˆถ ๐‘ƒ monic, irreducible of degree ๐‘‘} = โˆ‘ ๐‘‘๐œ‹(๐‘‘; ๐”ฝ๐‘ž ). ๐‘‘|๐‘›

๐‘‘|๐‘›

Equating these two expressions proves the theorem. Proof of Corollary 4.10. Our main goal is to establish the bounds ๐‘ž๐‘› ๐‘ž๐‘› โˆ’ 2(๐‘žโŒŠ๐‘›/2โŒ‹ โˆ’ 1) โ‰ค ๐œ‹(๐‘›; ๐”ฝ๐‘ž ) โ‰ค . ๐‘› ๐‘›

โ–ก

4.3. An analogue of Eulerโ€™s proof

71

First let us establish the upper bound on ๐œ‹(๐‘›; ๐”ฝ๐‘ž ), which follows at once from Theorem 4.9. Indeed, since ๐œ‹(๐‘‘; ๐”ฝ๐‘ž ) is always non-negative, ๐‘›๐œ‹(๐‘›; ๐”ฝ๐‘ž ) โ‰ค โˆ‘ ๐‘‘๐œ‹(๐‘‘; ๐”ฝ๐‘ž ) = ๐‘ž๐‘› , ๐‘‘|๐‘›

so that ๐œ‹(๐‘›; ๐”ฝ๐‘ž ) โ‰ค ๐‘ž๐‘› /๐‘› as claimed. Now we turn to the lower bound. Using the upper bound just established, we get (4.5)

๐‘›๐œ‹(๐‘›; ๐”ฝ๐‘ž ) = ๐‘ž๐‘› โˆ’ โˆ‘ ๐‘‘๐œ‹(๐‘‘; ๐”ฝ๐‘ž ) โ‰ฅ ๐‘ž๐‘› โˆ’ โˆ‘ ๐‘ž๐‘‘ . ๐‘‘|๐‘› ๐‘‘ ๐‘Ž with ๐‘”๐‘Ž = ๐‘”๐‘ , then ๐‘”๐‘โˆ’๐‘Ž = 1 so that ๐‘ โˆ’ ๐‘Ž would be a non-zero element in ๐‘†. Thus in this case ๐บ is infinite. Define ๐œ™ โˆถ ๐บ โ†’ โ„ค by setting ๐œ™(๐‘”๐‘˜ ) = ๐‘˜. Since all the elements ๐‘”๐‘˜ are distinct, this is a bijection. Further, clearly, ๐œ™(๐‘”๐‘˜ ร— ๐‘”โ„“ ) = ๐œ™(๐‘”๐‘˜+โ„“ ) = ๐‘˜ + โ„“ = ๐œ™(๐‘”๐‘˜ ) + ๐œ™(๐‘”โ„“ ), so that ๐œ™ sets up an isomorphism between ๐บ and โ„ค. Observe that the right side above is compatible with our definition in (5.1) since the group operation in โ„ค is addition. Now suppose that ๐‘† = (๐‘›), so that ๐‘”โ„“๐‘› = 1 for all โ„“ โˆˆ โ„ค. For any integer ๐‘˜, it follows that ๐‘”๐‘˜ = ๐‘”๐‘˜+โ„“๐‘› , or in other words the values ๐‘”๐‘˜ really depend only on the residue class ๐‘˜ mod ๐‘›. Note that the elements

86

5. Additive and multiplicative structures

๐‘”๐‘˜ with 0 โ‰ค ๐‘˜ โ‰ค ๐‘› โˆ’ 1 are all distinct; for if 0 โ‰ค ๐‘Ž < ๐‘ โ‰ค ๐‘› โˆ’ 1 with ๐‘”๐‘Ž = ๐‘”๐‘ then ๐‘ โˆ’ ๐‘Ž would be an element of ๐‘† with 0 < ๐‘ โˆ’ ๐‘Ž < ๐‘›, which is impossible. Thus in this case ๐บ = {1 = ๐‘”0 , ๐‘”1 , . . . , ๐‘”๐‘›โˆ’1 }, and we can define a map ๐œ™ โˆถ ๐บ โ†’ โ„ค/๐‘›โ„ค by setting ๐œ™(๐‘”๐‘˜ ) = ๐‘˜ mod ๐‘›. This map gives the desired isomorphism. โ–ก Thus the structure of a cyclic group is entirely determined by its size. We will sometimes denote a cyclic group of size ๐‘› by ๐ถ๐‘› . A first step in understanding a general group ๐บ would be to understand the cyclic groups generated by elements ๐‘” โˆˆ ๐บ. Definition 5.4. Let ๐บ be a group, and let ๐‘” be an element of ๐บ. Consider the cyclic subgroup of ๐บ generated by ๐‘”: ๐ป = {๐‘”๐‘› โˆถ ๐‘› โˆˆ โ„ค}. If the group ๐ป is finite, then we call the size of this group the order of the element ๐‘” โˆˆ ๐บ. If ๐ป is infinite, we say that ๐‘” has infinite order. Proposition 5.5. Let ๐‘” be an element of finite order in the group ๐บ. Then the order of ๐‘” is the smallest natural number ๐‘› such that ๐‘”๐‘› equals the identity element of ๐บ. Proof. This was essentially discussed in our proof of Proposition 5.3. As in that proof, if we set ๐‘† to be the set of all integers ๐‘  such that ๐‘”๐‘  = 1, then ๐‘† is an ideal of โ„ค and must equal (๐‘›) for some natural number ๐‘›. Then ๐‘› is the size of the group generated by ๐‘”, which is isomorphic to โ„ค/๐‘›โ„ค. Thus ๐‘› is the order, and since ๐‘† = (๐‘›), we also have that ๐‘› is the smallest natural number such that ๐‘”๐‘› = 1. โ–ก We end this section by giving a complete description of all the possible orders of elements in a finite cyclic group, together with how many elements have that order. Proposition 5.6. Let ๐บ be a cyclic group of size ๐‘›, and let ๐‘” denote a generator of this group. Then for each integer ๐‘Ž, the element ๐‘”๐‘Ž has order ๐‘›/(๐‘›, ๐‘Ž). For every divisor ๐‘‘ of ๐‘›, there are exactly ๐œ™(๐‘‘) elements of ๐บ with order ๐‘‘. In particular, there are ๐œ™(๐‘›) generators of the group ๐บ. Proof. Suppose ๐‘”๐‘Ž has order ๐‘˜. Then ๐‘”๐‘Ž๐‘˜ = 1 in ๐บ, and since ๐‘” has order ๐‘›, this means that ๐‘› divides ๐‘Ž๐‘˜ (as we saw in the proof of Proposition 5.5). Now a small exercise using the Euclidean algorithm should show that ๐‘›/(๐‘›, ๐‘Ž) must divide ๐‘˜ (see Exercise 1 from Chapter 2). Further ๐‘Ž

5.2. More about groups: Lagrangeโ€™s theorem

87

times ๐‘›/(๐‘›, ๐‘Ž) is a multiple of ๐‘›, and so (๐‘”๐‘Ž )๐‘›/(๐‘›,๐‘Ž) = 1. This establishes that the order of ๐‘”๐‘Ž is ๐‘›/(๐‘›, ๐‘Ž). As ๐‘Ž ranges from 1 to ๐‘› (so that ๐‘”๐‘Ž ranges over all elements of ๐บ), the possible values for (๐‘›, ๐‘Ž) = ๐‘˜ are the divisors of ๐‘›. Writing ๐‘Ž = ๐‘˜โ„“, the number of ๐‘Ž in 1 to ๐‘› with (๐‘›, ๐‘Ž) = ๐‘˜ equals the number of โ„“ in 1 to ๐‘›/๐‘˜ that are coprime to ๐‘›/๐‘˜. In other words, there are ๐œ™(๐‘›/๐‘˜) such values of โ„“, and so ๐œ™(๐‘›/๐‘˜) values of ๐‘Ž with (๐‘Ž, ๐‘›) = ๐‘˜. Thus we have shown that for every divisor ๐‘˜ of ๐‘›, there are exactly ๐œ™(๐‘›/๐‘˜) elements of ๐บ with order ๐‘›/๐‘˜. Writing ๐‘› = ๐‘‘๐‘˜, we see that ๐‘‘ = ๐‘›/๐‘˜ ranges over the divisors of ๐‘›, and the proposition follows. โ–ก Since each of the ๐‘› elements in ๐บ must have some order ๐‘‘|๐‘›, we may also conclude that ๐‘› = โˆ‘๐‘‘|๐‘› ๐œ™(๐‘‘); a relation we already saw in Proposition 4.21 (and the proofs are quite similar).

5.2. More about groups: Lagrangeโ€™s theorem We just saw that in a cyclic group of size ๐‘›, all elements have order dividing ๐‘›. A beautiful theorem of Lagrange establishes that in any finite group ๐บ (abelian or not), the order of any element must always divide the size of the group. Theorem 5.7 (Lagrangeโ€™s theorem). Let ๐บ be a finite group, and let ๐ป be any subgroup of ๐บ. Then the size of ๐ป divides the size of ๐บ. In particular, the order of any element ๐‘” โˆˆ ๐บ divides the size of the group. Proof. Given a subgroup ๐ป and an element ๐‘” โˆˆ ๐บ, define ๐‘”๐ป = {๐‘”โ„Ž โˆถ โ„Ž โˆˆ ๐ป}. Such sets are called left cosets. Note that each left coset ๐‘”๐ป has exactly |๐ป| elements in it, since ๐‘”โ„Ž1 = ๐‘”โ„Ž2 implies that โ„Ž1 = โ„Ž2 . Further, if ๐‘”1 ๐ป and ๐‘”2 ๐ป are two such cosets, we claim that they are either identical sets, or they are disjoint. For if ๐‘”1 โ„Ž1 = ๐‘”2 โ„Ž2 for some โ„Ž1 , โ„Ž2 โˆˆ ๐ป then ๐‘”1 = ๐‘”2 โ„Ž3 with โ„Ž3 = โ„Ž2 โ„Ž1โˆ’1 โˆˆ ๐ป. Therefore any ๐‘”1 โ„Ž may be written as ๐‘”2 (โ„Ž3 โ„Ž) and so lies in the coset ๐‘”2 ๐ป. It follows that ๐‘”1 ๐ป โŠ‚ ๐‘”2 ๐ป. By symmetry ๐‘”2 ๐ป โŠ‚ ๐‘”1 ๐ป and the two sets must be the same. Now start with ๐‘”1 = 1 and ๐ป1 = ๐‘”1 ๐ป = ๐ป. If this accounts for all of ๐บ, then we stop, and note that |๐ป| = |๐บ| and so |๐ป| divides |๐บ|.

88

5. Additive and multiplicative structures

Otherwise pick ๐‘”2 to be some element in ๐บ but not in ๐ป1 , and put ๐ป2 = ๐‘”2 ๐ป. Note that ๐ป1 and ๐ป2 have the same number of elements (namely |๐ป|) and are disjoint (else they would have to be the same, forcing ๐‘”2 โˆˆ ๐ป1 ). Now either ๐บ = ๐ป1 โˆช ๐ป2 , in which case |๐บ| = 2|๐ป| and we are done. Or we can pick ๐‘”3 โˆˆ ๐บ but not in ๐ป1 โˆช ๐ป2 , and now consider ๐ป3 = ๐‘”3 ๐ป. Note that since ๐‘”3 is not in ๐ป1 or ๐ป2 , ๐ป3 cannot be exactly ๐ป1 or exactly ๐ป2 . So ๐ป3 is disjoint from ๐ป1 and ๐ป2 , and so on. Since ๐บ is finite, we must end up with a partition of ๐บ into say ๐‘˜ disjoint cosets ๐ป1 โˆช ๐ป2 โˆช โ‹ฏ โˆช ๐ป๐‘˜ , and so |๐บ| = ๐‘˜|๐ป| as desired. If we take ๐ป to be the subgroup generated by ๐‘”, it follows that the order of the element ๐‘” divides the size of the group, |๐บ|. โ–ก

Here is another way to phrase our proof of Lagrangeโ€™s theorem. Define a binary relation โˆผ on ๐บ by saying that ๐‘”1 โˆผ ๐‘”2 holds exactly when ๐‘”โˆ’1 2 ๐‘”1 is an element of ๐ป. This is also the same (you should check this) as saying that ๐‘”1 โˆผ ๐‘”2 holds exactly when ๐‘”1 and ๐‘”2 belong to the same left coset ๐‘”1 ๐ป = ๐‘”2 ๐ป. Check further that โˆผ is an equivalence relation, and the equivalence classes are precisely the left cosets. Since we can partition ๐บ as a disjoint union of equivalence classes, Lagrangeโ€™s theorem follows. In our proof of Lagrangeโ€™s theorem, we used left cosets. One could equally well use right cosets ๐ป๐‘” = {โ„Ž๐‘” โˆถ โ„Ž โˆˆ ๐ป}, which corresponds to the equivalence relation ๐‘”1 โ‰ˆ ๐‘”2 exactly when ๐‘”1 ๐‘”โˆ’1 2 โˆˆ ๐ป. If the group ๐บ is abelian, then the notions of right and left cosets are identical. In fact, this can happen even when ๐บ is not abelian, and the subgroup ๐ป might still satisfy the nice property that ๐‘”๐ป = ๐ป๐‘” for all ๐‘” โˆˆ ๐บ. Such nice subgroups ๐ป are called normal, and they play an important role in understanding the structure of groups. This discussion of cosets and partitioning ๐บ into equivalence classes may remind you of our earlier discussion of quotient rings. It is natural to ask whether the set of left cosets {๐‘”๐ป โˆถ ๐‘” โˆˆ ๐บ} can be given a group structure by defining the product of ๐‘”1 ๐ป and ๐‘”2 ๐ป to be (๐‘”1 ๐‘”2 )๐ป. One must check however that this notion is well defined: namely, if we picked any other element ๐‘”โ€ฒ1 โˆˆ ๐‘”1 ๐ป and ๐‘”โ€ฒ2 โˆˆ ๐‘”2 ๐ป, we would need to make sure that the coset ๐‘”1 ๐‘”2 ๐ป is the same as ๐‘”โ€ฒ1 ๐‘”โ€ฒ2 ๐ป. This does indeed hold when ๐บ is abelian (and so we get here a quotient group ๐บ/๐ป), but it

5.2. More about groups: Lagrangeโ€™s theorem

89

does not hold in general. In fact the notion is well defined exactly when the subgroup ๐ป is normal! Let us now return to the situations of interest for us, which are all abelian groups, and record some immediate and interesting consequences of Lagrangeโ€™s theorem. Corollary 5.8 (Fermat). If ๐‘ is a prime number then ๐‘Ž๐‘ โ‰ก ๐‘Ž mod ๐‘ for all integers ๐‘Ž. Proof. Consider the multiplicative group (โ„ค/๐‘โ„ค)ร— , which has size ๐‘โˆ’1. Lagrangeโ€™s theorem gives that if ๐‘˜ is the order of any reduced residue ๐‘Ž mod ๐‘ (so ๐‘Ž๐‘˜ โ‰ก 1 mod ๐‘) then ๐‘˜ divides ๐‘ โˆ’ 1. Thus ๐‘Ž๐‘โˆ’1 = (๐‘Ž๐‘˜ )(๐‘โˆ’1)/๐‘˜ โ‰ก 1 mod ๐‘, and it follows that ๐‘Ž๐‘ = ๐‘Ž ร— ๐‘Ž๐‘โˆ’1 โ‰ก ๐‘Ž mod ๐‘ for (๐‘Ž, ๐‘) = 1. If ๐‘|๐‘Ž then clearly ๐‘Ž๐‘ โ‰ก 0 mod ๐‘ and ๐‘Ž โ‰ก 0 mod ๐‘, so that the result holds in this case also. โ–ก We saw earlier in (4.8), that if โ„“ is prime and there is a field ๐”ฝ๐‘ž of size ๐‘ž then ๐œ‹(โ„“; ๐”ฝ๐‘ž ) = (๐‘žโ„“ โˆ’ ๐‘ž)/โ„“. Since ๐œ‹(โ„“; ๐”ฝ๐‘ž ) is an integer, we know that โ„“ must divide ๐‘žโ„“ โˆ’ ๐‘ž (if there is a field of size ๐‘ž). Now from Fermatโ€™s theorem we recognize that for all integers ๐‘ž, if โ„“ is prime then โ„“ must divide ๐‘žโ„“ โˆ’ ๐‘ž. Corollary 5.9 (Euler). Let ๐‘› be a natural number, and let ๐œ™(๐‘›) denote the Euler ๐œ™-function (which is the size of the multiplicative group (โ„ค/๐‘›โ„ค)ร— ). Then for any (๐‘Ž, ๐‘›) = 1 we have ๐‘Ž๐œ™(๐‘›) โ‰ก 1 mod ๐‘›. Proof. Apply Lagrangeโ€™s theorem to the group (โ„ค/๐‘›โ„ค)ร— .

โ–ก

With Lagrangeโ€™s theorem we can make a first step in understanding the additive and multiplicative groups of a finite field. Corollary 5.10. Let ๐”ฝ๐‘ž be a finite field with ๐‘ž elements. Then for all ๐›ผ โˆˆ ๐”ฝ๐‘ž we have (5.2)

๐‘ž๐›ผ = 0,

and (5.3)

๐›ผ๐‘ž = ๐›ผ.

90

5. Additive and multiplicative structures

Proof. We should first clarify that when we write ๐‘ž๐›ผ in (5.2), we mean the result of adding ๐›ผ to itself ๐‘ž times; just as ๐›ผ๐‘ž denotes the result of multiplying ๐›ผ by itself ๐‘ž times. We mention this explicitly to draw attention to a possible ambiguity. We denote the multiplicative identity in our field by 1, and this could also just denote the natural number 1. Similarly, it is tempting to write 2 for the element 1 + 1 in the field and so on. Thus ๐‘ž could either have denoted the natural number ๐‘ž, or the element 1 + . . . + 1 (added ๐‘ž times) in the field (which should be 0 according to (5.2)). In the additive group ๐”ฝ๐‘ž , the element ๐›ผ must have order dividing ๐‘ž by Lagrange, and this gives (5.2). The proof of (5.3) is exactly like our proof of Corollary 5.8. If ๐›ผ = 0 then so is ๐›ผ๐‘ž so that (5.3) holds. If ๐›ผ โ‰  0 then ๐›ผ belongs to the multiplicative group ๐”ฝ๐‘žร— which has ๐‘ž โˆ’ 1 elements. By Lagrange ๐›ผ๐‘žโˆ’1 = 1, and so once again ๐›ผ๐‘ž = ๐›ผ. โ–ก

5.3. The additive structure of finite fields In Definition 5.2 we explained what it means for two groups to be isomorphic. In a similar fashion we can make precise what it means for rings or fields to be isomorphic. Definition 5.11. Let ๐‘… and ๐‘† be two rings. We say that ๐‘… and ๐‘† are isomorphic if there is a bijection ๐œ™ โˆถ ๐‘… โ†’ ๐‘† such that for all ๐‘Ÿ1 , ๐‘Ÿ2 โˆˆ ๐‘… we have (5.4)

๐œ™(๐‘Ÿ1 + ๐‘Ÿ2 ) = ๐œ™(๐‘Ÿ1 ) + ๐œ™(๐‘Ÿ2 ), and ๐œ™(๐‘Ÿ1 ๐‘Ÿ2 ) = ๐œ™(๐‘Ÿ1 )๐œ™(๐‘Ÿ2 ).

Similarly, if ๐น and ๐พ are two fields, then we say that ๐น and ๐พ are isomorphic if there is a bijection ๐œ™ โˆถ ๐น โ†’ ๐พ with the relations in (5.4) holding for all elements ๐‘Ÿ1 , ๐‘Ÿ2 in the field ๐น. In other words, two fields are isomorphic exactly when they are isomorphic when viewed just as rings. Let ๐”ฝ be a field. To start with, let us allow ๐”ฝ to be finite or infinite, and later specialize to the case of finite fields. What is the order of 1 in the additive group of ๐”ฝ? It could either be infinite, or a finite number (which we will soon see must be a prime number). Let us begin with the case when 1 has infinite order.

5.3. The additive structure of finite fields

91

Proposition 5.12. Let ๐”ฝ be a field, and suppose that 1 has infinite order in the additive group of ๐”ฝ. Then ๐”ฝ contains in it a field isomorphic to the field of rational numbers โ„š. Proof. For clarity let us denote the multiplicative identity in the field by 1๐น . Our assumption is that this element has infinite order, which means that under addition 1๐น generates an infinite cyclic group, which we know must be isomorphic to โ„ค (see Proposition 5.3). Indeed the isomorphism is simply given by identifying 1๐น + 1๐น + . . . + 1๐น (summed ๐‘› times, and which we could denote by ๐‘›๐น ) with the natural number ๐‘›, and similarly โˆ’๐‘›๐น being identified with โˆ’๐‘›. But since ๐น is a field, we must also have a multiplicative inverse for ๐‘›๐น (assuming ๐‘› โ‰  0), which we may denote by 1/๐‘›๐น , and this forces us further to have other fractions ๐‘š๐น /๐‘›๐น . Identifying the fraction ๐‘š๐น /๐‘›๐น with the rational number ๐‘š/๐‘› shows that ๐”ฝ contains inside it a field isomorphic to โ„š. โ–ก Next consider the case when the order of 1 is finite. Proposition 5.13. Let ๐”ฝ be a field, and suppose that 1 has finite order in the additive group of ๐”ฝ. Then the order of 1 must be a prime number ๐‘, and for every ๐›ผ โˆˆ ๐”ฝ we have ๐‘๐›ผ = 0, where ๐‘๐›ผ is the result of adding ๐›ผ to itself ๐‘ times. Further the field ๐”ฝ contains in it a field isomorphic to ๐”ฝ๐‘ . Proof. Again for clarity let 1๐น denote the multiplicative identity of the field, and suppose its order is ๐‘›. We wish to show that ๐‘› is prime. Suppose to the contrary that ๐‘› = ๐‘Ž๐‘ is composite with ๐‘Ž and ๐‘ both natural numbers smaller than ๐‘›. Let ๐‘Ž๐น denote the result of adding 1๐น to itself ๐‘Ž times, and ๐‘๐น the result of adding 1๐น to itself ๐‘ times. Note that ๐‘Ž๐น and ๐‘๐น are both non-zero, since ๐‘Ž and ๐‘ are smaller than the order of 1๐น (which is ๐‘›). What is ๐‘Ž๐น ร— ๐‘๐น ? If we expand it out using the distributive law, we see that we must have 1๐น added to itself ๐‘Ž๐‘ = ๐‘› times. But by assumption 1๐น added to itself ๐‘› times gives 0. In other words ๐‘Ž๐น ร— ๐‘๐น = 0, which means that ๐‘Ž๐น and ๐‘๐น are zero divisors, contradicting ๐”ฝ being a field. Thus the order of 1๐น must be a prime number ๐‘. Since ๐‘1๐น = 0, it follows by the distributive law that ๐‘๐›ผ = 0 for all ๐›ผ โˆˆ ๐”ฝ.

92

5. Additive and multiplicative structures

Now ๐”ฝ contains inside it the ๐‘-element set {1๐น , 2๐น , . . . , (๐‘ โˆ’ 1)๐น , 0} generated additively by the element 1๐น . We claim that these ๐‘ elements form a field, the point being that we can identify these elements ๐‘Ž๐น with the corresponding residue class ๐‘Ž mod ๐‘. How can we find the inverse of a non-zero element in this set ๐‘Ž๐น ? Simply take the inverse of ๐‘Ž mod ๐‘ in โ„ค/๐‘โ„ค, say this is ๐‘ mod ๐‘, and then the distributive law gives ๐‘Ž๐น ร— ๐‘๐น = (๐‘Ž๐‘) ร— 1๐น = 1๐น , since ๐‘Ž๐‘ โ‰ก 1 mod ๐‘. Thus the set {1๐น , 2๐น , . . . , (๐‘ โˆ’ 1)๐น , 0} forms a field contained in ๐”ฝ, and upon identifying ๐‘˜๐น with the residue class ๐‘˜ mod ๐‘, this field is clearly isomorphic to ๐”ฝ๐‘ . โ–ก Definition 5.14. A field ๐”ฝ is said to be of characteristic zero if the order of 1 is infinite. If the order of 1 is finite, then this order ๐‘ (which is a prime number) is called the characteristic of the field ๐”ฝ, and then the field is said to be of finite characteristic, or of characteristic ๐‘. So far we have seen that the โ€œsmallest fieldโ€ of characteristic zero is the field โ„š of rational numbers, in the sense that any field of characteristic zero contains an isomorphic copy of โ„š. Correspondingly, the smallest field of characteristic ๐‘ is ๐”ฝ๐‘ = โ„ค/๐‘โ„ค, and every field of characteristic ๐‘ contains a copy of ๐”ฝ๐‘ . Example 5.15. Clearly every field of characteristic zero must be infinite, and every finite field necessarily has finite characteristic ๐‘. But it is also possible for fields of characteristic ๐‘ to be infinite. To see this consider the polynomial ring ๐”ฝ๐‘ [๐‘ฅ]. Since this is an integral domain, we may form its field of fractions, obtaining all โ€œrational functionsโ€ ๐‘“(๐‘ฅ)/๐‘”(๐‘ฅ) with ๐‘“, ๐‘” โˆˆ ๐”ฝ๐‘ [๐‘ฅ] and ๐‘” โ‰  0. This field is denoted by ๐”ฝ๐‘ (๐‘ฅ), and is clearly infinite, but still of characteristic ๐‘. Suppose now that ๐พ is a field, containing inside it a field ๐น (which we may naturally call a subfield of ๐พ). We introduce a new way of thinking about the relationship between ๐พ and ๐น. Temporarily, let us forget that we know how to multiply elements in ๐พ, and just focus on adding elements in ๐พ, and multiplying elements in ๐พ by elements in ๐น. The resulting structure may remind you of the idea of a vector space from linear algebra. Think of the elements of ๐น as โ€œscalarsโ€ and the elements of ๐พ as โ€œvectors.โ€ We then have a notion of what it means to add vectors (just addition in the field ๐พ), and the vectors form an abelian group under addition. We also have a notion of scalar multiplication (multiplying elements in ๐พ by elements in ๐น), and this notion satisfies ๐‘Ž(๐‘๐‘ฃ) = (๐‘Ž๐‘)๐‘ฃ

5.3. The additive structure of finite fields

93

together with the distributive laws (๐‘Ž + ๐‘)๐‘ฃ = ๐‘Ž๐‘ฃ + ๐‘๐‘ฃ and ๐‘Ž(๐‘ฃ + ๐‘ค) = ๐‘Ž๐‘ฃ + ๐‘Ž๐‘ค (for scalars ๐‘Ž, ๐‘ โˆˆ ๐น and vectors ๐‘ฃ, ๐‘ค โˆˆ ๐พ). In other words, the axioms of a vector space over a field are satisfied, and we may view ๐พ as a vector space over ๐น. Example 5.16. The field โ„‚ may be viewed as a vector space over the field โ„. The dimension of โ„‚ as a vector space is 2, as โ„‚ may be spanned by the two vectors 1 and ๐‘– which are linearly independent over โ„. All that is missing in this picture is the knowledge of how to multiply two complex numbers ๐‘Ž1 + ๐‘1 ๐‘– and ๐‘Ž2 + ๐‘2 ๐‘–, which we are ignoring temporarily. The field โ„ may be viewed as a vector space over โ„š, but this is a more complicated situation, being an example of an infinite dimensional vector space. We are now ready to describe the additive structure of finite fields, as well as to explain why the sizes of finite fields must be prime powers. Theorem 5.17. Let ๐”ฝ๐‘ž be a finite field with characteristic ๐‘, so that ๐”ฝ๐‘ž contains ๐”ฝ๐‘ . Additively, ๐”ฝ๐‘ž has the structure of a finite dimensional vector space over ๐”ฝ๐‘ . If ๐‘˜ denotes this dimension, then ๐‘ž = ๐‘๐‘˜ must be a power of the prime ๐‘, and we may find ๐‘˜ elements ๐‘ฃ 1 , . . ., ๐‘ฃ ๐‘˜ โˆˆ ๐”ฝ๐‘ž such that all the ๐‘๐‘˜ elements of ๐”ฝ๐‘ž may be expressed uniquely as a linear combination ๐‘Ž1 ๐‘ฃ 1 + ๐‘Ž2 ๐‘ฃ 2 + . . . + ๐‘Ž๐‘˜ ๐‘ฃ ๐‘˜ , where the coefficients ๐‘Ž1 , . . ., ๐‘Ž๐‘˜ lie in the finite field ๐”ฝ๐‘ . Proof. We discussed above how ๐”ฝ๐‘ž may be viewed as a vector space over ๐”ฝ๐‘ , and since ๐”ฝ๐‘ž is finite, the vector space must be finite dimensional. We may then find a basis for this vector space, and the dimension is the size of this basis. If ๐‘ฃ 1 , . . ., ๐‘ฃ ๐‘˜ is a basis for ๐”ฝ๐‘ž over the field ๐”ฝ๐‘ , then the sums ๐‘Ž1 ๐‘ฃ 1 + . . . + ๐‘Ž๐‘˜ ๐‘ฃ ๐‘˜ with ๐‘Ž๐‘– โˆˆ ๐”ฝ๐‘ must all be distinct (else there would be a linear relation among the ๐‘ฃ 1 , . . ., ๐‘ฃ ๐‘˜ ) and must give all elements of ๐”ฝ๐‘ž (since these vectors must span the whole space). It follows that ๐”ฝ๐‘ž must have ๐‘๐‘˜ elements, completing the proof of the theorem. If you need a review of the linear algebra mentioned above, here is the same proof developed from scratch. Pick any non-zero element ๐‘ฃ 1 โˆˆ ๐”ฝ๐‘ž . By its span over ๐”ฝ๐‘ we mean Span(๐‘ฃ 1 ) = {๐‘Ž1 ๐‘ฃ 1 โˆถ ๐‘Ž1 โˆˆ ๐”ฝ๐‘ }, which has ๐‘ elements. If these are all the elements of ๐”ฝ๐‘ž , then the dimension ๐‘˜ is 1 and ๐‘ž = ๐‘, and our proof is finished.

94

5. Additive and multiplicative structures

Otherwise we may find an element ๐‘ฃ 2 โˆˆ ๐”ฝ๐‘ž with ๐‘ฃ 2 โˆ‰ Span(๐‘ฃ 1 ). Consider now the span of ๐‘ฃ 1 and ๐‘ฃ 2 : namely, Span(๐‘ฃ 1 , ๐‘ฃ 2 ) = {๐‘Ž1 ๐‘ฃ 1 + ๐‘Ž2 ๐‘ฃ 2 โˆถ ๐‘Ž1 , ๐‘Ž2 โˆˆ ๐”ฝ๐‘ }. We claim that these elements are all distinct so that Span(๐‘ฃ 1 , ๐‘ฃ 2 ) has size ๐‘2 . Indeed if ๐‘Ž1 ๐‘ฃ 1 + ๐‘Ž2 ๐‘ฃ 2 = ๐‘1 ๐‘ฃ 1 + ๐‘2 ๐‘ฃ 2 , then (๐‘1 โˆ’๐‘2 )๐‘ฃ 2 = (๐‘Ž2 โˆ’๐‘Ž1 )๐‘ฃ 1 , and since ๐‘ฃ 2 โˆ‰ Span(๐‘ฃ 1 ) we must have ๐‘1 โˆ’๐‘2 = 0, and then (๐‘Ž2 โˆ’ ๐‘Ž1 )๐‘ฃ 1 = 0 forces ๐‘Ž1 = ๐‘Ž2 . If Span(๐‘ฃ 1 , ๐‘ฃ 2 ) = ๐”ฝ๐‘ž , then the dimension ๐‘˜ is 2, and ๐‘ž = ๐‘2 , and the proof is complete. Else find ๐‘ฃ 3 โˆˆ ๐”ฝ๐‘ž with ๐‘ฃ 3 โˆ‰ Span(๐‘ฃ 1 , ๐‘ฃ 2 ), and then consider Span(๐‘ฃ 1 , ๐‘ฃ 2 , ๐‘ฃ 3 ). And so on. The process must stop since ๐”ฝ๐‘ž is finite. โ–ก Example 5.18. Suppose ๐‘“ โˆˆ ๐”ฝ๐‘ [๐‘ฅ] is a monic irreducible polynomial of degree ๐‘˜, and consider the field ๐”ฝ๐‘ [๐‘ฅ]/(๐‘“). Some elements in this field are ๐‘ฅ, ๐‘ฅ + 1, ๐‘ฅ(๐‘ฅ + 1), ๐‘ฅ3 + 1, all of these representing congruence classes ๐‘ฅ + (๐‘“), ๐‘ฅ + 1 + (๐‘“), etc. By the division algorithm every element in ๐”ฝ๐‘ [๐‘ฅ] lies in a congruence class ๐‘Ÿ(๐‘ฅ) + (๐‘“) where ๐‘Ÿ โˆˆ ๐”ฝ๐‘ [๐‘ฅ] is a polynomial of degree at most ๐‘˜ โˆ’ 1 (with ๐‘Ÿ possibly being the zero polynomial). Thus 1, ๐‘ฅ, ๐‘ฅ2 , . . ., ๐‘ฅ๐‘˜โˆ’1 forms a basis over ๐”ฝ๐‘ for this field. As with general vector spaces, there are of course many other possible ways of writing down a basis. We have thus determined the additive structure of finite fields. Every such field must have ๐‘ž = ๐‘๐‘˜ elements for some prime power ๐‘๐‘˜ , and then additively ๐”ฝ๐‘ž is a vector space of dimension ๐‘˜ over ๐”ฝ๐‘ . Picking a basis, we may think of the additive group of ๐”ฝ๐‘ž as ๐”ฝ๐‘๐‘˜ = {(๐‘Ž1 , . . . , ๐‘Ž๐‘˜ ) โˆถ ๐‘Ž๐‘— โˆˆ ๐”ฝ๐‘ } with the addition law on the ๐‘˜-tuples being componentwise addition of the โ€œcoordinatesโ€ in ๐”ฝ๐‘ . The structure that we have just described is a special case of a general construction known as the direct product. Definition 5.19. Let ๐บ 1 and ๐บ 2 be two groups. The direct product ๐บ 1 ร— ๐บ 2 is defined as the set ๐บ 1 ร— ๐บ 2 = {(๐‘”1 , ๐‘”2 ) โˆถ ๐‘”1 โˆˆ ๐บ 1 , ๐‘”2 โˆˆ ๐บ 2 }, with a group operation given by component-wise multiplication. That is, (๐‘”1 , ๐‘”2 ) ร— (โ„Ž1 , โ„Ž2 ) = (๐‘”1 โ„Ž1 , ๐‘”2 โ„Ž2 ), where the first coordinates are multiplied using the group law in ๐บ 1 and the second coordinates using the law on ๐บ 2 .

5.4. The multiplicative structure of finite fields

95

Corollary 5.20. Let ๐”ฝ๐‘ž be a finite field of size ๐‘ž = ๐‘๐‘˜ . The additive group of ๐”ฝ๐‘ž is isomorphic to the direct product ๐ถ๐‘ ร— ๐ถ๐‘ ร— . . . ร— ๐ถ๐‘ of ๐‘˜ cyclic groups ๐ถ๐‘ of size ๐‘. The additive group of ๐”ฝ๐‘ž has one element of order 1 (namely 0), and the remaining ๐‘ž โˆ’ 1 elements all have order ๐‘. We end this section with one last result on the possible sizes of subfields of ๐”ฝ๐‘ž . Proposition 5.21. Let ๐”ฝ๐‘ž be a field with characteristic ๐‘, and size ๐‘ž = ๐‘๐‘˜ . If ๐พ is a subfield of ๐”ฝ๐‘ž , then ๐พ has ๐‘๐‘‘ elements for some divisor ๐‘‘ of ๐‘˜. Proof. The point is that ๐”ฝ๐‘ž may be thought of as a vector space over ๐พ (exactly as in Theorem 5.17). If ๐‘Ÿ is the dimension of this vector space, then ๐‘ž must be |๐พ|๐‘Ÿ , which forces |๐พ| = ๐‘๐‘‘ with ๐‘‘๐‘Ÿ = ๐‘˜, so that ๐‘‘ is a divisor of ๐‘˜. โ–ก Notice that Proposition 5.21 places a stronger constraint on the size of the subfield ๐พ than just requiring that |๐พ| divides ๐‘ž (which is equivalent to ๐‘‘ โ‰ค ๐‘˜, whereas we must in fact have ๐‘‘ divides ๐‘˜). To illustrate, a field of size 16 = 24 can only have subfields of size 21 = 2, 22 = 4, or 24 , but not one of size 8 = 23 .

5.4. The multiplicative structure of finite fields Let ๐”ฝ๐‘ž denote a finite field with ๐‘ž elements. So far, we know that there exist such fields when ๐‘ž = ๐‘๐‘˜ is a prime power, and that there are no other ๐‘ž for which a finite field exists. We have just discussed the structure of the additive group in ๐”ฝ๐‘ž , and now we turn to the multiplicative structure of ๐”ฝ๐‘ž โ€”namely, the structure of the group ๐”ฝร—๐‘ž which has size ๐‘ž โˆ’ 1. Theorem 5.22. The multiplicative group ๐”ฝร—๐‘ž is cyclic. Thus there exists ๐›ผ โˆˆ ๐”ฝร—๐‘ž with order ๐‘ž โˆ’ 1, and all the elements of ๐”ฝร—๐‘ž may be written as ๐›ผ๐‘— with 1 โ‰ค ๐‘— โ‰ค ๐‘ž โˆ’ 1. Now that ๐”ฝร—๐‘ž is known to be cyclic, you should recall Proposition 5.6 which tells you about the order of all elements of ๐”ฝร—๐‘ž . In particular, it follows that ๐”ฝร—๐‘ž has ๐œ™(๐‘ž โˆ’ 1) generators. To prepare for the theorem, we need two lemmas, but first one piece of notation. If ๐‘ is a prime and ๐‘๐‘Ž |๐‘› but ๐‘๐‘Ž+1 does not divide ๐‘› (so that

96

5. Additive and multiplicative structures

๐‘๐‘Ž is the exact power of ๐‘ dividing ๐‘›) then we shall write ๐‘๐‘Ž โ€–๐‘› (read ๐‘๐‘Ž exactly divides ๐‘›). Lemma 5.23. Let ๐”ฝ๐‘ž be a field with ๐‘ž elements, and suppose that โ„“ is a prime with โ„“๐‘Ž โ€–(๐‘ž โˆ’ 1), where ๐‘Ž โ‰ฅ 1 is a natural number. Then there exists an element ๐‘” in ๐”ฝร—๐‘ž with order โ„“๐‘Ž . Proof. Consider the polynomial equation ๐‘ฅ(๐‘žโˆ’1)/โ„“ โˆ’ 1 = 0. This is a polynomial equation in ๐”ฝ๐‘ž [๐‘ฅ], and the polynomial has degree (๐‘ž โˆ’ 1)/โ„“. Therefore there are at most (๐‘ž โˆ’ 1)/โ„“ solutions to this congruence (this is the important factor theorem for polynomials, see Lemma 4.3). It follows that there are some elements of ๐”ฝร—๐‘ž that are not roots of ๐‘ฅ(๐‘žโˆ’1)/โ„“ โˆ’ 1, which means that there must exist some ๐›ฝ โˆˆ ๐”ฝร—๐‘ž whose order does not divide (๐‘ž โˆ’ 1)/โ„“. Since the order of ๐›ฝ must divide ๐‘ž โˆ’ 1 (by Lagrangeโ€™s theorem, see Corollary 5.10), this means that the order of ๐›ฝ must be a multiple of โ„“๐‘Ž ; say it is โ„“๐‘Ž ๐‘Ÿ. But then the order of ๐‘” = ๐›ฝ ๐‘Ÿ is simply โ„“๐‘Ž , which proves our lemma. โ–ก Lemma 5.24. Suppose that ๐บ is a finite abelian group, and that ๐‘Ž โˆˆ ๐บ has order ๐‘˜ and ๐‘ โˆˆ ๐บ has order โ„“. If (๐‘˜, โ„“) = 1 then ๐‘Ž๐‘ โˆˆ ๐บ has order ๐‘˜โ„“. Proof. Since ๐บ is commutative, (๐‘Ž๐‘)๐‘˜โ„“ = ๐‘Ž๐‘˜โ„“ ๐‘๐‘˜โ„“ = 1. Thus the order of ๐‘Ž๐‘ is some factor of ๐‘˜โ„“. Next we show that ๐‘˜โ„“ must divide the order of ๐‘Ž๐‘, which will complete our proof. Suppose ๐‘Ÿ is the order of ๐‘Ž๐‘, so that (๐‘Ž๐‘)๐‘Ÿ = ๐‘Ž๐‘Ÿ ๐‘๐‘Ÿ = 1. Raising this to the power ๐‘˜, we find that (๐‘Ž๐‘)๐‘Ÿ๐‘˜ = ๐‘๐‘Ÿ๐‘˜ = 1, so that โ„“ (the order of ๐‘) must divide ๐‘Ÿ๐‘˜. Since (โ„“, ๐‘˜) = 1, it follows that โ„“ divides ๐‘Ÿ. Similarly, raising to the power โ„“ instead we can see that ๐‘˜ divides ๐‘Ÿ. Again since (๐‘˜, โ„“) = 1 it follows that ๐‘˜โ„“ divides ๐‘Ÿ, as we desired. โ–ก ๐‘Ž

๐‘Ž

๐‘Ž

Proof of Theorem 5.22. Suppose ๐‘ž โˆ’ 1 = ๐‘1 1 ๐‘2 2 โ‹ฏ ๐‘๐‘Ÿ ๐‘Ÿ is the prime factorization of ๐‘ž โˆ’ 1, where the ๐‘ ๐‘– are distinct primes with ๐‘Ž๐‘– โ‰ฅ 1. By Lemma 5.23 there exist elements ๐‘”1 , . . ., ๐‘”๐‘Ÿ โˆˆ ๐”ฝร—๐‘ž with ๐‘”๐‘— having order ๐‘Ž๐‘—

๐‘๐‘— . Applying Lemma 5.24 repeatedly, the product ๐‘”1 โ‹ฏ ๐‘”๐‘Ÿ has order ๐‘Ž ๐‘Ž ๐‘1 1 โ‹ฏ ๐‘๐‘Ÿ ๐‘Ÿ = ๐‘ž โˆ’ 1. In other words, we have produced ๐›ผ = ๐‘”1 โ‹ฏ ๐‘”๐‘Ÿ โˆˆ ๐”ฝร—๐‘ž with order ๐‘žโˆ’1, and so all the elements of ๐”ฝร—๐‘ž are simply powers of ๐›ผ. โ–ก

5.5. Exercises

97

5.5. Exercises 1. Prove that the notion of isomorphism of groups satisfies the reflexive, symmetry, and transitive properties of an equivalence relation. 2. Let ๐‘Ž mod ๐‘› be a reduced residue class and let its order be ๐‘”. Show that the order of ๐‘Ž๐‘˜ mod ๐‘› is also ๐‘”, where ๐‘˜ is any integer coprime to ๐‘”. 3. Let ๐‘ be a prime with ๐‘ โ‰  2, 5. Prove that the decimal expansion of 1/๐‘ has exactly ๐‘” digits that repeat, where ๐‘” is the order of 10 mod ๐‘. For example 1/7 = 142857/999999 = 0.142857 has six repeating digits, and the order of 10 mod 7 is also equal to 6. 4. Let ๐‘˜ and ๐‘Ž be positive integers with ๐‘Ž โ‰ฅ 2. Show that ๐‘˜ โˆฃ ๐œ™(๐‘Ž๐‘˜ โˆ’ 1). (Hint: consider the order of ๐‘Ž mod (๐‘Ž๐‘˜ โˆ’ 1).) 5. Let ๐‘ be an odd prime, and let ๐‘Ž be coprime to ๐‘. If ๐‘Ž โ‰ข 1 mod ๐‘, prove that ๐‘ divides 1 + ๐‘Ž + ๐‘Ž2 + . . . + ๐‘Ž๐‘โˆ’2 . 6. Let ๐บ be a group, and let ๐ป be a subgroup of ๐บ. Define a relation by saying that ๐‘”1 โˆผ ๐‘”2 precisely if ๐‘”โˆ’1 1 ๐‘”2 โˆˆ ๐ป. Prove that โˆผ is an equivalence relation. 7. Let ๐บ and ๐ป be two groups. Suppose ๐‘” โˆˆ ๐บ has order ๐‘š, and โ„Ž โˆˆ ๐ป has order ๐‘›. Show that (๐‘”, โ„Ž) โˆˆ ๐บ ร— ๐ป has order [๐‘š, ๐‘›], where [๐‘š, ๐‘›] denotes the least common multiple (lcm) of ๐‘š and ๐‘›. 8. Suppose ๐‘š and ๐‘› are coprime positive integers. Show that the direct product ๐ถ๐‘š ร— ๐ถ๐‘› of the cyclic groups of size ๐‘š and ๐‘› is isomorphic to the cyclic group ๐ถ๐‘š๐‘› of size ๐‘š๐‘›. 9. Suppose ๐‘š and ๐‘› are two positive integers with (๐‘š, ๐‘›) > 1. Show that ๐ถ๐‘š ร— ๐ถ๐‘› is not a cyclic group. 10. Suppose ๐‘ โ‰ก 2 mod 3 is prime. Show that the map ๐‘“ โˆถ ๐”ฝ๐‘ร— โ†’ ๐”ฝ๐‘ร— defined by ๐‘“(๐‘Ž) = ๐‘Ž3 is a bijection. 11. Suppose ๐‘ โ‰ก 1 mod 3 is prime. Show that the map ๐‘“ โˆถ ๐”ฝ๐‘ร— โ†’ ๐”ฝ๐‘ร— given by ๐‘“(๐‘Ž) = ๐‘Ž3 is not a bijection. Deduce that there is some ๐‘Ž โˆˆ ๐”ฝ๐‘ร— such that ๐‘ฅ3 โˆ’ ๐‘Ž is an irreducible polynomial in ๐”ฝ๐‘ [๐‘ฅ]. 12. Let ๐‘ be a prime. Show that ๐‘ฅ๐‘ โˆ’ ๐‘ฅ and ๐‘ฅ(๐‘ฅ โˆ’ 1)(๐‘ฅ โˆ’ 2) โ‹ฏ (๐‘ฅ โˆ’ (๐‘ โˆ’ 1)) are the same polynomial in ๐”ฝ๐‘ [๐‘ฅ]. Deduce Wilsonโ€™s theorem.

98

5. Additive and multiplicative structures

13. Let ๐‘“ be a polynomial of degree ๐‘› in ๐”ฝ๐‘ [๐‘ฅ]. Show that ๐‘“ has exactly ๐‘› distinct roots mod ๐‘ if and only if ๐‘“(๐‘ฅ) divides ๐‘ฅ๐‘ โˆ’ ๐‘ฅ in ๐”ฝ๐‘ [๐‘ฅ]. (That is, there is a polynomial ๐‘” โˆˆ ๐”ฝ๐‘ [๐‘ฅ] such that ๐‘ฅ๐‘ โˆ’ ๐‘ฅ = ๐‘“๐‘” in ๐”ฝ๐‘ [๐‘ฅ].) 14. Let ๐”ฝ be a finite field with characteristic ๐‘. Define a map ๐œ“ โˆถ ๐”ฝ โ†’ ๐”ฝ by ๐œ“(๐›ผ) = ๐›ผ๐‘ . (i) Show that for any two elements ๐›ผ, ๐›ฝ in ๐”ฝ we have ๐œ“(๐›ผ + ๐›ฝ) = (๐›ผ + ๐›ฝ)๐‘ = ๐›ผ๐‘ + ๐›ฝ ๐‘ = ๐œ“(๐›ผ) + ๐œ“(๐›ฝ). (ii) Show that ๐œ“ is a bijection. (iii) Show that ๐œ“ โˆถ ๐”ฝ โ†’ ๐”ฝ is an isomorphism of fields. (iv) Show that the elements ๐›ผ of ๐”ฝ satisfying ๐œ“(๐›ผ) = ๐›ผ form the subfield ๐”ฝ๐‘ contained in ๐”ฝ. 15. Let ๐‘ be a prime with ๐‘ โ‰ก 3 mod 4. Let ๐”ฝ denote the field โ„ค[๐‘–]/(๐‘). Prove that if ๐‘Ž + ๐‘๐‘– is an element of ๐”ฝ, then (๐‘Ž + ๐‘๐‘–)๐‘ = ๐‘Ž โˆ’ ๐‘๐‘–.

Chapter 6

Understanding the structure of โ„ค/๐‘›โ„ค

This chapter takes a little break from developing finite fields, and uses the ideas developed so far to understand the structure of the quotient rings โ„ค/๐‘›โ„ค, which we discussed previously in ยง3.2. Throughout, we have in mind that ๐‘› โ‰ฅ 2 is a positive integer. The additive group in this ring is easy to understand: it is a cyclic group of size ๐‘›. Here we flesh out the structure of the multiplicative group of units (โ„ค/๐‘›โ„ค)ร— , which is a group of size ๐œ™(๐‘›). When ๐‘› is a prime number ๐‘, we know from our work in ยง5.4 that the multiplicative group (โ„ค/๐‘โ„ค)ร— is cyclic (being the multiplicative group of a field). The main result of this chapter will give a complete description of (โ„ค/๐‘›โ„ค)ร— , identifying in particular the values of ๐‘› for which this group is cyclic.

6.1. The Chinese Remainder Theorem An important step in understanding the structure of the ring โ„ค/๐‘›โ„ค is the Chinese Remainder Theorem. This will allow us to focus on โ„ค/๐‘๐‘Ž โ„ค for prime powers ๐‘๐‘Ž , which will turn out to be a simpler structure to untangle. Proposition 6.1. Let ๐‘š and ๐‘› be two coprime natural numbers. Let ๐‘Ž mod ๐‘š and ๐‘ mod ๐‘› be two residue classes. Then there is a unique 99

100

6. Understanding the structure of โ„ค/๐‘›โ„ค

residue class ๐‘ mod ๐‘š๐‘› such that the set {๐‘ฅ โˆˆ โ„ค โˆถ ๐‘ฅ โ‰ก ๐‘Ž mod ๐‘š, ๐‘ฅ โ‰ก ๐‘ mod ๐‘›} equals the residue class ๐‘ mod ๐‘š๐‘›. Proof. First let us show that there exists an integer ๐‘ with ๐‘ โ‰ก ๐‘Ž mod ๐‘š, and with ๐‘ โ‰ก ๐‘ mod ๐‘›. Since ๐‘š and ๐‘› are coprime we may find integers ๐‘˜ and โ„“ with ๐‘š๐‘˜ + ๐‘›โ„“ = 1. We claim that the integer ๐‘ = ๐‘๐‘š๐‘˜ + ๐‘Ž๐‘›โ„“ satisfies the two desired congruences. Indeed, viewed mod ๐‘š we have ๐‘ = ๐‘๐‘š๐‘˜ + ๐‘Ž๐‘›โ„“ โ‰ก ๐‘Ž๐‘›โ„“ โ‰ก ๐‘Ž(1 โˆ’ ๐‘š๐‘˜) โ‰ก ๐‘Ž mod ๐‘š, and viewed mod ๐‘› we have ๐‘ = ๐‘๐‘š๐‘˜ + ๐‘Ž๐‘›โ„“ โ‰ก ๐‘๐‘š๐‘˜ โ‰ก ๐‘(1 โˆ’ ๐‘›โ„“) โ‰ก ๐‘ mod ๐‘›. Once we have found an integer ๐‘ satisfying both congruences, it is clear that any integer ๐‘ + ๐‘Ÿ๐‘š๐‘› will also satisfy both congruences. Thus all elements in the residue class ๐‘ mod ๐‘š๐‘› satisfy both congruences. Finally if ๐‘ฅ is any integer with ๐‘ฅ โ‰ก ๐‘Ž mod ๐‘š and ๐‘ฅ โ‰ก ๐‘ mod ๐‘›, then we must have ๐‘ฅ โˆ’ ๐‘ โ‰ก 0 mod ๐‘š, and ๐‘ฅ โˆ’ ๐‘ โ‰ก 0 mod ๐‘›. Thus ๐‘š and ๐‘› must both divide ๐‘ฅ โˆ’ ๐‘, and since ๐‘š and ๐‘› are coprime, this means ๐‘š๐‘› divides ๐‘ฅ โˆ’ ๐‘, or ๐‘ฅ โ‰ก ๐‘ mod ๐‘š๐‘›. โ–ก In Definition 5.19 we defined the direct product of two groups, and in exactly the same way we may define the direct product of two rings. Definition 6.2. Let ๐‘… and ๐‘† be two rings (commutative with identity as always). Then the direct product ๐‘… ร— ๐‘† is defined as the set ๐‘… ร— ๐‘† = {(๐‘Ÿ, ๐‘ ) โˆถ ๐‘Ÿ โˆˆ ๐‘…, ๐‘  โˆˆ ๐‘†} together with ring operations defined by component-wise addition and multiplication. That is (๐‘Ÿ1 , ๐‘ 1 ) + (๐‘Ÿ2 , ๐‘ 2 ) = (๐‘Ÿ1 + ๐‘Ÿ2 , ๐‘ 1 + ๐‘ 2 ), and (๐‘Ÿ1 , ๐‘ 1 ) ร— (๐‘Ÿ2 , ๐‘ 2 ) = (๐‘Ÿ1 ๐‘Ÿ2 , ๐‘ 1 ๐‘ 2 ). Example 6.3. Note that the direct product ๐‘… ร— ๐‘† forms a commutative ring with identity. The additive identity in ๐‘… ร— ๐‘† is (0, 0) where the 0 in the first coordinate is the additive identity in ๐‘…, and the 0 in the second coordinate denotes the additive identity in ๐‘†. Similarly, the multiplicative identity in ๐‘… ร— ๐‘† is (1, 1). You should check that the unit group of

6.1. The Chinese Remainder Theorem

101

๐‘… ร— ๐‘† is ๐‘…ร— ร— ๐‘† ร— , which is the direct product of the unit groups of ๐‘… and ๐‘†. In Proposition 6.1 we saw that if ๐‘š and ๐‘› are coprime, then to any pair of residue classes ๐‘Ž mod ๐‘š and ๐‘ mod ๐‘› we may associate a residue class ๐‘ mod ๐‘š๐‘›. The correspondence given there is a bijection. For example, the residue class ๐‘ mod ๐‘š๐‘› will arise from the pair of residue classes ๐‘ mod ๐‘š and ๐‘ mod ๐‘›, so that the correspondence is surjective. Since there are ๐‘š๐‘› pairs (๐‘Ž mod ๐‘š, ๐‘ mod ๐‘›) and ๐‘š๐‘› residue classes ๐‘ mod ๐‘š๐‘›, we see that the correspondence must therefore be a bijection. Naturally there are many possible bijections between two sets of the same cardinality. The bijection of Proposition 6.1 is special in that it gives a ring isomorphism between โ„ค/๐‘šโ„ค ร— โ„ค/๐‘›โ„ค and โ„ค/๐‘š๐‘›โ„ค. Theorem 6.4 (The Chinese Remainder Theorem). Let ๐‘š and ๐‘› be two coprime natural numbers. Then there is a ring isomorphism ๐œ“ โˆถ โ„ค/๐‘šโ„ค ร— โ„ค/๐‘›โ„ค โ†’ โ„ค/๐‘š๐‘›โ„ค, where the map ๐œ“ is the correspondence given in Proposition 6.1. Proof. To clarify, the map ๐œ“ is given by ๐œ“(๐‘Ž mod ๐‘š, ๐‘ mod ๐‘›) = ๐‘ mod ๐‘š๐‘›, where ๐‘ mod ๐‘š๐‘› = {๐‘ฅ โˆˆ โ„ค โˆถ ๐‘ฅ โ‰ก ๐‘Ž mod ๐‘š, ๐‘ฅ โ‰ก ๐‘ mod ๐‘›}. We have already discussed why this is a bijection, and what remains is to show that ๐œ“ preserves the ring structure. Suppose that ๐œ“(๐‘Ž1 mod ๐‘š, ๐‘1 mod ๐‘›) = ๐‘ 1 mod ๐‘š๐‘›, and ๐œ“(๐‘Ž2 mod ๐‘š, ๐‘2 mod ๐‘›) = ๐‘ 2 mod ๐‘š๐‘›. What we then want is ๐œ“(๐‘Ž1 + ๐‘Ž2 mod ๐‘š, ๐‘1 + ๐‘2 mod ๐‘›) = ๐‘ 1 + ๐‘ 2 mod ๐‘š๐‘›. This is indeed true because the elements in ๐‘ 1 + ๐‘ 2 mod ๐‘š๐‘› will clearly be โ‰ก ๐‘Ž1 + ๐‘Ž2 mod ๐‘š, and โ‰ก ๐‘1 + ๐‘2 mod ๐‘›. Thus, addition of residue classes mod ๐‘š๐‘› corresponds exactly to component-wise addition in โ„ค/๐‘šโ„คร—โ„ค/๐‘›โ„ค. Similar considerations apply to multiplication, and therefore we have a ring isomorphism as claimed. โ–ก

102

6. Understanding the structure of โ„ค/๐‘›โ„ค

Example 6.5. The condition that ๐‘š and ๐‘› are coprime is crucial in the Chinese Remainder Theorem. For example, in Proposition 6.1 we started with the important relation ๐‘š๐‘˜ + ๐‘›โ„“ = 1, which of course cannot hold if ๐‘š and ๐‘› have a common factor. You can also easily see why there cannot be any solution lying in 3 mod 10 and 5 mod 15, for example. See Exercise 1 below for a version when the moduli are not coprime. If ๐‘›1 , ๐‘›2 , . . ., ๐‘›๐‘˜ are pairwise coprime (that is, any two are coprime to each other) then you should have little difficulty in extending the Chinese Remainder Theorem to obtain an isomorphism between the rings โ„ค/(๐‘›1 โ‹ฏ ๐‘›๐‘˜ )โ„ค and โ„ค/๐‘›1 โ„ค ร— โ‹ฏ ร— โ„ค/๐‘›๐‘˜ โ„ค. Summarizing our work so far, we record the following corollary. ๐‘’

๐‘’

Corollary 6.6. Write the prime factorization of ๐‘› as ๐‘› = ๐‘11 โ‹ฏ ๐‘๐‘˜๐‘˜ , where ๐‘’ ๐‘1 , . . ., ๐‘ ๐‘˜ are distinct primes. Then the ring โ„ค/๐‘›โ„ค is isomorphic to โ„ค/๐‘11 โ„คร— ๐‘’๐‘˜ ร— โ‹ฏร—โ„ค/๐‘๐‘˜ โ„ค. In particular, the multiplicative group (โ„ค/๐‘›โ„ค) is isomorphic ๐‘’ ๐‘’ to (โ„ค/๐‘11 โ„ค)ร— ร— โ‹ฏ ร— (โ„ค/๐‘๐‘˜๐‘˜ โ„ค)ร— . Example 6.7. We saw earlier in Proposition 4.21 that the Euler ๐œ™-function is multiplicative. The Chinese Remainder Theorem gives us another explanation of this fact: if ๐‘š and ๐‘› are coprime then the groups (โ„ค/๐‘š๐‘›โ„ค)ร— and (โ„ค/๐‘šโ„ค)ร— ร— (โ„ค/๐‘›โ„ค)ร— are isomorphic, and therefore their sizes ๐œ™(๐‘š๐‘›) and ๐œ™(๐‘š)๐œ™(๐‘›) must be the same. We end this section with a brief discussion of the Chinese Remainder Theorem in a general ring ๐‘… (commutative with identity as always). Definition 6.8. Let ๐‘… be a ring, and let ๐ผ and ๐ฝ be two ideals of ๐‘…. We say that ๐ผ and ๐ฝ are comaximal if there exists ๐‘– โˆˆ ๐ผ and ๐‘— โˆˆ ๐ฝ with ๐‘– + ๐‘— = 1. Example 6.9. If ๐‘… = โ„ค then the ideals (๐‘š) and (๐‘›) are comaximal exactly when ๐‘š and ๐‘› are coprime. Suppose ๐ผ and ๐ฝ are comaximal ideals in a ring ๐‘…. Given a congruence class ๐‘Ž mod ๐ผ and a congruence class ๐‘ mod ๐ฝ, we would like to describe the elements in ๐‘… that are both โ‰ก ๐‘Ž mod ๐ผ and โ‰ก ๐‘ mod ๐ฝ. If such an element ๐‘Ÿ โˆˆ ๐‘… exists, then note that any element in ๐‘Ÿ mod ๐ผ โˆฉ ๐ฝ would also have the same property. (Check or recall from Exercise 9 of Chapter 1 that ๐ผ โˆฉ ๐ฝ is also an ideal in ๐‘….) Further if some other ๐‘  was also ๐‘Ž mod ๐ผ and ๐‘ mod ๐ฝ then ๐‘Ÿ โˆ’ ๐‘  must be in ๐ผ and in ๐ฝ and so in

6.2. The structure of the multiplicative group (โ„ค/๐‘›โ„ค)ร—

103

๐ผ โˆฉ ๐ฝโ€”in other words, all solutions to the pair of congruences must be in ๐‘Ÿ mod ๐ผ โˆฉ ๐ฝ. Why does such an ๐‘Ÿ exist? We use the comaximality property of ๐ผ and ๐ฝ: recall ๐‘– + ๐‘— = 1 for some ๐‘– โˆˆ ๐ผ and ๐‘— โˆˆ ๐ฝ. Now consider ๐‘Ÿ = ๐‘Ž๐‘— + ๐‘๐‘–. Since ๐‘๐‘– โˆˆ ๐ผ, ๐‘Ÿ โ‰ก ๐‘Ž๐‘— mod ๐ผ, and since ๐‘— = 1 โˆ’ ๐‘– โ‰ก 1 mod ๐ผ, we conclude that ๐‘Ÿ โ‰ก ๐‘Ž mod ๐ผ. Similarly we find ๐‘Ÿ โ‰ก ๐‘ mod ๐ฝ. In other words we have found a correspondence between pairs of residue classes mod ๐ผ and mod ๐ฝ and a residue class mod ๐ผ โˆฉ ๐ฝ. This generalizes Proposition 6.1 and, indeed, the proofs are entirely similar. Further, exactly as in Theorem 6.4, we have a ring isomorphism between ๐‘…/๐ผ ร— ๐‘…/๐ฝ and ๐‘…/(๐ผ โˆฉ ๐ฝ). One last remark: when ๐ผ and ๐ฝ are comaximal, you should check (this is Exercise 5 below) that ๐ผ โˆฉ ๐ฝ = ๐ผ๐ฝ, where ๐ผ๐ฝ denotes the product of the two ideals ๐ผ and ๐ฝ (which was defined in Exercise 13 of Chapter 1).

6.2. The structure of the multiplicative group (โ„ค/๐‘›โ„ค)ร— Our goal is to understand the structure of the multiplicative group (โ„ค/๐‘›โ„ค)ร— , which has size ๐œ™(๐‘›). To give an idea of what it means to understand this group, here are some questions that we might want to answer. For what values of ๐‘› is this group cyclic? What are the possible orders of elements in (โ„ค/๐‘›โ„ค)ร— and how many elements are there of each possible order? ๐‘’

๐‘’

If ๐‘11 โ‹ฏ ๐‘๐‘˜๐‘˜ is the prime factorization of ๐‘›, then the Chinese Re๐‘’ mainder Theorem allows us to understand (โ„ค/๐‘›โ„ค)ร— as (โ„ค/๐‘11 โ„ค)ร— ร— โ‹ฏ ร— ๐‘’๐‘˜ ร— (โ„ค/๐‘๐‘˜ โ„ค) . This reduces our problem to understanding the groups (โ„ค/๐‘๐‘’ โ„ค)ร— for prime powers ๐‘๐‘’ . We already know that the group (โ„ค/๐‘โ„ค)ร— is cyclic, since it forms the multiplicative group of the field ๐”ฝ๐‘ = โ„ค/๐‘โ„ค. For all odd primes ๐‘ (that is, for ๐‘ > 2), it turns out that the groups (โ„ค/๐‘๐‘’ โ„ค)ร— are also cyclic, and the story for powers of 2 is slightly more complicated. Theorem 6.10. If ๐‘ is an odd prime, then the group (โ„ค/๐‘๐‘’ โ„ค)ร— is cyclic for all ๐‘’ โ‰ฅ 1. Thus the group (โ„ค/๐‘๐‘’ โ„ค)ร— is isomorphic to ๐ถ๐œ™(๐‘๐‘’ ) . Example 6.11. In number theory books, a generator of the group (โ„ค/๐‘๐‘’ โ„ค)ร— is also known as a primitive root mod ๐‘๐‘’ . Recall Proposition 5.6 which describes the orders of elements of cyclic groups. It follows that there are ๐œ™(๐œ™(๐‘๐‘’ )) primitive roots mod ๐‘๐‘’ for odd prime powers ๐‘๐‘’ .

104

6. Understanding the structure of โ„ค/๐‘›โ„ค

For powers of 2, we have the following supplement to Theorem 6.10, whose proof will be left as an exercise for you (see Exercise 13 below). Theorem 6.12 (Supplement to Theorem 6.10). The groups (โ„ค/2โ„ค)ร— and (โ„ค/4โ„ค)ร— are cyclic. If ๐‘’ โ‰ฅ 3 then the order of 5 mod 2๐‘’ is 2๐‘’โˆ’2 . Moreover every reduced residue class mod 2๐‘’ can be written as ยฑ1 ร— 5๐‘˜ . Thus, for ๐‘’ โ‰ฅ 3, the group (โ„ค/2๐‘’ โ„ค)ร— is isomorphic to ๐ถ2 ร— ๐ถ2๐‘’โˆ’2 . Combining Theorems 6.10 and 6.12 with the Chinese Remainder Theorem, we can give a description of the group (โ„ค/๐‘›โ„ค)ร— . Corollary 6.13. (i) Suppose 8 does not divide ๐‘›, and write the prime fac๐‘’ ๐‘’ torization of ๐‘› as ๐‘› = ๐‘11 โ‹ฏ ๐‘๐‘˜๐‘˜ . Then (โ„ค/๐‘›โ„ค)ร— is isomorphic to the product of cyclic groups ๐ถ๐œ™(๐‘๐‘’1 ) ร— โ‹ฏ ร— ๐ถ๐œ™(๐‘๐‘’๐‘˜ ) . 1

๐‘˜

๐‘’

๐‘’

(ii) Suppose 8|๐‘›, and write ๐‘› = 2๐‘’ โ‹… ๐‘22 โ‹ฏ ๐‘๐‘˜๐‘˜ . Then (โ„ค/๐‘›โ„ค)ร— is isomorphic to ๐ถ2 ร— ๐ถ2๐‘’โˆ’2 ร— ๐ถ๐œ™(๐‘๐‘’2 ) ร— โ‹ฏ ร— ๐ถ๐œ™(๐‘๐‘’๐‘˜ ) . 2

๐‘˜

Thus for all ๐‘›, we have described the group (โ„ค/๐‘›โ„ค)ร— as a direct product of cyclic groups. In fact, more generally, every finite abelian group may be decomposed as a product of cyclic groups (and still more generally, every finitely generated abelian group may be decomposed in such a way). This result is known as the fundamental theorem of finitely generated abelian groups, and you would encounter it in a group theory course. We already saw another instance of this theorem: the additive group in a finite field with characteristic ๐‘ is the product of several copies of the cyclic group of size ๐‘. Let us now see how this abstract description of the group (โ„ค/๐‘›โ„ค)ร— answers the questions posed at the beginning of this section. Let us begin with the second question about the possible orders of elements in (โ„ค/๐‘›โ„ค)ร— . Definition 6.14. The Carmichael function ๐œ† โˆถ โ„• โ†’ โ„• is defined as follows. Set ๐œ†(1) = 1, and, if ๐‘ is an odd prime, define for prime powers ๐‘๐‘’ > 1 ๐œ†(๐‘๐‘’ ) = ๐œ™(๐‘๐‘’ ) = ๐‘๐‘’โˆ’1 (๐‘ โˆ’ 1). Put ๐œ†(2) = 1, ๐œ†(4) = 2, and for ๐‘’ โ‰ฅ 3 define ๐œ†(2๐‘’ ) = 2๐‘’โˆ’2 .

6.3. Proof of Theorem 6.10 ๐‘’

105

๐‘’

Finally, if ๐‘› = ๐‘11 โ‹ฏ ๐‘๐‘˜๐‘˜ then define ๐‘’

๐‘’

๐œ†(๐‘›) = lcm[๐œ†(๐‘11 ), โ‹ฏ , ๐œ†(๐‘๐‘˜๐‘˜ )]. The significance of this definition may be seen from the following refinement of Eulerโ€™s theorem. Theorem 6.15 (Refining Eulerโ€™s theorem). Every reduced residue class ๐‘Ž mod ๐‘› has order dividing ๐œ†(๐‘›). Moreover there exist residue classes ๐‘Ž mod ๐‘› with order exactly equal to ๐œ†(๐‘›). Sketch proof. Exercise 7 of Chapter 5 asked you to show that if ๐บ and ๐ป are any two groups, and ๐‘” โˆˆ ๐บ has order ๐‘š and โ„Ž โˆˆ ๐ป has order ๐‘›, then (๐‘”, โ„Ž) โˆˆ ๐บ ร— ๐ป has order [๐‘š, ๐‘›] (the lcm of ๐‘š and ๐‘›). It follows that ๐‘’ ๐‘’ if ๐‘› = ๐‘11 โ‹ฏ ๐‘๐‘˜๐‘˜ then the reduced ๐‘Ž mod ๐‘› has order equal to the least ๐‘’ common multiple of the order of ๐‘Ž mod ๐‘๐‘– ๐‘– for all 1 โ‰ค ๐‘– โ‰ค ๐‘˜. If ๐‘ is an odd prime, then ๐œ†(๐‘๐‘’ ) = ๐œ™(๐‘๐‘’ ) and Theorem 6.10 showed that the orders of elements in (โ„ค/๐‘๐‘’ โ„ค)ร— divide ๐œ†(๐‘๐‘’ ), and that there is an element with order ๐œ†(๐‘๐‘’ ). The same conclusion holds for powers of 2 by Theorem 6.12 and our definition of ๐œ†(2๐‘’ ). This completes our sketch proof, and you should fill in the details. โ–ก The answer to the first question on when the group (โ„ค/๐‘›โ„ค)ร— is cyclic is contained in the following result (which you are invited to prove in Exercise 11 below). Theorem 6.16. The group (โ„ค/๐‘›โ„ค)ร— is cyclic if and only if (i) ๐‘› = ๐‘๐‘’ or ๐‘› = 2๐‘๐‘’ for some odd prime ๐‘; (ii) ๐‘› = 2 or ๐‘› = 4.

6.3. Existence of primitive roots mod ๐‘๐‘’ : Proof of Theorem 6.10 Throughout, let ๐‘ denote an odd prime. If ๐‘’ = 1 then the congruence classes mod ๐‘๐‘’ form the field ๐”ฝ๐‘ , and we have already shown in ยง5.4 that the group ๐”ฝ๐‘ร— is cyclic. Thus there is a primitive root ๐‘” mod ๐‘, and we now want to find primitive roots mod ๐‘๐‘’ for higher prime powers. Given a residue class ๐‘Ž mod ๐‘, for 0 โ‰ค ๐‘˜ โ‰ค ๐‘ โˆ’ 1 the residue classes ๐‘Ž + ๐‘˜๐‘ mod ๐‘ are all the same, but viewed mod ๐‘2 the residue classes ๐‘Ž + ๐‘˜๐‘ mod ๐‘2 are all distinct. We say that the residue class ๐‘Ž mod ๐‘

106

6. Understanding the structure of โ„ค/๐‘›โ„ค

โ€œliftsโ€ to these ๐‘ residue classes mod ๐‘2 : namely ๐‘Ž, ๐‘Ž + ๐‘, ๐‘Ž + 2๐‘, . . . , ๐‘Ž + ๐‘(๐‘ โˆ’ 1) mod ๐‘2 , or equivalently that the residue classes ๐‘Ž + ๐‘˜๐‘ mod ๐‘2 โ€œlie aboveโ€ ๐‘Ž mod ๐‘. Similarly, we can think of residue classes ๐‘Ž mod ๐‘๐‘’ lifting to the residue classes ๐‘Ž + ๐‘˜๐‘๐‘’ mod ๐‘๐‘’+1 (for 0 โ‰ค ๐‘˜ โ‰ค ๐‘ โˆ’ 1 say). Proposition 6.17. Let ๐‘ be an odd prime. (i) For each primitive root ๐‘” mod ๐‘ there are exactly ๐‘ โˆ’ 1 residue classes ๐‘” + ๐‘˜๐‘ mod ๐‘2 lying above ๐‘” mod ๐‘ that are primitive roots mod ๐‘2 . (ii) If ๐‘’ โ‰ฅ 2 then every primitive root ๐‘” mod ๐‘๐‘’ lifts to ๐‘ primitive roots ๐‘” + ๐‘˜๐‘๐‘’ mod ๐‘๐‘’+1 ( for 0 โ‰ค ๐‘˜ โ‰ค ๐‘ โˆ’ 1). Example 6.18. There are ๐œ™(๐‘ โˆ’ 1) primitive roots mod ๐‘, and the first part of Proposition 6.17 tells us that these give rise to (๐‘ โˆ’ 1)๐œ™(๐‘ โˆ’ 1) primitive roots mod ๐‘2 . Note that if ๐‘” generates all the reduced residue classes mod ๐‘2 then it must clearly generate all the reduced residue classes mod ๐‘, so that these account for all the primitive roots mod ๐‘2 . This is consistent with our prior knowledge that there must be ๐œ™(๐œ™(๐‘2 )) generators of the cyclic group ๐ถ๐œ™(๐‘2 ) : indeed ๐œ™(๐œ™(๐‘2 )) = ๐œ™(๐‘(๐‘ โˆ’ 1)) = ๐œ™(๐‘)๐œ™(๐‘ โˆ’ 1) = (๐‘ โˆ’ 1)๐œ™(๐‘ โˆ’ 1). Similarly, for ๐‘’ โ‰ฅ 2 the ๐œ™(๐œ™(๐‘๐‘’ )) = ๐œ™(๐‘๐‘’โˆ’1 (๐‘ โˆ’ 1)) = ๐‘๐‘’โˆ’2 (๐‘ โˆ’ 1)๐œ™(๐‘ โˆ’ 1) primitive roots mod ๐‘๐‘’ lift to ๐‘๐œ™(๐œ™(๐‘๐‘’ )) = ๐‘๐‘’โˆ’1 (๐‘ โˆ’ 1)๐œ™(๐‘ โˆ’ 1) primitive roots mod ๐‘๐‘’+1 which is consistent with ๐œ™(๐œ™(๐‘๐‘’+1 )). A key step in proving Proposition 6.17 is the following simple observation (which holds also for the prime ๐‘ = 2). Lemma 6.19. Let ๐‘ be any prime (including 2). Let ๐‘˜ โ‰ฅ 1 be a natural number and ๐‘Ž an integer with (๐‘Ž, ๐‘) = 1. Suppose โ„“ is the order of ๐‘Ž mod ๐‘๐‘˜ . Then the order of ๐‘Ž mod ๐‘๐‘˜+1 is either โ„“ or ๐‘โ„“. Proof. Suppose ๐‘Ž๐‘Ÿ โ‰ก 1 mod ๐‘๐‘˜+1 . Then certainly ๐‘Ž๐‘Ÿ โ‰ก 1 mod ๐‘๐‘˜ . Therefore the order of ๐‘Ž mod ๐‘๐‘˜ , which is โ„“, must divide ๐‘Ÿ. It follows that โ„“ divides the order of ๐‘Ž mod ๐‘๐‘˜+1 . Now write ๐‘Žโ„“ = 1 + ๐‘ ๐‘๐‘˜ for some integer ๐‘ , and consider ๐‘Žโ„“๐‘ = (1 + ๐‘ ๐‘๐‘˜ )๐‘ . Expand this out using the binomial theorem: ๐‘ ๐‘ ๐‘ (1 + ๐‘ ๐‘๐‘˜ )๐‘ = 1 + ( )๐‘ ๐‘๐‘˜ + ( )(๐‘ ๐‘๐‘˜ )2 + . . . + ( )(๐‘ ๐‘๐‘˜ )๐‘ . 1 2 ๐‘

6.3. Proof of Theorem 6.10

107

Since (๐‘ ๐‘๐‘˜ )๐‘— โ‰ก 0 mod ๐‘๐‘˜+1 for all ๐‘— โ‰ฅ 2, and ๐‘ ( )๐‘ ๐‘๐‘˜ = ๐‘ ๐‘๐‘˜+1 โ‰ก 0 mod ๐‘๐‘˜+1 , 1 we see that (1 + ๐‘ ๐‘๐‘˜ )๐‘ โ‰ก 1 mod ๐‘๐‘˜+1 . Thus ๐‘Žโ„“๐‘ โ‰ก 1 mod ๐‘๐‘˜+1 ; or in other words, the order of ๐‘Ž mod ๐‘๐‘˜+1 divides โ„“๐‘. We have shown that the order of ๐‘Ž mod ๐‘๐‘˜+1 is a multiple of โ„“, and that it divides ๐‘โ„“. The only choices are โ„“ and ๐‘โ„“. โ–ก Proof of Proposition 6.17 (Part i). Let us start with the first assertion about lifting primitive roots from mod ๐‘ to mod ๐‘2 . For each 0 โ‰ค ๐‘˜ โ‰ค ๐‘ โˆ’ 1 note that ๐‘” + ๐‘˜๐‘ โ‰ก ๐‘” mod ๐‘ is a primitive root mod ๐‘. Therefore by Lemma 6.19, ๐‘” + ๐‘˜๐‘ mod ๐‘2 has order either (๐‘ โˆ’ 1) or ๐‘(๐‘ โˆ’ 1). We shall prove that for exactly one value of ๐‘˜ the order is ๐‘โˆ’1, and therefore for the remaining (๐‘ โˆ’ 1) values of ๐‘˜ the order equals ๐‘(๐‘ โˆ’ 1). If (๐‘” + ๐‘˜๐‘) mod ๐‘2 has order ๐‘ โˆ’ 1, then (๐‘” + ๐‘˜๐‘)๐‘โˆ’1 โ‰ก 1 mod ๐‘2 . Expand using the binomial theorem: (๐‘” + ๐‘˜๐‘)๐‘โˆ’1 = ๐‘”๐‘โˆ’1 + (

๐‘โˆ’1 ๐‘โˆ’1 )(๐‘˜๐‘)๐‘”๐‘โˆ’2 + ( )(๐‘˜๐‘)2 ๐‘”๐‘โˆ’3 1 2

๐‘โˆ’1 + ... + ( )(๐‘˜๐‘)๐‘โˆ’1 . ๐‘โˆ’1 From the third term onwards we get multiples of ๐‘2 . So ๐‘โˆ’1 (๐‘” + ๐‘˜๐‘)๐‘โˆ’1 โ‰ก ๐‘”๐‘โˆ’1 + ( )(๐‘˜๐‘)๐‘”๐‘โˆ’2 โ‰ก ๐‘”๐‘โˆ’1 + (๐‘ โˆ’ 1)๐‘˜๐‘๐‘”๐‘โˆ’2 1 โ‰ก (๐‘”๐‘โˆ’1 โˆ’ ๐‘˜๐‘๐‘”๐‘โˆ’2 ) mod ๐‘2 . If we write ๐‘”๐‘โˆ’1 = 1 + ๐‘ ๐‘, then the above is 1 + ๐‘(๐‘  โˆ’ ๐‘˜๐‘”๐‘โˆ’2 ) mod ๐‘2 and this is 1 mod ๐‘2 if and only if ๐‘  โ‰ก ๐‘˜๐‘”๐‘โˆ’2 mod ๐‘

or equivalently

๐‘”๐‘  โ‰ก ๐‘˜๐‘”๐‘โˆ’1 โ‰ก ๐‘˜ mod ๐‘.

Thus there is exactly one possible value of ๐‘˜ with 0 โ‰ค ๐‘˜ โ‰ค ๐‘ โˆ’ 1 (namely ๐‘˜ โ‰ก ๐‘”๐‘  mod ๐‘) for which ๐‘” + ๐‘˜๐‘ mod ๐‘2 has order (๐‘ โˆ’ 1). This proves what we wanted. โ–ก Proof of Proposition 6.17 (Part ii). Let us see how to lift from a primitive root mod ๐‘2 to a primitive root mod ๐‘3 , and generalizing this is straightforward and left to you. Suppose ๐‘” mod ๐‘2 is a primitive root.

108

6. Understanding the structure of โ„ค/๐‘›โ„ค

Then we claim that ๐‘” is automatically a primitive root mod ๐‘3 . This proves (ii) because ๐‘” + ๐‘˜๐‘2 โ‰ก ๐‘” mod ๐‘2 will then be a primitive root mod ๐‘3 for all ๐‘˜. Let us start with ๐‘” mod ๐‘. Since ๐‘” generates all reduced residue classes mod ๐‘2 , it must generate all reduced residue classes mod ๐‘, and so is a primitive root. Write ๐‘”๐‘โˆ’1 = 1 + ๐‘ ๐‘, say. Note that ๐‘  cannot be a multiple of ๐‘, or else the order of ๐‘” mod ๐‘2 would be (๐‘ โˆ’ 1). Now what is ๐‘”๐‘(๐‘โˆ’1) ? Expanding out by the binomial theorem, ๐‘ ๐‘ (1 + ๐‘ ๐‘)๐‘ = 1 + ๐‘ ๐‘2 + ( )(๐‘ ๐‘)2 + . . . + ( )(๐‘ ๐‘)๐‘ โ‰ก 1 + ๐‘ ๐‘2 mod ๐‘3 , 2 ๐‘ because (๐‘ ๐‘)๐‘— will be a multiple of ๐‘3 for ๐‘— โ‰ฅ 3, and for the term (๐‘2)(๐‘ ๐‘)2 the binomial coefficient gives an extra factor of ๐‘. Since ๐‘  is not a multiple of ๐‘, this congruence shows that ๐‘” mod ๐‘3 cannot have order ๐‘(๐‘ โˆ’ 1), and therefore by Lemma 6.19 its order must be ๐‘2 (๐‘ โˆ’ 1). That is, ๐‘” is a primitive root mod ๐‘3 . โ–ก

6.4. Exercises 1. Let ๐‘š and ๐‘› be natural numbers and ๐‘Ž mod ๐‘š and ๐‘ mod ๐‘› be given residue classes. Show that there is a solution to the congruences ๐‘ฅ โ‰ก ๐‘Ž mod ๐‘š and ๐‘ฅ โ‰ก ๐‘ mod ๐‘› if and only if ๐‘Ž โ‰ก ๐‘ mod ๐‘” where ๐‘” = (๐‘š, ๐‘›). If ๐‘Ž โ‰ก ๐‘ mod ๐‘” show that the solution ๐‘ฅ is unique mod[๐‘š, ๐‘›]. Here [๐‘š, ๐‘›] denotes the least common multiple of ๐‘š and ๐‘›. 2. If ๐‘ is a prime prove that (๐‘ โˆ’ 1)! โ‰ก (๐‘ โˆ’ 1) mod (1 + 2 + 3 + . . . + (๐‘ โˆ’ 1)). 3. Let ๐‘” be a primitive root mod ๐‘. Show that (๐‘ โˆ’ 1)! โ‰ก ๐‘” โ‹… ๐‘”2 โ‹… ๐‘”3 โ‹ฏ โ‹… ๐‘”๐‘โˆ’1 โ‰ก ๐‘”๐‘(๐‘โˆ’1)/2 mod ๐‘, and conclude Wilsonโ€™s theorem. 4. Let ๐‘˜ be a natural number, and ๐‘ be a prime. Show that ๐‘โˆ’1

โˆ’1 mod ๐‘ โˆ‘ ๐‘›๐‘˜ โ‰ก { 0 mod ๐‘ ๐‘›=1

if (๐‘ โˆ’ 1) divides ๐‘˜ if (๐‘ โˆ’ 1) does not divide ๐‘˜.

5. If ๐ผ and ๐ฝ are comaximal ideals in a ring ๐‘… show that ๐ผ๐ฝ = ๐ผ โˆฉ ๐ฝ.

6.4. Exercises

109

6. Prove that the sequence ๐‘›๐‘› is periodic mod ๐‘, where ๐‘ is prime. Determine the least period. (That is, find the least number โ„“ such that (๐‘› + โ„“)๐‘›+โ„“ โ‰ก ๐‘›๐‘› mod ๐‘ for all ๐‘›.) 7. Set ๐‘Ž๐‘› = 11 + 22 + 33 + . . . + ๐‘›๐‘› . Prove that this sequence is periodic mod ๐‘, and determine the least period. 8. A composite number ๐‘› is called a Carmichael number if ๐‘Ž๐‘›โˆ’1 โ‰ก 1 mod ๐‘› for all ๐‘Ž with (๐‘Ž, ๐‘›) = 1. Show that 561, 1105, and 1729 are Carmichael numbers. 9. As in Exercise 8, a composite number ๐‘› is called a Carmichael number if ๐‘Ž๐‘›โˆ’1 โ‰ก 1 mod ๐‘› for all reduced reside classes ๐‘Ž mod ๐‘›. (i) Show that a composite number ๐‘› is Carmichael if and only if ๐œ†(๐‘›) divides ๐‘› โˆ’ 1. (ii) Show that a Carmichael number ๐‘› cannot be divisible by the square of any prime. (iii) If ๐‘› = ๐‘1 โ‹ฏ ๐‘ ๐‘˜ , with ๐‘˜ โ‰ฅ 2 and ๐‘1 , . . ., ๐‘ ๐‘˜ being distinct, show that ๐‘› is Carmichael if and only if ๐‘๐‘— โˆ’ 1 divides ๐‘› โˆ’ 1 for all ๐‘—. 10. Prove that the Carmichael function ๐œ†(๐‘›) is at most ๐œ™(๐‘›)/2 unless ๐‘› is of the form ๐‘๐‘’ or 2๐‘๐‘’ for an odd prime ๐‘, or unless ๐‘› = 2 or ๐‘› = 4. 11. Prove Theorem 6.16. 12. This problem gives a generalization of the strategy used to lift primitive roots mod ๐‘ to primitive roots mod ๐‘2 . Let ๐‘“ be a polynomial of degree ๐‘‘ with integer coefficients and leading coefficient 1, and let ๐‘“โ€ฒ denote its derivative. Let ๐‘Ž be a solution to ๐‘“(๐‘ฅ) โ‰ก 0 mod ๐‘. (i) If ๐‘“โ€ฒ (๐‘Ž) โ‰ข 0 mod ๐‘ then show that the solution ๐‘Ž mod ๐‘ lifts (or gives rise) to a unique solution mod ๐‘2 . (ii) If ๐‘“โ€ฒ (๐‘Ž) โ‰ก 0 mod ๐‘, but ๐‘“(๐‘Ž) โ‰ข 0 mod ๐‘2 then show that ๐‘Ž does not lift to a solution mod ๐‘2 . (iii) If ๐‘“โ€ฒ (๐‘Ž) โ‰ก 0 mod ๐‘ and ๐‘“(๐‘Ž) โ‰ก 0 mod ๐‘2 show that ๐‘Ž gives rise to ๐‘ solutions mod ๐‘2 . (iv) What is the maximum number of solutions that ๐‘“(๐‘ฅ) โ‰ก 0 mod ๐‘2 can have? ๐‘˜

13. Prove, by induction or otherwise, that for every ๐‘˜ โ‰ฅ 0 that 52 โ‰ก 1 mod 2๐‘˜+2 but โ‰ข 1 mod 2๐‘˜+3 . Conclude that the order of 5 mod 2๐‘’ is 2๐‘’โˆ’2 for all ๐‘’ โ‰ฅ 2. Prove that every reduced residue class mod 2๐‘’ may be

110

6. Understanding the structure of โ„ค/๐‘›โ„ค

expressed as ยฑ1 times a power of 5, and that โˆ’1 is not a power of 5. In short, prove Theorem 6.12.

Chapter 7

Combinatorial applications of finite fields

In this chapter, we will use our work on finite fields to construct interesting combinatorial objects. In particular, we will discuss constructions of Sidon sets and perfect difference sets, and De Bruijn sequences. Even though these combinatorial objects are defined in settings like the integers, or residue classes mod ๐‘›, we shall see that they are not easy to construct without some (hidden) insight coming from finite fields. And, on the flip side, constructing these combinatorial objects will involve working concretely with finite fields, and thus add to our understanding of these objects. In particular, we have described earlier the structure of the additive and multiplicative groups in a finite field, and we shall now see how these structures interact with each other.

7.1. Sidon sets and perfect difference sets Definition 7.1. A Sidon set is a finite set of integers ๐’œ = {๐‘Ž1 , ๐‘Ž2 , . . . , ๐‘Ž๐‘˜ } such that the sums ๐‘Ž๐‘– + ๐‘Ž๐‘— with 1 โ‰ค ๐‘– โ‰ค ๐‘— โ‰ค ๐‘˜ are all distinct. 111

112

7. Combinatorial applications of finite fields

Example 7.2. If ๐’œ is a Sidon set, then the set ๐‘Ž + ๐’œ obtained by translating all the elements of ๐ด by an integer ๐‘Ž is also a Sidon set. Thus we may confine attention to Sidon sets of natural numbers. If we take ๐‘Ž๐‘— = 2๐‘—โˆ’1 for 1 โ‰ค ๐‘— โ‰ค ๐‘˜, then all the pairwise sums are distinct. This gives a Sidon set of ๐‘˜ natural numbers in [1, 2๐‘˜โˆ’1 ]. This example however produces a very small Sidon set: in [1, ๐‘] it gives a Sidon set with about log2 ๐‘ elements. Can one construct larger Sidon sets? Given ๐‘ what is the maximal size of a Sidon set in [1, ๐‘]? This problem arose in work of Sidon in the 1930โ€™s concerning Fourier series. One of our goals in this chapter is to construct Sidon sets of size ๐‘ž in [1, ๐‘ž2 โˆ’1] for prime powers ๐‘ž. There is an extensive literature on this topic, which is still an area of active research, and we refer you to [12, 22] for much further information. Theorem 7.3 (Singer; Bose). Let ๐‘ž be a prime power. There is a Sidon set ๐’œ of ๐‘ž integers in [1, ๐‘ž2 โˆ’ 1]. In the other direction, we can also show that a Sidon set in [1, ๐‘] cannot be too big. Theorem 7.4 (Erdล‘sโ€“Turรกn). Let ๐’œ be a Sidon set in [1, ๐‘]. Then 1

|๐’œ| โ‰ค โˆš๐‘ + โˆš2๐‘ 4 . To construct a large Sidon set in [1, ๐‘], we can simply pick the largest prime ๐‘ below โˆš๐‘, and use Theorem 7.3 to find a Sidon set in [1, ๐‘2 โˆ’1]. Since, by Bertrandโ€™s postulate, we can always find a prime ๐‘ in (โˆš๐‘/2, โˆš๐‘), we find that for all ๐‘ there is a Sidon set of size at least โˆš๐‘/2, and for some ๐‘ (e.g., squares of primes) we get nearly โˆš๐‘ elements in the Sidon set. Actually, one can considerably improve upon Bertrandโ€™s postulate, and there is always a prime between ๐‘ฅ and ๐‘ฅ(1 + ๐œ–) for any ๐œ– > 0 and ๐‘ฅ large enough. This follows from the prime number theorem which we briefly mentioned in ยง2.3, and it shows that there are Sidon sets in [1, ๐‘] with โ‰ฅ โˆš๐‘(1 โˆ’ ๐œ–) elements for all ๐‘ large enough (given ๐œ– > 0). In fact a deep theorem states that for large ๐‘› there is always a prime between two consecutive cubes ๐‘›3 and (๐‘›+1)3 (so that one can find a prime ๐‘ very close to โˆš๐‘), and a famous open problem is to show that there is always a prime between two consecutive squares ๐‘›2 and (๐‘› + 1)2 .

7.1. Sidon sets and perfect difference sets

113

In other words, the construction of Theorem 7.3 and the bound of Theorem 7.4 are pretty close to each other, and one understands well the size of the largest Sidon set in [1, ๐‘]. This is a rare situation in extremal combinatorics where we are able to determine asymptotically the true answer. Example 7.5. Let us give a simple preliminary upper bound for the size of a Sidon set in [1, ๐‘]. If the Sidon set has size ๐‘˜, then the number of sums ๐‘Ž๐‘– + ๐‘Ž๐‘— with 1 โ‰ค ๐‘– โ‰ค ๐‘— โ‰ค ๐‘˜ is ๐‘˜ ๐‘˜(๐‘˜ + 1) . ( )+๐‘˜= 2 2 By definition these sums must all be distinct, and they lie in the interval [2, 2๐‘] which contains 2๐‘โˆ’1 integers. It follows that ๐‘˜(๐‘˜+1)/2 โ‰ค 2๐‘โˆ’1, so that ๐‘˜(๐‘˜ + 1) โ‰ค 4๐‘ โˆ’ 2 which gives ๐‘˜ โ‰ค 2โˆš๐‘. A little trick allows us to do slightly better. If the sums ๐‘Ž๐‘– + ๐‘Ž๐‘— are all distinct, it must also be the case that the differences ๐‘Ž๐‘— โˆ’๐‘Ž๐‘– are all distinct for 1 โ‰ค ๐‘– < ๐‘— โ‰ค ๐‘˜ (here we omitted ๐‘– = ๐‘— which gives the difference 0). There are (๐‘˜2) such differences, all lying in the interval [1, ๐‘ โˆ’ 1]. Therefore we must have (๐‘˜2) โ‰ค ๐‘ โˆ’ 1 from which it follows that 1 1 1 2 (๐‘˜ โˆ’ ) = ๐‘˜(๐‘˜ โˆ’ 1) + โ‰ค 2(๐‘ โˆ’ 1) + < 2๐‘, 2 4 4 so that (7.1)

1

๐‘˜ < โˆš2๐‘ + 2 .

Example 7.6. Example 7.5 shows why one cannot have Sidon sets with more than about โˆš2๐‘ elements, which will be improved further in Theorem 7.4. Should we be surprised that there exist Sidon sets in [1, ๐‘] of size about โˆš๐‘ as guaranteed by Theorem 7.3? This may seem more of a psychological question than a mathematical one! One way to address it would be to pick a large number like ๐‘ = 1024, and to search (for example by writing a computer program) for the largest Sidon set that you can find in [1, 1024]. Another idea is to consider a random set โ„ฌ of ๐‘˜ elements chosen from [1, ๐‘] and ask how likely is it that this a Sidon set? Consider ๐‘Ž+๐‘โˆ’ ๐‘ โˆ’ ๐‘‘ with ๐‘Ž, ๐‘, ๐‘, ๐‘‘ distinct elements in โ„ฌ. There are (๐‘˜4) โ‰ˆ ๐‘˜4 /24 such expressions, and they all lie in [โˆ’2๐‘, 2๐‘]. If these values were evenly spread out over [โˆ’2๐‘, 2๐‘], then we may think of the chance that ๐‘Ž + ๐‘ โˆ’

114

7. Combinatorial applications of finite fields

๐‘ โˆ’ ๐‘‘ = 0 is about 1 in 4๐‘. If ๐‘˜4 /24 is large in comparison to 4๐‘, then it seems very likely that there would be a โ€œcollisionโ€ ๐‘Ž + ๐‘ โˆ’ ๐‘ โˆ’ ๐‘‘ = 0 so that the set โ„ฌ would not be a Sidon set. This reasoning suggests that 1 a random set with substantially more than ๐‘ 4 elements is unlikely to be a Sidon set. So we should be surprised that there exists a Sidon set with as many as โˆš๐‘ elements! The reasoning above is closely related to the birthday problem: in a room with 23 people, the probability that two 1 people share the same birthday is about 2 . We observed in Example 7.5 that if the sums ๐‘Ž๐‘– + ๐‘Ž๐‘— are all distinct (apart from the order ๐‘Ž๐‘– + ๐‘Ž๐‘— = ๐‘Ž๐‘— + ๐‘Ž๐‘– ), then the differences ๐‘Ž๐‘– โˆ’ ๐‘Ž๐‘— with ๐‘– โ‰  ๐‘— must also all be distinct. This gives a (loose) connection between Sidon sets and our next object of interest: perfect difference sets. Definition 7.7. A set of residues {๐‘Ž1 , ๐‘Ž2 , . . . , ๐‘Ž๐‘˜+1 mod ๐‘›} is called a perfect difference set if every non-zero residue class mod ๐‘› can be expressed as ๐‘Ž๐‘– โˆ’๐‘Ž๐‘— for some unique choice of ๐‘– and ๐‘—. Since the number of possible differences among ๐‘Ž๐‘– and ๐‘Ž๐‘— (with ๐‘– โ‰  ๐‘—) is ๐‘˜(๐‘˜ + 1), clearly the modulus ๐‘› must equal ๐‘˜2 + ๐‘˜ + 1. Theorem 7.8 (Singer). If ๐‘˜ is a prime power, then there is a perfect difference set mod ๐‘˜2 + ๐‘˜ + 1. Example 7.9. Here are three examples of perfect difference sets: {1, 2 mod 3}, {1, 2, 4 mod 7}, and {1, 2, 5, 7 mod 13}. Take the perfect difference set {1, 2, 4 mod 7} and translate it by residue classes mod 7: thus we get the 7 sets {1, 2, 4 mod 7}, {2, 3, 5 mod 7}, {3, 4, 6 mod 7}, {4, 5, 0 mod 7}, {5, 6, 1 mod 7}, {6, 0, 2 mod 7}, and {0, 1, 3 mod 7}. Note that (i) each set contains exactly three residue classes, (ii) each residue class appears in exactly three sets, (iii) any two sets intersect in a unique residue class, and (iv) any two residue classes lie in a unique set. Do the same with the perfect difference set mod 13. Definition 7.10. A (combinatorial) finite projective plane of order ๐‘˜ is a collection of ๐‘˜2 + ๐‘˜ + 1 โ€œpointsโ€ and ๐‘˜2 + ๐‘˜ + 1 โ€œlinesโ€ (sets of points) such that (i) every line contains ๐‘˜ + 1 points, (ii) every point lies on ๐‘˜ + 1 lines, (iii) any two distinct lines intersect at exactly one point, and (iv) and two distinct points lie on exactly one line.

7.1. Sidon sets and perfect difference sets

115

1

5

4 7

2

6

3

The figure above depicts a finite projective plane of order 2, known as the Fano plane. It has seven points, numbered above 1 through 7. The seven lines are the sets {1, 2, 4}, {2, 3, 6}, {1, 3, 5}, {1, 6, 7}, {2, 5, 7}, {3, 4, 7}, and {4, 5, 6}. Generalizing Example 7.9, one can start with a perfect difference set and by translating it obtain a finite projective plane. There is also a natural way to construct finite projective planes using finite fields (see Exercise 7), and these are important objects in algebra and geometry. In combinatorics, a longstanding open problem is whether perfect difference sets are only possible when ๐‘˜ is either 1 or a prime power. This has been checked for ๐‘˜ up to twenty billion [8], but the general problem remains unsolved. Recently, Sarah Peluse [23] established an asymptotic version of this conjecture, showing that the number of ๐‘˜ below ๐‘ฅ for which there exists a perfect difference set mod ๐‘˜2 + ๐‘˜ + 1 is asymptotically of the same size as the number of prime powers below ๐‘ฅ. It is also believed that finite projective planes only exist when ๐‘˜ is 1, or a prime power. Not much is known about this problemโ€”in the 1980s, combining many ideas with a massive computer search, it was shown that there are no finite projective planes of order 10 (see Lam [16]). It remains an open problem to show that there are no finite projective planes of order 12.

116

7. Combinatorial applications of finite fields

To round out this discussion, let me mention that finite projective planes are a special case of a more general combinatorial object called a design. Given parameters (๐‘›, ๐‘ž, ๐‘Ÿ, ๐œ†), a design with these parameters means the following: Let ๐‘‹ be a set with ๐‘› elements. A collection of ๐‘ž-element subsets of ๐‘‹ is called a design, if every ๐‘Ÿ-element subset of ๐‘‹ is contained in exactly ๐œ† elements of this collection. The story here is far from being settled, and in 2014, Peter Keevash made important progress in showing the existence of designs for a large class of parameters. See Gowers [9] and Kalai [15] for friendly introductions to the work of Keevash. You may find it easier to grasp the flavor of these combinatorial problems by contemplating the following puzzle by Kirkman, which appeared in 1850 in The Ladyโ€™s and Gentlemanโ€™s Diaryโ€”โ€œFifteen young ladies in a school walk out three abreast for seven days in succession: it is required to arrange them daily so that no two shall walk twice abreast.โ€

7.2. Proof of Theorem 7.3 For clarity, we restrict ourselves to ๐‘ž being a prime number, but the same proof works with small changes for ๐‘ž a prime power (Exercise 2). Suppose ๐‘ž = ๐‘ is a prime number. We work in the field ๐”ฝ๐‘2 with ๐‘2 elements. We know that the multiplicative group ๐”ฝ๐‘ร—2 is cyclic, and so pick a generator ๐›ผ for this group. Consider the elements ๐›ผ๐‘‘ โˆ’ ๐›ผ as ๐‘‘ ranges from 1 to ๐‘2 โˆ’ 1. These are all distinct, and range over all elements of ๐”ฝ๐‘2 with the exception of โˆ’๐›ผ (which cannot occur since ๐›ผ๐‘‘ cannot be 0). In particular, all the ๐‘ elements in ๐”ฝ๐‘ appear among these values. Take ๐’œ = {๐‘‘ โˆˆ [1, ๐‘2 โˆ’ 1] โˆถ ๐›ผ๐‘‘ โˆ’ ๐›ผ โˆˆ ๐”ฝ๐‘ }, so that ๐’œ is a subset of size ๐‘ in [1, ๐‘2 โˆ’ 1]. We claim that ๐’œ is a Sidon set. Suppose, to the contrary, that ๐‘‘1 + ๐‘‘2 = ๐‘‘3 + ๐‘‘4 for two distinct pairs ๐‘‘1 โ‰ค ๐‘‘2 and ๐‘‘3 โ‰ค ๐‘‘4 . For each ๐‘– = 1, 2, 3, 4, put ๐›ผ๐‘‘๐‘– = ๐›ผ + ๐‘Ž๐‘– where ๐‘Ž๐‘– lies in ๐”ฝ๐‘ by construction. Since ๐‘‘1 + ๐‘‘2 = ๐‘‘3 + ๐‘‘4 we have ๐›ผ๐‘‘1 ๐›ผ๐‘‘2 = ๐›ผ๐‘‘3 ๐›ผ๐‘‘4 , which means that (๐›ผ + ๐‘Ž1 )(๐›ผ + ๐‘Ž2 ) = (๐›ผ + ๐‘Ž3 )(๐›ผ + ๐‘Ž4 ).

7.3. The Erdล‘s-Turรกn boundโ€”Proof of Theorem 7.4

117

Cancelling the ๐›ผ2 terms, we find that ๐›ผ satisfies a linear relation over ๐”ฝ๐‘ , namely (7.2)

(๐‘Ž1 + ๐‘Ž2 )๐›ผ + ๐‘Ž1 ๐‘Ž2 = (๐‘Ž3 + ๐‘Ž4 )๐›ผ + ๐‘Ž3 ๐‘Ž4 .

Note that ๐›ผ โˆ‰ ๐”ฝ๐‘ ; otherwise the powers of ๐›ผ would all be in ๐”ฝ๐‘ contradicting our choice of ๐›ผ as a generator of the multiplicative group ๐”ฝ๐‘ร—2 . Thus the relation (7.2) must be trivial and ๐‘Ž1 + ๐‘Ž2 = ๐‘Ž3 + ๐‘Ž4 and ๐‘Ž1 ๐‘Ž2 = ๐‘Ž3 ๐‘Ž4 . But these last relations imply that in ๐”ฝ๐‘ [๐‘ฅ], one has (๐‘ฅ + ๐‘Ž1 )(๐‘ฅ + ๐‘Ž2 ) = (๐‘ฅ + ๐‘Ž3 )(๐‘ฅ + ๐‘Ž4 ). Unique factorization in ๐”ฝ๐‘ [๐‘ฅ] now tells us that either ๐‘ฅ + ๐‘Ž1 is the same as ๐‘ฅ + ๐‘Ž3 (and ๐‘ฅ + ๐‘Ž2 then equals ๐‘ฅ + ๐‘Ž4 ), or that ๐‘ฅ + ๐‘Ž1 equals ๐‘ฅ + ๐‘Ž4 (and ๐‘ฅ + ๐‘Ž2 equals ๐‘ฅ + ๐‘Ž3 ). In other words, one must have ๐‘‘1 = ๐‘‘3 and ๐‘‘2 = ๐‘‘4 , or ๐‘‘1 = ๐‘‘4 and ๐‘‘2 = ๐‘‘3 . Thus the pairs (๐‘‘1 , ๐‘‘2 ), and (๐‘‘3 , ๐‘‘4 ) cannot be different, and ๐’œ is a Sidon set.

7.3. The Erdล‘s-Turรกn boundโ€”Proof of Theorem 7.4 Let ๐’œ = {๐‘Ž1 , . . . , ๐‘Ž๐‘˜ } be a Sidon set in [1, ๐‘]. We have already seen a 1 preliminary bound ๐‘˜ < โˆš2๐‘ + 2 in (7.1) and our goal is to improve upon this. Let ๐‘ฅ be a natural number, to be chosen later. Imagine an interval of length ๐‘ฅ which we shall slide around and see how many elements of ๐’œ land inside it. Thus let โˆ’๐‘ฅ < ๐‘š โ‰ค ๐‘ โˆ’ 1 denote an integer, and for each such integer put ๐’œ(๐‘š) = ๐’œ โˆฉ (๐‘š, ๐‘š + ๐‘ฅ]. The proof is based on studying the first two moments of the sequence of values |๐’œ(๐‘š)|, namely ๐‘โˆ’1

โˆ‘ ๐‘š=โˆ’๐‘ฅ+1

๐‘โˆ’1

|๐’œ(๐‘š)|,

and

โˆ‘

|๐’œ(๐‘š)|2 .

๐‘š=โˆ’๐‘ฅ+1

Such moments are often very informativeโ€”the first moment may be thought of as trying to understand the mean (or average) value of the sequence |๐’œ(๐‘š)|, and the second moment is closely related to the variance of this sequence. In the statistical study of any sequence, the mean and

118

7. Combinatorial applications of finite fields

variance are of fundamental importance, and our proof of the Erdล‘sโ€“ Turรกn bound is built around understanding these two moments for a careful choice of the parameter ๐‘ฅ. Let us begin with the first moment, or equivalently with understanding the mean of |๐’œ(๐‘š)|. Note that ๐‘โˆ’1

๐‘โˆ’1

โˆ‘

โˆ‘

|๐’œ(๐‘š)| =

๐‘š=โˆ’๐‘ฅ+1

#{๐‘Ž โˆถ ๐‘Ž โˆˆ ๐’œ(๐‘š)}

๐‘š=โˆ’๐‘ฅ+1

= โˆ‘ #{๐‘š โˆถ ๐‘Ž โˆˆ ๐’œ(๐‘š)} ๐‘Žโˆˆ๐’œ

= |๐’œ|๐‘ฅ, since each ๐‘Ž โˆˆ ๐’œ belongs to exactly ๐‘ฅ sets ๐’œ(๐‘š), namely those ๐‘š with ๐‘Ž โˆ’ ๐‘ฅ โ‰ค ๐‘š < ๐‘Ž. Therefore ๐‘โˆ’1

โˆ‘

(7.3)

|๐’œ(๐‘š)| = ๐‘ฅ|๐’œ| = ๐‘ฅ๐‘˜.

๐‘š=โˆ’๐‘ฅ+1

The mean of |๐’œ(๐‘š)| would simply be this first moment divided by the number of possibilities for ๐‘š, namely ๐‘ + ๐‘ฅ โˆ’ 1. Now let us turn to the second moment, beginning with a general lower bound for it. This lower bound indeed holds for any sequence of real numbers. Suppose ๐‘ฆ1 , ๐‘ฆ2 , . . ., ๐‘ฆ๐‘› are any ๐‘› real numbers, and let ๐‘ฆ = (๐‘ฆ1 + . . . + ๐‘ฆ๐‘› )/๐‘› denote their mean. Then their variance is defined by ๐‘›

1 โˆ‘ (๐‘ฆ โˆ’ ๐‘ฆ)2 . ๐‘› ๐‘—=1 ๐‘— Being a sum of squares, this variance is clearly non-negative. Moreover, expanding out the square we may write it as ๐‘›

๐‘›

๐‘›

2 2 1 1 1 โˆ‘ (๐‘ฆ2 โˆ’ 2๐‘ฆ๐‘ฆ๐‘— + ๐‘ฆ ) = โˆ‘ ๐‘ฆ๐‘—2 โˆ’ 2๐‘ฆ โˆ‘ ๐‘ฆ๐‘— + ๐‘ฆ ๐‘› ๐‘—=1 ๐‘— ๐‘› ๐‘—=1 ๐‘› ๐‘—=1 ๐‘›

=

2 1 โˆ‘ ๐‘ฆ2 โˆ’ ๐‘ฆ . ๐‘› ๐‘—=1 ๐‘—

This relation shows how the second moment of the sequence ๐‘ฆ๐‘— is closely related to its variance. Moreover, since the variance is non-negative, we

7.3. The Erdล‘s-Turรกn boundโ€”Proof of Theorem 7.4

119

conclude that ๐‘›

๐‘›

2 1 1 โˆ‘ ๐‘ฆ 2 โ‰ฅ ( โˆ‘ ๐‘ฆ๐‘— ) , ๐‘› ๐‘—=1 ๐‘— ๐‘› ๐‘—=1

or equivalently that ๐‘›

๐‘›

โˆ‘ ๐‘ฆ๐‘—2 โ‰ฅ ๐‘—=1

2 1 ( โˆ‘ ๐‘ฆ๐‘— ) . ๐‘› ๐‘—=1

You could also have recognized this inequality as a consequence of one of the most useful tools from analysisโ€”the Cauchyโ€“Schwarz inequality! Recall that this states (for any real or complex numbers ๐‘ฅ๐‘— , ๐‘ฆ๐‘— ) ๐‘›

2

๐‘›

๐‘›

๐‘—=1

๐‘—=1

| โˆ‘ ๐‘ฅ ๐‘ฆ | โ‰ค ( โˆ‘ |๐‘ฅ |2 )( โˆ‘ |๐‘ฆ |2 ). ๐‘— ๐‘—| ๐‘— ๐‘— | ๐‘—=1

The inequality for the second moment that we derived above follows upon taking ๐‘ฅ๐‘— = 1. Applying the above estimate to the sequence of values |๐’œ(๐‘š)|, we conclude that ๐‘โˆ’1

๐‘โˆ’1

โˆ‘

|๐’œ(๐‘š)|2 โ‰ฅ

๐‘š=โˆ’๐‘ฅ+1

(7.4)

=

2 1 ( โˆ‘ |๐’œ(๐‘š)|) ๐‘ + ๐‘ฅ โˆ’ 1 ๐‘š=โˆ’๐‘ฅ+1

๐‘ฅ2 ๐‘˜2 , ๐‘+๐‘ฅโˆ’1

upon using (7.3). So far we have not used that ๐’œ is a Sidon set. We now make crucial use of this fact, and obtain an upper bound for the second moment, which we will compare with the lower bound (7.4). Consider ๐‘โˆ’1

โˆ‘ ๐‘š=โˆ’๐‘ฅ+1

๐‘โˆ’1

(

|๐’œ(๐‘š)| ) = โˆ‘ #{(๐‘Ž, ๐‘) โˆถ ๐‘Ž < ๐‘, ๐‘Ž, ๐‘ โˆˆ ๐’œ(๐‘š)} 2 ๐‘š=โˆ’๐‘ฅ+1 = #{(๐‘š, ๐‘Ž, ๐‘) โˆถ ๐‘Ž < ๐‘, ๐‘Ž, ๐‘ โˆˆ ๐’œ(๐‘š)}.

If we are given ๐‘Ž and ๐‘ in ๐’œ with ๐‘Ž < ๐‘, then how many ๐‘š are there with (๐‘š, ๐‘Ž, ๐‘) being a triple counted above? Clearly we must have ๐‘ โˆ’ ๐‘Ž โˆˆ [1, ๐‘ฅ โˆ’ 1] if both ๐‘Ž and ๐‘ are to be in ๐’œ(๐‘š) for some ๐‘š, and in that case there are exactly ๐‘ฅ โˆ’ (๐‘ โˆ’ ๐‘Ž) possible values for ๐‘š (namely those ๐‘š that

120

7. Combinatorial applications of finite fields

lie in the interval [๐‘ โˆ’ ๐‘ฅ, ๐‘Ž โˆ’ 1]). Therefore โˆ‘

#{(๐‘š, ๐‘Ž, ๐‘) โˆถ ๐‘Ž < ๐‘, ๐‘Ž, ๐‘ โˆˆ ๐’œ(๐‘š)} =

(๐‘ฅ โˆ’ ๐‘Ÿ).

๐‘Ž,๐‘โˆˆ๐’œ ๐‘Ÿ=๐‘โˆ’๐‘Žโˆˆ[1,๐‘ฅโˆ’1]

Now note that since ๐’œ is a Sidon set, if we are given a value ๐‘Ÿ โˆˆ [1, ๐‘ฅ โˆ’1], then it can appear as a difference of two elements ๐‘Ž < ๐‘ โˆˆ ๐’œ in at most one way. Therefore ๐‘ฅโˆ’1

โˆ‘

(๐‘ฅ โˆ’ ๐‘Ÿ) โ‰ค โˆ‘ (๐‘ฅ โˆ’ ๐‘Ÿ) =

๐‘Ž,๐‘โˆˆ๐’œ ๐‘Ÿ=๐‘โˆ’๐‘Žโˆˆ[1,๐‘ฅโˆ’1]

๐‘Ÿ=1

๐‘ฅ(๐‘ฅ โˆ’ 1) . 2

In other words, we have established that ๐‘โˆ’1

(7.5)

๐‘โˆ’1

|๐’œ(๐‘š)|2 โˆ’ |๐’œ(๐‘š)| ๐‘ฅ(๐‘ฅ โˆ’ 1) |๐’œ(๐‘š)| โ‰ค . ( )= โˆ‘ 2 2 2 ๐‘š=โˆ’๐‘ฅ+1 ๐‘š=โˆ’๐‘ฅ+1 โˆ‘

Using (7.3), we may rewrite the inequality above as ๐‘โˆ’1

๐‘โˆ’1

|๐’œ(๐‘š)|2 โ‰ค ๐‘ฅ(๐‘ฅ โˆ’ 1) +

โˆ‘ ๐‘š=โˆ’๐‘ฅ+1

โˆ‘

|๐’œ(๐‘š)|

๐‘š=โˆ’๐‘ฅ+1

(7.6)

= ๐‘ฅ(๐‘ฅ + ๐‘˜ โˆ’ 1).

This is the upper bound that we wanted for the second moment. Let us now compare the lower bound (7.4) with the upper bound (7.6). These give (7.7)

๐‘ฅ๐‘˜2 โ‰ค (๐‘ฅ + ๐‘˜ โˆ’ 1)(๐‘ + ๐‘ฅ โˆ’ 1).

Now it is simply a matter of performing some calculus style optimization to get our theoremโ€”the parameter ๐‘ฅ is still free for us to choose, and we wish to find a choice for ๐‘ฅ which could be used in (7.7) to deduce a good upper bound for ๐‘˜. But we can make life a little easier by using the upper 1 bound we already know for ๐‘˜, namely ๐‘˜ โ‰ค โˆš2๐‘ + 2 , in the right side of (7.7). Using this bound, we find (7.8)

๐‘˜2 โ‰ค

(๐‘ฅ + โˆš2๐‘) (๐‘ + ๐‘ฅ โˆ’ 1). ๐‘ฅ

All that remains is to choose ๐‘ฅ, and naturally we should choose it in such a way that the right side of the estimate (7.8) above becomes smallest. Once again we can use calculus to choose ๐‘ฅ carefully, and then

7.4. Perfect difference setsโ€”Proof of Theorem 7.8

121

the theorem would followโ€”I strongly urge you to pause and try that, or attempt some rough calculations to get a sense of what the smallest value for the right side is (or, write code to do this for numerical values of ๐‘). Alternatively, if we imagine that ๐‘ฅ is large compared with โˆš๐‘, but small compared with ๐‘, then we can see that (๐‘ฅ + โˆš2๐‘)/๐‘ฅ would be close to 1, while ๐‘ + ๐‘ฅ โˆ’ 1 would be roughly ๐‘. Thus for such values of ๐‘ฅ, the right side of (7.8) is roughly ๐‘, and we would get the bound of the theorem. Clearly, we should be winning! 3

Motivated by the above heuristic, let us choose ๐‘ฅ = โŒˆ๐‘ 4 โŒ‰ which lies 3 3 between ๐‘ 4 and ๐‘ 4 + 1. Then the right side of (7.8) is โ‰ค (1 +

โˆš2๐‘ 3

3

)(๐‘ + ๐‘ 4 ) < ๐‘(1 +

โˆš2 1

2

) .

๐‘4

๐‘4 It follows that ๐‘˜ โ‰ค โˆš๐‘(1 +

โˆš2 ๐‘

1 4

1

) = โˆš๐‘ + โˆš2๐‘ 4 .

This wraps up our proof.

7.4. Perfect difference setsโ€”Proof of Theorem 7.8 Our construction of perfect difference sets is a variation of the argument behind Theorem 7.3. Again for clarity, let us restrict to the case when ๐‘˜ is prime, and the general prime power case only needs some cosmetic changes (Exercise 5). We now work in a field ๐”ฝ๐‘3 of size ๐‘3 , which contains the finite field with ๐‘ elements ๐”ฝ๐‘ . Let ๐›ผ be a generator of the multiplicative group ๐”ฝ๐‘ร—3 . We begin with a key observation, which we shall set in a more general context in the next section. Lemma 7.11. The element ๐›ผ satisfies a cubic relation over ๐”ฝ๐‘ , that is, ๐›ผ3 = ๐‘Ž0 + ๐‘Ž1 ๐›ผ + ๐‘Ž2 ๐›ผ2 for some ๐‘Ž0 , ๐‘Ž1 and ๐‘Ž2 in ๐”ฝ๐‘ . But, ๐›ผ cannot satisfy any non-trivial quadratic relation over ๐”ฝ๐‘ . Proof. Since ๐”ฝ๐‘3 is a vector space of dimension 3 over ๐”ฝ๐‘ , there must be a ๐”ฝ๐‘ -linear relation among the four vectors 1, ๐›ผ, ๐›ผ2 and ๐›ผ3 . In other words ๐›ผ satisfies a cubic polynomial relation ๐‘0 + ๐‘1 ๐›ผ + ๐‘2 ๐›ผ2 + ๐‘3 ๐›ผ3 = 0

122

7. Combinatorial applications of finite fields

with ๐‘0 , ๐‘1 , ๐‘2 , ๐‘3 in ๐”ฝ๐‘ , not all zero. If ๐‘3 โ‰  0, then we may divide through by ๐‘3 , obtaining a cubic relation as claimed in the lemma. It remains to show that ๐‘3 โ‰  0, or, in other words, that one cannot have a non-trivial quadratic relation ๐‘0 + ๐‘1 ๐›ผ + ๐‘2 ๐›ผ2 = 0. If there were such a relation, note that ๐‘2 must be non-zero (otherwise, we would have a relation ๐‘0 +๐‘1 ๐›ผ = 0, which is impossible since ๐›ผ โˆ‰ ๐”ฝ๐‘ ). Thus, dividing through by ๐‘2 , we find that ๐›ผ2 lies in the span of 1 and ๐›ผ, and we claim that this forces all powers of ๐›ผ to be in the span of 1 and ๐›ผ. Indeed, if ๐›ผ2 = ๐‘Ž + ๐‘๐›ผ, then ๐›ผ3 = (๐‘Ž + ๐‘๐›ผ)๐›ผ = ๐‘Ž๐›ผ + ๐‘๐›ผ2 = ๐‘Ž๐›ผ + ๐‘(๐‘Ž + ๐‘๐›ผ), and so on. However the powers of ๐›ผ generate ๐”ฝ๐‘ร—3 (which has ๐‘3 โˆ’ 1 elements), whereas the span of 1 and ๐›ผ contains only ๐‘2 elements. โ–ก Since ๐›ผ generates ๐”ฝ๐‘ร—3 , as โ„“ varies over all residue classes mod (๐‘3 โˆ’ 1), the elements ๐›ผโ„“ range over all the non-zero elements of ๐”ฝ๐‘ร—3 , which we may also think of as the non-zero elements in the span of 1, ๐›ผ, ๐›ผ2 . For some special exponents โ„“, it may happen that ๐›ผโ„“ lies in the span of 1 and ๐›ผ. We will focus on these exponents. Thus define โ„’ = {โ„“ mod (๐‘3 โˆ’ 1) โˆถ ๐›ผโ„“ = ๐‘Ž + ๐‘๐›ผ, ๐‘Ž, ๐‘ โˆˆ ๐”ฝ๐‘ }. Since ๐›ผโ„“ cannot be zero, we must omit the possibility ๐‘Ž = ๐‘ = 0 above, and the remaining ๐‘2 โˆ’ 1 elements of the span of 1 and ๐›ผ will all occur. Thus โ„’ is a set of ๐‘2 โˆ’ 1 residue classes mod (๐‘3 โˆ’ 1). Lemma 7.12. If ๐›ผ generates ๐”ฝ๐‘ร—3 , then the elements of ๐”ฝ๐‘ร— are 2 +๐‘+1)๐‘Ÿ

๐›ผ(๐‘

,

with 1 โ‰ค ๐‘Ÿ โ‰ค ๐‘ โˆ’ 1. Proof. The equation ๐‘ฅ๐‘โˆ’1 = 1 has exactly ๐‘โˆ’1 solutions in ๐”ฝ๐‘3 , namely all the elements in ๐”ฝ๐‘ร— . Clearly 2 +๐‘+1)

(๐›ผ๐‘Ÿ(๐‘ 2

3 โˆ’1)

)๐‘โˆ’1 = ๐›ผ๐‘Ÿ(๐‘

= 1,

so that ๐›ผ๐‘Ÿ(๐‘ +๐‘+1) is a solution to ๐‘ฅ๐‘โˆ’1 = 1. Therefore, the ๐‘ โˆ’ 1 distinct 2 โ–ก values ๐›ผ๐‘Ÿ(๐‘ +๐‘+1) give all the elements of ๐”ฝ๐‘ร— as claimed.

7.4. Perfect difference setsโ€”Proof of Theorem 7.8

123

Lemma 7.12 tells us that if โ„“ mod (๐‘3 โˆ’ 1) belongs to โ„’, then so do the residue classes โ„“ + (๐‘2 + ๐‘ + 1)๐‘Ÿ mod (๐‘3 โˆ’ 1) 2

for 1 โ‰ค ๐‘Ÿ โ‰ค (๐‘ โˆ’ 1). Indeed, since ๐›ผ(๐‘ +๐‘+1)๐‘Ÿ lies in ๐”ฝ๐‘ร— by Lemma 7.12, 2 it follows that if ๐›ผโ„“ lies in the span of 1 and ๐›ผ, then so will ๐›ผโ„“+(๐‘ +๐‘+1)๐‘Ÿ . Therefore the set โ„’, which was initially defined as a set of (๐‘2 โˆ’1) residue classes mod (๐‘3 โˆ’ 1), may be thought of as (๐‘ + 1) residue classes mod (๐‘2 + ๐‘ + 1), with each residue class mod (๐‘2 + ๐‘ + 1) accounting for (๐‘ โˆ’ 1) residue classes mod (๐‘3 โˆ’ 1). Write these ๐‘ + 1 residue classes mod (๐‘2 + ๐‘ + 1) as โ„“1 , โ„“2 , . . . , โ„“๐‘+1 mod (๐‘2 + ๐‘ + 1), and suppose for concreteness that the representatives โ„“๐‘— have been chosen to lie in 1 โ‰ค โ„“๐‘— โ‰ค ๐‘2 + ๐‘ + 1. We claim that โ„“1 , . . ., โ„“๐‘+1 form a perfect difference set mod (๐‘2 + ๐‘ + 1). Thus what we want to show is that if we pick four residue classes โ„“แต† , โ„“๐‘ฃ , โ„“๐‘ค , โ„“๐‘ง from the โ„“๐‘— , then the congruence โ„“แต† โˆ’ โ„“๐‘ฃ โ‰ก โ„“๐‘ค โˆ’ โ„“๐‘ง mod (๐‘2 + ๐‘ + 1) can only hold if ๐‘ข = ๐‘ฃ and ๐‘ค = ๐‘ง, or if ๐‘ข = ๐‘ค and ๐‘ฃ = ๐‘ง. Then all the non-zero differences would be distinct, and must give all the non-zero residue classes mod (๐‘2 + ๐‘ + 1) (since there are ๐‘2 + ๐‘ such differences, and an equal number of non-zero residue classes). Why is this true? From the way in which we selected the set โ„’, we may write ๐›ผโ„“๐‘ข = ๐‘Žแต† + ๐‘แต† ๐›ผ, ๐›ผโ„“๐‘ฃ = ๐‘Ž๐‘ฃ + ๐‘๐‘ฃ ๐›ผ, ๐›ผโ„“๐‘ค = ๐‘Ž๐‘ค + ๐‘๐‘ค ๐›ผ,

๐›ผโ„“๐‘ง = ๐‘Ž๐‘ง + ๐‘๐‘ง ๐›ผ,

where ๐‘Žแต† , ๐‘Ž๐‘ฃ , ๐‘Ž๐‘ค , ๐‘Ž๐‘ง , ๐‘แต† , ๐‘๐‘ฃ , ๐‘๐‘ค , ๐‘๐‘ง are all in ๐”ฝ๐‘ . If โ„“แต† โˆ’ โ„“๐‘ฃ โ‰ก โ„“๐‘ค โˆ’ โ„“๐‘ง mod ๐‘2 + ๐‘ + 1, then โ„“แต† + โ„“๐‘ง โ‰ก โ„“๐‘ฃ + โ„“๐‘ค mod (๐‘2 + ๐‘ + 1), and in view of Lemma 7.12, this means that ๐›ผโ„“๐‘ข +โ„“๐‘ง = ๐‘๐›ผโ„“๐‘ฃ +โ„“๐‘ค , for some ๐‘ โˆˆ ๐”ฝ๐‘ร— . In other words, (๐‘Žแต† + ๐‘แต† ๐›ผ)(๐‘Ž๐‘ง + ๐‘๐‘ง ๐›ผ) = ๐‘(๐‘Ž๐‘ฃ + ๐‘๐‘ฃ ๐›ผ)(๐‘Ž๐‘ค + ๐‘๐‘ค ๐›ผ). But this gives a quadratic equation (with coefficients in ๐”ฝ๐‘ ) that must be satisfied by ๐›ผ, which we know is impossible by Lemma 7.11 unless the

124

7. Combinatorial applications of finite fields

quadratic equation is trivial (all coefficients being zero). Equivalently, we must have as an identity in ๐”ฝ๐‘ [๐‘ฅ] (๐‘Žแต† + ๐‘แต† ๐‘ฅ)(๐‘Ž๐‘ง + ๐‘๐‘ง ๐‘ฅ) = ๐‘(๐‘Ž๐‘ฃ + ๐‘๐‘ฃ ๐‘ฅ)(๐‘Ž๐‘ค + ๐‘๐‘ค ๐‘ฅ). By unique factorization in ๐”ฝ๐‘ [๐‘ฅ], we must therefore have that either ๐‘Žแต† + ๐‘แต† ๐‘ฅ and ๐‘Ž๐‘ฃ + ๐‘๐‘ฃ ๐‘ฅ are ๐”ฝ๐‘ร— multiples of each other (and then ๐‘Ž๐‘ง + ๐‘๐‘ง ๐‘ฅ and ๐‘Ž๐‘ค + ๐‘๐‘ค ๐‘ฅ are similarly associates), or that ๐‘Žแต† + ๐‘แต† ๐‘ฅ and ๐‘Ž๐‘ค + ๐‘๐‘ค ๐‘ฅ are associates (and ๐‘Ž๐‘ง + ๐‘๐‘ง ๐‘ฅ and ๐‘Ž๐‘ฃ + ๐‘๐‘ฃ ๐‘ฅ are associates). But again by Lemma 7.12 these force โ„“แต† โ‰ก โ„“๐‘ฃ mod (๐‘2 + ๐‘ + 1) (and so โ„“๐‘ง โ‰ก โ„“๐‘ค mod (๐‘2 + ๐‘ + 1)) or that โ„“แต† โ‰ก โ„“๐‘ค mod (๐‘2 + ๐‘ + 1) (and so โ„“๐‘ง โ‰ก โ„“๐‘ฃ mod (๐‘2 + ๐‘ + 1)). This completes our proof.

7.5. A little more on finite fields Let us expand a little more on Lemma 7.11 used in the previous section. This will add to our understanding of finite fields, and will be of use in coming applications. Starting with a finite field ๐”ฝ๐‘ž , we showed how to construct bigger fields of size ๐‘žโ„“ by taking a monic irreducible of degree โ„“ in ๐”ฝ๐‘ž [๐‘ฅ] and forming ๐”ฝ๐‘ž [๐‘ฅ]/(๐‘“(๐‘ฅ)). We now show that all finite fields appear in this way. Later (see Corollary 9.2) we shall show that in addition, all finite fields of a given size have the same structure (that is, all finite fields of a given size are isomorphic). Suppose that ๐พ = ๐”ฝ๐‘žโ„“ is a finite field containing the field ๐น = ๐”ฝ๐‘ž . We know that the bigger field ๐พ may be viewed as a vector space of dimension โ„“ over ๐น. Take any element ๐›ผ โˆˆ ๐พ ร— , and consider the โ„“ + 1 elements 1, ๐›ผ, ๐›ผ2 , . . ., ๐›ผโ„“ in ๐พ. Since the dimension of ๐พ over ๐น is โ„“, there must be a linear combination (with coefficients in ๐น, not all zero) among these elements. In other words, there must be a nonzero polynomial of degree at most โ„“ in ๐”ฝ๐‘ž [๐‘ฅ] for which ๐›ผ is a root. We can flesh this out a little bit more. Proposition 7.13. Let ๐พ be a field of size ๐‘žโ„“ containing the field ๐น of size ๐‘ž. Then every element ๐›ผ โˆˆ ๐พ ร— is the root of some polynomial in ๐น[๐‘ฅ] of degree at most โ„“. Further, there is a unique monic polynomial in ๐น[๐‘ฅ] of smallest degree for which ๐›ผ is a root, which is known as the minimal polynomial for ๐›ผ over ๐น, and every polynomial having ๐›ผ as a root is a multiple of the minimal polynomial. Finally, the minimal polynomial is irreducible.

7.5. A little more on finite fields

125

Proof. Consider the set of all polynomials in ๐น[๐‘ฅ] = ๐”ฝ๐‘ž [๐‘ฅ] for which ๐›ผ is a root. As observed above this set contains some non-zero polynomial of degree at most โ„“. If ๐‘“ and ๐‘” are polynomials with ๐›ผ as a root, then so is ๐‘“ + ๐‘”. And, if ๐‘“ has ๐›ผ as a root, then so does ๐‘“๐‘” for any polynomial ๐‘” โˆˆ ๐น[๐‘ฅ]. In other words, this set of polynomials is an ideal. Since ๐น[๐‘ฅ] is a PID (indeed, a Euclidean domain), this ideal must be (๐‘“) for some polynomial ๐‘“, which we may assume to be monic (since all elements of ๐น ร— are units in ๐น[๐‘ฅ]). The polynomial ๐‘“ is the minimal polynomial described in the proposition. If the minimal polynomial ๐‘“ is reducible and factors as ๐‘”โ„Ž, then ๐›ผ must be a root of ๐‘” or โ„Ž. But these have smaller degree than ๐‘“, which is a contradiction. Therefore the minimal polynomial is irreducible. โ–ก Let ๐น and ๐พ be as above, and let ๐›ผ be an element of ๐พ. From Proposition 7.13 we know that ๐›ผ has a minimal polynomial, say ๐‘š(๐‘ฅ) โˆˆ ๐น[๐‘ฅ], which is monic and irreducible, has ๐›ผ for a rootโ€”that is, ๐‘š(๐›ผ) = 0โ€”and is the polynomial of smallest degree in ๐น[๐‘ฅ] with ๐›ผ as a root. Since ๐‘š is irreducible, we know that ๐น[๐‘ฅ]/(๐‘š(๐‘ฅ)) gives rise to a field. Suppose ๐‘š has degree ๐‘‘, and define ๐น[๐›ผ] = {๐‘Ž0 + ๐‘Ž1 ๐›ผ + . . . + ๐‘Ž๐‘› ๐›ผ๐‘› โˆถ ๐‘Ž๐‘— โˆˆ ๐น, ๐‘› โˆˆ โ„•}. Although at first ๐น[๐›ผ] looks infinite, it is really only a finite set with ๐‘ž๐‘‘ elements. This is because ๐›ผ๐‘‘ can be expressed in terms of smaller powers of ๐›ผ (using ๐‘š(๐›ผ) = 0) and similarly for all higher powers of ๐›ผ, and so every element of ๐น[๐›ผ] can be rewritten as ๐‘Ž0 + ๐‘Ž1 ๐›ผ + . . . + ๐‘Ž๐‘‘โˆ’1 ๐›ผ๐‘‘โˆ’1 with ๐‘Ž๐‘— โˆˆ ๐น, and all such expressions are distinct (since ๐›ผ cannot satisfy any polynomial relation of degree less than ๐‘‘). We can be even more precise: given ๐‘“(๐‘ฅ) โˆˆ ๐น[๐‘ฅ] we can replace ๐‘ฅ by ๐›ผ and arrive at ๐‘“(๐›ผ) โˆˆ ๐น[๐›ผ]. Note that adding and multiplying in ๐น[๐›ผ] correspond in this way to adding and multiplying in ๐น[๐‘ฅ] (and then evaluating at ๐‘ฅ = ๐›ผ). Moreover, if two polynomials ๐‘“(๐‘ฅ) and ๐‘”(๐‘ฅ) โˆˆ ๐น[๐‘ฅ] differ by some multiple of ๐‘š(๐‘ฅ) (that is, are in the same equivalence class in ๐น[๐‘ฅ]/(๐‘š(๐‘ฅ))) then they evaluate to the same element ๐‘“(๐›ผ) = ๐‘”(๐›ผ) โˆˆ ๐น[๐›ผ]. In other words, we have set up an isomorphism between ๐น[๐›ผ] and the field ๐น[๐‘ฅ]/(๐‘š(๐‘ฅ)). We have discussed this kind of isomorphism a few times already: For instance, in Example 3.20 we discussed how โ„š[๐‘ฅ]/(๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1) may be thought of as the field โ„š(๐œ™) with ๐œ™ = (1 + โˆš5)/2 being the golden ratio, and Exercise 1 of Chapter 3

126

7. Combinatorial applications of finite fields

wanted you to see how โ„[๐‘ฅ]/(๐‘ฅ2 + 1) is similar to โ„‚. To make sure you understand what is going on fully, you should stop and explain why any element ๐‘Ž0 + ๐‘Ž1 ๐›ผ + . . . + ๐‘Ž๐‘‘โˆ’1 ๐›ผ๐‘‘โˆ’1 โˆˆ ๐น[๐›ผ] with not all ๐‘Ž๐‘— โ€™s being 0 has a multiplicative inverse. We summarize the above discussion in the following proposition. Proposition 7.14. Let ๐น be a field with ๐‘ž elements, and ๐พ a field with ๐‘žโ„“ elements containing ๐น. Then for every ๐›ผ โˆˆ ๐พ with minimal polynomial ๐‘š(๐‘ฅ) โˆˆ ๐น[๐‘ฅ], we have the field generated by ๐›ผ: ๐น[๐›ผ] = {๐‘Ž0 + ๐‘Ž1 ๐›ผ + . . . + ๐‘Ž๐‘› ๐›ผ๐‘› โˆถ ๐‘Ž๐‘— โˆˆ ๐น, ๐‘› โˆˆ โ„•}. This field contains ๐น and is contained in ๐พ, and if ๐‘š has degree ๐‘‘ then ๐น[๐›ผ] has size ๐‘ž๐‘‘ and is isomorphic to ๐น[๐‘ฅ]/(๐‘š(๐‘ฅ)). Finally, the degree ๐‘‘ of ๐‘š must be a divisor of โ„“. Proof. Only the last assertion was not discussed above. This follows from the argument of Proposition 5.21. Since ๐น[๐›ผ] is a subfield of ๐พ, we may view ๐พ as a vector space over ๐น[๐›ผ]. If the dimension of this vector space is ๐‘˜ then we must have |๐พ| = ๐‘žโ„“ = |๐น[๐›ผ]|๐‘˜ = ๐‘ž๐‘‘๐‘˜ , so that ๐‘‘ must be a divisor of โ„“. โ–ก Corollary 7.15. If ๐พ and ๐น are as above, then there is an element ๐›ฝ โˆˆ ๐พ with ๐พ = ๐น[๐›ฝ]. In particular, every field of size ๐‘žโ„“ is isomorphic to ๐น[๐‘ฅ]/(๐‘š(๐‘ฅ)) for a monic irreducible polynomial ๐‘š(๐‘ฅ) โˆˆ ๐น[๐‘ฅ] of degree โ„“. Proof. Take ๐›ฝ to be a generator of the multiplicative group ๐พ ร— . Then ๐น[๐›ฝ] must contain all powers of ๐›ฝ, and therefore all of ๐พ ร— , so that ๐น[๐›ฝ] = ๐พ. โ–ก

7.6. De Bruijn sequences Definition 7.16. Suppose we are given an alphabet with ๐‘› letters. A De Bruijn sequence of order โ„“ is a cyclic string of ๐‘›โ„“ letters of the alphabet, such that every string of โ„“ letters appears exactly once as a subsequence of this string. Here โ€œcyclicโ€ means that the string has โ€œwrap-aroundโ€, and once we get to the ๐‘›โ„“ th letter we return to the beginning. Example 7.17. The sequence 0, 0, 0, 1, 0, 1, 1, 1

7.6. De Bruijn sequences

127

is a De Bruijn sequence of order 3 on the alphabet {0, 1}. The sequence 0, 0, 1, 2, 2, 0, 2, 1, 1 is a De Bruijn sequence of order 2 on the alphabet {0, 1, 2}. (Where is the subsequence 1, 1, 0?) De Bruijn sequences on ๐‘› letters and of order โ„“ always exist, and while they are rare compared to all possible strings of length ๐‘›โ„“ , there is still a plentiful supply of De Bruijn sequences. There are many ways to construct them, but a particularly efficient method involves finite fields. For simplicity, we shall restrict ourselves to the case when ๐‘› = ๐‘ž is a prime power, but from these cases it is not difficult to obtain De Bruijn sequences for all ๐‘› (see Exercise 8). Theorem 7.18. Let ๐‘› = ๐‘ž be a prime power, and โ„“ a natural number. Then there exists a De Bruijn sequence of order โ„“ on an alphabet of size ๐‘›. Proof. Consider a finite field ๐”ฝ๐‘ž of size ๐‘ž, and extend it to a field ๐”ฝ๐‘žโ„“ containing ๐”ฝ๐‘ž โ€”recall that this can be done using a monic irreducible over ๐”ฝ๐‘ž [๐‘ฅ] of degree โ„“. Now pick a generator ๐›ผ for the group ๐”ฝร—๐‘žโ„“ . From our work in ยง7.5, and since ๐”ฝ๐‘ž [๐›ผ] = ๐”ฝ๐‘žโ„“ , we know that ๐›ผ has a minimal polynomial of degree โ„“, which means that there is a relation (7.9)

๐›ผโ„“ = ๐‘Ž0 + ๐‘Ž1 ๐›ผ + . . . + ๐‘Žโ„“โˆ’1 ๐›ผโ„“โˆ’1 ,

with ๐‘Ž๐‘— โˆˆ ๐”ฝ๐‘ž . Now let ๐œ“ denote any linear map from ๐”ฝ๐‘žโ„“ to ๐”ฝ๐‘ž . That is, ๐œ“ satisfies ๐œ“(๐‘ข + ๐‘ฃ) = ๐œ“(๐‘ข) + ๐œ“(๐‘ฃ), for all ๐‘ข, ๐‘ฃ โˆˆ ๐”ฝ๐‘žโ„“ and ๐œ“(๐‘Ž๐‘ข) = ๐‘Ž๐œ“(๐‘ข), for ๐‘Ž โˆˆ ๐”ฝ๐‘ž , and ๐‘ข โˆˆ ๐”ฝ๐‘žโ„“ . We assume that ๐œ“ is non-trivial, meaning that it is not identically zero on all the elements of ๐”ฝ๐‘žโ„“ . Recall that ๐”ฝ๐‘žโ„“ may be viewed as an โ„“-dimensional vector space over ๐”ฝ๐‘ž , and you may have encountered linear maps in a linear algebra class. Linear maps from a vector space to the field of scalars (like our map ๐œ“) are also called linear functionals. As ๐‘— goes from 1 to ๐‘žโ„“ โˆ’ 1, look at the sequence of elements in ๐”ฝ๐‘ž formed by ๐œ“(๐›ผ๐‘— ). We claim that this sequence (considered as a cyclic string) contains every string of โ„“ elements from ๐”ฝ๐‘ž as a subsequence exactly once, except for the string of โ„“ zeros which does not appear as a

128

7. Combinatorial applications of finite fields

subsequence. To get a De Bruijn sequence, find a place in our sequence with โ„“ โˆ’ 1 zeros, and insert an extra zero there. It remains to prove our claim. We show that no string of length โ„“ can repeat in the ๐‘žโ„“ โˆ’ 1 vales ๐œ“(๐›ผ๐‘— ), and that the string of โ„“ zeros cannot appear โ€” if we can do this, then there would be ๐‘žโ„“ โˆ’ 1 possible subsequences, and ๐‘žโ„“ โˆ’ 1 possible strings each of which can appear at most once, and so each must appear exactly once. Suppose instead that some string repeats. Thus for two different starting points ๐‘Ž and ๐‘ we have ๐œ“(๐›ผ๐‘Ž+๐‘— ) = ๐œ“(๐›ผ๐‘+๐‘— ) for ๐‘— = 0, 1, . . ., โ„“ โˆ’ 1. Since ๐œ“ is linear, this means that ๐œ“(๐›ผ๐‘— (๐›ผ๐‘Ž โˆ’ ๐›ผ๐‘ )) = 0 for all ๐‘— = 0, . . ., โ„“ โˆ’ 1. In other words, the โ„“ vectors ๐›ผ๐‘— (๐›ผ๐‘Ž โˆ’ ๐›ผ๐‘ ) all lie in the null space of ๐œ“. If these vectors were all linearly independent, then the null space of ๐œ“ would be an โ„“ dimensional vector space over ๐”ฝ๐‘ž and would thus be all of ๐”ฝ๐‘žโ„“ . However, we assumed that ๐œ“ is non-trivial, and so this cannot be, and there must be some linear relation among ๐›ผ๐‘— (๐›ผ๐‘Ž โˆ’ ๐›ผ๐‘ ) (for ๐‘— = 0, 1, . . ., โ„“ โˆ’ 1). That is, for some ๐‘๐‘— โˆˆ ๐”ฝ๐‘ž not all zero, โ„“โˆ’1

( โˆ‘ ๐‘๐‘— ๐›ผ๐‘— )(๐›ผ๐‘Ž โˆ’ ๐›ผ๐‘ ) = 0. ๐‘—=0

The minimal polynomial for ๐›ผ has degree โ„“, and so the first factor cannot be zero. Further, ๐›ผ has order ๐‘žโ„“ โˆ’ 1 in ๐”ฝร—๐‘žโ„“ , and so ๐›ผ๐‘Ž โˆ’ ๐›ผ๐‘ = 0 implies ๐‘Ž โ‰ก ๐‘ mod ๐‘žโ„“ โˆ’ 1. But this means (taking into account โ€œwrap-aroundโ€) that the two starting points were the same after all. So no string can appear more than once. Similarly, the string of โ„“ zeros cannot appear, because then we would have ๐œ“(๐›ผ๐‘Ž+๐‘— ) = 0 for ๐‘— = 0, 1, . . ., โ„“ โˆ’ 1. Then these elements ๐›ผ๐‘Ž+๐‘— are all in the null space of ๐œ“, and since ๐œ“ is non-trivial, they cannot all be linearly independent. Therefore we must have a non-trivial relation โ„“โˆ’1 โˆ‘๐‘—=0 ๐‘๐‘— ๐›ผ๐‘— = 0, but this is impossible since the minimal polynomial for ๐›ผ has degree โ„“. This completes our proof. โ–ก Example 7.19. Let us consider De Bruijn sequences of order 2 with the alphabet ๐”ฝ3 . The polynomial ๐‘“(๐‘ฅ) = ๐‘ฅ2 โˆ’ ๐‘ฅ โˆ’ 1 โˆˆ ๐”ฝ3 [๐‘ฅ] is irreducible, and so ๐”ฝ3 [๐‘ฅ]/(๐‘“(๐‘ฅ)) is a finite field with 9 elements. The additive group is a vector space of dimension 2 with 1, ๐‘ฅ as one possible basis. The element ๐‘ฅ generates the non-zero elements of this field:

7.7. A magic trick

129

๐‘ฅ1 = ๐‘ฅ, ๐‘ฅ2 = ๐‘ฅ + 1, ๐‘ฅ3 = ๐‘ฅ(๐‘ฅ + 1) = 2๐‘ฅ + 1, ๐‘ฅ4 = 2๐‘ฅ2 + ๐‘ฅ = 2 = โˆ’1, ๐‘ฅ5 = โˆ’๐‘ฅ, ๐‘ฅ6 = โˆ’๐‘ฅ โˆ’ 1, ๐‘ฅ7 = ๐‘ฅ โˆ’ 1, ๐‘ฅ8 = 1. For the linear functional ๐œ“, write any element ๐‘ฃ as ๐‘Ž+๐‘๐‘ฅ, and take ๐œ“(๐‘ฃ) = ๐‘Žโ€”this is one possible example, you could also have taken ๐œ“(๐‘ฃ) = ๐‘, or ๐‘Ž + ๐‘ etc. Thus ๐œ“(๐‘ฅ) = 0, ๐œ“(๐‘ฅ2 ) = 1, ๐œ“(๐‘ฅ3 ) = 1, ๐œ“(๐‘ฅ4 ) = 2, ๐œ“(๐‘ฅ5 ) = 0, ๐œ“(๐‘ฅ6 ) = 2, ๐œ“(๐‘ฅ7 ) = 2, ๐œ“(๐‘ฅ8 ) = 1. Adding a zero at the beginning, gives the De Bruijn sequence 0, 0, 1, 1, 2, 0, 2, 2, 1.

7.7. A magic trick A magician (say, Persi Diaconis) throws a deck of cards to the audience, and invites them to cut the deck and place the top portion of the cut below the bottom. This can be done a few times. Then an audience member is invited to take the top card and pass the deck to another person who takes the next top card, and so on until five audience members each have one card. The magician concentrates and feels that the aura of the red cards is stronger. He invites those with red cards to raise a hand. Then he tells each audience member what card they have! How does the trick work? The deck thatโ€™s thrown out has really only 31 cards. The information of which of the five cards are red and which are black โ€” five bits of information, which means 32 possibilities โ€” is enough to work out the cards of each audience member. An elegant way to do this (and not requiring a prodigious memory) is to use our proof of Theorem 7.18, working in the finite field with 32 elements. Let us pick a monic irreducible polynomial of degree 5 in ๐”ฝ2 [๐‘ฅ]โ€” for convenience, take ๐‘“(๐‘ฅ) = ๐‘ฅ5 + ๐‘ฅ2 + 1. Let us work over the field ๐”ฝ2 [๐‘ฅ]/(๐‘“(๐‘ฅ)) and note that ๐‘ฅ generates the multiplicative group (since the size of the group is 31, which is prime, and ๐‘ฅ is clearly not the identity element 1 mod ๐‘“). We may write the powers of ๐‘ฅ as a linear combination of 1, ๐‘ฅ, ๐‘ฅ2 , ๐‘ฅ3 , and ๐‘ฅ4 , and for the linear functional ๐œ“ let us take the constant term in such an expression. This generates a sequence of length 31, with the string of 5 zeros omitted from all the possible strings of length 5.

130

7. Combinatorial applications of finite fields

Arrange a deck of 31 cards using the following code: for, say, the seventh card, use the terms 7 through 11 of our sequence. Use the first bit to indicate black (0) or red (1) suit; the second bit to specify major (spade and hearts, use 1) or minor (clubs and diamonds, use 0) suit; and the remaining 3 bits specify 8 numbers, and use them for ๐ด, 2, 3, 4, 5, 6, 7, 8 (binary expansion plus 1). Performing cuts to the deck does not change meaningfully this cyclic order. The configuration of the audience members with red cards tells you five bits of our De Bruijn sequence, and using the code one can easily figure out the first card. For example, if the second and fourth audience members had red cardsโ€”so we have 0, 1, 0, 1, 0โ€”then the first person has the 3 of spades. How do we figure out the rest of the cards? Suppose the bits we have now came from ๐œ“(๐›ผ๐‘— ), ๐œ“(๐›ผ๐‘—+1 ), . . ., ๐œ“(๐›ผ๐‘—+4 ). Then the next bit would be ๐œ“(๐›ผ๐‘—+5 ) = ๐œ“(๐›ผ๐‘— (๐›ผ2 + 1)) = ๐œ“(๐›ผ๐‘— ) + ๐œ“(๐›ผ๐‘—+2 ), which in our case is 0. So the second card corresponds to 1, 0, 1, 0, 0 and must be the five of diamonds. And so on. This trick illustrates a key feature of our construction of the De Bruijn sequence of order โ„“. Starting with any โ„“ initial letters (apart from all zeros), one can run a simple recurrence (depending on the equation (7.9) satisfied by ๐›ผ) and continue the sequence forwardโ€”only a small memory is needed, and the calculation is rapid. This construction is an example of what is known as a linear feedback shift register, and our theorem describes how to find one with maximal period. I learned of this magic trick from my colleague Persi Diaconis, whose book with Ron Graham [5] gives a wonderful account of several other magic tricks exploiting De Bruijn sequences and other mathematical ideas.

7.8. Exercises 1. Think through the proof of Theorem 7.3 to extract the following proposition: There is a set ๐’œ of ๐‘ residue classes mod (๐‘2 โˆ’ 1) such that every residue class ๐‘‘ mod (๐‘2 โˆ’ 1) with ๐‘‘ not a multiple of ๐‘ + 1 can be expressed uniquely as a difference of two elements of ๐’œ. 2. Adapt the argument of Theorem 7.3 for a general prime power ๐‘ž.

7.8. Exercises

131

3. This exercise gives a variant of Theorem 7.3 (due to Ruzsa): There is a Sidon set of size ๐‘โˆ’1 in [1, ๐‘2 โˆ’๐‘]. Let ๐‘” denote a primitive root mod ๐‘. For each 1 โ‰ค ๐‘ก โ‰ค ๐‘ โˆ’ 1 let ๐‘Ž(๐‘ก) denote the residue class mod (๐‘2 โˆ’ ๐‘) given by ๐‘Ž(๐‘ก) โ‰ก ๐‘ก mod (๐‘ โˆ’ 1) and ๐‘Ž(๐‘ก) โ‰ก ๐‘”๐‘ก mod ๐‘. Choose a representative for ๐‘Ž(๐‘ก) mod (๐‘2 โˆ’ ๐‘) in the interval [1, ๐‘2 โˆ’ ๐‘]. Show that the set of such representatives is a Sidon set. 4. Think through the proof of Theorem 7.4, and, either by performing 1 calculus starting from (7.7) or otherwise, show that |๐’œ| โ‰ค โˆš๐‘ + ๐‘ 4 + ๐ถ for some constant ๐ถ. (You should be able to take ๐ถ = 10 without too much fuss.) For a long time, apart from the value of ๐ถ, this was the best bound known in Theorem 7.4. However, recently in [3] the bound has 1 been improved slightly to โ‰ค โˆš๐‘ + 0.998๐‘ 4 for large ๐‘. 5. Adapt the argument of Theorem 7.8 for a general prime power ๐‘ž. 6. Let ๐’œ be a perfect difference set mod ๐‘˜2 + ๐‘˜ + 1. For each ๐‘— mod ๐‘˜2 + ๐‘˜ + 1 define the set ๐’œ๐‘— = {๐‘Ž + ๐‘— mod ๐‘˜2 + ๐‘˜ + 1 โˆถ ๐‘Ž โˆˆ ๐’œ}. Thinking of the residue classes mod ๐‘˜2 + ๐‘˜ + 1 as points, and the sets ๐’œ๐‘— as lines, show that we obtain in this way a finite projective plane of order ๐‘˜. 7. This exercise constructs the projective plane ๐‘ƒ2 (๐”ฝ๐‘ž ). Let ๐”ฝ๐‘ž denote a field with ๐‘ž elements. Let ๐‘† denote the set of size ๐‘3 โˆ’ 1, given by ๐‘† = {(๐‘Ž, ๐‘, ๐‘) โˆถ ๐‘Ž, ๐‘, ๐‘ โˆˆ ๐”ฝ๐‘ž , not all of ๐‘Ž, ๐‘, ๐‘ are zero}. Points. Say that (๐‘Ž1 , ๐‘1 , ๐‘ 1 ) and (๐‘Ž2 , ๐‘2 , ๐‘ 2 ) in ๐‘† are equivalent if there exists ๐œ† โˆˆ ๐”ฝร—๐‘ž with ๐‘Ž2 = ๐‘Ž1 ๐œ†, ๐‘2 = ๐‘1 ๐œ† and ๐‘ 2 = ๐‘ 1 ๐œ†. Show that this defines an equivalence relation, and splits ๐‘† into ๐‘ž2 + ๐‘ž + 1 equivalence classes. We call these equivalence classes โ€œpointsโ€. Lines. Given two distinct (that is, not equivalent to each other) points (๐‘Ž1 , ๐‘1 , ๐‘ 1 ) and (๐‘Ž2 , ๐‘2 , ๐‘ 2 ) as above, define the โ€œlineโ€ joining them to be the points of the form (๐œ†๐‘Ž1 + ๐œ‡๐‘Ž2 , ๐œ†๐‘1 + ๐œ‡๐‘2 , ๐œ†๐‘ 1 + ๐œ‡๐‘ 2 ) where ๐œ†, ๐œ‡ are elements of ๐”ฝ๐‘ž , not both of them being zero. With these definitions, prove that one obtains a finite projective plane of order ๐‘ž. That is, each line has ๐‘ž + 1 points, each point lies on

132

7. Combinatorial applications of finite fields

๐‘ž+1 lines, any two distinct lines intersect at a unique point, and any two distinct points lie on a unique line. 8. Let ๐‘š and ๐‘› be two coprime integers and let ๐ด and ๐ต be two alphabets with ๐‘š and ๐‘› letters respectively. Starting with a De Bruijn sequence of order โ„“ on each of the alphabets ๐ด and ๐ต, construct a De Bruijn sequence of order โ„“ on an alphabet ๐ถ with ๐‘š๐‘› letters. 9. Show that there is a set ๐’œ of ๐‘ elements in [1, ๐‘3 โˆ’ 1] such that all possible sums of three elements of ๐’œ are distinct (apart from rearranging the summands): that is, ๐‘Ž1 + ๐‘Ž2 + ๐‘Ž3 = ๐‘1 + ๐‘2 + ๐‘3 with ๐‘Ž1 , ๐‘Ž2 , ๐‘Ž3 , ๐‘1 , ๐‘2 , ๐‘3 all in ๐’œ only holds if the ๐‘1 , ๐‘2 , ๐‘3 are a permutation of ๐‘Ž1 , ๐‘Ž2 , ๐‘Ž3 . 10. Generalize Exercise 9 to produce ๐‘ elements in [1, ๐‘๐‘˜ โˆ’ 1] with all possible ๐‘˜-fold sums being distinct. 11. Suppose ๐’œ is a set of ๐‘˜ elements in [1, ๐‘] such that all possible sums of three elements of ๐’œ are distinct (apart from rearranging the summands, as in Exercise 9). Show that 1

๐‘˜ โ‰ค (18๐‘) 3 + 2. 1

12. Improve the upper bound in Exercise 11 to obtain ๐‘˜ โ‰ค (6๐‘) 3 + 2. You donโ€™t have to work as hard as in the Erdล‘s-Turรกn theorem, just a little trick is needed. 13. Define the greedy Sidon sequence as follows: Start with ๐‘Ž1 = 1 and for ๐‘› > 1 take ๐‘Ž๐‘› to be the smallest natural number such that the pairwise sums ๐‘Ž๐‘– + ๐‘Ž๐‘— for ๐‘– โ‰ค ๐‘— โ‰ค ๐‘› are all distinct. Thus ๐‘Ž1 = 1, ๐‘Ž2 = 2, ๐‘Ž3 = 4, ๐‘Ž4 = 8, ๐‘Ž5 = 13, and so on. Show that ๐‘Ž๐‘› โ‰ค (๐‘› โˆ’ 1)3 + 1. 14. Let ๐’œ be a set of integers with ๐‘˜ elements. Let ๐’œ + ๐’œ denote the set of integers ๐‘› that can be written as ๐‘Ž + ๐‘ with ๐‘Ž, ๐‘ โˆˆ ๐’œ. Let ๐‘Ÿ(๐‘›) denote the number of ways of writing ๐‘› as ๐‘Ž + ๐‘ with ๐‘Ž and ๐‘ being elements of ๐’œ (note that if ๐‘› = ๐‘Ž + ๐‘ with ๐‘Ž โ‰  ๐‘ then ๐‘Ž + ๐‘ and ๐‘ + ๐‘Ž will be count as two different way of writing ๐‘›), so that ๐‘Ÿ(๐‘›) = 0 unless ๐‘› โˆˆ ๐’œ + ๐’œ. What is โˆ‘๐‘›โˆˆ๐’œ+๐’œ ๐‘Ÿ(๐‘›)? Prove that |๐’œ + ๐’œ| โ‰ค ๐‘˜(๐‘˜ + 1)/2, and that โˆ‘ ๐‘Ÿ(๐‘›)2 โ‰ฅ 2๐‘˜2 โˆ’ 2๐‘˜. ๐‘›โˆˆ๐’œ+๐’œ

7.8. Exercises

133

15. Keep the notation of Exercise 14. Suppose ๐’œ is a Sidon set. What is โˆ‘๐‘› ๐‘Ÿ(๐‘›)2 in this case? 16. Let ๐‘ž = ๐‘2 and let ๐›ผ be a generator of the multiplicative group ๐”ฝร—๐‘ž . What are the exponents ๐‘› for which ๐›ผ๐‘› is an element of ๐”ฝ๐‘ร— ? Explain.

Chapter 8

The AKS Primality Test

First, a word from Gauss! The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. It has engaged the industry and wisdom of ancient and modern geometers to such an extent that it would be superfluous to discuss the problem at length. . . . Further, the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated. (Disquisitiones Arithmeticae, Article 329) In this chapter, we describe a remarkable result of Agrawal, Kayal and Saxena (abbreviated AKS) which gives a rapid algorithm to determine whether a given number is prime, thus providing finally an answer to Gaussโ€™s problem of distinguishing prime numbers from composite numbers. Pleasingly, the ideas behind this algorithm synthesize many of the topics that we have developed so far.

8.1. What is a rapid algorithm? Let us first give a definition of what is meant by a rapid algorithm. Definition 8.1. By a rapid algorithm (or a polynomial time algorithm) we mean an algorithm that executes in time (that is, number of bit operations that are needed) that may be bounded by a polynomial in the size of the input. By size of the input we mean the number of bits that 135

136

8. The AKS Primality Test

are needed to specify the input. By a bit operation we mean an output resulting from two input bits. Note that we are concerned here only with the complexity of an algorithm with respect to time; another important consideration could be the memory needed for an algorithm. Also, the definition above is of theoretical interest and gives a good intuitive sense of what a rapid algorithm means. In practice, one would also like that the degree of the polynomial should not be large, and that the coefficients involved are small. Example 8.2. The input size of a natural number ๐‘› is โŒŠlog2 ๐‘›โŒ‹+1, which is the number of bits used in the binary representation of ๐‘›. Since we are ignoring constants in our understanding of the complexity of algorithms, we will think of the input size of ๐‘› as being log ๐‘› (while it really is about (log ๐‘›)/ log 2 โ‰ˆ 1.4 log ๐‘›). Thus an algorithm taking a natural number ๐‘› as an input is rapid if it executes in time that is bounded by a polynomial in log ๐‘›. Example 8.3. The basic operations of arithmetic may be performed in polynomial time. For example, consider adding ๐‘š and ๐‘›, and suppose that ๐‘š โ‰ค ๐‘›. Then the inputs ๐‘š and ๐‘› require about log ๐‘› bits. To find the sum ๐‘š and ๐‘›, we must add corresponding bits in the binary representations of ๐‘š and ๐‘›, and keep track of carries (if needed). This gives a rapid algorithm, taking a constant times log ๐‘› operations. Here it is convenient to introduce the ๐‘‚ (โ€œbig Oโ€) notation, and write this complexity as ๐‘‚(log ๐‘›) to indicate that it is bounded by some unspecified constant times log ๐‘›. Similarly, one can subtract ๐‘š from ๐‘› in time ๐‘‚(log ๐‘›). The usual grade school algorithm for multiplying two natural numbers ๐‘š and ๐‘› executes in time ๐‘‚(log ๐‘š log ๐‘›); if ๐‘š โ‰ค ๐‘› then we may bound this by ๐‘‚((log ๐‘›)2 ). But here one can be more clever, and come up with a faster algorithm. The simplest version of such an algorithm is due to Karatsuba, but the key idea may even be traced back to Gauss. Consider multiplying two linear polynomials ๐‘Ž๐‘ฅ + ๐‘ and ๐‘๐‘ฅ + ๐‘‘ with say ๐‘Ž, ๐‘, ๐‘, ๐‘‘ in โ„ค. One might think that it is necessary to compute four products ๐‘Ž๐‘, ๐‘Ž๐‘‘, ๐‘๐‘, ๐‘๐‘‘ to determine the answer, but in fact it is enough to consider three products! Indeed (๐‘Ž๐‘ฅ + ๐‘)(๐‘๐‘ฅ + ๐‘‘) = ๐‘Ž๐‘๐‘ฅ2 + (๐‘Ž๐‘‘ + ๐‘๐‘)๐‘ฅ + ๐‘๐‘‘, and we compute ๐‘Ž๐‘, ๐‘๐‘‘, and (๐‘Ž + ๐‘)(๐‘ + ๐‘‘); these allow us to determine the coefficient of ๐‘ฅ since ๐‘Ž๐‘‘ + ๐‘๐‘ = (๐‘Ž + ๐‘)(๐‘ + ๐‘‘) โˆ’ ๐‘Ž๐‘ โˆ’ ๐‘๐‘‘. To see how this gives a faster way to multiply, suppose we are given

8.2. Primality and factoring

137

two 2๐‘˜ bit numbers which we write as 2๐‘˜ ๐‘Ž + ๐‘ and 2๐‘˜ ๐‘ + ๐‘‘ so that ๐‘Ž, ๐‘, ๐‘ and ๐‘‘ are ๐‘˜-bit numbers. The usual algorithm for multiplication would use four products involving the ๐‘˜-bit numbers ๐‘Ž, ๐‘, ๐‘, ๐‘‘, but we have just seen that this may be achieved using three such multiplications (and a few more subtractions). This represents an improvement, and iterating this scheme gives an algorithm for multiplying two integers ๐‘š and ๐‘› (with ๐‘š โ‰ค ๐‘›) that executes in time ๐‘‚((log ๐‘›)๐œ… ) with ๐œ… = log2 3 = 1.58 . . .. Still further advances have been made, and a recent algorithm of Harvey and van der Hoeven [14] allows one to multiply ๐‘š and ๐‘› in time ๐‘‚(log ๐‘›(log log ๐‘›)), so that multiplication is nearly as rapid as addition. We do not need these intricate algorithms, however, and we simply wanted to illustrate that multiplication may be performed rapidly. Similarly, the usual algorithm for division allows one to divide ๐‘› by ๐‘š (say ๐‘› โ‰ฅ ๐‘š) and extract a quotient and remainder in time ๐‘‚((log ๐‘›)(log ๐‘š)). Example 8.4. Check that the Euclidean algorithm gives a rapid way to compute the gcd of two natural numbers ๐‘š and ๐‘› (Exercise 1 below).

8.2. Primality and factoring Given a large integer ๐‘›, the two main questions of interest for us are (i) to determine whether ๐‘› is prime or composite, and (ii) to factor ๐‘› into primes. Naturally the second problem of factoring ๐‘› will also solve the problem of determining whether ๐‘› is prime or composite. However it turns out that there is a rapid algorithm to resolve the question of primality (this is the AKS algorithm, which is the focus of this chapter), while there is no known polynomial time algorithm for factoring. Example 8.5. A simple way to factor ๐‘› is trial division. Consider integers ๐‘Ž with 2 โ‰ค ๐‘Ž โ‰ค โˆš๐‘›, and check whether ๐‘Ž divides ๐‘›. If so, then we have factored ๐‘› as ๐‘Ž ร— (๐‘›/๐‘Ž) and we can repeat the procedure with the smaller factors ๐‘Ž and ๐‘›/๐‘Ž. If no such factor ๐‘Ž below โˆš๐‘› is found, then ๐‘› must be prime. The problem with this algorithm is that it could take ๐‘‚(โˆš๐‘›(log ๐‘›)2 ) operations to runโ€”each trial division takes about (log ๐‘›)2 steps, and there are โˆš๐‘› such divisions to be checked. We could restrict attention to just prime values of ๐‘Ž, but then we would also have to check that ๐‘Ž is prime, and it is not clear if this would be faster. Note that a run time of ๐‘‚(โˆš๐‘›(log ๐‘›)2 ) is not polynomial time in the input size, which is

138

8. The AKS Primality Test 1

log ๐‘›. Indeed โˆš๐‘› = exp( 2 log ๐‘›), so this algorithm is exponential in the size of the input. There are more ingenious ways of trying to factor integers, including algorithms that are expected to run in time 1

2

๐‘‚(exp(๐ถ(log ๐‘›) 3 (log log ๐‘›) 3 )) for a suitable constant ๐ถ (see [24] for a beautiful acount). This running time is much faster than the exponential trial division method, but still not as fast as polynomial time. So far as we know, factoring remains a difficult problem computationally. The (presumed) difficulty of factoring has been turned to good use in cryptography, where one exploits the idea that there are certain operations that may be performed quickly, but reversing the operations may be difficult computationally. Thus it is very easy to take say two large primes ๐‘ and ๐‘ž and multiply them together to form ๐‘› = ๐‘๐‘ž, but at present we do not have equally rapid algorithms for taking the large number ๐‘› and determining the prime factors ๐‘ and ๐‘ž. The RSA public key cryptosystem (RSA stands for Rivest, Shamir and Adelman) exploits the difficulty of factoring to give a way of encoding secret messages where everyone knows how to encode (public key), but which is nevertheless still difficult to decode for anyone but the intended recipient (who can decode using a private key). This is of practical importance since, for example, an internet store may want anyone to be able to send them a coded credit card number, but one would hope that no eavesdropper would be able to decode the credit card information. Here is how RSA works. The store picks two large primes ๐‘ and ๐‘ž and multiplies them together to form ๐‘› = ๐‘๐‘ž. The store can also readily compute ๐œ™(๐‘›) = (๐‘ โˆ’ 1)(๐‘ž โˆ’ 1). Next they choose a large random number ๐‘ (for coding) coprime to ๐œ™(๐‘›), and compute ๐‘‘ (for decoding) with ๐‘๐‘‘ โ‰ก 1 mod ๐œ™(๐‘›) (this can be computed rapidly by the Euclidean algorithm). Now the store tells everyone what ๐‘› and ๐‘ are, and keep secret the factorization ๐‘› = ๐‘๐‘ž, ๐œ™(๐‘›) and ๐‘‘. Suppose you want to send the store the secret number ๐‘Ž in the range [1, ๐‘›]. We assume that ๐‘Ž is coprime to ๐‘›, which is very likely to be the case (why?). You compute ๐‘Ž๐‘ mod ๐‘› (which we shall see in Example 8.6 below can be done rapidly) and send this to the store. To decode ๐‘Ž rapidly, the store, which knows ๐‘‘, simply computes (๐‘Ž๐‘ )๐‘‘ mod ๐‘› which

8.2. Primality and factoring

139

is ๐‘Ž๐‘๐‘‘ โ‰ก ๐‘Ž1+โ„“๐œ™(๐‘›) โ‰ก ๐‘Ž mod ๐‘›, upon recalling that ๐‘๐‘‘ = 1 + โ„“๐œ™(๐‘›) for some integer โ„“, and using Eulerโ€™s theorem. Any eavesdropper will only see ๐‘Ž๐‘ mod ๐‘›, and not the secret word ๐‘Ž; we do not know a rapid way to compute ๐‘Ž given ๐‘Ž๐‘ and ๐‘. However, if the eavesdropper could factor ๐‘› into the primes ๐‘ and ๐‘ž, then they could compute ๐œ™(๐‘›) and ๐‘‘ and recover the message ๐‘Ž as the store did. Thus the security of the RSA cryptosystem depends on the eavesdropper not knowing a rapid algorithm for factoring. Example 8.6. Given a large natural number ๐‘›, and natural numbers ๐‘Ž and ๐‘ below ๐‘› with (๐‘Ž, ๐‘›) = 1, can we compute ๐‘Ž๐‘ mod ๐‘› rapidly? We needed this in our discussion of RSA above, when we wanted to compute ๐‘Ž๐‘ mod ๐‘› and (๐‘Ž๐‘ )๐‘‘ mod ๐‘›. There is a clever, rapid way to compute ๐‘Ž๐‘ mod ๐‘›, known as repeated squaring. Starting with ๐‘Ž mod ๐‘›, we square to get ๐‘Ž2 mod ๐‘›, and square that to get ๐‘Ž4 mod ๐‘›, and so on, until ๐‘˜ ๐‘Ž2 mod ๐‘› where 2๐‘˜ โ‰ค ๐‘› < 2๐‘˜+1 . There are about log ๐‘› such squarings to perform, and each squaring takes ๐‘‚((log ๐‘›)2 ) stepsโ€”we must square a number below ๐‘› and reduce the answer mod ๐‘›. Thus it takes ๐‘— ๐‘‚((log ๐‘›)3 ) steps to generate ๐‘Ž2 mod ๐‘› for all 0 โ‰ค ๐‘— โ‰ค ๐‘˜. Finally, express ๐‘˜ ๐‘ in binary as ๐‘ = โˆ‘๐‘—=0 ๐œ–๐‘— 2๐‘— , with each ๐œ–๐‘— = 0 or 1, and multiply together ๐‘—

the values of ๐‘Ž2 mod ๐‘› with ๐œ–๐‘— = 1. This involves ๐‘‚(log ๐‘›) multiplications of numbers below ๐‘› (reducing mod ๐‘› after each multiplication) and takes again ๐‘‚((log ๐‘›)3 ) steps. Thus ๐‘Ž๐‘ mod ๐‘› may be computed in time ๐‘‚((log ๐‘›)3 ), which is rapid. Another example of a problem that is computationally difficult (again, as far as we know) is the discrete logarithm problem. We have already seen that the group (โ„ค/๐‘โ„ค)ร— is cyclic, and there are primitive roots ๐‘” mod ๐‘. Given such a primitive root ๐‘”, repeated squaring (as in Example 8.6) gives a rapid algorithm to compute ๐‘”๐‘ฅ mod ๐‘ for any number ๐‘ฅ with 1 โ‰ค ๐‘ฅ โ‰ค (๐‘ โˆ’ 1). The discrete logarithm problem asks to reverse this: given ๐‘” and ๐‘”๐‘ฅ mod ๐‘ can you find in polynomial time what ๐‘ฅ (which looks like a logarithm) is? Just as the difficulty of factoring allowed for the interesting RSA cryptosystem, the difficulty of the discrete logarithm problem can be exploited in an interesting way. It forms the basis for the Diffieโ€“Hellman

140

8. The AKS Primality Test

key exchange protocol, which permits two people to share a common secret word while only exchanging messages that everyone can see. How can this be done? Suppose ๐‘ is a large prime and ๐‘” is a primitive root mod ๐‘, and ๐‘ and ๐‘” are known to everyone. Akhnaten chooses a secret word ๐‘Ž and sends Nefertiti ๐‘”๐‘Ž mod ๐‘. Nefertiti chooses a secret word ๐‘ and sends Akhnaten ๐‘”๐‘ mod ๐‘. Akhnaten can now compute (๐‘”๐‘ )๐‘Ž = ๐‘”๐‘Ž๐‘ mod ๐‘, and Nefertiti can compute (๐‘”๐‘Ž )๐‘ = ๐‘”๐‘Ž๐‘ mod ๐‘. Thus they can share the secret ๐‘”๐‘Ž๐‘ mod ๐‘. Eavesdroppers can only see ๐‘”, ๐‘”๐‘Ž , and ๐‘”๐‘ mod ๐‘, but from this information there is no known way to compute ๐‘”๐‘Ž๐‘ โ€”since no one knows how to find the discrete logs ๐‘Ž and ๐‘ quickly. The shared message ๐‘”๐‘Ž๐‘ can then be used by Akhnaten and Nefertiti as a basis for other coding procedures. For both the factoring problem and the discrete logarithm problem there is a polynomial time algorithm (due to Peter Shor [25]) based on quantum computers, but no one has yet built a practical quantum computer. Yet another interesting problem is to find large primes quicklyโ€”for example, in RSA we needed two large primes ๐‘ and ๐‘ž. At the moment there is no known rapid algorithm that is guaranteed to work quickly and that will find a prime larger than a given bound ๐‘›. However, even though we canโ€™t prove that it works, we can simply run over integers larger than ๐‘›, checking each one for primality and stop when we find the first prime. This does in fact work well practically, but raises the question of how to check quickly whether a number ๐‘› is prime? This brings us to the central problem of the chapter: rapid algorithms for primality testing. How is it possible to have an algorithm to check whether ๐‘› is prime without trying to factor ๐‘›? Fermatโ€™s theorem gives a clue. If ๐‘ is prime, then we know that ๐‘Ž๐‘โˆ’1 โ‰ก 1 mod ๐‘ for all (๐‘Ž, ๐‘) = 1. Suppose we can find a reduced residue class ๐‘Ž mod ๐‘› such that ๐‘Ž๐‘›โˆ’1 โ‰ข 1 mod ๐‘› (note that by Example 8.6 we can check this criterion rapidly). This would then prove that ๐‘› is not prime, without finding a factor for ๐‘›. If somehow ๐‘Ž๐‘›โˆ’1 does turn out to be 1 mod ๐‘›, then ๐‘› is called a pseudoprime to the base ๐‘Ž. In this case, ๐‘› could be prime or composite, and we cannot come to any definite conclusion. But we may simply pick a different value of ๐‘Ž and try again. If this pseudoprime test works for many values of ๐‘Ž we may be reasonably confident that ๐‘› is prime.

8.3. The basic idea behind AKS

141

Unfortunately the test given above does not always work. There are composite numbers ๐‘›, known as Carmichael numbers, such that ๐‘Ž๐‘›โˆ’1 โ‰ก 1 mod ๐‘› for all reduced residues ๐‘Ž mod ๐‘›. You have already seen from Exercise 8 of Chapter 6 that 561, 1105, and 1729 are Carmichael numbers โ€” in fact these are the first three Carmichael numbers. Moreover, Alford, Granville and Pomerance [2] established in the 1990s that there are infinitely many such Carmichael numbers. However, there is a modified pseudoprime test which is guaranteed to work rapidly, at least if the Generalized Riemann Hypothesis (an important, but wide open, conjecture) is true! This is known as the strong pseudoprime test, and is described in Exercise 7 below; this test still forms the basis for primality testing in many computer packages. Finally in 2002, Agrawal, Kayal and Saxena [1] created a sensation by coming up with a rapid polynomial time primality test, which is an ingenious modification of these pseudoprime tests. The test is deterministic, and can be shown to work in polynomial time without relying on any unproved hypothesis. Notably, Kayal and Saxena were undergraduates when they did this work! Our goal in the rest of this chapter will be to understand the AKS algorithm, as it has come to be known. We will see that the argument involves working with finite fields, and a lot of cleverness. We follow largely the original treatment in [1]; the exposition in [10] gives many further references and later refinements.

8.3. The basic idea behind AKS In the previous section, we observed that one can try to use a โ€œconverse to Fermatโ€™s little theoremโ€ as a primality test, but unfortunately this doesnโ€™t always work. The key idea behind the AKS test is to use a variant of the pseudoprime test, but extended to polynomials. Lemma 8.7. Suppose ๐‘› is a natural number, and ๐‘Ž an integer coprime to ๐‘›. The number ๐‘› is prime if and only if the relation (๐‘ฅ + ๐‘Ž)๐‘› โ‰ก ๐‘ฅ๐‘› + ๐‘Ž mod ๐‘› holds. The congruence above means that the polynomials (๐‘ฅ+๐‘Ž)๐‘› and ๐‘ฅ๐‘› + ๐‘Ž in โ„ค[๐‘ฅ] differ by an element in the ideal (๐‘›) = ๐‘›โ„ค[๐‘ฅ]. Another way to say this is to reduce the coefficients of polynomials in โ„ค[๐‘ฅ] modulo ๐‘›, so

142

8. The AKS Primality Test

that we are working in the polynomial ring (โ„ค/๐‘›โ„ค)[๐‘ฅ], where we want the relation (๐‘ฅ + ๐‘Ž)๐‘› = ๐‘ฅ๐‘› + ๐‘Ž. Proof. Suppose first that ๐‘› = ๐‘ is a prime. Observe that ๐‘! ๐‘ ( )= ๐‘– ๐‘–! (๐‘ โˆ’ ๐‘–)! is a multiple of ๐‘ for all 1 โ‰ค ๐‘– โ‰ค ๐‘ โˆ’ 1. Therefore, using the binomial theorem, we have ๐‘โˆ’1

๐‘ (๐‘ฅ + ๐‘Ž)๐‘ = ๐‘ฅ๐‘ + โˆ‘ ( )๐‘ฅ๐‘โˆ’๐‘– ๐‘Ž๐‘– + ๐‘Ž๐‘ โ‰ก ๐‘ฅ๐‘ + ๐‘Ž๐‘ mod ๐‘ ๐‘– ๐‘–=1 โ‰ก ๐‘ฅ๐‘ + ๐‘Ž mod ๐‘, where the last relation holds because ๐‘Ž๐‘ โ‰ก ๐‘Ž mod ๐‘ for all ๐‘Ž โˆˆ โ„ค by Fermat. This proves one direction of the lemma. Conversely, if ๐‘› is not prime, then by Exercise 2 below there is some 1 โ‰ค ๐‘– โ‰ค ๐‘› โˆ’ 1 with (๐‘›๐‘–) not being a multiple of ๐‘›. Therefore in this case the binomial theorem shows that the coefficients of ๐‘ฅ๐‘›โˆ’๐‘– (or ๐‘ฅ๐‘– ) on both sides of the identity of the lemma do not match mod ๐‘›. โ–ก So we can use Lemma 8.7 as a test to check whether ๐‘› is prime. But, as it stands, this is not a very useful test because in order to check whether (๐‘ฅ + ๐‘Ž)๐‘› โ‰ก ๐‘ฅ๐‘› + ๐‘Ž mod ๐‘› we must compare ๐‘› coefficients, and this will take at least ๐‘› operations to do. The key idea behind the AKS test is instead to check whether (8.1)

(๐‘ฅ + ๐‘Ž)๐‘› โ‰ก ๐‘ฅ๐‘› + ๐‘Ž

mod ๐ผ,

where ๐ผ is the ideal in โ„ค[๐‘ฅ] given by ๐ผ = (๐‘›, ๐‘ฅ๐‘Ÿ โˆ’ 1) = {๐‘›๐‘“(๐‘ฅ) + (๐‘ฅ๐‘Ÿ โˆ’ 1)๐‘”(๐‘ฅ) โˆถ ๐‘“, ๐‘” โˆˆ โ„ค[๐‘ฅ]}, for a suitable value of ๐‘Ÿ and some (not too many) values of ๐‘Ž. Why is it faster to check congruences mod ๐ผ rather than mod ๐‘›? In reducing mod ๐ผ, we can reduce mod ๐‘› the coefficients of any polynomial. Further we can replace ๐‘ฅ๐‘š๐‘Ÿ by 1, since ๐‘ฅ๐‘š๐‘Ÿ โˆ’ 1 is a multiple of (๐‘ฅ๐‘Ÿ โˆ’ 1), and thus it is enough to consider terms ๐‘ฅ๐‘— with 0 โ‰ค ๐‘— < ๐‘Ÿ. In other words, working mod ๐ผ, we may restrict attention to polynomi๐‘Ÿโˆ’1 als โˆ‘๐‘—=0 ๐‘Ž๐‘— ๐‘ฅ๐‘— , with the coefficients ๐‘Ž๐‘— taken mod ๐‘›, so that ๐‘Ž๐‘— may be thought of as integers below ๐‘›. Thus, for example, we could compute (๐‘ฅ + ๐‘Ž)๐‘› mod ๐ผ by repeated squaring, keeping in mind that we only have

8.4. The algorithm

143

to multiply polynomials of degree at most ๐‘Ÿ and coefficients at most ๐‘›. If ๐‘Ÿ is small (like a power of log ๐‘›), then this could be done rapidly. In the next section, we describe the AKS algorithm precisely. Then in ยง8.5 we analyze its running time. Finally we explain the proof of why the algorithm works.

8.4. The algorithm If ๐‘› < 106 is a small number, then a quick trial division will settle the issue. Thus in what follows, we shall assume that ๐‘› โ‰ฅ 106 is a reasonably large number. Step 1. First we check that ๐‘› is not a perfect power. One can rapidly do this, because if ๐‘› = ๐‘š๐‘˜ for some ๐‘˜ โ‰ฅ 2, then we must have ๐‘˜ โ‰ค log2 ๐‘›. So there are not many choices for ๐‘˜, and for each choice ๐‘˜, we can compute quickly whether ๐‘› is a ๐‘˜th power or not (we will go over this in more detail in the next section). If ๐‘› is a ๐‘˜th power for some ๐‘˜ โ‰ฅ 2, we stop and output that ๐‘› is composite. Step 2. Second, let us check that ๐‘› has no prime factor smaller than 100(log ๐‘›)5 . Since there are only 100(log ๐‘›)5 divisions to check, this too is rapid. If we do find a small prime factor, of course we can stop and declare ๐‘› to be composite. Step 3. Find the smallest integer ๐‘Ÿ such that the order of ๐‘› mod ๐‘Ÿ is โ‰ฅ 9(log ๐‘›)2 . It is crucial that there is a small value of ๐‘Ÿ with this property, and this is guaranteed by the following lemma (proved in Section 8.6). Lemma 8.8. Assume that ๐‘› โ‰ฅ 106 is such that ๐‘› is not divisible by any prime number below 100(log ๐‘›)5 . There exists ๐‘Ÿ โ‰ค 100(log ๐‘›)5 such that the order of ๐‘› mod ๐‘Ÿ is at least 9(log ๐‘›)2 . Step 4. This involves checking the following key identity: (8.2)

(๐‘ฅ + ๐‘Ž)๐‘› โ‰ก ๐‘ฅ๐‘› + ๐‘Ž

mod (๐‘›, ๐‘ฅ๐‘Ÿ โˆ’ 1),

for various values of ๐‘Ž โˆˆ โ„ค. To clarify, the identity means that (๐‘ฅ + ๐‘Ž)๐‘› (which is in โ„ค[๐‘ฅ]) differs from ๐‘ฅ๐‘› +๐‘Ž by an element in the ideal (๐‘›, ๐‘ฅ๐‘Ÿ โˆ’1) of โ„ค[๐‘ฅ] โ€” or in other words, the difference (๐‘ฅ + ๐‘Ž)๐‘› โˆ’ ๐‘ฅ๐‘› โˆ’ ๐‘Ž can be expressed as ๐‘›๐‘“(๐‘ฅ) + (๐‘ฅ๐‘Ÿ โˆ’ 1)๐‘”(๐‘ฅ) where ๐‘“ and ๐‘” are in โ„ค[๐‘ฅ]. We are now at the most important point of the AKS algorithm: Theorem 8.9 (Agrawal, Kayal, and Saxena (2002)). Let ๐‘› โ‰ฅ 106 be given, with ๐‘› not a perfect power. Let ๐‘Ÿ be natural number such that all prime

144

8. The AKS Primality Test

factors of ๐‘› are larger than ๐‘Ÿ, and such that the order of ๐‘› mod ๐‘Ÿ is at least 9(log ๐‘›)2 . Then the key identity (8.2) holds for all 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ if and only if ๐‘› is a prime number. Thus, in Step 4, it is enough to check (8.2) for all 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ โ‰ค 100(log ๐‘›)5 and if ๐‘› satisfies all these identities we can declare it to be prime. Note that one half of Theorem 8.9 is easy: if ๐‘› is prime then (๐‘ฅ + ๐‘Ž)๐‘› โ‰ก ๐‘ฅ๐‘› + ๐‘Ž mod ๐‘› for all natural numbers ๐‘Ž by Lemma 8.7, so that (8.2) holds for all ๐‘Ž and all ๐‘Ÿ in this case. The interesting bit is the converse, that if the key identity holds for sufficiently many cases, then ๐‘› must be prime.

8.5. Running time analysis Let us now analyze how long the AKS algorithm takes. Our goal is just to show that it is a polynomial time algorithm, and we donโ€™t make an effort to optimize every detail. We shall show that the algorithm runs in ๐‘‚((log ๐‘›)18 ) steps. Step 1. Given ๐‘˜ โ‰ฅ 2 and ๐‘›, how long does it take to check if ๐‘› is a ๐‘˜th power? To check if ๐‘› is a ๐‘˜th power, the idea is just to start working out the binary expansion of ๐‘›1/๐‘˜ . The ๐‘˜th root will have about (log2 ๐‘›)/๐‘˜ bits, and to figure out each bit we will have to take the ๐‘˜th power of some number and check if it is larger than ๐‘› or not. To compute the ๐‘˜th power of a number with โ„“ bits takes ๐‘‚(โ„“โ‹…โ„“+โ„“โ‹…2โ„“+. . .+โ„“โ‹…๐‘˜โ„“) = ๐‘‚(โ„“2 ๐‘˜2 ) stepsโ€” this is just multiplying a number to itself many times, without even using repeated squaring. Thus to determine a bit of ๐‘›1/๐‘˜ takes ๐‘‚((log ๐‘›)2 ) steps, and determining the full ๐‘‚((log ๐‘›)/๐‘˜) bits takes ๐‘‚((log ๐‘›)3 /๐‘˜) steps. In other words, to check if ๐‘› is a ๐‘˜th power takes ๐‘‚((log ๐‘›)3 ) steps, and doing this for each 2 โ‰ค ๐‘˜ โ‰ค log2 ๐‘› we can check if ๐‘› is a perfect power in ๐‘‚((log ๐‘›)4 ) steps. Step 2. Here we need to divide ๐‘› by numbers up to about 100(log ๐‘›)5 . Each division takes ๐‘‚((log ๐‘›)(log log ๐‘›)) stepsโ€”the log log ๐‘› comes from the number of bits in a number of size 100(log ๐‘›)5 . So, in total, this step takes ๐‘‚((log ๐‘›)6 log log ๐‘›) operations, which may be bounded by ๐‘‚((log ๐‘›)7 ) for simplicity. Step 3. For each ๐‘Ÿ with 2 โ‰ค ๐‘Ÿ โ‰ค 100(log ๐‘›)5 we must compute the order of ๐‘› mod ๐‘Ÿ, which we want to be large. Once again, we are content to argue very crudely: given ๐‘Ÿ we simply compute ๐‘›1 , ๐‘›2 , . . ., ๐‘›๐พ , all mod ๐‘Ÿ,

8.6. Proof of Lemma 8.8

145

with ๐พ = โŒŠ9(log ๐‘›)2 โŒ‹, and check whether any of these is 1 mod ๐‘Ÿ. We begin by reducing ๐‘› mod ๐‘Ÿ, which takes about ๐‘‚((log ๐‘›)(log ๐‘Ÿ)) operations. Every subsequent computation of ๐‘›๐‘— mod ๐‘Ÿ (for 2 โ‰ค ๐‘— โ‰ค ๐พ) involves multiplying two numbers below ๐‘Ÿ and reducing mod ๐‘Ÿ, which takes ๐‘‚((log ๐‘Ÿ)2 ) steps. Thus for a given ๐‘Ÿ, we may check whether the order of ๐‘› mod ๐‘Ÿ exceeds ๐พ in ๐‘‚((log ๐‘›)(log ๐‘Ÿ) + ๐พ(log ๐‘Ÿ)2 ) = ๐‘‚((log ๐‘›)2 (log ๐‘Ÿ)2 ) steps. Let us bound this more simply by ๐‘‚((log ๐‘›)3 ). Performing this for each ๐‘Ÿ in our range, we can complete Step 3 and find a suitable ๐‘Ÿ in ๐‘‚((log ๐‘›)8 ) operations. Step 4. Here we must verify the key identity (8.2) for ๐‘Ÿ values of ๐‘Ž. For each ๐‘Ž, by repeated squaring we must perform on the order of log ๐‘› multiplications of polynomials mod(๐‘›, ๐‘ฅ๐‘Ÿ โˆ’ 1). Each such multiplication involves computing ๐‘Ÿ coefficients, and each coefficient involves about ๐‘Ÿ multiplications of numbers of size at most ๐‘›โ€”therefore each polynomial multiplication takes about ๐‘‚(๐‘Ÿ2 (log ๐‘›)2 ) steps. So for each ๐‘Ž our identity may be checked in about ๐‘‚(๐‘Ÿ2 (log ๐‘›)3 ) steps. And finally ranging over all ๐‘Ž โ‰ค ๐‘Ÿ, we can complete Step 4 in ๐‘‚(๐‘Ÿ3 (log ๐‘›)3 ) which is ๐‘‚((log ๐‘›)18 ). This is the bottleneck stepโ€”we have been wasteful in some parts of our analysis above, but at any rate it should be clear that we have a polynomial time algorithm!

8.6. Proof of Lemma 8.8 We now prove Lemma 8.8, which asserts that if ๐‘› is not divisible by any prime below 100(log ๐‘›)5 , then there exists an integer ๐‘Ÿ โ‰ค 100(log ๐‘›)5 with the order of ๐‘› mod ๐‘Ÿ being at least 9(log ๐‘›)2 . Suppose instead that all ๐‘Ÿ โ‰ค ๐‘… = 2โŒŠ50(log ๐‘›)5 โŒ‹ are such that the order of ๐‘› mod ๐‘Ÿ is at most ๐พ = โŒŠ9(log ๐‘›)2 โŒ‹. This means that each ๐‘Ÿ โ‰ค ๐‘… divides some ๐‘›๐‘˜ โˆ’ 1 with ๐‘˜ โ‰ค ๐พ. Therefore, ๐พ

(8.3)

(lcm of all 1 โ‰ค ๐‘Ÿ โ‰ค ๐‘…) divides โˆ(๐‘›๐‘˜ โˆ’ 1). ๐‘˜=1

We shall obtain a contradiction by establishing an upper bound for the right side of (8.3), and a lower bound for the left sideโ€”the goal will be to have the lower bound larger than the upper bound, which would be impossible as a larger number cannot divide a smaller one. Clearly

146

8. The AKS Primality Test

the right side of (8.3) is ๐พ

โ‰ค โˆ ๐‘›๐‘˜ = exp ( ๐‘˜=1

๐พ(๐พ + 1) log ๐‘›) โ‰ค exp(45(log ๐‘›)5 ). 2

Recall from Chapter 2, Proposition 2.4 (parts (i, ii)) that (

๐‘… ) divides โˆ ๐‘โŒŠlog ๐‘…/ log ๐‘โŒ‹ = lcm of 1 โ‰ค ๐‘Ÿ โ‰ค ๐‘…. ๐‘…/2 ๐‘โ‰ค๐‘…

Thus the left side of (8.3) is at least (

2๐‘… ๐‘… , )โ‰ฅ ๐‘… ๐‘…/2

๐‘… upon using Proposition 2.5 to bound (๐‘…/2 ). The assumption that ๐‘› is divisible by no prime below ๐‘… clearly implies that ๐‘… โ‰ค ๐‘›, and by definition ๐‘… = 2โŒŠ50(log ๐‘›)5 โŒ‹ โ‰ฅ 99(log ๐‘›)5 . We conclude that the left side of (8.3) is 5

โ‰ฅ

299(log ๐‘›) 5 โ‰ฅ 298(log ๐‘›) โ‰ฅ exp(49(log ๐‘›)5 ), ๐‘›

since 22 = 4 > ๐‘’. Clearly this lower bound is in conflict with our upper bound, and thus we obtain a contradiction to our assumption that for all ๐‘Ÿ โ‰ค ๐‘… the order of ๐‘› mod ๐‘Ÿ is at most โŒŠ9(log ๐‘›)2 โŒ‹. This completes our proof of Lemma 8.8.

8.7. Generating new relations from old The key to proving Theorem 8.9 is that (8.2) for different values of ๐‘Ž can be used to generate many other similar relations. If there is a composite ๐‘› satisfying (8.2) for many values of ๐‘Ž, then eventually we will obtain so many relations that in a suitable field we will be able to cook up a polynomial with more roots than its degree, thus getting a contradiction. Lemma 8.10. Suppose ๐‘›, ๐‘Ÿ and ๐‘Ž are such that (๐‘ฅ + ๐‘Ž)๐‘› โ‰ก ๐‘ฅ๐‘› + ๐‘Ž

mod (๐‘›, ๐‘ฅ๐‘Ÿ โˆ’ 1).

Let ๐‘ be a prime factor of ๐‘›. Then the relation (8.4)

(๐‘ฅ + ๐‘Ž)๐‘š โ‰ก ๐‘ฅ๐‘š + ๐‘Ž

mod (๐‘, ๐‘ฅ๐‘Ÿ โˆ’ 1)

holds for all ๐‘š of the form ๐‘›๐‘– ๐‘๐‘— with ๐‘– and ๐‘— being non-negative integers.

8.8. Proof of Theorem 8.9

147

Proof. By assumption the relation (8.4) holds for ๐‘š = ๐‘›. By the binomial theorem, as in Lemma 8.7, the relation (8.4) also holds for ๐‘š = ๐‘โ€” indeed (๐‘ฅ + ๐‘Ž)๐‘ โ‰ก ๐‘ฅ๐‘ + ๐‘Ž๐‘ โ‰ก ๐‘ฅ๐‘ + ๐‘Ž mod ๐‘. To prove our lemma, we establish that if (8.4) holds for ๐‘š = ๐‘˜ and ๐‘š = โ„“ then it also holds for ๐‘š = ๐‘˜โ„“. Indeed โ„“

(๐‘ฅ + ๐‘Ž)๐‘˜โ„“ = ((๐‘ฅ + ๐‘Ž)๐‘˜ ) โ‰ก (๐‘ฅ๐‘˜ + ๐‘Ž)โ„“

mod (๐‘, ๐‘ฅ๐‘Ÿ โˆ’ 1),

upon using (8.4) for ๐‘š = ๐‘˜. Now (8.4) with ๐‘š = โ„“ (and replacing ๐‘ฅ by ๐‘ฆ) gives (๐‘ฆ + ๐‘Ž)โ„“ โ‰ก ๐‘ฆโ„“ + ๐‘Ž mod (๐‘, ๐‘ฆ๐‘Ÿ โˆ’ 1), and if we take ๐‘ฆ = ๐‘ฅ๐‘˜ it follows that (๐‘ฅ๐‘˜ + ๐‘Ž)โ„“ โ‰ก ๐‘ฅ๐‘˜โ„“ + ๐‘Ž mod (๐‘, ๐‘ฅ๐‘˜๐‘Ÿ โˆ’ 1). Since ๐‘ฅ๐‘Ÿ โˆ’ 1 divides ๐‘ฅ๐‘˜๐‘Ÿ โˆ’ 1, we conclude that (๐‘ฅ๐‘˜ + ๐‘Ž)โ„“ โ‰ก ๐‘ฅ๐‘˜โ„“ + ๐‘Ž mod (๐‘, ๐‘ฅ๐‘Ÿ โˆ’ 1), which completes our proof.

โ–ก

8.8. Proof of Theorem 8.9 Suppose ๐‘› โ‰ฅ 106 is not a perfect power. Suppose that ๐‘› is not divisible by any prime at most ๐‘Ÿ, and that the order of ๐‘› mod ๐‘Ÿ is โ‰ฅ 9(log ๐‘›)2 . Suppose that (8.2) holds for all 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ. We must now show that ๐‘› is a prime. Suppose it is not, and let ๐‘ be a prime factor of ๐‘›. Observe that we need this prime ๐‘ only in the proof that the AKS algorithm works, and it plays no role in the algorithm itself. Define a set of positive integers by โ„ณ = {๐‘›๐‘– ๐‘๐‘— โˆถ ๐‘– โ‰ฅ 0, ๐‘— โ‰ฅ 0}. From Lemma 8.10 we know that for all 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ and all ๐‘š โˆˆ โ„ณ (๐‘ฅ + ๐‘Ž)๐‘š โ‰ก ๐‘ฅ๐‘š + ๐‘Ž mod (๐‘, ๐‘ฅ๐‘Ÿ โˆ’ 1). This is a congruence in the ring โ„ค[๐‘ฅ], and means that (8.5)

(๐‘ฅ + ๐‘Ž)๐‘š = ๐‘ฅ๐‘š + ๐‘Ž + ๐‘๐‘“(๐‘ฅ) + (๐‘ฅ๐‘Ÿ โˆ’ 1)๐‘”(๐‘ฅ),

for suitable polynomials ๐‘“ and ๐‘” in โ„ค[๐‘ฅ].

148

8. The AKS Primality Test

Instead of working with such relations in โ„ค[๐‘ฅ], we will find it more convenient to work with relations in an appropriate finite field. Let us now define this field over which we shall work. Suppose ๐‘ mod ๐‘Ÿ has order ๐‘˜โ€”thus ๐‘Ÿ|(๐‘๐‘˜ โˆ’1), and ๐‘Ÿ does not divide (๐‘๐‘— โˆ’1) for any ๐‘— < ๐‘˜. It is conceivable that ๐‘˜ could be 1, which would happen in case ๐‘ โ‰ก 1 mod ๐‘Ÿ. We will work in a finite field ๐”ฝ๐‘ž with ๐‘ž = ๐‘๐‘˜ elements. ๐‘˜

Let ๐›ฝ be a generator of ๐”ฝร—๐‘ž , and take ๐›ผ = ๐›ฝ (๐‘ โˆ’1)/๐‘Ÿ . Thus ๐›ผ is an element of ๐”ฝร—๐‘ž whose order is exactly ๐‘Ÿ, and in particular ๐›ผ๐‘Ÿ = 1. Consider now the relation (8.5). Plug in ๐‘ฅ = ๐›ผ in this relation, to obtain an identity in the field ๐”ฝ๐‘ž : (๐›ผ + ๐‘Ž)๐‘š = ๐›ผ๐‘š + ๐‘Ž + ๐‘๐‘“(๐›ผ) + (๐›ผ๐‘Ÿ โˆ’ 1)๐‘”(๐›ผ). Since ๐”ฝ๐‘ž has characteristic ๐‘, clearly ๐‘๐‘“(๐›ผ) = 0. Further, since ๐›ผ๐‘Ÿ = 1, we have (๐›ผ๐‘Ÿ โˆ’ 1)๐‘”(๐›ผ) = 0. In other words, the relations (8.5) become in ๐”ฝ๐‘ž the relations (8.6)

(๐›ผ + ๐‘Ž)๐‘š = ๐›ผ๐‘š + ๐‘Ž,

holding for all 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ, and all ๐‘š โˆˆ โ„ณ. Our goal is to show that all these relations in ๐”ฝ๐‘ž will force a contradiction to our assumption that ๐‘› is composite. Why should we be suspicious of the relations in (8.6)? Suppose we find two different integers ๐‘š1 and ๐‘š2 โˆˆ โ„ณ with ๐‘š1 โ‰ก ๐‘š2 mod ๐‘Ÿ. Since ๐›ผ has order ๐‘Ÿ, we must have ๐›ผ๐‘š1 โ‰ก ๐›ผ๐‘š2 so that the right hand sides of (8.6) would be identical for ๐‘š = ๐‘š1 and ๐‘š = ๐‘š2 . However it is not at all clear why one must have (๐›ผ + ๐‘Ž)๐‘š1 = (๐›ผ + ๐‘Ž)๐‘š2 . The proof below exploits this difference in the structure of the right and left sides of (8.6) by producing small values of ๐‘š1 , ๐‘š2 โˆˆ โ„ณ with ๐‘š1 โ‰  ๐‘š2 but ๐‘š1 โ‰ก ๐‘š2 mod ๐‘Ÿ. Lemma 8.11. Let โ„‹ denote the subgroup of (โ„ค/๐‘Ÿโ„ค)ร— generated by ๐‘› and ๐‘, and let โ„Ž denote the size of โ„‹. Then โ„Ž โ‰ฅ 9(log ๐‘›)2 , and there exist two distinct elements ๐‘š1 , ๐‘š2 โˆˆ โ„ณ with ๐‘š1 , ๐‘š2 โ‰ค ๐‘›2โˆšโ„Ž , and ๐‘š1 โ‰ก ๐‘š1 mod ๐‘Ÿ.

8.8. Proof of Theorem 8.9

149

Proof. The elements of โ„‹ are simply the elements of โ„ณ reduced mod ๐‘Ÿ. Note that inverses are automatically included among the elements ๐‘›๐‘– ๐‘๐‘— with ๐‘– โ‰ฅ 0, and ๐‘— โ‰ฅ 0, because (for example) ๐‘›โˆ’1 mod ๐‘Ÿ may be expressed as ๐‘›๐œ™(๐‘Ÿ)โˆ’1 mod ๐‘Ÿ. The group โ„‹ contains all the powers of ๐‘›, and since the order of ๐‘› mod ๐‘Ÿ is โ‰ฅ 9(log ๐‘›)2 by construction, we see that โ„Ž โ‰ฅ 9(log ๐‘›)2 . It remains now to show that there are two distinct elements ๐‘š1 , ๐‘š2 โˆˆ โ„ณ with ๐‘š1 , ๐‘š2 โ‰ค ๐‘›2โˆšโ„Ž and ๐‘š1 โ‰ก ๐‘š2 mod ๐‘Ÿ. To see this, consider the elements ๐‘›๐‘– ๐‘๐‘— โˆˆ โ„ณ with 0 โ‰ค ๐‘– โ‰ค โŒŠโˆšโ„ŽโŒ‹ and 0 โ‰ค ๐‘— โ‰ค โŒŠโˆšโ„ŽโŒ‹. There are (1 + โŒŠโˆšโ„ŽโŒ‹)2 > โ„Ž such integers, and they are all distinct since ๐‘› is not a perfect power, and so in particular ๐‘› is not a power of ๐‘. If these integers are reduced mod ๐‘Ÿ then they must lie in the group โ„‹ which has size โ„Ž. By the pigeonhole principle, it follows that there are two such distinct numbers ๐‘š1 and ๐‘š2 with ๐‘š1 โ‰ก ๐‘š2 mod ๐‘Ÿ; moreover both ๐‘š1 and ๐‘š2 are below ๐‘›โˆšโ„Ž ๐‘โˆšโ„Ž < ๐‘›2โˆšโ„Ž . โ–ก To make use of this, we will next define a subgroup ๐’ข of ๐”ฝร—๐‘ž motivated by the relations (8.6). We will use Lemma 8.11 to obtain an upper bound on the size of this group (see Lemma 8.12 below). Then in Lemma 8.13 we shall obtain a lower bound for the size of ๐’ข. Both bounds will rely crucially on the relations (8.6) together with the fact that a polynomial of degree ๐‘‘ over ๐”ฝ๐‘ž cannot have more than ๐‘‘ roots. The upper and lower bounds will then be shown to contradict each other, completing our proof. Lemma 8.12. The elements ๐›ผ + ๐‘Ž with 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ all lie in ๐”ฝร—๐‘ž . Let ๐’ข denote the subgroup of ๐”ฝร—๐‘ž generated by the elements ๐›ผ + ๐‘Ž with 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ. The size of the group ๐’ข is |๐’ข| โ‰ค ๐‘›2โˆšโ„Ž . Proof. Let us first show that all the elements ๐›ผ + ๐‘Ž with 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ are in ๐”ฝร—๐‘ž . If not, then ๐›ผ + ๐‘Ž = 0 for some 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ, and then (8.6) applied to ๐‘š = ๐‘› gives 0 = (๐›ผ + ๐‘Ž)๐‘› = ๐›ผ๐‘› + ๐‘Ž, so that one must have ๐›ผ๐‘› = โˆ’๐‘Ž = ๐›ผ. Since ๐›ผ has order ๐‘Ÿ, this means that ๐‘› โ‰ก 1 mod ๐‘Ÿ, which contradicts our assumption that the order of ๐‘› mod ๐‘Ÿ is at least 9(log ๐‘›)2 . We remark that this possibility that ๐›ผ + ๐‘Ž equals 0 only arises if ๐‘ž = ๐‘ (so that ๐‘ โ‰ก 1 mod ๐‘Ÿ), which was allowed in

150

8. The AKS Primality Test

our definition of the field ๐”ฝ๐‘ž . We could also have avoided this possibility by selecting a prime ๐‘ dividing ๐‘› with ๐‘ โ‰ข 1 mod ๐‘Ÿ; such a prime must exist since ๐‘› โ‰ข 1 mod ๐‘Ÿ. Having established that ๐›ผ + ๐‘Ž belongs to ๐”ฝร—๐‘ž for all 1 โ‰ค ๐‘Ž โ‰ค ๐‘Ÿ, we can now proceed to the subgroup ๐’ข of ๐”ฝร—๐‘ž generated by these elements. Concretely, the group ๐’ข consists of all elements of the form ๐‘Ÿ

โˆ(๐›ผ + ๐‘Ž)๐‘’๐‘Ž , ๐‘Ž=1

where the exponents ๐‘’ ๐‘Ž are non-negative integers. Note that this does form a groupโ€”inverses are included, because all elements have finite order, and so for example (๐›ผ + ๐‘Ž)โˆ’1 = (๐›ผ + ๐‘Ž)(๐‘žโˆ’1)โˆ’1 . It remains now to establish the upper bound on the size of ๐’ข. Let ๐‘š1 and ๐‘š2 be the elements of โ„ณ produced by Lemma 8.11. Thus ๐‘š1 and ๐‘š2 are unequal, both lying below ๐‘›2โˆšโ„Ž , and with ๐‘š1 โ‰ก ๐‘š2 mod ๐‘Ÿ. Consider the equation ๐‘ฅ๐‘š1 = ๐‘ฅ๐‘š2 . Being a polynomial equation of degree at most ๐‘›2โˆšโ„Ž , clearly this equation can have at most ๐‘›2โˆšโ„Ž roots in ๐”ฝ๐‘ž . We claim that all the elements of ๐’ข are solutions to this equation, and then the lemma would follow. ๐‘Ÿ

To prove our claim, suppose ๐‘” = โˆ๐‘Ž=1 (๐›ผ + ๐‘Ž)๐‘’๐‘Ž is an element of ๐’ข. Then, using (8.6), we see that ๐‘Ÿ

๐‘’๐‘Ž

๐‘”๐‘š1 = โˆ ((๐›ผ + ๐‘Ž)๐‘š1 )

๐‘Ÿ

= โˆ(๐›ผ๐‘š1 + ๐‘Ž)๐‘’๐‘Ž ,

๐‘Ž=1

๐‘Ž=1

and similarly ๐‘Ÿ

๐‘”๐‘š2 = โˆ(๐›ผ๐‘š2 + ๐‘Ž)๐‘’๐‘Ž . ๐‘Ž=1

But now ๐‘š1 โ‰ก ๐‘š2 mod ๐‘Ÿ, and ๐›ผ๐‘Ÿ = 1, so that ๐›ผ๐‘š1 = ๐›ผ๐‘š2 . Therefore our expressions for ๐‘”๐‘š1 and ๐‘”๐‘š2 are identical, and ๐‘” is a solution to the โ–ก equation ๐‘ฅ๐‘š1 = ๐‘ฅ๐‘š2 , as claimed. Lemma 8.13. The elements ๐‘Ÿ

๐‘Ÿ

โˆ(๐›ผ + ๐‘Ž)๐‘’๐‘Ž with โˆ‘ ๐‘’ ๐‘Ž โ‰ค โ„Ž โˆ’ 1 ๐‘Ž=1

๐‘Ž=1

are all distinct. Therefore ๐’ข has size |๐’ข| โ‰ฅ 2โ„Ž .

8.8. Proof of Theorem 8.9

151

Proof. Suppose instead that there are two such products ๐‘Ÿ

๐‘Ÿ

โˆ(๐›ผ + ๐‘Ž)๐‘’๐‘Ž

โˆ(๐›ผ + ๐‘Ž)๐‘“๐‘Ž

and

๐‘Ž=1

๐‘Ž=1 ๐‘Ÿ

๐‘Ÿ

with ๐‘’ ๐‘Ž , ๐‘“๐‘Ž โ‰ฅ 0 and โˆ‘๐‘Ž=1 ๐‘’ ๐‘Ž , โˆ‘๐‘Ž=1 ๐‘“๐‘Ž both less than โ„Ž, that happen to be the same element in ๐”ฝ๐‘ž . Naturally, we assume that the exponents ๐‘’ ๐‘Ž are not all equal to the exponents ๐‘“๐‘Ž . Consider the two polynomials in ๐”ฝ๐‘ [๐‘ฅ] given by ๐‘Ÿ

๐‘Ÿ

๐ธ(๐‘ฅ) = โˆ(๐‘ฅ + ๐‘Ž)๐‘’๐‘Ž ,

๐น(๐‘ฅ) = โˆ(๐‘ฅ + ๐‘Ž)๐‘“๐‘Ž .

and

๐‘Ž=1

๐‘Ž=1

Since ๐‘ > ๐‘Ÿ (we assumed that ๐‘› has no prime factors at most ๐‘Ÿ), the expressions for ๐ธ(๐‘ฅ) and ๐น(๐‘ฅ) give the factorizations of these two polynomials (the point is that no term ๐‘ฅ + ๐‘Ž equals ๐‘ฅ + ๐‘ for ๐‘Ž and ๐‘ below ๐‘Ÿ), and so ๐ธ(๐‘ฅ) and ๐น(๐‘ฅ) are distinct polynomials in ๐”ฝ๐‘ [๐‘ฅ]. Put ฮ”(๐‘ฅ) = ๐ธ(๐‘ฅ) โˆ’ ๐น(๐‘ฅ), so that ฮ” is a non-zero polynomial in ๐”ฝ๐‘ [๐‘ฅ] with degree less than โ„Ž. Therefore, ฮ” can have at most โ„Ž โˆ’ 1 roots in the field ๐”ฝ๐‘ž . The goal is now to show that ฮ” has too many roots. Clearly ฮ”(๐›ผ) = 0โ€”this is how we chose our polynomials ๐ธ and ๐น. The relation (8.6) now produces more roots. For any ๐‘š โˆˆ โ„ณ, note that ๐‘Ÿ

๐‘Ÿ

๐ธ(๐›ผ๐‘š ) = โˆ(๐›ผ๐‘š + ๐‘Ž)๐‘’๐‘Ž = โˆ(๐›ผ + ๐‘Ž)๐‘š๐‘’๐‘Ž = ๐ธ(๐›ผ)๐‘š , ๐‘Ž=1

๐‘Ž=1

and similarly, ๐น(๐›ผ๐‘š ) = ๐น(๐›ผ)๐‘š , so that ฮ”(๐›ผ๐‘š ) = 0. Now, note that two elements ๐›ผ๐‘š1 and ๐›ผ๐‘š2 are equal if and only if ๐‘š1 โ‰ก ๐‘š2 mod ๐‘Ÿ. Therefore we have produced โ„Ž roots of ฮ”, one for each element of the group โ„‹. This is a contradiction! Thus we have established the first claim of ๐‘Ÿ ๐‘Ÿ the lemma, that the elements โˆ๐‘Ž=1 (๐›ผ + ๐‘Ž)๐‘’๐‘Ž with โˆ‘๐‘Ž=1 ๐‘’ ๐‘Ž โ‰ค โ„Ž โˆ’ 1 are all distinct. To get our lower bound for the size of ๐’ข, just consider all the ways of choosing a subset of [1, ๐‘Ÿ] of size at most โ„Ž โˆ’ 1โ€”in doing so, we are ๐‘Ÿ only considering ๐‘’ ๐‘Ž = 0 or 1 with โˆ‘๐‘Ž=1 ๐‘’ ๐‘Ž โ‰ค โ„Ž โˆ’ 1. Since ๐‘Ÿ โ‰ฅ โ„Ž + 1, the

152

8. The AKS Primality Test

number of such subsets is ๐‘Ÿ ๐‘Ÿ ๐‘Ÿ โ„Ž+1 โ„Ž+1 โ„Ž+1 ( ) + ( ) + ... + ( )โ‰ฅ( )+( ) + ... + ( ) 0 1 โ„Žโˆ’1 0 1 โ„Žโˆ’1 = 2โ„Ž+1 โˆ’ โ„Ž โˆ’ 2 โ‰ฅ 2โ„Ž , since โ„Ž โ‰ฅ 2. This gives the stated lower bound for |๐’ข|.

๐‘›

โ–ก

Comparing the bounds of Lemmas 8.12 and 8.13, we must have 2โ„Ž โ‰ค , which upon taking logarithms implies that

2โˆšโ„Ž

โ„Žโ‰ค(

2 2 log ๐‘›) < 9(log ๐‘›)2 . log 2

But this contradicts our lower bound โ„Ž โ‰ฅ 9(log ๐‘›)2 , completing our proof!

8.9. Exercises 1. Let ๐‘š and ๐‘› be two positive integers. Give an analysis of the running time of the Euclidean algorithm to compute (๐‘š, ๐‘›). 2. Suppose ๐‘› is a natural number, and ๐‘ is a prime factor of ๐‘› with ๐‘๐‘˜ โ€–๐‘›. Show that ๐‘๐‘˜ does not divide (๐‘›๐‘). 3. (Love in Kleptopia, C. Calderbank via Peter Winkler [28]) Jan and Maria have fallen in love (via the internet) and Jan wishes to mail her a ring. Unfortunately, they live in the country of Kleptopia where anything sent through the mail will be stolen unless it is enclosed in a padlocked box. Jan and Maria each have plenty of padlocks, but none to which the other has a key. How can Jan get the ring safely into Mariaโ€™s hands? 4. Suppose ๐‘ = 6๐‘š+1, ๐‘ž = 12๐‘š+1 and ๐‘Ÿ = 18๐‘š+1 are all prime. Show that ๐‘๐‘ž๐‘Ÿ is a Carmichael number. Find a Carmichael number different from 561, 1105, and 1729โ€”of course, feel free to use a computer! 5. In the AKS algorithm, show that it is enough to check the key identity (8.2) in Section 8.4 for ๐‘Ž up to ๐ถโˆš๐‘Ÿ log ๐‘› for a suitable constant ๐ถ. This will give a speed-up to the AKS test.

8.9. Exercises

153

6. In her work on Fermatโ€™s last theorem, Sophie Germain established a result for primes ๐‘ for which 2๐‘ + 1 is also prime. Such primes are called Sophie Germain primes. (i) If ๐‘ and โ„“ = 2๐‘ + 1 are a Sophie Germain pair, then what can you say about the possible orders of an element ๐‘› mod โ„“? (ii) It is widely believed that there are infinitely many Sophie Germain pairs. In fact, we may expect that every interval [๐‘, 2๐‘] (for say ๐‘ โ‰ฅ 106 ) contains at least โˆš๐‘ primes ๐‘ with 2๐‘+1 also being prime. Assuming this Conjecture, show that one can find a value of ๐‘Ÿ โ‰ค ๐ถ(log ๐‘›)2 (for a suitable constant ๐ถ) with the order of ๐‘› mod ๐‘Ÿ being at least 9(log ๐‘›)2 . (That is, one can improve here the upper bound for ๐‘Ÿ in Lemma 8.8.) 7. The strong pseudoprime test for a number ๐‘› and a base ๐‘Ž < ๐‘› runs as follows: (a) Check that ๐‘› is odd and coprime to ๐‘Ž. (b) Write ๐‘› โˆ’ 1 = 2๐‘Ÿ ๐‘‘ with ๐‘‘ odd. Check if ๐‘Ž๐‘‘ โ‰ก 1 mod ๐‘›, and if ๐‘— not check if ๐‘Ž2 ๐‘‘ โ‰ก โˆ’1 mod ๐‘› for some 0 โ‰ค ๐‘— โ‰ค ๐‘Ÿ โˆ’ 1. (i) If ๐‘› meets all of these checks then it could be prime or it could be composite. Prove that if it fails these checks, then ๐‘› is definitely composite. (ii) The Generalized Riemann Hypothesis (GRH) implies that if ๐‘› is composite, then it fails the strong pseudoprime test for some ๐‘Ž โ‰ค 2(log ๐‘›)2 . Give an analysis of the running time for this test (conditional on GRH). 8. (i) Let ๐‘› โ‰ฅ 1 be a natural number. Show that โˆ ๐‘ โ‰ฅ 22๐‘› (2๐‘›)โˆ’โˆš2๐‘› . ๐‘โ‰ค2๐‘›

(ii) If ๐‘› is large enough (e.g., if ๐‘› โ‰ฅ 106 , but you donโ€™t have to prove this bound) prove that there exists an odd prime ๐‘ โ‰ค 2๐‘› such that the order of 2 in (โ„ค/๐‘โ„ค)ร— is at least โŒŠโˆš2๐‘›โŒ‹.

Chapter 9

Synopsis of finite fields

In this chapter we summarize all that we have discussed about finite fields so far, and add a little bit more toward understanding them. In particular, we shall explain why all finite fields of the same size are isomorphic. Let us begin by recalling how we constructed finite fields. We started with a given field ๐”ฝ๐‘ž with ๐‘ž elements, which could for example be the concrete field ๐”ฝ๐‘ = โ„ค/๐‘โ„ค with ๐‘ elements. Then we considered the polynomial ring ๐”ฝ๐‘ž [๐‘ฅ], which is a Euclidean domain (see Example 1.49), and therefore a PID (see Proposition 1.50). Thus an irreducible polynomial ๐‘“ โˆˆ ๐”ฝ๐‘ž [๐‘ฅ] of degree ๐‘› gives rise to a maximal ideal (๐‘“) in ๐”ฝ๐‘ž [๐‘ฅ] (see Example 3.18), and the quotient ring ๐”ฝ๐‘ž [๐‘ฅ]/(๐‘“) gives a field of size ๐‘ž๐‘› (see Proposition 3.19 and Theorem 4.11). We established the existence of irreducible polynomials of degree ๐‘› by giving a formula for ๐œ‹(๐‘›; ๐”ฝ๐‘ž ), the number of monic irreducibles of degree ๐‘›. In Corollaries 4.10 and 4.20 of Chapter 4, we showed that ๐œ‹(๐‘›; ๐”ฝ๐‘ž ) = โ‰ฅ

1 โˆ‘ ๐œ‡(๐‘‘)๐‘ž๐‘›/๐‘‘ ๐‘› ๐‘‘|๐‘› 1 ๐‘› (๐‘ž โˆ’ 2(๐‘žโŒŠ๐‘›/2โŒ‹ โˆ’ 1)), ๐‘›

and so there is an irreducible of each degree ๐‘›. Given the existence of a field with size ๐‘ž, this argument shows the existence of a field of size ๐‘ž๐‘› . 155

156

9. Synopsis of finite fields

Starting with the field ๐”ฝ๐‘ž = โ„ค/๐‘โ„ค, in this manner we produced finite fields of size ๐‘๐‘› for every prime power (see Theorem 4.11). The characteristic and the additive structure. Given a field with ๐”ฝ๐‘ž with ๐‘ž elements, we consider the order of 1 in the additive group of this field. This order must be a prime number ๐‘, which is called the characteristic of the field, and every ๐›ผ โˆˆ ๐”ฝ๐‘ž satisfies ๐‘๐›ผ = (๐›ผ + ๐›ผ + . . . + ๐›ผ) = 0 (see Proposition 5.13). That is, every non-zero element of the field has order ๐‘ in the additive group. Further, the field ๐”ฝ๐‘ž must contain the field ๐”ฝ๐‘ (all the elements generated by 1 additively), and ๐”ฝ๐‘ž has the structure of a finite dimensional vector space over the field ๐”ฝ๐‘ . If ๐‘˜ is the dimension of this vector space then ๐‘ž = ๐‘๐‘˜ , and thus all finite fields have prime power size (see Theorem 5.17). Similar reasoning showed that if ๐”ฝ๐‘ž is a field of size ๐‘ž = ๐‘๐‘˜ , and ๐พ is a subfield of ๐”ฝ๐‘ž then the size of ๐พ must be ๐‘๐‘‘ for some divisor ๐‘‘ of ๐‘˜ (see Proposition 5.21). The multiplicative structure. In Section 5.4 we showed that the multiplicative group of a finite field ๐”ฝ๐‘ž is cyclic (see Theorem 5.22). By our general reasoning on cyclic groups (see Section 5.1), the multiplicative group ๐”ฝร—๐‘ž has ๐œ™(๐‘žโˆ’1) generators (see Proposition 5.6). One key fact used in our proof is that a polynomial of degree ๐‘› over a field has at most ๐‘› roots (see Lemma 4.3). In Chapter 6 we discussed the structure of the multiplicative group of reduced residues (โ„ค/๐‘›โ„ค)ร— . In particular, we showed that (โ„ค/๐‘๐‘Ž โ„ค)ร— is cyclic for odd prime powers ๐‘๐‘Ž (see Theorem 6.10). But, be careful not to confuse โ„ค/๐‘๐‘Ž โ„ค with the field with ๐‘๐‘Ž elementsโ€”for ๐‘Ž = 1 these are the same, but for ๐‘Ž โ‰ฅ 2 note that โ„ค/๐‘๐‘Ž โ„ค is not even an integral domain. Minimal polynomials. Let ๐น be a field of size ๐‘ž, and let ๐พ be a field of size ๐‘ž๐‘˜ containing ๐น. Given ๐›ผ โˆˆ ๐พ ร— in Section 7.5 we showed that ๐›ผ satisfies a polynomial relation (in ๐น[๐‘ฅ]) of degree at most ๐‘˜. Further, the set of all polynomials in ๐น[๐‘ฅ] that have ๐›ผ as a root is an ideal, generated by a unique monic irreducible polynomial ๐‘š(๐‘ฅ). The minimal polynomial is the monic polynomial of smallest degree that has ๐›ผ as a root (see Proposition 7.13). We also showed that the set ๐น[๐›ผ] consisting of all expressions of the form ๐‘Ž0 + ๐‘Ž1 ๐›ผ + . . . + ๐‘Ž๐‘› ๐›ผ๐‘› with ๐‘Ž๐‘— โˆˆ ๐น is a field, and that it is a subfield of ๐พ. Moreover this field ๐น[๐›ผ] is isomorphic to ๐น[๐‘ฅ]/(๐‘š(๐‘ฅ)). Since a

9. Synopsis of finite fields

157

subfield of ๐พ (and containing ๐น) must have size ๐‘ž๐‘‘ for some divisor ๐‘‘ of ๐‘˜, it also follows that the minimal polynomial ๐‘š(๐‘ฅ) has degree ๐‘‘ dividing ๐‘˜ (see Proposition 7.14). Taking ๐›ผ to be a generator of ๐พ ร— , we see that the finite field ๐พ is isomorphic to ๐น[๐‘ฅ]/(๐‘š(๐‘ฅ)) for some polynomial ๐‘š of degree ๐‘˜ (see Corollary 7.15). Thus our construction of finite fields captures all the possible finite fields. We have recapitulated our work so far on finite fields, and next we add a bit more to their understanding. Specifically we would like to address the following natural questions. 1. Why are all finite fields of the same size isomorphic? 2. Given a finite field ๐พ of size ๐‘๐‘˜ , what are its subfields? We know that the possible subfields must necessarily have size ๐‘๐‘‘ with ๐‘‘|๐‘˜, but do all these possibilities actually occur? How many subfields can there be of each size? 3. Every element ๐›ผ in a field of size ๐‘๐‘˜ satisfies a minimal polynomial (in ๐”ฝ๐‘ [๐‘ฅ]) of degree at most ๐‘˜. What are the other roots of this polynomial? Theorem 9.1. Let ๐น be a finite field with ๐‘ž elements, with ๐‘ž being the power of a prime ๐‘. Let ๐พ be a field containing ๐น with |๐พ| = ๐‘ž๐‘˜ . Then in ๐‘˜ ๐พ[๐‘ฅ] we can factor ๐‘ฅ๐‘ž โˆ’ ๐‘ฅ completely into linear factors: (9.1)

๐‘˜

๐‘ฅ๐‘ž โˆ’ ๐‘ฅ = โˆ (๐‘ฅ โˆ’ ๐›ผ). ๐›ผโˆˆ๐พ ๐‘˜

Further in ๐น[๐‘ฅ] we may factor ๐‘ฅ๐‘ž โˆ’ ๐‘ฅ as (9.2)

๐‘˜

๐‘ฅ๐‘ž โˆ’ ๐‘ฅ = โˆ ๐‘‘|๐‘˜

โˆ

๐‘ƒ(๐‘ฅ),

๐‘ƒ deg(๐‘ƒ)=๐‘‘

where the product is over all monic irreducible polynomials ๐‘ƒ โˆˆ ๐น[๐‘ฅ] of degree ๐‘‘. Proof. The first equation, (9.1), simply encodes that all elements ๐›ผ โˆˆ ๐พ ๐‘˜ satisfy ๐›ผ๐‘ž โˆ’ ๐›ผ = 0 (see Corollary 5.10), so that they are all roots of ๐‘˜ ๐‘ฅ๐‘ž โˆ’ ๐‘ฅ. Since this polynomial has degree ๐‘ž๐‘˜ , these are all the roots of the polynomial, and the factorization follows.

158

9. Synopsis of finite fields

To show the second part, we will establish that the right side of (9.2) also has every element ๐›ผ โˆˆ ๐พ as a root. Since the right side of (9.2) is monic, and has degree โˆ‘๐‘‘|๐‘˜ ๐‘‘๐œ‹(๐‘‘; ๐น) = ๐‘ž๐‘˜ by Theorem 4.9, the desired conclusion (9.2) would follow. Every ๐›ผ โˆˆ ๐พ satisfies a minimal polynomial (in ๐น[๐‘ฅ]), which is irreducible of degree ๐‘‘ dividing ๐‘˜. Therefore there is a monic irreducible ๐‘ƒ โˆˆ ๐น[๐‘ฅ] of degree ๐‘‘ dividing ๐‘˜ for which ๐›ผ is a root. In other words, every element of ๐พ is a root of the right side of (9.2), and the theorem has been established. โ–ก Recall that in our proof of Theorem 4.9 (see in particular (4.4) of Lemma 4.13), a crucial step was to identify the degree of the right side of (9.2) as being ๐‘ž๐‘˜ . We have now added a little more to that proof, by recognizing what polynomial this is. We are now ready to answer our first two questions. Corollary 9.2. All finite fields of size ๐‘ž = ๐‘๐‘˜ are isomorphic to each otherโ€”in other words, up to isomorphism there is only one finite field of each prime power order. Further, the finite field ๐พ of size ๐‘ž = ๐‘๐‘˜ contains subfields of size ๐‘๐‘‘ for each divisor ๐‘‘ of ๐‘˜. In fact, ๐พ contains a unique subfield of size ๐‘๐‘‘ for each divisor ๐‘‘ of ๐‘˜, namely the set of ๐‘๐‘‘ solutions to ๐‘‘ the equation ๐‘ฅ๐‘ โˆ’ ๐‘ฅ = 0. Proof. Let ๐พ be a finite field with ๐‘ž = ๐‘๐‘˜ elements, so that ๐พ contains the field ๐น = ๐”ฝ๐‘ with ๐‘ elements. By Theorem 9.1 we know that every monic irreducible polynomial ๐‘ƒ โˆˆ ๐”ฝ๐‘ [๐‘ฅ] with degree ๐‘‘ dividing ๐‘˜ has a root ๐›ผ in ๐พ. Clearly the minimal polynomial for ๐›ผ (in ๐”ฝ๐‘ [๐‘ฅ]) is the polynomial ๐‘ƒ (because the minimal polynomial for ๐›ผ must divide ๐‘ƒ, which is irreducible), and the field ๐”ฝ๐‘ [๐›ผ] is a subfield of ๐น with size ๐‘๐‘‘ . This proves our second assertion that ๐พ contains a subfield of size ๐‘๐‘‘ for every divisor ๐‘‘ of ๐‘˜. If ๐ฟ is a subfield of ๐น with size ๐‘๐‘‘ , then every element of ๐ฟ satisfies ๐‘‘ the equation ๐‘ฅ|๐ฟ| โˆ’ ๐‘ฅ = ๐‘ฅ๐‘ โˆ’ ๐‘ฅ = 0. Since this equation cannot have more than ๐‘๐‘‘ solutions in ๐พ, the field ๐ฟ is unique and consists of all the solutions in ๐พ to this equation. This proves our third assertion. For the first assertion, we restrict attention to monic irreducibles in ๐”ฝ๐‘ [๐‘ฅ] of degree ๐‘˜. If ๐›ผ โˆˆ ๐พ is a root of such a polynomial then ๐”ฝ๐‘ [๐›ผ] must be the same as ๐พ (since ๐”ฝ๐‘ [๐›ผ] is clearly contained in ๐พ, and has the same

9. Synopsis of finite fields

159

size as ๐พ). We discussed in Section 7.5 (see Corollary 7.15) why ๐”ฝ๐‘ [๐›ผ] is isomorphic to ๐”ฝ๐‘ [๐‘ฅ]/(๐‘ƒ(๐‘ฅ)). Thus ๐พ is isomorphic to all fields of the form ๐”ฝ๐‘ [๐‘ฅ]/(๐‘ƒ(๐‘ฅ)) for all irreducibles of degree ๐‘˜. Since these exhaust all the ways of creating finite fields, all finite fields of a given size are isomorphic to each other. โ–ก Example 9.3. There is a very strong sense in which there is only one field of size ๐‘. Namely, if ๐น is a field of size ๐‘, then the multiplicative identity 1 in ๐น has additive order ๐‘, and the elements of ๐น are simply the elements 1, 1 + 1, . . ., ๐‘ ร— 1 = 0. As we have remarked earlier, this sets up an isomorphism between ๐น and ๐”ฝ๐‘ = โ„ค/๐‘โ„ค, with the multiplicative identity 1 โˆˆ ๐น being identified with the multiplicative identity 1 mod ๐‘ in โ„ค/๐‘โ„ค. In short, there is no choice at all in how we make this isomorphism between ๐น and ๐”ฝ๐‘ . The situation for prime power orders is different, and there can be many different isomorphisms among fields. For example, Exercise 14 from Chapter 5 asks you to show that if ๐”ฝ is a finite field with characteristic ๐‘ then the map ๐œ“ โˆถ ๐”ฝ โ†’ ๐”ฝ given by ๐œ“(๐›ผ) = ๐›ผ๐‘ is an isomorphism of fields. Isomorphisms of a field to itself are also known as automorphisms. You can get more such automorphisms by iterating this map ๐œ“. Exercise 15 from Chapter 5 gives a concrete example of this for the field โ„ค[๐‘–]/(๐‘) when ๐‘ โ‰ก 3 mod 4. Here the map ๐œ“ takes an element ๐‘Ž + ๐‘๐‘– โˆˆ โ„ค[๐‘–]/(๐‘) to its โ€œconjugateโ€ ๐‘Ž โˆ’ ๐‘๐‘–, and this map is a field isomorphism. Hereโ€™s one way to appreciate what Theorem 9.1 and Corollary 9.2 tell us. Take an irreducible polynomial ๐‘ƒ of degree ๐‘˜ and construct the finite field ๐”ฝ๐‘ [๐‘ฅ]/(๐‘ƒ(๐‘ฅ)). Then in this field any other irreducible polynomial of degree ๐‘˜ that you select will also have roots! In fact, every irreducible polynomial of degree ๐‘˜ will factor completely into linear polynomials in your fieldโ€”that is, will have exactly ๐‘˜ roots. Our third question asks for information about these other roots. Theorem 9.4. Let ๐พ be a field with ๐‘ž elements, with ๐‘ž = ๐‘๐‘˜ . Let ๐‘“ โˆˆ ๐”ฝ๐‘ [๐‘ฅ] be an irreducible polynomial with degree ๐‘‘|๐‘˜. Then ๐‘“ has a root ๐›ผ โˆˆ ๐พ, and there are ๐‘‘ distinct roots of ๐‘“ in ๐พ which are given by 0

2

๐‘‘โˆ’1

๐›ผ = ๐›ผ ๐‘ , ๐›ผ ๐‘ , ๐›ผ ๐‘ , . . . , ๐›ผ๐‘

.

160

9. Synopsis of finite fields

Proof. If ๐›ผ = 0, then the polynomial ๐‘“ is simply ๐‘ฅ of degree 1, and there is nothing to prove. Suppose then that ๐›ผ โ‰  0 below. Exercise 2 below asks you to show that if ๐‘“ โˆˆ ๐”ฝ๐‘ [๐‘ฅ] then ๐‘“(๐‘ฅ)๐‘ = 2 ๐‘“(๐‘ฅ๐‘ ). So if ๐‘“ has a root ๐›ผ โˆˆ ๐พ, then ๐›ผ๐‘ , ๐›ผ๐‘ , . . . are also roots of ๐‘“. Now if ๐‘“ is irreducible of degree ๐‘‘, then from our work in Theorem 9.1 and Corollary 9.2, we know that ๐‘“ has a root ๐›ผ in ๐พ. Moreover ๐‘“ is the minimal polynomial (in ๐”ฝ๐‘ [๐‘ฅ]) for ๐›ผ, and the field ๐”ฝ๐‘ [๐›ผ] has size ๐‘๐‘‘ and ๐‘‘

is a subfield of ๐พ. In particular ๐›ผ๐‘ = ๐›ผ, and therefore the multiplicative order of ๐›ผ is a divisor of ๐‘๐‘‘ โˆ’ 1. ๐‘‘โˆ’1

We claim that ๐›ผ, ๐›ผ๐‘ , . . ., ๐›ผ๐‘ are all distinct, in which case they ๐‘— ๐‘– would be all the roots of ๐‘“. If not, then some ๐›ผ๐‘ must equal ๐›ผ๐‘ , with say ๐‘— = ๐‘– + โ„“ with 1 โ‰ค โ„“ < ๐‘‘. Then ๐‘–

โ„“ โˆ’1)

๐›ผ๐‘ (๐‘

=1

so that the order of ๐›ผ must divide ๐‘๐‘– (๐‘โ„“ โˆ’1). Since we know that the order โ„“ of ๐›ผ divides ๐‘๐‘‘ โˆ’ 1, and thus is coprime to ๐‘, we must have ๐›ผ๐‘ โˆ’1 = 1. That is, the order of ๐›ผ must divide ๐‘โ„“ โˆ’ 1, as well as ๐‘๐‘‘ โˆ’ 1, which forces (โ„“,๐‘‘) (by Exercise 3 below) the order to divide ๐‘(โ„“,๐‘‘) โˆ’ 1. But then ๐›ผ๐‘ = (โ„“,๐‘‘) ๐›ผ, and (as in Corollary 9.2) ๐”ฝ๐‘ [๐›ผ] would be the subfield of ๐พ size ๐‘ (โ„“,๐‘‘)

โˆ’ ๐‘ฅ = 0. Therefore, all the given as the solutions to the equation ๐‘ฅ๐‘ ๐‘๐‘– elements ๐›ผ for 0 โ‰ค ๐‘– โ‰ค ๐‘‘ โˆ’ 1 are distinct, and the theorem follows. โ–ก Given a field ๐พ with ๐‘ž = ๐‘๐‘˜ elements, we noted earlier that if ๐›ผ is a generator of ๐พ ร— then the minimal polynomial of ๐›ผ (in ๐”ฝ๐‘ [๐‘ฅ]) has degree ๐‘˜, and ๐พ = ๐”ฝ๐‘ [๐›ผ]. But there we left open what happens for other elements ๐›ผ โˆˆ ๐พ ร— . We can now answer that question. Corollary 9.5. Let ๐พ be a field with ๐‘ž = ๐‘๐‘˜ elements. Let ๐›ผ โˆˆ ๐พ ร— be an element of order โ„“. Let ๐‘‘ denote the order of ๐‘ mod โ„“. Then the minimal polynomial of ๐›ผ (in ๐”ฝ๐‘ [๐‘ฅ]) has degree ๐‘‘. Proof. Suppose the minimal polynomial for ๐›ผ has degree ๐‘Ÿ. Then ๐”ฝ๐‘ [๐›ผ] has size ๐‘๐‘Ÿ , and therefore โ„“ must divide ๐‘๐‘Ÿ โˆ’ 1. Since ๐‘‘ is the order of ๐‘ modulo โ„“, it follows that ๐‘‘ must divide ๐‘Ÿ, so that ๐‘‘ โ‰ค ๐‘Ÿ. On the other hand, the roots of the minimal polynomial are (by The2 ๐‘Ÿโˆ’1 orem 9.4) given by ๐›ผ, ๐›ผ๐‘ , ๐›ผ๐‘ , . . ., ๐›ผ๐‘ and these must all be distinct. But

9.1. Exercises

161

๐‘‘

๐›ผ๐‘ = ๐›ผ (since โ„“|(๐‘๐‘‘ โˆ’ 1)), and so we must have ๐‘Ÿ โ‰ค ๐‘‘. Thus ๐‘Ÿ = ๐‘‘, as claimed. โ–ก Definition 9.6. A monic irreducible polynomial ๐‘“(๐‘ฅ) โˆˆ ๐”ฝ๐‘ [๐‘ฅ] is called a primitive polynomial if ๐‘ฅ generates the multiplicative group in the field ๐”ฝ๐‘ [๐‘ฅ]/(๐‘“(๐‘ฅ)). Corollary 9.7. There are ๐œ™(๐‘๐‘˜ โˆ’ 1)/๐‘˜ primitive polynomials of degree ๐‘˜. Recall that Exercise 4 of Chapter 5 asked you to prove that ๐‘˜ divides ๐œ™(๐‘Ž๐‘˜ โˆ’ 1) for any two positive integers ๐‘˜ and ๐‘Ž โ‰ฅ 2. Proof. Take a field ๐”ฝ๐‘ž with size ๐‘๐‘˜ . The cyclic group ๐”ฝร—๐‘ž has ๐œ™(๐‘žโˆ’1) generators. Primitive polynomials are the same as minimal polynomials of 2 ๐‘˜ these generators. If ๐›ผ is a generator, then so are ๐›ผ๐‘ , ๐›ผ๐‘ , . . ., ๐›ผ๐‘ = ๐›ผ, and these are all the roots of the minimal polynomial for ๐›ผ. So each primitive polynomial corresponds to ๐‘˜ generators of ๐”ฝร—๐‘ž , and the corollary follows. โ–ก Primitive polynomials are of interest in coding theory, where finite fields are of great use. We give a small taste of an error correcting Hamming code in Exercise 6 below, and refer you to [7] for a friendly introduction. Some of the material we have touched upon in our discussion here (Example 9.3 and Theorem 9.4) is related to Galois theory, and the finite fields ๐”ฝ๐‘ž are also sometimes called Galois fields and denoted by ๐บ๐น(๐‘ž). For a lucid treatment of Galois theory as well as an elaboration of many of the topics in algebra that we have touched upon, see [6].

9.1. Exercises 1. Prove the following statements from scratch, without appealing to Theorem 9.1. (i) Let ๐”ฝ๐‘ž be a finite field with ๐‘ž = ๐‘๐‘˜ elements. Let ๐›ผ be an element of and let ๐‘š(๐‘ฅ) โˆˆ ๐”ฝ๐‘ [๐‘ฅ] be the minimal polynomial for ๐›ผ. Show that in the ring ๐”ฝ๐‘ [๐‘ฅ] ๐‘š(๐‘ฅ)|(๐‘ฅ๐‘žโˆ’1 โˆ’ 1). ๐”ฝร—๐‘ž

(ii) Let โ„Ž(๐‘ฅ) โˆˆ ๐”ฝ๐‘ [๐‘ฅ] be an irreducible polynomial of degree ๐‘‘. Show ๐‘‘

that โ„Ž(๐‘ฅ) divides ๐‘ฅ๐‘ โˆ’ ๐‘ฅ. (iii) If ๐‘‘|๐‘˜ show that ๐‘๐‘‘ โˆ’ 1 divides ๐‘๐‘˜ โˆ’ 1.

162

9. Synopsis of finite fields (iv) Let ๐‘ƒ(๐‘ฅ) โˆˆ ๐”ฝ๐‘ [๐‘ฅ] be an irreducible polynomial of degree ๐‘‘ with ๐‘˜

๐‘‘|๐‘˜. Show that ๐‘ƒ(๐‘ฅ) divides ๐‘ฅ๐‘ โˆ’ ๐‘ฅ. 2. Let ๐‘ž = ๐‘๐‘˜ be a prime power. (i) Let ๐‘“ โˆˆ ๐”ฝ๐‘ž [๐‘ฅ] be a polynomial. Show that ๐‘“(๐‘ฅ)๐‘ž = ๐‘“(๐‘ฅ๐‘ž ). (ii) Let ๐‘“ โˆˆ ๐”ฝ๐‘ [๐‘ฅ] be a polynomial, and suppose ๐›ผ โˆˆ ๐”ฝ๐‘ž is a root of ๐‘“. Show that ๐›ผ๐‘ is also a root of ๐‘“. 3. (i) Let ๐‘ be a prime, and ๐‘š and ๐‘› be natural numbers. Show that the gcd of ๐‘๐‘š โˆ’ 1 and ๐‘๐‘› โˆ’ 1 equals ๐‘(๐‘š,๐‘›) โˆ’ 1. (ii) Suppose ๐‘š and ๐‘› are natural numbers, and consider the polynomials ๐‘ฅ๐‘š โˆ’ 1 and ๐‘ฅ๐‘› โˆ’ 1 in ๐”ฝ๐‘ [๐‘ฅ]. Suppose that an irreducible ๐‘“ divides both ๐‘ฅ๐‘š โˆ’ 1 and ๐‘ฅ๐‘› โˆ’ 1. Show that ๐‘“ divides ๐‘ฅ(๐‘š,๐‘›) โˆ’ 1. 4. Take two different monic irreducible polynomials of degree 2 in ๐”ฝ7 [๐‘ฅ], say ๐‘“ and ๐‘”. Use these two polynomials to construct two fields of size 49: thus, ๐น1 = ๐”ฝ7 [๐‘ฅ]/(๐‘“(๐‘ฅ)) and ๐น2 = ๐”ฝ7 [๐‘ฅ]/(๐‘”(๐‘ฅ)). Exhibit explicitly an isomorphism between these fields. That is, construct a bijection ๐œ™ โˆถ ๐น1 โ†’ ๐น2 such that ๐œ™(๐‘Ž + ๐‘) = ๐œ™(๐‘Ž) + ๐œ™(๐‘) and ๐œ™(๐‘Ž๐‘) = ๐œ™(๐‘Ž)๐œ™(๐‘) holds for all ๐‘Ž and ๐‘ in ๐น1 . 5. Let ๐น be a finite field with ๐‘ž = ๐‘๐‘˜ elements. Let ๐›ผ be an element of ๐น, and let ๐‘‘ be a divisor of ๐‘˜. Show that ๐‘‘

๐›ผ๐‘ + ๐›ผ๐‘

2๐‘‘

+ . . . + ๐›ผ๐‘

๐‘˜

lies in the subfield of ๐น with ๐‘๐‘‘ elements. 6. Let ๐‘› โ‰ฅ 2 be a natural number, and put ๐‘ = 2๐‘› โˆ’ 1. Let ๐น be a field with 2๐‘› elements. (i) Show that there is a monic irreducible polynomial โ„Ž โˆˆ ๐”ฝ2 [๐‘ฅ] of degree ๐‘› with a root ๐›ผ โˆˆ ๐น such that ๐›ผ generates the multiplicative group ๐นร—. (ii) Consider the set of multiples of โ„Ž of degree at most ๐‘ โˆ’ 1: thus ๐’ฎ = {๐‘“ โˆˆ ๐”ฝ2 [๐‘ฅ] โˆถ degree(๐‘“) โ‰ค ๐‘ โˆ’ 1, โ„Ž(๐‘ฅ)|๐‘“(๐‘ฅ)}. (Here ๐’ฎ will be taken to include the zero polynomial.) Show that |๐’ฎ| = 2๐‘โˆ’๐‘› .

9.1. Exercises

163

(iii) If ๐‘Ž(๐‘ฅ) = ๐‘Ž0 + ๐‘Ž1 ๐‘ฅ + . . . + ๐‘Ž๐‘โˆ’1 ๐‘ฅ๐‘โˆ’1 and ๐‘(๐‘ฅ) = ๐‘0 + ๐‘1 ๐‘ฅ + . . . + ๐‘๐‘โˆ’1 ๐‘ฅ๐‘โˆ’1 are two distinct polynomials in ๐’ฎ, then show that there must be at least three values of 0 โ‰ค ๐‘– โ‰ค ๐‘ โˆ’ 1 with ๐‘Ž๐‘– โ‰  ๐‘๐‘– . Remark: This is one way to get a Hamming code. 7. Let ๐‘“(๐‘ฅ) = ๐‘ฅ3 + ๐‘Ž๐‘ฅ2 + ๐‘๐‘ฅ + ๐‘ be an irreducible polynomial in ๐”ฝ๐‘ [๐‘ฅ]. Let ๐น be a field of size ๐‘3 . (i) Explain why ๐‘“ has a root in the field ๐น. (ii) Let ๐›ผ be a root of ๐‘“ in ๐น. Prove that 2

2

๐‘ = ๐›ผ1+๐‘ + ๐›ผ1+๐‘ + ๐›ผ๐‘+๐‘ .

Bibliography

[1] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena, PRIMES is in P, Ann. of Math. (2) 160 (2004), no. 2, 781โ€“793, DOI 10.4007/annals.2004.160.781. MR2123939 [2] W. R. Alford, Andrew Granville, and Carl Pomerance, There are infinitely many Carmichael numbers, Ann. of Math. (2) 139 (1994), no. 3, 703โ€“722, DOI 10.2307/2118576. MR1283874 [3] Jรณzsef Balogh, Zoltรกn Fรผredi, and Souktik Roy, An upper bound on the size of Sidon sets, 2021. [4] Jonathan W. Bober, Factorial ratios, hypergeometric series, and a family of step functions, J. Lond. Math. Soc. (2) 79 (2009), no. 2, 422โ€“ 444, DOI 10.1112/jlms/jdn078. MR2496522 [5] Persi Diaconis and Ron Graham, Magical mathematics, Princeton University Press, Princeton, NJ, 2012. The mathematical ideas that animate great magic tricks; With a foreword by Martin Gardner. MR2858033 [6] David S. Dummit and Richard M. Foote, Abstract algebra, 3rd ed., John Wiley & Sons, Inc., Hoboken, NJ, 2004. MR2286236 [7] Paul Garrett, The mathematics of coding theory, Pearson Prentice Hall, Upper Saddle River, NJ, 2004. Information, compression, error correction, and finite fields. MR2235369 [8] Daniel M. Gordon, On difference sets with small ๐œ†, J. Algebraic Combin. 55 (2022), no. 1, 109โ€“115, DOI 10.1007/s10801-020-00992-x. MR4382628 165

166

Bibliography

[9] W. T. Gowers, Probabilistic combinatorics and the recent work of Peter Keevash, Bull. Amer. Math. Soc. (N.S.) 54 (2017), no. 1, 107โ€“116, DOI 10.1090/bull/1553. MR3584100 [10] Andrew Granville, It is easy to determine whether a given integer is prime, Bull. Amer. Math. Soc. (N.S.) 42 (2005), no. 1, 3โ€“38, DOI 10.1090/S0273-0979-04-01037-7. MR2115065 [11] Andrew Granville, Using dynamical systems to construct infinitely many primes, Amer. Math. Monthly 125 (2018), no. 6, 483โ€“496, DOI 10.1080/00029890.2018.1447732. MR3806263 [12] Heini Halberstam and Klaus Friedrich Roth, Sequences, 2nd ed., Springer-Verlag, New York-Berlin, 1983. MR687978 [13] Malcolm Harper, โ„ค[โˆš14] is Euclidean, Canad. J. Math. 56 (2004), no. 1, 55โ€“70, DOI 10.4153/CJM-2004-003-9. MR2031122 [14] David Harvey and Joris van der Hoeven, Integer multiplication in time ๐‘‚(๐‘› log ๐‘›), Ann. of Math. (2) 193 (2021), no. 2, 563โ€“617, DOI 10.4007/annals.2021.193.2.4. MR4224716 [15] Gil Kalai, Designs exist! [after Peter Keevash], Astรฉrisque 380, Sรฉminaire Bourbaki. Vol. 2014/2015 (2016), Exp. No. 1100, 399โ€“422. MR3522180 [16] C. W. H. Lam, The search for a finite projective plane of order 10, Amer. Math. Monthly 98 (1991), no. 4, 305โ€“318, DOI 10.2307/2323798. MR1103185 [17] Daniel A. Marcus, Number fields, Universitext, Springer, Cham, 2018. Second edition of [ MR0457396]; With a foreword by Barry Mazur, DOI 10.1007/978-3-319-90233-3. MR3822326 [18] Barry Mazur and William Stein, Prime numbers and the Riemann hypothesis, Cambridge University Press, Cambridge, 2016, DOI 10.1017/CBO9781316182277. MR3616260 [19] Hugh L. Montgomery, Ten lectures on the interface between analytic number theory and harmonic analysis, CBMS Regional Conference Series in Mathematics, vol. 84, Published for the Conference Board of the Mathematical Sciences, Washington, DC; by the American Mathematical Society, Providence, RI, 1994, DOI 10.1090/cbms/084. MR1297543 [20] M. Nair, On Chebyshev-type inequalities for primes, Amer. Math. Monthly 89 (1982), no. 2, 126โ€“129, DOI 10.2307/2320934. MR643279

Bibliography

167

[21] Ivan Niven, Herbert S. Zuckerman, and Hugh L. Montgomery, An introduction to the theory of numbers, 5th ed., John Wiley & Sons, Inc., New York, 1991. MR1083765 [22] Kevin Oโ€™Bryant, A complete annotated bibliography of work related to Sidon sequences, Electron. J. Combin. DS11 (2004), no. Dynamic Surveys, 39. MR4336213 [23] Sarah Peluse, An asymptotic version of the prime power conjecture for perfect difference sets, Math. Ann. 380 (2021), no. 3-4, 1387โ€“1425, DOI 10.1007/s00208-021-02188-5. MR4297189 [24] Carl Pomerance, A tale of two sieves, Notices Amer. Math. Soc. 43 (1996), no. 12, 1473โ€“1485. MR1416721 [25] Peter W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput. 26 (1997), no. 5, 1484โ€“1509, DOI 10.1137/S0097539795293172. MR1471990 [26] K. Soundararajan, Integral factorial ratios, Duke Math. J. 171 (2022), no. 3, 633โ€“672, DOI 10.1215/00127094-2021-0017. MR4383251 [27] Gรฉrald Tenenbaum and Michel Mendรจs France, The prime numbers and their distribution, Student Mathematical Library, vol. 6, American Mathematical Society, Providence, RI, 2000. Translated from the 1997 French original by Philip G. Spain, DOI 10.1090/stml/006. MR1756233 [28] Peter Winkler, Mathematical puzzles: a connoisseurโ€™s collection, A K Peters, Ltd., Natick, MA, 2004. MR2034896

Index

abelian, 2 AKS algorithm, 137 arithmetic function, 81 associates, 10

Dirichlet convolution, 81 discrete logarithm problem, 139 divisibility, 9 division algorithm, 17

Bertrandโ€™s postulate, 32 binary operation, 1 binomial coefficients, 33 birthday problem, 114

equivalence class, 46 equivalence relation, 46 Euclidean algorithm, 21 Euclidean domain, 17 Eulerโ€™s theorem, 89 Eulerโ€™s totient function, 49

Carmichael numbers, 141 Cauchyโ€“Schwarz inequality, 119 characteristic of a field, 83, 92 characteristic zero, 92 Chinese Remainder Theorem, 99 comaximal ideals, 102 common divisor, 13 completely multiplicative function, 81 composite number, 41 congruence class, 46 congruences, 5 coprime, 49 coset, 87 cyclic group, 3, 49, 83 De Bruijn sequence, 126 degree of a polynomial, 7 design, 115 Diffieโ€“Hellman key exchange, 140 direct product of groups, 94 direct product of rings, 100

factoring, 138 Fano plane, 115 Fermatโ€™s little theorem, 89 field, 1, 8 field of fractions, 9 finite characteristic, 92 finite projective plane, 115 Fundamental Theorem of Algebra, 65 Fundamental Theorem of Arithmetic, 27 Gaussian integers, 1 generator of a group, 86 greatest common divisor, 13 group, 1 harmonic sum, 30 ideal, 12

169

170

Index

integral domain, 6, 7 irreducible, 11 isomorphism, 83 isomorphism of fields, 90 isomorphism of groups, 84 isomorphism of rings, 90

square-free number, 75 strong pseudoprime, 141 subfield, 92

Lagrangeโ€™s theorem, 87

variance, 118 vector space, 83, 93

maximal ideal, 53 mean, 118 minimal polynomial, 125 moments, 118 monic polynomial, 65 multiplicative function, 75 Mรถbius function, 75 Mรถbius inversion formula, 74 Noetherian ring, 17 normal subgroup, 88 order of an element, 86 partition into equivalence classes, 47 perfect difference set, 114 polynomial ring, 5 polynomial time algorithm, 136 polynomials, 1 primality testing, 140 prime, 11 prime ideal, 52 prime number theorem, 40 primitive polynomial, 161 principal ideal, 12 principal ideal domain (PID), 12 pseudoprime, 140 public key cryptosystem, 138 quotient ring, 45 rapid algorithm, 136 rational functions, 9 reduced residue class, 49 repeated squaring, 139 residue class, 48 Riemann hypothesis, 40 ring, 1, 4 root of a polynomial, 64 Sidon set, 111

unique factorization domain (UFD), 15 units, 8

Wilsonโ€™s theorem, 50 zero divisor, 6 zero ring, 4

Selected Published Titles in This Series 99 Kannan Soundararajan, Finite Fields, with Applications to Combinatorics, 2022 98 Gregory F. Lawler, Random Explorations, 2022 97 Anthony Bonato, An Invitation to Pursuit-Evasion Games and Graph Theory, 2022 96 Hilยด ario Alencar, Walcy Santos, and Gregยด orio Silva Neto, Di๏ฌ€erential Geometry of Plane Curves, 2022 95 Jยจ org Bewersdor๏ฌ€, Galois Theory for Beginners: A Historical Perspective, Second Edition, 2021 94 James Bisgard, Analysis and Linear Algebra: The Singular Value Decomposition and Applications, 2021 93 Iva Stavrov, Curvature of Space and Time, with an Introduction to Geometric Analysis, 2020 92 Roger Plymen, The Great Prime Number Race, 2020 91 Eric S. Egge, An Introduction to Symmetric Functions and Their Combinatorics, 2019 90 Nicholas A. Scoville, Discrete Morse Theory, 2019 89 Martin Hils and Franยธ cois Loeser, A First Journey through Logic, 2019 88 M. Ram Murty and Brandon Fodden, Hilbertโ€™s Tenth Problem, 2019 87 Matthew Katz and Jan Reimann, An Introduction to Ramsey Theory, 2018 86 Peter Frankl and Norihide Tokushige, Extremal Problems for Finite Sets, 2018 85 Joel H. Shapiro, Volterra Adventures, 2018 84 Paul Pollack, A Conversational Introduction to Algebraic Number Theory, 2017 83 Thomas R. Shemanske, Modern Cryptography and Elliptic Curves, 2017 82 A. R. Wadsworth, Problems in Abstract Algebra, 2017 81 Vaughn Climenhaga and Anatole Katok, From Groups to Geometry and Back, 2017 80 Matt DeVos and Deborah A. Kent, Game Theory, 2016 79 Kristopher Tapp, Matrix Groups for Undergraduates, Second Edition, 2016 78 Gail S. Nelson, A User-Friendly Introduction to Lebesgue Measure and Integration, 2015 77 Wolfgang Kยจ uhnel, Di๏ฌ€erential Geometry: Curves โ€” Surfaces โ€” Manifolds, Third Edition, 2015

For a complete list of titles in this series, visit the AMS Bookstore at www.ams.org/bookstore/stmlseries/.

This book uses finite field theory as a hook to introduce the reader to a range of ideas from algebra and number theory. It constructs all finite fields from scratch and shows that they are unique up to isomorphism. As a payoff, several combinatorial applications of finite fields are given: Sidon sets and perfect difference sets, de Bruijn sequences and a magic trick of Persi Diaconis, and the polynomial time algorithm for primality testing due to Agrawal, Kayal and Saxena. The book forms the basis for a one term intensive course with students meeting weekly for multiple lectures and a discussion session. Readers can expect to develop familiarity with ideas in algebra (groups, rings and fields), and elementary number theory, which would help with later classes where these are developed in greater detail. And they will enjoy seeing the AKS primality test application tying together the many disparate topics from the book. The pre-requisites for reading this book are minimal: familiarity with proof writing, some linear algebra, and one variable calculus is assumed. This book is aimed at incoming undergraduate students with a strong interest in mathematics or computer science.

For additional information and updates on this book, visit www.ams.org/bookpages/stml-99

STML/99