ma3a6 algebraic number theory - university of warwick€¦ · this is a module about algebraic...

MA3A6 Algebraic Number Theory

David Loeffler

Term 2, 2014–15

Chapter 0

Introduction

Lecture1

0.1 What is this module about?

This is a module about algebraic number fields. An algebraic number field is a special kind of field, whichcontains the rational numbers Q, but is a little bit bigger. We’ll give a formal definition soon enough, but agood example to bear in mind is the Gaussian field

Q(i) = {a + bi : a, b ∈ Q},

which comes with its subring of Gaussian integers

Z[i] = {a + bi : a, b ∈ Z}.

Exercise. Why is the Gaussian field a field? (Most of the axioms are straightforward, but why is it closedunder inverses?)

In Algebra 2 you saw that Z[i] was a unique factorization domain, and you used this to show that any primenumber p = 1 mod 4 could be written as the sum of two squares,

p = x2 + y2.

So rings like Z[i] have some interesting structure; and they tell us new things about Z.

0.2 Logistics

• There will be 4 problem sheets, which will be distributed as we go along. These count for 15% of yourgrade. The deadlines will be

– Sheet 1: distributed Thursday, week 2; deadline 3pm Monday, week 4.




• Weekly office hour: Tuesdays 13.30–14.30, Zeeman B1.25.

• Support classes with Heline Deconinck: Fridays 11–12, MS.04, from week 2 onwards.

1

• Books: see list on Undergraduate Handbook page. The main reference is Stewart & Tall, which is alsoprobably the friendliest of the books on the list; Swinnerton-Dyer’s book is harder going, but was thebook which inspired me to become a number theorist.

• Most of you have done Galois theory, and about half of you are doing Commutative Algebra.

2

Chapter 1

Algebraic number fields

1.1 Extensions of fields

Notation 1.1.1. Let K and L be fields. If K is a subfield of L, we say L is a field extension of K, and we write L | K.

For instance, C | Q is a field extension, as is C | R.

Definition 1.1.2. Let L | K be a field extension, and let α ∈ L. We say α is algebraic over K if there exists a nonzeropolynomial g ∈ K[X] such that g(α) = 0.

Example 1.1.3. In the extension C | R, the element iπ is algebraic over R (it’s a root of X2 + π2). However, itis not algebraic over Q.

Proposition 1.1.4. Let α be algebraic over K. Then there is a unique polynomial f ∈ K[X] such that f (α) = 0 andf is irreducible and monic (its leading coefficient is 1). We call this the minimal polynomial of f over K.

Proof. Recall from Algebra 2 the concept of an ideal and a principal ideal. The set I ⊂ K[X] of polynomialsg such that g(α) = 0 is an ideal of K[X]; the ring K[X] is a Euclidean domain, so every ideal of this ring isprincipal, i.e. consists of the multiples of some polynomial f (which we can assume is monic, by multiplyingit by an element of K× if necessary).

To see that f is irreducible, we suppose that we can write f = gh. Then g(α)h(α) = 0; since L is a field, wemust have either g(α) = 0 or h(α) = 0, and thus at least one of g and h is in I. So f divides one of g and h,WLOG g. Since g also divides f , we have deg(g) = deg( f ) and hence h is constant. Thus f is irreducible.

Remark. For Commutative Algebra students: a slightly posher way of stating the last part is that I is thekernel of the homomorphism

K[X]→ L g 7→ g(α).

L is an integral domain (being a field); the kernel of a homomorphism to an integral domain is a prime ideal;and a generator of a principal prime ideal is a prime element, and hence must be irreducible.

Definition 1.1.5. Let L | K be an extension. We say L | K is algebraic if every α ∈ L is algebraic over K. We sayL | K is finite if L has finite dimension as a K-vector space.

Example 1.1.6. The extension C | R is finite (of degree 2), since {1, i} is a basis of C over R. It is also algebraic,because every a + bi ∈ C satisfies the polynomial (X− a)2 + b2 = X2 − 2aX + (a2 + b2) ∈ R[X].

Notation 1.1.7. If L | K is finite, we define the degree [L : K] to be the dimension of L as a K-vector space.

3

Example 1.1.8. Let α = i +√

2 ∈ C. But α is also algebraic over Q: we have

α−√

2 = i⇒ α2 − 2√

2α + 2 = −1

⇒ α2 + 3 = 2√

2α

⇒ (α2 + 3)2 = 8α2

⇒ α4 − 2α2 + 9 = 0.

We’ll see later that X4 − 2X2 + 9 is irreducible in Q[X], so it is the minimal polynomial of α over Q. Lecture2On the other hand, the minimal polynomial of α over R is X2 − 2

√2X + 3, by the previous example. This

shows that the minimal polynomial of α over K really depends on which K we use!

Remark. I forgot to point out in the last lecture that in Proposition 1.1.4, the minimal polynomial f of α overK has the property that any polynomial g ∈ K[X] such that g(α) = 0 is necessarily a multiple of f . This isclear from the proof. We’ll use this fact a lot, so make sure it’s in your notes!

Proposition 1.1.9. Let L | K be a field extension. An element α ∈ L is algebraic over K if and only if there exists afinite extension of K inside L which contains α.

(In particular, any finite extension is algebraic, and any algebraic extension is a union of finite extensions.There are algebraic extensions which aren’t finite, as we’ll see later.)

Proof. Firstly, let’s prove the “if” part. It suffices to show that if L | K is a finite extension and α ∈ L, then α isalgebraic. Suppose [L : K] = d < ∞. Then the powers 1, α, α2, . . . , αd are d + 1 elements of a d-dimensionalvector space over K, so they must be linearly dependent: that is, we can find elements c0, . . . , cd of K, not allzero, such that

c0 + c1α + · · ·+ cdαd = 0.

Thus α satisfies the non-zero polynomial g(X) = ∑ ciXi ∈ K[X] of degree ≤ d. Thus α is algebraic over K.

The “only if” part is a little harder. Let f be the minimal polynomial of α over K, and d its degree. Wewill show that the K-subspace M of L spanned by the powers of α is d-dimensional over L, with basisS = {1, . . . , αd−1}, and is a subfield of L. Since S is a finite set, this shows that M is a finite field extension ofK inside L which contains α.

Claim 1: M is a subring of L.

By definition, M is exactly the elements of L which are of the form a0 + a1α + · · · + aNαN for someα0, . . . , αN ∈ K; that is, L is the image of the ring homomorphism K[X] → L given by mapping g tog(α). But the image of a ring homomorphism is always a subring (Algebra 2).

Claim 2: M is spanned by S.

By the division algorithm for polynomials, for each g ∈ K[X] we can write g(X) = a(X) f (X) + b(X) wherea, b ∈ K[X] and deg(b) ≤ d− 1. But this implies that

g(α) = a(α) f (α) + b(α) = b(α),

since f (α) = 0. As b has degree ≤ d− 1, b(α) is a K-linear combination of the elements of S.

Claim 3: M is closed under taking inverses of nonzero elements.

This is the most difficult bit! There are many possible proofs, but here’s one.

We know by this stage that M is finite-dimensional over K. Let x ∈ M be non-zero, and consider the mapmx : M→ M given by mx(y) = xy. (This is called the “multiplication-by-x map”).

I claim that mx is injective. If not, there would be some nonzero y such that xy = 0; but this equality takesplace inside L, which is a field, so either x = 0 or y = 0, which is a contradiction.

4

By the rank–nullity theorem, it follows that mx is surjective. In particular, 1 ∈ image(mx), which shows that1/x ∈ M.

This concludes the proof that M is a field.

As a by-product of the proof of the “only if” part, we get two interesting pieces of information.

Corollary 1.1.10. (i) An element α ∈ L is algebraic over K if and only if the powers of α span a finite-dimensionalK-subspace of L.

(ii) If α is algebraic over L, then there is a unique smallest extension of K in L which contains α, namely theK-subspace spanned by the powers of α; and this has a K-basis 1, α, . . . , αd−1, where d is the degree of α over K.

Proof. The only thing we have left to check is that if α has degree d over K, the set S = {1, . . . , αd−1} islinearly independent over K. Suppose S is linearly dependent. Then there are c0, . . . , cd−1 ∈ K, not all zero,such that c0 + c1α + · · ·+ cd−1αd−1 = 0; in other words, g(α) = 0 where g is the polynomial ∑ ciXi, whosedegree is ≤ d− 1. But this implies g must be divisible by the minimal polynomial f of α over K, which isimpossible, since f has degree d.

Example 1.1.11. It’s clear that√

2 is algebraic over Q, and its minimal polynomial is X2− 2. Thus the smallestextension of Q containing

√2 is the field

{a + b√

2 : a, b ∈ Q}.

Fact 1.1.12. For any extension L | K and α ∈ L, there’s always a unique smallest extension of K inside Lcontaining α (whether or not α is algebraic).

We denote this smallest extension by K(α). So Proposition 1.1.9 shows that α is algebraic over K if and onlyif [K(α) : K] < ∞.

We’ll occasionally have to consider stacking field extensions on top of each other: if we have three fieldsK, L, M with K ⊆ L ⊆ M, then we have three field extensions, L | K, M | L, and M | K.

Proposition 1.1.13 (Tower law). The extension M | K is finite if and only if L | K and M | L are both finite, and inthis case, we have

[M : K] = [M : L][L : K].

Proof. Suppose [M : L] = r and [L : K] = s are finite. Then let `1, . . . , `r be a K-basis of L and let m1, . . . , msbe an L-basis of M. It’s easy to see that {`imj : 1 ≤ i ≤ r, 1 ≤ j ≤ s} is a K-basis of M, so [M : K] = rs and inparticular M | K is a finite extension.

Conversely, if [M : K] is finite, then L is a K-vector subspace of a finite-dimensional K-vector space, hence isitself finite-dimensional over K, so L | K is finite; and any set spanning M as a K-vector space certainly spansM as an L-vector space, so M | L is also finite.

Example 1.1.14. Consider the field Q(α), where α =√

2+ i, as in Example 1.1.8. We know that [Q(α) : Q] ≤ 4,since we have written down a polynomial of degree 4 that α satisfies.

On the other hand, α2+32α =

√2, so Q(

√2) is a subfield of Q(α). We know that Q(α) must be bigger than

Q(√

2) (since α isn’t in R), and thus both [Q(α) : Q(√

2)] and [Q(√

2) : Q] are ≥ 2. Hence

[Q(α) : Q] = [Q(α) : Q(√

2)][Q(√

2) : Q] ≥ 4

by the tower law. So the degree is exactly 4.

Moreover, by Proposition 1.1.9, we know that {1,√

2} is a basis of Q(√

2) over Q, and {1, i} is a basis ofQ(α) over Q(

√2) (since i = α−

√2 is in Q(α) but not in Q(

√2)). So, by the proof of the tower law, we see

that {1,√

2, i, i√

2} is a basis of Q(α) over Q.

5

1.2 Algebraic numbers and number fieldsLecture3Definition 1.2.1. An algebraic number is a complex number α ∈ C which is algebraic over Q: that is, there exists a

non-zero polynomial g ∈ Q[X] such that g(α) = 0.

We write A for the set of all algebraic numbers (so A ⊂ C).

Example 1.2.2. Any rational number α is algebraic (it’s a root of f (X) = X− α). The numbers i,√

3, etc arealgebraic; and we saw above that

√2 + i was algebraic, although this took a bit of work to show.

Remark. We’ll see in the next section that A is a field, so in particular the sum of any two algebraic numbersis always algebraic; but we’ll need to develop a bit more theory first.

Definition 1.2.3. An algebraic number field, or just a number field, is a subfield of C which is finite as anextension of Q.

Exercise. Can you see why every subfield of C must automatically contain Q?

As a special case of Proposition 1.1.9, we see that α ∈ C is algebraic if and only if Q(α) is a number field.This gives us a massive supply of number fields: if we take any irreducible polynomial f ∈ Q[X], then wecan find a root α of f in C (by the Fundamental Theorem of Algebra), and then Q(α) will be a number field.

Example 1.2.4 (Quadratic fields). Let d be a non-square in Q. Then there are exactly two square roots of d inC; choose one of them and call it

√d (it doesn’t matter which we choose). Then the field

Q(√

d) = {a + b√

d : a, b ∈ Q}

is a number field, of degree 2 over Q.

These are called quadratic fields and they’re some of the simplest number fields; we’ll use them as one of ourmain sources of examples.

Of course there is some redundancy here: the fields Q(√

2), Q(√

8) and Q(√

18) are the same. Let’s say aninteger d is square-free if it is not divisible by m2 for any integer m > 1. (Thus 1 is squarefree, but 0 is not.)

Proposition 1.2.5. Any number field K such that [K : Q] = 2 is equal to Q(√

d) for a unique square-free integerd 6= 1.

Proof. Let K be a number field of degree 2, and let α ∈ K be such that α /∈ Q. Then {1, α} must be a basisof K, so we have α2 = xα + y for some x, y ∈ Q. Replacing α with α− x/2, which doesn’t change the fieldgenerated by α, we can assume that α2 = y; so K is the field Q(

√y) for some rational number y.

Let us factorize y into prime powers, y = ±pn11 . . . pnr

r (where some of the nr may be negative). Replacing α

with p−n1/21 α if n1 is even, and with p(1−n1)/2

1 if n1 is odd, and similarly for the other factors, we may arrangethat y is a square-free integer d. If we end up with d = 1 then this is a contradiction, since this forces α to be±1, contradicting the assumption that α 6= Q.

We still need to check that the fields Q(√

d1) and Q(√

d2) are different if d1 and d2 are distinct squarefreeintegers. This is left as an exercise (see coursework #1).

1.3 Extensions of number fields

We defined number fields as finite extensions of Q, and this gave us a bunch of new and interesting fields.We might expect to get even more new fields by taking finite extensions of number fields; but we don’t getanything new if we do this.

6

Proposition 1.3.1. Let K be a number field, and let α ∈ C. Suppose α is algebraic over K. Then K(α) is a numberfield, and in particular α ∈ A.

Proof. Applying Proposition 1.1.9, we see that K(α) is a finite extension of K; but K is also finite as anextension of Q. The tower law now shows that K(α) | Q is a finite extension. Thus K(α) is a numberfield.

Notation 1.3.2. Let L | K be a field extension. For a finite set S = {a1, a2, ..., an} ⊂ L, we denote by K(S) =K(a1, a2, . . . , an) the smallest extension of K inside L that contains S.

Example 1.3.3. The field Q(√

2, i) is the smallest extension of Q inside C that contains i and√

2. The fieldQ(α) from Example 1.1.14 contains i and

√2, so Q(α) ⊇ Q(i,

√2); on the other hand, any field containing i

and√

2 must contain α =√

2 + i, so Q(α) = Q(i,√

2).

Corollary 1.3.4. If S is any finite set of algebraic numbers, then Q(S) is a number field.

Proof. We will show, by induction on n, that if S is any set of algebraic numbers with #S = n, then Q(S) isa number field. For n = 0 this is trivial (Q is a number field). So let us assume it is true for n− 1. WriteS = {a1, . . . , an}. We have Q(S) = Q(a1, . . . , an) = K(an), where K is the field Q(a1, . . . , an−1). By theinduction hypothesis, K is a number field. Since an is algebraic over Q it is certainly algebraic over K, so, bythe previous proposition, K(an) = Q(S) is a number field. So the induction hypothesis holds for n and weare done.

We can now show that all the hard work we had to do in Example 1.1.8, to prove that√

2 + i was algebraic,has been washed away by the rising sea of theory!

Theorem 1.3.5. The set A of algebraic numbers is a field.

Proof. We need to show that A contains 0 and 1 (easy), and is closed under addition, multiplication, andinversion of non-zero elements. If α ∈ A is nonzero, then Q(α) is a number field and 1/α ∈ Q(α), so1/α ∈ A.

(Exercise: If fα(X) = ∑di=0 ciXi is the minimal polynomial of α over Q, write down explicitly a nonzero

polynomial over Q satisfied by 1/α.)

Now let α, β ∈ A. By the previous corollary, Q(α, β) is a number field, so Q(α, β) ⊂ A. However, Q(α, β)obviously contains α + β and αβ so we are done.

Remark. Note that A is not itself a number field (why?)Lecture4

1.4 Interlude: Number fields and matrices

Recall from the proof of Proposition 1.1.9 that if K is a number field, and α ∈ K, then we can associate to α alinear operator

mα : K → K.

If we choose a basis of K as a Q-vector space, we can write mα as a matrix.

Example 1.4.1. Let K = Q(√

d) be a quadratic field. Then {1,√

d} is a basis of K. If we take α = a + b√

d,then we have

mα(1) = a + b√

d

mα(√

d) = bd + a√

d

7

so the matrix of mα is(

a bdb a

).

It turns out that lots of useful algebraic information about α is encapsulated in the operator mα.

Proposition 1.4.2. Let K be a number field.

(i) The map α 7→ mα is an injective Q-linear map, and a ring homomorphism, from K to the ring of Q-linearoperators on K.

(ii) If g is the characteristic polynomial of mα, then g(α) = 0.

Proof. Part (i) is obvious, so we give the proof of part (ii).

We know that g(mα) is the zero matrix by the Cayley–Hamilton theorem. However, for any polynomialh ∈ Q[X], we have h(mα) = mh(α) by part (i). So mg(α) is the zero linear operator; but by injectivity thisforces g(α) = 0.

Example 1.4.3. Let K = Q(θ) where θ is the unique real root of f (X) = X3 + X + 1. Then {1, θ, θ2} is a basisof K over Q. Let’s let α = 1 + 3θ2 and calculate the matrix of α. We have

α · 1 = 1 + 3θ2

α · θ = θ + 3θ3 = −3− 2θ

α · θ2 = −3θ − 2θ2

so the matrix of mα in this basis is 1 −3 00 −2 −33 0 −2

Hence α satisfies the characteristic polynomial of this matrix, which is X3 + 3X2 − 31.

We can also use this method to calculate 1α : we have

m1/α = 1/mα = 131

4 −6 9−9 −2 3

6 −9 −2

and the first column of this shows that 1/α = m1/α(1) = 1

31 (4− 9θ + 6θ2).Remark. Some textbooks refer to the characteristic polynomial of mα as the field polynomial of α. Noticethat unlike the minimal polynomial, it really depends on the field K, e.g. the field polynomials of

√2 as an

element of Q(√

2) and as an element of Q(√

2, i) aren’t the same.

1.5 Embeddings

Definition 1.5.1. An embedding of a number field K is a ring homomorphism ϕ : K → C.

Any such homomorphism is necessarily injective, and satisfies ϕ(x) = x for all x ∈ Q. Note that K is bydefinition a subfield of C, so there is a distinguished identity embedding (sending x to x for all x); but theremight be more.

For instance, we can embed Q(√

3) into C by sending a + b√

3 ∈ K to a− b√

3 ∈ C.

If L | K is an extension of number fields, then any embedding of L restricts to an embedding of K; butdifferent embeddings L→ C can give the same embedding K → C.

8

Example 1.5.2. Let K be the field Q(√

2). Let ϕ : K → C be the embedding a + b√

2 7→ a− b√

2. Let L be theextension Q(i,

√2) of K; as in Example 1.1.14, every element of L can be written uniquely as

a + b√

2 + ci + di√

2

for some a, b, c, d ∈ Q.

There are two embeddings Φ1, Φ2 of L which restrict to ϕ, given by

Φ1(a + b√

2 + ci + di√

2) = a− b√

2 + ci− di√

2,

Φ2(a + b√

2 + ci + d√

2) = a− b√

2− ci + di√

2.

There’s a close link between embeddings of K, and roots of the minimal polynomials of elements of K. We’llneed a preliminary lemma:

Lemma 1.5.3 (Separability Lemma). Let K be a number field, let f ∈ K[X] be an irreducible polynomial of degreed ≥ 1, and let ϕ be an embedding of K. Let ϕ( f ) ∈ C[X] be the polynomial obtained by applying ϕ to the coefficientsof f . Then ϕ( f ) has d distinct roots in C.

Proof. Replacing K with its image under ϕ, which is also a number field, we can assume that ϕ is the identityembedding. The Fundamental Theorem of Algebra tells us that any complex polynomial of degree d has droots in C counted with multiplicity; so we need to show that f cannot have repeated roots.

Let f ′ be the derivative of f , which is also in K[X] and is non-zero. Let h ∈ K[X] be the GCD of f and f ′.Then h has degree ≤ d− 1, but divides f , so h must be a constant. So f cannot have roots in common with f ′.But any repeated root of f is a common root of f and f ′.

Remark. We call this the Separability Lemma because it’s related to the concept of “separable extensions” inGalois theory (but we won’t need to know that here).

This now gives us a pretty good handle on embeddings:

Proposition 1.5.4. (i) Let L | K be an extension of number fields. For any embedding ϕ of K, there are exactly[L : K] distinct embeddings of L extending ϕ.

(ii) Any number field K has [K : Q] embeddings.

Proof. For (i), let us suppose first that L = K(α) for a single element α. Let f be the minimal polynomial of αover K. I claim that the extensions of ϕ to an embedding Φ of L biject with the roots of ϕ( f ) in C.

By Proposition 1.1.9, we know that every ` ∈ L can be written uniquely in the form ` = k0 + k1α + · · ·+kd−1αd−1, for some ki ∈ K, where d = [L : K]. Thus, if Φ is an embedding of L extending ϕ, we must haveΦ(`) = ∑ ϕ(ci)Φ(α)i; thus Φ is uniquely determined by where it sends α. Moreover, we have

(ϕ( f ))(Φ(α)) = Φ( f (α)) = Φ(0) = 0,

so Φ(α) must be a root of ϕ( f ). Lecture5It remains to show that, for every root ρ of ϕ( f ), there is an embedding sending α to ρ. We define a map Φ

by sending ` = ∑d−1i=0 kiα

i to ∑ ϕ(ki)ρi. This is obviously compatible with addition, but we need to show it is

compatible with multiplication.

Let ` = ∑ aiαi and ` = ∑ biα

i be elements of L. We can write ` = r(α) and m = s(α) where r = ∑ aiXi ands = ∑ biXi are polynomials in K[X] of degree ≤ d− 1. Then `m = t(α) where t is the remainder of rs dividedby f . Under the map Φ, we have ` 7→ ϕ(r)(ρ) and m 7→ ϕ(s)(ρ). Hence we have

Φ(`)Φ(m) = ϕ(r)(ρ)ϕ(s)(ρ) = ϕ(rs)(ρ),

9

butΦ(`m) = ϕ(t)(ρ).

Since ϕ(t) differs from ϕ(rs) by a multiple of ϕ( f ), and ϕ( f )(ρ) = 0, we have ϕ(rs)(ρ) = ϕ(t)(ρ) asrequired.

This proves (i) when L = K(α). Now let’s prove the general case. It’s clear that we can find a finiteset α1, . . . , αn such that L = K(α1, . . . , αn) (for example, any basis of L as a K-vector space will do). LetKi = K(α1, . . . , αi). Then each embedding of K extends to [K1 : K] embeddings of K1, and these extend to[K2 : K1] embeddings of K2, etc; so the number of embeddings of Kn = L is

[L : Kn−1][Kn−1 : Kn−2] . . . [K1 : K] = [L : K]

by the tower law.

To prove (ii), we simply apply (i) to the extension K/Q.

Remark. Note that the image of an embedding of K doesn’t always land in K. For instance, there is anembedding of K = Q( 3

√2) mapping 3

√2 to ω 3

√2, where ω = e2πi/3; this isn’t in K, since K is contained in R

(and ω isn’t).

From the proof of (i), we see that if α ∈ A, the embeddings of Q(α) biject with the roots in C of the minimalpolynomial of α (over Q). These have a special name:

Definition 1.5.5. Let α be an algebraic number, and let fα be its minimal polynomial. Then the roots of fα inC are called the conjugates of α. If ϕ1, . . . , ϕd are the embeddings of Q(α) in C, then the conjugates of α areα1 = ϕ1(α), . . . , αd = ϕd(α).

Proposition 1.5.6. Let α ∈ A, and let α1 = α, α2, . . . , αd be the conjugates of α and f its minimal polynomial. Then

f (X) =d

∏i=1

(X− αi).

Proof. We know that f is monic of degree d and the αi are its roots, and the same is true of ∏di=1(X− αi), so

the two polynomials must coincide.


2 +√

5), so [K : Q] = 4. The conjugates of√

2 +√

5 are ±√

2±√

5 and wecalculate that

(X−√

2−√

5)(X−√

2 +√

5))(X +√

2−√

5)(X +√

2 +√

5)

= ((X−√

2)2 − 5)((X +√

2)2 − 5)

= (X2 − 2√

2X− 3)(X2 + 2√

2X− 3)

= (X2 − 3)2 − (2√

2X)2

= X4 − 14X2 + 9,

which is the minimal polynomial of√

2 +√

5.

Remark. If K is a number field and α ∈ K, and ϕ1, . . . , ϕd are the embeddings of K, then

d

∏i=1

(X− αi) = fα(X)r

where r = [K : Q(α)]. This follows easily from Prop 1.5.4 and Prop 1.5.6.

10

1.6 Primitive elements

Corollary 1.3.4 gives us lots of examples of number fields, like Q(√

2, i), which aren’t given to us in the formQ(α) for a single α. However, sometimes these fields are “secretly” of this form: for instance, we saw abovethat

Q(√

2, i) = Q(√

2 + i).

This is an instance of a more general fact:

Theorem 1.6.1 (Primitive element theorem). For any number field K, we can find an element α ∈ K such thatK = Q(α) (a “primitive element” for K over Q).

The proof is a little technical but the idea is fairly simple: if we let α be any “sufficiently random” element ofK, then α will be a primitive element. We’ll need a lemma first.

Lemma 1.6.2. Let K be a number field, and let α ∈ K. If the only embedding ϕ of K such that ϕ(α) = α is the identityembedding, then α is a primitive element (i.e. K = Q(α)).

Proof. Suppose α is not a primitive element. Then Q(α) is a proper subfield of K, and thus e = [Q(α) : Q] is< d. By Proposition 1.5.4, the identity embedding of Q(α) extends to more than one embedding of K, andthese all satisfy ϕ(α) = α.

Proof of Theorem 1.6.1. We can certainly find a finite set S such that K = Q(S) (any Q-basis of K will do). So,by induction on the size of S, it is sufficient to show that in any field extension of the form K = Q(α, β) thereis a primitive element.

Let f (t), g(t) ∈ Q[t] be the minimal polynomials of α and β over Q, respectively. Let ϕ1, . . . , ϕr be theembeddings of Q(α), and ψ1, . . . , ψs the embeddings of β, and write αi = ϕi(α), β j = ψj(β). WLOG, α1 = αand β1 = β.

Choose c ∈ Q so thatα + cβ 6= αi + cβ j unless i = j = 1. (1.1)

This is possible since Q is infinite and each of the equations

α + cβ = αi + cβ j

has at most one solution for c.

Now let θ = α + cβ; we will show that Q(α, β) = Q(θ). Let ϕ be an embedding of K, and suppose thatϕ(θ) = θ. We know that ϕ(α) must be one of the αi, and ϕ(β) must be one of the β j. By the condition (1.1),this implies that ϕ(α) = α and ϕ(β) = β, so ϕ is the identity on Q(α, β). By the lemma, it follows thatQ(α, β) = Q(θ).

1.7 Norm and traceLecture6The last purely field-theoretic topic we’ll cover is to do with ways of passing between elements of K and

elements of Q. Recall that if K is a number field and α ∈ K, then multiplication by α defines a linear mapmα : K → K.

Definition 1.7.1. We define the trace of α by

TrK/Q(α) = Tr(mα) ∈ Q

and the norm of α by

NmK/Q(α) = Det(mα) ∈ Q.

11

(We sometimes omit the subscripts if it’s clear what field K we are talking about.)

So in Example 1.4.1 we have TrQ(√

d)/Q(a + b√

d) = 2a and NmQ(√

d)/Q(a + b√

d) = a2 − db2. In Example

1.4.3 we have TrK/Q(α) = −3, and NmK/Q(α) =

∣∣∣∣∣∣1 −3 00 −2 −33 0 −2

∣∣∣∣∣∣ = 31.

Proposition 1.7.2. The trace is additive, and the norm is multiplicative; for any α, β in K we have

TrK/Q(α + β) = TrK/Q(α) + TrK/Q(β),NmK/Q(αβ) = NmK/Q(α)NmK/Q(β).

Proof. This follows immediately from the equalities of linear operators

mα+β = mα + mβ,

mαβ = mαmβ,

which are just the associativity of addition and multiplication.

Theorem 1.7.3. Let ϕ1, . . . , ϕd be the embeddings K → C, and let α ∈ K. Then the characteristic polynomial of mα

is given byd

∏i=1

(X− ϕi(α)),

so in particular we have

TrK/Q(α) =d

∑i=1

ϕi(α),

NmK/Q(α) =d

∏i=1

ϕi(α).

Proof. We first prove the theorem assuming that K = Q(α). Consider the linear map mα, and let gα be itscharacteristic polynomial. By vector-space theory, we have

gα(X) = Xd − TrK/Q(α)Xd−1 + · · ·+ (−1)d NmK/Q(α).

On the other hand, α must be a root of the characteristic polynomial gα of mα, by the Cayley-Hamiltontheorem. Since gα is of degree d and is monic, we must have

gα(X) = fα(X) = ∏i(x− αi).

We can then compare coefficients to conclude.

This deals with “almost all” α. To clinch the result in general, choose a primitive element β of the exten-sion K|Q. The result above shows that the matrix of mβ (with respect to any choice of Q-basis of K) isdiagonalizable over C, with distinct eigenvalues; so there exists an invertible matrix T over C such that

mβ = TDβT−1,

12

where Dβ is the diagonal matrix with entries β1 = ϕ1(β), . . . , βd = ϕd(β). Now an arbitrary element α of Kcan be written in the form ∑i ciβ

i, and exploiting associativity and distributivity again, we get

Mα =d−1

∑i=0

ci Miβ

=d−1

∑i=0

ci(TDβT−1)i

= T(d−1

∑i=0

ciDiβ)T−1.

But since the ϕi are ring homomorphisms, the matrix ∑d−1i=0 ciDi

β is diagonal with its j-th diagonal entry being

∑d−1i=0 ci ϕj(β) = ϕj(∑d−1

i=0 ciβi) = ϕj(α). The result once again follows by taking trace and determinant.

13

Chapter 2

Algebraic integers

2.1 Motivation and definitions

We now understand the purely field-theoretic structure of number fields pretty thoroughly. But there’s a limitto the interesting things you can say about a field.

For instance, Q is a pretty boring ring: there are no nontrivial ideals (only the zero ideal), and every nonzeroelement divides every other element, so there is no interesting theory of factorisation, etc. On the other hand,the ring Z of integers is a much richer object – we can factor integers into primes, for instance, and this is agenuinely subtle and interesting process.

The aim of this chapter is to show that inside the field A of algebraic numbers, there’s a subset of “nice”elements R, with R sitting inside A in the same nice way that Z sits inside Q. Here are some natural thingswe might ask for:

• R should be a subring of A (the sum and product of algebraic integers should be an integer).

• We know what it means for a rational number to be integral, so it should be true that R ∩Q = Z.

• If α ∈ R, then all the conjugates of α should be in R.

Proposition 2.1.1. Suppose that a subring R ⊂ A exists with these properties. Then for any α ∈ R, the minimalpolynomial fα(X) has integer coefficients.

Proof. Let α = α1, . . . , αd be the conjugates of α. Then we have

fα(X) =d

∏i=1

(X− αi) ∈ R[X],

so the coefficients of fα are in R. But they are also in Q, and we’re assuming that R ∩Q = Z.

Warning: we haven’t yet proven that a ring R satisfying our wishlist actually exists, or that it is unique. Butthis gives us a strong hint what R should be!

Definition 2.1.2. We define the algebraic integers as the subset B ⊂ A given by

{α ∈ C : the minimal polynomial of α over Q lies in Z[X]} .

14

We’ll see shortly that B satisfies our wishlist above; and it’s clear that any other subset R satisfying ourwishlist must be contained in B, so B is somehow the “best choice”. First, we give a slightly more usefulcriterion for identifying elements of B.

Proposition 2.1.3. Let α ∈ A be such that g(α) = 0 for some monic polynomial g ∈ Z[X]. Then α ∈ B.

Proof. Recall “Gauss’ Lemma” from Algebra 2, which states that if f , g ∈ Q[X] are monic polynomials withf | g, and g ∈ Z[X], then f ∈ Z[X] as well.

We apply this with g as in the statement, and f equal to the minimal polynomial of α. We know that f mustdivide g, so by Gauss’ Lemma we have f ∈ Z[X].

Lecture7Example 2.1.4. Clearly

√2 ∈ B, since its minimal polynomial is X2 − 2. A more subtle example is 1+

√5

2 (the“Golden Ratio”). This has minimal polynomial X2 − X− 1 = 0, so it’s in B, even though it might not lookintegral at first sight!

We’ll now give a version of Proposition 1.1.9 (and Corollary 1.1.10) for algebraic integers.

Proposition 2.1.5. Let α ∈ C. Then α ∈ B iff there is a subring of C containing α which is finitely-generated as anabelian group.

Moreover, for any α ∈ C there is a unique smallest subring of C containing α, denoted by Z[α], which is generated asan abelian group by the powers of α; so α ∈ B iff Z[α] is finitely-generated as an abelian group.

Proof. Define Z[α] to be the subgroup of C generated by {1, α, . . . } under addition. This is a subring, sinceit is the image of the ring Z[X] under the evaluation-at-α homomorphism. Moreover, any subring of Ccontaining α must contain Z[α] so it’s the unique smallest such subring.

Now, suppose α ∈ B. Let the minimal polynomial of α be f ∈ Z[X]. Take any x ∈ Z[α]; then we havex = g(α) for some polynomial g ∈ Z[X]. By polynomial division, we can write g = a f + b for somepolynomials a, b with b of degree < deg( f ); and since f is monic, we have a, b in Z[X]. Thus x = g(α) = b(α)is in the group generated by 1, α, . . . , αd−1. So Z[α] is finitely-generated as an abelian group, as required.

Conversely, suppose α lies in a subring R ⊆ C which is finitely-generated as an abelian group. ThenR ⊇ Z[α], so Z[α] is itself finitely-generated. Hence there must be some N such that {1, α, . . . , αN−1} is agenerating set. So αN is a Z-linear combination of {1, . . . , αN−1}, which shows that α is a root of a monicpolynomial (of degree N) with coefficients in Z. Hence α ∈ B by Proposition 2.1.3.

Remark. Whenever you see two theorems with virtually identical proofs, you should be thinking “Can Iformulate a single theorem of which both of these are special cases?”. It is indeed possible to formulate atheorem of which Proposition 1.1.9 and Proposition 2.1.5 are special cases, but you need to use the notion of amodule over a commutative ring – this is a concept which you’ll meet if you’re doing Commutative Algebra.

Proposition 2.1.6. The set B satisfies our wishlist above.

Proof. It is clear that B ∩Q = Z, since the minimal polynomial of α ∈ Q is X− α, which is in Z[X] iff α ∈ Z.Moreover, if α ∈ B then the conjugates of α are in B, since they have the same minimal polynomial as α.

So let’s show that B is a ring. Let α, β ∈ B. I claim that the abelian group generated by the expressions{αiβj : i, j ≥ 0} is finitely-generated. If α has degree r and β has degree s, then one sees by induction onmax(i, j) that any term αiβj can be written as a linear combination of αpβq with 0 ≤ p < r, 0 ≤ q < s, andthere are finitely many of these, which proves the claim. But this group is a ring (it’s the image of Z[X, Y]under the map f (X, Y) 7→ f (α, β)) and it contains α and β, so it contains αβ and α± β.

Thus αβ and α± β are contained in a subring that’s a finitely-generated abelian group; so they’re both in Bby the previous proposition.

15

We also have another property of B, which shows that B is “big enough” in some sense.

Proposition 2.1.7. Let α ∈ A. Then there is an integer n ≥ 1 such that nα ∈ B.

Proof. Suppose the minimal polynomial of α is fα(X) = ∑ ciXi, with cd = 1 and ci ∈ Q. Let di ≥ 1 be thedenominator of ci (as a fraction in lowest terms); and let n be the lowest common multiple of the di.

Thennd fα(X/n) = Xn + ncd−1Xd−1 + n2cd−2Xd−2 + · · ·+ ndc0 ∈ Z[X]

is a monic polynomial satisfied by nα, so nα ∈ B.

Remark. This certainly implies that any element of A can be written as αβ with α, β ∈ B; so A is the field of

fractions of B, in the sense of Commutative Algebra.

2.2 Rings of integers and integral bases

Definition 2.2.1. If K is a number field, the ring of integers of K, denoted OK, is the ring K ∩ B.

Proposition 2.2.2 (Integers of quadratic fields). Let d 6= 1 be a square-free integer and K = Q(√

d). I claim that

OK =

{Z[√

d] if d 6= 1 mod 4,

Z[

1+√

d2

]if d = 1 mod 4.

Proof. It is clear that Z[√

d] ⊆ OK (for any value of d). Conversely, if α = a + b√

d ∈ OK, then either b = 0,in which case α ∈ OK ∩Q = Z; or the minimal polynomial of α is X2 − 2aX + (a2 − db2), so 2a ∈ Z and4db2 ∈ Z. Since d is square-free, the last condition implies that 2b is also in Z.

Hence α differs by an element of Z[√

d] from one of the elements {0, 12 ,√

d2 , 1+

√d

2 }. Clearly 12 is not in OK, and

nor is√

d2 . The minimal polynomial of 1+

√d

2 is X2 − X + 1−d4 , so it is integral if and only if d = 1 mod 4.

Lecture8Definition 2.2.3. An integral basis of a number field K is a set of elements b1, . . . , bn ∈ OK which are a Z-basis for

OK; that is, a set such that every x ∈ OK can be written uniquely in the form n1b1 + · · ·+ ndbd with ni ∈ Z.

So {1,√

d} is an integral basis of Q(√

d) if d 6= 1 mod 4, and {1, 1+√

d2 } is an integral basis if d = 1 mod 4.

Note that we haven’t shown, yet, that every number field actually has an integral basis! We’ll prove this inthe next section. Notice that any integral basis of K must in particular be a basis of K as a Q-vector space(use Proposition 2.1.7 to see that it spans).

Remark. Not every basis of K consisting of algebraic integers is an integral basis – for instance, if K = Q(√

5),then {1,

√5} is a basis of K contained in OK, but not an integral basis of K.

2.3 The trace pairing and the discriminant

In chapter 1 we thought a lot about number fields K | Q as vector spaces over Q. There is some moreQ-linear structure on K, which comes from a special Q-bilinear form on K, namely

(α, β) 7−→ TrK/Q(αβ).

We call this pairing the trace pairing. It’s a symmetric bilinear form.

16

Proposition 2.3.1. This pairing is perfect: if α is an element of K, and TrK/Q(αβ) = 0 for all β ∈ K, then α = 0.

Proof. If α 6= 0, then α−1 ∈ K and TrK/Q(αα−1) = [K : Q] is non-zero.

We’ll use the trace pairing to study bases of K, and in particular determine which bases are integral bases.Let b1, . . . , bd be a basis of K. The matrix of the trace pairing with respect to B is the d× d matrix TB given by

(TB)ij = Tr(bibj).

The determinant of the trace-pairing matrix is rather important, and it has a special name:

Definition 2.3.2. The discriminant of K relative to the basis B, denoted by ∆K(B) or ∆K(b1, . . . , bd), is thedeterminant of the matrix TB.

(Notations vary: Stewart–Tall write ∆[b1, . . . , bd].)

Remark. One can define ∆K(b1, . . . , bd) for any d elements of K as the determinant of the matrix with (i, j)-entry Tr(bibj), whether or not b1, . . . , bd is a basis. In fact ∆K(b1, . . . , bd) is non-zero if and only if b1, . . . , bd isa basis – can you see how to prove this?


d) for d 6= 1 squarefree. Then B = {1,√

d} is a basis of K and we have

TB =

(Tr(1) Tr(

√d)

Tr(√

d) Tr(d)

)=

(2 00 2d

)so ∆K(B) = 4d.

If we use instead B = {1, 1+√

d2 }, then we have Tr

(1+√

d2

)= 1 and Tr

((1+√

d2

)2)= Tr

(1+d+2

√d

4

)= 1+d

2 ,so

TB =

(2 11 1+d

2

)so ∆K(B) = d.

Proposition 2.3.4. Let B and C be bases of K, and let S be the change-of-basis matrix (so S = (Sij), whereci = ∑j Sjibj). Then

∆K(C) = Det(S)2∆K(B).

Proof. By Algebra 1, the matrix of the trace pairing with respect to the basis C is given by TC = StTBS whereSt is the transpose of S. Hence Det TC = Det(St)Det(TB)Det(S) = Det(S)2 Det(TB).

Proposition 2.3.5. If the bi are in OK, then ∆(b1, . . . , bd) ∈ Z.

Proof. This is clear since bibj is an algebraic integer, so TrK/Q(bibj) is in Z. Thus TB is a matrix of integers, soits determinant is an integer.

Fact 2.3.6. In fact one can show that if the bi are in OK then ∆(b1, . . . , bd) is always congruent to 0 or 1 modulo4. See Swinnerton-Dyer’s book for the proof.

Theorem 2.3.7. Let B = {b1, . . . , bd} be a basis of K contained in OK, and such that |∆K(B)| is as small as possibleamong bases of K contained in OK. Then B is an integral basis of K.

In particular, every number field admits integral bases.

17

Proof. For the first part, it suffices to prove the following: if B = {b1, . . . , bd} is any basis of K contained inOK, and there exists an element α ∈ OK that is not in the Z-span of B, then we can find a new basis B′ ⊂ OKsuch that |∆K(B′)| < |∆K(B)|.Let H be the abelian group generated by the bi, and let G be the larger abelian group generated by the bi andα. Note that both G and H are subgroups of OK, and by assumption G is strictly bigger than H. It is clearthat G is finitely-generated, and G has no nonzero elements of finite order (because it’s a subgroup of C). Bythe classification of finitely-generated abelian groups, we must have G ∼= Zr for some r.

We must have r ≥ d, because G contains H which is itself isomorphic to Zd; on the other hand, we must haver ≤ d, since any d + 1 elements of G are linearly dependent over Q and hence linearly dependent over Z.Thus G ∼= Zd, so we can pick a set of elements C = {c1, . . . , cd} which are a basis of G as an abelian group,and the ci are also a basis for K as a Q-vector space.

If we let S be the matrix whose columns are the coefficients of the bi in the basis ci, then we have Det(S) =[G : H] > 1 (by the Smith normal form theorem from Algebra 1). Hence ∆K(B) = Det(S)2∆K(C), and so|∆K(C)| < |∆K(B)|, as required.

Now, we show existence. Any number field has some basis B as a Q-vector space, and by Proposition 2.1.7we may scale B so it is contained in OK. Hence the set

{|∆K(B)| : B ⊂ OK basis of K}

is a non-empty set of positive integers and hence has a smallest element. By the first part, this implies that Khas integral bases.

Lecture9Corollary 2.3.8. Let B ⊂ OK be a basis of K. If ∆K(B) is a square-free integer, then B is an integral basis.

Proof. Let C be an integral basis of K and let S be the change-of-basis matrix. Then we have ∆K(B) =Det(S)2∆K(C), but ∆K(B) is squarefree, so we must have Det(S) = ±1. Thus ∆K(B) = ∆K(C), so B is itselfan integral basis.

Example 2.3.9. Let Q(θ) be the cubic field from Example 1.4.3, where θ3 + θ + 1 = 0. We compute that

Tr(1) = 3,Tr(θ) = 0,

Tr(θ2) = −2,

Tr(θ3) = Tr(−1− θ) = −3,

Tr(θ4) = Tr(−θ − θ2) = 2.

Hence the discriminant of K in the basis {1, θ, θ2} is given by∣∣∣∣∣∣3 0 −20 −2 −3−2 −3 2

∣∣∣∣∣∣ = −31.

Since −31 is squarefree, it follows that OK = Z[θ].

Note that Corollary 2.3.8 is not an “if and only if” criterion!

Example 2.3.10. Recall that if K = Q(i), then we know that {1, i} is an integral basis. However, ∆K(1, i) = −4,which is certainly not square-free.

Definition 2.3.11. We define the discriminant of K, denoted ∆K, to be the discriminant ∆K(B), where B is anintegral basis.

18

Notice that any two integral bases have the same discriminant, because if B and C are integral bases, thebasis-change matrix S in Proposition 2.3.4 has determinant ±1, so ∆K(C) = Det(S)2∆K(B) = ∆K(B). Thus∆K is well-defined. By Theorem 2.3.7, |∆K| is the smallest value of |∆K(B)| as B varies over bases of Kcontained in OK.

2.4 Interlude: formulae for discriminants

There are lots of rather pretty formulae for discriminants. The first one is elegant, but not particularly usefulin practice:

Proposition 2.4.1. Let ϕ1, . . . , ϕd be the embeddings of K into C. Then

∆K(B) =(Det T′B

)2

where T′B is the matrix with (i, j) entry ϕi(bj).

Proof. We know that Tr(bibj) = ∑k ϕk(bi)ϕk(bj); but this is exactly the (i, j) entry of the matrix (T′B)tT′B. Thus

we haveDet TB = Det

((T′B)

tT′B)= Det(T′B)

2.

Remark. The problem with using this in practice is that the entries of the matrix TB are in Q, but the entries ofT′B aren’t even in K (they’re in the subfield of C generated by all the images ϕi(K), which is a number field,but typically has much bigger degree than K does). It works quite well on a computer, though.

The bases that come up most often tend to be ones of the form {1, α, . . . , αd−1} for some primitive elementα ∈ K (“power bases”), so we have some special formulae for these.

Proposition 2.4.2. Suppose B = (1, α, ..., αd−1) for some α ∈ K. Then

∆K(B) = ∏i<j

(ϕi(α)− ϕj(α))2.

Proof. It’s a general fact that for any complex numbers x1, . . . , xn, the determinant of the n× n matrix1 x1 x21 . . . xn−1

1...

...1 xn x2

n . . . xn−1n

(a Vandermonde matrix) is equal to ∏i<j(xi − xj). (See §2.2 of Stewart & Tall for a proof.) So the formulafollows immediately from the previous one.

Again, this formula suffers from the fact that the ϕi(α) aren’t in Q or even in K, so doing arithmetic withthem is a bit fiddly. But our last, and weirdest, formula doesn’t have this problem:

Proposition 2.4.3. Suppose K = Q(α), and let B = (1, α, ..., αd−1) again. Then

∆K(B) = (−1)d(d−1)/2 NmK/Q(

f ′(α))

where f is the minimal polynomial of α.

19

Proof. Let’s define g(X) = 1X−α f (X), which is in K[X]. Then we see easily that g(α) = f ′(α).

Let ϕ1, . . . , ϕd be the embeddings of K, and write αi = ϕi(α). For each i, we have

ϕi(g)(X) =f (X)

X− αi= ∏

j 6=i(X− αj) ∈ C[X],

so thatϕi(g(α)) = (ϕi(g)) (αi) = ∏

j 6=i(αi − αj).

Multiplying all these together we have

d

∏i=1

ϕi(g(α)) =n

∏i=1

(∏j 6=i

(αi − αj)

)= ∏

i<j(αj − αi)(αi − αj)

= (−1)d(d−1)

2 ∏i<j

(αi − αj)2

= (−1)d(d−1)

2 ∆K(B),

using the previous proposition. On the other hand we have

d

∏i=1

ϕi(g(α)) = NmK/Q (g(α))

by a formula from Chapter 1.

Example 2.4.4. Let’s do Example 2.3.9 again: K = Q(θ) where θ3 + θ + 1 = 0, and B = {1, θ, θ2}. We havef ′(X) = 3X2 + 1, so we just need to calculate NK/Q(3α2 + 1). We did this already in Example 1.4.3 (what ahandy coincidence!): it’s 31. So ∆K(1, θ, θ2) = −31. (Notice that −31 = 1 mod 4.)

Exactly the same method works for any cubic field (i.e. any K with [K : Q] = 3). Here’s a handy special case.

Corollary 2.4.5. Let K be a cubic field, and let θ be a primitive element of K whose minimal polynomial over Q is ofthe form f (X) = X3 + bX + c. Then

∆K(1, θ, θ2) = −27c2 − 4b3.

For the proof, just put together Examples 1.4.3 and 2.4.4. See Coursework # 2 for the general formula. Lecture10

2.5 An algorithm for finding OK

The proof of Theorem 2.3.7 can be extended to give an explicit recipe – an algorithm – for finding an integralbasis.

Proposition 2.5.1. Suppose b1, . . . , bd is a basis of K consisting of algebraic integers. If B is not an integral basis,then there exists a prime p such that p2 | ∆K(B), and integers λ1, . . . , λd with 0 ≤ λi < p and not all λi zero, suchthat

u =1p

d

∑i=1

λibi

is in OK.

20

Proof. Let H be the additive subgroup generated by the bi as before. Then Q = OK/H is a finite group, and|Q|2 divides ∆K(B) by Proposition 2.3.4.

If Q is non-trivial, then there is some prime p dividing its order, so p2 | ∆K(B). Moreover, Q must have anelement of order p, so we can find an algebraic integer u ∈ OK such that u /∈ H but g = pu ∈ H.

We can write g = ∑ λibi with λi ∈ Z, so u = 1p ∑ λibi and if we change the λi by multiples of p, then we

don’t change the class of u in Q, so we can assume 0 ≤ λi < p. Since u isn’t the identity in Q, the λi aren’t allzero.

With this in hand, we can give the following algorithm:

1. Start with any Q-basis B = b1, . . . , bn of K consisting of algebraic integers.

2. Calculate ∆K(B).

3. List all primes p such that p2 | ∆K(B).

4. For each p in the list, and each number of the form

u =1p

d

∑i=1

λibi

with λi ∈ {0, . . . , p− 1} not all zero, check whether u ∈ OK.

5. If you find a u that’s in OK, then compute a basis for the abelian group generated by B and u and goback to step 2 with B replaced by this new basis. (In fact the new basis will have discriminant 1

p2 ∆K(B),so we can skip straight to step 3.)

6. If no such u was found, then B is an integral basis by Prop 2.5.1, so we can stop.

Notice that it might well happen that the list in step 3 is empty – this is exactly the situation of Corollary 2.3.8where there are no primes whose squares divide ∆K(B). Since |∆K(B)| decreases each time we go aroundfrom Step 5 back to Step 3, the algorithm will always finish after a finite number of steps.

Example 2.5.2. Let θ be a root of the polynomial f (X) = X3 + 11X + 4. Note that f is irreducible in Z[X](any root would have to divide 4 by comparing constant terms, and none of ±1,±2,±4 are roots) and henceirreducible in Q[X] by Gauss’ Lemma. So if we let K = Q(θ), then [K : Q] = 3, and B = {1, θ, θ2} is aQ-basis of K.

Corollary 2.4.5 implies that∆K(B) = −1439 · 22.

As 1439 is prime, the only prime we need to worry about is p = 2. So we need to check whether any of thefollowing seven elements of K are algebraic integers:{

12 , θ

2 , θ2

2 , 1+θ2 , 1+θ2

2 , 1+θ2 , 1+θ+θ2

2

}.

We can rule out a lot of these already: clearly 12 /∈ OK; and θ

2 isn’t in OK either as its norm would be

NmK/Q(θ)/ NmK/Q(2) = 48 = 1

2 . Similarly, 1+θ2 is ruled out because Tr(θ) = 0 and so Tr

(1+θ

2

)= 3

2 .

That leaves us with four candidates u to test. For each of these, we can compute a cubic polynomial that killsit by taking the characteristic polynomial of is 3× 3 matrix (in the basis B); and this must be the minimalpolynomial (since otherwise u would have to be in Q).

21

Some linear algebra later, we find that u = 12 (θ + θ2) gives us the matrix

12

0 0 −41 0 −110 1 0

+ 12

0 0 −41 0 −110 1 0

2

=

0 −2 −212 − 11

2 − 152

12

12 − 11

2

.

The characteristic polynomial of this matrix is X3 + 11X2 + 36X + 4, so we conclude that 12 (θ + θ2) is in OK.

The subgroup of K generated by B and θ+θ2

2 has basis{

1, θ, θ+θ2

2

}, and it contains Z[θ] with index 2; so

∆K

(1, θ, θ+θ2

2

)= −1439

which is squarefree, and thus{

1, θ, θ+θ2

2

}is an integral basis.

Remark. It can be shown that for this field K there is no α ∈ OK such that OK = Z[α]; so there is no analogueof the primitive element theorem (Theorem 1.6.1) for OK in place of K.

2.6 Shortcuts for calculating integral bases

Recall the following result from Algebra 2:

Proposition 2.6.1 (Eisenstein’s Criterion). Let f (X) ∈ Z[X] be monic, and write

f (X) = Xd + ad−1Xd−1 + · · ·+ a0.

If there is a prime p such that p | ai for all 0 ≤ i ≤ d− 1, but p2 - a0, then f is irreducible in Z[X] (and hence alsoirreducible in Q[X] by Gauss’ Lemma).

There is a shortcut for computing integral bases when this criterion applies:

Lemma 2.6.2. Suppose that f ∈ Z[X] satisfies Eisenstein’s criterion for the prime p, and d = deg( f ) > 1. LetK = Q(θ) where θ is a root of f . Then

(i) p | ∆K(1, θ, . . . , θd−1);

(ii) but no element of K of the form1p

d−1

∑i=0

λiθi, 0 ≤ λi < p not all zero

is in OK.Lecture11Remark. In fact more is true: we always have pd−1 | ∆K(1, θ, . . . , θd−1), but this requires a bit more work to

prove.

Proof. For (i) we use Proposition 2.4.3. By assumption, f (X) ≡ Xd (mod pZ[X]), so we have f ′(X) ≡ dXd−1

(mod pZ[X]). This implies that the matrices of f ′(θ) and of dθd−1, relative to the basis {1, θ, . . . , θd−1} ofK, have entries in Z and are congruent to each other modulo p. Hence their determinants are congruentmodulo p; that is,

Nm( f ′(θ)) = Nm(dθd−1) = dd Nm(θ)d−1 (mod p).

Since Nm(θ) is the constant term of f (up to sign), it is zero modulo p. This finishes the proof.

22

For (ii), let’s suppose we have some non-zero element

u = 1p ∑ λiθ

i ∈ OK

with 0 ≤ λi < p. Let j be the smallest index such that λj 6= 0. Then we can write this as

u =1p

(λjθ

j + θ j+1δ)

, δ ∈ Z[θ] ⊆ OK.

Multiplying u by θd−1−j we still have an element of OK:

θd−1−ju =λjθ

d−1

p+

θdδ

p∈ OK.

On the one hand, since f (t) satisfies Eisenstein’s criterion we have

θd ∈ pZ[θ] ⊆ pOK.

So we must haveλjθ

d−1

p∈ OK.

We shall calculate the norm of this to get a contradiction:

Nm

(λjθ

d−1

p

)=

λdj Nm(θ)d−1

pd .

Since θ is a root of an Eisenstein polynomial, we have Nm(θ) = pr, where p - r. Hence we have

Nm

(λjθ

d−1

p

)=

λdj pd−1rd−1

pd =λd

j rd−1

p.

However this cannot be an integer, since neither λj nor r is a multiple of p. This gives the contradiction.

Example 2.6.3. Let us determine an integral basis of the number field Q( 3√

2). Let α = 3√

2. The minimalpolynomial of α over Q is f (t) = t3 − 2, which is obviously Eisenstein for the prime p = 2.

Corollary 2.4.5 implies that∆K(1, α, α2) = −4 · 33.

Thus the primes p we need to worry about are p = 2 and p = 3. But we can ignore p = 2, so we only need toworry about p = 3.

In fact we can be even cleverer than this: let β = α− 2, so clearly K = Q(β); and moreover Z[α] = Z[β], so∆K(1, β, β2) is also equal to −4 · 33. Now the minimal polynomial of β over Q is g(t) = t3 + 6t2 + 12t + 6,which is Eisenstein for p = 3 as well. Hence Lemma 2.6.2 implies that we can’t have 1

3 appearing in thedenominators either, so OK = Z[α− 2] = Z[α].

2.7 Example: cyclotomic fields

In this section, we will use Proposition 2.6.2 to determine an integral basis of cyclotomic fields.

Definition 2.7.1. A cyclotomic field is a field of the form K = Q(ζ), where ζ = e2πi/m is a primitive m-th root ofunity for some m.

23

Remark. Much of algebraic number theory was first developed for this special class of fields in an attempt toattack Fermat’s last theorem. If OK had unique factorization for every cyclotomic field K (or even just form prime) we could use this to prove Fermat’s last theorem without too much difficulty. Sadly, this fails form = 23. There were several wrong “proofs” of Fermat’s theorem in the 19th century, based on assuming thatcyclotomic integer rings had unique factorization; and some historians think that Fermat himself may havemade a similar mistake.

We will specialize to the case where m = p is an odd prime. You saw in Algebra 2 that the minimalpolynomial of ζp over Q is the cyclotomic polynomial

f (X) = Xp−1 + · · ·+ X + 1,

and the roots of this are exactly the powers ζ j for j ∈ (Z/pZ)× (i.e. all the primitive p-th roots of unity).The reason that f is irreducible is that the polynomial g(X) = f (X + 1) = Xp−1 + (p

1)Xp−2 + · · ·+ ( pp−1) is

Eisenstein at p.

Lemma 2.7.2. We have Nm(ζ) = 1 and Nm(ζ − 1) = p.

Proof. Clear from the minimal polynomials.

Theorem 2.7.3. We have∆K(1, ζ, . . . , ζ p−2) = (−1)

p−12 pp−2,

and {1, ζ, . . . , ζ p−2} is an integral basis in K.

Proof. Let λ = ζ − 1.It is clear that {1, ζ, . . . , ζ p−2} is an integral basis if and only if {1, λ, . . . , λp−2} is anintegral basis, and these two bases have the same discriminant.

By Proposition 2.4.3 we have

∆K(1, λ, . . . , λp−2) = (−1)(p−1)(p−2)

2 Nm(g′(λ)).

To calculate Nm(g′(λ)), we use a trick: recall that g(t) = (t+1)p−1t . By the quotient rule, we have

g′(t) =p(t + 1)p−1t−

((t + 1)p − 1

)t2 ,

so g′(λ) = p ζ p−1

λ . We deduce that

Nm(g′(λ)) = Nm(p)Nm(ζ)p−1 Nm(λ)−1 = pp−2

by Lemma 2.7.2. Since p is odd, we have (−1)(p−1)(p−2)

2 = (−1)p−1

2 . Hence

∆[1, λ, . . . , λp−2] = (−1)p−1

2 pp−2

as claimed.

The only prime whose square divides this is p. However g(t) satisfies Eisenstein’s criterion at p, so weconclude by Lemma 2.6.2.

Remark. If m is not prime and K = Q(ζ) where ζ is a primitive m-th root of unity, then it is still true thatOK = Z[ζ], but the proof is harder. If m = pa for some prime p, then the minimal polynomial of ζ − 1 stillsatisfies Eisenstein’s criterion for the prime p, and we can argue as above to prove that {(ζ − 1)i} is anintegral basis. If n is not a power of a prime then Eisenstein’s criterion isn’t satisfied, so the proof is quitedifferent in this case.

24

Chapter 3

Factorisation and ideals

Notation 3.0.4. All rings in this chapter are assumed to be commutative.

3.1 Units, irreducible elements, and prime elements

Let R be a (commutative!) ring, and r ∈ R. Recall that we say R is

• a unit if there exists an inverse r−1 ∈ R;

• irreducible if it isn’t a unit, and whenever we have r = xy with x, y ∈ R, then one of x and y is a unit;

• prime if it’s not a unit and whenever we have r | xy with x, y ∈ R, then either r | x or r | y (or possiblyboth!)

Lecture12

Units

Notation 3.1.1. The group of units of a ring R is denoted by R×.

Proposition 3.1.2. If K is a number field, then O×K = {x ∈ OK : NmK/Q(x) = ±1}.

Proof. If x−1 ∈ OK, then Nm(x)Nm(x−1) = Nm(1) = 1, so Nm(x) is a unit in Z and hence must be ±1.

Conversely, suppose Nm(x) = ±1 and let σ1, . . . , σd be the embeddings of K, with σ1(x) = x. Then we have

x

(d

∏i=2

σi(x)

)= ±1

so that x−1 = ±∏di=2 σi(x), and since all the σi(x) are in B, this shows that x−1 ∈ B ∩ K = OK.


d), with d < 0 squarefree.

If d 6= 1 mod 4 then OK = Z[√

d] and a + b√

d is a unit if and only if a2 + |d|b2 = 1. For d 6= −1 this forcesb = 0 and a = ±1.

If d = 1 mod 4 then any unit is of the form 12

(a + b

√d)

for a, b ∈ Z and hence a2 + |d|b2 = 4, and unlessd = −3 this forces b = 0 so a = ±2.

This shows that O×K = {±1} unless d = −1 or d = −3. For these d a case-by-case check gives us

25

• {±1,±i} if d = −1;

• {±1,±ω,±ω2} if d = −3, where ω = 1+√−3

2 is a primitive 6th root of unity;

Note that these are all finite cyclic groups – any finite subgroup of the multiplicative group of a field must becyclic. On the other hand, if d > 1 there are lots of units which don’t have finite order, e.g. 1 +

√2 is a unit in

Z[√

2], and since it is real and > 1 it can’t be a root of unity, so the unit group of Z[√

2] is infinite. (We’ll seelater that the ring of integers of Q(

√d) has infinite unit group for any squarefree d > 1.)

Irreducible and prime elements

Now, irreducibility and primality. Notice that irreducibility is about things dividing r, while primality isabout r dividing other things. Nonetheless, there’s a relation between the two: you saw in Algebra 2 thatif the ring R is an integral domain, any nonzero prime element is irreducible. But sometimes irreducibleelements can fail to be prime, and this really does happen for the rings OK that we care about in this course.

You saw in Algebra 2 that in a PID, any non-zero element has a factorisation into irreducibles, and this isunique up to re-ordering the factors and multiplying them by units. The existence of such a factorisationworks very generally:

Proposition 3.1.4. Let K be a number field, and let x ∈ OK be a non-unit. Then there are irreducible elementsx1, . . . , xn such that x = ∏ xi.

Proof. Let’s say x is factorisable if it can be written in this way. We prove by induction on N that everynon-unit element r ∈ OK with |Nm(r)| = N is factorisable.

The result is trivial for N = 1 (there are no non-unit r); so assume it is true for all N′ < N, and supposer ∈ OK has |Nm(r)| = N.

If r is irreducible it is trivially factorisable. If r is not irreducible, we can write r = xy where both x and yare non-units. Since x and y are non-units and Nm(x)Nm(y) = Nm(r), we must have |Nm(x)| < |Nm(r)|and |Nm(y)| < |Nm(r)|; thus both x and y are factorisable. Multiplying together factorisations of x and ygives a factorisation of r.

Remark. You can replace OK by any ring with reasonable finiteness properties (any Noetherian ring in thesense of Commutative Algebra). It doesn’t work in R = B, though!

What fails when we go from Z to general OK is uniqueness of the factorisation; and this is connected with thefact that in OK, irreducible elements aren’t necessarily prime, and ideals aren’t necessarily principal.

Example 3.1.5. Let K = Q(√−5). Then OK = Z[

√−5]. Then 2 is an irreducible element in OK, because if we

have 2 = xy with x, y ∈ OK, then Nm(x)Nm(y) = Nm(2) = 4. Thus one of x and y (WLOG x) has norm1 or 2. However, there are no solutions in integers to a2 + 5b2 = 2, and a2 + 5b2 = 1 has only the trivialsolutions a = ±1, b = 0. So x = ±1 is a unit in OK. Thus 2 is irreducible.

On the other hand, 2 divides (1 +√−5)(1−

√−5) = 6, but 2 doesn’t divide either of the factors. So 2 isn’t

a prime element in OK. This means that 6 has two essentially different factorizations into irreducibles, as(2)(3) and (1 +

√−5)(1−

√−5).

So OK cannot be a PID, and there must be an ideal that isn’t principal. Consider the set

I = {a + b√−5 : a = b mod 2}.

I claim I is an ideal. Obviously I is an abelian group, so we just need to check that xI ⊆ I for any x ∈ OK. Itsuffices to check this for x = 1 (obvious) and x =

√−5, and if y = a + b

√−5 ∈ I, then xy = −5b + a

√5,

and −5b has the same parity as b.

26

We clearly have 2 ∈ I. If I were principal, with some generator d, we’d have to have d | 2, but 2 is irreducible,so d would have to be 1 or 2 times a unit, and thus we’d have either I = OK or I = 2OK, neither of which aretrue. So I is not principal.

We’re now going to see a really rather radical idea: we’ll embrace the fact that non-principal ideals exist, andrather than factorising elements into irreducible elements, we’ll factorise ideals into irreducible ideals! Lecture

13

3.2 Arithmetic with ideals

What do ideals in a number field look like?

Notation 3.2.1. If R is a ring and x1, . . . , xn ∈ R we write 〈x1, . . . , xn〉 for the ideal generated by the ri, which is theset of all finite sums of the form

r1x1 + · · ·+ rnxn : ri ∈ R.

(If R isn’t clear from context we sometimes write 〈x1, . . . , xn〉R.)

So the ideal I of Example 3.1.5 is 〈2, 1 +√−5〉.

Exercise. Show that any ideal in OK is generated by a finite set.

Fact 3.2.2. One can actually show the stronger fact that any ideal in the ring of integers of a number field canbe generated by at most 2 elements. We won’t prove this or use it explicitly, but you might find it helpful tobear it in mind as a guide when doing calculations, much like Fact 2.3.6.

We’ll need to use the following fact:

Proposition 3.2.3. Let I be a non-zero ideal of OK. Then I contains some positive integer, and the quotient ring OK/Iis finite.

Proof. Firstly, suppose I is a non-zero ideal. Then I contains some non-zero element x ∈ OK. Let N =|NmK/Q(x)|. We know that N/x ∈ K, but N/x = ±∏j ϕj(x) where the ϕj are the non-identity embeddingsof K, so N/x ∈ B. Thus N/x ∈ OK; so N is a multiple of x in OK and hence x ∈ I ⇒ N ∈ I.

The ideal 〈N〉 = NOK is contained in I, so OK/〈N〉 surjects onto OK/I. But OK ∼= Zd as an abelian groupand hence OK/NOK ∼= (Z/NZ)d is finite and thus OK/I is also finite.

Now we explain what’s meant by multiplying ideals.

Definition 3.2.4. Let I, J be ideals in a ring R. We define an ideal I J as the ideal consisting of all finite sums of theform i1 j1 + · · ·+ iN jN where im ∈ I and jm ∈ J.

Remark. It’s important to note that not every element of I J is necessarily of the form ij with i ∈ I and j ∈ J.However, I J is the smallest ideal containing all such elements.

Clearly if I = 〈x1, . . . , xr〉 and J = 〈y1, . . . , ys〉, then I J is exactly the ideal generated by the pairwise productsxiyj.

Example 3.2.5. Let R = Z[√−5], I = 〈2, 1 +

√−5〉 as before. What is I2?

Evidently I2 =⟨4, 2 + 2

√−5, (1 +

√−5)2⟩ = 〈4, 2 + 2

√−5,−4 + 2

√5〉.

Can we give a simpler generating set? Clearly the ideal 〈4, 2 + 2√−5,−4 + 2

√5〉 contains (2 + 2

√−5)−

(−4 + 2√

5) = 6. So it contains both 4 and 6, so it must contain 2. On the other hand, all the generators of Iare multiples of 2. So we have I2 = 〈2〉.

Definition 3.2.6. An ideal I in a ring R is prime if I 6= R and the following relation holds: if x, y are elements of R,and xy ∈ I, then either x ∈ I or y ∈ I.

27

Clearly the principal ideal 〈r〉 is prime if and only if r is a prime element (or zero; it’s a historical quirk that〈0〉 is considered prime but 0 itself is not).

Notice that x ∈ I if and only if the principal ideal 〈x〉 is a subset of I, so the definition of “prime” is thatwhenever 〈x〉〈y〉 ⊂ I then either 〈x〉 ⊂ I or 〈y〉 ⊂ I. The following shows that we can do the same withmore general ideals:

Lemma 3.2.7. If I is a prime ideal in a ring R, and we have AB ⊂ I, for A, B ideals, then A ⊂ I or B ⊂ I.

Proof. If neither A nor B is a subset of I, then we can find elements a ∈ A and b ∈ B, neither of which arein I. Then ab ∈ AB, so ab ∈ I (since AB is contained in I), but by assumption neither a nor b is in I. Thiscontradicts the assumption that I is prime.

Prime ideals are related to maximal ideals: recall that an ideal I is maximal if there is no ideal J 6= R such thatJ ) I, and I is maximal iff the quotient R/I is a field.

Proposition 3.2.8. Let R be any ring.

(i) I is prime iff R/I is an integral domain.

(ii) Maximal ideals are prime.

(iii) If R is the ring of integers of a number field, any non-zero prime ideal is maximal.

Proof. (i) Let I be prime and x, y ∈ R/I. Choose representatives x, y ∈ R. If xy = 0, then xy ∈ I, so we musthave x ∈ I or y ∈ I, which implies that one of x and y is 0. So R/I is an integral domain. The converseimplication is similar.

(ii) A field is an integral domain, so I maximal⇒ R/I a field⇒ R/I an integral domain⇒ I prime.

(iii) I claim that if I is a non-zero ideal of OK, not necessarily prime, then OK/I is finite. Let x ∈ I be nonzero;then N = |Nm(x)| is a multiple of x in OK, so I contains N, which is a positive integer. Hence OK/I is aquotient of OK/〈N〉, but OK ∼= Zd as an abelian group, so OK/〈N〉 ∼= (Z/NZ)d is finite.

Now, if I is prime, this shows that OK/I is a finite integral domain; but a finite integral domain must be afield, because multiplication by any non-zero element is an injective map from a finite set to itself and musttherefore also be surjective. So OK/I is a field, and therefore I is maximal.

Notice that (iii) is not true in more general rings; for instance, in Q[X, Y] the prime ideal 〈X〉 is properlycontained in the prime ideal 〈X, Y〉.

3.3 Fractional ideals and unique factorization

In this section we’ll prove the following rather hard theorem:

Theorem 3.3.1. Let K be a number field and a any non-zero ideal in OK. Then there are prime ideals p1, . . . , pn suchthat

a = p1 . . . pn,

and the pi are unique up to re-ordering.

In order to do this we’ll introduce a certain technical convenience called a fractional ideal. A fractional idealin K is like an ideal of OK, except that it isn’t necessarily contained in OK:

Definition 3.3.2. A fractional ideal of OK is a subset a ⊂ K such that

28

• a is an abelian group under addition,

• xa ⊆ a for every x ∈ OK,

• there exists some x ∈ OK such that xa ⊆ OK.

Note that the first two conditions say that a is an OK-submodule of K. The last condition says that a isn’t toolarge – for instance, K itself is not a fractional ideal of OK. Lecture

14Notice that a subset of K contained in OK is a fractional ideal if and only if it’s an honest ideal. Thus fractionalideals are somehow “ideals of OK divided by things” – hence the name.

Notation 3.3.3. Given x1, . . . , xn ∈ K we write

〈x1, . . . , xn〉 ={∑ rixi : ri ∈ OK

}.

We can multiply fractional ideals in the same way we multiply usual ideals: if a and b are ideals, then ab isthe set {a1b1 + · · ·+ anbn : ai ∈ a, bi ∈ b} which is also a fractional ideal, and we can find a generating setfor the product by multiplying generators of a and b as before.

The reason we care about these objects is that we’ll prove Theorem 3.3.1 together with a second theorem:

Theorem 3.3.4. The non-zero fractional ideals of OK form a group under multiplication.

In these two theorems, it’s really essential to use all the properties of OK. Before we start on the proofs, Iwant to explain why if we use the wrong ring, then it definitely fails.

Definition 3.3.5. An order in a number field K is a subring R ⊆ OK such that the abelian group OK/R is finite.

For example, Z[√−3] is an order in Q(

√−3), with index 2 in the ring of integers Z

[1+√−3

2

]. Finding any

old order is much easier than finding OK; in Chapter 2 we started by writing down an arbitrary order andthen gradually enlarged it to find OK.

One can define fractional ideals of R for any order R exactly as above: they are the R-submodules of K of theform x−1 I where x ∈ R is nonzero and I is an ideal of R.

It’s a confusing, but true, statement that if R is any order, then OK is a fractional ideal of R! This showsimmediately that the fractional ideals of an order R 6= OK can’t be a group: it would have to have twoidentities R and OK (as RR = R and OKOK = OK) and a group has to have exactly one identity element.

Now let’s start on the proof of Theorems 3.3.1 and 3.3.4. Following Stewart and Tall, we’ll do it in 9 steps, ofwhich steps 1-3 work for any order R, and steps 4 onwards require us to use OK.

Step 1: Every nonzero ideal of an order R contains a product of prime ideals. This is almost identical toProposition 3.1.4. Let a be a nonzero ideal in R. Let’s say a is good if there exist primes p1, . . . , pr such thatp1 . . . pr ⊆ a, and bad otherwise.

Let a be a bad ideal. Since a is a non-zero ideal of R, the index R/a is finite (we saw this above for R = OK,but the proof works for any order R). Let us assume WLOG that a has the smallest possible index among allbad ideals, so in particular any ideal strictly containing a is good.

Since it’s bad, a cannot be prime. So there exist elements x1, x2 ∈ R such that x1x2 ∈ a but x1 /∈ a, x2 /∈ a.Let a1 be the ideal generated by a and x1, and similarly a2 generated by a and x2. Since these are bothstrictly bigger than a, they must both be good, so we can find primes p1, . . . , pr and pr+1, . . . , ps such thatp1 . . . ps ⊆ a1 and ps+1 . . . pr ⊆ a2.

Consider the product p1 . . . pr. This is contained in a1a2; but a1a2 is contained in a, since x1x2 ∈ a. So thisgives a product of prime ideals which is contained in a, contradicting the assumption that a was bad.

29

Step 2: Definition of (what will turn out to be) the inverse of a fractional ideal.

Definition 3.3.6. Let a be a fractional ideal of R. We define

a−1 = {x ∈ K : xa ⊆ R}.

This is evidently an R-submodule of K. If a is an ideal of R, then a−1 ⊇ R.

If a is not zero, then it contains some non-zero element c, and we have ca−1 ⊆ OK, so in this case a−1 is alsoa fractional ideal. (If a = 0 then a−1 = K, which is not a fractional ideal!)

Exercise. Check that for c ∈ K we have 〈c〉−1 = 〈c−1〉.

From the definition, we have aa−1 ⊆ R. The goal of the next two steps is to show that if R = OK then aa−1 isactually equal to OK.

Step 3: If a is a proper ideal of R, then a−1 ) R. Any proper ideal a is contained in a maximal ideal p, andif a ⊆ p then p−1 ⊆ a−1, so it suffices to assume a = p is maximal (or, equivalently, prime).

We will use Step 1 to do this. Take any nonzero a ∈ p. Using step 1 we can write

p1 . . . pr ⊆ 〈a〉

for some prime ideals p1 . . . pr. Since 〈a〉 ⊆ p, this shows that

p1, . . . , pr ⊆ p

so p must contain one of the pi by Lemma 3.2.7. Without loss of generality, we can assume that p1 ⊆ p; butnon-zero prime ideals of R are maximal, so we must have p1 = p.

If p2, . . . , pr ⊆ p then we can repeat the argument again to show that p2 = p etc, so we can assume that

p2, . . . , pr 6⊆ 〈a〉.

So there is some b ∈ p2, . . . , pr which isn’t in 〈a〉, but such that bp ⊆ 〈a〉. So x = ba /∈ R. But b

ap ⊆ R. Thisshows that x ∈ p−1 and thus p−1 is strictly bigger than R.

Step 4: If a is a non-zero fractional ideal of OK, and θ ∈ K is such that θa ⊆ a, then θ ∈ OK. Since a is afractional ideal, it is isomorphic as an abelian group to an ideal of OK, and hence it’s finitely-generated (sinceOK is). It’s also torsion-free, so it must be isomorphic to Zm for some integer m ≤ d. Let a1, . . . , am be a basisof a as an abelian group.

If θa ⊆ a then we must be able to write θai as a Z-linear combination of the ai for all i. So we can write

θai =m

∑j=1

bjiaj

for some m×m matrix B = (bij) with integer entries.

This shows that θ is an eigenvalue of B considered as a complex matrix. So θ is a root of the characteristicpolynomial of B. But that shows that θ is an algebraic integer, so θ ∈ OK.

Remark. This step goes horribly wrong if we work with subrings of OK rather than the whole of OK, andthat’s why these non-maximal orders don’t have a nice factorization theory.

Lecture15

30

Step 5: If p is prime then pp−1 = OK. We’ll get this by playing the two previous steps off against eachother. Since p−1 ⊇ OK we must have pp−1 ⊇ pOK = p; and p is maximal, so we must have either pp−1 = OKor pp−1 = p.

Step 4 says that pp−1 = p could only happen if we had p−1 = OK; but Step 3 says precisely that p−1 is notcontained in OK, which is a contradiction. So pp−1 must be OK.

Remark. There is a small but crucial typographical error in Stewart & Tall (3rd edition) at this point: theyaccidentally claim that pp−1 = OK leads to a contradiction!

Step 6: For any nonzero ideal a we have aa−1 = OK. Suppose a is a nonzero ideal such that aa−1 6= OK.By induction on the size of the quotient |OK/a| (as in Step 1), we can assume that bb−1 = OK for all ideals bwhich strictly contain a.

We obviously cannot have a = OK, so there is a maximal ideal p containing a. Let b = ap−1.

Firstly, b is indeed an ideal of OK, because p−1 ⊆ a−1 and so ap−1 ⊂ aa−1 ⊂ OK. Clearly we have b ⊇ a. Ifb = a then Step 4 would imply p−1 = OK, contradicting Step 3. So b is strictly larger than a; hence, by ourassumption on a, we must have bb−1 = OK. We now have:

bb−1 = OK

⇒ ap−1b−1 ⊆ OK (definition of b)

⇒ p−1b−1 ⊆ a−1 (definition of the set a−1)

⇒ ap−1b−1 ⊆ aa−1 (multiply everything by a)

⇒ bb−1 ⊆ aa−1.

Since bb−1 = OK, we must have aa−1 = OK as well.

Step 7: Nonzero fractional ideals are a group under multiplication (Theorem 3.3.4). All the axioms areobvious except for existence of inverses. Let a be a fractional ideal; then we have a = c−1b for some genuineideal b and some nonzero c ∈ OK, and hence a−1 = cb−1.

We have aa−1 = cc−1bb−1 = bb−1, and Step 6 shows that bb−1 = OK. So a−1 is genuinely the inverse of aunder multiplication, as the notation suggests.

Step 8: Every non-zero ideal is a product of prime ideals. Let a be a nonzero ideal that’s not the productof prime ideals. If such an a exists, then there is one of smallest index, so we may assume without loss ofgenerality that every ideal b strictly containing a is a product of prime ideals.

Clearly a 6= OK so we can find some prime p such that a ⊆ p. Then ap−1 is strictly bigger than a (by Step 4)so ap−1 = p1 . . . pr for some primes pi.

But then a = ap−1p = p1 . . . prp, so a is a product of primes itself.

Step 9: Prime factorization is unique up to ordering. Suppose we have a nonzero ideal a such thata = p1, . . . , pr = q1, . . . , qs for prime ideals p1, . . . , pr and q1, . . . , qs. We want to show that r = s and we canre-order the qi such that qi = pi for all i.

WLOG r ≥ s ≥ 0. If r = s = 0 there is nothing to prove; so assume that r ≥ 1 and that the claim is true forr− 1. The product q1, . . . , qr is contained in p1, so one of the qi is contained in p1 by primality; without lossof generality, q1 ⊆ p1. But q1 is maximal, so q1 = p1.

Then we have p−11 a = p2, . . . , pr = q2, . . . , qs. By the induction hypothesis we are done.

31

Remark. Note that this is exactly the same argument as you used to prove existence of unique factorizationinto prime elements in a PID, but it is now even simpler, because there is no messing around with units andassociates.

This completes the proof of Theorems 3.3.1 and 3.3.4.Remark. Let’s just take stock for a minute. What did we use about OK here? The key ingredients were:

1. OK is an integral domain.

2. Any non-empty set of non-zero ideals of OK must contain a minimal element (used for the WLOG’ingin Steps 1,6, and 8).

3. Every nonzero prime ideal of OK is maximal.

4. If θ ∈ K satisfies a monic polynomial in Z[X], then θ ∈ OK.

Rings satisfying (2) are said to be Noetherian, and rings satisfying (3) are said to be of Krull dimension one. Forstep 4, one can check that this is equivalent to the (apparently) stronger statement

4’. If θ ∈ K = Frac OK satisfies a monic polynomial in OK[X], then θ ∈ OK.

Rings satisfying 4’ are said to be integrally closed in their field of fractions. So Theorems 3.3.1 and 3.3.4 work forany ring R which is an integral domain, is Noetherian, has Krull dimension one, and is integrally closed inits field of fractions. Such rings are often called Dedekind Domains.

Other than the rings OK, another vital example of a Dedekind domain is K[X] for any field K.

We’ll conclude this section by isolating two useful ideals that come up in the course of the proof:

Proposition 3.3.7 (“To contain is to divide”). Let a, b be fractional ideals of OK. If a ⊇ b then there is an ideal csuch that b = ac.

Proof. We can assume a, b are both non-zero (the other cases are trivial). If a ⊇ b then a−1 ⊆ b−1, soa−1b ⊆ b−1b = OK. Thus c = a−1b is a fractional ideal contained in OK, so it’s an ideal of OK, and it clearlysatisfies ac = aa−1b = OKb = b.

Exercise. This is not true in for all rings, or even all orders of number fields. Can you find a counterexamplein the ring Z[

√−3]?

We now define norms for ideals.

Definition 3.3.8. If a is a non-zero ideal of OK, then we define NmK/Q(a) = |OK/a|.

By abelian-group theory from Algebra 1, we have Nm(〈x〉) = |Nm(x)| for any nonzero element x, so thisnotation is reasonably consistent with the definition for elements. Lecture

16Proposition 3.3.9. If a, b are non-zero ideals of OK then we have Nm(ab) = Nm(a)Nm(b).

Proof. By induction we can suppose b = p is prime. It’s clear that

Nm(ap) = |OK/ap| = |OK/a||a/ap|.

So it suffices to show that |a/ap| = |OK/p|.Since p 6= OK and fractional ideals are a group, ap 6= a, so we can pick a ∈ a \ ap. Then x 7→ ax + ap is a mapOK → a/ap whose kernel contains p. It is not the zero map, since a /∈ ap. So its kernel is a proper ideal ofOK containing p. Since prime ideals are maximal, it must be an injection OK/p→ a/ap. It is also surjective,because there are no ideals strictly between ap and a by unique factorisation; so we are done.

32

Example 3.3.10. The first part of the proposition does not work for orders R 6= OK. We can still de-fine Nm(a) = |R/a|, and this still agrees with the definition for elements, but the relation Nm(ab) =Nm(a)Nm(b) stops working.

For instance, in the order Z[√−3], the ideal a = 〈2, 1 +

√−3〉 clearly has Nm(a) = 2. But it satisfies

a2 = 〈4, 2 + 2√−3,−2 + 2

√−3〉 = 〈4, 2 + 2

√−3〉

and hence a2 = 〈2〉a. So if Nm were multiplicative on ideals of R, we’d have 22 = 4 × 2, which is acontradiction.

Proposition 3.3.11. For any integer N ≥ 1, any number field K, and any order R ⊆ OK, the ring R has only finitelymany ideals of norm N.

Proof. If a is an ideal of norm N, then |R/a| = N, so multiplication by N kills the group R/a and hence〈N〉 ⊆ a. So it suffices to prove that there are only finitely many ideals containing 〈N〉.By the isomorphism theorems, the ideals of R containing 〈N〉 biject with the ideals of the quotient ringR/〈N〉. This ring is finite, of size N[K:Q], so it only has finitely many ideals.

3.4 Prime ideals

The big theorems of the previous chapter show that you can build up all ideals in the ring of integers of anumber field from the prime ideals. So let’s find out a bit more about prime ideals of rings of integers.

From Proposition 3.3.9 it’s clear that if Nm(a) is a prime integer then a is a prime ideal. The converse is false(the ideal 〈3〉 is prime in Z[i], but its norm is 9), but something weaker is true:

Proposition 3.4.1. If p is a prime ideal of OK, then there is a unique prime integer p such that p ⊇ 〈p〉, andNm(p) = pn for some integer n ≥ 1.

Proof. The intersection P = p∩Z is an ideal of Z, and we get an injective map Z/P→ OK/p. Since OK/p is afinite integral domain, and a subring of a finite integral domain is also a finite integral domain, we concludethat Z/P is a finite integral domain. Hence P is a nonzero prime ideal of Z, meaning that P = pZ for someprime integer p, and p is the only prime integer contained in p.

It remains to show that Nm(p) is a power of p. Since p ∈ p, every element of the finite group OK/p iskilled by multiplication by p. Thus OK/p must be a finite product of copies of Z/pZ, by the classification offinitely-generated abelian groups, so |OK/p|must be a power of p as required.

We say p lies over p. The integer f such that Nm(p) = pn is the degree of the field extension[

OKp : Fp

]; it’s

sometimes called the degree of the prime p.

Proposition 3.4.2. For any prime integer p, there are only finitely many distinct primes p1, . . . , pg of OK lying overthe prime p, and we have a factorization

pe11 . . . p

egg = 〈p〉

where ei ≥ 1 are integers. If ni is the degree of pi, then we have ∑gi=1 eini = [K : Q].

Proof. The first part is immediate from the unique factorization theorem, and the second follows by takingnorms of both sides.

Definition 3.4.3. We give names to some of the possibilities as follows:

33

• If all the ei’s and ni’s are 1 (so 〈p〉 is a product of distinct degree 1 primes), we say p is split in OK.

• If g = 1 and e1 = 1 (so 〈p〉 is prime), we say p is inert in OK.

• If one of the ei is > 1, we say p is ramified in OK.

Ramified primes are quite special. For instance, 〈2〉 is a ramified prime in Z[√−5], since we saw that

〈2 = 〈2, 1 +√−5〉2.

The next theorem will tell us how to completely determine the factorisation of 〈p〉:

Theorem 3.4.4 (Dedekind–Kummer). Let α ∈ OK be a primitive element of K, and suppose that p is a prime integernot dividing the index [OK : Z[α]].

Let f be the minimal polynomial of α, and let f ∈ Fp[X] be the reduction of f modulo p. Write f as a product of powersof irreducible polynomials

f (X) = f1(X)e1 f2(X)e2 . . . fr(X)er .

For each i, pick a polynomial fi ∈ Z[X] whose mod p reduction is fi, and let Pi be the ideal 〈p, fi(α)〉 of OK. Then:

• The ideals Pi are independent of the choice of fi.

• The ideals Pi are distinct, and they are precisely the prime ideals of OK lying above p.

• We have

〈p〉 =r

∏i=1

Peii .

We’ll do the proof next time; first let’s do some examples. We’ll usually be interested in the case whenOK = Z[α] (so we can take p to be any prime).Example 3.4.5. Let K = Q(

√−41), so OK = Z[

√−41]. We take α =

√−41, so f (X) = X2 + 41.

Modulo 2, we have X2 + 41 = X2 + 1 = (X + 1)2. So 〈2〉 = P2 where P is the ideal 〈2,√−41 + 1〉. Notice

that P has norm 2, but there are no solutions to a2 + 41b2 = 2 with a, b ∈ Z, so P is not principal.

Modulo 3, we have X2 + 41 = X2 − 1 = (X − 1)(X + 1), so 〈3〉 = 〈3, 1 +√−41〉〈3,−1 +

√−41〉. Again,

these two primes are not principal.

Something similar to this happens modulo 5, 7 and 11 as well – in each case 〈p〉 is the product of two distinctprime ideals of norm p.

Modulo 13 we have X2 + 41 = X2 + 2 which is irreducible (because −2 is not a square modulo 13), so 〈13〉 isa prime ideal of OK. Lecture

17Proof of Dedekind–Kummer. Although it may look scary, the proof is actually not that difficult (far easier thanthe unique factorization theorem).

The key to the proof is that there is an isomorphism of rings

OKpOK

∼=Fp[X]⟨f (X)

⟩ . (?)

Once we have this, virtually everything else will be easy.

We’ll build up (?) by using the ring Z[α]/pZ[α] as a stepping stone. We’ll show that we have isomorphisms

Z[α]/pZ[α] ∼= OK/pOK, (†)

Z[α]/pZ[α] ∼=Fp[X]⟨f (X)

⟩ , (‡)

34

Let’s do (†) first. The second isomorphism theorem tells us that

Z[α]Z[α] ∩ pOK

∼=Z[α] + pOK

pOK,

so we need to check that pOK + Z[α] = OK, and that pOK ∩ Z[α] = pZ[α]. We only know one thing aboutZ[α], which is that its index is coprime to p, so let’s use this: the index of Z[α] + pOK in Z[α] must divide[OK : pOK], which is a power of p, and it must divide [OK : Z[α]], which is coprime to p, so it cannot beanything but 1. That means that the right-hand side of the above isomorphism must have order p[K:Q], soZ[α] ∩ pOK is a subgroup of Z[α] containing pZ[α] and having the same index as pZ[α], and hence they’reequal.

Now let’s do (‡). Here we use the third isomorphism theorem. We have Z[α] = R/〈 f (X)〉R where R = Z[X],so we have

Z[α]/pZ[α] ∼=R/〈 f 〉R

〈p, f 〉R/〈 f 〉R∼=

R〈p, f 〉R

∼=R/〈p〉R

〈p, f 〉R/〈p〉R∼= Fp[X]/〈 f 〉.

Putting these together gives us (?).

Now we’re more or less home and dry. The ideals of OK containing 〈p〉 are precisely the ideals of OK/pOK,but this is the same ring as Fp/〈 f 〉; and the prime ideals of the latter are just the ideals 〈 fi〉. Unwinding theisomorphisms, we see that these correspond to the ideals Pi above, and in particular it comes for free thatthe Pi are independent of the choice of fi lifting fi.

Since ∏i〈 fi〉ei is the zero ideal of Fp/〈 f 〉, the product ∏i Peii is contained in the ideal 〈p〉. To check it’s an

equality, we compute norms: each Pi has norm |OK/Pi| = |Fp[X]/ fi| = pni , where ni = deg fi, so that∏i Nm(Pi)

ei = pdeg( f ) = Nm(〈p〉).For the final statement, let us suppose that p - ∆K. Then the determinant of multiplication by f ′(α) is coprimeto p, so f ′(α) is a unit in OK/p. Running through our isomorphisms above, this shows that f ′(X) is a unit inFp[X]/ f (X). If any of the ei are > 1, then fi(X) divides f ′(X) in this quotient, which is a contradiction; soall the ei must be 1 in this case.

Remark. 1. For any number field K, we can always find some primitive element α lying in OK. Then∆K(1, . . . , αd−1) is a non-zero integer, so there are only finitely many primes which divide it. If p is notin this set, then p - [OK : Z[α]] and we can use Dedekind–Kummer to factorise p in OK, without havingto know exactly what OK looks like.

2. If you choose a prime p, it may happen that there is no α such that [OK : Z[α]] is coprime to p, so thereis no way to apply the Dedekind–Kummer theorem to factorise p. Such a prime is called an “essentialdiscriminant divisor”.

We can also get a new light on Eisenstein’s criterion using this:

Proposition 3.4.6. If α ∈ OK is a primitive element whose minimal polynomial satisfies Eisenstein’s criterion at p,then we have

〈p〉 = P[K:Q],

where P = 〈p, α〉.

35

(In other words, p ramifies “as badly as possible” – we say p is totally ramified.)

Proof. If α has Eisenstein minimal polynomial at p, then [OK : Z[α]] has no element of order p by Lemma2.6.2, so its order is coprime to p. Hence we may apply the Dedekind–Kummer theorem. Since all coefficientsof f except the leading one are divisible by p, we have f (X) = X[K:Q], so 〈p〉 = 〈p, α〉[K:Q].

Exercise. Can you see how to show the following converse statement? If p is a prime which is totally ramified,so 〈p〉 = P[K:Q] for some prime P of OK, then there exists α ∈ OK such that α is a primitive element for Kand the minimal polynomial of α is Eisenstein at p.

Proposition 3.4.7. The prime p ramifies in K if and only if p | ∆K.

Proof (sketch). (The proof I gave in the lectures was incorrect; here’s a better one.)

Suppose (for simplicity) that there exists an α such that [OK : Z[α]] is coprime to p. Then each of the followingstatements is equivalent to the next:

• p | ∆K.

• p | ∆K(1, . . . , αd−1) (since [OK : Z[α]] is coprime to p)

• p | Nm( f ′(α)) (by our discriminant formulae).

• Some prime Pi above p occurs in the factorisation of 〈 f ′(α)〉 in OK (because the primes not dividing phave norm coprime to p).

• f ′(X) is divisible by one of the factors fi of f mod p.

• Some factor fi divides f to a power ei > 1.

• p is ramified in K.

Remark. This proof actually shows that a prime P divides p more than once if and only if P | 〈 f ′(α)〉, sothe ideal d = 〈 f ′(α)〉 encodes more subtle information about ramification in K than the crude informationprovided by ∆K. This ideal d is called the different. It can be defined for arbitrary number fields by writing

d−1 := {x ∈ K : Tr(xy) ∈ Z for all y ∈ OK}

andd := (d−1)−1.

3.5 The Class Group

Let K be a number field. We’ve shown that the non-zero fractional ideals of OK are an abelian group undermultiplication.

Sitting inside this group there is a natural subgroup: the principal fractional ideals 〈a〉 for a ∈ K×.

Definition 3.5.1. The class group of OK is the quotient group

Cl(K) ={non-zero fractional ideals of OK}

{principal ones} .

The elements of Cl(K) are called ideal classes.

36

Lecture18Notice that Cl(K) is the trivial group if and only if OK is a PID, and a Dedekind domain is a PID if and only

if it’s a UFD; so Cl(K) = {1} if and only if we have unique factorisation (of elements) in OK. Thus Cl(K)“measures” how badly unique factorisation fails in OK.

The second main theorem of this course is the following one:

Theorem 3.5.2. The class group of OK is finite for any number field K.

We define the class number of K to be the order of this finite group.

We’ll deduce Theorem 3.5.2 from another theorem, whose proof will come in the next chapter. This onedepends on the embeddings of K. If ϕ is an embedding, we say ϕ is real if ϕ(K) ⊆ R. If ϕ is an embeddingwhich isn’t real, then its complex conjugate ϕ is another embedding different from ϕ, so the non-realembeddings come in conjugate pairs.

Theorem 3.5.3. Suppose K has s real embeddings and t conjugate pairs of non-real embeddings, and let d = [K :Q] = s + 2t. Let a be an ideal of OK. Then there is an element x ∈ a such that

|Nm(x)| ≤ d!dd

(4π

)t√|∆K|Nm(a).

The quantity d!dd

(4π

)t√|∆K| is sometimes called the Minkowski constant for K, and written µK, so the theorem

says that we can find an x with |Nm(x)| ≤ µK Nm(a).

Proposition 3.5.4. Let C be an ideal class in K. Then C contains an ideal a of OK such that

Nm(a) ≤ µK.

Proof. Let C be an ideal class. Then C has an inverse C−1, and C−1 has a representative which is an ideal ofOK, say b. By part (a), there is an x ∈ b such that |Nm(x)| ≤ µK Nm(b).

We set a = b−1 · 〈x〉. This is in the class C, since it differs from b−1 by a principal ideal. Moreover, it is agenuine ideal (not just fractional), since x ∈ b; and its norm is

Nm(a) =|Nm(x)|Nm(b)

≤ µK.

Proof of Theorem 3.5.2. By the preceding proposition, every ideal class C ∈ Cl(K) must contain an ideal ofnorm at most µK. But we saw in Proposition 3.3.11 that there are only finitely many such ideals, so there areonly finitely many possible C.

3.6 Lots of Examples

We can determine the class group of a number field by using Dedekind–Kummer to factor all the ideals ofnorm ≤ µK. The only difficult bit is recognising which ideals are principal; but for imaginary quadratic fieldsthis is easy (because we can easily see whether or not an equation of the form x2 + |d|y2 = n has solutions ornot).Example 3.6.1. We already know that Z[i] has is a PID (it’s a Euclidean domain) but let’s prove this againusing Minkowski’s theorem.

The discriminant is −4 and we have s = 0, t = 1, so

µK =2!22

(4π

)√4 = 4

π ≈ 1.273.

37

So every ideal class contains an ideal of norm ≤ 1. However, the only ideal with norm 1 is the trivial ideal,so there is only one ideal class, and thus Z[i] is a PID.

Example 3.6.2. Consider the field K = Q(√−19). As −19 ≡ 1 (mod 4), an integral basis of K is 1, τ, where

τ = (1 +√−19)/2 is a root of the polynomial f (X) = X2 − X + 5. As before, we have s = 0 and t = 1 so

every ideal class contains an ideal of norm

≤ 2√

19π≈ 2.775,

i.e. of norm ≤ 2.

Suppose now that a has norm 2. Then a must be prime, and must lie above 2. But the polynomial

f (t) ≡ t2 + t + 1 (mod 2)

is irreducible mod 2, so by Dedekind–Kummer the only prime above 2 is 〈2〉 which has norm 4, so there areno ideals of norm 2. Hence OK is a PID.


6). Then K has 2 real embeddings and no non-real ones, so s = 2 and t = 0, and∆K = 24, so the Minkowski constant is

2!22

√24 =

√6 ≈ 2.449.

The only rational prime ≤√

6 is 2. Using Dedekind’s criterion, we see that (2) = p22, where p2 = 〈2,

√6〉

is the unique ideal of norm 2 in OK. Hence Cl(K) is generated by C = [p2], and C2 is the identity class, soCl(K) is either trivial or cyclic of order 2.

In fact, after some experimentation we spot that there is an element of norm −2, namely 2 +√

6. So thismust generate p2, and hence p2 is trivial and K has class number 1.

Remark. It is an open problem to determine if there are infinitely many real quadratic fields with classnumber 1. There are known to be exactly nine imaginary quadratic fields of class number 1, by a theorem ofHeegner, Baker and Stark from the 1950’s.

Example 3.6.4. Let K =√−10, so OK = Z[α] where α is a root of X2 + 10. We compute

µK =4√

10π≈ 4.026.

The only rational primes ≤ µK are 2 and 3. To study their factorisation, use Dedekind’s criterion:

prime f (t) (mod p) factorisation norm2 t2 (2) = p2

2 N(p2) = 23 irred. prime N((3)) = 9

Hence Cl(K) is generated by [p2]. Is p2 principal? Suppose that there exist a, b ∈ Z such that p2 =〈a + b

√−10〉. Then

2 = N(p2) =∣∣N(a + b

√−10)

∣∣ = a2 + 10b2.

However, there are no integers a, b which satisfy this equation, so p2 is not principal. We deduce that [p2] hasorder 2 and hence Cl(K) ∼= Z/2Z.

Lecture19

38

Example 3.6.5. Let’s do K = Q(√−14). The ring of integers is Z[

√−14] and the Minkowski constant is

µK =4√

14π

< 5,

so the class group is generated by primes dividing (2) and (3). We factorise (2) and (3) using Dedekind’scriterion:

prime f (X) (mod p) factorisation norm2 X2 (2) = p2 N(p) = 23 (X− 1)(X + 1) qq′ N(q) = N(q′) = 3

where p = 〈2,√−14〉, q = 〈3, 1−

√−14〉 and q′ = 〈3, 1 +

√−14〉.

Note that p2 ∼ 1 (notation: this means p2 is in the same ideal class as 1) and q′ ∼ (q)−1, so the ideal classgroup is generated by p and q.

To find relations between these, we look around for elements whose norms are smallish powers of 2 and 3.We spot that 18 = 22 + 14 · 12 = Nm(2 +

√−14). The element 2 +

√−14 is in both p and q. Since p and q are

distinct prime ideals, by unique factorisation there exists an ideal r such that

〈2 +√−14〉 = pqr.

Taking norms, we deduce that N(r) = 3, so r = q or r = q′. If r = q′, then qq′ = 〈3〉 | 〈2 +√−14〉, which is

impossible. Hence〈2 +

√−14〉 = pq2,

so

q2 ∼ p−1 ∼ p,

q3 ∼ pq ∼ q−1.

Hence 1, [q], [q2], [q3] are all the ideal classes, and q4 ∼ 1. To show that these classes are distinct, it is sufficientto show that q2 6∼ 1. But q2 ∼ p, and p cannot be principal (as there is obviously no element of norm 2), sowe conclude that Cl(K) ∼= C4, generated by the class of q.

39

Chapter 4

Geometry of Numbers

In this section we’ll prove Theorem 3.5.3, and hence complete the proof of the finiteness of the class group.Perhaps surprisingly, the methods involved are geometrical, not algebraic.

4.1 Blichfeldt’s theorem

Theorem 4.1.1 (Blichfeldt). Let S be a subset of Rn which is compact (i.e. closed and bounded), and has volume1

strictly greater than 1. Then S contains two distinct points whose difference lies in Zn.

[pictures not transcribed]

Proof. Let the standard tile in Rn be the set

T =

x1

...xn

: 0 ≤ xi < 1

.

We call a tile any set of the form T + `, where ` = {m1, . . . , mn} ∈ Zn. Notice that every point in Rn lies inexactly one tile. Moreover, any bounded subset of Rn is contained in a union of finitely many tiles.

Let S be a compact subset of volume > 1, and let `1, . . . , `N be the finite set of vectors ` ∈ Zn such thatS ∩ (T + `) 6= ∅.

For each i, let Si be the set S ∩ (T + ì). Since each tile T + ì has well-defined volume, so does Si; and wehave

S =⊔

iSi ⇒ vol(S) =

N

∑i=1

vol(Si).

We set S′i = Si − ì ⊆ T. Then vol(S′i) = vol(Si).

[picture]

1Strictly speaking, by “volume” I mean “Lebesgue measure”; but this is not a real analysis course, so you can safely assume thatthere’s a well-defined notion of volume for sufficiently nice subsets of Rn that has the properties you’d expect.

40

If the S′i were pairwise disjoint, then we’d have to have

vol

(⋃i

S′i

)= ∑

ivol(S′i)

= ∑i

vol(Si)

= vol(S) > 1.

This is impossible since⋃

i S′i ⊆ T, and T has volume 1. Hence the S′i cannot be pairwise disjoint: there mustexist i, j such that S′i ∩ S′j 6= ∅.

Let x ∈ S′i ∩ S′j. Then xi = x + `i and xj = x + `j are two distinct points of S, and their difference is`i − `j ∈ Zn, as required.

Remark. Answer to an audience question: One can weaken the assumption that S be compact; it suffices toassume that S is Lebesgue measurable.

4.2 Minkowski’s Lattice Theorem

We’re now going to take Blichfeldt’s theorem and dress it up in a rather trivial way to make it seem moreclever.

Definition 4.2.1. A subset S ⊆ Rn is called

• convex if whenever x, y ∈ S, the line segment joining x to y is contained in S.

• centrally symmetric if whenever x ∈ S, then −x ∈ S.

Note that a non-empty convex centrally-symmetric set must contain 0.

Proposition 4.2.2. Let S be a compact convex centrally-symmetric subset of Rn such that vol(S) ≥ 2n. Then Scontains a non-zero point of Zn.

Proof. First suppose that we have a strict inequality vol(S) > 2n.

Consider the “shrunken” set 12 S = { 1

2 x : x ∈ S}. Then vol( 12 S) > 1. By Blichfeldt’s theorem, there are two

distinct points in 12 S whose difference lies in Zn, say x and y = x + ` with ` ∈ Zn non-zero.

Since y ∈ 12 S and S is centrally-symmetric, we have −y ∈ 1

2 S. By convexity, the midpoint of the line segmentjoining x and −y, which is 1

2 (x− y), lies in 12 S. But 1

2 (x− y) = 12 ` ∈

12 Zn; that is, ` is a non-zero point of

S ∩ Zn.

If the volume of S is exactly 2n we have to grub around a bit! We need to use the assumption that S is closed(it’s clearly false otherwise) so we have to do some analysis. Consider the sets (1 + ε)S for 0 < ε < 1. Notethat (1 + ε)S ⊇ S by convexity. If ε > 0, then vol((1 + ε)S) = (1 + ε)n vol(S) > 2n, so (1 + ε)S containsa non-zero point of Zn for every ε > 0. But there can be only finitely many points of Zn in (1 + ε)S forany ε < 1, since S is bounded; so there must be some non-zero point of Zn which is in (1 + ε)S for every0 < ε < 1. Because S is closed, this point is actually in S.

Lecture20Remark. If we assume vol(S) > 2n then we can drop the assumption that S is compact (we don’t even need

to assume it’s measurable, because it can be shown that every convex set is automatically measurable). Forthe case vol(S) = 2n, compactness is really needed.

41

Let’s now dress this up even further.

Definition 4.2.3. A lattice in Rn is a subgroup of Rn (under addition) which is generated as a group by a set e1, . . . , enwhich is a basis of Rn as an R-vector space.

Remark. Notice that any lattice in Rn is isomorphic as a group to Zn, but not every subgroup isomorphic toZn is a lattice, because it’s harder for vectors to be R-linearly independent than Z-linearly independent; for

instance, the subgroup of R2 generated by(

10

)and

(√2

0

)is isomorphic to Z2 but it is not a lattice in R2.

Definition 4.2.4. Let L be a lattice in Rn generated by n linearly independent vectors v1, . . . , vn. We define thecovolume of L to be the volume of the set

TL ={∑ λivi : 0 ≤ λi < 1

}.

Note that this set is a “parallelepiped” (a sort of n-dimensional analogue of a parallelogram). In particular itsvolume is well-defined, finite, and non-zero. As we’ve defined it, this depends on the generating set we’vechosen, but in fact it doesn’t:

Proposition 4.2.5. The covolume of L is given by |det A| where A is the matrix with the v’s as columns. In particular,any two generating sets for L give the same covolume.

Proof. We’ll start by giving a different interpretation of the covolume. By hypothesis, v1, . . . , vn is a basis ofRn, so there is an invertible linear map Rn → Rn which sends the standard basis {e1, . . . , en} to {v1, . . . , vn}.This is precisely the map given by the matrix A. It maps Zn to L, and the standard tile T to TL.

This linear map won’t preserve volumes, though: it scales all volumes by |det A|. So we conclude that

vol(TL) = |det A| · vol(T) = |det A|.

Any other basis of L is given by multiplying the v’s by a matrix with integer entries and determinant ±1, soit doesn’t change the covolume.

Theorem 4.2.6. Let L be a lattice in Rn, and let S be a compact convex centrally-symmetric subset of Rn such that

vol(S) ≥ 2n covol(L).

Then S contains a non-zero point of L.

Proof. We do a basis-change mapping L back onto the standard lattice Zn. This sends S to a new set S′ ofvolume vol(S)

covol(L) . Applying Proposition 4.2.2 to the set S′ gives a nonzero point of Zn ∩ S′, and hence ofL ∩ S.

4.3 The Canonical Embedding

Now let’s go back to the world of number fields. Let K be a number field, and let ϕ1, . . . , ϕd be its embeddings.Let’s suppose that K has s real embeddings and t conjugate pairs of non-real ones, and we number them sothat ϕ1, . . . , ϕs are the real ones, ϕs+1 is the first non-real one and ϕs+2k = ϕs+2k−1 for k = 1, . . . , t.

42

Definition 4.3.1. The canonical embedding is the map

Φ : K → Rn, x 7→

ϕ1(x)...

ϕs(x)Re ϕs+1(x)Im ϕs+1(x)Re ϕs+3(x)

...Re ϕs+2t−1(x)Im ϕs+2t−1(x)

.

Example 4.3.2. If K = Q(√

6) then there are two embeddings a + b√

6 7→ a ± b√

6, and the canonicalembedding is given by

a + b√

6 7→(

a + b√

6a− b

√6

)= a

(11

)+ b

( √6

−√

6

).

On the other hand, if K = Q(i) then the canonical embedding is just

a + bi 7→(

ab

)= a

(10

)+ b

(01

).

Proposition 4.3.3. Let B = {b1, . . . , bd} be a basis of K as a Q-vector space. Then the image of B under Φ is a basisof Rn, and Φ sends the subgroup of K generated by the bi to a lattice of covolume 1

2t

√|∆K(B)|.

In particular an ideal a ⊆ OK maps to a lattice of covolume

12t

√|∆K|Nm(a).

Proof. Concretely, what we have to show is that the determinant of the matrix with columns Φ(bi) is equalto 1

2t

√|∆K(B)|. Since this is always non-zero, it follows that the columns of the matrix generate a lattice, and

that the covolume of this lattice is equal to this determinant by Proposition 4.2.5.

First suppose K is totally real (i.e. t = 0). Then Φ maps the b’s to the matrix with (i, j) entry ϕi(bj),which is precisely the matrix we called T′B in Proposition 2.4.1. We saw there that ∆K(B) = (Det T′B)

2, so|Det T′B| =

√|∆K(B)| (and in particular the bj do map to a lattice).

When there are complex embeddings, this doesn’t quite work because T′B doesn’t have real entries. But onechecks that the matrix with columns Φ(bj) is just T′B multiplied on the left by a matrix looking like

1. . .

1

1/2 1/2−i/2 i/2

. . .1/2 1/2−i/2 i/2

with s ones and t two-by-two blocks, and the determinant of this matrix is ( i

2 )t, so |Det Φ(bj)j=1...d| =

|( i2 )

t Det T′B| =12t

√|∆K(B)|.

43

In particular, taking B to be an integral basis, OK maps to a lattice of covolume 2−t√|∆K|; and an ideal

a ⊆ OK is a subgroup of index Nm(a) in OK, so it maps to a lattice of covolume Nm(a) times as large.

We want to use this to find elements of ideals having smallish norm, so let’s work out how to see the norm ofan element on the Rn side. We define a function Rn → R by∥∥∥∥∥∥∥

x1...

xn

∥∥∥∥∥∥∥

s,t

= |x1x2 . . . xs|(x2s+1 + x2

s+2)(x2s+3 + x2

s+4) . . . (x2s+2t−1 + x2

s+2t),

so that ‖Φ(x)‖s,t = |NmK/Q(x)| for x ∈ K.

Exercise. Check this.

We’d like to use Minkowski theory to find points in the sets {y ∈ Rn : ‖y‖s,t ≤ c}. Sadly these aren’t convexin general, but we’ll put convex sets inside them: Lecture

21Corollary 4.3.4. Suppose that X is a compact, convex, centrally-symmetric subset of Rn such that vol(X) > 0 and‖x‖s,t ≤ 1 for all x ∈ X.

Then for any number field K with s real embeddings and t pairs of complex embeddings, with s + 2t = n, and anybasis B of K, the subgroup generated by B contains a non-zero y such that

|Nm(y)| ≤ 2n−t√|∆K(B)|

vol(X).

Proof. Consider the set λX, where λ is any positive real number. Then the volume of λX is λn vol(X). So ifL is a lattice, and

λn vol(X) ≥ 2n covol(L), (†)

then L contains a non-zero point of λX, so L contains a non-zero element x such that ‖x‖s,t ≤ λn.

Choosing λ as small as possible, so that (†) is an equality, we deduce that any lattice L must contain anon-zero element x such that

‖x‖s,t ≤2n covol(L)

vol(X).

Applying this to the lattice spanned by Φ(B) we deduce that the subgroup generated by B contains anon-zero element of norm at most

2n−t√|∆K(B)|

vol(X)

as required.

It’s clear that an X with vol(X) > 0 exists, and this is already enough to prove the finiteness of the classgroup. To get the exact Minkowski bound we need to choose the best possible X:

Proposition 4.3.5. For any integers s, t ≥ 0 such that n = s+ 2t, there exists a compact, convex, centrally symmetricsubset Xs,t ⊆ Rn with the property that ‖x‖s,t ≤ 1 for all x ∈ Xs,t and

vol(Xs,t) = 2s(π

2

)t nn

n!.

We won’t give a full proof of this, because in order to prove the finiteness of the class group it suffices justto know that the set {‖x‖s,t ≤ 1} contains some compact convex centrally-symmetric subset of non-zerovolume, which is obvious.

44

Example 4.3.6. When s = 2 and t = 0 (the case of a real quadratic field),∥∥∥∥(x

y

)∥∥∥∥2,0

= |xy|, so we want to find

the largest possible convex centrally-symmetric set contained in the star-shape |xy| ≤ 1. We choose the tiltedsquare with vertices at (±2, 0) and (0,±2), whose area is 8. [draw picture]

When s = 0 and t = 1 (the case of an imaginary quadratic field), the set {x : ‖x‖0,1 ≤ 1} is itself convex (it’sthe unit circle, of area π) so we’d be crazy to use anything other than the whole of that set.

Partial proof. We define Xs,t to be the following set:x1

...xn

: |x1|+ · · ·+ |xs|+ 2√

x2s+1 + x2

s+2 + · · ·+ 2√

x2s+2t−1 + x2

s+2t ≤ n

.

This is obviously compact and centrally-symmetric. It’s also convex (exercise). Moreover, for any n positivereal numbers z1, . . . , zn, we have

(z1 . . . zn)1/n ≤ 1

n ∑ zi

(the Arithmetic-Geometric Mean inequality); applying this with z1, . . . , zn taken to be the real numbers

|x1|, . . . , |xs|,√

x2s+1 + x2

s+2, . . . ,√

x2s+2t−1 + x2

s+2t with the latter taken twice each, we get that ‖x‖s,t ≤ 1 forevery x ∈ Xs,t.

Computing the volume of Xs,t is an exercise in volume integrals; see Lang’s book, or Brian Osserman’sonline notes (http://www.math.uiuc.edu/~r-ash/Ant/AntChapter5.pdf).

Proof of Theorem 3.5.3. We compute that

2n−t√|∆K(B)|

vol(Xs,t)=

n!nn

(4π

)t√|∆K(B)|.

Applying this with B a basis for a non-zero ideal a, we have |∆K(B)| = Nm(a)2|∆K|, so we obtain thetheorem.

4.4 Discriminants are Nontrivial

Here’s a pretty consequence due to Minkowski:

Theorem 4.4.1. Let K be a number field. If K 6= Q, then |∆K| 6= 1. In particular, some prime ramifies in K.

Proof. We’ll show that if we assume |∆K| = 1 then Minkowski’s bound for the trivial ideal is nonsense. Thebound would be: OK contains a non-zero element of norm at most(

4π

)s n!nn ≤

(4π

)n/2 n!nn

which is easily seen to be strictly decreasing as a function of n, and is ≈ 0.637 < 1 for n = 2. Since OK cannotcontain a non-zero element with |Nm(x)| < 1 this is absurd.

45

http://www.math.uiuc.edu/~r-ash/Ant/AntChapter5.pdf

Chapter 5

Dirichlet’s Unit Theorem

Lecture22Week 8

The goal of this chapter is to use a bit more lattice theory to attack another important aspect of number fields:their unit groups O×K .

5.1 Roots of Unity

Proposition 5.1.1. Let K be a number field and let R < ∞ be a real number. Then the set

{x ∈ OK : |ϕ(x)| ≤ R for all embeddings ϕ}

is finite.

Proof. This follows from the fact that Φ(OK) is a lattice in Rn, so it has finite intersection with any boundedset.

Theorem 5.1.2. Let K be a number field. Then the set

WK = {x ∈ K× : xn = 1 for some n ≥ 1}

of roots of unity in K is a finite cyclic group, contained in O×K ; and if x ∈ OK, then

x ∈WK ⇐⇒ |ϕ(x)| = 1 for all embeddings ϕ.

Proof. It is clear that that WK is a group, and that it is contained in O×K (because xn − 1 is a monic integralpolynomial).

If x ∈ K is a root of unity, then it is clear that |ϕ(x)|must be 1 for every ϕ. In particular, there are only finitelymany x ∈ OK with this property, by the Proposition 5.1.1. This shows that WK is finite. It is a standard resultthat any finite subgroup of K×, for any field K, is cyclic.

Now suppose x ∈ OK is such that |ϕ(x)| = 1 for all ϕ. Then the same is true of xn for every n; hence thepowers xn all lie in a finite set (by Proposition 5.1.1, again) and hence some two of them must be equal,i.e. we must xm = xm+n for some m, n > 0. Thus x ∈WK.

Remark. The finiteness of WK can also be seen without lattice theory: there are only finitely many rootsof unity in C of any given order, and the degrees of the cyclotomic fields Q(ζN) tend to infinity with N(exercise).

It is not true that every x ∈ K such that |ϕ(x)| = 1 ∀ϕ must be in WK; can you find a counterexample?

46

5.2 Logarithmic Space

We’ll now consider a new embedding which is good for studying units. Let K be a number field with s realembeddings and t conjugate pairs of complex ones, as usual.

Definition 5.2.1. The logarithmic embedding of K is the map L : O×K → Rs+t given by

x 7→

log |ϕ1(x)|...

log |ϕs(x)|

log |ϕs+1(x)|2log |ϕs+3(x)|2

...log |ϕs+2t−1(x)|2

.

Notice that log |x|2 means log(|x|2), not (log x)2, here!

Proposition 5.2.2. The logarithmic embedding is a group homomorphism. It its kernel is the finite group WK, and itsimage is a discrete subgroup of Rs+t contained in the subspace

x1...

xs+t

:s+t

∑i=1

xi = 0

.

Proof. The group homomorphism property is obvious from log(xy) = log(x) + log(y); and the fact that thekernel of L is WK is part of Theorem 5.1.2. The sum of the coordinates of L(x) is given by

log

(n

∏i=1|ϕi(x)|

)= log |Nm(x)| = log 1 = 0,

since every unit has norm ±1.

It remains to show that the image of L is discrete. To see this, we use Proposition 5.1.1 again to show that Lhas finite intersection with any bounded set.

Lemma 5.2.3. Let Γ be a discrete subgroup of Rn. Then Γ ∼= Zr for some r ≤ n, where r is the dimension of theR-subspace of Rn spanned by Γ.

Proof. Let V be the subspace of Rn spanned by the elements of Γ, and fix a basis b1, . . . , br of V contained inΓ. Then these generate a subgroup Γ′ of Γ, and Γ′ ∼= Zr.

Let’s define T′ = {∑ λibi : 0 ≤ λi < 1} as usual. Then every element of V can be written in the form t′ + γ′

where γ′ ∈ Γ′ and t′ ∈ T′ (just chop off the integral parts of the coordinates).

Since T′ is bounded and Γ is discrete, it follows that Γ/Γ′ is finite, so Γ is also isomorphic to Zr.

Corollary 5.2.4 (Dirichlet’s Unit Theorem, weak form). The group O×K is isomorphic to WK × Zr for an integer rsuch that 0 ≤ r ≤ s + t− 1.

Proof. The lemma shows that Image(L) must be isomorphic to Zr for some r ≤ s + t− 1, so O×K /WK ∼= Zr.The result now follows by the classification of finitely-generated abelian groups.

47

5.3 Proof of the strong Unit TheoremLecture23Theorem 5.3.1. The group O×K is isomorphic to WK × Zs+t−1.

The statement of this theorem is examinable knowledge, but the proof is not. Here it is anyway.

Idea of the proof. The ring OK has lots of elements of small norm (because of lattice theory), but not very manyideals (it has finitely many ideals of each norm, because of Proposition 3.3.11). Since two elements generatethe same ideal if and only if they differ by a unit, this means there must be lots of units.

Proof. Let Γ be the image of O×K under the logarithmic embedding L, and let V be the subspace x1

...xs+t

:s+t

∑i=1

xi = 0

.

We want to show that Γ is a lattice in V. To do this, it suffices to show that there is a bounded subset T ⊆ Ssuch that Γ + T = V.

To concoct T we’ll go back to “additive” space and use Minkowski theory, again. If x ∈ Rn we define

`(x) =

log |x1|...

log |xs|log |x2

s+1 + x2s+2|

...log |x2

s+2t−1 + x2s+2t|

,

wherever this makes sense (i.e. when the things we’re taking logarithms of aren’t zero). Then `(Φ(x)) isdefined for any x ∈ K×, and coincides with L(x).

Set S = {y ∈ Rn : ‖y‖s,t = 1}; then ` sends S to V. It’s easy to see that the restriction of ` to S is well-definedand continuous, so it sends compact subsets to compact subsets. Hence it suffices to find a compact subsetS0 of S such that every y ∈ S can be written as Φ(u)s0 with u ∈ O×K and s ∈ S0.

We define a ring structure on Rn in such a way that the canonical embedding Φ is a ring homomorphism(that is, we identify Rn with Rs × Ct, and we multiply coordinate-wise). Then for any y ∈ Rn we have alinear operator my on Rn, the multiplication-by-y operator. It’s easy to see that |det my| = ‖y‖s,t, so that|det my| = 1 if y ∈ S.

Fix some compact convex centrally-symmetric subset X of Rn. Then for any y ∈ Rn we can considermy(X) = yX. If y ∈ S then y is certainly invertible, so we can also consider y−1X, and it has the same volumeas X.

If we choose X big enough, then it follows that y−1X ∩Φ(OK) is non-zero. So we have x = yΦ(α) for somex ∈ X and α ∈ OK. Since X is compact, there is some Q such that ‖x‖s,t ≤ Q for all x ∈ X, and henceNm(α) ≤ Q.

There are only finitely many ideals of OK of norm ≤ Q, so we can pick a finite set α1, . . . , αm such that everyα with norm ≤ Q can be written as αiu with u ∈ O×K .

Let’s take stock. We’ve shown that there is a compact set X, and a finite set α1, . . . , αm, such that for everyy ∈ Rn with ‖y‖s,t = 1, we can find x ∈ X, u ∈ O×K and i ∈ {1, . . . , m} such that

y = Φ(αi)−1Φ(u)−1x.

48

Let S0 = S ∩(∪m

i=1Φ(αi)−1X

), which is clearly a compact subset of S. Then every element of y ∈ Rn can be

written as Φ(u)s0 with x ∈ S0 and u ∈ O×K , as required.

5.4 Real Quadratic Fields and Pell’s Equation

We’ll now use some of these ideas to study a classical topic: the Pell equation, which is the equationx2 − dy2 = 1 (for a given square-free integer d > 1), or more generally x2 − dy2 = n for an integer n. This isclearly closely related to unit groups of fields Q(

√d).

Proposition 5.4.1. Let K = Q(√

d), where d > 1 is squarefree. Then O×K is isomorphic to Z× {±1}, and there is aunique unit u ∈ O×K such that u generates O×K /± 1 and u > 1 (in the standard embedding).

(This unit is called the fundamental unit of K.)

Proof. We have s = 2 and t = 0 so the unit group has rank 1, and since K is a subfield of R, it has no roots ofunity except ±1.

It’s easy to see that if u is any unit mapping to a generator of O×K /± 1, then the other units with this propertyare precisely the set {u, u−1,−u,−u−1}, and this set contains one element from each of the four intervals{(−∞,−1), (−1, 0), (0, 1), (1, ∞)}. So there is a unique u > 1 with this property.

Remark. Fundamental units can be quite large, e.g. the fundamental unit of Q(√

19) is 170 + 39√

19, and thefundamental unit of Q(

√46) is 24335 + 3588

√46.

Lecture24

Proposition 5.4.2. The fundamental unit is given by a + b√

d, where (a, b) is the solution to

a2 − db2 = ±1

with a, b positive integers (if d 6= 1 mod 4) or half-integers (if d = 1 mod 4) having the smallest possible value of a.

Proof. If u is the fundamental unit, then any other unit v > 1 must be un for some n > 1, so in particularv > u. Thus u is the smallest unit > 1. We now have to check that “smallest u” means “smallest a”.

If Nm(u) = +1, then any other unit v > 1 also has Nm(v) = +1 and by definition we have v > u. If wewrite v = x + y

√d, we want to show that x > a. If x ≤ a, then x2 ≤ a2 and hence y2 = x2−1

d ≤ b2 = a2−1d .

Thus y ≤ b. So x + y√

d ≤ a + b√

d, a contradiction. Thus x > a as required.

If Nm(u) = −1, then the same argument shows that any other unit x + y√

d of norm −1 must have x > a.Moreover, u2 is the smallest unit of norm +1, so running the same argument on units of norm +1 showsthat u2 gives the solution to x2 − by2 = +1 with the smallest value of x. So it suffices to check that ifx + y

√d = (a + b

√d)2 then x > a. But we have x = a2 + db2 = 2a2 + 1 and this is always > a.

Example 5.4.3. Consider the field Q(√

6). Since 6 6= 1 mod 4, we must look for solutions to a2 − 6b2 = ±1with a, b positive integers.

If a = 1, then 6b2 = 1± 1, which gives only the trivial solution a = 1, b = 0 (which doesn’t count, becausewe’re looking for positive b).

If a = 2 then 6b2 = 22 ± 1 = 3 or 5, which doesn’t work

If a = 3 then 6b2 = 32 ± 1 = 8 or 10,

If a = 4 then 6b2 = 42 ± 1 = 15 or 17,

49

If a = 5, then 6b2 = 24 or 26, and 24 = 6× 22, so we’ve found a solution, and it’s the smallest solution witha, b > 0. Thus 5 + 2

√6 is the fundamental unit.

So the units u > 1 of Z[√

6] are precisely the elements (5 + 2√

6)n for n ≥ 1. Since 5 + 2√

6 has norm 1, weconclude that every unit of Z[

√6] has norm 1. That is:

• The solutions to the Pell equation x2 − 6y2 = 1 with x, y ∈ N are given by x + y√

6 = (5 + 2√

6)n forn ∈ N;

• The negative Pell equation x2 − 6y2 = −1 has no solutions.

Remark. We could have been a bit more clever in finding the fundamental unit: if a2 − 6b2 = ±1 thena2 = ±1 mod 6, so a is odd and not divisible by 3, which immediately rules out a = 2, 3, 4. But “chalk ischeaper than grey matter”, as the saying goes.

Example 5.4.4. Consider the field Q(√

13). Since 13 = 1 mod 4, we need to look for solutions to a2 − 13b2 =±1 with a, b half-integers, or a2 − 13b2 = ±4 with a, b integers.

a = 1⇒ 13b2 = 1± 4 = −3 or 5

a = 2⇒ 13b2 = 4± 4 = 0 or 8

a = 3⇒ 13b2 = 9± 4 = 5 or 13⇒ (a, b) = (3, 1)

So u = 3+√

132 is the fundamental unit (and its norm is −1).

As the previous example shows, if d = 1 mod 4 the fundamental unit might not be in Z[√

d] and hencewon’t give an integer solution to the Pell equation. But we can get around this:

Proposition 5.4.5. If d = 1 mod 4 and R = Z[√

d] ⊂ OK, then R× is a subgroup of O×K of index either 1 or 3.

Proof. Consider the finite ring Q = OK/2OK. By Dedekind–Kummer we know that this is isomorphic to

F2[X]/(

X2 − X +1− d

4

).

There are now two cases to consider. If d = 1 mod 8, the polynomial is X2 + X = X(X + 1) mod 2, so 2splits in K and Q is isomorphic to F2 × F2. If d = 5 mod 8, the polynomial is X2 + X + 1 mod 2, which isirreducible, so 2 is inert in K and Q is the finite field F4.

So Q× has order either 1 or 3; and hence the kernel of the reduction map O×K → Q× has index either 1 or 3 inO×K . But anything in the kernel is in 1 + 2OK, so in particular it’s in Z + 2OK = R. So the index of R× in O×Kis 1 or 3.

Example 5.4.4, continued: In our example above, we calculate that u3 = 18 + 5√

13 is the fundamental unitof Z[

√13]. This has norm −1, so the solutions of the positive and negative Pell equations for are given by

x + y√

13 = (18 + 5√

13)n for even (respectively, odd) n ∈ N.

Remark. The negative Pell equation has solutions if, and only if, the fundamental unit has norm −1. Some-times this is obviously impossible because of congruences: if p is a prime dividing d, then x2 − dy2 = −1implies that x2 ≡ −1 mod p, which is impossible when p = 3 mod 4. So the example of Q(

√6) is not very

surprising. But this isn’t the whole story: the fundamental unit of Q(√

34) is 35 + 6√

34 which has norm 1,so the negative Pell equation for d = 34 is not solvable in Z, although it has solutions in Q and in Z/NZ forevery integer N.

50

It has been conjectured by Stevenhagen that if d is a randomly chosen square-free integer > 1 with no primefactor that is 3 mod 4, then the probability that the fundamental unit of Q(

√d) has norm 1 is

∞

∏n=0

(1− 1

22n+1

)≈ 0.41.

5.5 Class Groups of Real Quadratic Fields

We want to use this theory to study class groups. The key issue is to understand whether a given ideal isprincipal or not; equivalently, for each integer n, we want to find coset representatives for the elements of OKof norm ±n, up to multiplication by units. Lecture

25Sometimes one can rule out the existence of elements of norm ±n by congruences:

Example 5.5.1. Consider the field K = Q(√

10). The prime 2 is ramified in K: we have 2 = p2 wherep = 〈2,

√10〉. We’d like to know if p is principal. Equivalently, does Z[

√10] contain an element of norm ±2?

In fact it doesn’t: we can’t have x2 − 10y2 = ±2, because if this happened, we’d have x2 = ±2 mod 5 andthese are not quadratic residues mod 5.

The Minkowski bound is√

10 ≈ 3.16, and 3 splits, 3 = 〈3, 1 +√

10〉〈3, 2 +√

10〉. The element 2 +√

10 hasnorm −6, so as usual we deduce that the primes above 3 are in the same ideal class as p and thus the classgroup is cyclic of order 2.

Once you have determined the class group of Q(√

d) and its fundamental unit, you know everything thereis to know about equations of the form x2 − dy2 = n (for any n).

Example 5.5.2 (Example 5.5.1, continued). For which n is the Pell equation x2 − 10y2 = n solvable in N, andwhat can we say about the solutions?

Since the fundamental unit is 3 +√

10, which has norm −1, the equation for n is solvable if and only if theequation for −n is solvable. So let’s restrict to the case of n ≥ 1.

• n = 1: we know how to do this. The smallest norm 1 unit is (3 +√

10)2 = 19 + 6√

10, so the solutionsto x2 − 10y2 = 1 are

x + y√

10 = (19 + 6√

10)n, n ≥ 1.

• n = 2: there’s a unique ideal of norm 2 and it’s not principal, so x2 − 10y2 = 2 is not solvable.

• n = 3: we’ve just shown that the ideals of norm 3 are not principal, so x2 − 10y2 = 3 is not solvable.

• n = 4: since 〈2〉 is the only ideal of norm 4, the solutions are just twice the solutions for n = 1, namely

x + y√

10 = 2 · (19 + 6√

10)n, n ≥ 1.

• n = 5: there is a unique prime ideal of norm 5, since 〈10〉 = p25 where p5 = 〈5,

√10〉; but there is an

element of norm −10, namely√

10, so p5 must be in the same ideal class as the prime above 2 and thusx2 − 10y2 = 5 has no solutions.

• n = 6: there are exactly two ideals of norm 6 (because there is one ideal of norm 2 and two ofnorm 3). We’ve seen that they’re both principal: one has generator 4 +

√10 and the other 4−

√10.

The latter isn’t > 1, so we multiply it by our minimal norm 1 unit to make it so, which gives us(4−

√10)(19 + 6

√10) = 16 + 5

√10.

51

http://projecteuclid.org/euclid.em/1048516217

We conclude that the positive integer solutions to x2 − 10y2 = 6 are given by

x + y√

10 ∈{(4 +

√10)(19 + 6

√10)n : n ≥ 0

}∪{(16 + 5

√10)(19 + 6

√10)n : n ≥ 0

},

and these two sets of solutions are disjoint.

In the above example, we got lucky: we found a way to prove the ideal above 2 wasn’t principal by usingcongruences. But this doesn’t always work. Here’s an example where one has to be a bit craftier:

Example 5.5.3. Consider the quadratic field K = Q(√

79). In this field, 2 is ramified, and the prime above 2 isprincipal (it’s generated by the norm 2 element 9 +

√79). The prime 3 is split,

3 = 〈3, 1 +√

79〉〈3, 2 +√

79〉.

We want to know if these primes are principal; equivalently, whether there’s a solution to x2 − 79y2 = ±3.There’s no solution to x2 − 79y2 = +3 modulo 4, but we can’t rule out solutions to x2 − 79y2 = −3 so easily1.

So we use Dirichlet unit theory. The fundamental unit is u = 80 + 9√

79 (which has norm +1). So if there’sany element x = a + b

√79 of norm −3, there’s one with 1 < x < u.

Since x has norm −3, we have 3/x = −a + b√

79, so that 3/u < −a + b√

79 < 3. Combining theseinequalities we have 1 + 3/u < 2b

√79 < 3 + u, or 0.057 < b < 9.169. As b must be an integer, this reduces

us to 1 ≤ b ≤ 9, and none of these nine possibilities for b actually work. Thus the primes above 3 are reallynot principal.

Remark. This approach is guaranteed to work: you do a finite amount of computation and it’ll either producean element of norm n, or prove that none exists. Notice that the size of the “search space” – the numberof possible a’s and b’s we have to check – depends on how large the fundamental unit u is. If u is verylarge, then there are lots of a’s and b’s, so it’s more plausible that one of them should work. Hence largefundamental units mean that it’s easier for ideals to be principal, and hence that the class group is likely tobe smaller.

5.6 Unit groups modulo primes

If K is a number field and p is a prime ideal of OK, then the homomorphism of rings

OK → OK/p

gives a homomorphism of groupsO×K → (OK/p)×.

Because OK/p is a field, (OK/p)× is just the non-zero elements of OK/p, so it has order |OK/p| − 1 = p f − 1(where f is the degree of p). It’s always a cyclic group (you’ve seen this before for K = Q, but the same proofworks for any finite field).


2). Then 〈3〉 is a prime ideal of K of norm 8.

1In fact the equation x2 − 79y2 = −3 has solutions modulo N for every N, because it has two different rational solutions (x, y) =(2/5, 1/5) and (x, y) = (17/3, 2/3) with coprime denominators.

52

We’ll show that the fundamental unit u = 1 +√

2 is a primitive root modulo 3. We have

u = 1 +√

2 ≡ 1 +√

2u2 = 3 + 2

√2 ≡ 2

√2

u3 = 7 + 5√

2 ≡ 1 + 2√

2u4 = 17 + 12

√2 ≡ 2

u5 = 41 + 29√

2 ≡ 2 + 2√

2u6 = 99 + 70

√2 ≡ 0 +

√2

u7 = 239 + 169√

2 ≡ 2 +√

2u8 = 577 + 408

√2 ≡ 1.

Sometimes, we can use reduction modulo primes to find out things about the unit group:

Proposition 5.6.2. Suppose u ∈ O×K and p is a prime of K. If n ≥ 1 is an integer such that u is not an n-th power in(OK/p)×, then u is not an n-th power in O×K .

Proof. This is trivial: if u = vn, then u mod p = vn mod p.

Although this is trivial, it can be rather useful in practice. We’ll see in the next chapter that one can often usenumber fields to solve equations in the integers. When doing this, one needs to know something about theunits; but one usually doesn’t need to know generators for O×K , just generators for the quotient O×K /NO×K forsome integer n, and one can often find these quickly by reducing modulo p. Lecture

26Example 5.6.3. Suppose we didn’t know that u = 1 +√

2 was the fundamental unit of Q(√

2), and we justwanted to know what O×K /3O×K looked like.

We know (by Dirichlet’s unit theorem) that O×K /3O×K must be cyclic of order 3, and it’s generated by any unitthat isn’t a cube. So we want to know that 1 +

√2 is not a cube of a unit.

The first thing that comes to mind is: reduce modulo a prime. We probably want the norm of this prime tobe 1 mod 3, so that not everything is a cube mod p. Working mod a prime above 7 sounds like a good idea;there are two, and one of them is p = 〈7, 3 +

√2〉 whose residue field is F7. Modulo p, we have

√2 = −3 so

u = −2 = 5, which is not a cube in F×7 (it’s even a primitive root mod 7).

So u generates O×K /3O×K .

Remark. Of course, we knew this would work because u is the fundamental unit. The advantage of thismethod is that it works, with no fuss, for pretty much any number field, while finding generators for O×Kwhen K has degree ≥ 3 is much harder.

53

Chapter 6

Diophantine Equations

A Diophantine equation is an equation in some finite set of variables a, b, c, . . . that we want to solve for integervalues of the variables. Some examples are

• The Fermat equation xn + yn = zn.

• Pell’s equation x2 − dy2 = n (solving for x, y, with d and n being given).

• The Ramanujan–Nagell equation 2n − 7 = x2.

In this last chapter, we’ll use number fields to solve some Diophantine equations.

6.1 Factorisation and n-th powers

Here’s an easy lemma about integers:

Lemma 6.1.1. If r and s are coprime integers, and rs is an n-th power (for some n ≥ 1), then r and s are both of theform ±xn.

To prove this, just think about the prime factorisations of r and s. If n is odd, then we can ignore the signs,because −xn = (−x)n. This little lemma is surprisingly useful in solving Diophantine equations:

Example 6.1.2. Suppose we want to find all integer solutions to y2 = x3 + 16. There’s one obvious pair ofsolutions (x, y) = (0,±4); are there any others?

We can rewrite the equation as y2 − 16 = x3, or (y− 4)(y + 4) = x3.

Now y must be either even or odd. If y is odd, then y− 4 and y + 4 have no common factors; so, by thelemma, they must both be cubes. But cubes get further and further apart, so there aren’t very many pairs ofcubes that differ by 8, and in fact there are none where the cubes are odd.

If y is even, then x is even; so x3 + 16 is divisible by 8, hence y = 4y′ for some y′. But then x3 = 16y′2 − 16 isdivisible by 16, so x is also a multiple of 4, say x = 4x′. Then we have

16y′2 = 64x′2 + 16⇒ y′2 = 4x′3 + 1,

so that y′ is odd. Finally, writing y′ = 2y′′ + 1 we end up at

x′3 = y′′(y′′ + 1)

54

so y′′ and y′′ + 1 are cubes that differ by 1, which means that y′′ is 0 or −1. Thus y′ = ±1 and hence y = ±4as required.

Now suppose we want to solve y2 = x3 + k for some other value of k. This class of equation is called aMordell equation. If k is a square, then we can argue as above: we factorise y2 − k, and either y is coprime tok, in which case y± k are both cubes, and there are not many possibilities; or we can divide out by somecommon factor and reduce to another equation (which we can often reduce to another Mordell-type equation,as above).

If k isn’t a square, then what? With the training that we have by this point, the obvious thing to do is tofactorise y2 − k in the ring of integers of Q(

√k). But does the lemma still hold? Sadly no, because its proof

relies on unique factorisation:Example 6.1.3. In the field K = Q(

√−26), we have (1+

√−26)(1−

√−26) = 27 = 33. I claim that 1+

√−26

is not a cube.

If we had 1 +√−26 = (a + b

√−26)3 then we’d have{

a3 − 78ab2 = 13a2b− 26b3 = 1

and the first factorises as a(a2 − 78b2) = 1, which implies that a = ±1 and 78b2 = (±1)2 ± 1, which isobviously impossible.

So non-trivial class groups can really screw things up. Kummer’s fantastic insight was that one can rescuesomething from this mess:

Theorem 6.1.4. Let K be a number field, n ≥ 1, and r, s ∈ OK such that rs is a nonzero n-th power in OK and rand s are coprime (i.e. 〈r, s〉 is the unit ideal). If n is coprime to the class number of K, then r = uxn, s = vyn wherex, y ∈ OK and u, v are units.

Proof. Because we do have unique factorisation for ideals of OK, the same argument as in the proof of thelemma shows that the ideals 〈r〉 and 〈s〉 are both n-th powers of ideals; that is, we have 〈r〉 = an, 〈s〉 = bn

for some ideals a, b.

Since an is principal, the order of [a] in Cl(K) must divide n. But it also divides the class number of K, andsince these two numbers are coprime, [a] must be the trivial class, so a = 〈x〉 for some x. Hence 〈r〉 = 〈xn〉,i.e. r = uxn for some unit u, and similarly for s.

Remark. Kummer famously used this to prove that xp + yp = zp has no integer solutions if p ≥ 3 is primeand p doesn’t divide the class number of Q(ζp), which happens for all p ≤ 100 except 37, 59, and 67. You canprobably see now how he did this: he factored xp + yp in Q(ζp), and then used the theorem to conclude thatx + ζpy was a p-th power times a unit, which puts a pretty strong constraint on x and y. There’s a (nearly)full description of Kummer’s proof in Stewart and Tall.

6.2 Some Examples

Example 6.2.1. Here’s an easy example of a Mordell equation:

y2 = x3 − 2.

There’s an obvious solution, namely 52 = 33 − 2. The class group of Q(√−2) is trivial, so we should be able

to get some mileage out of the factorisation

(y−√−2)(y +

√−2) = x3.

55

First we check whether the factors on the left-hand side are coprime. Any common factor would have todivide 2

√−2 and thus be a power of the prime 〈

√2〉 above 2. This would force y to be even; but if y is even,

then x is also even and hence x3 − 2 is 2 mod 4, which is a contradiction.

Since O×K = {±1} and −1 is a cube, we conclude that y +√−2 must be a cube, and that gives us the

equations

y +√−2 = (a + b

√−2)3 ⇒

{a3 − 6ab2 = y3a2b− 2b3 = 1

.

The last equation factors as b(3a2 − 2b2) = 1. So b must be ±1. If b = +1 then 3a2 − 2b2 = 1 ⇒ 3a2 = 3,so a = ±1. If b = −1 then 3a2 − 2b2 = −1, so 3a2 = 1 which is impossible. So (a, b) = (±1, 1), and thusy = ±5. So the solution we spotted is the only one, up to signs.

Remark. Apparently, some British mathematicians sent this problem to Fermat as a challenge, to see if hecould solve it. In typical Fermat style, he responded that he could prove that (3,±5) were the only solutionsbut didn’t say how!

Lecture27Example 6.2.2. Consider the Mordell equation for k = +2, that is y2 = x3 + 2.

As before, we see by reducing mod 4 that y must be odd, so (y +√

2)(y−√

2) = x3 is a factorisation of acube into coprime factors in Z[

√2]. If we set up the equation y +

√2 = (a + b

√2)3 and expand out, we get{

a(a2 + 6b2) = yb(3a2 + 2b2) = 1

so 3a2 + 2b2 = ±1, which is obviously impossible.

But something has gone wrong here, because it’s easy to see that x = −1, y = 1 is a solution! The reasonis that we’ve forgotten the unit group: because Q(

√2) is a real quadratic field, its unit group is {±1} × Z.

Thus O×K /3O×K is nontrivial, generated by the fundamental unit u = 1 +√

2, so we have to consider multiplecases: y +

√2 must be of the form (1 +

√2)iz3 for some z ∈ Z[

√2] and 0 ≤ i < 3.

We’ve shown that i = 0 doesn’t work. Let’s see what happens for i = 1: we need to solve

y +√

2 = (1 +√

2)(a + b√

2)3

and this does have a solution, with a = 1, b = 0, which gives the solution (x, y) = (−1, 1) we saw above.(In fact this is the only possibility for i = 1, and i = 2 just gives (−1,−1), but this takes a bit more work toprove.)

6.3 The Ramanujan–Nagell Equation

This section is just for fun, and not examinable.

Theorem 6.3.1 (Nagell; conjectured by Ramanujan). The only solutions to the equation

2n = x2 + 7

with n, x ∈ N are(n, x) = {(3, 1), (4, 3), (5, 5), (7, 11), (15, 81)}.

The proof below is due to Helmut Hasse. I think it’s rather elegant.

56

Proof. First, let’s suppose n = 2m is even, and x ≥ 0. Then we can factor 2n − x2 = (2m − x)(2m + x).

Since x > 0, 2m + x is obviously positive, and since 7 is prime, we must have 2m + x = 7 and 2m − x = 1.Thus 2x = (2m + x)− (2m − x) = 6, so x = 3 and 2m = 4. This gives the solution (n, x) = (4, 3).

Now we come to the more difficult case of n odd. We use the factorisation

2n = (x +√−7)(x−

√−7)

in the ring of integers of K = Q(√−7). Since 2n is even, x must be odd; hence x+

√−7

2 is in OK and we have

2n−2 =

(x +√−7

2

)(x−√−7

2

).

Let’s write m = n− 2; note that we must have m ≥ 0 (since n = 1 obviously doesn’t give a solution). So(x +√−7

2

)(x−√−7

2

)=

(1 +√−7

2

)m (1−√−7

2

)m

.

The factors on the left-hand side are coprime (since otherwise they’d have to be in 2OK, which they clearlyaren’t). So we must have either(

x +√−7

2

)= ±

(1 +√−7

2

)m

,

(x−√−7

2

)= ±

(1−√−7

2

)m

or (x +√−7

2

)= ±

(1−√−7

2

)m

,

(x−√−7

2

)= ±

(1 +√−7

2

)m

Subtracting the two equations, we see that in both cases we get the equation(1 +√−7

2

)m

−(

1−√−7

2

)m

= ±√−7.

(Notice that x has disappeared completely from consideration here: any solution to this one-variable equationgives a solution (n, x) to the original two-variable equation.)

For m = 1 we obviously get a solution (with the plus sign), and this corresponds to (n, x) = (3, 1) above. Weclaim that the plus sign cannot occur for m > 1. Suppose it does; let us write a = 1+

√−7

2 , b = 1−√−7

2 . Thenwe have am − bm = a− b. We shall obtain a contradiction by reducing modulo b2. Since ab = 2 and a + b = 1we have a2 = (1− b)2 = 1− (ab)b + b2 = 1 + b2(1− a) ≡ 1 mod b2, so that we obtain a = a− b mod b2,which is impossible since b 6= 0 mod b2.

Thus we must have am − bm = b − a. Expanding the LHS using the binomial theorem and comparingcoefficients, we have

−2m−1 =

(m1

)− 7(

m3

)+ . . .

so −2m−1 = m mod 7. This implies that m must be 3, 5, or 13 modulo 42; and m = 3, m = 5, m = 13 do allwork!

We conclude by showing that there cannot be two solutions that are congruent modulo 42. Suppose m1 < m2are two solutions, and suppose ` ≥ 1 is such that 7` exactly divides m′ −m.

Lemma 6.3.2. If 6× 7` divides h, then ah = 1 + h√−7 mod 7`+1OK.

57

Proof of Lemma. First suppose ` = 0. We have a6k = (1+√−7)6k

26k . By Fermat’s little theorem we have 26 =

1 mod 7, so the denominator is no problem, and the numerator is 1 + 6k√−7 + (6k

2 )√−72

+ · · · = 1 +

6k√−7 mod 7OK.

Now suppose ` ≥ 1 and the result holds for `− 1. Then for some A ∈ OK we have

ah = (1 + h7

√−7 + 7`A)7

= (1 + h7

√−7)7 mod 7`+1

= 1 + h√−7 + . . . mod 7`+1

and all the neglected terms are divisible by 7`+1.

Now, back to the main proof: using the lemma, we have

am2 = am1(

1 + (m1 −m2)√−7)

mod 7`+1OK

and similarlybm2 = bm1

((1− (m1 −m2)

√−7)

mod 7`+1OK.

and since by assumption am2 − bm2 = am1 − bm1 = −√−7, subtracting the two equations gives

(m2 −m1)√−7(am1 + bm1) = 0 mod 7`+1OK.

Since am1 + bm1 = am1 − bm1 + 2bm1 = −√−7 + 2bm1 6= 0 mod 7OK, we have

(m2 −m1)√−7 = 0 mod 7`+1OK

and since m1, m2 are integers, this actually forces m2 = m1 mod 7`+1, which contradicts the definition of `.Hence there is at most one solution for each congruence class modulo 42, and thus the solutions we havefound are all the solutions.

The End

58

ma3a6 algebraic number theory - university of warwick€¦ · this is a module about algebraic...

Documents