Number Theory Summary, Study notes of Number Theory

A summary of number theory, focusing on the set of integers Z and its arithmetic operations. It covers topics such as divisibility, primes, unique factorization, rings, integral domains, and Fermat's principle of infinite descent. The document also explains division with remainder and the concept of m divides n. The document could be useful as study notes or a summary for a course in number theory or abstract algebra.

Typology: Study notes

2022/2023

Uploaded on 05/11/2023

ekani

Number Theory Summary

Divisibility and primes

The set Z = {…, −2, −1, 0, 1, 2, …} of integers, with its arithmetic operations of addition and multiplication, is the fundamental object of study in number theory. The structure of Z under addition is certainly easy to understand; it is an infinite cyclic group. The multiplicative structure of Z lies somewhat deeper. We have unique factorization of nonzero integers into primes - this is called the Fundamental Theorem of Arithmetic. The structure of Z under multiplication is then transparent given the primes, but the finer properties of the primes themselves are quite mysterious.

A ring is an abelian group, with the group operation called addition and written additively with +, on which there is another binary operation called multiplication which is written multiplicatively with a dot or without any sign. The multiplication is required to be associative, but does not need to be commutative. Addition and multiplication are related by distributivity; multiplication distributes over addition by the laws a(b+c) = (ab)+(ac) and (a+b)c = (ac)+(bc). From the algebraic point of view, Z appears as a fundamental example of a commutative ring with multiplicative neutral element and without zero divisors. The latter property formalizes the observation that if m, n ∈ Z and mn = 0, then m = 0 or n = 0. So though division is not in general possible in Z without leaving its confines, nonzero common factors may be canceled, which is convenient when solving equations. Commutative rings with a multiplicative neutral element different from zero and without zero divisors are called factorial rings or integral domains. An integral domain in which every nonzero element has a multiplicative inverse is called a field.

The set N_0 ⊂ Z of nonnegative integers 0, 1, 2, 3, … has an important property that is the basis for the principle of mathematical induction. The property may be formulated in various ways, but we use the one called Fermat’s principle of infinite descent: If A ⊆ N_0 is a set of nonnegative integers so that for every a ∈ A there is some b ∈ A with b < a, then A = ∅.

Division with remainder. Suppose that m is a positive integer and n a nonnegative integer. Then there exist integers q and r with 0 ≤ r < m, for which n = mq + r. The integer q is called the quotient and r the remainder.

Proof. Given any positive integer m, let A_m be the set of nonnegative integers n for which division by m with remainder fails. Clearly n ∈ A_m implies n ≥ m, for otherwise n = m·0 + n with 0 ≤ n < m. But then n − m is a nonnegative integer. And division of n − m by m with remainder must fail, for n − m = mq + r implies n = m(q + 1) + r. Since n − m < n, Fermat’s principle of infinite descent implies that A_m = ∅.

Given two integers m and n we say that m divides n, which we write as m|n, if there is a third integer k such that n = km. Since n = km and m = jl implies n = (kj)l, we see that l|m and m|n implies l|n. Moreover if m|n then m|cn for any integer c, since n = km implies cn = (ck)m. And if m|n and m|o then m|(n ± o) since n = km and o = lm gives n ± o = (k ± l)m. The statement 0|n holds only if n = 0. Because this case is unimportant, and might sometimes require an exception, it is often excluded. If this case is excluded, in particular, m|n is equivalent to n/m being an integer.

The units in Z are the integers u satisfying u|1. Clearly these are ±1. Two elements a and b in Z are associates if a = ub with u a unit. If m|n without m and n being associates, we say that m strictly divides n. The nonzero elements in Z come in pairs n, −n of associates. We note that if both m|n and n|m then n = km = k(ln) = (kl)n. Here m = n = 0, or kl = 1 so k is a unit. Hence m and n are associates.

An ideal 𝔞 in Z is a nonempty subset of Z such that a, b ∈ 𝔞 and n ∈ Z implies a + b ∈ 𝔞 and na ∈ 𝔞. It is clear that {0} and Z are ideals. Moreover, if n is an integer, then nZ is an ideal. Such ideals generated by a single element are called principal ideals. Division with remainder implies that in Z all ideals are principal. The zero ideal is clearly principal. If 𝔞 ≠ {0} is an ideal in Z and a ∈ 𝔞, then −a ∈ 𝔞, so 𝔞 contains a smallest positive element m. Suppose that n is any element of 𝔞. We shall prove that m|n, so that 𝔞 = mZ. If n = 0 the statement is clear, and if −n is a multiple of m, so is n. Thus we may assume that n is nonnegative. Divide n by m with remainder, so n = qm + r where 0 ≤ r < m. Since m, n ∈ 𝔞, we also have r = n − qm ∈ 𝔞 because 𝔞 is an ideal. Because m is the smallest positive element in 𝔞, it follows that r = 0 and hence m|n. Thus every ideal in Z is principal.
A nonzero element a ∈ Z is an irreducible element if it is not a unit and if for any factorization a = bc, one of b and c is a unit. The irreducibles in Z are precisely the elements ±p where p runs through the prime numbers. A nonzero element a ∈ Z is a prime element if it is not a unit and if a|bc implies a|b or a|c. We see by induction that if a is a prime element and a|b_1b_2···b_s then a|b_i for some i with 1 ≤ i ≤ s. Any prime element is an irreducible element, for if a = bc with a a prime element, then a divides one of b or c, say without loss of generality that a|b. Then b = ak so a = akc and thus 1 = kc, hence c is a unit.

Fundamental Theorem of Arithmetic. Any nonzero integer that is not a unit is a product of irreducibles, unique up to order and associates.

Proof. Any element in Z which is neither zero nor a unit has a factorization into irreducibles. For assume that a is such an element that has no factorization into irreducibles. Then a has some factorization a = bc where neither b nor c is a unit, otherwise a would itself be an irreducible. Moreover at least one of the elements b and c has no factorization into irreducibles. Then we can find an infinite sequence (c_i)_{i≥0} of elements in Z such that c_0 = a and c_i = b_{i+1}c_{i+1} where b_{i+1} is never a unit. Now assume that (c_i) is any infinite sequence of nonzero

That Z is a PID came from division with remainder, which is a result that is special to the integers. But for some integral domains there exists a substitute. An integral domain R is said to have a gauge g : R \ {0} → N if a|b implies g(a) ≤ g(b) and if for any a ∈ R and b ∈ R \ {0} there exist elements q, r ∈ R such that a = bq + r with r = 0 or g(r) < g(b). An integral domain that carries a gauge is called a Euclidean domain. Every Euclidean domain R is a principal ideal domain. For if 𝔟 is a nonzero ideal in R then there exists some nonzero element b ∈ 𝔟 for which g(b) is minimal. For any element a ∈ 𝔟, there exist elements q, r ∈ R with a = bq + r and r = 0 or g(r) < g(b). The latter possibility is impossible by the choice of b, so r = 0 and thus a = bq. Hence 𝔟 = (b) and so R is a PID.

If k is a field and a(x), b(x) ∈ k[x] with b(x) ≢ 0, there exist polynomials q(x) and r(x) over k with a(x) = b(x)q(x) + r(x) and deg(r) < deg(b). To prove this we may clearly assume that deg(a) ≥ deg(b). Then the method of undetermined coefficients applied with q(x) a polynomial over k of degree at most deg(a) − deg(b) and r(x) a polynomial over k of degree at most deg(b) − 1 leads to a linear system of deg(a) + 1 equations over k and deg(a) − deg(b) + 1 + deg(b) = deg(a) + 1 unknowns. The system is square and choosing a(x) ≡ 0 we find the unique solution q(x) ≡ 0 and r(x) ≡ 0 by b(x) ≢ 0, so the system has a solution for any choice of a(x). Since a polynomial that divides another polynomial has degree no larger than the other polynomial, the degree is a gauge and k[x] is a principal ideal domain. Thus any polynomial over k factors uniquely up to order and scalar factors into a product of polynomials irreducible over k. For the units in k[x] are the nonzero elements of k.

The ring Z[√−1] = Z + Z√−1 = Z + Zi of Gaussian integers is also a Euclidean domain. We may choose g(α) = αᾱ as gauge. For given Gaussian integers α and β ≠ 0, there is a Gaussian integer σ with

$$\left|\operatorname{Re}\frac{\alpha}{\beta} - \operatorname{Re}(\sigma)\right| \le \frac{1}{2} \quad\text{and}\quad \left|\operatorname{Im}\frac{\alpha}{\beta} - \operatorname{Im}(\sigma)\right| \le \frac{1}{2}.$$

Choosing ρ = α − βσ we see that

$$g(\rho) = |\alpha - \beta\sigma|^2 = |\beta|^2\left|\frac{\alpha}{\beta} - \sigma\right|^2 \le g(\beta)\left(\left(\tfrac{1}{2}\right)^2 + \left(\tfrac{1}{2}\right)^2\right) < g(\beta).$$
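The rounding argument above is an algorithm: take σ to be a nearest Gaussian integer to α/β and the remainder automatically has smaller gauge, so the Euclidean algorithm runs in Z[i] exactly as it does in Z. The following is an added example, not code from the notes; it represents Gaussian integers as Python complex numbers with integer parts, computes α/β exactly with fractions, and checks the gauge inequality g(ρ) < g(β) on a constructed grid of inputs.

```python
# Added example (not from the notes): division with remainder in the Gaussian
# integers Z[i] with the gauge g(alpha) = alpha * conj(alpha) = |alpha|^2, as in the
# argument above.  Gaussian integers are represented as Python complex numbers with
# integer real and imaginary parts; the quotient sigma is a nearest Gaussian integer
# to alpha/beta, so |Re(alpha/beta) - Re(sigma)| <= 1/2 and likewise for Im.
from fractions import Fraction
from math import floor


def gauss_norm(z):
    """g(z) = z * conj(z) = Re(z)^2 + Im(z)^2 for a Gaussian integer z."""
    return int(z.real) ** 2 + int(z.imag) ** 2


def nearest_int(x):
    """An integer n with |x - n| <= 1/2 (x an exact Fraction; ties round down)."""
    return floor(x + Fraction(1, 2))


def gauss_divmod(alpha, beta):
    """Return (sigma, rho) with alpha = beta*sigma + rho and g(rho) < g(beta); beta != 0."""
    a, b = int(alpha.real), int(alpha.imag)
    c, d = int(beta.real), int(beta.imag)
    g_beta = c * c + d * d
    if g_beta == 0:
        raise ZeroDivisionError("division by zero in Z[i]")
    # alpha/beta = alpha*conj(beta)/g(beta); keep the quotient exact with Fractions
    re = Fraction(a * c + b * d, g_beta)
    im = Fraction(b * c - a * d, g_beta)
    sigma = complex(nearest_int(re), nearest_int(im))
    rho = alpha - beta * sigma
    return sigma, rho


def gauss_gcd(alpha, beta):
    """Euclidean algorithm in Z[i]; the result is a gcd, determined up to the units 1, -1, i, -i."""
    while beta != 0:
        _, rho = gauss_divmod(alpha, beta)
        alpha, beta = beta, rho
    return alpha


def gauge_decreases(alpha, beta):
    """The defining property of the gauge: the remainder has strictly smaller g than beta."""
    _, rho = gauss_divmod(alpha, beta)
    return gauss_norm(rho) < gauss_norm(beta)


if __name__ == "__main__":
    # constructed inputs: 7+3i divided by 2+i, and gcd(5, 2+i) = 2+i up to a unit
    print(gauss_divmod(complex(7, 3), complex(2, 1)))
    print(gauss_gcd(complex(5, 0), complex(2, 1)))
```

Because g(ρ) ≤ g(β)/2, the gauge at least halves at every step, so the number of divisions is logarithmic in g(β), mirroring the O(log b) bound for the integer algorithm.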

If moreover α = βγ is an equation in Gaussian integers, $g(\alpha) = \alpha\bar\alpha = \beta\gamma\overline{\beta\gamma} = \beta\bar\beta\gamma\bar\gamma = g(\beta)g(\gamma)$ shows that β|α implies that g(β) ≤ g(α), so g is a gauge. Hence the Gaussian integers constitute a PID and thus a UFD.

Unique factorization into primes yields a complete description of all the positive divisors of a positive integer. Any positive integer a has a factorization

$$a = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_r^{\alpha_r}$$

into powers of distinct primes, where the product is empty if a = 1. If d is a positive integer with d|a, and p is a prime with p|d, then p|a. Since p is a prime, this yields p|p_i and hence p = p_i for some i with 1 ≤ i ≤ r. So the prime factorization of d is of the form

$$d = p_1^{\delta_1} p_2^{\delta_2} \cdots p_r^{\delta_r}$$

where the δ_i are nonnegative integers. Since d|a we have a = dc where c is also a divisor of a and hence of the form

$$c = p_1^{\gamma_1} p_2^{\gamma_2} \cdots p_r^{\gamma_r}$$

where the γ_i are nonnegative integers. Now

$$p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_r^{\alpha_r} = a = dc = p_1^{\gamma_1+\delta_1} p_2^{\gamma_2+\delta_2} \cdots p_r^{\gamma_r+\delta_r}$$

and since a prime cannot divide a product of primes unless it is one of the factors, we see that γ_i + δ_i = α_i for all i with 1 ≤ i ≤ r. Hence the divisors of

$$a = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_r^{\alpha_r}$$

are precisely the integers of the form

$$d = p_1^{\delta_1} p_2^{\delta_2} \cdots p_r^{\delta_r}$$

with 0 ≤ δ_i ≤ α_i for all i with 1 ≤ i ≤ r. A positive integer s is squarefree if it is not divisible by any square k² ≥ 4. The notation $p^\alpha \,\|\, n$ signifies that $p^\alpha | n$ but $p^{\alpha+1} \nmid n$, which means that $p^\alpha$ is the exact power to which p divides n. In this notation, an integer s is squarefree if and only if p|s implies that p||s.

We end our discussion of unique factorization into primes with Euclid’s proof that there are infinitely many primes. Let p_1, p_2, …, p_r be any finite collection of primes. Consider the nonzero integer n = p_1p_2···p_r + 1. It is not a unit and so it is divisible by some prime q. But if q is contained in the collection p_1, p_2, …, p_r then q|p_1p_2···p_r, which would imply that q|1, an impossibility. For a few arithmetic progressions the same argument may be used to show the existence of infinitely many primes in the progression, in particular for the arithmetic progression 3, 7, 11, 15, … of integers of the form 4m − 1. Let p_1, p_2, …, p_r be any finite collection of primes from the latter progression. Consider the nonzero integer n = 4p_1p_2···p_r − 1. It is odd and it is not a unit and so it is divisible by some odd prime. Any product of integers of the form 4m + 1 is itself of this form, so n must be divisible by some prime q of the form 4m − 1. But if q is contained in the collection p_1, p_2, …, p_r then q|p_1p_2···p_r, which would imply that q|(−1), an impossibility.
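The description of the divisors of a as the products p_i^{δ_i} with 0 ≤ δ_i ≤ α_i is directly an enumeration procedure, and the exact-power notation p^α||n and the squarefree test both read off the exponents of the factorization. The following added example (not from the notes) implements these from a trial-division factorization, which is adequate for the small inputs used here, and also carries out Euclid's construction p_1···p_r + 1 on a constructed list of primes to show that the new prime it guarantees need not be the number itself.

```python
# Added example (not from the notes): divisors, exact prime powers and the
# squarefree test read off a prime factorization, plus Euclid's construction.
# Trial division is used only because the inputs here are small.
from itertools import product


def factorize(n):
    """Return [(p, alpha), ...] with n = prod p^alpha, primes increasing; n >= 1."""
    factors = []
    p = 2
    while p * p <= n:
        alpha = 0
        while n % p == 0:
            n //= p
            alpha += 1
        if alpha:
            factors.append((p, alpha))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def divisors(n):
    """All positive divisors of n: the products p_i^delta_i with 0 <= delta_i <= alpha_i."""
    fac = factorize(n)
    result = []
    for deltas in product(*[range(alpha + 1) for _, alpha in fac]):
        d = 1
        for (p, _), delta in zip(fac, deltas):
            d *= p ** delta
        result.append(d)
    return sorted(result)


def exact_power(p, n):
    """The alpha with p^alpha || n, i.e. p^alpha | n but p^(alpha+1) does not divide n."""
    alpha = 0
    while n % p == 0:
        n //= p
        alpha += 1
    return alpha


def is_squarefree(n):
    """n is squarefree iff every prime p | n satisfies p || n (exponent exactly one)."""
    return all(alpha == 1 for _, alpha in factorize(n))


def primes_outside(primes):
    """Euclid's argument: the prime factors of p_1*...*p_r + 1 that are not among the given primes."""
    n = 1
    for p in primes:
        n *= p
    n += 1
    return [p for p, _ in factorize(n) if p not in primes]


if __name__ == "__main__":
    print(divisors(360))                      # 24 divisors, since 360 = 2^3 * 3^2 * 5
    print(exact_power(2, 48), is_squarefree(30), is_squarefree(12))
    print(primes_outside([2, 3, 5, 7, 11, 13]))  # 30031 = 59 * 509 is not itself prime
```

The number of divisors is the product of the (α_i + 1), which is why `divisors(360)` returns 4·3·2 = 24 values; `primes_outside` shows the proof's point that only the existence of some new prime factor is claimed, not that p_1···p_r + 1 is prime.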

Since every ideal in Z is principal, for arbitrary integers a_1, a_2, …, a_n there exists an integer d such that

$$d\mathbb{Z} = a_1\mathbb{Z} + a_2\mathbb{Z} + \cdots + a_n\mathbb{Z}.$$

Clearly a_i ∈ dZ for each i with 1 ≤ i ≤ n, and so d|a_i. On the other hand, if c|a_i for 1 ≤ i ≤ n, then c divides every element in dZ, and c|d in particular. Hence d is a greatest common divisor of the a_i. Thus the greatest common divisors are those integers d minimal in the partial order of divisibility for which the linear Diophantine equation

$$a_1x_1 + a_2x_2 + \cdots + a_nx_n = d$$

has a solution in integers x_i. Moreover the equation

$$a_1x_1 + a_2x_2 + \cdots + a_nx_n = b$$

has a solution in integers if and only if d|b for some greatest common divisor d of the coefficients a_1, a_2, …, a_n.

Finding all the divisors of a large integer without a huge number of trial divisions generally requires knowing its prime factorization. This can be a challenging problem, and the development of efficient factoring algorithms has drawn much attention. It is a remarkable fact that prime factorization can be short-circuited when finding a greatest common divisor of two integers. A procedure called the Euclidean Algorithm allows us to compute gcd(a, b) for integers a and b with great speed. The Euclidean algorithm is based on division with remainder. Assume without loss of generality that a > b > 0 and define sequences {a_k}, {b_k}, {q_k} and {r_k} by the requirements that a_1 = a and b_1 = b, that a_{k+1} = b_k and b_{k+1} = r_k, and that q_k is the quotient and r_k is the remainder on division of a_k by b_k. Hence

$$a_k = q_k b_k + r_k$$

where 0 ≤ r_k < b_k. The algorithm must terminate since r_k is nonnegative and r_{k+1} < b_{k+1} = r_k. We note that the common divisors of a_k and b_k coincide with the common divisors of b_k and r_k. But a_{k+1} = b_k and b_{k+1} = r_k so the common divisors of a_k and b_k coincide with the common divisors of a_{k+1} and b_{k+1}. Hence the common divisors of a_k and b_k are the same as the common divisors of a and b. The algorithm terminates when r_m = 0, and then a_m = q_m b_m. The common divisors of a_m and b_m are clearly the divisors of b_m. Hence b_m is a greatest common divisor of a and b. As an example we compute a greatest common divisor of 411 and 171 by the Euclidean algorithm:

$$\begin{aligned} 411 &= 2\cdot171 + 69 \\ 171 &= 2\cdot69 + 33 \\ 69 &= 2\cdot33 + 3 \\ 33 &= 11\cdot3 + 0. \end{aligned}$$

Hence gcd(411, 171) = 3. We note that the maximal number of steps of the Euclidean algorithm is O(log(b)). A good deal of work has been done on improvements and extensions of the Euclidean algorithm, and on their computational complexity. The version of the Euclidean algorithm given by Euclid differs slightly from the version we use today, for it was based on repeated subtraction rather than repeated division with remainder. The basic insight underlying his version of the algorithm is that gcd(a, b) = gcd(a − b, b). The Euclidean algorithm can be used to solve the linear Diophantine equation

$$ax + by = c$$

in integers x and y. In order to have a nontrivial equation, we assume that a and b are nonzero. We run the Euclidean algorithm to find gcd(a, b), and then check whether gcd(a, b)|c. If the answer is no, the equation has no solution in integers. If the answer is yes, we first use the information produced by the Euclidean algorithm to solve the equation

$$az + bw = \gcd(a, b)$$

in integers. We work backwards from the next to last equation produced by the Euclidean algorithm, expressing gcd(a, b) as an integer linear combination of a_k and b_k in each step. When we have obtained integers z_0 and w_0 that solve az + bw = gcd(a, b), we define x_0 = (c/gcd(a, b))z_0 and y_0 = (c/gcd(a, b))w_0. Then

$$ax_0 + by_0 = a\frac{c}{\gcd(a,b)}z_0 + b\frac{c}{\gcd(a,b)}w_0 = \frac{c}{\gcd(a,b)}(az_0 + bw_0) = \frac{c}{\gcd(a,b)}\gcd(a,b) = c$$

so we have a particular solution of ax + by = c. To find the general solution, put x = x_0 + X and y = y_0 + Y and substitute into the equation. This yields aX + bY = 0 and hence

$$\frac{a}{\gcd(a,b)}X = -\frac{b}{\gcd(a,b)}Y.$$

Since a/gcd(a, b) and b/gcd(a, b) are mutually prime, we see that (a/gcd(a, b))|Y and (b/gcd(a, b))|X. Hence X = t(b/gcd(a, b)) and Y = −t(a/gcd(a, b)) where t is an integer parameter. The general solution is

$$x = x_0 + t\frac{b}{\gcd(a,b)} \quad\text{and}\quad y = y_0 - t\frac{a}{\gcd(a,b)}$$

where t runs through the integers. As an example we find the general solution to the Diophantine equation 411x + 171y = 21. We already know that gcd(411, 171) = 3, so the equation has integer solutions since 3|21. Now

$$3 = 69 - 2\cdot33 = 69 - 2\cdot(171 - 2\cdot69) = (-2)\cdot171 + 5\cdot69 = (-2)\cdot171 + 5\cdot(411 - 2\cdot171) = 411\cdot5 + (-12)\cdot171$$
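The two procedures just described, the forward Euclidean algorithm producing the table of a_k = q_k b_k + r_k and the backward substitution that expresses gcd(a, b) as az + bw, are combined in the following added example (not code from the notes). Instead of substituting backwards after the fact, it carries the invariant "a_k and b_k are known integer combinations of a and b" forward through the loop, which yields the same coefficients 5 and −12 for 411 and 171, and it then produces the particular and general solutions of ax + by = c.

```python
# Added example (not from the notes): the Euclidean algorithm with the sequences
# a_k, q_k, b_k, r_k defined above, the extended form that yields a*z + b*w = gcd(a, b),
# and the general solution of the linear Diophantine equation a*x + b*y = c.


def euclid_steps(a, b):
    """List of (a_k, q_k, b_k, r_k) with a_k = q_k*b_k + r_k, ending when r_k = 0; a > b > 0."""
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return steps


def ext_gcd(a, b):
    """Return (g, z, w) with g = gcd(a, b) >= 0 and a*z + b*w = g.

    The back substitution of the notes is replaced by the loop invariant
    a_k = a*s + b*t and b_k = a*u + b*v, updated alongside each division.
    """
    s, t, u, v = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        s, t, u, v = u, v, s - q * u, t - q * v
    if a < 0:  # normalise the sign of the gcd
        a, s, t = -a, -s, -t
    return a, s, t


def solve_linear_diophantine(a, b, c):
    """Solve a*x + b*y = c in integers (a, b nonzero).

    Returns ((x0, y0), (bs, as_)) so that every solution is x = x0 + t*bs, y = y0 - t*as_
    with bs = b/gcd(a, b) and as_ = a/gcd(a, b); returns None when gcd(a, b) does not divide c.
    """
    g, z, w = ext_gcd(a, b)
    if c % g:
        return None
    k = c // g
    return (k * z, k * w), (b // g, a // g)


if __name__ == "__main__":
    for a_k, q_k, b_k, r_k in euclid_steps(411, 171):
        print(f"{a_k} = {q_k}*{b_k} + {r_k}")
    print(ext_gcd(411, 171))                       # (3, 5, -12): 411*5 + 171*(-12) = 3
    print(solve_linear_diophantine(411, 171, 21))  # x = 35 + 57t, y = -84 - 137t
```

The worked equation 411·5 + (−12)·171 = 3 is recovered as `ext_gcd(411, 171)`, and scaling by c/gcd(a, b) = 7 gives the particular solution (35, −84) of 411x + 171y = 21.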

Chinese Remainder Theorem. If m_1, …, m_r are pairwise coprime positive integers and b_1, …, b_r are integers, then the simultaneous congruences

$$n \equiv b_1 \pmod{m_1},\quad n \equiv b_2 \pmod{m_2},\quad \ldots,\quad n \equiv b_r \pmod{m_r}$$

have a unique solution n ≡ n_0 (mod m_1m_2···m_r).

Proof. By induction, it is enough to establish the case r = 2. The linear Diophantine equation m_1x + m_2y = 1 has a solution (x_0, y_0), because gcd(m_1, m_2) = 1. Note that m_2x_0 ≡ 1 (mod m_1) and m_1y_0 ≡ 1 (mod m_2), and define n_0 = b_1m_2x_0 + b_2m_1y_0. Then

$$n_0 \equiv b_1m_2x_0 \equiv b_1 \pmod{m_1} \quad\text{and}\quad n_0 \equiv b_2m_1y_0 \equiv b_2 \pmod{m_2},$$

so the two simultaneous congruences have a common solution. This solution is unique modulo m_1m_2. For if n ≡ b_1 (mod m_1) and n ≡ b_2 (mod m_2) while n′ ≡ b_1 (mod m_1) and n′ ≡ b_2 (mod m_2), then n − n′ ≡ b_1 − b_1 ≡ 0 (mod m_1) and n − n′ ≡ b_2 − b_2 ≡ 0 (mod m_2). But m_1|(n − n′) and m_2|(n − n′) and gcd(m_1, m_2) = 1 imply m_1m_2|(n − n′) by the Fundamental Theorem of Arithmetic.
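The proof is constructive: n_0 = b_1m_2x_0 + b_2m_1y_0 needs only the inverses x_0 of m_2 modulo m_1 and y_0 of m_1 modulo m_2, and the induction on r is a loop that folds one modulus in at a time. The following added example (not code from the notes) does exactly this; it takes the inverses from Python's `pow(a, -1, m)`, which solves the linear Diophantine equation of the proof, and it refuses moduli that are not pairwise coprime, since the uniqueness argument then fails.

```python
# Added example (not from the notes): the Chinese remainder theorem as the
# two-modulus construction of the proof, iterated over r pairwise coprime moduli.
from math import gcd


def crt_pair(b1, m1, b2, m2):
    """n0 with n0 = b1 (mod m1) and n0 = b2 (mod m2), for coprime m1, m2.

    x0 = m2^{-1} (mod m1) and y0 = m1^{-1} (mod m2) solve m1*x + m2*y = 1 in the sense
    of the proof, and n0 = b1*m2*x0 + b2*m1*y0.
    """
    x0 = pow(m2, -1, m1)  # m2*x0 = 1 (mod m1)
    y0 = pow(m1, -1, m2)  # m1*y0 = 1 (mod m2)
    return (b1 * m2 * x0 + b2 * m1 * y0) % (m1 * m2)


def crt(residues, moduli):
    """The unique n0 modulo the product of the moduli; raises if they are not pairwise coprime."""
    n0, m = residues[0] % moduli[0], moduli[0]
    for b, mi in zip(residues[1:], moduli[1:]):
        if gcd(m, mi) != 1:
            raise ValueError("moduli are not pairwise coprime")
        n0 = crt_pair(n0, m, b, mi)  # fold the next congruence into the running one
        m *= mi
    return n0


def satisfies(n, residues, moduli):
    """Check n = b_i (mod m_i) for every i."""
    return all((n - b) % mi == 0 for b, mi in zip(residues, moduli))


if __name__ == "__main__":
    # constructed system: n = 2 (mod 3), n = 3 (mod 5), n = 2 (mod 7)
    print(crt([2, 3, 2], [3, 5, 7]))  # 23
```

Uniqueness modulo m_1···m_r means every other solution differs from n_0 by a multiple of the product, which `satisfies` confirms for n_0 + 105 in the constructed system.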

The Chinese remainder theorem is thus termed because the method of calculation underlying the proof was first set forth in a handbook by the Chinese mathematician Sun Zi. He was such an obscure figure that even the century of his birth is not definitely known, but he may have lived about 1600 years ago.

Every element ā in the ring Z/mZ is either a zero divisor or has a multiplicative inverse. If gcd(m, a) = c ≥ 2, then $\bar a\,\bar b = \bar d\,\bar m = \bar d\,\bar 0 = \bar 0$ with b = m/c and d = a/c. If gcd(m, a) = 1 on the other hand, then the linear Diophantine equation ax + my = 1 has some solution (x_0, y_0). But ax_0 + my_0 = 1 implies that ax_0 ≡ 1 (mod m), or $\bar a\,\bar x_0 = \bar 1$ in Z/mZ. In particular Z/pZ is a field for every prime p. Up to isomorphism it is the only field with p elements. For if F is another such field, there is a homomorphism ϑ : Z/pZ → F defined by ϑ(1) = 1. Any nonzero homomorphism between fields is a monomorphism. Since the two fields both have p elements, ϑ is also an epimorphism.

An element of Z/mZ that has a multiplicative inverse is called a reduced residue class. The set (Z/mZ)^× of reduced residue classes forms a group under multiplication, for if a and b are both coprime with m, then so is ab. Note that 1 is the unit element. Define φ(m) to be the order of this group, that is to say

$$\varphi(m) = |(\mathbb{Z}/m\mathbb{Z})^\times| = \sum_{\substack{1 \le a \le m \\ \gcd(m,a)=1}} 1.$$

It is a basic result in group theory that the order of an element of a finite group divides the order of the group, hence

$$a^{\varphi(m)} \equiv 1 \pmod m$$

if gcd(m, a) = 1. This congruence is due to Euler, and φ is called the Euler phi-function, or the Euler totient in the older literature. In the special case when the modulus is a prime, we obtain φ(p) = p − 1 because Z/pZ is a field for p prime. Then the congruence

$$x^p \equiv x \pmod p$$

holds for all integers x, for any prime p. For either p divides x or else p and x are coprime. The last congruence is known as the little theorem of Fermat.

Suppose that m_1 and m_2 are positive integers. Any integer a that is coprime with m_1m_2 is coprime with m_1 and with m_2. Thus there are epimorphisms σ_1 : (Z/m_1m_2Z)^× → (Z/m_1Z)^× given by σ_1(a + m_1m_2Z) = a + m_1Z and σ_2 : (Z/m_1m_2Z)^× → (Z/m_2Z)^× given by σ_2(a + m_1m_2Z) = a + m_2Z. Then there is an epimorphism σ_1 ⊕ σ_2 : (Z/m_1m_2Z)^× → (Z/m_1Z)^× ⊕ (Z/m_2Z)^× given by (σ_1 ⊕ σ_2)(a + m_1m_2Z) = σ_1(a + m_1m_2Z) ⊕ σ_2(a + m_1m_2Z). This epimorphism is mono if m_1 and m_2 are coprime, for then (σ_1 ⊕ σ_2)(a + m_1m_2Z) = 1 is equivalent to the simultaneous congruences

$$a \equiv 1 \pmod{m_1}, \quad a \equiv 1 \pmod{m_2},$$

and these have only one solution a ≡ 1 modulo m_1m_2, by the Chinese remainder theorem. Thus

$$\varphi(m_1m_2) = |(\mathbb{Z}/m_1m_2\mathbb{Z})^\times| = |(\mathbb{Z}/m_1\mathbb{Z})^\times \oplus (\mathbb{Z}/m_2\mathbb{Z})^\times| = |(\mathbb{Z}/m_1\mathbb{Z})^\times|\,|(\mathbb{Z}/m_2\mathbb{Z})^\times| = \varphi(m_1)\varphi(m_2)$$

if m_1 and m_2 are coprime. The relation φ(m_1m_2) = φ(m_1)φ(m_2) for m_1 and m_2 coprime reduces the calculation of φ to the case of prime powers. This yields

$$\varphi(p_1^{\alpha_1}\cdots p_r^{\alpha_r}) = (p_1 - 1)\cdots(p_r - 1)\,p_1^{\alpha_1-1}\cdots p_r^{\alpha_r-1},$$

because φ(p^α) = p^α − p^{α−1} if p is prime. For there are p^{α−1} integers a in the interval from 1 to p^α that are divisible by p.

The product of the elements of a finite abelian group equals the product of those elements that have order equal to one or two. For the others cancel in pairs, since they do not equal their inverses. Applying this observation to the group (Z/pZ)^× for p prime, and noting that the congruence x² ≡ 1 (mod p) has only the solutions x ≡ ±1 modulo p when p is prime, we obtain the congruence

$$(p-1)! \equiv -1 \pmod p.$$

The result is named after J. Wilson, who rediscovered it in the eighteenth century but did not prove it. The Arab scholar Ibn al-Haytham (Alhacen) had

the polynomial $x^{d_r} - 1$ has at least d_1d_2···d_r distinct roots modulo p. But it also has at most d_r distinct roots modulo p by the theorem of Lagrange, hence r = 1 and (Z/pZ)^× is cyclic.

There is also a primitive root modulo any power p^α of an odd prime p. Let g be a primitive root modulo p and h an integer with

$$h \not\equiv \frac{g^p - g}{p} \pmod p,$$

and put r = g + hp. We will show that r is a primitive root modulo p^α for every α ≥ 2. Denote by e the order of r as an element of the group Z/p^αZ. We know that e divides |Z/p^αZ| = φ(p^α) and the task at hand is to show that e = φ(p^α) = (p − 1)p^{α−1}. Then r has the maximal number of distinct powers modulo p^α and is thus a primitive root. Now r^{p−1} ≡ 1 (mod p) by Fermat’s little theorem, while r is a primitive root modulo p since g is. Thus e has to be a multiple of p − 1. Hence it will be sufficient to show that

$$r^{(p-1)p^{\alpha-2}} \not\equiv 1 \pmod{p^\alpha},$$

and this is where most of the work lies. Note that r^p ≡ g^p + h^p p^p ≡ g^p (mod p) by the Binomial theorem, since the exponent is prime. Thus

$$r^p - r \equiv g^p - g - hp \equiv p\left(\frac{g^p - g}{p} - h\right) \not\equiv 0 \pmod{p^2}$$

and so r^{p−1} = 1 + kp with k not divisible by p. Expanding (1 + kp^j)^p for j ≥ 1 by the Binomial theorem, the first two terms are 1 and kp^{j+1} while the other terms are either divisible by p^{2j+1} or p^{pj}. Thus all these terms are divisible by p^{j+2} since p ≥ 3 is an odd prime, and

$$(1 + kp^j)^p \equiv 1 + kp^{j+1} \pmod{p^{j+2}}$$

follows. In particular,

$$(r^{p-1})^p \equiv 1 + kp^2 \pmod{p^3}$$

holds. Thus

$$(r^{p-1})^{p^s} \equiv 1 + kp^{s+1} \pmod{p^{s+2}}$$

holds for s = 1, and assuming it to hold for some s, the congruence

$$(1 + kp^{s+1})^p \equiv 1 + kp^{s+2} \pmod{p^{s+3}}$$

obtained by choosing j = s + 1 above, yields

$$(r^{p-1})^{p^{s+1}} \equiv (1 + kp^{s+1})^p \equiv 1 + kp^{s+2} \pmod{p^{s+3}}.$$

Hence

$$(r^{p-1})^{p^s} \equiv 1 + kp^{s+1} \pmod{p^{s+2}}$$

holds for all s by induction. Then

$$r^{(p-1)p^{\alpha-2}} \equiv 1 + kp^{\alpha-1} \not\equiv 1 \pmod{p^\alpha},$$

by substituting s = α − 2.

Evidently 1 is a primitive root modulo 2 and 3 is a primitive root modulo 4. But a² ≡ 1 (mod 2³) for any odd integer a, and if

$$a^{2^{\alpha-2}} \equiv 1 \pmod{2^\alpha},$$

then for α ≥ 3 we have

$$a^{2^{\alpha-1}} \equiv (1 + b2^\alpha)^2 \equiv 1 + b2^{\alpha+1} + b^2 2^{2\alpha} \equiv 1 \pmod{2^{\alpha+1}}$$

with b some integer. Hence

$$a^{2^{\alpha-2}} \equiv 1 \pmod{2^\alpha}$$

holds for α ≥ 3 by induction. Since the order of a is strictly smaller than φ(2^α) for each odd integer, there is no primitive root modulo 2^α when α ≥ 3.

The Chinese remainder theorem implies that if m = p_1^{α_1}···p_ℓ^{α_ℓ} is the factorization of m into prime powers, then

$$(\mathbb{Z}/m\mathbb{Z})^\times \cong G_1 \oplus \cdots \oplus G_\ell$$

where G_i is isomorphic to (Z/p_i^{α_i}Z)^×. Since any subgroup of a cyclic group is cyclic, we see that 2^α with α ≥ 3 cannot occur in the prime factorization of m. Moreover, a direct sum of cyclic groups is cyclic if and only if all but one summand is trivial. Since (Z/p^αZ)^× is trivial only when p^α = 2, we see that m = 2p^α with p an odd prime are the only moduli that have primitive roots, beyond those that we have already found.

Supposing g to be a primitive root modulo m and a to be an integer coprime with m, the congruence

$$g^e \equiv a \pmod m$$

has a unique solution e in the interval 0 ≤ e ≤ φ(m) − 1. This unique exponent e is called the index of a to base g and is denoted by ind_g(a) (where m is assumed known from context). The index of a depends only on the residue class of a modulo m. The formula

$$\operatorname{ind}_g(ab) \equiv \operatorname{ind}_g(a) + \operatorname{ind}_g(b) \pmod{\varphi(m)}$$

reduces multiplication modulo m to addition modulo φ(m), and also permits the calculation of powers, and of k-th roots when k and φ(m) are coprime. This technique of calculation is called the index calculus. Clearly the index is analogous to the logarithm.
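The existence result (primitive roots exist exactly for the moduli 1, 2, 4, p^α and 2p^α with p an odd prime) and the index calculus just described can both be exercised on small moduli. The following added example (not code from the notes) computes φ(m) by the counting formula of the notes, searches for the smallest primitive root by brute force, builds the table ind_g, and uses ind_g(x^k) ≡ k·ind_g(x) (mod φ(m)) to extract a k-th root when gcd(k, φ(m)) = 1. The brute-force order computation is only sensible for tiny m; that the index table is cheap to build for small m and infeasible for cryptographic sizes is precisely the discrete logarithm assumption that Diffie-Hellman and related schemes rest on.

```python
# Added example (not from the notes): Euler's phi by the counting formula,
# brute-force primitive roots, the index table ind_g and k-th roots via indices.
from math import gcd


def phi(m):
    """phi(m) = #{a : 1 <= a <= m, gcd(m, a) = 1}, the order of (Z/mZ)^x."""
    return sum(1 for a in range(1, m + 1) if gcd(a, m) == 1)


def order(a, m):
    """Multiplicative order of a modulo m, assuming gcd(a, m) = 1."""
    e, x = 1, a % m
    while x != 1:
        x = x * a % m
        e += 1
    return e


def primitive_root(m):
    """Smallest primitive root modulo m (m >= 2), or None when (Z/mZ)^x is not cyclic."""
    ph = phi(m)
    for g in range(1, m):
        if gcd(g, m) == 1 and order(g, m) == ph:
            return g
    return None


def index_table(g, m):
    """ind_g(a) for every reduced residue a modulo m: g^e = a (mod m), 0 <= e <= phi(m) - 1."""
    table, x = {}, 1
    for e in range(phi(m)):
        table[x] = e
        x = x * g % m
    return table


def kth_root(a, k, m):
    """x with x^k = a (mod m), for gcd(a, m) = 1 and gcd(k, phi(m)) = 1, using
    ind_g(x) = ind_g(a) * k^{-1} (mod phi(m))."""
    g = primitive_root(m)
    ph = phi(m)
    if g is None or gcd(k, ph) != 1:
        raise ValueError("no primitive root modulo m, or k not invertible modulo phi(m)")
    ind = index_table(g, m)
    e = ind[a % m] * pow(k, -1, ph) % ph
    return pow(g, e, m)


if __name__ == "__main__":
    # constructed moduli: 7 (prime), 49 (p^2), 98 (2p^2), 8 and 12 (no primitive root)
    for m in (7, 49, 98, 8, 12):
        print(m, primitive_root(m))
    print(index_table(3, 7))      # {1: 0, 3: 1, 2: 2, 6: 3, 4: 4, 5: 5}
    print(kth_root(2, 5, 7))      # 4, since 4^5 = 1024 = 2 (mod 7)
```

With g = 3 modulo 7 the table gives ind(2) = 2 and ind(6) = 3, and 2·6 ≡ 5 has ind(5) = 5 = 2 + 3, the additive law of the notes; the fifth root of 2 is found as 3^{2·5^{-1} mod 6} = 3^4 ≡ 4.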

It follows from Euler’s criterion that the quadratic residue classes modulo an odd prime p form a subgroup of (Z/pZ)^× of index equal to 2. In particular, if the two congruences x² ≡ m (mod p) and x² ≡ n (mod p) have no solutions, then the congruence x² ≡ mn (mod p) necessarily has a solution, and this is not at all obvious.

The Law of Quadratic Reciprocity. The relation

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}$$

between Legendre symbols holds for all distinct odd primes p and q.

Proof. For every odd positive integer n denote by N_n the number of solutions in (Z/qZ)^n of the equation $x_1^2 - x_2^2 + x_3^2 - \cdots + x_n^2 = 1$. Making the change of variable x_1 = y + x_2 yields $y^2 + x_3^2 - \cdots + x_n^2 - 1 = 2yx_2$. For each y ≠ 0 and any choice of x_3, …, x_n there is a unique corresponding value of x_2 which also determines x_1. This yields a total of (q − 1)q^{n−2} solutions. Together with y = 0 the original equation is equivalent to the system

$$x_1 = x_2 \quad\text{and}\quad x_3^2 - \cdots + x_n^2 = 1,$$

and so there are qN_{n−2} solutions for y = 0. Thus N_n = (q − 1)q^{n−2} + qN_{n−2} and so

$$N_n = (q-1)q^{n-2} + qN_{n-2} = (q-1)q^{n-2} + q\left((q-1)q^{n-4} + qN_{n-4}\right) = (q-1)q^{n-2} + (q-1)q^{n-3} + q^2N_{n-4} = \cdots = (q-1)q^{n-2} + \cdots + (q-1)q^{n-1-k} + q^kN_{n-2k}.$$

Choosing k = (n − 1)/2 yields

$$N_n = (q-1)q^{n-2} + \cdots + (q-1)q^{(n-1)/2} + q^{(n-1)/2}N_1 = q^{n-1} + q^{(n-1)/2}(N_1 - 1) = q^{n-1} + q^{(n-1)/2},$$

and thus N_p ≡ 1 + (q|p) (mod p) on taking n = p and using the definition of the Legendre symbol. We obtain the law of quadratic reciprocity by computing N_p in another way. Let N(x² = t) denote the number of solutions of x² = t in Z/qZ. Then

$$N_p = \sum_{t_1 + \cdots + t_p = 1} N(x_1^2 = t_1)\,N(x_2^2 = -t_2)\,N(x_3^2 = t_3)\cdots N(x_p^2 = t_p)$$

where t_1, t_2, …, t_p range over Z/qZ, and so

$$N_p = \sum_{t_1 + \cdots + t_p = 1} \left(1 + \left(\frac{t_1}{q}\right)\right)\left(1 + \left(\frac{-t_2}{q}\right)\right)\left(1 + \left(\frac{t_3}{q}\right)\right)\cdots\left(1 + \left(\frac{t_p}{q}\right)\right)$$

for x² = t has two solutions if t is a quadratic residue class modulo q, one solution if t = 0 and no solutions if t is a quadratic nonresidue class. Multiplying out the product under the last summation sign, only the terms 1 and (t_1|q)(−t_2|q)(t_3|q)···(t_p|q) in the inner sum contribute to the outer sum. For if some but not all the factors of the form (±t_j|q) are present in a term, then at least one t_j will run unrestrictedly over Z/qZ, and summing over this t_j yields zero, since the sum of the Legendre symbol over a complete collection of residue classes modulo q is zero. Thus

$$N_p = q^{p-1} + \sum_{t_1 + \cdots + t_p = 1} \left(\frac{t_1}{q}\right)\left(\frac{-t_2}{q}\right)\left(\frac{t_3}{q}\right)\cdots\left(\frac{t_p}{q}\right)$$

since t_1 + t_2 + ··· + t_p = 1 has q^{p−1} solutions. Now

$$N_p = q^{p-1} + \left(\frac{(-1)^{(p-1)/2}}{q}\right)\sum_{t_1 + \cdots + t_p = 1} \left(\frac{t_1\cdots t_p}{q}\right).$$

Each tuple (u_1, …, u_p) with u_1 + ··· + u_p = 1 belongs to an equivalence class under permutation, and all members of this equivalence class are also solutions of t_1 + ··· + t_p = 1 and the value of the term (t_1···t_p|q) is the same for all of them. If all u_j are equal, that is to say if u_j = p^{−1}, then this equivalence class is a singleton, but otherwise the number of elements in the equivalence class is divisible by p. For this number is of the form p!/(k_1!···k_r!) where k_1, …, k_r are the numbers of elements of (u_1, …, u_p) that are identical in groups. Thus

$$\sum_{t_1 + \cdots + t_p = 1} \left(\frac{t_1\cdots t_p}{q}\right) \equiv \left(\frac{p^{-p}}{q}\right) \pmod p,$$

and so

$$N_p \equiv 1 + \left(\frac{(-1)^{(p-1)/2}}{q}\right)\left(\frac{p^{-p}}{q}\right) = 1 + \left((-1)^{(p-1)/2}\right)^{(q-1)/2}\left(\frac{p}{q}\right)^{-p} \equiv 1 + (-1)^{(p-1)(q-1)/4}\left(\frac{p}{q}\right) \pmod p.$$

Now comparison with the other congruence

$$N_p \equiv 1 + \left(\frac{q}{p}\right) \pmod p$$

yields the law of quadratic reciprocity.

This is the central result on quadratic congruences. It was first conjectured by Euler, and first proved by Gauss. The proof presented here was found recently by W. Castryck. There are many proofs of the quadratic reciprocity law. Gauss found eight proofs, some based on the following criterion for quadratic residuacy.
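The first half of the proof rests on the closed form N_n = q^{n−1} + q^{(n−1)/2} and on the congruence N_p ≡ 1 + (q|p) (mod p). Both can be checked by exhaustive counting for small parameters, which is a useful sanity check on the recursion before trusting the algebra. The following added example (not code from the notes) counts the solutions of x_1² − x_2² + x_3² − ··· + x_n² = 1 over Z/qZ directly, compares with the closed form, and evaluates the Legendre symbol by Euler's criterion; the primes used are constructed small inputs.

```python
# Added example (not from the notes): brute-force verification of the solution
# count N_n from the proof of quadratic reciprocity above, for small odd q and n.
from itertools import product


def legendre(a, p):
    """Legendre symbol (a|p) for an odd prime p, via Euler's criterion a^((p-1)/2) mod p."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_solutions(n, q):
    """N_n: number of (x_1, ..., x_n) in (Z/qZ)^n with x_1^2 - x_2^2 + x_3^2 - ... + x_n^2 = 1."""
    signs = [1 if i % 2 == 0 else -1 for i in range(n)]  # +, -, +, ..., + for odd n
    count = 0
    for xs in product(range(q), repeat=n):
        if sum(s * x * x for s, x in zip(signs, xs)) % q == 1:
            count += 1
    return count


def closed_form(n, q):
    """The value N_n = q^(n-1) + q^((n-1)/2) derived in the proof (n odd, q an odd prime)."""
    return q ** (n - 1) + q ** ((n - 1) // 2)


def reciprocity_check(p, q):
    """Return (N_p mod p, (1 + (q|p)) mod p); the proof shows these agree."""
    return count_solutions(p, q) % p, (1 + legendre(q, p)) % p


if __name__ == "__main__":
    for n, q in ((1, 5), (3, 5), (3, 7), (5, 3)):
        print(n, q, count_solutions(n, q), closed_form(n, q))
    print(reciprocity_check(3, 5), reciprocity_check(5, 3), reciprocity_check(3, 7))
```

The enumeration grows as q^n, so it is only a check on small cases; the point is that the recursion N_n = (q − 1)q^{n−2} + qN_{n−2} with N_1 = 2 is confirmed exactly where it can be computed.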

we have

$$\left(\frac{n}{m}\right) = \left(\frac{n}{p_1}\right)^{\alpha_1}\cdots\left(\frac{n}{p_r}\right)^{\alpha_r} = \left(\frac{q_1}{p_1}\right)^{\alpha_1\beta_1}\cdots\left(\frac{q_k}{p_j}\right)^{\alpha_j\beta_k}\cdots\left(\frac{q_s}{p_r}\right)^{\alpha_r\beta_s}$$

and similarly

$$\left(\frac{m}{n}\right) = \left(\frac{p_1}{q_1}\right)^{\alpha_1\beta_1}\cdots\left(\frac{p_j}{q_k}\right)^{\alpha_j\beta_k}\cdots\left(\frac{p_r}{q_s}\right)^{\alpha_r\beta_s}.$$

Thus

$$\left(\frac{n}{m}\right)\left(\frac{m}{n}\right) = \cdots\left(\left(\frac{q_k}{p_j}\right)\left(\frac{p_j}{q_k}\right)\right)^{\alpha_j\beta_k}\cdots = \cdots\left((-1)^{\frac{p_j-1}{2}\cdot\frac{q_k-1}{2}}\right)^{\alpha_j\beta_k}\cdots$$

if gcd(m, n) = 1, by the Law of Quadratic Reciprocity. Now (p_j − 1)^m ≡ 0 (mod 4) for odd primes p_j and integers m ≥ 2, so

$$p_1^{\alpha_1}\cdots p_r^{\alpha_r} \equiv (1 + (p_1-1))^{\alpha_1}\cdots(1 + (p_r-1))^{\alpha_r} \equiv 1 + (p_1-1)\alpha_1 + \cdots + (p_r-1)\alpha_r \pmod 4$$

by the Binomial Theorem. Since this also holds for the q_k and β_k we obtain

$$\frac{(m-1)(n-1)}{4} \equiv \left(\sum_{j=1}^{r} \frac{(p_j-1)\alpha_j}{2}\right)\left(\sum_{k=1}^{s} \frac{(q_k-1)\beta_k}{2}\right) \pmod 2$$

and thus

$$\left(\frac{n}{m}\right)\left(\frac{m}{n}\right) = (-1)^{\frac{m-1}{2}\cdot\frac{n-1}{2}}$$

if m and n are odd coprime integers. This relation generalizes the Law of Quadratic Reciprocity to Jacobi symbols. The supplementary laws also generalize to odd positive moduli by similar calculations. If n is an integer and m an odd positive integer with (n|m) = −1, there must be some prime p|m with (n|p) = −1, so n is a quadratic nonresidue modulo p. But then n is also a quadratic nonresidue modulo m. There is no implication in the other direction, as we see by an example. The calculation

$$\left(\frac{3}{7}\right) = -1$$

shows that 3 is a quadratic nonresidue modulo 7. Clearly 3 is also a quadratic nonresidue modulo 7², but (3|7²) = (3|7)² = 1. Thus both quadratic residues and nonresidues may have a positive Jacobi symbol. It is not possible to carry over both the relationship with quadratic residuacy and the reciprocity law when generalizing the Legendre symbol to general odd positive moduli. One or the other has to be sacrificed, and it is generally felt that it is most useful to keep the reciprocity law.

An integer D is called a fundamental discriminant if either D is squarefree and D ≡ 1 (mod 4) or else 4|D with D/4 squarefree and D/4 ≡ 2 or 3 (mod 4). This terminology comes from algebraic number theory. When D is a fundamental discriminant, and only then, we shall generalize the Jacobi symbol further, to the Kronecker symbol (D|m) for m a positive integer that may be even. Note that we do not require D and m to be coprime in the Kronecker symbol. The Kronecker symbol is defined by

$$\left(\frac{D}{m}\right) = \left(\frac{D}{p_1}\right)^{\alpha_1}\cdots\left(\frac{D}{p_r}\right)^{\alpha_r}$$

if m = p_1^{α_1}···p_r^{α_r} is a positive integer. Here (D|p_j) is the Legendre symbol if p_j is an odd prime that does not divide D. We set (D|p_j) = 0 if p_j|D, and

$$\left(\frac{D}{p_j}\right) = (-1)^{\frac{D^2-1}{8}}$$

if p_j = 2. The multiplicativity property (D|mn) = (D|m)(D|n) is a direct consequence of the definition. It is also clear that (D|m) = 0 whenever gcd(D, m) ≥ 2. The fundamental discriminant D is a period of the Kronecker symbol. Note that if gcd(D, m) ≥ 2, then gcd(D, m + D) ≥ 2, so we may suppose D and m coprime. Write m = 2^α m′ with m′ odd if D ≡ 1 (mod 4). Then

$$\begin{aligned}
\left(\frac{D}{m}\right) &= \left(\frac{D}{2}\right)^\alpha\left(\frac{D/|D|}{m'}\right)\left(\frac{|D|}{m'}\right)
= (-1)^{\alpha\frac{D^2-1}{8}}\left(\frac{\operatorname{sgn}(D)}{m'}\right)\left(\frac{m'}{|D|}\right)(-1)^{\frac{m'-1}{2}\cdot\frac{|D|-1}{2}} \\
&= \left(\frac{2}{|D|}\right)^\alpha\left(\frac{m'}{|D|}\right)\left(\frac{\operatorname{sgn}(D)}{m'}\right)\left(\frac{-1}{m'}\right)^{\frac{|D|-1}{2}}
= \left(\frac{m}{|D|}\right)\left(\frac{\operatorname{sgn}(D)(-1)^{\frac{|D|-1}{2}}}{m'}\right) = \left(\frac{m}{|D|}\right)
\end{aligned}$$

by quadratic reciprocity, the supplementary laws for the Jacobi symbol, and

$$\operatorname{sgn}(D)(-1)^{\frac{|D|-1}{2}} = (-1)^{\frac{D-1}{2}}.$$

If D = 4D′ with D′ ≡ 3 (mod 4) then

$$\left(\frac{D}{m}\right) = \left(\frac{m}{|D'|}\right)\left(\frac{-1}{m}\right)$$

for m odd by the same kind of calculation. The second factor is periodic with period 4. If D = 8D′ with D′ ≡ 1 (mod 2) then

$$\left(\frac{D}{m}\right) = \left(\frac{m}{|D'|}\right)\left(\frac{(-1)^{\frac{D'-1}{2}}\,2}{m}\right).$$

The second factor is one of (±2|m) and is therefore periodic with period 8. So D is a period of (D|m) in all three cases.
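Because the Jacobi symbol obeys the reciprocity law and the supplementary laws for any odd moduli, it can be computed without factoring m, by the same flip-and-reduce loop as the Euclidean algorithm; this is what makes it usable on large numbers, and it is the reason the reciprocity law rather than the residuacy relation is kept when generalizing. The following added example (not code from the notes) implements that algorithm, extends it to the Kronecker symbol by the definition given above for fundamental discriminants, and checks the periodicity in m established in the three cases; it also exhibits the page's example that (3|7²) = 1 although 3 is a nonresidue modulo 49. The discriminants and moduli in the test are constructed small inputs.

```python
# Added example (not from the notes): the Jacobi symbol by reciprocity without
# factoring, the Kronecker symbol for fundamental discriminants, and periodicity.


def jacobi(n, m):
    """Jacobi symbol (n|m) for odd positive m, via (n|m) = (n mod m | m),
    (2|m) = (-1)^((m^2-1)/8) and (n|m)(m|n) = (-1)^((m-1)/2 * (n-1)/2) for odd coprime n, m."""
    if m <= 0 or m % 2 == 0:
        raise ValueError("m must be an odd positive integer")
    n %= m
    result = 1
    while n:
        while n % 2 == 0:          # supplementary law for 2: sign flips when m = 3, 5 (mod 8)
            n //= 2
            if m % 8 in (3, 5):
                result = -result
        n, m = m, n                # reciprocity: flip, with a sign when both are 3 (mod 4)
        if n % 4 == 3 and m % 4 == 3:
            result = -result
        n %= m
    return result if m == 1 else 0  # m > 1 at the end means gcd(n, m) > 1


def is_fundamental_discriminant(D):
    """D = 1 (mod 4) squarefree, or D = 4D' with D' squarefree and D' = 2 or 3 (mod 4)."""
    def squarefree(x):
        x = abs(x)
        k = 2
        while k * k <= x:
            if x % (k * k) == 0:
                return False
            k += 1
        return True
    if D % 4 == 1:
        return squarefree(D)
    if D % 4 == 0:
        return (D // 4) % 4 in (2, 3) and squarefree(D // 4)
    return False


def kronecker(D, m):
    """(D|m) for a fundamental discriminant D and positive m, by the definition above:
    multiplicative in m, (D|2) = (-1)^((D^2-1)/8) for odd D and 0 for even D, and the
    Jacobi symbol on the odd part of m (which is 0 when an odd prime of m divides D)."""
    if not is_fundamental_discriminant(D) or m <= 0:
        raise ValueError("D must be a fundamental discriminant and m positive")
    result = 1
    while m % 2 == 0:
        m //= 2
        if D % 2 == 0:
            return 0
        result *= -1 if D % 8 in (3, 5) else 1
    return result * jacobi(D, m)


def is_periodic(D, period, limit=200):
    """Check (D|m) = (D|m + period) for 1 <= m <= limit."""
    return all(kronecker(D, m) == kronecker(D, m + period) for m in range(1, limit + 1))


def is_quadratic_residue(n, m):
    """Brute-force residuacy test: is x^2 = n (mod m) solvable with gcd(n, m) = 1 assumed?"""
    return any(x * x % m == n % m for x in range(m))


if __name__ == "__main__":
    print(jacobi(3, 7), jacobi(3, 49), is_quadratic_residue(3, 49))  # -1, 1, False
    print([is_periodic(D, abs(D)) for D in (-3, 5, -4, 8, 12, -8)])   # all True
```

The loop in `jacobi` performs one reduction per iteration just like the Euclidean algorithm, so its running time is logarithmic in m, whereas the definition through the factorization of m would require factoring.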