(Springer Undergraduate Mathematics) Franz Lemmermeyer - Quadratic Number Fields-Springer Nature Switzerland AG (2021)

Springer Undergraduate Mathematics Series

Franz Lemmermeyer

Quadratic Number Fields
Springer Undergraduate Mathematics Series

Advisory Editors
Mark A. J. Chaplain, St. Andrews, UK
Angus Macintyre, Edinburgh, UK
Simon Scott, London, UK
Nicole Snashall, Leicester, UK
Endre Süli, Oxford, UK
Michael R. Tehranchi, Cambridge, UK
John F. Toland, Bath, UK
The Springer Undergraduate Mathematics Series (SUMS) is a series designed for
undergraduates in mathematics and the sciences worldwide. From core foundational
material to final year topics, SUMS books take a fresh and modern approach.
Textual explanations are supported by a wealth of examples, problems and fully-
worked solutions, with particular attention paid to universal areas of difficulty. These
practical and concise texts are designed for a one- or two-semester course but the
self-study approach makes them ideal for independent use.

More information about this series at http://www.springer.com/series/3423


Franz Lemmermeyer

Quadratic Number Fields


Franz Lemmermeyer
Jagstzell, Germany

ISSN 1615-2085 ISSN 2197-4144 (electronic)


Springer Undergraduate Mathematics Series
ISBN 978-3-030-78651-9 ISBN 978-3-030-78652-6 (eBook)
https://doi.org/10.1007/978-3-030-78652-6

Mathematics Subject Classification: 11R11, 11D09, 11D25

Translation from the German language edition: Quadratische Zahlkörper by Franz Lemmermeyer,
© Springer-Verlag GmbH Deutschland 2017. Published by Springer Spektrum. All Rights Reserved.

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland
AG 2021
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether
the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse
of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and
transmission or information storage and retrieval, electronic adaptation, computer software, or by similar
or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG.
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

This book evolved from a manuscript for an introductory lecture series at the
University of the Saarland in Saarbrücken in 1999. The goal was to present the
arithmetic of quadratic number fields and to explain how to apply the results to
problems in elementary number theory.
I expect the readers to be familiar with notions such as prime numbers and residue
class rings from elementary number theory, and with fundamental theorems such as
unique factorization, Fermat’s Little Theorem, and the quadratic reciprocity law.¹
The theory of quadratic number fields deals with similar theorems in bigger rings of
integers, for example the ring of Gaussian integers, which consists of all numbers
of the form a + bi, where a and b are ordinary integers and where $i^2 = -1$. In this
ring, 5 is not a prime anymore because 5 = (1 + 2i)(1 − 2i). Whether an ordinary
prime number p remains prime in this ring depends on the Legendre symbol $\left(\frac{-1}{p}\right)$;
in general quadratic number rings, the behaviour of prime numbers also depends
on Legendre symbols. In this connection, we will learn that quadratic reciprocity,
which is perhaps perceived as a curiosity by someone who has never looked beyond
the horizon of elementary number theory, is a fundamental result that governs the
behaviour of prime numbers in quadratic number rings.
Finally, the theory of quadratic number fields has numerous applications to
elementary number theory. It puts several results such as the Two-Squares Theorem,
which asserts that primes of the form p = 4n + 1 can be written as the sum of two
squares, into a bigger perspective, and it allows you to solve Diophantine equations,
in particular certain Bachet–Mordell equations $y^2 = x^3 + k$, special cases of the
Catalan equation $x^p + y^q = 1$, or the Fermat equations $x^n + y^n = z^n$ for $n \le 5$.
Any book on quadratic number fields has to cover a set of standard topics such as
rings of integers, unique factorization into ideals, finiteness of the class group and
the solvability of the Pell equation. It is the topics outside the standard curriculum
that “define” this book, so I would like to say a few words about them here.

¹ This result will be proved in several ways in this book, but I assume that the readers know how to apply it.

Chapter 1 on the “prehistory” of algebraic number theory is a reflection of my
occupation with the history of number theory. Mathematics is not an accumulation
of true results, it is a development of ideas. One such idea in number theory is
Dedekind’s definition of prime numbers by their property that primes divide a factor
whenever they divide some product; another one is his definition of ideals, which
shaped the development of algebra. Similarly, the proof of the Unique Factorization
Theorem is not difficult once it is formulated; a lot more important than the mere
truth of this result is the idea that it may serve as the foundation of elementary
number theory. Some of the concepts used in Chap. 1 are defined and studied
properly only in subsequent chapters; readers should regard this chapter as a view
on the promised land—all the concepts showing up there will be discussed properly
in subsequent chapters.
Another unusual topic is the arithmetic of Pell conics presented in Chap. 2. I find
the interpretation of the technique of Vieta jumping in terms of group laws on conics
immensely pleasing; its ultimate goal is making the theory of elliptic curves more
accessible to beginners.
Chapter 3 on the quadratic reciprocity law is a new addition. As in the last
chapter on quadratic Gauss sums, the presentation I have given differs from the
usual approach. I am convinced that importing the idea of modularity, which is
central in class field theory and in the arithmetic of elliptic curves, to elementary
number theory is a step that is long overdue. The notion of modularity is taken
up again in the last chapter, where we formulate several results whose proofs are
beyond the scope of the present book.
The topics covered in the other chapters up to the ambiguous class number
formula are classical, and I am sure that much of it comes from the books on
algebraic number theory by Harvey Cohn (in particular [22]). These chapters
contain the basic arithmetic of quadratic number fields: rings of integers, units,
ideals and ideal class groups.
Prerequisites for reading this book are basic notions of linear algebra (vector
spaces, linear maps, matrices) and a familiarity with elementary number theory.
Quadratic reciprocity will be proved from scratch in Chap. 3, but I assume some
familiarity with its use in theoretic problems. Only in the last two chapters some
abstract algebra (the basic isomorphism theorems, or the irreducibility of cyclotomic
polynomials) is required.
I have profited from a number of useful comments by Dirk Bachmann and Heiko
Hellwig. Chip Snyder deserves a huge thank you for reading a first draft of the
English translation and for correcting many errors and pointing out gaps. The two
anonymous referees and Remi Lodh provided me with lots of useful comments—I
thank them all for their support.

Franz Lemmermeyer
Jagstzell, Germany
March 2021
Contents

1 Prehistory
  1.1 Pythagoras and Euclid
  1.2 Diophantus
  1.3 Bachet
  1.4 Fermat
    1.4.1 Integral Solutions of $y^2 + 2 = x^3$
    1.4.2 The Fermat Equation $x^4 + y^4 = z^2$
  1.5 Euler
    1.5.1 The Two-Squares Theorem
    1.5.2 Euler’s Algebra
    1.5.3 Bachet’s Equation $y^2 + 2 = x^3$
    1.5.4 The Cubic Fermat Equation
    1.5.5 Euler and the Problem of Units
  1.6 Gauss
  1.7 Kummer and Dedekind
    1.7.1 From Ideal Numbers to Ideals
  1.8 Exercises
2 Quadratic Number Fields
  2.1 Quadratic Number Fields
    2.1.1 Quadratic Extensions as Vector Spaces
  2.2 Rings of Integers
  2.3 The Unit Circle
  2.4 Platon’s Hyperbola
    2.4.1 Platon’s Side and Diagonal Numbers
  2.5 Fibonacci’s Hyperbola
    2.5.1 Generating Functions
    2.5.2 Group Law
  2.6 Vieta Jumping
    2.6.1 The IMO Problem
    2.6.2 Markov’s Equation
    2.6.3 Summary
  2.7 Exercises
3 The Modularity Theorem
  3.1 Pell Conics Over Fields
    3.1.1 Parametrization of Conics
    3.1.2 Pell Conics Over Finite Fields
  3.2 The Symbols of Legendre, Kronecker, and Jacobi
    3.2.1 Kronecker Symbol
    3.2.2 Gauss’s Lemma
    3.2.3 Composite Moduli
    3.2.4 Zolotarev and Frobenius
    3.2.5 A Few Applications
  3.3 Euler’s Modularity Conjecture
    3.3.1 The Quadratic Reciprocity Law
    3.3.2 Proof of Euler’s Modularity Conjecture
    3.3.3 The Strong Modularity Theorem
  3.4 $\mathbb{F}_p$-Rational Points on Curves
    3.4.1 Another Proof of the Quadratic Reciprocity Law
  3.5 Terjanian’s Theorem
    3.5.1 Summary
  3.6 Exercises
4 Divisibility in Integral Domains
  4.1 Units, Primes, and Irreducible Elements
    4.1.1 Elements with Prime Norm Are Prime
  4.2 Unique Factorization Domains
  4.3 Principal Ideal Domains
  4.4 Euclidean Domains
    4.4.1 Summary
  4.5 Exercises
5 Arithmetic in Some Quadratic Number Fields
  5.1 The Gaussian Integers
    5.1.1 $\mathbb{Z}[i]$ Is Norm-Euclidean
    5.1.2 Fermat’s Last Theorem in Quadratic Number Fields
  5.2 The Eisenstein Integers
    5.2.1 The Cubic Fermat Equation $x^3 + y^3 + z^3 = 0$
  5.3 The Lucas–Lehmer Test
    5.3.1 The Arithmetic in $\mathbb{Z}[\sqrt{3}]$
    5.3.2 The Lucas–Lehmer Test
  5.4 Fermat’s Last Theorem for the Exponent 5
  5.5 Euclidean Number Fields
    5.5.1 Dedekind–Hasse Criterion
  5.6 Quadratic Unique Factorization Domains
    5.6.1 Euler’s Polynomial
    5.6.2 Summary
  5.7 Exercises
6 Ideals in Quadratic Number Fields
  6.1 Motivation
    6.1.1 From Ideal Numbers to Ideals
    6.1.2 Products of Ideals
    6.1.3 The Class Group at Work
  6.2 Unique Factorization into Prime Ideals
    6.2.1 Classification of Modules
    6.2.2 Ideals as Modules
    6.2.3 The Cancellation Law
    6.2.4 Divisibility of Ideals
    6.2.5 Description of Prime Ideals
  6.3 Ideal Class Groups
    6.3.1 Equivalence of Ideals
    6.3.2 Finiteness of the Class Number
    6.3.3 Class Group Calculations
  6.4 The Diophantine Equation $y^2 = x^3 - d$
    6.4.1 Summary
  6.5 Exercises
7 The Pell Equation
  7.1 The Solvability of the Pell Equation
    7.1.1 The Negative Pell Equation
  7.2 Which Numbers Are Norms?
    7.2.1 Davenport’s Lemma
  7.3 Computing the Solution of the Pell Equation
  7.4 Parametrized Units
  7.5 Factorization Algorithms
  7.6 Diophantine Equations
    7.6.1 Summary
  7.7 Exercises
8 Catalan’s Equation
  8.1 Lebesgue’s Theorem
  8.2 Euler’s Theorem
    8.2.1 Monsky’s Proof
  8.3 The Theorems of Størmer and Ko Chao
    8.3.1 Application to Catalan’s Equation
  8.4 Euler’s Equation via Pure Cubic Number Fields
    8.4.1 Units in Pure Cubic Number Fields
    8.4.2 The Equation $x^3 + 2y^3 = 1$
    8.4.3 The Theorem of Delaunay and Nagell
  8.5 Mihailescu’s Proof
    8.5.1 Summary
  8.6 Exercises
9 Ambiguous Ideal Classes and Quadratic Reciprocity
  9.1 Ambiguous Ideal Classes
    9.1.1 Exact Sequences
    9.1.2 Ambiguous Ideal Classes
    9.1.3 Hilbert’s Theorem 90
  9.2 The Ambiguous Class Number Formula
  9.3 The Quadratic Reciprocity Law
    9.3.1 Summary
  9.4 Exercises
10 Quadratic Gauss Sums
  10.1 Dirichlet Characters
    10.1.1 Primitive Characters
    10.1.2 The Character Group of Finite abelian Groups
    10.1.3 Classification of Quadratic Dirichlet Characters
    10.1.4 Modularity and Reciprocity
  10.2 Pell Forms
  10.3 Fekete Polynomials
    10.3.1 Gauss’s Sixth Proof
  10.4 The Analytic Class Number Formula
  10.5 Modularity
    10.5.1 Modularity of Polynomials
    10.5.2 Modularity of Number Fields
    10.5.3 Pell Forms
  10.6 Modularity of Elliptic Curves
    10.6.1 Group Law
    10.6.2 Curves with Complex Multiplication
    10.6.3 Hasse’s Theorem
    10.6.4 Modularity of Elliptic Curves
  10.7 Exercises
A Computing with Pari and Sage
  A.1 Pari
    A.1.1 Arithmetic in Integers
    A.1.2 Arithmetic in Quadratic Number Fields
  A.2 Sage
    A.2.1 Number Fields
    A.2.2 Elliptic Curves
B Solutions
Bibliography
Name Index
Subject Index

Chapter 1
Prehistory

The idea of transferring the arithmetic of the ordinary integers to quadratic number
rings appears to be so natural to those who are familiar with some abstract algebra
that we tend to underestimate the achievement by Carl Friedrich Gauss, who paved
the way by studying integers of the form $a + b\sqrt{-1}$ in the early nineteenth
century. Before I discuss the contributions of Gauss and his successors Ernst Eduard
Kummer and Richard Dedekind, I would like to show the immense difficulties that
Leonhard Euler had to cope with when he used algebraic numbers for solving
problems going back to Pierre Fermat, Claude Gaspard Bachet de Méziriac and
ultimately even to Diophantus. Those who would like to familiarize themselves
with the number theoretical work of Fermat are well advised to study André Weil’s
excellent book [132] (and, if they read German, [88]).

1.1 Pythagoras and Euclid

One of the oldest nontrivial theorems in geometry is the Theorem of Pythagoras,
according to which the sides a, b, and c of a right triangle, where c is the side
opposite to the right angle, satisfy the equation $a^2 + b^2 = c^2$. All ancient cultures (in
particular, those living near the silk road (a trade route connecting the Mediterranean
area with China and India), namely the Babylonians, the Chinese, the Hindus, and
the Greeks) realized that this equation has integral solutions. The cuneiform tablet
Plimpton 322 shows that already the Babylonians around 1800 BC knew how to
generate arbitrarily many integral solutions of this equation. One possible way of
discovering a method for generating triples (a, b, c) of integers satisfying $a^2 + b^2 = c^2$
is the following.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_1

In some of the Babylonian problems¹ the task is computing a pair of rational
reciprocal numbers $m$ and $\frac{1}{m}$ from their sum $a = m + \frac{1}{m}$. The numbers $m$ and $\frac{1}{m}$ are
solutions of the quadratic equation $(x - m)(x - \frac{1}{m}) = x^2 - ax + 1 = 0$, and we
know that this equation has a rational solution if and only if its discriminant $a^2 - 4$ is
a rational square. Working backwards we see that this is easily achieved by setting
$a = m + \frac{1}{m}$ for a rational number $m$, and in fact

$$\left(m + \frac{1}{m}\right)^2 - 4 = \frac{m^4 + 2m^2 + 1}{m^2} - 4 = \left(m - \frac{1}{m}\right)^2.$$

Clearing the denominators yields the solution

$$(m^2 + 1)^2 - (2m)^2 = (m^2 - 1)^2 \tag{1.1}$$

of the Pythagorean equation. If we set $m = \frac{t}{u}$ and clear denominators again we
obtain

$$(t^2 - u^2)^2 + (2tu)^2 = (t^2 + u^2)^2. \tag{1.2}$$

With hindsight we can see that the basis of our derivation of (1.1) is the fact that
the equation $x^2 + y^2 = z^2$ can be written as $x^2 = z^2 - y^2$, and that a difference of
squares can be factored:

$$(m^2 + 1)^2 - (2m)^2 = (m^2 + 2m + 1)(m^2 - 2m + 1) = (m + 1)^2 (m - 1)^2 = (m^2 - 1)^2.$$

We can also find Pythagorean triples starting with the famous diagram of the “square
in the middle” in Fig. 1.1. The area of the large square (Fig. 1.1) is $(a + b)^2$; since
it is composed of the small square in the middle and four rectangles, this must be
equal to $(a - b)^2 + 4ab$. Thus $(a - b)^2 + 4ab = (a + b)^2$, or, after dividing through
by 4,

$$ab = \left(\frac{a + b}{2}\right)^2 - \left(\frac{a - b}{2}\right)^2, \tag{1.3}$$

which again shows that the difference of two squares is a product.
In order to find Pythagorean Triples we make ab equal to a square, for example,
by setting $a = m^2$ and $b = n^2$. Then we obtain

$$(m^2 - n^2)^2 + (2mn)^2 = (m^2 + n^2)^2.$$

¹ For learning more about the methods used in “Babylonian algebra” see [63].

Fig. 1.1 Geometric derivation of Pythagorean triples

If we draw four diagonals into the Babylonian square in Fig. 1.1, we get a proof
of the Pythagorean Theorem for free. In fact, the area of the shaded square is $c^2$,
where c denotes the hypotenuse of the right triangle with legs a and b; on the other
hand, it is also equal to $4 \cdot \frac{ab}{2} + (a - b)^2 = 2ab + a^2 - 2ab + b^2 = a^2 + b^2$.
The verification that the triples $(t^2 - u^2, 2tu, t^2 + u^2)$ are solutions of the equation
$x^2 + y^2 = z^2$ requires only elementary algebra, and it shows that Pythagorean triples
exist in arbitrary commutative rings. The proof that there are no other solutions in
ordinary integers, on the other hand, requires arithmetic; one such proof uses the
Unique Factorization Theorem for integers. We regard unique factorization as the
natural foundation of elementary number theory, and we do so to such an extent
that we find it hard to believe that this is a modern insight. As a matter of fact
you will look in vain for the concept of unique factorization in Euclid’s Elements:
Euclid based number theory on the Four Numbers Theorem (see [79, 102]), which
is Proposition 19 in Book VII of his Elements:

Theorem 1.1 (Four Numbers Theorem) Let a, b, c, d be natural numbers with
ab = cd. Then there exist natural numbers x, y, z, w such that a = xy, b = zw,
c = xz, and d = yw.
The basic idea behind the Four Numbers Theorem is rather natural: Each
decomposition of a number into different factors can be explained by a refined
decomposition. The factorization 2 · 12 = 4 · 6, for example, may be refined to
2 · (2 · 6) = (2 · 2) · 6. The Four Numbers Theorem quickly implies Euclid’s Lemma
(Prop. VII.30):
Lemma 1.2 (Euclid’s Lemma) If a prime number p (in the classical sense, i.e., a
number > 1 only divisible by 1 and itself) divides a product ab of natural numbers,
then p divides one of the factors a or b (or both).
In fact, since p is a divisor of ab we can write ab = pc for some c ∈ N.
According to the Four Numbers Theorem 1.1 we must have a = xy, b = zw,
p = xz, and c = yw for integers x, y, z, and w. Since p does not have a nontrivial
factorization, we must have x = 1 or z = 1. In the first case we get a = y, that is
c = aw and hence ab = paw; but then b = pw and p divides b. In the second case
we conclude similarly that p is a divisor of a.
Euclid’s investigation of Pythagorean triples is based on the theory of plane
numbers. These are products ab of two natural numbers a and b; two such products
ab and cd are called similar if the rectangle with sides a and b is similar to the
rectangle with sides c and d, that is, if a : b = c : d or, equivalently, ad = bc. This
implies the equation $ab \cdot d^2 = cd \cdot b^2$, which tells us that if two products are similar,
then they differ by square factors. The main theorem of similar plane numbers is
contained in Euclid’s Propositions IX.1 and IX.2:
Theorem 1.3 The product (see footnote 2) of two natural numbers is a square if and only if these
numbers are similar.

As an example consider the product $6 \cdot 24 = 12^2$, which is a square; in accordance
with Euclid the products 6 = 2 · 3 and 24 = 4 · 6 are similar plane numbers.
The connection with Pythagorean triples arises from an identity that Euclid
presents in geometric clothing in Book II of his Elements and that already the
Babylonians were aware of, namely Eq. (1.3), from which we already have derived
a parametrization of Pythagorean triples.
From Theorem 1.3 we deduce an observation which is the basis of many
applications to Diophantine problems, and which occurs in Euclid’s Elements as
a very special case of Proposition VIII.7:
Theorem 1.4 (Square Lemma) If a and b are coprime natural numbers and if ab
is a square, then a and b must be squares.

According to Theorem 1.3 we have a = rs, b = tu, as well as r : t = s : u;
the last relation yields ru = st. According to the Four Numbers Theorem 1.1 there
exist numbers x, y, z, w such that r = xy, u = zw, s = xz, and t = yw. Since
$a = rs = x^2yz$ and $b = tu = yzw^2$ are coprime, we must have y = 1 and z = 1,
and thus $a = x^2$ and $b = w^2$ are squares.
Without invoking the Four Numbers Theorem we can conclude from gcd(r, t) =
gcd(s, u) = 1 and ru = st that r divides s and that s divides r, which in turn implies
r = s. In the same way we deduce that t = u, and this shows again that a and b are
squares.
We now would like to use these methods for showing that the Euclidean equation
(1.2) contains all primitive Pythagorean triples; these are triples (a, b, c) with
pairwise coprime natural numbers a, b, and c. Assume that (a, b, c) is such a triple.
Then it is easily seen that c must be odd, and that a and b have different parity. We

2 For Euclid, the product of a number is the representation of a number as a product, not the result.

When Euclid wants the result of a product, he uses a clumsy phrase such as “if two numbers
multiplied make a number.”
may therefore assume that a is odd and b = 2u is even and then obtain

$$(2u)^2 = b^2 = c^2 - a^2 = (c - a)(c + a), \quad \text{i.e.,} \quad u^2 = \frac{c-a}{2} \cdot \frac{c+a}{2}.$$

Observe that the last equation is just (1.3). Since a and c are coprime, so are the two
factors on the right hand side (as a matter of fact, any number dividing both $\frac{c-a}{2}$
and $\frac{c+a}{2}$ divides their sum c and their difference a), and according to Theorem 1.4
both numbers must be squares. Thus $\frac{c-a}{2} = t^2$ and $\frac{c+a}{2} = s^2$, which immediately
implies $c = s^2 + t^2$ and $a = s^2 - t^2$. Since u = st we also have b = 2u = 2st, and
we have shown that each primitive Pythagorean triple is contained in (1.2):

Proposition 1.5 If (x, y, z) is a primitive Pythagorean triple and if x is even, then
there exist numbers a and b such that $x = 2ab$, $y = a^2 - b^2$ and $z = a^2 + b^2$.
We will meet the main idea behind Euclid’s classification of Pythagorean triples
in Prop. X.29a over and over again: The transformation of an additive into a
multiplicative problem. This idea already occurred in the derivation of Pythagorean
triples using the Babylonian “square in the middle.”
Just as the Babylonians, the Chinese (see footnote 3) solved numerous geometric problems in
which they gave rational values to the side lengths of right triangles, and so did
Hindu mathematicians such as Brahmagupta. Diophantus, and later also Fermat and
his contemporaries, solved a huge number of problems in which the rational or
integral sides of right triangles with additional properties had to be determined. This
shows that one of the sources of number theory is metrical geometry.

1.2 Diophantus

During the European Middle Ages, sciences in Europe were almost non-existent.
Even Euclid’s Elements had been largely forgotten. Only the contact with the
Muslim occupants of Spain and Sicily in the eleventh and twelfth century AD
made the few European scientists (almost all of them were monks and bishops,
since the monastery schools—the only schools where Latin was taught—were
reserved for the future clergy) aware of the existence of classical works on medicine,
astronomy, and mathematics. The invention of the printing press by Gutenberg made
the Elements available to people outside of monasteries (in particular once they had
been translated into other languages) and without access to the large libraries.
The most important event for the development of algebra and number theory
was without doubt the discovery of the Arithmetica by Diophantus, who must
have lived between 200 BC and 300 AD in Alexandria, a city near the Nile Delta
founded by Alexander the Great in 331 BC shortly before his death. Alexander’s

3 Presentations of their work may be found in Vogel [126, 127] and in Chemla and Guo [19].
successor decided to build a library there, which attracted scientists from the
whole Mediterranean world (see footnote 4) and made it the scientific center of antiquity. Among
the most famous scientists who have worked there are Euclid, the author of the
Elements, Archimedes, one of the greatest mathematicians and, like Heron, also an
exceptionally gifted engineer, the astronomer Ptolemy and Diophantus. Six of his
thirteen books on arithmetic problems have survived in Greek, and another four
(discovered only in the 1970s) in Arabic translation.
In this chapter we will discuss the following two problems solved by Diophantus
in his Arithmetica: His construction of Pythagorean triples and Problem VI.19,
which was to play an important role in the development of algebraic number theory.
We remark in advance that Diophantus already used some algebraic notation: He
had symbols for one unknown and its powers up to the sixth.
Pythagorean Triples. Diophantus treats the problem of finding Pythagorean triples
in the following form:
II.10 To decompose a given square number into two squares.

Diophantus shows how to decompose 16 into a sum of two squares; he sets the
first square equal to $x^2$, and then the second square is $16 - x^2$. Now he writes:
We form the square of an arbitrary multiple of x reduced by the side of the given square,
say 2x − 4.

The side of the square 16 is 4; subtracting 4 from a multiple of x we get mx − 4.
Since Diophantus does not have symbols for more than one unknown, he picks
m = 2, but it is clear that any other choice of m would work equally well. The
square of 2x − 4 then must equal the second number, that is, we have the equation

$$(2x - 4)^2 = 4x^2 - 16x + 16 = 16 - x^2.$$

Now we see the idea behind the choice of 2x − 4: On both sides of the equation we
have the constant term 16, which can be canceled; adding $x^2$ we obtain $5x^2 = 16x$,
hence $x = \frac{16}{5}$. Thus one square is $\frac{256}{25}$, the other $\frac{144}{25}$.
Many centuries later it was observed that the substitution y = 2x − 4 may
be interpreted as the equation of a line in the Euclidean plane. The equations of
Diophantus then may be visualized geometrically as intersecting this line with the
circle with radius 4 around the origin (see Fig. 1.2).
In order to decompose $a^2$ into a sum of two squares let us call the smaller square
$x^2$; then $a^2 - x^2 = y^2$ must also be a square. The substitution y = mx − a yields

$$a^2 - x^2 = m^2x^2 - 2amx + a^2,$$

hence $2amx = (m^2 + 1)x^2$ and thus $x = \frac{2am}{m^2+1}$.

4 This included the Hellenistic world. Among the scientists believed to have studied in Alexandria

are Archimedes from Syracuse in Sicily and Eratosthenes from Cyrene in North Africa. It is also
conceivable that well-educated scribes from Mesopotamia preferred the boomtown Alexandria to
the declining cities in Mesopotamia.
Fig. 1.2 Parametrization of Pythagorean triples

Now we find that the second square number is the square of
$y = mx - a = a \cdot \frac{m^2-1}{m^2+1}$. This shows that

$$\left(\frac{2am}{m^2+1}\right)^2 + \left(a \cdot \frac{m^2-1}{m^2+1}\right)^2 = a^2,$$

and after canceling $a^2$ and getting rid of the denominator we recover (1.1).
Problem VI.19
To find a right-angled triangle in which the area increased by the hypotenuse is a square,
and the perimeter is a cube.
Diophantus solves this problem (see footnote 5) as follows. He denotes the area by x and the
hypotenuse as a square minus x, say c = 16 − x. The product of the legs is 2x; if
one leg was equal to 2, the other would be x, and the perimeter 2 + x + 16 − x = 18,
which is not a cube. Thus, says Diophantus, we need a square which increased by 2
makes a cube.
If one side of the square is m + 1 and the side of the cube is m − 1, then we must
solve $m^3 - 3m^2 + 3m - 1 = m^2 + 2m + 3$, which gives m = 4. Thus the side of
the square is 5, that of the cube 3.
If x denotes the area of the original triangle and 25 − x its hypotenuse, and if 2
and x are its legs, then the theorem of Pythagoras gives us $x^2 - 50x + 625 = x^2 + 4$,
i.e., $x = \frac{621}{50}$, and the problem is solved.
Diophantus was forced to choose the substitution c = 16 − x; his calculations,
however, may be transferred to the general substitution $c = k^2 - x$. At one point,

5 This is problem VI.17 in Heath [59]; some problems are enumerated in a different way in different

editions.
however, Diophantus “cheated”: The solution m = 4 of the cubic equation
$m^3 - 3m^2 + 3m - 1 = m^2 + 2m + 3$ can be found by writing it in the form $m^3 + m = 4m^2 + 4$,
which implies $m(m^2 + 1) = 4(m^2 + 1)$, from which the solution can be read off.
This does not work for general values of k, and there were no techniques available
for solving general cubics in the times of Diophantus.
Moreover, even if we know how to solve cubics we do not know how to choose
the sides of the square and the cube in such a way that the resulting cubic has a
rational solution.

1.3 Bachet

We do not know whether or how much Diophantus was studied in antiquity. Hypatia
(355–415), the daughter of Theon of Alexandria (335–405), is often said to have
written a comment on Diophantus’ Arithmetica; this story seems to be based on a
misguided interpretation by Tannery. Diophantus was studied by many Muslim (and
a few Byzantine) scientists; in Western Europe, Diophantus remained unknown until
Johannes Regiomontanus from Königsberg (Lower Franconia, Bavaria) discovered
a copy of six of the 13 books in a library in Venice in 1463.
The first edition of the Arithmetica was prepared a century later by Wilhelm
Holtzmann (1532–1576) under the name of Guilielmus Xylander; based on this
work Claude Gaspard Bachet de Mériziac (1581–1638) published an improved
version in 1621—not only the text had to be translated from Greek into Latin, Bachet
(like Xylander before him) also had to correct many corrupted passages that had
crept into the manuscript over the centuries, and he tried to make the text accessible
to his readers by detailed comments.
In his edition of Diophantus’ Arithmetica Bachet asked whether the equation
$y^2 + 2 = x^3$ that showed up in Problem VI.19 possesses other rational solutions
except the one given by Diophantus, and he answered this question in the positive
by presenting a method that allowed him to find a new solution of such an equation
from a known one.
Bachet achieved his result using the Diophantine technique of clever substitutions,
which we may interpret geometrically (see Fig. 1.3): If we intersect the curve
$y^2 = x^3 - 2$ (such a curve is called an elliptic curve) and its tangent

$$y = \frac{27}{10}(x - 3) + 5$$

in P(3, 5), then we obtain a second point of intersection $\left(\frac{129}{100}, \frac{383}{1000}\right)$.
Of course Bachet did not think of tangents at all, and he did not determine the
tangent using analytic means: Differential calculus had not yet been discovered,
and neither did coordinate systems exist, which came into being under the hands of
Pierre Fermat and René Descartes. Bachet rather chose his Diophantine substitution
 
Fig. 1.3 Left: Tangent method on the elliptic curve $y^2 = x^3 - 2$; construction of $\left(\frac{129}{100}, \frac{383}{1000}\right)$ from
(3, 5). Right: The elliptic curve $y^2 = x^3 + 1$ with the five integral points (−1, 0), (0, ±1) and
(2, ±3), two lines through three points and the tangents in (2, ±3)

in such a way that a linear equation resulted, which then necessarily has a rational
solution.
Bachet knew, as did his readers, that this calculation is a “proof by example,” that
is, this solution is general in the sense that it may be applied without any problems to
any equation of the form $y^2 + k = x^3$. In fact, if we set $y_1 = y - \eta$ and $x_1 = x - r\eta$,
then the equation $y_1^2 + k = x_1^3$ yields

$$y^2 - 2y\eta + \eta^2 + k = x^3 - 3rx^2\eta + 3r^2x\eta^2 - r^3\eta^3.$$

Since $y^2 + k = x^3$ this means that

$$-2y\eta + \eta^2 = -3rx^2\eta + 3r^2x\eta^2 - r^3\eta^3,$$

and after dividing through by $\eta \ne 0$ we obtain

$$r^3\eta^2 + (1 - 3r^2x)\eta + 3rx^2 - 2y = 0. \tag{1.4}$$


The constant term vanishes if $3rx^2 - 2y = 0$, that is, if $r = \frac{2y}{3x^2}$. Plugging this into
(1.4) and solving for $\eta$ we obtain

$$\eta = -\frac{27}{8y^3}x^6 + \frac{9}{2y}x^3,$$

hence

$$x_1 = x - r\eta = \frac{9x^4 - 8y^2x}{4y^2} = \frac{x^4 + 8kx}{4y^2}, \tag{1.5}$$

$$y_1 = y - \eta = y + \frac{27}{8y^3}x^6 - \frac{9}{2y}x^3 = \frac{8y^4 + 27x^6 - 36y^2x^3}{8y^3} = \frac{-x^6 + 20kx^3 + 8k^2}{8y^3}. \tag{1.6}$$

In these calculations we have replaced each $y^2$ in the numerator by $x^3 - k$.

In the modern literature the Eqs. (1.5) and (1.6) are called Bachet’s duplication
formula. This name is explained by the fact that the rational points on the elliptic
curve $E : y^2 = x^3 - k$ form a group (whose neutral point is the “point at infinity”).
In fact, Bachet’s construction of a new point on E from a known one corresponds
algebraically to the addition of the original point to itself, or, more precisely, to the
multiplication of this point by −2; indeed, in our notation we have $-2(x, y) = (x_1, y_1)$
and $2(x, y) = (x_1, -y_1)$.
We also point out that Bachet could not solve the problem of finding a solution of
the equation $y^2 + 2 = x^3$ except by trial and error; today we know a lot more about
solving equations $y^2 = x^3 - k$ in integers or rational numbers, but we do not know
an algorithm that produces a solution in finitely many steps or shows that there is no
solution (there are such algorithms for quadratic equations such as $ax^2 + by^2 + cz^2 = 0$
and the Pell equation $y^2 = Nx^2 + 1$). Bachet’s accomplishment is having shown
how to find (in general infinitely many) rational points from a known one.

1.4 Fermat

In Fermat’s time, the problems studied in number theory were about perfect numbers
(numbers that are equal to the sum of their proper divisors such as $2^{p-1}(2^p - 1)$
for prime numbers $2^p - 1$), amicable numbers (pairs of numbers such as 220 and
284, for which the sum of the proper divisors of one number is equal to the other)
and figurate numbers (patterns in the sequences of triangular numbers and square
numbers). It was the study of Bachet’s edition of Diophantus’ Arithmetica that made
Pierre Fermat (1607–1665) start his own investigations in number theory. On the
margin of a page in his copy he wrote his remark that the equation $x^n + y^n = z^n$
is not solvable in natural numbers for any exponent n ≥ 3, and even claimed to
have a wonderful proof which the margin of his book was too small to contain.
Since he never made this claim public (it was published posthumously by his son
Samuel) and since Fermat was not exactly suffering from modesty we may assume
that he eventually discovered that his idea for proving the case n = 4 could not be
transferred to other exponents n.
In his copy of Diophantus’ Arithmetica, Fermat also made the following remark
concerning Bachet’s equation $y^2 + 2 = x^3$:
Is there another square in integers apart from 25 that, increased by 2, gives a cube? This
seems difficult to investigate; but I can show by a rigorous demonstration that 25 is the only
square that is smaller by 2 than a cube. In rational numbers, Bachet’s method yields many
such squares, but the theory of integers, which is very beautiful and very subtle, was so far
known to nobody, neither to Bachet, or to any other author whose works I have seen.

In his letter to Carcavi written in 1657, Fermat tried to make Carcavi believe that
he was able to prove the following assertions using infinite descent:
• There is no cube that can be decomposed into two cubes.
• There is only one square which is 2 less than a cube, namely 25.
• There exist only two squares that, when you add 4, give a cube, namely 4 and
121.
• All squared powers (see footnote 6) of 2, increased by 1, are prime numbers.
The last claim is Fermat’s conjecture that all numbers of the form $2^{2^n} + 1$ are prime,
which Euler disproved by observing that $F_5 = 2^{32} + 1 = 641 \cdot 6700417$. It seems
to me that Fermat did not know how to prove any of these claims but was convinced
that the key to their proofs was infinite descent.

1.4.1 Integral Solutions of $y^2 + 2 = x^3$

We now will have a closer look at Bachet’s method of constructing rational points
on elliptic curves $y^2 = x^3 - k$. To this end, let $P\left(\frac{m}{M}, \frac{n}{N}\right)$ be such a rational point,
and assume that the fractions are written in reduced form and with M, N > 0. It
follows from $\left(\frac{n}{N}\right)^2 = \left(\frac{m}{M}\right)^3 - k$ that $n^2M^3 = m^3N^2 - kM^3N^2$. Since $N^2$ divides the
right side, $N^2$ must also divide $n^2M^3$. But n and N are coprime, so we can conclude
that (see footnote 7) $N^2 \mid M^3$. In a similar way we obtain $M^3 \mid N^2$. Thus the natural numbers $M^3$
and $N^2$ divide each other, hence we must have $M^3 = N^2$. This is only possible if
M is a square and N a cube, and thus there exists a natural number e with $M = e^2$
and $N = e^3$.

6 Fermat means the sequence 2, $2^2 = 4$, $4^2 = 16$, $16^2 = 256$, etc.


7 The notation a | b stands for “a divides b”.
Proposition 1.6 Each rational point on the elliptic curve $y^2 = x^3 - k$ has the form
$\left(\frac{m}{e^3}, \frac{n}{e^2}\right)$, where gcd(m, e) = gcd(n, e) = 1.

If we now plug $x = \frac{m}{e^3}$ and $y = \frac{n}{e^2}$ into Bachet’s duplication formula, we find

$$x_1 = \frac{\frac{m^4}{e^{12}} + 8k\frac{m}{e^3}}{4\frac{n^2}{e^4}} = \frac{m^4 + 8kme^9}{4n^2e^8},$$

$$y_1 = \frac{-\frac{m^6}{e^{18}} + 20k\frac{m^3}{e^9} + 8k^2}{8\frac{n^3}{e^6}} = \frac{-m^6 + 20km^3e^9 + 8k^2e^{18}}{8n^3e^{12}}.$$

Thus if $\left(\frac{m}{e^3}, \frac{n}{e^2}\right)$ is a rational point on E, for which m and n are both odd and e is
even, then $m_1 = m^4 + 8kme^9$ and $n_1 = -m^6 + 20km^3e^9 + 8k^2e^{18}$ are again odd,
and $e_1 = 2ne^4$ is not only even, but divisible by a much higher power of 2 than e.
This shows
Proposition 1.7 Bachet’s method applied to the point (3, 5) on the elliptic curve
$E : y^2 = x^3 - 2$ yields only points whose coordinates have even denominator
(when written in lowest terms) and thus does not produce any point with integral
coordinates.

The proof of this proposition may have been within Fermat’s reach despite the
very modest tools he had at his disposal. But it does not follow from this proposition
that there are no integral solutions of $y^2 + 2 = x^3$ except (3, ±5) since Bachet’s
method does not yield all rational solutions. Similarly, Bachet’s method applied to
the equation $y^2 + 4 = x^3$ and the integral point (2, 2) does not yield any integral
points beyond (5, 11) (see Exer. 1.8).
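
The duplication formulas (1.5) and (1.6) and the denominator argument can be checked with exact rational arithmetic. The following Python code is an added example, not part of the book; the function names are chosen here, and the denominators of x and y are taken to be e² and e³, following M = e² and N = e³ in the derivation above.

```python
from fractions import Fraction
from math import isqrt


def bachet_duplicate(x, y, k):
    """Apply (1.5) and (1.6) to a rational point (x, y) on y^2 = x^3 - k."""
    x, y = Fraction(x), Fraction(y)
    if y * y != x**3 - k:
        raise ValueError("point is not on y^2 = x^3 - k")
    if y == 0:
        raise ValueError("the formulas divide by y")
    x1 = (x**4 + 8 * k * x) / (4 * y**2)
    y1 = (-x**6 + 20 * k * x**3 + 8 * k**2) / (8 * y**3)
    # The new point has to satisfy the curve equation again.
    assert y1 * y1 == x1**3 - k
    return x1, y1


def denominator_root(x, y):
    """Return e such that x has denominator e^2 and y has denominator e^3.

    Assumption of this example: both fractions are in lowest terms, which
    Fraction guarantees.
    """
    e = isqrt(x.denominator)
    if e * e != x.denominator or e**3 != y.denominator:
        raise ValueError("denominators are not of the form e^2, e^3")
    return e


def two_adic_valuation(n):
    """Exponent of the highest power of 2 dividing the positive integer n."""
    v = 0
    while n % 2 == 0:
        n //= 2
        v += 1
    return v


def bachet_orbit(x, y, k, steps):
    """The starting point followed by `steps` applications of the formula."""
    points = [(Fraction(x), Fraction(y))]
    for _ in range(steps):
        points.append(bachet_duplicate(*points[-1], k))
    return points


if __name__ == "__main__":
    # Start from (3, 5) on y^2 = x^3 - 2 and watch the power of 2 in e.
    for x, y in bachet_orbit(3, 5, 2, 3):
        e = denominator_root(x, y)
        print(f"e has {len(str(e))} digits, 2-adic valuation {two_adic_valuation(e)}")
    # The integral point (2, 2) on y^2 = x^3 - 4 leads to another integral point.
    print(bachet_duplicate(2, 2, 4))
```

Every point after (3, 5) has an even denominator, and the power of 2 dividing e grows at each step, so no later point of this sequence is integral.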

1.4.2 The Fermat Equation $x^4 + y^4 = z^2$

Already Diophantus showed that there exist Pythagorean triples in which one leg or
the hypotenuse is a square number, i.e., that the Diophantine equations $a^4 + b^2 = c^2$
and $a^2 + b^2 = c^4$ have nontrivial solutions (see Exercise 1.2). Fermat asked why
Diophantus did not discuss the question of finding Pythagorean triples in which two
sides are square numbers, and he answered this question by observing that this is
due to the unsolvability of the problem:

Theorem 1.8 The integral solutions of the Diophantine equation $x^4 + y^4 = z^2$ are
the obvious solutions with x = 0 or y = 0. In particular, the equation $x^4 + y^4 = z^4$
does not possess any nontrivial solutions in integers.
This theorem is one of the few for which Fermat left at least a sketch of a proof.
His correspondence partner Frénicle de Bessy published a detailed presentation
of the proof, but it is not known just how big Fermat’s contribution to Frénicle’s
publication actually was.
The proof is based on an application of infinite descent: Starting with a
hypothetical solution (x, y, z) in natural numbers one constructs a new solution
$(x_1, y_1, z_1)$ that is “smaller” (in a suitable way) than the original solution. Since
natural numbers cannot decrease indefinitely, this will lead to a contradiction.
For the proof of Fermat’s claim we assume that there is a solution (x, y, z) of
$x^4 + y^4 = z^2$ in natural numbers with $xy \ne 0$. If p is a common divisor of x and
z, then $p \mid y$, hence $p^4 \mid z^2$ and $p^2 \mid z$; but then we may cancel $p^4$, and applying
this reasoning repeatedly we arrive at a solution (x, y, z) in which x, y, and z are
pairwise coprime.
Clearly x and y have different parity, and we may assume that x is even and y is
odd. According to Proposition 1.5 there exist natural numbers a, b with $x^2 = 2ab$,
$y^2 = a^2 - b^2$ and $z = a^2 + b^2$. Since y is odd, a and b have different parity. If
a is even and b is odd, then we obtain $1 \equiv y^2 = a^2 - b^2 \equiv 0 - 1 \equiv -1 \bmod 4$:
Contradiction. Thus a is odd and b is even, and applying Proposition 1.5 to the
equation $b^2 + y^2 = a^2$ we obtain the existence of integers $c, d \in \mathbb{N}$ with $b = 2cd$,
$y = c^2 - d^2$ and $a = c^2 + d^2$. This gives us $x^2 = 4cd(c^2 + d^2)$, hence
$(x/2)^2 = cd(c^2 + d^2)$. Now c, d and $c^2 + d^2$ are pairwise coprime (a common factor would
divide a and b, hence x and y) and their product is a square. Applying the Square
Lemma 1.4 twice (first to the pair cd and $c^2 + d^2$, then to c and d) we find that these
factors must be squares, up to possible factors ±1. By choosing c and d positive we
obtain $c = e^2$, $d = f^2$ and $c^2 + d^2 = g^2$ for $e, f, g \in \mathbb{N}$.
But now we have $e^4 + f^4 = g^2$, hence we have found a new solution of the
equation $x^4 + y^4 = z^2$. Since

$$z = a^2 + b^2 = (c^2 + d^2)^2 + 4c^2d^2 > g^4 \ge g,$$

this solution is smaller than our original solution. In other words: To every solution
$(x, y, z) \in \mathbb{N}^3$ with $xy \ne 0$ there exists another solution $(e, f, g) \in \mathbb{N}^3$ with
$0 < g < z$ (if we had g = 0, it would follow that e = f = 0 and thus b = 0, hence
x = 0: Contradiction). Thus there cannot exist a solution $(x, y, z) \in \mathbb{N}^3$ with $xy \ne 0$
since after finitely many steps we would obtain an integral solution (e, f, g) with
0 < g < 1. This proves Fermat’s claim.
As impressive as this proof is, it only uses descent and a repeated application of
the Square Lemma.

1.5 Euler

Leonhard Euler (1707–1783) was perhaps the most productive mathematician of
all times; almost half of his books and articles were published after he had become
blind. It was Christian Goldbach who infected Euler with the virus of number theory
in 1729 (see [89]) by asking him in his first letter whether Euler knew about Fermat’s
conjecture that all numbers of the form $2^{2^n} + 1$ are prime. Euler was not impressed,
but Goldbach did not let go. He showed Euler how to prove that no Fermat number
$> 2^{2^4} + 1$ is divisible by any prime number below 100, and when Euler eventually
discovered that each prime factor of $2^{2^n} + 1$ has the form $p = 2^n k + 1$ and that
$2^{2^5} + 1$ is divisible by 641 = 40 · 16 + 1, he was hooked. Euler was the only
prominent mathematician (see footnote 8) of his time who studied number theory until Lagrange
appeared on the mathematical stage.
For explaining the idea behind Euler’s attempt at proving Fermat’s conjecture
that x = 3 and y = 5 are the only solutions of $y^2 = x^3 - 2$ in natural numbers,
we will look into his Algebra [38]. Euler’s proof contained a gap, but it displays his
originality.
In order to understand Euler’s reasoning it is necessary to study Euler’s proof
of one of the most beautiful results of elementary number theory, the Two-Squares
Theorem, according to which each prime number of the form 4n + 1 can be written
as a sum of two squares.

1.5.1 The Two-Squares Theorem

The first statement that every prime number of the form p = 4n + 1 can be written
as a sum of two squares shows up in Albert Girard’s (1595–1632) edition of Simon
Stevin’s (1548–1620) Arithmetique published in 1625. This edition contains the first
four books of Diophantus’ Arithmetica translated by Stevin, and the fifth and
sixth book translated by Girard. In connection with Problem V.12, Girard writes:
Determination of a number that can be divided into two squares of integers.
I. Each square number.
II. Each prime number that exceeds a multiple of 4 by a unit.
III. The products of such numbers.
IV. And the double of each of these.

The first proof that every prime number of the form p = 4n + 1 can be written
uniquely as a sum of two squares is due to Fermat, and the first published proof to
Euler [37]. Euler approaches his proof slowly and thoughtfully and he explains why,
apart from $p = 2 = 1^2 + 1^2$, only primes of the form 4n + 1 can be sums of two
squares.
His first considerations are concerned with the representation of 2p as sums of
two squares: If $p = a^2 + b^2$, then

$$2p = 2a^2 + 2b^2 = (a - b)^2 + (a + b)^2 \tag{1.7}$$

8 There were numerous less known mathematicians interested in Diophantine problems or the

investigation of perfect and amicable numbers.


is also a sum of two squares. If, conversely, $2p = c^2 + d^2$ is a sum of two squares,
then c and d must be both odd, hence

$$p = \left(\frac{c+d}{2}\right)^2 + \left(\frac{c-d}{2}\right)^2 \tag{1.8}$$

is a sum of two squares of integers.
Euler’s goal in the last part of his Algebra was convincing his readers that
quadratic irrationalities were the actual reason for the existence of such identities.
In the present case (1.7) and (1.8) may be explained via the multiplication and the
division by 1 + i in integers of the form a + bi: Taking the norm (see footnote 9) of

(1 + i)(a + bi) = (a − b) + (a + b)i

yields the identity (1.7). Conversely, (1.8) is a consequence of

$$\frac{c + di}{1 + i} = \frac{(c + di)(1 - i)}{(1 + i)(1 - i)} = \frac{c + d + (d - c)i}{2}.$$

Euler now plays the same game with two odd prime numbers: If $p = a^2 + b^2$
and $q = c^2 + d^2$, then

$$pq = (a^2 + b^2)(c^2 + d^2) = (ac + bd)^2 + (ad - bc)^2.$$

This identity also follows easily by using complex numbers:

$$(a - bi)(c + di) = (ac + bd) + (ad - bc)i,$$

whereas the product (a + bi)(c + di) leads to the representation

$$pq = (ac - bd)^2 + (ad + bc)^2. \tag{1.9}$$

The existence of two expressions for pq as sums of two squares suggests that
products of two primes of the form 4n + 1 can always be written as sums of two
squares in two different ways. In the second part of his article Euler uses this idea
to develop an algorithm for finding the prime factors of sums of two squares.
The idea behind Euler’s proof of the Two-Squares Theorem is reversing the
process above. We have seen (see Eqs. (1.7) and (1.8)) that a prime number p is
a sum of two squares if and only if 2p is. It is therefore a natural idea to show that
some multiple mp of a prime p ≡ 1 mod 4 is a sum of two squares, and then to
reduce m via the product formula (1.9) until we end up with m = 1.

9 The norm of a Gaussian integer x + iy is $(x + iy)(x - iy) = x^2 + y^2$.


Euler follows this idea using induction (Fermat had chosen the equivalent method
of infinite descent):
(1) The prime numbers p = 4n + 1 are those for which −1 is a quadratic residue;
it follows from $x^2 \equiv -1 \bmod p$ that $x^2 + 1 = mp$ for some natural number m.
(2) For each prime number p = 4n + 1 there is a multiple mp that can be written
as a sum of two squares, where we may choose m < p.
(3) If m is even, then $\frac{m}{2} p$ is also a sum of two squares.
(4) Each odd prime factor q of m is a sum of two squares by induction hypothesis,
and then $\frac{m}{q} p$ is a sum of two squares.

Claim (2) follows from (1): If p = 4n + 1, then $x^2 \equiv -1 \bmod p$ has a solution,
hence p divides $x^2 + 1$ and so $x^2 + 1 = mp$. By picking the residue class of x
modulo p between $-\frac{p}{2}$ and $\frac{p}{2}$ we obtain $mp = x^2 + 1 < \frac{p^2}{4} + 1 < p^2$ and thus
m < p. Since we have already proved (3) it only remains to show (1) and (4).
The basis of Euler’s proof of the first claim (1) is Fermat’s Theorem that
$a^{p-1} \equiv 1 \bmod p$ for all integers a coprime to p. For primes p = 4n + 1 this shows that for
all integers a and b coprime to p, the expression

$$a^{p-1} - b^{p-1} = a^{4n} - b^{4n} = (a^{2n} - b^{2n})(a^{2n} + b^{2n})$$

is divisible by p. Since the expression in the last bracket is a sum of two squares
$(a^n)^2 + (b^n)^2$, everything boils down to showing that a and b can be chosen in such
a way that p does not divide the expression $a^{2n} - b^{2n}$ in the first bracket.
As Euler was to find out later, this can be seen quite easily: Just pick b = 1 and
show that there is at least one integer a not divisible by p for which $a^{2n} - 1$ is not
divisible by p. In fact, if all integers a = 1, 2, . . . , p − 1 had the property that p is
a divisor of $a^{2n} - 1$, then the polynomial $x^{2n} - 1$ would have more than $2n = \frac{p-1}{2}$
roots modulo p, which is impossible.
It remains to prove the last claim, the induction step. We assume that each prime
q = 4n + 1 less than p is a sum of two squares and then show that p is also a sum
of two squares.
Thus let $mp = x^2 + y^2$ for an integer m < p. If d is a common divisor of x and
y, then m is divisible by $d^2$, and division by $d^2$ yields $m_1 p = x_1^2 + y_1^2$, where $x_1$
and $y_1$ are coprime. Moreover we may assume that $m_1$ is odd.
Now write $mp = a^2 + b^2$, where m is odd and where a and b are coprime. From
$a^2 + b^2 \equiv 0 \bmod m$ we obtain the congruence $(a/b)^2 \equiv -1 \bmod m$. In particular,
$(a/b)^2 \equiv -1 \bmod q$ for each prime divisor q of m. Since q < p, we know by
induction assumption that $q = c^2 + d^2$. Thus $\frac{a^2+b^2}{c^2+d^2}$ is an integer. Therefore, the
numbers

$$c^2(a^2 + b^2) = a^2c^2 + b^2c^2 \quad \text{and} \quad a^2(c^2 + d^2) = a^2c^2 + a^2d^2$$

are divisible by $q = c^2 + d^2$, hence so is their difference

$$b^2c^2 - a^2d^2 = (bc - ad)(bc + ad).$$

Since $q = c^2 + d^2$ is prime, q divides one of the two factors by Euclid’s Lemma 1.2.
Changing the sign of d if necessary we may assume that q divides bc − ad. Then

$$mpq = (a^2 + b^2)(c^2 + d^2) = (bc - ad)^2 + (ac + bd)^2,$$

and here the left side as well as the square $(bc - ad)^2$ are divisible by q. Thus q also
divides ac + bd, and canceling $q^2$ yields

$$\frac{m}{q} \cdot p = \left(\frac{bc - ad}{q}\right)^2 + \left(\frac{ac + bd}{q}\right)^2.$$

If $\frac{m}{q} = 1$, then we are done; if not, consider a prime factor $q_1$ of $\frac{m}{q}$ and repeat the
last step. After finitely many steps we have found a presentation of p as a sum of
two squares.
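
Euler’s reduction of the multiplier m can be run as an algorithm. The following Python code is an added example, not taken from the book; the function names are chosen here, p is assumed to be a prime of the form 4n + 1 (primality is not checked), and trial division is used to find the prime factors of m.

```python
def sqrt_minus_one(p):
    """Return x with x^2 = -1 (mod p) and |x| < p/2 for a prime p = 4n + 1."""
    if p % 4 != 1:
        raise ValueError("p must be of the form 4n + 1")
    n = (p - 1) // 4
    for a in range(2, p):
        # By Fermat's Theorem a^(2n) is +1 or -1 modulo p.  The root-counting
        # argument shows that some a gives -1, and then x = a^n works.
        if pow(a, 2 * n, p) == p - 1:
            x = pow(a, n, p)
            return x if 2 * x < p else x - p
    raise ValueError("no suitable a found; p is not prime")


def smallest_prime_factor(m):
    """Smallest prime factor of m >= 2, found by trial division."""
    d = 2
    while d * d <= m:
        if m % d == 0:
            return d
        d += 1
    return m


def two_squares(p):
    """Write the prime p = 4n + 1 as a^2 + b^2 and return (a, b) with a <= b."""
    x = sqrt_minus_one(p)
    a, b = abs(x), 1               # a^2 + b^2 = m * p with a, b coprime
    m = (a * a + b * b) // p       # m < p because |x| < p/2
    while m > 1:
        q = smallest_prime_factor(m)
        if q == 2:
            # a and b are both odd here; halve the multiplier via (1.8).
            a, b = (a + b) // 2, abs(a - b) // 2
        else:
            # Induction step: q < p is a prime of the form 4n + 1.
            c, d = two_squares(q)
            if (b * c - a * d) % q != 0:
                d = -d             # change the sign of d so that q | bc - ad
            a, b = abs(b * c - a * d) // q, abs(a * c + b * d) // q
        m //= q
        assert a * a + b * b == m * p
    return (min(a, b), max(a, b))


if __name__ == "__main__":
    for p in (13, 29, 97, 1009):
        print(p, two_squares(p))
```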
As a corollary of Euler’s investigation we observe
Theorem 1.9 (Euler’s Decomposition Theorem) If $m = x^2 + y^2$ is a sum of two
coprime squares, and if $m = p_1 p_2 \cdots p_t$ is the prime factorization of m, then we
can choose integers $x_j, y_j \in \mathbb{Z}$ for which $p_j = x_j^2 + y_j^2$, and the decomposition of
m into two squares can be obtained by a repeated application of the identity (1.9)
to the decompositions of the primes $p_j$ as sums of two squares.

$$x^2 + y^2 = (x_1^2 + y_1^2)(x_2^2 + y_2^2) \cdots (x_t^2 + y_t^2).$$

The condition that x and y be coprime is necessary: Although $3^2 + 3^2 = 2 \cdot 3 \cdot 3$,
the number 3 cannot be written as a sum of two squares.
For the induction proof to go through it was important that there is a multiple
$mp$ of $p$ for which $mp$ is a sum of two squares and $m < p$. Such a multiple existed
because it follows from $|x|, |y| < \frac{p}{2}$ that $x^2 + y^2 < \frac{1}{2} p^2$. This step also works for
numbers of the form $x^2 + 2y^2$, and even for numbers of the form $x^2 + 3y^2$ if we avoid
that $x$ and $y$ are both odd. Thus for numbers of the form $x^2 + 2y^2$ and $x^2 + 3y^2$ there
are similar decomposition theorems. For numbers of the form $x^2 + 5y^2$, however, our
proof does not work any more, and as a matter of fact, the decomposition theorem
does not hold: Although $1^2 + 5 \cdot 1^2 = 6$, neither 2 nor 3 can be written in the form
$x^2 + 5y^2$.
It is hard to believe that Euler did not see this; even though he did not formulate
the decomposition theorem anywhere, it follows from his work that he must have
believed the following result to be true:

Theorem 1.10 (Euler’s Decomposition Theorem) If $N = x^2 + my^2$ for coprime
integers $x$ and $y$ and positive squarefree numbers $m$, if $N = p_1 \cdots p_t$ is a product
of prime numbers, and if each prime factor $p_j$ has the form $p_j = x_j^2 + m y_j^2$, then the
signs of the $y_j$ can be chosen in such a way that the decomposition $N = x^2 + my^2$
is obtained by a repeated application of the identity

$$(a^2 + mb^2)(c^2 + md^2) = (ac - mbd)^2 + m(ad + bc)^2$$

from

$$(x_1^2 + m y_1^2)(x_2^2 + m y_2^2) \cdots (x_t^2 + m y_t^2).$$

The usual counterexamples, which we will discuss repeatedly in the next few
chapters, do not apply to this result, which can be proved using tools available
to Euler. For solving Diophantine equations one needs a stronger version of the
decomposition theorem, namely the analogue of Theorem 1.9 for numbers of the
form $x^2 + 2y^2$. The strong version would follow from the weak one if we could
show that prime divisors of numbers of the form $x^2 + my^2$ with $\gcd(x, y) = 1$ again
have this form. But as we have already seen, this is false already for $m = 5$.
Euler eventually must have realized that there is a serious problem with his
approach. In one of the many posthumous papers of Euler [39, Art. 44] we find
the following question:
The formula $181^2 + 7 = 32^3$ is worthy of our whole attention; although $32 = 5^2 + 7$ it is
not true that

$$181 + \sqrt{-7} = (5 + \sqrt{-7})^3,$$

although we have

$$181 + \sqrt{-7} = \frac{1 - 3\sqrt{-7}}{8}\,(5 + \sqrt{-7})^3.$$

We also remark that

$$\frac{1 + 3\sqrt{-7}}{8} \cdot \frac{1 - 3\sqrt{-7}}{8} = 1,$$

which shows that the development into imaginary factors requires further investigations.

This problem “worthy of our whole attention” disappears by introducing algebraic
integers of the form $\frac{a + b\sqrt{-7}}{2}$ with $a \equiv b \bmod 2$. In particular, Euler’s question
remained open until Dedekind succeeded in clearing up the notion of algebraic
integers (see Exercise 2.25).

1.5.2 Euler’s Algebra

The part of Euler’s exposition in his Algebra that is of interest to us in connection
with the arithmetic of surds begins in § 162, where he investigates the factorization
of the expression $ax^2 + bxy + cy^2$. Euler recalls that such an expression is a square
if the discriminant $b^2 - 4ac = 0$, a product of rational linear factors if $b^2 - 4ac$ is
a square, and a product of irrational (and even complex) factors otherwise.
The first two cases are quickly dealt with; in the third case, Euler gets rid of the
term $bxy$ by completing the square, and he ends up with the problem of factoring
expressions of the form $ax^2 + cy^2$.
In § 168 he begins with the simplest case $x^2 + y^2$, where the method used for
solving the first two cases (where the discriminant was a square) does not work:
In this case, the method above does not apply since this expression cannot be written as a
product of two rational factors; yet the irrational factors into which this expression can be
factored and which represent this product $(x + y\sqrt{-1})(x - y\sqrt{-1})$ may be just as useful
for us. If the expression $xx + yy$ has actual factors, then the irrational factors must again
have factors, since if they did not have any divisors, then its product could not have any.
But since these factors are irrational and even complex, and since the numbers $x$ and $y$ do
not have a common divisor, they cannot have any rational factors; rather they have to be
irrational and even imaginary of the same kind.

Behind these considerations is the observation that composite values of $x^2 + y^2$
may be explained by factorizations of $x + yi$. For example, $1^2 + 8^2 = 65 = 5 \cdot 13$
is composite, and Euler’s claim is that this is a consequence of the fact that $1 + 8i$
can be factored. In fact, we have $1 + 8i = (-1 + 2i)(3 - 2i)$.
As we have seen above, Euler has proved this implicitly in his proof that each
prime of the form p = 4n + 1 is a sum of two squares.

1.5.3 Bachet’s Equation $y^2 + 2 = x^3$

Euler discusses the equation $y^2 + 2 = x^3$ in § 193 of his Algebra:

It is required to find square numbers of integers that, if 2 is added, become cubes, as happens
in the case of the square 25. We ask whether there are any other such squares.

Euler’s solution is the following:

Since $x^2 + 2$ must be a cube and 2 is the double of a square, we first look for the cases in
which the expression $x^2 + 2y^2$ becomes a cube, which happens according to what we have
seen above in § 188 when $x = p^3 - 6pq^2$ and $y = 3p^2q - 2q^3$. Since here we have $y = \pm 1$
we must have $3p^2q - 2q^3 = q(3p^2 - 2q^2) = \pm 1$, and thus $q$ must divide 1. Therefore
$q = 1$, and so $3p^2 - 2 = \pm 1$; if the positive sign holds, then $3p^2 = 3$ and $p = 1$, hence
$x = 5$; the negative sign yields an irrational value for $p$, which is impossible here. This
implies that 25 is the only square in integers with the desired property.

Here Euler uses his decomposition theorem: If $x^2 + 2 = m^3$, then there is a
representation $m = p^2 + 2q^2$ such that $x^2 + 2 = (p^2 + 2q^2)^3$.

One can often read that Euler used unique factorization for integers of the form
$a + b\sqrt{-2}$ in his solution of the Bachet-Fermat equation $y^2 + 2 = z^3$; as a matter
of fact, primes of the form $x + y\sqrt{-2}$ do not occur anywhere in Euler’s work, and
it would be more precise to say that Euler’s proof had a gap that we can fill with
the unique factorization theorem for such numbers. What is true is that Euler tried
to transfer the Square Lemma (Theorem 1.4) and its cubic analog to numbers of the
form $a + b\sqrt{c}$.

1.5.4 The Cubic Fermat Equation

In § 243 of his Algebra, Euler discusses the following


Theorem. It is not possible to find two cubes whose sum or difference is a cube.

Of course it is sufficient to prove the impossibility of $x^3 + y^3 = z^3$ in integers,
since $x^3 - y^3 = z^3$ is equivalent to $x^3 = y^3 + z^3$.
Euler first proves that $x$ and $y$ may be assumed to be coprime and odd. Then their
sum and difference are even, and setting $x = p + q$ and $y = p - q$ he finds

$$x^3 + y^3 = 2p(p^2 + 3q^2),$$

and Fermat’s claim boils down to the question whether the product $2p(p^2 + 3q^2)$
can be a cube or not. Elementary congruences show that $p$ must be divisible by 4,
so that $\frac{p}{4}(p^2 + 3q^2)$ is a cube.
We can easily show that $\frac{p}{4}$ and $p^2 + 3q^2$ are either coprime or have greatest
common divisor 3. In the first case, $p^2 + 3q^2$ must be a cube:
Now let us make $pp + 3qq$ a cube, which may be achieved, as we have shown above, by
setting

$$p + q\sqrt{-3} = (t + u\sqrt{-3})^3 \quad\text{and}\quad p - q\sqrt{-3} = (t - u\sqrt{-3})^3.$$

This makes $pp + 3qq = (tt + 3uu)^3$ into a cube, and now we find $p = t^3 - 9tuu =
t(tt - 9uu)$ and $q = 3ttu - 3u^3 = 3u(tt - uu)$.

Next Euler uses the condition that

$$2p = 2t(t^2 - 9u^2) = 2t(t - 3u)(t + 3u)$$

must be a cube in order to find a contradiction using infinite descent. In fact, the
coprimality of the factors implies that $2t = e^3$, $t - 3u = f^3$ and $t + 3u = g^3$ must
be cubes. This implies

$$e^3 = 2t = (t - 3u) + (t + 3u) = f^3 + g^3,$$

and we have found a new solution $(e, f, g)$ of the cubic Fermat equation, which
easily can be shown to be smaller than the solution we started with unless $xyz = 0$.
The problematic point in Euler’s proof is the following, as was pointed out to
Euler by the Berlin mathematician and calculator Abraham Wolff in a letter to Euler
written on August 9, 1770:
The difficulty lies in the fact that I lack the trick by which I can convince myself that if
$pp + 3qq = (tt + 3uu)^3$, that is

$$(p + q\sqrt{-3}) \cdot (p - q\sqrt{-3}) = (t + u\sqrt{-3})^3 (t - u\sqrt{-3})^3,$$

the value of $p + q\sqrt{-3}$ must necessarily be $(t + u\sqrt{-3})^3$.

It is not known whether Euler answered this letter; but he certainly knew that
others felt there was a gap.

1.5.5 Euler and the Problem of Units

In § 188, Euler discusses the question of how to make expressions such as $ax^2 + cy^2$
into a cube. To this end he uses numbers of the form $x\sqrt{a} + y\sqrt{-c}$. Euler obtains
his solutions by setting

$$x\sqrt{a} + y\sqrt{-c} = (p\sqrt{a} + q\sqrt{-c})^3.$$

This yields

$$x = ap^3 - 3cpq^2 \quad\text{and}\quad y = 3ap^2q - cq^3.$$

It is correct that these values of $x$ and $y$ satisfy the equation

$$ax^2 + cy^2 = z^3 \tag{1.10}$$

for $z = ap^2 + cq^2$. But what Euler uses (and needs) in his applications is the
converse, namely that each solution is given by these equations. Euler’s occasional
remarks concerning the coprimality of the coefficients show that he has seen that this
converse must be proved. Numerous examples that perhaps were known to Euler
show, however, that such a proof cannot be as simple as Euler may have thought.
Euler’s digression into the theory of numbers of the form $x\sqrt{a} + y\sqrt{c}$ cannot
be avoided: For example, we have $7^2 - 10 \cdot 2^2 = 9 = 3^2$, yet $7 + 2\sqrt{10}$ is not a
square of a number of the form $a + b\sqrt{10}$. In the present case, the obstacle may be
overcome by considering numbers of the form $a\sqrt{2} + b\sqrt{5}$, because now

$$7 + 2\sqrt{10} = (\sqrt{2} + \sqrt{5})^2.$$

In Euler’s Algebra, this example does not occur. He came across these numbers
when trying to make expressions such as $2x^2 - 5y^2$ into cubes. In this case, Euler
observes, it is not sufficient to set

$$x\sqrt{2} + y\sqrt{5} = (p\sqrt{2} + q\sqrt{5})^3;$$

rather one has to consider equations of the form

$$x\sqrt{2} + y\sqrt{5} = (p\sqrt{2} + q\sqrt{5})^3 (3 + \sqrt{10})^n$$

for arbitrary integers $n$. Since $-(3 + \sqrt{10})(3 - \sqrt{10}) = 1$, the powers of $3 + \sqrt{10}$
are divisors of 1, or, in words that Euler could not have used, units in the ring of
numbers of the form $x + y\sqrt{10}$. In this connection, see Exercise 9.19.
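The gap between Euler's formulas for (1.10) and their converse can be checked by brute force. This added Python example (not from the book; the function names are its own) lists the coprime solutions of $ax^2 + cy^2 = z^3$ that the formulas with $z = ap^2 + cq^2$ fail to produce, for Bachet's case $a = 1$, $c = 2$, $z = 3$ and for Euler's example $181^2 + 7 = 32^3$ from Section 1.5.1.

```python
from math import gcd, isqrt


def euler_cube(a, c, p, q):
    """Expand (p*sqrt(a) + q*sqrt(-c))^3 = x*sqrt(a) + y*sqrt(-c); return x, y, z."""
    x = a * p**3 - 3 * c * p * q**2
    y = 3 * a * p**2 * q - c * q**3
    z = a * p**2 + c * q**2
    return x, y, z


def parametrized(a, c, z):
    """All (|x|, |y|) given by Euler's formulas with a*p^2 + c*q^2 = z.

    Changing the sign of p or q only changes the signs of x and y,
    so p, q >= 0 is enough.
    """
    found = set()
    for q in range(isqrt(z // c) + 1):
        rest = z - c * q * q
        if rest % a == 0:
            p = isqrt(rest // a)
            if a * p * p == rest:
                x, y, zz = euler_cube(a, c, p, q)
                assert a * x * x + c * y * y == zz**3   # the direction Euler proved
                found.add((abs(x), abs(y)))
    return found


def all_solutions(a, c, z):
    """All (x, y) with x, y >= 0 and a*x^2 + c*y^2 = z^3, by exhaustive search."""
    n = z**3
    found = set()
    for y in range(isqrt(n // c) + 1):
        rest = n - c * y * y
        if rest % a == 0:
            x = isqrt(rest // a)
            if a * x * x == rest:
                found.add((x, y))
    return found


def missed_coprime(a, c, z):
    """Coprime solutions of a*x^2 + c*y^2 = z^3 not produced by the formulas."""
    missed = all_solutions(a, c, z) - parametrized(a, c, z)
    return sorted(s for s in missed if gcd(*s) == 1)


if __name__ == "__main__":
    # Bachet: x^2 + 2*y^2 = 3^3, the formulas find the coprime solution (5, 1).
    print(parametrized(1, 2, 3), missed_coprime(1, 2, 3))
    # Euler's example: x^2 + 7*y^2 = 32^3, the solution (181, 1) is missed.
    print(parametrized(1, 7, 32), missed_coprime(1, 7, 32))
```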

1.6 Gauss

The final step in the direction of algebraic number theory was taken by Carl
Friedrich Gauss (1777–1855). Gauss is one of the greatest mathematicians of all
time. He was only 18 years old when he solved a 2000-year-old problem by showing
that a regular polygon with 17 sides can be constructed using ruler and compass—
he obtained the proof by developing the (algebraic!) theory of cyclotomy, which
he included in his Disquisitiones Arithmeticae, one of the most famous textbooks
on number theory. The Disquisitiones also contained the first complete proofs of
the quadratic reciprocity law. Another fundamental discovery by Gauss was elliptic
functions (doubly periodic functions $\mathbb{C} \to \mathbb{C}$, obtained by inverting elliptic
integrals that Euler and Legendre had studied extensively and which appear in the
computation of the circumference of ellipses—whence their name), about which he
published almost nothing at all.
In his Disquisitiones Arithmeticae [43] published in 1801, Gauss gave a quite
modern presentation of elementary number theory (in the sense that he covered
congruences, unique factorization, residue class groups and primitive roots), erected
on a safe foundation: After the proof of Euclid’s Lemma 1.2 in [43, Art. 14] he
states and proves the theorem of unique factorization. Before Gauss, the uniqueness
of prime factorization had been known, but it was not regarded as a fundamental
property: As in Euclid’s Elements, it was rather regarded as an auxiliary result, e.g.,
for finding all the divisors of numbers of the form $2^{p-1}(2^p - 1)$ for primes $2^p - 1$ in
the construction of perfect numbers. The observation that all divisors of a number N
are obtained exactly once by multiplying the divisors of the prime powers dividing
N is essentially equivalent to unique factorization as far as the content is concerned.
For Gauss (and the number theorists after him), unique factorization was a principle
on which elementary number theory is founded. In particular, Gauss realized that
unique factorization may be used to prove results about integers. Only after this
conceptual progress did it become possible to ask whether unique factorization
holds for numbers of the form $a + b\sqrt{-2}$.
Exactly this question, for numbers of the form a + bi, was discussed by Gauss a
quarter of a century later in his second memoir [45] on biquadratic residues:
After having begun to think about this topic already in 1805 we soon became convinced
that the natural source of a general theory has to be found in an extension of the field of
arithmetic [. . . ].
In fact, whereas the higher arithmetic in the questions discussed so far deals only with
real numbers, the theorems concerning biquadratic residues only appear in their whole
simplicity and natural beauty if the field of arithmetic is extended to the imaginary numbers,
so that its objects are, without any restriction, the numbers of the form $a + bi$, where as usual
$i$ denotes the imaginary unit $\sqrt{-1}$, and where $a$ and $b$ run through all real integers between
$-\infty$ and $+\infty$.

Gauss uses the numbers a + bi not only as servants for finding identities, as
Euler and Lagrange have done, but develops the arithmetic in this domain ab ovo:
He defines divisibility, units, prime numbers and shows, with the help of binary
quadratic forms, that the integers a + bi can be factored uniquely, up to unit factors
and ordering, into prime elements. Both Dirichlet (1805–1859) and Jacobi (1804–
1851) were surprised and highly impressed by the idea of allowing these numbers
a + bi as modules, which allowed Gauss to transfer his theory of congruences to
these numbers.
Dirichlet later even extended Gauss’s theory of binary quadratic forms to the
ring of “Gaussian integers” (parts of his lectures on the elementary arithmetic of
this ring have survived as lecture notes by Gustav Arendt [3]), and he realized that
unique prime factorization in such domains is a consequence of the existence of a
Euclidean algorithm.
For a few number fields, unique factorization could be proved in this way, but
it was not clear what to do with number rings in which unique factorization does
not hold. It was more or less taken for granted that a general theory would have to
be based on a generalization of the theory of binary quadratic forms to forms of
higher degree. Eisenstein (1823–1852) developed a theory of cyclic cubic fields in
the language of cubic forms, and Dirichlet worked out the analytic class number
formula for cyclotomic fields using the language of forms before Kummer (1810–
1893) succeeded in creating an arithmetic of cyclotomic number fields based on
his notion of ideal numbers. Dedekind (1831–1916) extended Kummer’s ideas to
general number fields using his theory of ideals.

1.7 Kummer and Dedekind

In Euclid’s books on number theory (volumes 7, 8, and 9 of his Elements), a prime
number was a natural number greater than 1 without any proper divisors. It was
Kummer who first realized that this definition of primality was not the right one in
algebraic number fields. In his article [71] he wrote:


I have noticed that, even if α cannot be decomposed into complex factors, it might not
have the true nature of a complex prime number, since in general it lacks the first and most
important property of primes, namely that the product of two primes is not divisible by any
prime number different from them.

Instead of looking at Kummer’s examples taken from cyclotomic number fields,
we will verify Kummer’s claims in suitable quadratic rings. We begin by presenting
a non-example, namely the factorization

$$6 = 2 \cdot 3 = (2 + \sqrt{-2})(2 - \sqrt{-2}) \tag{1.11}$$

in $\mathbb{Z}[\sqrt{-2}]$ (by $\mathbb{Z}[\sqrt{m}]$ we denote the set of numbers of the form $a + b\sqrt{m}$ with
$a, b \in \mathbb{Z}$). These factorizations look different but may be explained by the fact that
the factors can be decomposed further, just as those in $12 = 2 \cdot 6 = 3 \cdot 4$. In fact, we
have

$$2 = -\sqrt{-2}^{\,2}, \qquad 2 + \sqrt{-2} = \sqrt{-2} \cdot (1 - \sqrt{-2}),$$
$$3 = (1 + \sqrt{-2})(1 - \sqrt{-2}), \qquad 2 - \sqrt{-2} = -\sqrt{-2} \cdot (1 + \sqrt{-2}).$$

Thus the two factorizations result from combining the factors in the “prime
decomposition”

$$6 = -\sqrt{-2}^{\,2} (1 + \sqrt{-2})(1 - \sqrt{-2})$$

in two different ways.

The example

$$6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$$

in the ring $R = \mathbb{Z}[\sqrt{-5}]$ looks similar to the one above, but is different. It is true
that 2 is not prime in $R$ because the product is divisible by 2, yet 2 divides none
of the two factors $1 \pm \sqrt{-5}$ since the elements $(1 \pm \sqrt{-5})/2$ do not belong to
$R = \mathbb{Z}[\sqrt{-5}]$.
This factorization cannot be refined. In fact, in $\mathbb{Z}[\sqrt{-5}]$, the element 2 is
irreducible, that is, it cannot be written as a product of nonunits. For proving
this claim we need the norm map defined by $N(x + y\sqrt{-5}) = x^2 + 5y^2$. Since
$N(x + y\sqrt{-5}) = (x + y\sqrt{-5})(x - y\sqrt{-5})$, the norm is multiplicative, i.e., we
have $N(\alpha)N(\beta) = N(\alpha\beta)$ for elements $\alpha, \beta \in R$.
Now assume that 2 does have a factorization into nonunits, say $2 = \alpha\beta$ with
$\alpha, \beta \in R$. Taking the norm of both sides we obtain $4 = N(2) = N(\alpha)N(\beta)$. The
smallest norms in $R$ are $N(\pm 1) = 1$, $N(\pm 2) = 4$, and $N(\pm\sqrt{-5}) = 5$. Thus the
only solutions of the equation $4 = N(\alpha)N(\beta)$ with $\alpha, \beta \in R$ are $\alpha = \pm 2$ and $\beta =
\pm 1$, or $\beta = \pm 2$ and $\alpha = \pm 1$. But these are trivial factorizations since the elements
$\pm 1$ are units since they obviously divide 1. The result of these considerations is that

$$6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5}) \tag{1.12}$$

are two essentially different factorizations of 6 into irreducible elements of $R$.


Richard Dedekind was one of the pioneers of abstract algebra. Notions such as
ring, field, and ideal are due to him. The invasion of algebra by these originally
number theoretic concepts took place in the 1920s under the massive influence of
Emmy Noether (1882–1935).
When Dedekind transferred the arithmetic of the ordinary integers to algebraic
number rings in [28, III, p. 239], he gave a lot of thought to the question of how best
to define the notion of a prime number in a number ring.
In order to explain why the classical definition of prime as irreducible is not
suitable for doing arithmetic in number rings he considers the ring A of all algebraic
integers and observes that the usual definition is of no use here:
If we would define prime numbers as elements that do not possess any divisors essentially
different from itself and units, then it is easily seen that such a number does not exist at all
[in A]; for if $\alpha$ is an algebraic integer, then it always has infinitely many essentially different
divisors, for example, the numbers $\sqrt{\alpha}$, $\sqrt[3]{\alpha}$, $\sqrt[4]{\alpha}$, etc., which [. . . ] are algebraic integers.

Dedekind goes on to say that, on the other hand, it is easy to define the notion of
coprime elements without using the decomposition into irreducibles:
Two non-zero algebraic integers α and β are called coprime if each element divisible by α
and β is also divisible by αβ.

Today we are accustomed to definitions such as this one; for constructivists such
as Leopold Kronecker this was a bad definition: it does not allow you to decide a
priori whether two given integers are coprime since the definition requires checking
infinitely many conditions. In fact we have to verify that the infinitely many integers
divisible by α and β are also divisible by the product αβ. It is therefore clear that for
computing with such numbers, one has to find an algorithm that allows us to decide
in finitely many steps whether two given elements are coprime or not.
A little later (p. 250) Dedekind observes that in algebraic number rings there
often exist essentially different decompositions of elements into irreducible
elements and then continues as follows:
This contradicts the notion of the character of primality that holds in the number theory of
the rational integers to such an extent that we shall not accept an irreducible element as a
prime; thus we need to look out for a stronger criterion than the inadequate irreducibility,
similar to what we did earlier for the notion of coprimality [. . . ], by not decomposing the
integer we are investigating but by studying how it behaves as a module:
An integer μ shall be called prime if it is not a unit, and if every product ηρ divisible by
μ has at least one factor η or ρ divisible by μ.

Here Dedekind has turned a characteristic theorem on primes, namely Euclid’s
Lemma 1.2, into a definition, because this property is well suited for building a
theory.

1.7.1 From Ideal Numbers to Ideals

The fact that in some algebraic number fields there exist irreducible elements that
lack the defining properties of primes implies that the theorem of unique prime
factorization does not hold in such rings. In the case of quadratic number rings it was
possible to justify calculations needed for solving certain Diophantine equations by
invoking the language of binary quadratic forms; for example, Dirichlet proved the
unsolvability of the quintic Fermat equation $x^5 + y^5 = z^5$ in positive integers by
using the theory of the quadratic forms $x^2 - 5y^2$.
In order to be able to say something about certain Diophantine equations even
if the corresponding number field does not have unique factorization, Kummer
invented the notion of an “ideal” prime number. His basic idea is, from today’s
point of view, a very modern one: Investigate an algebraic structure by studying
homomorphisms into simpler structures (see [81]).
Let us once more consider the ring $R = \mathbb{Z}[\sqrt{-5}]$. We have seen above that
the elements 2 and 3 are irreducible in $R$, but not prime. If there was an element
$\pi$ of norm 2, then we could consider the residue class ring of $R$ modulo $\pi$; this
quotient ring would have two elements, because it can be shown that the number
of residue classes modulo an element of $R$ is equal to its norm. Reduction modulo
$\pi$ thus would give us a ring homomorphism $f : R \to \mathbb{Z}/2\mathbb{Z}$. Kummer realized
that such a ring homomorphism exists even when there is no element of norm 2. In
fact, all we have to do is set $f(a + b\sqrt{-5}) = a + b + 2\mathbb{Z}$. Thus although there
is no prime element $\pi$ of norm 2, we can work modulo $\pi$ by simply applying $f$.
Such ring homomorphisms (or, less anachronistically, such procedures for attaching
a residue class to each element) were called “ideal primes” by Kummer.
Heinrich Jung has shown in [69] how to develop the whole theory of quadratic
number fields based on this notion of ideal primes as ring homomorphisms. The
only obstacle in this approach is the fact that it is not at all obvious how to multiply
ideal numbers. Dedekind later replaced these ideal numbers by the kernels of the
associated ring homomorphisms and called them ideals. In his theory, the product
of two ideals is simply the ideal generated by the products of the elements from each
ideal.
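The norm argument behind (1.12) and Kummer's map $f$ can both be verified by machine. In this added Python example (not from the book), a pair (a, b) stands for $a + b\sqrt{-5}$, irreducibility is tested by searching for divisors of intermediate norm, and all helper names are choices made here.

```python
from math import isqrt

M = -5  # we work in R = Z[sqrt(-5)]; the pair (a, b) stands for a + b*sqrt(-5)


def mul(u, v):
    """Product of two elements of R."""
    (a, b), (c, d) = u, v
    return (a * c + M * b * d, a * d + b * c)


def norm(u):
    """N(a + b*sqrt(-5)) = a^2 + 5*b^2."""
    a, b = u
    return a * a - M * b * b


def divides(u, v):
    """True if u divides v in R: v * conj(u) / N(u) must have integer coordinates."""
    a, b = u
    x, y = mul(v, (a, -b))
    n = norm(u)
    return x % n == 0 and y % n == 0


def elements_of_norm(n):
    """All elements of R with norm n (a finite search, since a^2 + 5*b^2 = n)."""
    r = range(-isqrt(n), isqrt(n) + 1)
    return [(a, b) for a in r for b in r if norm((a, b)) == n]


def is_irreducible(u):
    """A nonunit u is irreducible iff no divisor has norm d with 1 < d < N(u)."""
    n = norm(u)
    for d in range(2, n):
        if n % d == 0 and any(divides(w, u) for w in elements_of_norm(d)):
            return False
    return n > 1


def f(u):
    """Kummer's ideal prime above 2: a + b*sqrt(-5) -> a + b mod 2."""
    a, b = u
    return (a + b) % 2


def is_ring_hom(bound=4):
    """Check f(u + v) = f(u) + f(v) and f(u*v) = f(u)*f(v) on a box of elements."""
    r = range(-bound, bound + 1)
    elems = [(a, b) for a in r for b in r]
    return all(
        f((u[0] + v[0], u[1] + v[1])) == (f(u) + f(v)) % 2
        and f(mul(u, v)) == f(u) * f(v)
        for u in elems
        for v in elems
    )


if __name__ == "__main__":
    print("norm 2:", elements_of_norm(2), "norm 3:", elements_of_norm(3))
    for u in [(2, 0), (3, 0), (1, 1), (1, -1)]:
        print(u, "irreducible:", is_irreducible(u), "f =", f(u))
    print("2 | (1+sqrt(-5))(1-sqrt(-5)):", divides((2, 0), mul((1, 1), (1, -1))))
    print("2 | 1+sqrt(-5):", divides((2, 0), (1, 1)))
    print("f is a ring homomorphism on the box:", is_ring_hom())
```

The output shows that $f$ vanishes on 2 and on $1 \pm \sqrt{-5}$ but not on 3, so the ideal prime behaves like a common divisor that no element of $R$ realizes.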

1.8 Exercises

1.1. Already the Babylonians, about 4000 years ago, knew how to calculate the
space diagonal of a door, and composed problems from integral solutions of
equations such as $x^2 + y^2 + z^2 = w^2$. To this end they looked for Pythagorean
triples such as (3, 4, 5) and (5, 12, 13), in which the hypotenuse of one
triangle is equal to the leg of the other one, and then obtained the solution
$3^2 + 4^2 + 12^2 = 13^2$.
Show how to find infinitely many such solutions.

1.2. Show that there are infinitely many Pythagorean triples $(a, b, c)$ in which $a$
or $c$ is a square number.
1.3. The vectors $\begin{pmatrix} 2 \\ 2 \\ 1 \end{pmatrix}$ and $\begin{pmatrix} 4 \\ 4 \\ 7 \end{pmatrix}$ with lengths 3 and 9, respectively, suggest that
there exist infinitely many vectors $\begin{pmatrix} a \\ a \\ b \end{pmatrix}$ whose length $\sqrt{a^2 + a^2 + b^2}$ is an
integer. Clearly this holds if and only if $2a^2 + b^2 = c^2$ is the square of an
integer $c$.
Write this equation in the form $2a^2 = c^2 - b^2 = (c - b)(c + b)$ and
conclude that setting $c - b = 4s^2$ and $c + b = 2r^2$ yields solutions. Deduce
that $a = 2rs$, $b = r^2 - 2s^2$ and $c = r^2 + 2s^2$.
Parametrize the ellipse $x^2 + 2y^2 = 1$ also using the lines through the point
$(-1, 0)$.
1.4. Parametrize the unit sphere $x^2 + y^2 + z^2 = 1$ using lines through the point
$(-1, 0, 0)$.
1.5. If $a$ and $b$ are represented by the form $x^2 - my^2$, then so is their product. The
content of this identity was already known to Brahmagupta, who used it for
solving the equation $x^2 = my^2 + 1$ in integers.
1.6. Derive Bachet’s duplication formula using analytic geometry. The slope of
the tangent in a point may be obtained by implicit differentiation: $2yy' = 3x^2$
implies $y' = \frac{3x^2}{2y}$.
1.7. Show that Bachet’s duplication formula applied twice to the point (3, 5) on
$y^2 = x^3 - 2$ yields the rational point
$$\Big( \frac{2340922881}{7660^2}, \frac{113259286337292}{7660^3} \Big).$$
1.8. Apply Bachet’s duplication formula to the point (2, 2) on the elliptic curve
$y^2 + 4 = x^3$ and show that the only integral point resulting by repeated
duplication is (5, 11).
1.9. Show that there is no Pythagorean triple whose legs are prime numbers.
Show moreover that if (p, b, q) is a Pythagorean triple in which one leg p
and the hypotenuse q are primes, then b = q − 1.
1.10. Show that if (a, b, c) is a Pythagorean triple, then so is (t − a, t − b, t + c).
Similarly, consider the triple (t + a, t + b, 2t − c) and find more ways of
constructing a new Pythagorean triple from a known one.
Show moreover that this method also works for sums of three squares.
1.11. Find a counterexample to the following statement: If $p$ is prime and $kp =
a^2 + mb^2$, and if $k$ can be written in the form $k = c^2 + md^2$, then $p = e^2 + mf^2$.
1.12. Show that there are infinitely many primes of the form $p = 4n + 1$ as well as
of the form $q = 4n + 3$.
Hint: As in Euclid’s proof, consider the integers $N_1 = (p_1 \cdots p_t)^2 + 1$ and
$N_3 = 4q_1 \cdots q_t - 1$.
1.13. The following trick due to Ernst Trost [123, 124] is simple but often
remarkably useful. Given a Diophantine equation $at^2 + bt + c = 0$ with a
rational solution $t$, the solution formula $t_{1,2} = \frac{-b \pm \sqrt{\Delta}}{2a}$ for quadratic equations
tells us that the discriminant $\Delta = b^2 - 4ac$ must be a square.
This almost trivial observation is turned into a useful method by the
following trick: If $x^4 - 4y^4 = z^2$ is solvable in integers (or rationals), then
the quadratic equation $x^4 - tz^2 - 4y^4t^2 = 0$ has a rational solution for $t = 1$.
Thus the discriminant $\Delta$ of the quadratic equation in $t$ must be a square, i.e.,
$\Delta = z^4 + 16x^4y^4 = w^2$ must be solvable (in rational numbers and thus in
integers). Since the only solutions of this equation are the trivial solutions
with $xy = 0$ or $z = 0$, the only solutions of the original equation are $y = 0$
(and $z = x^2$).
Show using Trost’s discriminant trick that the only integral solutions of the
equation $x^4 - 2y^2 = 1$ are the trivial solutions $(x, y) = (\pm 1, 0)$.
1.14. Show using Trost’s discriminant trick that if $y^2 = x^3 - dx$ has nontrivial
rational solutions, then so does $y^4 + 4dx^4 = w^2$. Hint: $dxt^2 + y^2t - x^3 = 0$.
1.15. Show that −2 is a quadratic residue modulo prime numbers p ≡ 1, 3 mod 8.
Hint: For primes p ≡ 1 mod 8, Euler’s proof that −2 is a quadratic residue
modulo p works fine. For primes p ≡ 3 mod 8 you have to show that −1 and
2 are quadratic nonresidues modulo p.
1.16. Transfer Euler’s proof of the Two-Squares Theorem to primes of the form
$x^2 + 2y^2$.
1.17. Show that the representations $21^2 = 11^2 + 5 \cdot 8^2 = 19^2 + 5 \cdot 4^2$ of $21^2 = 441$
may be explained by the two representations of 21 by the form $x^2 + 5y^2$.
What about $21^2 = 6^2 + 5 \cdot 9^2 = 14^2 + 5 \cdot 7^2$?
1.18. Is it possible to solve the equation $y^2 + 2 = x^3$ in integers using methods
from elementary number theory?
1.19. Euler shows that setting $y\sqrt{2} + \sqrt{5} = (a\sqrt{2} + b\sqrt{5})^3$ does not lead to the
solution $(x, y) = (3, 4)$ of the equation $2y^2 - 5 = x^3$. Verify this and deduce
the solution by invoking factors of the form $(3 + \sqrt{10})^n$.
1.20. Let $q \equiv 3, 7, 11 \bmod 16$ be a prime number. Show that the equation $a^4 -
qb^4 = 1$ has $(a, b) = (\pm 1, 0)$ as its only integral solutions.
1.21. Show that the Diophantine equation $y^2 = x^3 + 7$ does not have a solution in
integers.
Hint: First show that $x$ must be odd and then consider the equation $y^2 + 1 =
(x + 2)(x^2 - 2x + 4)$.
1.22. Show that the Diophantine equation $y^2 = x^3 - 17$ does not have a solution in
integers.
1.23. Let $k = A^3 + B^2$ for natural numbers $A \equiv 3 \bmod 4$ and $B \equiv 0 \bmod 2$, and
assume that $B$ is not divisible by a prime number $q \equiv 3 \bmod 4$. Show that the
Diophantine equation $y^2 = x^3 - k$ does not have an integral solution with $y$
even.
1.24. Let $k = A^3 + B^2$ for coprime integers $A$ and $B$, and assume that $A \equiv 2 \bmod 4$
and that $B$ is not divisible by any prime $q \equiv 3 \bmod 4$. Show that $y^2 = x^3 - k$
does not have any integral solutions.
1.25. Prove that the Diophantine equation $y^2 = x^3 - k$ always has an integral
solution if $k = A^3 - B^2$. Use sage to find all integral points on $y^2 = x^3 + 17$
(observe that $17 = 2^3 + 3^2$).
1.26. (Hermite) Set

$$a = p + qi, \quad b = r + si, \quad c = -r + si, \quad d = p - qi,$$
$$a' = p' + q'i, \quad b' = r' + s'i, \quad c' = -r' + s'i, \quad d' = p' - q'i$$

in the product

$$\begin{vmatrix} a & b \\ c & d \end{vmatrix} \cdot \begin{vmatrix} a' & b' \\ c' & d' \end{vmatrix} = \begin{vmatrix} aa' + bc' & ab' + bd' \\ ca' + dc' & cb' + dd' \end{vmatrix}$$

of the determinants $(ad - bc) \cdot (a'd' - b'c')$ and derive Euler’s product formula
for sums of four squares.
1.27. The Pythagorean equation $x^2 + y^2 = z^2$ can be written in factored form
$y^2 = z^2 - x^2 = (z - x)(z + x)$. The same is true for $x^2 + y^2 = 2z^2$ after
multiplying it through by 2: $4z^2 = 2x^2 + 2y^2 = (x + y)^2 + (x - y)^2$ yields
$(x + y)^2 = (2z)^2 - (x - y)^2 = (2z + x - y)(2z - x + y)$.
Euler realized that such a decomposition is possible for the equation $ax^2 +
by^2 = cz^2$ whenever this equation has a rational solution. Prove this claim.
Chapter 2
Quadratic Number Fields

In this chapter we provide the foundations for doing arithmetic in quadratic number
rings. We will explain what a quadratic number field is, and which elements we will
regard as “integers.” In addition, we will visualize certain aspects of the arithmetic
of quadratic number fields geometrically by introducing Pell conics.

2.1 Quadratic Number Fields

This book deals with the arithmetic of quadratic number fields, and in this and the
next section we will present the main actors in our play. In Chap. 4 we will give a
precise definition of what we mean by notions such as divisibility, units, and prime
elements, and only then will we return to the question how to put Euler’s solution of
the Diophantine equation $y^2 + 2 = x^3$ in integers onto a solid foundation and apply
his reasoning to other examples.
Let $m \in \mathbb{Z} \setminus \{0, 1\}$ be a squarefree integer; then the set

$$k = \mathbb{Q}(\sqrt{m}) = \{a + b\sqrt{m} : a, b \in \mathbb{Q}\}$$

of numbers of the form $a + b\sqrt{m}$, where $a$ and $b$ are rational numbers, is called a
quadratic number field (the fact that $k$ is actually a field is proved in Exercise 2.1).
We call $k$ real or complex quadratic according as $m > 0$ or $m < 0$.
The element $\alpha = a + b\sqrt{m} \in k$ is a root of the quadratic polynomial $P_\alpha(x) =
x^2 - 2ax + a^2 - mb^2 \in \mathbb{Q}[x]$; its other root $\alpha' = a - b\sqrt{m}$ is called the conjugate
of $\alpha$. Moreover we call

$$\begin{aligned}
N\alpha &= \alpha\alpha' = a^2 - mb^2 && \text{the norm of } \alpha, \\
\operatorname{Tr} \alpha &= \alpha + \alpha' = 2a && \text{the trace of } \alpha, \text{ and} \\
\operatorname{disc}(\alpha) &= (\alpha - \alpha')^2 = 4mb^2 && \text{the discriminant of } \alpha.
\end{aligned}$$
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 31


F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_2
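The conjugate, the norm, the trace, and the discriminant of $\alpha = \frac{3 + \sqrt{5}}{2} \in \mathbb{Q}(\sqrt{5})$,
for example, are

$$\alpha' = \frac{3 - \sqrt{5}}{2}, \quad N\alpha = \frac{3^2 - 5}{4} = 1, \quad \operatorname{Tr} \alpha = 3 \quad\text{and}\quad \operatorname{disc}(\alpha) = 5.$$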

As we have seen, Euler first used numbers of the form $a + b\sqrt{c}$ for solving
Diophantine equations in ordinary integers. In order to get equations in integers from
relations in quadratic number rings we need maps $R \to \mathbb{Z}$. Since we will mainly
exploit multiplicative relations (decomposition into factors, divisibility, units), maps
respecting the multiplicative structure such as the norm are particularly important
(see, e.g., Exercise 2.7, and for the proof of the proposition below, Exercise 2.6).
Proposition 2.1 For all α, β ∈ k we have

N(αβ) = Nα Nβ and Tr(α + β) = Tr α + Tr β.

Moreover Nα = 0 if and only if α = 0, and disc (α) = 0 if and only if α ∈ Q.

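The map $\sigma : k \to k : \alpha \mapsto \sigma(\alpha) := \alpha'$ is called the nontrivial automorphism
of $k/\mathbb{Q}$. Since $\sigma \circ \sigma = \mathrm{id}$ (the identity map; observe that $\sigma \circ \sigma(\alpha) = \sigma(\sigma(\alpha)) =
\sigma(\alpha') = \alpha'' = \alpha$), $\{\mathrm{id}, \sigma\}$ is a group of order 2 with respect to composition, called
the Galois group of $k/\mathbb{Q}$ and denoted by $\operatorname{Gal}(k/\mathbb{Q})$. Instead of $\sigma(\alpha)$ we will often
write¹ $\alpha^\sigma$.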
The Galois group of a field extension is named after Évariste Galois (1811–
1832), a French mathematician who died in a duel at the age of 20. Galois revolutionized
algebra by introducing group theoretic methods into the theory of the solution
of polynomial equations by radicals. Over time, “Galois theory” evolved from a
theory of polynomials to a theory of field extensions (apart from Richard Dedekind,
Ernst Steinitz must be mentioned in this connection). The immense importance for
the arithmetic of number fields even in such a simple case as that of quadratic
extensions, where the Galois group has only two elements, will become clear in
Chap. 9.

2.1.1 Quadratic Extensions as Vector Spaces

If $k \subseteq K$ are fields, then we may interpret $K$ as a $k$-vector space. The vectors
are the elements of $K$ (these elements form an additive group), the scalars are the
elements of $k$, and scalar multiplication is the usual multiplication of elements of $k$
with elements of $K$ inside $K$. The dimension of $K$ as a $k$-vector space is called the
degree of the field extension and is denoted by $(K : k) := \dim_k K$.

1 In extensions with non-abelian Galois groups one has to distinguish carefully between these
notations since $\sigma\tau(\alpha)$ is often meant to be $\sigma(\tau(\alpha))$, whereas $\alpha^{\sigma\tau} = (\alpha^\sigma)^\tau$.

Quadratic extensions $K/\mathbb{Q}$, where $K = \mathbb{Q}(\sqrt{m})$, have degree 2 since $\{1, \sqrt{m}\}$
is a $\mathbb{Q}$-basis of $K$ because each element of $K$ can be written uniquely as a $\mathbb{Q}$-linear
combination of 1 and $\sqrt{m}$. In Exercise 2 we will investigate connections between
different $\mathbb{Q}$-bases.
The interpretation of quadratic field extensions as vector spaces allows us to
interpret the norm and the trace as maps that show up naturally in linear algebra.
If we identify $1 = \binom{1}{0}$ and $\sqrt{m} = \binom{0}{1}$ and write $\alpha = a + b\sqrt{m} = \binom{a}{b}$, then
multiplication by $\alpha$ is a linear map that can be described by a $2 \times 2$-matrix $M_\alpha$
whose columns are formed by the images of the basis vectors. Therefore this matrix
is given by $M_\alpha = \begin{pmatrix} a & mb \\ b & a \end{pmatrix}$ since $\sqrt{m} \cdot (a + b\sqrt{m}) = mb + a\sqrt{m}$. Now observe that
the determinant of $M_\alpha$ is the norm of $\alpha$ and that the trace of $M_\alpha$ is the trace of $\alpha$ (see
Exercise 2.12). This observation explains once more that the norm is multiplicative
and the trace additive.

2.2 Rings of Integers

In order to ask (and answer) questions concerning the arithmetic of quadratic
number rings we first have to identify the “integers” in our fields. The obvious
solution would be working in the rings $\mathbb{Z}[\sqrt{m}]$ of elements of the form $a + b\sqrt{m}$
with $a, b \in \mathbb{Z}$. This choice is not always the right one, as will become clear later
(see, e.g., Exercise 2.15).
When Kummer studied higher reciprocity laws and Fermat’s Last Theorem in
cyclotomic fields he worked in the more or less obvious rings

$$\mathbb{Z}[\zeta] = a_0 + a_1\zeta + a_2\zeta^2 + \dots + a_{p-1}\zeta^{p-1},$$

where $\zeta$ is a primitive $p$-th root of unity (see Exercise 2.45), and used Gaussian
periods in their subfields. If $p = 3$, then $\mathbb{Q}(\zeta) = \mathbb{Q}(\sqrt{-3})$ since we can choose
$\zeta = \frac{-1+\sqrt{-3}}{2}$; in this case we see that the ring $\mathbb{Z}[\zeta]$ is strictly larger than $\mathbb{Z}[\sqrt{-3}]$.
Dirichlet solved the quintic Fermat equation $x^5 + y^5 = z^5$ using elements in
the ring $\mathbb{Z}[\sqrt{5}]$; he did not consider elements of the form $\frac{p+q\sqrt{5}}{2}$ although this was
more or less suggested by equations such as

$$P + Q\sqrt{5} = \frac{(\phi + \psi\sqrt{5})^5}{2^4},$$

which would look a lot more symmetric if they were written in the form

$$\frac{P + Q\sqrt{5}}{2} = \Big(\frac{\phi + \psi\sqrt{5}}{2}\Big)^5.$$

Dirichlet also proved his unit theorem (a generalization of the solvability of the Pell
equation) in rings of the form $\mathbb{Z}[\alpha]$, where $\alpha$ is a root of a monic polynomial

$$x^n + a_{n-1}x^{n-1} + \dots + a_1 x + a_0$$

with coefficients $a_j \in \mathbb{Z}$.
It is not clear whether the question of how to define algebraic integers was perceived
as a problem before Dedekind gave the definition. The quote that

Talent hits a target no one else can hit;
Genius hits a target no one else can see

is credited to Schopenhauer. This definition of genius certainly applies to
Dedekind.
The correct idea is to look for a ring that is as large as possible, but which does not
contain any rational numbers except the ordinary integers. More precisely, we will
denote by $\mathcal{O}$ the maximal ring² in $K = \mathbb{Q}(\sqrt{m})$ with the following properties:
• $\mathcal{O} \cap \mathbb{Q} = \mathbb{Z}$: The integral elements of the subfield of the rational numbers in $K$
are exactly the ordinary integers.
• $\mathcal{O}^\sigma = \mathcal{O}$: If $\alpha = r + s\sqrt{m}$ is integral, then so is its conjugate $\alpha^\sigma = r - s\sqrt{m}$.

If $\alpha = r + s\sqrt{m}$ is in $\mathcal{O}$, then so is $\alpha^\sigma = r - s\sqrt{m}$ by the second condition,
hence $\operatorname{Tr} \alpha = \alpha + \alpha^\sigma = 2r$ and $N\alpha = \alpha\alpha^\sigma = r^2 - ms^2$ are elements of $\mathcal{O} \cap \mathbb{Q}$
and therefore must be ordinary integers. Thus if $\alpha$ is an algebraic integer, then the
monic polynomial

$$P_\alpha(x) = (x - \alpha)(x - \alpha^\sigma) = x^2 - \operatorname{Tr}(\alpha)x + N\alpha = x^2 - 2rx + r^2 - ms^2 \in \mathbb{Q}[x]$$

must have integral coefficients. We will call $\alpha \in K$ an algebraic integer if $P_\alpha(x)$ has
coefficients in $\mathbb{Z}$. More generally, algebraic integers are roots of monic polynomials

$$x^n + a_{n-1}x^{n-1} + \dots + a_1 x + a_0$$

with coefficients in $\mathbb{Z}$. The numbers $\sqrt{2}$, $\sqrt{-3}$ and $\frac{1+\sqrt{5}}{2}$, for example, are algebraic
integers because they are roots of the monic polynomials $x^2 - 2$, $x^2 + 3$ and $x^2 - x - 1$,
respectively, all of which have integral coefficients. On the other hand, $\frac{1}{\sqrt{2}}$ and $\frac{1+\sqrt{3}}{2}$
are algebraic numbers, but not algebraic integers because they are roots of the monic
polynomials $x^2 - \frac{1}{2}$ and $x^2 - x - \frac{1}{2}$, respectively. It can be shown that algebraic
numbers form a field, and that the algebraic integers form an integral domain (or
simply a domain from now on).

2 It is not clear a priori that such a maximal ring always exists.



The set of all integral elements in a number field $k$ is called the ring $\mathcal{O}_k$ of
(algebraic) integers in $k$. For quadratic number fields we will show that this set
is actually a ring after having characterized these integers.

Theorem 2.2 The integral elements in the quadratic number field $k = \mathbb{Q}(\sqrt{m})$ are
given by

$$\mathcal{O}_k = \begin{cases} \{a + b\sqrt{m} : a, b \in \mathbb{Z}\} & \text{if } m \equiv 2, 3 \bmod 4, \\ \big\{\frac{a + b\sqrt{m}}{2} : a, b \in \mathbb{Z},\ a \equiv b \bmod 2\big\} & \text{if } m \equiv 1 \bmod 4. \end{cases}$$

Proof Assume that $\alpha = r + s\sqrt{m}$ is an algebraic integer with $r, s \in \mathbb{Q}$; then
$\operatorname{Tr} \alpha = 2r$ and $N\alpha = r^2 - ms^2$ are ordinary integers. If we plug $2r \in \mathbb{Z}$ into the
second equation, then we find that $4ms^2$ must be an integer. Since $m$ is squarefree,
$4s^2$ and thus finally $2s$ must be an integer. In fact, write $4s^2 = x^2/y^2$ for coprime
integers $x, y \in \mathbb{Z}$; since $4ms^2$ is an integer, we find $y^2 \mid mx^2$; since $\gcd(x, y) = 1$
we find $y^2 \mid m$, and since $m$ is squarefree this implies $y = \pm 1$.
Thus we may write $2r = a$ and $2s = b$ for integers $a, b \in \mathbb{Z}$. Now we exploit
once more the fact that $N\alpha = r^2 - ms^2$ is an integer and find that $a^2 - mb^2 \equiv
0 \bmod 4$.
• If $m \equiv 2 \bmod 4$, then $2 \mid a$, $4 \mid a^2$ and $2 \mid b$, hence $r, s \in \mathbb{Z}$: Each algebraic
integer has the form $r + s\sqrt{m}$ with $r, s \in \mathbb{Z}$.
• If $m \equiv 3 \bmod 4$, then $0 \equiv a^2 - mb^2 \equiv a^2 + b^2 \bmod 4$; this is only possible if $a$
and $b$ are even, and as above this implies that $r$ and $s$ must be integers.
• If $m \equiv 1 \bmod 4$, then we obtain the congruence $0 \equiv a^2 - mb^2 \equiv a^2 - b^2 \bmod 4$,
which holds if and only if $a \equiv b \bmod 2$. Thus the algebraic integers in this case
have the form $\frac{1}{2}(a + b\sqrt{m})$, where $a$ and $b$ are either both even or both odd. It is
easily verified that these numbers are indeed algebraic integers.
This completes the proof.

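The field $k = \mathbb{Q}(\sqrt{m})$ consists of all $\mathbb{Q}$-linear combinations of 1 and $\sqrt{m}$. Does
something similar hold for the ring $\mathcal{O}_k$ of integers, that is, does there exist an $\omega \in \mathcal{O}_k$
such that every $\alpha \in \mathcal{O}_k$ is a $\mathbb{Z}$-linear combination of 1 and $\omega$? In this case we write
$\mathcal{O}_k = \mathbb{Z} \oplus \omega\mathbb{Z}$ and call $\{1, \omega\}$ an integral basis. The answer to our question is in fact
positive:

Corollary 2.3 We have $\mathcal{O}_k = \mathbb{Z} \oplus \omega\mathbb{Z}$ for

$$\omega = \begin{cases} \sqrt{m}, & \text{if } m \equiv 2, 3 \bmod 4; \\ \frac{1+\sqrt{m}}{2}, & \text{if } m \equiv 1 \bmod 4. \end{cases}$$

In particular, $\mathcal{O}_k$ is a ring.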
Proof Only in the second case there is something to show. Assume therefore that
$m \equiv 1 \bmod 4$ and $\alpha = \frac{1}{2}(a + b\sqrt{m})$ with $a \equiv b \bmod 2$; setting $c = \frac{a-b}{2}$ and $d = b$
we find $\alpha = c + d\omega$ with $c, d \in \mathbb{Z}$; the proof of the converse is just as simple.
The fact that $\mathcal{O}_k$ is a ring is now easily seen to be true by showing that the sum,
difference, and the product of two elements of the form $a + b\omega$ with $a, b \in \mathbb{Z}$ again
have this form. To this end we have to show that the product of two elements has
this form, and this boils down to showing that $\omega^2 = r + s\omega$ for integers $r$ and $s$. But
clearly $\omega^2 = m = m + 0\omega$ for $m \equiv 2, 3 \bmod 4$, and $\omega^2 = \frac{1+m+2\sqrt{m}}{4} = \frac{m-1}{4} + \omega$
for $m \equiv 1 \bmod 4$.

The number $\Delta = \operatorname{disc} k := \begin{vmatrix} 1 & \omega \\ 1 & \omega' \end{vmatrix}^2 = (\omega - \omega')^2$ is called the discriminant³ of
the quadratic number field $k$. We find

$$\operatorname{disc} k = \begin{cases} 4m & \text{if } m \equiv 2, 3 \bmod 4, \\ m & \text{if } m \equiv 1 \bmod 4. \end{cases}$$

It is easily seen that $\{1, \frac{\Delta+\sqrt{\Delta}}{2}\}$ is an integral basis for any quadratic number field.
Our next result justifies our choice of the ring of integers in quadratic number
fields:

Proposition 2.4 The rational numbers contained in $\mathcal{O}_k$ are the ordinary integers:
$\mathcal{O}_k \cap \mathbb{Q} = \mathbb{Z}$.

Proof Clearly $\mathbb{Z} \subseteq \mathcal{O}_k \cap \mathbb{Q}$, so we have to prove the reverse inclusion. Assume
therefore that $\alpha \in \mathcal{O}_k$; then $\alpha = \frac{1}{2}(a + b\sqrt{m})$ with $a \equiv b \bmod 2$. If $\alpha \in \mathbb{Q}$, then
we must have $b = 0$; since $b$ is even, so is $a$, hence $\alpha = \frac{a}{2} \in \mathbb{Z}$.
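
Theorem 2.2, Corollary 2.3 and Proposition 2.4 can be checked by machine. The following Python sketch is an added example, not code from the book; the names `QuadElem`, `is_integral`, `theorem_2_2`, `omega_coords`, `field_disc` and `criteria_agree` are assumptions introduced here. It tests integrality through the polynomial $x^2 - \operatorname{Tr}(\alpha)x + N\alpha$, compares the result with the congruence criterion of Theorem 2.2, and converts integers to coordinates in the integral basis $\{1, \omega\}$.

```python
from fractions import Fraction
from itertools import product


class QuadElem:
    """Element r + s*sqrt(m) of Q(sqrt(m)); m is a squarefree integer != 0, 1."""

    def __init__(self, r, s, m):
        self.r, self.s, self.m = Fraction(r), Fraction(s), m

    def __eq__(self, other):
        return (self.r, self.s, self.m) == (other.r, other.s, other.m)

    def __mul__(self, other):
        # (r1 + s1 sqrt m)(r2 + s2 sqrt m) = r1 r2 + m s1 s2 + (r1 s2 + r2 s1) sqrt m
        return QuadElem(self.r * other.r + self.m * self.s * other.s,
                        self.r * other.s + self.s * other.r, self.m)

    def conjugate(self):
        return QuadElem(self.r, -self.s, self.m)

    def norm(self):
        return self.r ** 2 - self.m * self.s ** 2

    def trace(self):
        return 2 * self.r

    def disc(self):
        return 4 * self.m * self.s ** 2

    def matrix(self):
        # Multiplication by alpha in the basis {1, sqrt m}; the columns are the
        # images of the basis vectors, so the rows are (r, m*s) and (s, r).
        return ((self.r, self.m * self.s), (self.s, self.r))


def is_integral(alpha):
    """alpha is an algebraic integer iff x^2 - Tr(alpha)*x + N(alpha) is in Z[x]."""
    return alpha.trace().denominator == 1 and alpha.norm().denominator == 1


def theorem_2_2(alpha):
    """Congruence criterion of Theorem 2.2, written with a = 2r and b = 2s."""
    a, b = 2 * alpha.r, 2 * alpha.s
    if a.denominator != 1 or b.denominator != 1:
        return False
    a, b = int(a), int(b)
    if alpha.m % 4 == 1:                  # Python's % is non-negative, so -3 % 4 == 1
        return (a - b) % 2 == 0
    return a % 2 == 0 and b % 2 == 0


def omega_coords(alpha):
    """Integers (c, d) with alpha = c + d*omega, omega as in Corollary 2.3."""
    if not is_integral(alpha):
        raise ValueError("not an algebraic integer")
    if alpha.m % 4 == 1:                  # omega = (1 + sqrt m)/2: c = (a - b)/2, d = b
        return int(alpha.r - alpha.s), int(2 * alpha.s)
    return int(alpha.r), int(alpha.s)     # omega = sqrt m


def field_disc(m):
    """Discriminant of Q(sqrt m) for squarefree m."""
    return m if m % 4 == 1 else 4 * m


def criteria_agree(m, bound=6):
    """Compare both integrality tests for all r, s in (1/4)Z with |r|, |s| <= bound/4."""
    grid = [Fraction(n, 4) for n in range(-bound, bound + 1)]
    return all(is_integral(QuadElem(r, s, m)) == theorem_2_2(QuadElem(r, s, m))
               for r, s in product(grid, grid))
```

For $\alpha = \frac{3+\sqrt{5}}{2}$ this gives norm 1, trace 3 and coordinates $(1, 1)$, i.e. $\alpha = 1 + \omega$; for $\frac{1+\sqrt{3}}{2}$ the norm $-\frac{1}{2}$ is not an integer.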

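It can be shown that $\mathcal{O}_k$ is the maximal subring of $k$ with the property that $\mathcal{O}_k \cap
\mathbb{Q} = \mathbb{Z}$; for this reason, $\mathcal{O}_k$ is often called the maximal order of $k$. A domain $\mathcal{O} \subset \mathcal{O}_k$
is called an order if $\mathcal{O}$ properly contains the ring $\mathbb{Z}$, i.e., if $\mathbb{Z} \subsetneq \mathcal{O} \subseteq \mathcal{O}_k$. By
Proposition 2.4 we deduce immediately that each order $\mathcal{O}$ has the property $\mathcal{O} \cap \mathbb{Q} =
\mathbb{Z}$.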
Examples of number fields that are not quadratic are pure cubic number fields

$$\mathbb{Q}(\sqrt[3]{2}) = \{a + b\sqrt[3]{2} + c\sqrt[3]{4} : a, b, c \in \mathbb{Q}\},$$

which have degree 3, and cyclotomic fields

$$\mathbb{Q}(\zeta) = \{a_0 + a_1\zeta + a_2\zeta^2 + \dots + a_{p-2}\zeta^{p-2} : a_j \in \mathbb{Q}\},$$

where $\zeta$ is a root of $\frac{x^p - 1}{x - 1} = 1 + x + \dots + x^{p-1}$ and $p \ge 5$ is prime, and which have
degree $p - 1$. We will occasionally use these fields as examples that lie outside of the
scope of this book, and in the last chapter we will show that for a deeper understanding
of quadratic number fields we cannot avoid studying cyclotomic fields.

3 The discriminant of a quadratic number field does not depend on the choice of the integral basis;
see Exercise 2.3.


2.3 The Unit Circle

The elements of a quadratic number field with norm 1 form a group with respect
to multiplication, since if $N\alpha = 1$ and $N\beta = 1$, then clearly $N(\alpha\beta) = 1$ and
$N(\alpha/\beta) = 1$. The elements $x + yi$ with norm 1 in the field $\mathbb{Q}(i)$ are characterized
by $N(x + yi) = x^2 + y^2 = 1$, i.e., the corresponding points $(x, y)$ lie on the unit
circle. Elements with norm 1 may be easily constructed by forming the quotient of
two elements with the same norm: Thus $\frac{m+ni}{m-ni}$ has norm $\frac{m^2+n^2}{m^2+n^2} = 1$, and from

$$\frac{m + ni}{m - ni} = \frac{(m + ni)^2}{(m - ni)(m + ni)} = \frac{m^2 - n^2 + 2mni}{m^2 + n^2}$$

we can read off the parametrization

$$x = \frac{m^2 - n^2}{m^2 + n^2}, \quad y = \frac{2mn}{m^2 + n^2}$$

of the rational points on the unit circle. The fact that we get all rational points on the
unit circle in this way, i.e., that all elements of norm 1 can be written as quotients
$\frac{m+ni}{m-ni}$, is the content of Hilbert’s Theorem 90, which will be important in Chap. 9.
It is a natural question whether the group structure of rational points on the unit
circle given by the multiplication of the corresponding elements in $\mathbb{Q}(i)$ can be
interpreted geometrically. This is indeed the case (see Fig. 2.1):

Theorem 2.5 The elements $a + bi \in \mathbb{Q}(i)$ with norm 1 correspond to the rational
points $(x, y)$ on the unit circle $x^2 + y^2 = 1$. If $P(a, b)$ and $Q(c, d)$ are two rational
points, then we obtain the point $R$ corresponding to the product $(a + bi)(c + di)$ as
follows:
• If $P$ and $Q$ are distinct, $R$ is the second point of intersection of the unit circle
and the parallel to $PQ$ through the point $N(1, 0)$.
• If $P = Q$, then $R$ is the second point of intersection of the unit circle and the line
through $N$ that is parallel to the tangent in $P$.

Fig. 2.1 Addition on the unit circle: $P \oplus Q = R$ and $2P = R$

The point $R$ corresponding to the product $(a + bi)(c + di) = ac - bd + (ad + bc)i$
has coordinates $(ac - bd, ad + bc)$. We have to show that the lines $NR$ and $PQ$ are
parallel; to this end we first assume that the x-coordinates of $P$ and $Q$ are distinct.
We then have to show that the slopes are equal:

$$\frac{d - b}{c - a} = \frac{ad + bc}{ac - bd - 1}.$$

Clearing the denominators we find

$$(d - b)(ac - bd - 1) = (ad + bc)(c - a),$$

which is equivalent to

$$(a^2 + b^2 - 1)d = (c^2 + d^2 - 1)b.$$

The last equation holds since $a^2 + b^2 = c^2 + d^2 = 1$.

If $P \ne Q$, but both points have the same x-coordinate, then the line $PQ$ is
parallel to the y-axis, and the parallel to $PQ$ through $N$ is a tangent to the circle in
$N$; thus in this case $R = N$. Algebraically this corresponds to the product

$$(a + bi)(a - bi) = a^2 + b^2 = 1.$$

If finally $P = Q$, then the tangent is orthogonal to the line connecting the origin
with $P$, and thus has slope $m = -\frac{a}{b}$. On the other hand, $(a + bi)^2 = a^2 - b^2 + 2abi$,
i.e., the line through $N$ and $R(a^2 - b^2, 2ab)$ has slope $\frac{2ab}{a^2 - b^2 - 1}$. Since $a^2 = 1 - b^2$
we have $a^2 - b^2 - 1 = (1 - b^2) - b^2 - 1 = -2b^2$, hence $\frac{2ab}{a^2 - b^2 - 1} = \frac{2ab}{-2b^2} = -\frac{a}{b}$
as desired.
Since the argument of a product of two complex numbers is the sum of their
arguments, the group law on the unit circle is based on the addition of the
corresponding angles: We have $P \oplus Q = R$ if and only if $\angle NOP + \angle NOQ =
\angle NOR$. Similar remarks apply for the group law on the elements with norm 1 in
arbitrary complex quadratic number fields.

2.4 Platon’s Hyperbola



The points $(x, y)$ corresponding to elements $\alpha = x + y\sqrt{m}$ with norm $N\alpha =
x^2 - my^2 = 1$ in real quadratic number fields lie on a hyperbola. Whereas in complex
quadratic number fields there can only be finitely many integral points on the norm-1
ellipses for simple geometric reasons (and in fact only the points $(\pm 1, 0)$ except
when $\Delta = -3$ or $\Delta = -4$), the situation is fundamentally different in real quadratic
number fields.
As a simple example consider the elements of norm 1 in $\mathbb{Z}[\sqrt{2}]$, that is, numbers
$x + y\sqrt{2}$ with $x^2 - 2y^2 = 1$. It is easy to see that $3 + 2\sqrt{2}$ is such an element, and
that $(3, 2)$ is an integral point on the hyperbola $H : x^2 - 2y^2 = 1$. Since $N(1, 0)$
is another integral point, we can define a geometric group law on the set of integral
(or rational) points on $H$ by calling a point $R = P \oplus Q$ the sum of the points $P$ and
$Q$ if $R$ is the second point of intersection of the parallel to $PQ$ through $N$ with the
hyperbola $H$ (see Fig. 2.2).
Just as in the case of the unit circle we find

Theorem 2.6 The numbers $a + b\sqrt{2} \in \mathbb{Q}(\sqrt{2})$ with norm 1 correspond bijectively
to the rational points $P(a, b)$ on the hyperbola $H : x^2 - 2y^2 = 1$. If $P(a, b)$
and $Q(c, d)$ are two such points, then we obtain the point $R$ corresponding to the
product $(a + b\sqrt{2})(c + d\sqrt{2})$ as the second point of intersection of the parallel
to $PQ$ through $N(1, 0)$ with the hyperbola $H$ if $P$ and $Q$ are distinct, and as the
second point of intersection of the tangent in $P$ if $P = Q$.

The proof is similar to the one for the unit circle. But as we shall see in a moment,
the hyperbola $H$ contains infinitely many integral points, whereas the unit circle
only contains four such points. These integral points on $H$ arise from $P(3, 2)$ by
repeated addition. The point $n \cdot P$ corresponds to the element $(3 + 2\sqrt{2})^n$. We claim
that the only integral points on the right branch of the hyperbola are given by the
integral multiples of $P$, which correspond to the powers $(3 + 2\sqrt{2})^n$ with $n \in \mathbb{Z}$.

Fig. 2.2 Addition of points on Platon’s hyperbola

To this end let $Q$ be an arbitrary integral point on the upper right branch of $H$,
and assume that $Q$ does not have the form $nP$. Since the x-coordinates of $nP$ are
not bounded, there must exist a natural number $n$ such that $Q$ lies properly between
$nP$ and $(n + 1)P$. Subtracting $nP$ shows that $Q \ominus nP$ is an integral point lying
properly between $N(1, 0)$ and $P(3, 2)$; but such a point does not exist.
The integral points on the lower right branch are obtained by reflection at the x-axis,
which corresponds geometrically to conjugation, i.e., to multiplication of the
exponent by $-1$. Thus every integral point on the right branch of the hyperbola is
an integral multiple of $P$.
Since the integral points on the left branch of the hyperbola $H$ are obtained by
a reflection at the y-axis, which corresponds algebraically to multiplication by $-1$,
we have shown:

Theorem 2.7 The units of norm 1 in the ring $\mathbb{Z}[\sqrt{2}]$ are given by

$$\varepsilon = (-1)^m (3 + 2\sqrt{2})^n$$

with $0 \le m \le 1$ and $n \in \mathbb{Z}$.
From these elements we obtain all units with norm $-1$ via multiplication by $1 + \sqrt{2}$.
Since $3 + 2\sqrt{2} = (1 + \sqrt{2})^2$, each unit in $\mathbb{Z}[\sqrt{2}]$ has the form

$$\varepsilon = (-1)^m (1 + \sqrt{2})^n$$

with $0 \le m \le 1$ and $n \in \mathbb{Z}$.

The map $\varepsilon \mapsto (n, m)$ induces an isomorphism between the unit group in $\mathbb{Z}[\sqrt{2}]$
and the abstract group $\mathbb{Z}/2\mathbb{Z} \oplus \mathbb{Z}$. In Chap. 7 we will show that the unit group of
$\mathbb{Z}[\sqrt{m}]$ for any nonsquare integer $m \ge 2$ is isomorphic to $\mathbb{Z}/2\mathbb{Z} \oplus \mathbb{Z}$.

2.4.1 Platon’s Side and Diagonal Numbers

We have already mentioned that Euler was initiated to number theory by his friend
Christian Goldbach (1690–1764). In one of his letters to Euler (see [89]) Goldbach
claimed not only to have proved Fermat’s theorem that 1 is the only triangular
number that is a fourth power, but that actually 1 was the only square among them.
Triangular numbers are numbers of the form $T_n = \frac{n(n+1)}{2}$; the reason behind their
name is the fact that $T_n$ pebbles may always be arranged in the form of a triangle
(see [85]). Euler replied immediately that there are infinitely many squares among
the triangular numbers. In fact, setting $T_n = m^2$ and completing the square gives
$(2n + 1)^2 - 2(2m)^2 = 1$, hence $x = 2n + 1$ and $y = 2m$ satisfy the equation
$x^2 - 2y^2 = 1$. The smallest solution in positive integers clearly is $(x, y) = (3, 2)$,
which leads to $(m, n) = (1, 1)$. The next solution is $(x, y) = (17, 12)$, which yields
the triangular number $T_8 = 36$, which clearly is a square.
These pairs of numbers $(x, y)$ are called Platon’s side and diagonal numbers.
Platon (427–347) remarked that the square with side $s = 5$ has a diagonal that
differs not much from $d = 7$. In fact, this diagonal has length $\sqrt{2 \cdot 5^2} = \sqrt{50}$ by the
Theorem of Pythagoras, whereas $7^2 = 49$. The approximation $\sqrt{2} \approx \frac{7}{5}$ thus comes
from the equation $7^2 - 2 \cdot 5^2 = -1$. Theon of Smyrna (ca. 70–135 A.D.; Smyrna
is today called Izmir) explained that if $x_n$ and $y_n$ are numbers with $x_n^2 - 2y_n^2 = \pm 1$,
then $x_{n+1}^2 - 2y_{n+1}^2 = \mp 1$, where we have set

$$x_{n+1} = x_n + 2y_n \quad \text{and} \quad y_{n+1} = x_n + y_n.$$

As we have seen above we obtain the integral solutions of the equation $x^2 -
2y^2 = \pm 1$ by setting

$$x_n + y_n\sqrt{2} = \pm(1 + \sqrt{2})^n.$$

If we choose the positive sign, then

$$x_n + y_n\sqrt{2} = (1 + \sqrt{2})^n, \quad x_n - y_n\sqrt{2} = (1 - \sqrt{2})^n,$$

and this implies

$$x_n = \frac{(1 + \sqrt{2})^n + (1 - \sqrt{2})^n}{2}, \quad y_n = \frac{(1 + \sqrt{2})^n - (1 - \sqrt{2})^n}{2\sqrt{2}}.$$
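
The chord construction of Theorems 2.5 and 2.6 and the side and diagonal numbers above can be computed exactly with rational arithmetic. The Python code below is an added example, not taken from the book; it goes slightly beyond the text by treating the conic $x^2 - my^2 = 1$ for a squarefree parameter $m$ ($m = -1$ is the unit circle, $m = 2$ Platon's hyperbola), and the function names are assumptions introduced here.

```python
from fractions import Fraction

N = (Fraction(1), Fraction(0))   # neutral element N(1, 0)


def on_conic(P, m):
    x, y = P
    return x * x - m * y * y == 1


def add_geometric(P, Q, m):
    """Second intersection of x^2 - m*y^2 = 1 with the parallel to PQ through N
    (the tangent in P replaces the chord PQ when P = Q)."""
    a, b, c, d = (Fraction(v) for v in (*P, *Q))
    if (a, b) != (c, d):
        if a == c:               # PQ is vertical; its parallel through N is tangent in N
            return N
        slope = (d - b) / (c - a)
    else:
        if b == 0:               # the tangent in (1, 0) or (-1, 0) is vertical
            return N
        slope = a / (m * b)      # implicit differentiation: 2x - 2*m*y*y' = 0
    # Points of the line through N are (1 + t, slope*t). Substituting into the
    # conic gives t*(2 + t*(1 - m*slope^2)) = 0; t = 0 is N itself.
    t = 2 / (m * slope * slope - 1)
    return (1 + t, slope * t)


def add_algebraic(P, Q, m):
    """Coordinates of the product (a + b*sqrt(m)) * (c + d*sqrt(m))."""
    (a, b), (c, d) = P, Q
    return (a * c + m * b * d, a * d + b * c)


def multiples(P, m, count):
    """P, 2P, ..., count*P, computed with the geometric law only."""
    out, R = [], N
    for _ in range(count):
        R = add_geometric(R, P, m)
        out.append(R)
    return out


def side_diagonal(count):
    """Theon's recursion x' = x + 2y, y' = x + y starting at 1 + sqrt(2);
    returns triples (x_n, y_n, x_n^2 - 2*y_n^2)."""
    x, y, out = 1, 1, []
    for _ in range(count):
        out.append((x, y, x * x - 2 * y * y))
        x, y = x + 2 * y, x + y
    return out


def square_triangular(count):
    """Triples (n, m, T_n) with T_n = n(n+1)/2 = m^2, read off from the points
    (x, y) = (2n + 1, 2m) on x^2 - 2y^2 = 1."""
    out = []
    for x, y in multiples((3, 2), 2, count):
        n, root = int((x - 1) / 2), int(y / 2)
        out.append((n, root, n * (n + 1) // 2))
    return out
```

Here `add_geometric((3, 2), (17, 12), 2)` returns the point (99, 70), which is also the coordinate pair of $(3 + 2\sqrt{2})(17 + 12\sqrt{2})$, and `square_triangular(3)` lists $T_1 = 1$, $T_8 = 36$ and $T_{49} = 1225$.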

2.5 Fibonacci’s Hyperbola

In this section we will discuss a few connections between Fibonacci numbers and
certain quadratic irrationalities, and will derive Binet’s4 Formula. Fibonacci (1170–
1250), also named Leonardo of Pisa, was the son of a merchant from Pisa. During
his education in North African countries he became familiar with the Hindu-Arabic
numbers. In his famous book Liber Abaci he presented these numbers and methods
for computing with them.
The Fibonacci numbers $U_n$ named after him show up in this book and are defined
recursively by

$$U_1 = U_2 = 1, \quad U_{n+1} = U_n + U_{n-1} \text{ for } n \ge 2.$$

4 Binet published his formula in 1843; it was already known to Daniel Bernoulli in 1728—see [11,
p. 90].

Thus the first few Fibonacci numbers are

1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233, . . .,

and it is a natural question to ask whether there is an explicit formula for $U_n$.

2.5.1 Generating Functions

Generating functions are a powerful tool for investigating sequences of numbers.
Here we will only use generating functions of the form $f(q) = \sum a_n q^n$ associated
with a sequence $(a_n)$. In the case of Fibonacci numbers, the generating function is
given by

$$f(q) = \sum_{n=1}^{\infty} U_n q^n.$$

The recursion formula $U_{n+1} = U_n + U_{n-1}$ then provides us with the relation

$$f(q) - qf(q) - q^2 f(q) = q. \tag{2.1}$$

In fact we have

$$\begin{aligned}
f(q) &= q + q^2 + 2q^3 + 3q^4 + \dots + U_n q^n + \dots \\
qf(q) &= \phantom{q + {}} q^2 + q^3 + 2q^4 + \dots + U_{n-1} q^n + \dots \\
q^2 f(q) &= \phantom{q + q^2 + {}} q^3 + q^4 + \dots + U_{n-2} q^n + \dots,
\end{aligned}$$

and this clearly implies (2.1). Solving for $f(q)$ we obtain

$$f(q) = \frac{q}{1 - q - q^2}. \tag{2.2}$$

At this point we recall the dictum of Erich Hecke, who wrote in [60, p. 201] that the
precise knowledge of the behaviour of an analytic function in the neighbourhood of its
singular points is a source of number-theoretic theorems.

In the present case, the poles of $f$ are given by $q = \frac{1}{\omega}$ and $q = \frac{1}{\omega'}$, where
$\omega = \frac{1+\sqrt{5}}{2}$ and $\omega' = \frac{1-\sqrt{5}}{2}$.
The computation of the partial fraction decomposition
of a rational function $f(q) = \frac{A(q)}{B(q)}$ is simplified by employing Euler’s formulas. If
$B$ is a monic polynomial with simple roots, and if $\deg A < \deg B$, then we can set

$$\frac{A(q)}{B(q)} = \sum_j \frac{a_j}{q - b_j} \tag{2.3}$$

with $a_j, b_j \in \mathbb{C}$. For determining the coefficients $a_k$ we multiply (2.3) by $q - b_k$
and let $q \to b_k$. On the right side we obtain

$$\lim_{q \to b_k} (q - b_k) \sum_j \frac{a_j}{q - b_j} = a_k$$

since clearly

$$\lim_{q \to b_k} \frac{q - b_k}{q - b_j} = \begin{cases} 1 & \text{if } k = j, \\ 0 & \text{if } k \ne j. \end{cases}$$

In order to evaluate the left side, we use L’Hospital’s rule and find

$$\lim_{q \to b_k} (q - b_k) \frac{A(q)}{B(q)} = \lim_{q \to b_k} \frac{A(q) + (q - b_k)A'(q)}{B'(q)} = \frac{A(b_k)}{B'(b_k)}.$$
This shows

Proposition 2.8 (Euler’s Formulas) Let $A(q)$ and $B(q)$ be polynomials in $\mathbb{C}[q]$,
where $B$ is assumed to have only simple roots. Then the coefficients $a_k$ in the partial
fraction decomposition (2.3) are determined by

$$a_k = \frac{A(b_k)}{B'(b_k)}. \tag{2.4}$$

Thus the partial fraction decomposition of $f$ is given by

$$f(q) = \frac{q}{1 - q - q^2} = \frac{1}{\sqrt{5}} \Big( \frac{1}{1 - \omega q} - \frac{1}{1 - \omega' q} \Big).$$

Developing this into a geometric series we obtain

$$\begin{aligned}
f(q) &= \frac{1}{\sqrt{5}} \Big( 1 + \omega q + \omega^2 q^2 + \omega^3 q^3 + \dots - 1 - \omega' q - \omega'^2 q^2 - \omega'^3 q^3 - \dots \Big) \\
&= \frac{1}{\sqrt{5}} \Big( (\omega - \omega')q + (\omega^2 - \omega'^2)q^2 + (\omega^3 - \omega'^3)q^3 + \dots \Big).
\end{aligned}$$

Comparing the coefficients of $q^n$ here and in the definition of the generating function
yields

Theorem 2.9 (Binet’s Formula) The Fibonacci numbers $U_n$ admit the explicit
representation

$$U_n = \frac{\omega^n - \omega'^n}{\omega - \omega'}, \tag{2.5}$$

where $\omega$ and $\omega'$ are the roots of the quadratic equation $x^2 - x - 1 = 0$.


2.5.2 Group Law

It is hardly surprising that the Fibonacci numbers show up in connection with the
hyperbola $F : x^2 - xy - y^2 = 1$ since the denominator of the function $f(q)$ is
$Q(1, q)$, where $Q(x, y) = x^2 - xy - y^2$ is a quadratic form with discriminant 5.

Theorem 2.10 The group law on the hyperbola $F : x^2 - xy - y^2 = 1$ with neutral
element $N(1, 0)$, in which the sum of two points $P$ and $Q$ is the second point of
intersection of the parallel to $PQ$ through $N$ with $F$, is given by the equation
$(x_1, y_1) \oplus (x_2, y_2) = (x_3, y_3)$ with

$$x_3 = x_1 x_2 + y_1 y_2, \quad y_3 = x_1 y_2 + x_2 y_1 - y_1 y_2.$$

The simple proof is left to the readers as Exercise 2.33.


By computing multiples of the integral point $P = (2, 1)$ on the Fibonacci
hyperbola (see Fig. 2.3) we obtain the points

$$2P = (5, 3), \quad 3P = (13, 8), \quad 4P = (34, 21), \dots.$$

Using induction it is easily proved that $kP = (U_{2k+1}, U_{2k})$ for all $k \in \mathbb{N}$.

As in the case of Platon’s hyperbola we can show that all integral points on the
right branch of the Fibonacci hyperbola are integral multiples of $(2, 1)$.
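
Binet's formula (2.5), the generating function (2.2) and the group law of Theorem 2.10 can all be verified with integer arithmetic alone by computing in $\mathbb{Z}[\omega]$ with $\omega^2 = \omega + 1$. The following Python code is an added example, not part of the book; the function names and the pair representation $(c, d) = c + d\omega$ are assumptions introduced here.

```python
def fib(n):
    """U_1 = U_2 = 1, U_{n+1} = U_n + U_{n-1}; the convention U_0 = 0 is added."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


def gf_coefficients(count):
    """Coefficients of q^0 .. q^(count-1) of f(q) = q/(1 - q - q^2), obtained
    from relation (2.1) rewritten as f = q + q*f + q^2*f."""
    c = [0] * count
    for n in range(1, count):
        c[n] = (1 if n == 1 else 0) + c[n - 1] + (c[n - 2] if n >= 2 else 0)
    return c


def mul_omega(u, v):
    """Product in Z[omega], omega^2 = omega + 1; a pair (c, d) means c + d*omega."""
    (a, b), (c, d) = u, v
    return (a * c + b * d, a * d + b * c + b * d)


def conj(u):
    """Conjugation: omega' = 1 - omega, so c + d*omega' = (c + d) - d*omega."""
    c, d = u
    return (c + d, -d)


def power(u, n):
    result = (1, 0)
    for _ in range(n):
        result = mul_omega(result, u)
    return result


def binet(n):
    """U_n = (omega^n - omega'^n)/(omega - omega'), evaluated exactly."""
    omega = (0, 1)
    c1, d1 = power(omega, n)
    c2, d2 = power(conj(omega), n)
    num = (c1 - c2, d1 - d2)
    # omega - omega' = -1 + 2*omega, so the numerator must equal k*(-1 + 2*omega).
    k = num[1] // 2
    if num != (-k, 2 * k):
        raise ArithmeticError("numerator is not a multiple of omega - omega'")
    return k


def add_F(P, Q):
    """Group law of Theorem 2.10 on F: x^2 - x*y - y^2 = 1."""
    (x1, y1), (x2, y2) = P, Q
    return (x1 * x2 + y1 * y2, x1 * y2 + x2 * y1 - y1 * y2)


def on_F(P):
    x, y = P
    return x * x - x * y - y * y == 1


def multiples_F(count):
    """P, 2P, ..., count*P for P = (2, 1)."""
    P, R, out = (2, 1), (1, 0), []
    for _ in range(count):
        R = add_F(R, P)
        out.append(R)
    return out
```

The group law is multiplication of the elements $x - y\omega$, whose norm is $x^2 - xy - y^2$; `power((0, 1), n)` returns $(U_{n-1}, U_n)$, which is the identity $\omega^n = U_{n-1} + U_n\omega$ behind the exact evaluation.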

Fig. 2.3 Integral points on the Fibonacci hyperbola



2.6 Vieta Jumping

We can also generate infinitely many integral points on the Fibonacci hyperbola
using a technique that has become known as “Vieta jumping” in recent years, and
we can then show that there are no others.
The fundamental observation is the following: If $P = (x, y)$ is any integral point
on the Fibonacci hyperbola, then there is a second integral point $P^* = (x, y')$ with
the same x-coordinate. This is because for a fixed value of $x$, the quadratic equation
$x^2 - xy - y^2 = 1$ in $y$ has two solutions $y_1, y_2$, and that if $y_1$ is an integer, so is
$y_2 = -x - y_1$. For the same reason there must be an integral point $P_* = (x', y)$
with the same y-coordinate as $P$.
Vieta jumping on conics is connected with the group law; in our case, $P \oplus P^* =
(1, -1)$ and $P \oplus P_* = (-1, 0)$, as is easily seen from the geometric interpretation
of the group law (see Fig. 2.4).
In order to show that all integral points on the Fibonacci hyperbola have the form
$kP$ or $kP \oplus (-1, 0)$ we consider an arbitrary integral point $Q(x, y)$. If $x > y \ge 1$,
then $Q_* = (x', y)$ is an integral point with $y < x$; if $y > x > 1$, on the other hand,
then $Q^* = (x, y')$ is an integral point with $y < x$. Repeating this descent eventually
leads to an integral point with $x = \pm 1$, thus one of the four points $(\pm 1, 0)$ or
$(\pm 1, \mp 1)$. Conversely we have to show that all points arising by the two operations
$P^*$ and $P_*$ from $P(1, 0)$ have the form $kP$ or $kP \oplus (-1, 0)$. We will leave the details
once more to the reader (see Exercise 2.34).

2.6.1 The IMO Problem

The following problem due to Stephan Beck was posed at the International
Mathematical Olympiad in 1988.

Fig. 2.4 $P \oplus P^* = (1, -1)$ and $P \oplus P_* = (-1, 0)$

Fig. 2.5 Vieta jumping on the Fibonacci hyperbola (left) and on $C_4 : x^2 - 4xy + y^2 = 4$ (right)

Let $a$ and $b$ be positive integers such that $ab + 1$ divides $a^2 + b^2$. Prove that $\frac{a^2+b^2}{ab+1}$ is a
perfect square.

For the proof, assume that $P(a, b)$ is an integral point on the conic $C_k : x^2 -
kxy + y^2 = k$, and that $k$ is not a square. Since $k$ is not a square, we must have
$k \ge 2$ (and as a matter of fact $k \ge 3$, since $k = 2$ implies $2 = (x - y)^2$, which is
impossible in integers) (Fig. 2.5).
Next we claim that as long as $a \ne b$ we can find an integral point $(a', b')$ on $C_k$
lying in the first quadrant with $a' + b' < a + b$. Applying this step sufficiently often
we obtain an integral point of the form $(A, A)$; but then $A^2 = \frac{k}{2-k}$ implies $k = 1$
contradicting our assumptions.
The construction of $(a', b')$ is easy: Assume that $b > a$; then $P^*(a, b')$ with
$b' = ka - b$ is an integral point on $C_k$, and $ab' = a^2 - k$ shows that $b' < a$. If $a > b$,
then $P_* = (kb - a, b)$ has the desired properties. This proves our claims.

2.6.2 Markov’s Equation

In [64], Adolf Hurwitz investigated Diophantine equations such as this one:

$$x_1^2 + x_2^2 + x_3^2 = kx_1 x_2 x_3.$$

If $(x_1, x_2, x_3)$ is an integral solution, then so are, by Vieta jumping,

$$(kx_2 x_3 - x_1, x_2, x_3), \quad (x_1, kx_1 x_3 - x_2, x_3) \quad \text{and} \quad (x_1, x_2, kx_1 x_2 - x_3).$$

For $k = 3$, this equation has the obvious integral solution $(1, 1, 1)$, and Vieta
jumping gives rise to a whole tree of integral solutions.
For more on Markov’s equation, its history and unsolved problems connected
with it, see Aigner [1].
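
The three uses of Vieta jumping in this section can be run on concrete numbers. The Python code below is an added example, not from the book; all function names are assumptions introduced here. It checks the identities $P \oplus P^* = (1, -1)$ and $P \oplus P_* = (-1, 0)$ on the Fibonacci hyperbola, carries out the descent on $C_k$ for pairs $(a, b)$ with $ab + 1 \mid a^2 + b^2$ until a coordinate becomes 0, and enumerates the Markov tree for $k = 3$ starting from $(1, 1, 1)$.

```python
from math import isqrt


def add_F(P, Q):
    """Group law of Theorem 2.10 on F: x^2 - x*y - y^2 = 1."""
    (x1, y1), (x2, y2) = P, Q
    return (x1 * x2 + y1 * y2, x1 * y2 + x2 * y1 - y1 * y2)


def jumps_F(P):
    """The two Vieta jumps on F: P^* keeps x (y' = -x - y), P_* keeps y (x' = y - x)."""
    x, y = P
    return (x, -x - y), (y - x, y)


def imo_quotient(a, b):
    """k = (a^2 + b^2)/(a*b + 1) if this is an integer, otherwise None."""
    q, r = divmod(a * a + b * b, a * b + 1)
    return q if r == 0 else None


def descend(a, b):
    """Vieta-jump on C_k: x^2 - k*x*y + y^2 = k, always replacing the larger
    coordinate by the other root, until a coordinate is 0. Returns (k, path)."""
    k = imo_quotient(a, b)
    if k is None:
        raise ValueError("a*b + 1 does not divide a^2 + b^2")
    path = [(a, b)]
    while a > 0 and b > 0:
        if b >= a:
            b = k * a - b        # P^*: same x-coordinate
        else:
            a = k * b - a        # P_*: same y-coordinate
        path.append((a, b))
    return k, path


def check_imo(bound):
    """All (a, b, k, ok) with 1 <= a <= b <= bound and integral quotient k;
    ok records that k is a square and the descent ends in (sqrt k, 0) or (0, sqrt k)."""
    results = []
    for a in range(1, bound + 1):
        for b in range(a, bound + 1):
            k = imo_quotient(a, b)
            if k is not None:
                _, path = descend(a, b)
                ok = isqrt(k) ** 2 == k and max(path[-1]) ** 2 == k
                results.append((a, b, k, ok))
    return results


def is_markov(t, k=3):
    x1, x2, x3 = t
    return x1 * x1 + x2 * x2 + x3 * x3 == k * x1 * x2 * x3


def markov_neighbours(t, k=3):
    """The three solutions obtained from t by Vieta jumping in one coordinate."""
    x1, x2, x3 = t
    return [(k * x2 * x3 - x1, x2, x3), (x1, k * x1 * x3 - x2, x3),
            (x1, x2, k * x1 * x2 - x3)]


def markov_tree(limit, k=3):
    """Sorted triples reachable from (1, 1, 1) with all entries <= limit."""
    seen, stack = set(), [(1, 1, 1)]
    while stack:
        t = tuple(sorted(stack.pop()))
        if t in seen or max(t) > limit:
            continue
        seen.add(t)
        stack.extend(markov_neighbours(t, k))
    return sorted(seen)
```

For example, `descend(8, 30)` returns `(4, [(8, 30), (8, 2), (0, 2)])`: the quotient is $4 = 2^2$ and the descent ends in the point $(0, 2)$ of $C_4$.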

2.6.3 Summary

We have introduced the following notions, which will be fundamental for the
following chapters:
• quadratic number fields
• norms, traces, and discriminants
• Galois groups of quadratic extensions of Q
• rings of integers (maximal order)
• integral bases
For an introduction to the theory of group laws on conics see [86].

2.7 Exercises

2.1. Show that a quadratic number field $k = \mathbb{Q}(\sqrt{m})$, where $m$ is a squarefree
integer $\ne 1$, is a field.
2.2. Show that elements $\alpha, \beta \in K = \mathbb{Q}(\sqrt{m})$ form a $\mathbb{Q}$-basis of $K$ if and only
if the $2 \times 2$-matrix $M$ defined by $\binom{\alpha}{\beta} = M\binom{1}{\sqrt{m}}$ is a matrix in the group
$\mathrm{GL}_2(\mathbb{Q})$, i.e., if and only if $\det M \ne 0$.
2.3. Show that elements $\alpha, \beta \in \mathcal{O}_K$, where $\mathcal{O}_K$ is the ring of integers of $K =
\mathbb{Q}(\sqrt{m})$, form an integral basis of $\mathcal{O}_K$ if and only if the $2 \times 2$-matrix $M$
defined by $\binom{\alpha}{\beta} = M\binom{1}{\omega}$ is a matrix in the group $\mathrm{SL}_2(\mathbb{Z})$, i.e., if and only if
the matrix has integral entries and determinant $\det M = \pm 1$.
2.4. Verify the equation

$$\begin{pmatrix} U_n & U_{n+1} \\ U_{n+1} & U_{n+2} \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 1 & 1 \end{pmatrix}^{n+1}$$

for Fibonacci numbers $U_n$. Diagonalize $T = \begin{pmatrix} 0 & 1 \\ 1 & 1 \end{pmatrix}$ (i.e., find an invertible
matrix $S \in M_2(\mathbb{C})$ with $D = S^{-1}TS = \begin{pmatrix} \alpha & 0 \\ 0 & \beta \end{pmatrix}$) and observe that $T^n =
(S^{-1}DS)^n = S^{-1}D^nS$. Since it is very easy to take powers of diagonal
matrices, one now obtains a formula for the numbers $U_n$.
2.5. Prove that $p \mid U_{p \pm 1}$ by expanding $\omega^p$ using the binomial theorem. Also show
that for primes $p \equiv \pm 1 \bmod 5$ we have $p \mid U_{p-1}$, for primes $p \equiv \pm 2 \bmod 5$,
on the other hand, $p \mid U_{p+1}$. The last result is due to Lagrange.
Joseph Louis Lagrange (1736–1813) was a French mathematician with
Italian origins. In number theory, he is known for his proofs of the Four-Squares
Theorem (each natural number is the sum of at most four square
numbers) and the solvability of the Pell equation, as well as for his theory of
reduction of binary quadratic forms.
Hint: Show that the congruence $(a + b)^p \equiv a^p + b^p \bmod p$ holds in
arbitrary rings.
2.6. Prove Proposition 2.1. In particular if $\alpha = a + b\sqrt{m} \in \mathbb{Q}(\sqrt{m})$, where $m$ is
not a square, show the following:
1. $\operatorname{Tr}(\alpha) = 0$ if and only if $a = 0$.
2. $\operatorname{disc} \alpha = 0$ if and only if $b = 0$.
3. $N\alpha = 0$ if and only if $a = b = 0$.
2.7. Show that if α | β in Ok , then Nα | Nβ in Z.
2.8. Let $x^2 + px + q = 0$ be a quadratic equation with the solutions $\omega$ and $\omega'$. Show
that $\operatorname{disc} \omega = (\omega - \omega')^2 = p^2 - 4q$ coincides with the discriminant of the
quadratic equation. What happens in case of the equation $ax^2 + bx + c = 0$?
2.9. Let $m$ be a nonzero integer. Show that the following assertions are equivalent:
1. $\mathbb{Q}(\sqrt{m}) = \{a + b\sqrt{m},\ a, b \in \mathbb{Q}\}$ is a field.
2. $x^2 - m$ is irreducible in $\mathbb{Q}[x]$.
3. The integer $m$ is not a square in $\mathbb{Q}$.
4. $N(a + b\sqrt{m}) = a^2 - mb^2 = 0$ implies $a = b = 0$.
2.10. Let $m$ be a squarefree integer and $K = \mathbb{Q}(\sqrt{m})$. Show that the square root
$\sqrt{b}$ of an integer $b$ is an element of $K$ if and only if either $b = r^2$ is a square
or $b = s^2 m$ for some integer $s$.
2.11. Show that σ : k −→ k is a ring homomorphism, i.e., show that σ (α + β) =
σ (α) + σ (β) and σ (αβ) = σ (α)σ (β) for all α, β ∈ k. Show moreover that
α ∈ k is in Q if and only if α = σ (α).
2.12. Let $K/\mathbb{Q}$ be a quadratic extension. Verify that $K$ is a $\mathbb{Q}$-vector space.
Show that multiplication by $\alpha = a + b\sqrt{m} \in K$ is a $\mathbb{Q}$-linear map $K \to K$;
show that, with respect to the $\mathbb{Q}$-basis $\{1, \sqrt{m}\}$ of $K$, the map is described by
$x \mapsto Ax$, where $x = \binom{r}{s}$ describes the element $r + s\sqrt{m}$ and where $A$ is
given by $A = \begin{pmatrix} a & mb \\ b & a \end{pmatrix}$.
Show that $N\alpha = \det A$ and $\operatorname{Tr} \alpha = \operatorname{Tr} A$, and that norm and trace do not
depend on the choice of the basis.
2.13. Show that an element $\alpha$ of a quadratic number field is integral if and only if
$\alpha' = \sigma(\alpha)$ is integral.
2.14. Show that if {1, ω} is an integral basis of Ok , then so is {1, ω − a} for any
integer a ∈ Z.
Show more generally: If $\{\omega_1, \omega_2\}$ is an integral basis and if $a, b, c, d$ are
integers such that $ad - bc = 1$, then $\{a\omega_1 + b\omega_2, c\omega_1 + d\omega_2\}$ is also an
integral basis.
2.15. Determine all $m < 0$ for which the ring $\mathcal{O}_k$ of integers in $k = \mathbb{Q}(\sqrt{m})$
contains an element of norm 2 or 3.

2.16. An abelian group $M$ is called a $G$-module, if the group $G$ acts on $M$, that
is, if there is a map $G \times M \to M : (g, m) \mapsto gm$ with the following
properties:
1. $g(m + m') = gm + gm'$,
2. $(gg')m = g(g'm)$,
3. $1m = m$
for all $g, g' \in G$ and all $m, m' \in M$. Show that the Galois group $G =
\operatorname{Gal}(k/\mathbb{Q})$ of a quadratic number field $k$ acts on the abelian groups $k$, $k^\times$ and
$\mathcal{O}_k$ via $(\sigma, \alpha) \mapsto \sigma(\alpha)$.
2.17. Solve the equation $x^2 + y^2 = 2z^2$ using “Euler’s trick”: Write the equation in
the form $(x + y)^2 + (x - y)^2 = (2z)^2$.
2.18. An integral basis of the form $\{\omega, \sigma(\omega)\}$ is called a normal integral basis.
Show that $\mathcal{O}_k$ has a normal integral basis if and only if $m \equiv 1 \bmod 4$, i.e., if
and only if $\operatorname{disc} k$ is odd.
2.19. Show that $\mathbb{Q}(\sqrt[3]{2}) = \{a + b\sqrt[3]{2} + c\sqrt[3]{4} : a, b, c \in \mathbb{Q}\}$ is a field, but that the
subset of all elements of the form $a + b\sqrt[3]{2}$ is not a field.

2.20. Although $2^2 + 5 \cdot 1^2 = 9$ is a square, it does not result from a decomposition $2 + \sqrt{-5} = (a + b\sqrt{-5})^2$. Show, however, that

$$2 + \sqrt{-5} = i \left(\frac{i + \sqrt{5}}{1 + i}\right)^2 = -\left(\frac{1 - \sqrt{-5}}{\sqrt{2}}\right)^2.$$

Explain the relation $31^2 - 26 \cdot 6^2 = 5^2$ by a similar decomposition of $31 + 6\sqrt{26}$.
2.21. The norm of $17 + 4\sqrt{15}$ is a square. Show that the square root of $17 + 4\sqrt{15}$ has the form $a\sqrt{3} + b\sqrt{5}$, and find more examples.
2.22. Let $m$ be a positive integer. Show that if $a^2 - mb^2 = c^2$ and $1 \le a \le m$, then $a + b\sqrt{m}$ cannot be the square of a number of the form $r + s\sqrt{m}$ with $r, s \in \mathbb{Z}$ and $s \ne 0$. Show moreover that such examples exist for every composite positive integer $m$.
2.23. Consider the quadratic number fields $K = \mathbb{Q}(\sqrt{-m})$ with squarefree $m = u^2 - 4$ for an odd integer $u \ge 3$. Show that $2^2 + m = u^2$ is a counterexample to the Square Lemma in $\mathbb{Z}[\sqrt{-m}]$.
2.24. An entry in Joseph Liouville’s notebook, probably written while the French mathematicians struggled with Gabriel Lamé’s purported proof of Fermat’s Last Theorem, contains the following equation:

$$169 = 13 \cdot 13 = (4 + 3\sqrt{-17})(4 - 3\sqrt{-17}).$$

Show that this is a counterexample to the Square Product Theorem in $\mathbb{Z}[\sqrt{-17}]$.
2.25. Show that Euler’s problems with the equation $32 = 5^2 + 7$ are due to the fact that he worked in the ring $\mathbb{Z}[\sqrt{-7}]$ instead of in the ring of integers $\mathbb{Z}\big[\frac{1 + \sqrt{-7}}{2}\big]$. Verify that

$$\frac{5 + \sqrt{-7}}{2} = \left(\frac{-1 - \sqrt{-7}}{2}\right)^3,$$

and factorize $\frac{181 + \sqrt{-7}}{2}$ similarly.
2.26. Use the fact that addition of points on the unit circle corresponds to the
addition of angles to derive the addition formulas for trigonometric functions.
2.27. Project the points on the unit circle from the point Z(−1, 0) to the tangent t
in N, and associate the point Z with the “point at infinity” on t. Which group
law on t is induced by the group law on the unit circle under this projection?
2.28. The inverse of the duplication formula $2(x, y) = (x^2 - y^2, 2xy)$ for rational points on the unit circle corresponds to taking the square root of the complex number $x + yi$ corresponding to the point $(x, y)$. Show that the two solutions of $\frac{1}{2}(x, y)$, where $x, y > 0$, are given by $\Big(\varepsilon\sqrt{\frac{1+x}{2}}, \varepsilon\sqrt{\frac{1-x}{2}}\Big)$ for $\varepsilon = \pm 1$.
Convince yourself that a repeated application of halving points to $\cos\frac{\pi}{4} = \sin\frac{\pi}{4} = \frac{1}{2}\sqrt{2}$ yields the formulas

$$\cos\frac{\pi}{8} = \frac{1}{2}\sqrt{2 + \sqrt{2}}, \qquad \sin\frac{\pi}{8} = \frac{1}{2}\sqrt{2 - \sqrt{2}},$$

$$\cos\frac{\pi}{16} = \frac{1}{2}\sqrt{2 + \sqrt{2 + \sqrt{2}}}, \qquad \sin\frac{\pi}{16} = \frac{1}{2}\sqrt{2 - \sqrt{2 + \sqrt{2}}},$$

etc.
2.29. Show that the group law on the hyperbola $xy = 1$ with neutral element $N(1, 1)$ is given by $(x_1, y_1) \oplus (x_2, y_2) = (x_1 x_2, y_1 y_2)$.
2.30. Show that the group law on the parabola $y = x^2$ with neutral element $N(0, 0)$ is given by $(x_1, y_1) \oplus (x_2, y_2) = (x_1 + x_2, y_1 + y_2 + 2x_1 x_2)$.
2.31. Show that the generating function $f(q)$ of the Fibonacci numbers satisfies the functional equation

$$f\Big(\frac{1}{q}\Big) = f(-q).$$

2.32. Show that for Fibonacci numbers $U_n$ we have

$$\lim_{n \to \infty} \frac{U_{n+1}}{U_n} = \frac{\sqrt{5} + 1}{2}.$$

2.33. Prove Theorem 2.10: Show that
1. $P_3(x_3, y_3)$ lies on the Fibonacci hyperbola $x^2 - xy - y^2 = 1$, and that
2. the slope of the line through $P_1$ and $P_2$ is equal to that through $P_3$ and $N$.

2.34. Determine all integral points on the Fibonacci hyperbola using Vieta jumping.
2.35. Consider the Lucas–Lehmer hyperbola $x^2 - 3y^2 = 1$. Show that the group law with neutral element $N(1, 0)$ is given by

$$(x_1, y_1) + (x_2, y_2) = (x_1 x_2 + 3y_1 y_2, x_1 y_2 + x_2 y_1).$$

Show that the integral points on this hyperbola are the multiples of $P(2, 1)$ and their negatives. Show in addition that $2^k P = (x_k, y_k)$ with $x_{k+1} = 2x_k^2 - 1$.
2.36. Let $n$ be an odd natural number. Show that $n$ is prime if and only if there is an integer $a$ with $a^{n-1} \equiv 1 \bmod n$ and $a^k \not\equiv 1 \bmod n$ for each proper divisor $k$ of $n - 1$.
Deduce that $n = 2^m + 1$ is prime if and only if $3^{(n-1)/2} \equiv -1 \bmod n$ (this is called Pépin’s test).
We can formulate this primality test in the language of conics. An odd integer $n$ is prime if and only if there is a point $P$ on the hyperbola $xy = 1$ defined over $\mathbb{Z}/n\mathbb{Z}$ for which $(n - 1)P = (1, 1)$ and $kP \ne (1, 1)$ for each proper divisor $k$ of $n - 1$.
For $n = 17$ and $P = (3, 6)$ (the coordinates have to be read modulo 17), for example, we have $2P = (9, 2)$, $4P = (13, 4)$, $8P = (-1, -1)$ and $16P = (1, 1)$, and this proves that 17 is prime.
For more on primality tests using conics see Hambleton [50]. Factorization algorithms based on the arithmetic of Pell conics are studied in Eelkema [33]. We also mention a proof of the quadratic reciprocity law based on Pell conics due to Hambleton and Scharaschkin [52].
2.37. Let $p$ be a prime number with $\left(\frac{3}{p}\right) = -1$. Show that the points modulo $p$ on the conic $x^2 - 3y^2 = 1$ form a cyclic group of order $p + 1$.
Show moreover that $p = 2^q - 1$ is prime if and only if $\frac{p+1}{2} P = (-1, 0)$ for $P = (2, 1)$. Show also that this is equivalent to $\frac{p+1}{4} P = (0, b)$ for a suitable $b$ modulo $p$.
2.38. Find all integral points on the Beck conic $x^2 - 4xy + y^2 = 4$.
For Q = (a, b) let Q∗ = (a, b ) and Q∗ = (a , b) denote the points
derived from Q by Vieta jumping. With P = (2, 0) and T = (0, 2) show that
P ⊕ P = T∗ and P ⊕ T = P∗ .
2.39. Find all integral points on the conic $x^2 + y^2 - 3xy + 1 = 0$.
2.40. (Romanian Team Selection Test 1991) Let a and b be positive integers. Prove
that if the number a+1b + a is an integer, then it is equal to 3.
b

2.41. Vieta jumping works for Platon’s hyperbola $H : x^2 - 2y^2 = 1$ after a coordinate transformation. Use the substitution x = Y + Y , y = Y for finding all integral points on $H$ using Vieta jumping.
2.42. Transform the hyperbola $x^2 - 3y^2 = 1$ using $x = X + 2Y$ and $y = Y$, and determine all integral points on these conics using Vieta jumping.
2.43. Determine all integral points on the hyperbolas $x^2 - (n^2 - 1)y^2 = 1$ using Vieta jumping.


2.44. Show√that algebraic integers form a ring using the example α = 3 and
β = 3 2, i.e., find monic polynomials with integral coefficients whose roots
are α + β and αβ, respectively.
2.45. Let $\zeta$ be a primitive $n$-th root of unity, i.e., an algebraic number with the property that $n$ is the smallest positive exponent satisfying $\zeta^n = 1$. Show that the set $\mathbb{Z}[\zeta]$ consisting of all elements $\alpha = \sum_{j=0}^{n-1} a_j \zeta^j$ with $a_j \in \mathbb{Z}$ forms a ring.
2.46. Let $\alpha$ be a root of an irreducible monic polynomial $f$ of degree $n$ and with integral coefficients, and let $K = \mathbb{Q}(\alpha)$ be the smallest field extension of $\mathbb{Q}$ containing $\alpha$. Show that $K$ consists of all expressions $\omega = a_0 + a_1 \alpha + a_2 \alpha^2 + \ldots + a_{n-1} \alpha^{n-1}$ with $a_j \in \mathbb{Q}$.
The conjugates of $\alpha$ are the roots $\alpha_1 = \alpha, \alpha_2, \ldots, \alpha_n$ of $f$, and the conjugates of $\omega$ are $\omega_j = a_0 + a_1 \alpha_j + a_2 \alpha_j^2 + \ldots + a_{n-1} \alpha_j^{n-1}$. Define the norm of $\omega$ to be the product of its conjugates: $N(\omega) = \omega_1 \omega_2 \cdots \omega_n$. Show that $N(\omega)$ is an integer, and that $\omega$ is a unit if and only if $N(\omega) = \pm 1$.
2.47. A natural number $n$ is called powerful if $p \mid n$ for some prime $p$ implies that $p^2 \mid n$; in other words: if the exponent of each prime in the prime factorization of $n$ is at least 2.
Show that there are infinitely many consecutive powerful numbers; the smallest example is (8, 9).
Chapter 3
The Modularity Theorem

In the last chapter we have investigated a few Pell conics such as $x^2 - 2y^2 = 1$ and $x^2 - xy - y^2 = 1$. For finding all integral points on Pell conics $Q(x, y) = 1$, where $Q(x, y) = ax^2 + bxy + cy^2$ is a binary quadratic form, it is natural to ask whether this equation has solutions in rational numbers or in residue class rings.
The general philosophy behind this way of investigating a mathematical problem in the integers is to study the object in question in simpler rings such as the field of rational numbers or finite fields.¹

3.1 Pell Conics Over Fields

The solvability of the Pell equation $x^2 - my^2 = 1$ in integers is a nontrivial problem. Describing the solutions in fields, in particular in the field $\mathbb{Q}$ of rational numbers or in finite fields $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$, is a rather simple problem. In this section, we will explain how to find all rational solutions of a Pell equation; in the next section we will discuss the solutions in finite fields, which will lead us to the definition of Kronecker symbols. Quadratic number fields will not play a big role in this chapter, which belongs to elementary number theory; but Kronecker symbols will turn out to play a central role in the arithmetic of quadratic number fields later on.

¹ Beginners in mathematics may find it hard to believe that mathematicians think of finite fields (and even $p$-adic numbers) as being simpler objects than integers. One possible way of measuring the simplicity of structures $A$ and $B$ is counting homomorphisms from $A$ and $B$ into structures $C$. For example, there are many homomorphisms from $\mathbb{Z}$ to finite fields $\mathbb{F}_p$, whereas the only homomorphisms from $\mathbb{F}_p$ to $\mathbb{Z}$ or to finite fields are either the trivial homomorphism mapping everything to 0 or (in the case of $\mathbb{F}_p \to \mathbb{F}_p$) an isomorphism.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_3

3.1.1 Parametrization of Conics

Let $m$ be a nonzero integer, and consider the Pell equation $x^2 - my^2 = 1$. This equation has two trivial solutions $(\pm 1, 0)$, and like each quadratic equation describing a smooth curve (parabolas, ellipses and hyperbolas), it has infinitely many rational solutions as soon as it has a single one. In fact, there is a simple geometric method of finding these rational solutions. The basic idea is that a line with rational slope $t$ through one known rational point, say $Q(-1, 0)$, will intersect the conic in a second point $P$, and this point must have rational coordinates because of Vieta’s formulas.
Let us go through this procedure step by step. The line through $Q(-1, 0)$ with slope $t$ is given (in a standard Cartesian coordinate system) by the equation $y = t(x + 1)$. Intersecting this line with the Pell conic $x^2 - my^2 = 1$ yields the equation $x^2 - 1 - mt^2(x + 1)^2 = 0$, which we can write in the form

$$(x + 1)\big(x - 1 - mt^2(x + 1)\big) = 0.$$

This product is 0 if either $x_1 = -1$ or if the second factor is equal to 0, which leads to

$$x = \frac{1 + mt^2}{1 - mt^2}, \qquad y = t(x + 1) = \frac{2t}{1 - mt^2}.$$

If $m = n^2$ is a square, we have to exclude the values $t = \pm\frac{1}{n}$. Since we have, by the choice of our coordinate system, not considered the line $x = -1$ with slope $\infty$, this parametrization gives every rational point on the Pell conic $\mathcal{P} : x^2 - my^2 = 1$ with the exception of $Q$ itself.
If we set $t = \frac{s}{r}$ for integers $r \ne 0$ and $s$, the parametrization derived above yields

Theorem 3.1 The rational points $(x, y) \ne (-1, 0)$ on the Pell conic $\mathcal{P} : x^2 - my^2 = 1$, where $m$ is a nonsquare integer, are given by

$$x = \frac{r^2 + ms^2}{r^2 - ms^2}, \qquad y = \frac{2rs}{r^2 - ms^2}. \tag{3.1}$$

Finding the rational points on a Pell conic C is thus a rather easy task. It is much
more difficult to find the integral points on C.

3.1.2 Pell Conics Over Finite Fields

The parametrization of rational points on a Pell conic $\mathcal{P} : x^2 - my^2 = 1$ carries over word for word to arbitrary fields:

Theorem 3.2 Let $m$ be a nonzero integer and $p$ an odd prime number not dividing $m$. Every point $P(x, y) \ne (-1, 0)$ on the Pell conic $\mathcal{P} : x^2 - my^2 = 1$ with $x, y \in \mathbb{F}_p$ is given by

$$x_t = \frac{1 + mt^2}{1 - mt^2}, \qquad y_t = \frac{2t}{1 - mt^2},$$

where $t$ is an arbitrary element of $\mathbb{F}_p$ with $mt^2 \ne 1$.


We say that a conic $Q(x, y) = ax^2 + bxy + cy^2 + dx + ey + f = 0$ is defined over a field $F$ if $Q \in F[x, y]$ has coefficients in $F$. A point $(\xi, \eta)$ on the conic is called an $F$-rational point if $\xi, \eta \in F$. We can find all $\mathbb{F}_5$-rational points on the Pell conic $x^2 - 2y^2 = 1$, for example, by plugging $t = 0, 1, 2, 3, 4 \in \mathbb{F}_5$ into the parametrization in the theorem above; we find (keeping in mind that we are working modulo 5):

$$\begin{aligned}
x_0 &= 1, & y_0 &= 0, \\
x_1 &= 2, & y_1 &= -2, \\
x_2 &= -\tfrac{9}{7} \equiv -2, & y_2 &= -2, \\
x_3 &= -\tfrac{19}{17} \equiv -2, & y_3 &= 2, \\
x_4 &= 2, & y_4 &= 2.
\end{aligned}$$

This shows that there are, together with $(-1, 0)$, exactly six $\mathbb{F}_5$-rational points on the Pell conic $x^2 - 2y^2 = 1$.
Counting the number of $\mathbb{F}_p$-rational points on an arbitrary Pell conic $x^2 - my^2 = 1$ is not hard (we are still assuming that $p \nmid 2m$). The number of $\mathbb{F}_p$-rational points on $\mathcal{P}$ depends on whether the equation $mt^2 = 1$ has a solution in $\mathbb{F}_p$. Such a solution exists if and only if $m$ is a square in $\mathbb{F}_p^\times$; in fact, if $m = n^2$ in $\mathbb{F}_p^\times$, then $mt^2 = 1$ for $t = \pm\frac{1}{n}$. In this case, the parametrization yields $\mathbb{F}_p$-rational points for $p - 2$ values of $t$, so including $(-1, 0)$ there are $p - 1$ points in $\mathcal{P}(\mathbb{F}_p)$. If $m$ is not a square in $\mathbb{F}_p$, then all $p$ values of $t$ yield points in $\mathcal{P}(\mathbb{F}_p)$, so in this case there are $p + 1$ points in $\mathcal{P}(\mathbb{F}_p)$.

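Theorem 3.3 Let $m$ be an integer and $p$ an odd prime not dividing $2m$. Then the number of $\mathbb{F}_p$-rational points on the Pell conic $\mathcal{P} : x^2 - my^2 = 1$ is given by

$$\#\mathcal{P}(\mathbb{F}_p) = \begin{cases} p - 1 & \text{if } m \text{ is a square in } \mathbb{F}_p^\times, \\ p + 1 & \text{otherwise.} \end{cases}$$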
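The parametrization of Theorem 3.2 and the count of Theorem 3.3 can be checked by machine. The following Python code is an added example, not taken from the book; the function names are chosen here for illustration. It builds the point set from the slopes $t$, compares it with a brute-force search, and compares the count with $p \mp 1$.

```python
# Added example: F_p-rational points on the Pell conic x^2 - m*y^2 = 1.
# Assumes p is an odd prime not dividing m (hypotheses of Theorems 3.2 and 3.3).

def pell_points_param(m, p):
    """Points given by the parametrization of Theorem 3.2, plus Q = (-1, 0)."""
    points = {(p - 1, 0)}                 # Q = (-1, 0) is not reached by any slope t
    for t in range(p):
        d = (1 - m * t * t) % p
        if d == 0:                        # m*t^2 = 1: this slope has to be excluded
            continue
        inv = pow(d, -1, p)               # 1/(1 - m*t^2) in F_p (Python 3.8+)
        x = (1 + m * t * t) * inv % p
        y = 2 * t * inv % p
        points.add((x, y))
    return points


def pell_points_brute(m, p):
    """All (x, y) in F_p x F_p with x^2 - m*y^2 = 1, found by exhaustive search."""
    return {(x, y) for x in range(p) for y in range(p)
            if (x * x - m * y * y - 1) % p == 0}


def is_square_mod(m, p):
    """True if m is a nonzero square in F_p."""
    return any((n * n - m) % p == 0 for n in range(1, p))


def expected_count(m, p):
    """Number of points predicted by Theorem 3.3."""
    return p - 1 if is_square_mod(m, p) else p + 1


def centered(points, p):
    """Sorted points with residues written in (-p/2, p/2), as in the text's F_5 example."""
    def c(v):
        return v - p if v > p // 2 else v
    return sorted((c(x), c(y)) for x, y in points)


if __name__ == "__main__":
    print(centered(pell_points_param(2, 5), 5))
    for p in (3, 5, 7, 11, 13):
        for m in (2, 3, -1):
            if m % p:
                print(p, m, len(pell_points_param(m, p)), expected_count(m, p))
```
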

Whether an integer $m$ is a square modulo an odd prime $p$ or not is described by Legendre symbols, which we introduce next.

3.2 The Symbols of Legendre, Kronecker, and Jacobi

Let $p$ be an odd prime number and $a$ an integer. If $a$ is not divisible by $p$, then we say that $a$ is a quadratic residue modulo $p$ if the congruence $x^2 \equiv a \bmod p$ is solvable in integers, and a quadratic nonresidue otherwise. Then we define the Legendre symbol $\left(\frac{a}{p}\right)$ by

$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \mid a, \\ +1 & \text{if } p \nmid a,\ a \text{ is a quadratic residue modulo } p, \\ -1 & \text{if } p \nmid a,\ a \text{ is a quadratic nonresidue modulo } p. \end{cases} \tag{3.2}$$

Algebraically, the Legendre symbol provides us with a group homomorphism from the group $(\mathbb{Z}/p\mathbb{Z})^\times$ of coprime residue classes modulo $p$ to the group $\{-1, +1\}$. This follows easily from the fact that $\left(\frac{a}{p}\right)$ only depends on the residue class of $a \bmod p$ and the multiplicativity of the Legendre symbol:
Proposition 3.4 The Legendre symbol is multiplicative:

$$\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right).$$
This property is a consequence of the fact that $(\mathbb{Z}/p\mathbb{Z})^\times$ is cyclic. Recall that an integer $g$ is called a primitive root modulo $N$ if each coprime residue class $a$ modulo $N$ has the form $a \equiv g^k \bmod N$. It is known that there exist primitive roots modulo every prime. A primitive root modulo an odd prime $p$ is always a quadratic nonresidue: If $g \equiv h^2 \bmod p$, then $g^{\frac{p-1}{2}} \equiv h^{p-1} \equiv 1 \bmod p$, which would imply that the powers of $g$ represent at most half of the coprime residue classes modulo $p$.
For the same reason, all odd powers $g^{2k+1}$ are quadratic nonresidues since if $g^{2k+1} \equiv h^2 \bmod p$, then $g \equiv (g^{-k}h)^2 \bmod p$ would be a quadratic residue. Thus $g^k$ is a quadratic residue modulo $p$ if and only if $k$ is even. But now multiplicativity follows: If, e.g., $a$ and $b$ are quadratic nonresidues modulo $p$, then $a \equiv g^k$ and $b \equiv g^h \bmod p$ for odd exponents $k$ and $h$, hence $ab \equiv g^{k+h} \bmod p$ is a quadratic residue.
The existence of primitive roots also implies Euler’s criterion:
Proposition 3.5 (Euler’s Criterion) For all integers $a$ not divisible by the prime $p$ we have

$$\left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \bmod p.$$

If $a$ is a quadratic residue, then $a \equiv g^{2k} \bmod p$, hence $a^{\frac{p-1}{2}} \equiv g^{(p-1)k} \equiv 1 \bmod p$; if $a$ is a quadratic nonresidue, then $a \equiv g^{2k+1} \bmod p$, hence $a^{\frac{p-1}{2}} \equiv g^{(p-1)k} g^{\frac{p-1}{2}} \equiv g^{\frac{p-1}{2}} \equiv -1 \bmod p$. This follows from the fact that $x \equiv g^{\frac{p-1}{2}} \bmod p$ is a solution of the congruence $x^2 \equiv 1 \bmod p$, hence $p$ divides $(x - 1)(x + 1)$, and since $\mathbb{F}_p$ is a field, we must have $x \equiv \pm 1 \bmod p$. Since $g$ is a primitive root, we cannot have $x \equiv 1 \bmod p$.

3.2.1 Kronecker Symbol

The Kronecker symbol is a slight modification of the Legendre symbol and will turn out to be useful for describing the behavior of prime numbers in quadratic number fields. The numerator of a Kronecker symbol is restricted to discriminants $\Delta$ of quadratic number fields. For odd prime numbers $p$, the Kronecker symbol $\left(\frac{\Delta}{p}\right)$ coincides with the ordinary Legendre symbol. If $\Delta$ is odd, we set, in addition, $\left(\frac{\Delta}{2}\right) = +1$ or $-1$ according as $\Delta \equiv 1 \bmod 8$ or $\Delta \equiv 5 \bmod 8$. In other words, we define $\left(\frac{\Delta}{2}\right) = \left(\frac{2}{\Delta}\right)$, where $\left(\frac{\Delta}{2}\right)$ is a Kronecker symbol and $\left(\frac{2}{\Delta}\right)$ a Legendre symbol.

3.2.2 Gauss’s Lemma

Gauss’s Lemma in the theory of quadratic residues is an elementary technique for studying properties of Legendre and Kronecker symbols. Let $p = 2m + 1$ denote an odd prime number; then any set of integers $\{a_1, \ldots, a_m\}$ with the property that every coprime residue class is represented by an element of the form $\pm a_j$ is called a half system modulo $p$. The standard half system modulo $p = 2m + 1$ is the set $A_p = \{1, 2, 3, \ldots, m\}$.
Now let $a$ be an integer coprime to $p$, and write, for each $1 \le j \le m$,

$$a \cdot a_j \equiv \varepsilon_j a_j'$$

for $\varepsilon_j = \pm 1$ and some $a_j' \in A_p$. Taking the product over all $m$ such congruences yields

$$a^m \prod a_j = \prod \varepsilon_j \prod a_j'.$$

Since no $a_j'$ occurs twice, we must have $\prod a_j = \prod a_j'$, and since this product is coprime to $p$, it follows that

$$a^m \equiv \prod \varepsilon_j \bmod p.$$

By Euler’s criterion we have

$$a^{\frac{p-1}{2}} \equiv \left(\frac{a}{p}\right) \bmod p,$$

and this implies

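Lemma 3.6 (Gauss’s Lemma) Let $p = 2m + 1$ be an odd prime number and $A = \{a_1, \ldots, a_m\}$ a half system modulo $p$. If we write $a \cdot a_j \equiv \varepsilon_j a_j'$ for each $1 \le j \le m$ with $\varepsilon_j = \pm 1$ and $a_j' \in A$, then the Legendre symbol $\left(\frac{a}{p}\right)$ is given by

$$\left(\frac{a}{p}\right) = \prod \varepsilon_j.$$

For determining $\left(\frac{2}{7}\right)$, for example, we take the half system $\{1, 2, 3\}$ modulo 7 and write

$$\begin{aligned}
2 \cdot 1 &\equiv +2 \bmod 7, \\
2 \cdot 2 &\equiv -3 \bmod 7, \\
2 \cdot 3 &\equiv -1 \bmod 7,
\end{aligned}$$

hence $\left(\frac{2}{7}\right) = (-1)^2 = +1$.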


Next we determine a few Legendre and Kronecker symbols. We begin with $\left(\frac{-1}{p}\right) = \left(\frac{-4}{p}\right)$. The value of this symbol follows immediately from Euler’s criterion:

$$\left(\frac{-1}{p}\right) \equiv (-1)^{\frac{p-1}{2}} \bmod p \quad \text{implies the equation} \quad \left(\frac{-1}{p}\right) = (-1)^{\frac{p-1}{2}}.$$

Since the power of $-1$ on the right side only depends on the residue class of $p \bmod 4$, we find
Proposition 3.7 We have $\left(\frac{-1}{p}\right) = (-1)^{\frac{p-1}{2}}$. In particular, the Legendre symbol $\left(\frac{-1}{p}\right)$ for primes $p \ge 3$ only depends on the residue class of $p \bmod 4$; in fact, for positive prime numbers $p$ we have

$$\left(\frac{-1}{p}\right) = \begin{cases} +1 & \text{if } p \equiv 1 \bmod 4, \\ -1 & \text{if } p \equiv 3 \bmod 4. \end{cases}$$

In order to become familiar with Gauss’s Lemma we now use it for giving a second proof of this proposition. To this end we write $p = 2n + 1$ and multiply the representatives of the half system $\{1, 2, \ldots, n\}$ by $-1$:

$$\begin{aligned}
-1 \cdot 1 &\equiv -1 \bmod p, \\
-1 \cdot 2 &\equiv -2 \bmod p, \\
&\ \ \vdots \\
-1 \cdot n &\equiv -n \bmod p.
\end{aligned}$$

Gauss’s Lemma then tells us that $\left(\frac{-1}{p}\right) = (-1)^n = (-1)^{\frac{p-1}{2}}$.

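In a similar way we can now determine the Legendre symbol $\left(\frac{2}{p}\right)$. We first assume that $p = 4m + 1$ and write

$$\begin{aligned}
2 \cdot 1 &\equiv 2 \bmod p, \\
2 \cdot 2 &\equiv 4 \bmod p, \\
&\ \ \vdots \\
2 \cdot m &\equiv 2m \bmod p, \\
2 \cdot (m + 1) &\equiv 2m + 2 \equiv -(2m - 1) \bmod p, \\
2 \cdot (m + 2) &\equiv 2m + 4 \equiv -(2m - 3) \bmod p, \\
&\ \ \vdots \\
2 \cdot 2m &\equiv 4m \equiv -1 \bmod p.
\end{aligned}$$

This shows that

$$\left(\frac{2}{p}\right) = (-1)^m = \begin{cases} +1 & \text{if } p \equiv 1 \bmod 8, \\ -1 & \text{if } p \equiv 5 \bmod 8. \end{cases}$$

Repeating this calculation for primes $p = 4m + 3$ will show that

$$\left(\frac{2}{p}\right) = \begin{cases} -1 & \text{if } p \equiv 3 \bmod 8, \\ +1 & \text{if } p \equiv 7 \bmod 8. \end{cases}$$

Thus we have proved

Proposition 3.8 The Kronecker symbol $\left(\frac{8}{p}\right) = \left(\frac{2}{p}\right)$ only depends on the residue class of $p$ modulo 8 and is given by

$$\left(\frac{2}{p}\right) = (-1)^{\frac{p^2-1}{8}} = \begin{cases} +1 & \text{if } p \equiv \pm 1 \bmod 8, \\ -1 & \text{if } p \equiv \pm 3 \bmod 8. \end{cases}$$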

3.2.3 Composite Moduli


The Jacobi symbol $\left(\frac{a}{m}\right)$ is defined for odd integers $m > 1$ and coincides with the Legendre symbol if $m$ is prime. For composite $m$ it is defined via multiplicativity of the denominator: if $m = \prod p$ is a product of odd primes, then we set

$$\left(\frac{a}{m}\right) = \prod_p \left(\frac{a}{p}\right).$$

We also generalize the Kronecker symbol $\left(\frac{\Delta}{m}\right)$ to all positive integers $m$ by multiplicativity.
Observe that if $\left(\frac{a}{m}\right) = -1$, then the congruence $a \equiv x^2 \bmod m$ is not solvable. In fact, $\left(\frac{a}{m}\right) = -1$ implies that there is a prime $p$ dividing $m$ with $\left(\frac{a}{p}\right) = -1$, hence $a$ is a quadratic nonresidue modulo $p$ and therefore modulo $m$. On the other hand, $\left(\frac{a}{m}\right) = +1$ does not imply that $a$ is a quadratic residue modulo $m$ for composite values of $m$, as the example $\left(\frac{2}{15}\right) = \left(\frac{2}{3}\right)\left(\frac{2}{5}\right) = (-1)^2 = +1$ shows.
We now ask whether Gauss’s Lemma also holds for composite values of $m$. The answer is positive, but there is a catch: If we only consider residue classes coprime to $m$, then the sign is trivial in too many cases.

3.2.4 Zolotarev and Frobenius

Gauss’s Lemma requires the choice of a half system, but the resulting quadratic character of $a$ modulo $p$ does not depend on this choice. Zolotarev and Frobenius² have found a modification of Gauss’s Lemma that does not require choosing a half system. Let $n$ be an odd integer and $a$ an integer coprime to $n$. Then multiplication by $a$ induces a permutation $\pi_a$ of the residue classes modulo $n$. Each permutation of finitely many objects can be written (in many different ways) as a product of transpositions (permutations that switch two elements). The sign of a permutation is $-1$ or $+1$ according as this number of transpositions is odd or even.
For describing permutations we can use the matrix and the cycle notation. The permutation $\pi = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix}$ of the set $\{1, 2, 3\}$ maps 1 to 2 and 2 to 1, thus switches 1 and 2, and leaves 3 fixed. We can write $\pi$ also as the product of the cycles $(1\,2)$ and $(3)$, where the cycle $(1\,2)$ maps 1 to 2 and 2 to the beginning 1 of the cycle, whereas $(3)$ leaves 3 (and all the other elements) fixed. We can even omit $(3)$ and simply write $\pi = (1\,2)$ when we demand that elements that do not occur in a cycle are fixed.
Multiplication by 2 on $\mathbb{Z}/7\mathbb{Z}$ induces the permutation $\pi_2 = \begin{pmatrix} 0 & 1 & 2 & 3 & 4 & 5 & 6 \\ 0 & 2 & 4 & 6 & 1 & 3 & 5 \end{pmatrix}$. We can also write $\pi_2$ as a product of cycles: $\pi_2 = (1\,2\,4)(3\,6\,5)$. Decomposing these cycles into transpositions (here we read from right to left; see Exercise 3.7) we find $\pi_2 = (1\,2)(2\,4)(3\,6)(6\,5)$. Thus $\pi_2$ has sign $+1$.
We now define the Zolotarev symbol $\left[\frac{a}{n}\right]$ for odd integers $n > 1$ by

$$\left[\frac{a}{n}\right] = \operatorname{sign} \pi_a.$$

² See [136] and [41]; our presentation is a simplification of the one given in [62].

Clearly $\left[\frac{a}{n}\right]$ only depends on the residue class of $a$ modulo $n$. Since multiplication by $ab$ is multiplication by $a$ followed by multiplication by $b$, we have

$$\left[\frac{ab}{n}\right] = \left[\frac{a}{n}\right]\left[\frac{b}{n}\right].$$

Thus the Zolotarev symbol is multiplicative in the numerator.
Proposition 3.9 The Zolotarev symbol is multiplicative in the denominator: If $m$ and $n$ are odd integers and if $a$ is coprime to $m$ and $n$, then

$$\left[\frac{a}{m}\right]\left[\frac{a}{n}\right] = \left[\frac{a}{mn}\right].$$

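This follows from the isomorphism $\mathbb{Z}/mn\mathbb{Z} \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$, i.e., the Chinese Remainder Theorem. If $\alpha : A \to A$ and $\beta : B \to B$ are permutations, then $\alpha \times \beta$ denotes the induced permutation on $A \times B$. Clearly (see Exercise 3.8)

$$\operatorname{sign}(\alpha \times \beta) = (\operatorname{sign} \alpha)^{\#B} \cdot (\operatorname{sign} \beta)^{\#A}. \tag{3.3}$$

Now multiplication by $a$ induces permutations $\alpha$ on $\mathbb{Z}/m\mathbb{Z}$ and $\beta$ on $\mathbb{Z}/n\mathbb{Z}$, and this gives us a permutation $\alpha \times \beta$ on $\mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$.
Since $\gcd(m, n) = 1$, any integer $k$ can be written in the form $k = xn + ym$ for integers $x, y$ that are uniquely determined modulo $m$ and modulo $n$, respectively. Associating $k \bmod mn$ with the pair $(x \bmod m, y \bmod n)$ induces the isomorphism $\mathbb{Z}/mn\mathbb{Z} \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$.
Multiplication by $a$ on $\mathbb{Z}/mn\mathbb{Z}$ induces multiplication by $a$ on $\mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$ since $ak = a(xn + ym) = (ax)n + (ay)m$. Thus

$$\left[\frac{a}{mn}\right] = \left[\frac{a}{m}\right]^n \left[\frac{a}{n}\right]^m = \left[\frac{a}{m}\right]\left[\frac{a}{n}\right]$$

for odd coprime integers $m$ and $n$.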
It remains to evaluate $\left[\frac{a}{n}\right]$ for prime powers $n = p^k$. We will show that the Zolotarev symbol $\left[\frac{a}{n}\right]$ coincides with the Jacobi symbol $\left(\frac{a}{n}\right)$.
Proposition 3.10 (Zolotarev’s Lemma) For all odd integers $n$, the symbols of Zolotarev and Jacobi coincide:

$$\left[\frac{a}{n}\right] = \left(\frac{a}{n}\right).$$

We first prove the claim for an odd prime modulus $p$. We choose a primitive root $g$ modulo $p$; then multiplication by $g$ induces the permutation

$$\pi_g = \begin{pmatrix} g & g^2 & g^3 & \ldots & g^{p-2} & g^{p-1} \\ g^2 & g^3 & g^4 & \ldots & g^{p-1} & g \end{pmatrix}$$

on $(\mathbb{Z}/p\mathbb{Z})^\times$ whose sign is given by $\operatorname{sign} \pi_g = (-1)^{p-2} = -1$. This can be seen by writing the permutation as a product of cycles:

$$\pi_g = (g\ g^2 \ldots g^{p-1}) = (g\ g^2)(g^2\ g^3) \cdots (g^{p-2}\ g^{p-1}).$$

By multiplicativity, the sign of the permutation induced by multiplication by $g^r$ is $(-1)^r$; thus the permutation induced by multiplication by $a$ modulo $p$ has sign $+1$ if and only if $a$ is a square modulo $p$; since the residue class $0 \bmod p$ is fixed, this is the content of the equation $\left[\frac{a}{p}\right] = \left(\frac{a}{p}\right)$.
Now consider the case where $n = p^k$ is an odd prime power. Assume that we already know that the sign of the permutation induced by multiplication by an integer $a$ coprime to $p$ on $\mathbb{Z}/p^{k-1}\mathbb{Z}$ is $\left[\frac{a}{p^{k-1}}\right]$. Observe that this multiplication preserves the set $A = (\mathbb{Z}/n\mathbb{Z})^\times$ of residue classes coprime to $p$ as well as the set $B = \mathbb{Z}/n\mathbb{Z} \setminus (\mathbb{Z}/n\mathbb{Z})^\times$ of multiples of $p$. The action of multiplication by $a$ on $B$ is the same as on the set $B' = \{\frac{b}{p} : b \in B\}$, and this implies that the sign of this permutation is simply $\left[\frac{a}{p^{k-1}}\right]$.
The sign of the permutation on $A$ is $\left[\frac{a}{p}\right]$, which can be proved in exactly the same way as for $k = 1$. Equation (3.3) now tells us that the sign of the permutation $\pi_a$ is given by

$$\left[\frac{a}{p}\right]\left[\frac{a}{p^{k-1}}\right] = \left[\frac{a}{p^k}\right].$$

We now prove that Zolotarev’s Lemma is equivalent³ to Gauss’s Lemma. Consider a half system $a_1, \ldots, a_m$ modulo $n = 2m + 1$. The remaining nonzero residue classes are $n - a_m, \ldots, n - a_1$. If we write $a \cdot a_i \equiv \varepsilon_i a_j$ for $\varepsilon_i \in \{-1, +1\}$, then Gauss’s Lemma says that $\left(\frac{a}{n}\right) = \prod \varepsilon_i$.

³ This proof is essentially due to Frobenius [41].

We will give a proof “by example”: Consider the nonzero residue classes modulo $n = 15$ and the permutation induced by multiplication with 2. We will write the $n - 1$ residue classes in pairs $(a_i, n - a_i)$ as follows:

     1   2   3   4   5   6   7
    14  13  12  11  10   9   8

We now multiply all residue classes by 2 and reduce modulo 15:

     2   4   6   8  10  12  14
    13  11   9   7   5   3   1

The vertical pairs coincide with the original pairs except that some pairs are flipped. This is because if $(a, p - a)$ is such a pair and if $2a \equiv b \bmod p$, then $2(p - a) \equiv p - b \bmod p$.
Now we perform the permutation $\gamma$ that interchanges the entries at the top and at the bottom if the number on top is larger than the one at the bottom; observe that the number of swaps is the number of sign changes in Gauss’s Lemma:

     2   4   6   7   5   3   1
    13  11   9   8  10  12  14

Finally we apply a permutation $\sigma$ that puts the vertical pairs in the original order. Since we are always changing the place of two residue classes at the same time, $\operatorname{sign} \sigma = +1$:

     1   2   3   4   5   6   7
    14  13  12  11  10   9   8

Now $\sigma\gamma\pi_a$ is the trivial permutation, hence $\operatorname{sign} \sigma\gamma\pi_a = 1$. Since $\operatorname{sign} \sigma = 1$ we deduce that $\operatorname{sign} \gamma = \operatorname{sign} \pi_a$, and this proves the equivalence of Gauss’s and Zolotarev’s Lemma. In particular we have
Proposition 3.11 Gauss’s Lemma holds for composite odd values of $m = 2n + 1$: If $\{a_1, \ldots, a_n\}$ is a half system modulo $m$ and $a \cdot a_j \equiv \varepsilon_j a_j' \bmod m$ for suitable signs $\varepsilon_j = \pm 1$, then $\left(\frac{a}{m}\right) = \prod \varepsilon_j$.
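Propositions 3.10 and 3.11 say that three different computations give the same sign. The following Python code is an added example, not taken from the book; the function names are chosen here for illustration. It computes the Jacobi symbol from its definition (using Euler's criterion for each prime factor), the sign from Gauss's Lemma with the standard half system, and the sign of the permutation $\pi_a$ from its cycles, and lists every pair $(a, n)$ on which they differ.

```python
# Added example: Jacobi symbol, Gauss's Lemma and the Zolotarev symbol side by side.
from math import gcd


def legendre(a, p):
    """Legendre symbol via Euler's criterion (Prop. 3.5); p must be an odd prime."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r        # r is 0, 1 or p - 1


def jacobi_by_definition(a, n):
    """(a/n) for odd n > 1 as the product of Legendre symbols over the prime factors of n."""
    result, p = 1, 3
    while n > 1:
        while n % p == 0:                 # p is prime here: smaller factors are already removed
            result *= legendre(a, p)
            n //= p
        p += 2
    return result


def gauss_sign(a, n):
    """Product of the signs eps_j in a*j = eps_j*j' (mod n) for the half system {1, ..., (n-1)/2}."""
    half = (n - 1) // 2
    sign = 1
    for j in range(1, half + 1):
        if (a * j) % n > half:            # residue is congruent to -j' for some j' in the half system
            sign = -sign
    return sign


def cycles(a, n):
    """Nontrivial cycles of x -> a*x on Z/nZ, each starting at its smallest element."""
    seen, result = set(), []
    for start in range(n):
        if start in seen:
            continue
        cycle, x = [], start
        while x not in seen:
            seen.add(x)
            cycle.append(x)
            x = (a * x) % n
        if len(cycle) > 1:
            result.append(tuple(cycle))
    return result


def zolotarev(a, n):
    """Zolotarev symbol [a/n]: a cycle of length L is a product of L - 1 transpositions."""
    transpositions = sum(len(c) - 1 for c in cycles(a, n))
    return -1 if transpositions % 2 else 1


def disagreements(limit):
    """All (a, n), n odd, 3 <= n < limit, gcd(a, n) = 1, where the three signs differ."""
    bad = []
    for n in range(3, limit, 2):
        for a in range(1, n):
            if gcd(a, n) == 1:
                signs = {jacobi_by_definition(a, n), gauss_sign(a, n), zolotarev(a, n)}
                if len(signs) != 1:
                    bad.append((a, n))
    return bad


if __name__ == "__main__":
    print(cycles(2, 7), zolotarev(2, 7))          # the text's example pi_2 on Z/7Z
    print(gauss_sign(2, 15), jacobi_by_definition(2, 15))
    print(disagreements(100))
```
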

3.2.5 A Few Applications

Using Gauss’s Lemma for composite values we now can determine the value of $\left(\frac{-1}{m}\right)$ for all positive odd integers $m$:

Proposition 3.12 The value of the Jacobi symbol $\left(\frac{-1}{m}\right)$, where $m$ is an odd natural number, is given by

$$\left(\frac{-1}{m}\right) = \begin{cases} -1 & \text{if } m \equiv 3 \bmod 4, \\ +1 & \text{if } m \equiv 1 \bmod 4. \end{cases}$$

The proof via Gauss’s Lemma for prime moduli (see Prop. 3.7) carries over word for word. The following result follows painlessly from this proposition:
Proposition 3.13 Let $\Delta$ be a quadratic discriminant, and set $N = |\Delta|$. Then

$$\left(\frac{\Delta}{N - 1}\right) = \operatorname{sgn}(\Delta) = \begin{cases} +1 & \text{if } \Delta > 0, \\ -1 & \text{if } \Delta < 0. \end{cases} \tag{3.4}$$

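Assume first that $N$ is even (and thus divisible by 4 since $\Delta$ is a discriminant). Then

$$\left(\frac{\Delta}{N - 1}\right) = \begin{cases} \left(\frac{N}{N-1}\right) = \left(\frac{1}{N-1}\right) = +1 & \text{if } \Delta = N > 0, \\ \left(\frac{-N}{N-1}\right) = \left(\frac{-1}{N-1}\right) = -1 & \text{if } \Delta = -N < 0, \end{cases}$$

where we have used Prop. 3.12.
If $N$ is odd, then either $N = \Delta \equiv 1 \bmod 4$, or $N = -\Delta \equiv 3 \bmod 4$. If $N \equiv 1 \bmod 4$, then $N - 1 = 2^j n$ for some odd integer $n$ and $\left(\frac{N}{N-1}\right) = \left(\frac{N}{2}\right)^j \left(\frac{N}{n}\right) = \left(\frac{2}{N}\right)^j \left(\frac{n}{N}\right) = \left(\frac{N-1}{N}\right) = \left(\frac{-1}{N}\right) = +1$; if $\Delta$ is negative, then $j = 1$, and the same calculation yields $\left(\frac{-N}{N-1}\right) = \left(\frac{-N}{2}\right)\left(\frac{-N}{n}\right) = \left(\frac{2}{N}\right)\left(\frac{n}{N}\right) = \left(\frac{N-1}{N}\right) = \left(\frac{-1}{N}\right) = -1$.

As a corollary we observe that if $\Delta < 0$, then there always exists a prime number $p < |\Delta|$ such that $\left(\frac{\Delta}{p}\right) = -1$. This is also true for positive discriminants (see Theorem 3.21), but in this case we seem to need more than just the modularity of the Kronecker symbol $\left(\frac{-4}{\cdot}\right)$.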

3.3 Euler’s Modularity Conjecture

We have seen above that the Kronecker symbol $\left(\frac{-4}{m}\right) = \left(\frac{-1}{m}\right)$ only depends on the residue class of $m \bmod 4$. Similarly, the Kronecker symbol $\left(\frac{8}{m}\right) = \left(\frac{2}{m}\right)$ only depends on the residue class of $m \bmod 8$; we have proved this only for prime values of $m$, but the proof via Gauss’s Lemma also works for composite values of $m$.
If we look at the Legendre symbol $\left(\frac{12}{m}\right)$, then a few quick calculations provide us with the following table:

    p        5    7   11   13   17   19   23   25   29   31
    (3/p)   −1   −1   +1   +1   −1   −1   +1   +1   −1   −1

The pattern is obvious: The values have period 12. Numerical experiments with other small integers $a$ suggest the following conjecture due to Euler:⁴
Theorem 3.14 (Euler’s Modularity Conjecture) For each nonzero integer $a$ there exists a modulus $N$ such that the Jacobi symbol $\left(\frac{a}{m}\right)$ for natural numbers $m$ only depends on the residue class of $m$ modulo $N$. In other words: For all natural numbers $m$ and $n$ we have

$$\left(\frac{a}{m}\right) = \left(\frac{a}{n}\right) \quad \text{if } m \equiv n \bmod N. \tag{3.5}$$

In fact, we can always choose $N = 4|a|$. If $a > 0$, Eq. (3.5) also holds if $m \equiv -n \bmod N$.

⁴ See, e.g., [36].

Euler formulated this conjecture for prime numbers $m$ and $n$, and of course without using Legendre or Jacobi symbols.
The following result holds in many similar situations in which some notion of modularity shows up:
Proposition 3.15 If Euler’s Modularity Conjecture for $\left(\frac{a}{m}\right)$ holds for the moduli $N_1$ and $N_2$, then it also holds modulo $N = \gcd(N_1, N_2)$.
Proof Assume that the Jacobi symbol $\left(\frac{a}{\cdot}\right)$ is modular for the moduli $N_1$ and $N_2$, and let $N = \gcd(N_1, N_2)$. If $m$ is a natural number coprime to $2a$, then we have to show that $\left(\frac{a}{m}\right) = \left(\frac{a}{m+N}\right)$.
To this end we write $N = rN_1 - sN_2$, where we assume without loss of generality that $r, s > 0$ (if not, we simply switch $N_1$ and $N_2$). Then

$$\begin{aligned}
\left(\frac{a}{m}\right) &= \left(\frac{a}{m + rN_1}\right) && \text{modularity modulo } N_1 \\
&= \left(\frac{a}{m + rN_1 - sN_2}\right) && \text{modularity modulo } N_2 \\
&= \left(\frac{a}{m + N}\right) && N = rN_1 - sN_2.
\end{aligned}$$

This completes the proof.

This property allows us to define the conductor of the Kronecker symbol as the smallest positive integer $N$ for which $\left(\frac{\Delta}{\cdot}\right)$ is modular.
We have already seen that the Kronecker symbol $\left(\frac{-4}{\cdot}\right)$ is defined modulo 4; since $-1 = \left(\frac{-4}{3}\right) \ne \left(\frac{-4}{5}\right) = +1$, the conductor cannot be a proper divisor of 4 and thus is equal to 4. In a similar way we can see that the Kronecker symbols $\left(\frac{8}{\cdot}\right)$ and $\left(\frac{-8}{\cdot}\right)$ have conductor 8. We will prove below that the Kronecker symbol $\left(\frac{\Delta}{m}\right)$ has conductor $N = |\Delta|$.
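Next we show that it is sufficient to prove Euler’s Modularity Conjecture for $a = -1$ and prime values of $a$:
Proposition 3.16 Assume that the Jacobi symbols $\left(\frac{a}{\cdot}\right)$ and $\left(\frac{b}{\cdot}\right)$ are defined modulo $4|a|$ and $4|b|$, respectively. Then the Jacobi symbol $\left(\frac{ab}{\cdot}\right)$ is defined modulo $4|ab|$.

Proof We have to show that $\left(\frac{ab}{m}\right) = \left(\frac{ab}{m + 4|ab|}\right)$ for all natural numbers $m$ coprime to $ab$. In fact we have

$$\begin{aligned}
\left(\frac{ab}{m + 4|ab|}\right) &= \left(\frac{a}{m + 4|ab|}\right)\left(\frac{b}{m + 4|ab|}\right) && \text{multiplicativity of Jacobi symbols} \\
&= \left(\frac{a}{m}\right)\left(\frac{b}{m}\right) && \text{modularity of } \left(\tfrac{a}{\cdot}\right) \text{ and } \left(\tfrac{b}{\cdot}\right) \\
&= \left(\frac{ab}{m}\right) && \text{multiplicativity of Jacobi symbols}
\end{aligned}$$

This completes the proof.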

As a corollary we obtain
Corollary 3.17 If Euler’s Modularity Conjecture holds for a = −1 and for prime
values of a, then it holds in general.

3.3.1 The Quadratic Reciprocity Law

This Modularity Theorem is equivalent to the quadratic reciprocity law and should be seen as its essential content. Legendre’s formulation of the reciprocity law, which determines the value of the product $\left(\frac{p}{q}\right)\left(\frac{q}{p}\right)$, is an historical accident.
Kronecker was the first to emphasize that the heart of the quadratic reciprocity law is not Legendre’s formula

$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}. \tag{3.6}$$

In connection with higher reciprocity laws and the class fields of complex multipli-
cation [70] he pointed out that Euler’s formulation catches the essence of quadratic
reciprocity better than that of Legendre:
Very early on Euler had made the observation that the prime divisors of quadratic forms
with discriminant D are contained in certain linear forms mD + α, but only in 1783 he
formulated this observation, which was highly important for the development of number
theory, in the remarkable way which gave rise to the name reciprocity law.† The elegance
of the correlation, which was—rightly—emphasized, pushed the meaning and the aim of
Euler’s original observation to the background. When I recently found a specific new law
by applying the arithmetic theory of singular modules to the power residues of complex
numbers I was reminded of this first formulation with which Euler had published the
essential content of the quadratic reciprocity law; and since this law in the theory of power
residues is particularly important not only because of its analogy with the historical point of
departure but also because it suggests a new phase of the development of reciprocity laws,
I would like to present this observation briefly to the Academy today.
† Compare my remarks in the Monatsbericht from April 1875, p. 268. [Werke II, p. 3–4].

Euler’s Modularity Theorem is equivalent to the quadratic reciprocity law in the
form given by Legendre (we formulate it more generally for the Jacobi symbol):
Theorem 3.18 (Quadratic Reciprocity Law) Let m and n be odd coprime natural
numbers. Then

$$\Bigl(\frac{m}{n}\Bigr)\Bigl(\frac{n}{m}\Bigr) = (-1)^{\frac{m-1}{2}\cdot\frac{n-1}{2}}. \tag{3.7}$$

In addition, there are the supplementary laws

$$\Bigl(\frac{-1}{m}\Bigr) = (-1)^{\frac{m-1}{2}} \quad\text{and}\quad \Bigl(\frac{2}{m}\Bigr) = (-1)^{\frac{m^2-1}{8}}.$$

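It is not difficult to prove the equivalence of Euler’s Modularity Theorem (3.5)
and Legendre’s quadratic reciprocity law.
Reciprocity Implies Modularity We have to show that, for positive integers m and
a, we have $(\frac{a}{m}) = (\frac{a}{m+4a})$. Assume first that a is odd; then we have

$$\Bigl(\frac{a}{m+4a}\Bigr) = (-1)^{\frac{a-1}{2}\cdot\frac{m-1}{2}}\Bigl(\frac{m+4a}{a}\Bigr) = (-1)^{\frac{a-1}{2}\cdot\frac{m-1}{2}}\Bigl(\frac{m}{a}\Bigr) = \Bigl(\frac{a}{m}\Bigr)$$

because m + 4a ≡ m mod 4.
If a = 2b is even we may assume that a is squarefree, so b is odd. Then

$$\begin{aligned}
\Bigl(\frac{a}{m+4a}\Bigr) &= \Bigl(\frac{2}{m+8b}\Bigr)\Bigl(\frac{b}{m+8b}\Bigr) = (-1)^{\frac{m-1}{2}\cdot\frac{b-1}{2}}\Bigl(\frac{2}{m}\Bigr)\Bigl(\frac{m+8b}{b}\Bigr) \\
&= (-1)^{\frac{m-1}{2}\cdot\frac{b-1}{2}}\Bigl(\frac{2}{m}\Bigr)\Bigl(\frac{m}{b}\Bigr) = \Bigl(\frac{2}{m}\Bigr)\Bigl(\frac{b}{m}\Bigr) = \Bigl(\frac{a}{m}\Bigr).
\end{aligned}$$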
Modularity Implies Reciprocity The modularity of the Kronecker symbol with
conductor 4 implies that $(\frac{-1}{m})$ only depends on the residue class of m mod 4. Since
$(\frac{-1}{3}) = -1$ and $(\frac{-1}{5}) = +1$, we have $(\frac{-1}{m}) = +1$ or −1 according as m ≡ 1 mod 4
or m ≡ −1 mod 4. But this is the exact content of the first supplementary law.
Similarly, the second supplementary law follows from the fact that $(\frac{2}{m})$ only
depends on the residue class of m modulo 8; this implies that $(\frac{2}{m}) = +1$ when
m ≡ ±1 mod 8 and $(\frac{2}{m}) = -1$ otherwise, which is the second supplementary law.
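For deriving (3.7) in the case m ≡ n mod 4 and m > n from the modularity
theorem, for example, we set $a = \frac{m-n}{4}$ and verify that

$$\Bigl(\frac{a}{m}\Bigr) = \Bigl(\frac{4a}{m}\Bigr) = \Bigl(\frac{m-n}{m}\Bigr) = \Bigl(\frac{-n}{m}\Bigr), \qquad \Bigl(\frac{a}{n}\Bigr) = \Bigl(\frac{4a}{n}\Bigr) = \Bigl(\frac{m-n}{n}\Bigr) = \Bigl(\frac{m}{n}\Bigr).$$

This implies $(\frac{-n}{m}) = (\frac{m}{n})$. If m ≡ 1 mod 4, we have $(\frac{-1}{m}) = +1$, hence $(\frac{n}{m}) = (\frac{m}{n})$,
which is the quadratic reciprocity law in this case. If m ≡ n ≡ 3 mod 4, on the
other hand, then $(\frac{m}{n}) = (\frac{-n}{m}) = (-1)^{\frac{m-1}{2}}(\frac{n}{m}) = (-1)^{\frac{m-1}{2}\cdot\frac{n-1}{2}}(\frac{n}{m})$, since here
$\frac{m-1}{2} \equiv \frac{n-1}{2} \equiv 1 \bmod 2$.
If m ≡ −n mod 4 we set $a = \frac{m+n}{4}$ and find, using m = 4a − n and n = 4a − m:

$$\Bigl(\frac{m}{n}\Bigr)\Bigl(\frac{n}{m}\Bigr) = \Bigl(\frac{4a-n}{n}\Bigr)\Bigl(\frac{4a-m}{m}\Bigr) = \Bigl(\frac{a}{n}\Bigr)\Bigl(\frac{a}{m}\Bigr) = 1,$$

where the last equality follows from the modularity conjecture since m ≡ −n mod
4a and a > 0.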

3.3.2 Proof of Euler’s Modularity Conjecture

Before we turn to the proof of Euler’s Modularity Conjecture we look at yet another
special case.

Proposition 3.19 The Kronecker symbol $(\frac{12}{\cdot})$ is modular with conductor 12.

We proceed as in the proof of Proposition 3.8. Since $(\frac{12}{\cdot}) = (\frac{3}{\cdot})$, we apply
Gauss’s Lemma to a = 3 and the modulus m. We choose $A = \{1, 2, \ldots, \frac{m-1}{2}\}$
as our half system and then have to count the number of integers k for which either
$\frac{m}{2} < 3k < m$, $\frac{3m}{2} < 3k < 2m$ or $\frac{5m}{2} < 3k < 3m$. Dividing through by 3 we find
that we have to count the number of integers k in the intervals $[\frac{m}{6}, \frac{m}{3}]$, $[\frac{m}{2}, \frac{2m}{3}]$ and
$[\frac{5m}{6}, m]$.
What happens to the number of integers k in the interval $[\frac{m}{6}, \frac{m}{3}]$ if we replace
m by m + 12? Then we have to count the integers in the interval $[\frac{m}{6} + 2, \frac{m}{3} + 4]$;
obviously this interval for m + 12 contains exactly 2 integers more than the
corresponding interval for m, hence the number of integers has the same parity. The
same thing happens for the other two intervals. By Gauss’s Lemma, we conclude
that $(\frac{12}{m}) = (\frac{12}{m+12})$; in particular, the Kronecker symbol $(\frac{12}{\cdot})$ has conductor dividing
12.
The fact that the conductor is not a proper divisor of 12 follows from

$$-1 = \Bigl(\frac{12}{5}\Bigr) \ne \Bigl(\frac{12}{11}\Bigr) = 1 \quad\text{and}\quad -1 = \Bigl(\frac{12}{7}\Bigr) \ne \Bigl(\frac{12}{11}\Bigr) = 1.$$

The proof of the general case⁵ proceeds in the same way. We claim that if m is an
odd natural number coprime to a, then the Jacobi symbol $(\frac{a}{m})$ only depends on the
residue class of m modulo 4a; in particular we claim that $(\frac{a}{m}) = (\frac{a}{m+4a})$. We may
assume that a is positive: If a is negative, the claim follows from the observation
$(\frac{a}{m}) = (\frac{-1}{m})(\frac{-a}{m})$ since the symbols on the right only depend on m modulo 4 and
modulo 4|a|, hence modulo 4|a|.
Now consider the half system A = {1, 2, 3, . . . , n} modulo m = 2n + 1. The
number of sign changes is equal to the number of integers ak lying in the intervals
$(\frac{m}{2}, m)$, $(\frac{3m}{2}, 2m)$, . . ., until $(\frac{(2b-1)m}{2}, bm)$, where $b = \frac{a}{2}$ or $b = \frac{a-1}{2}$ according as
a is even or odd.
Dividing through by a we see that this number is the same as the number of
integers in the intervals

$$\Bigl(\frac{m}{2a}, \frac{m}{a}\Bigr),\ \Bigl(\frac{3m}{2a}, \frac{2m}{a}\Bigr),\ \ldots,\ \Bigl(\frac{(2b-1)m}{2a}, \frac{bm}{a}\Bigr). \tag{3.8}$$

⁵ This proof is lifted from Davenport’s beautiful book [27]; its basic idea goes back to the proof
given by Arnold Scholz in [112].



If we replace m by m + 4a, the number of integers in each of these intervals changes
by an even number. This proves the weak modularity theorem that $(\frac{a}{m})$ only depends
on m modulo 4a.
It remains to prove the claim that $(\frac{a}{m}) = (\frac{a}{4a-m})$ for positive integers a and m. If
we replace m by 4a − m, the intervals (3.8) become

$$\Bigl(2 - \frac{m}{2a}, 4 - \frac{m}{a}\Bigr),\ \Bigl(6 - \frac{3m}{2a}, 8 - \frac{2m}{a}\Bigr),\ \ldots,\ \Bigl(4b - 2 - \frac{(2b-1)m}{2a}, 4b - \frac{bm}{a}\Bigr).$$

Now the number of integers in the interval $(2 - \frac{m}{2a}, 4 - \frac{m}{a})$ has the same parity as the
number of integers in the interval $(\frac{m}{2a}, \frac{m}{a})$. Indeed, if we subtract the numbers $2 - \frac{m}{2a}$
and $4 - \frac{m}{a}$ from 4 we see that the number of integers in $(2 - \frac{m}{2a}, 4 - \frac{m}{a})$ is equal
to the number of integers in $(\frac{m}{a}, 2 + \frac{m}{2a})$. The union of this interval and $(\frac{m}{2a}, \frac{m}{a})$ is
$(\frac{m}{2a}, 2 + \frac{m}{2a})$ minus the point $\frac{m}{a}$, so this union contains exactly two integers. Similar
arguments show the same for the other intervals, and now the claim follows.

3.3.3 The Strong Modularity Theorem

The strong modularity theorem (which controls the conductor) is a consequence of


the quadratic reciprocity law.
Theorem 3.20 (Strong Modularity Theorem) Let Δ be the discriminant of a
quadratic number field. Then the Kronecker symbol $(\frac{\Delta}{\cdot})$ is modular with conductor
N = |Δ|.

We first prove the claim for prime discriminants. We have already proved the
claim if Δ ∈ {−4, ±8}, so we may assume that Δ is an odd prime number. Since
$(\frac{p}{\cdot})$, where p ≡ 1 mod 4 is prime, is defined modulo p, its conductor is either N =
p or N = 1. In the second case the symbols $(\frac{p}{m})$ would all have the same values,
and by multiplicativity we conclude that we must have $(\frac{p}{m}) = 1$ for all natural
numbers m coprime to p. If p ≡ 5 mod 8 we obtain the desired contradiction from
the observation $(\frac{p}{2}) = -1$. Thus it remains to prove, for each prime p ≡ 1 mod 8,
the existence of a natural number q with $(\frac{p}{q}) = -1$.
The existence of such primes (satisfying a few additional conditions) played a
large role in the first proofs of the quadratic reciprocity law. Legendre’s proof was
incomplete since he did not succeed in proving the existence of such primes, and
Gauss gave a highly ingenious proof of the existence of such a prime q (with the
additional condition that q < p, which he needed for his induction proof to work)
in his first proof of the quadratic reciprocity law.
Let us formulate the existence of such primes in the following form:
Theorem 3.21 Let a be a nonzero integer. If $(\frac{a}{p}) = +1$ for all prime numbers p ∤ a,
then a is a square number.

Proof Assume that a is not a square number. We distinguish two cases:

• a is odd. Let n be an integer such that $(\frac{n}{|a|}) = -1$. One of n, n + a, n + 2a, and
n + 3a is an integer ≡ 1 mod 4. Replacing n by this number we have found a
natural number n ≡ 1 mod 4 with $(\frac{n}{|a|}) = -1$. By quadratic reciprocity we have
$(\frac{|a|}{n}) = -1$. Since n ≡ 1 mod 4, the first supplementary law implies $(\frac{a}{n}) = -1$.
Thus there exists a prime number p | n with $(\frac{a}{p}) = -1$.
• a is even. Then we may assume that a = 2b for b odd. Choose an integer n with
$(\frac{n}{|b|}) = -1$; adding multiples of b to n we can make sure that n ≡ 1 mod 8.
As above, the quadratic reciprocity law and the first supplementary law imply
$(\frac{b}{n}) = -1$, and since n ≡ 1 mod 8 we have $(\frac{2}{n}) = +1$, hence $(\frac{a}{n}) = (\frac{2b}{n}) = -1$.
But then n must have a prime factor p such that $(\frac{a}{p}) = -1$.


We call a discriminant Δ = disc k of a quadratic number field k a prime
discriminant if Δ is one of −4, ±8, p, or −q for primes p ≡ 1 mod 4 and
q ≡ 3 mod 4. It is easy to see that each discriminant can be factored into prime
discriminants:
Theorem 3.22 Each discriminant of a quadratic number field can be written
uniquely (up to order) as a product of prime discriminants.

The proof is not difficult. First observe that either Δ ≡ 1 mod 4 is odd, or Δ
is divisible exactly by 4, or exactly by 8. In the second case, Δ = 4m for some
m ≡ 3 mod 4, hence Δ = −4Δ1 for some Δ1 ≡ 1 mod 4. In the last case we can
always write Δ = ±8Δ1 for some Δ1 ≡ 1 mod 4.
Since −4 and ±8 are prime discriminants it is sufficient to prove that any
squarefree odd integer Δ1 ≡ 1 mod 4 is the product of prime discriminants. To this
end, write Δ1 = p1 · · · pr q1 · · · qs for primes pj ≡ 1 mod 4 and qj ≡ 3 mod 4.
Since Δ1 ≡ 1 mod 4, the number of prime factors qj ≡ 3 mod 4 is even. But now

Δ1 = p1 · · · pr (−q1 ) · · · (−qs )

is a factorization into prime discriminants.


At this point we know that Kronecker symbols $(\frac{\Delta}{\cdot})$ for prime discriminants Δ
are modular with conductor N = |Δ|. Now let Δ be an arbitrary discriminant, and
let $\Delta = \Delta_1 \cdots \Delta_r$ be its factorization into prime discriminants. For proving that the
corresponding Kronecker character has conductor N = |Δ| we need to prove the
following
Lemma 3.23 Let $\kappa_1 = (\frac{\Delta_1}{\cdot})$ and $\kappa_2 = (\frac{\Delta_2}{\cdot})$ be Kronecker characters with coprime
conductors $N_1$ and $N_2$, respectively. Then the Kronecker character $(\frac{\Delta}{\cdot})$, where $\Delta = \Delta_1\Delta_2$,
has conductor $N = N_1N_2$.

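It is easy to see that $(\frac{\Delta}{\cdot})$ is modular with defining modulus N. Let q be a prime
number dividing $N_1$, write $N_1 = qn_1$, and assume that $(\frac{\Delta}{\cdot})$ is defined modulo $n = n_1N_2$.
Then

$$\Bigl(\frac{\Delta}{a}\Bigr) = \Bigl(\frac{\Delta}{a+nk}\Bigr)$$

for all a > 0 and k ∈ N. But

$$\begin{aligned}
\Bigl(\frac{\Delta}{a+nk}\Bigr) &= \Bigl(\frac{\Delta_1}{a+n_1N_2k}\Bigr)\Bigl(\frac{\Delta_2}{a+n_1N_2k}\Bigr) = \Bigl(\frac{\Delta_1}{a+n_1N_2k}\Bigr)\Bigl(\frac{\Delta_2}{a}\Bigr), \\
\Bigl(\frac{\Delta}{a+nk}\Bigr) &= \Bigl(\frac{\Delta_1}{a}\Bigr)\Bigl(\frac{\Delta_2}{a}\Bigr).
\end{aligned}$$

Thus we deduce that

$$\Bigl(\frac{\Delta_1}{a+n_1N_2k}\Bigr) = \Bigl(\frac{\Delta_1}{a}\Bigr).$$

This shows that $\kappa_1$ is defined modulo $N_1$ and modulo $n_1N_2$; but then it is defined
modulo $\gcd(N_1, n_1N_2) = n_1$ contradicting our assumptions.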
The strong modularity theorem now follows by induction on the number of prime
discriminants dividing Δ.
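
The weak and the strong modularity theorem can both be checked numerically. The following Python sketch is an added example, not code from the book; the function names (`kronecker`, `weak_modularity_holds`, `reflection_holds`, `conductor`, `is_discriminant`) are chosen here. The symbol is evaluated from Euler's criterion and from the value of (d/2) read off d mod 8, so no reciprocity or periodicity is built into the computation.

```python
from math import gcd, isqrt

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def kronecker(d, m):
    """Kronecker symbol (d/m) for m >= 1, multiplied up over the prime factors of m."""
    value = 1
    while m % 2 == 0:                 # prime factor 2: (d/2) depends on d mod 8
        m //= 2
        if d % 2 == 0:
            return 0
        value *= 1 if d % 8 in (1, 7) else -1
    q = 3
    while m > 1:                      # odd prime factors by trial division
        if q * q > m:
            q = m                     # what is left of m is prime
        while m % q == 0:
            m //= q
            value *= legendre(d, q)
        q += 2
    return value

def weak_modularity_holds(a, bound=400):
    """(a/m) == (a/(m + 4|a|)) for all odd m < bound coprime to a."""
    step = 4 * abs(a)
    return all(kronecker(a, m) == kronecker(a, m + step)
               for m in range(1, bound, 2) if gcd(a, m) == 1)

def reflection_holds(a):
    """(a/m) == (a/(4a - m)) for a > 0 and all odd 0 < m < 4a coprime to a."""
    return all(kronecker(a, m) == kronecker(a, 4 * a - m)
               for m in range(1, 4 * a, 2) if gcd(a, m) == 1)

def squarefree(n):
    n = abs(n)
    return all(n % (k * k) for k in range(2, isqrt(n) + 1))

def is_discriminant(d):
    """True if d is the discriminant of a quadratic number field."""
    if d % 4 == 1:
        return d != 1 and squarefree(d)
    return d % 4 == 0 and (d // 4) % 4 in (2, 3) and squarefree(d // 4)

def conductor(delta):
    """Smallest N >= 1 with (delta/m) == (delta/(m + N)) on a window of length 2|delta|."""
    span = 2 * abs(delta)
    chi = [kronecker(delta, m) for m in range(1, 2 * span + 1)]   # chi[i] = (delta/(i+1))
    for N in range(1, abs(delta) + 1):
        if all(chi[i] == chi[i + N] for i in range(span)):
            return N
    return None

if __name__ == "__main__":
    for d in (-4, 8, -8, 12, 5, -3, 21, -20):
        print(d, conductor(d))
```

For a discriminant Δ the window of length 2|Δ| suffices because the symbol is already known to be |Δ|-periodic; a shorter period passing the check on that window would be a genuine period.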

3.4 $\mathbb{F}_p$-Rational Points on Curves

We will close this chapter by returning to the problem of counting points on
algebraic curves such as Pell conics defined over the finite field $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$. We
will express this number as a character sum and then evaluate such sums in a few
simple cases (e.g., for Pell conics) as well as in a less trivial case, namely that of an
elliptic curve.
Let K be a field and f(x) ∈ K[x] a polynomial; we say that $C : y^2 = f(x)$ is a
plane algebraic curve. A point (x, y) ∈ K × K satisfying this equation is called an
affine point on C (if we think of C as living in the projective plane, then there might
be additional points at infinity). If deg f = 2, then the curve $C : y^2 = f(x)$ is called
a conic. We claim
Lemma 3.24 Consider the algebraic curve $C : y^2 = f(x)$, where $f(x) \in \mathbb{Z}[x]$.
The number of affine $\mathbb{F}_p$-rational points on C is given by

$$N_p(C) = \#C(\mathbb{F}_p) = p + \sum_{t=0}^{p-1}\Bigl(\frac{f(t)}{p}\Bigr).$$

For a given $x \in \mathbb{Z}/p\mathbb{Z}$, the congruence $y^2 \equiv f(x) \bmod p$ has 0, 1, or 2 solutions
according as the Legendre symbol $(\frac{f(x)}{p})$ has the value −1, 0, and +1, respectively.
Thus for a given integer x, the congruence $y^2 \equiv f(x) \bmod p$ has $1 + (\frac{f(x)}{p})$
solutions, hence

$$\#C(\mathbb{F}_p) = \sum_{t=0}^{p-1}\Bigl(1 + \Bigl(\frac{f(t)}{p}\Bigr)\Bigr) = p + \sum_{t=0}^{p-1}\Bigl(\frac{f(t)}{p}\Bigr)$$

is the number of solutions of the congruence $y^2 \equiv f(x) \bmod p$.

Character sums of the form $\sum (\frac{f(x)}{p})$ are called Jacobsthal sums after Ernst
Jacobsthal (1882–1965); the results in this section are all taken from his dissertation
(see [67, 68]; for a different elementary evaluation see Monzingo [96]). L. von
Schrutka [129] generalized Jacobsthal’s results to primes p ≡ 1 mod 3 written in
the form $p = a^2 + 3b^2$ (see also Chan et al. [17]). In his thesis [133], Widmer
covered the cases above as well as primes of the form p ≡ 1 mod 8 written in the
form $p = a^2 + 2b^2$. Hashimoto et al. [56] worked out the connection between
Jacobsthal sums for primes $p = a^2 + 2b^2$ and the L-function of certain elliptic
curves; for similar connections to elliptic curves see also [13, Section 6.4].
A simple observation that we will often use is the following:
Lemma 3.25 For each odd prime number p we have

$$\sum_{t=0}^{p}\Bigl(\frac{t}{p}\Bigr) = 0.$$

This is a consequence of the fact that there are as many quadratic residues as there
are nonresidues modulo p. For a formal proof, let n be a quadratic nonresidue
modulo p, and set $S = \sum (\frac{t}{p})$. Then $-S = (\frac{n}{p})S = \sum (\frac{nt}{p})$. But if t runs through
a system of coprime residue classes modulo p, so does nt, hence the last sum is S.
Now −S = S implies that S = 0.
For polynomials f with degree 1 we have
Proposition 3.26 Let f(t) = at + b with p ∤ a. Then

$$\sum_{t=0}^{p}\Bigl(\frac{at+b}{p}\Bigr) = 0.$$

This is clear since at + b runs through a complete system of residue classes if t does.
Jacobsthal Sums for Quadratic Polynomials For quadratic polynomials $f(x) = ax^2 + bx + c$
we assume that p ∤ a and that p is odd; completing the square we
obtain $4af(x) = (2at + b)^2 - \Delta$ for $\Delta = b^2 - 4ac$ and

$$\sum_{t=0}^{p}\Bigl(\frac{f(t)}{p}\Bigr) = \Bigl(\frac{a}{p}\Bigr)\cdot\sum_{t=0}^{p}\Bigl(\frac{t^2-\Delta}{p}\Bigr).$$

It is therefore sufficient to compute the character sum for polynomials of the form
$f(t) = t^2 - D$. We now set

$$\psi(D) = \sum_{t=0}^{p-1}\Bigl(\frac{t^2-D}{p}\Bigr).$$

Clearly ψ(0) = p − 1.
Lemma 3.27 We have $\psi(a^2D) = \psi(D)$ for all integers a with p ∤ a.
This is easily seen to be true as

$$\psi(a^2D) = \sum_{t=0}^{p-1}\Bigl(\frac{t^2-a^2D}{p}\Bigr) = \sum_{s=0}^{p-1}\Bigl(\frac{a^2s^2-a^2D}{p}\Bigr) = \sum_{s=0}^{p-1}\Bigl(\frac{s^2-D}{p}\Bigr) = \psi(D),$$

where we have used that s runs through a complete system of residues modulo p
when t = as does.
Next we show:
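Lemma 3.28 We have ψ(1) = −1.

$$\begin{aligned}
\psi(1) &= \sum_{t=0}^{p-1}\Bigl(\frac{t^2-1}{p}\Bigr) = \sum_{t=0}^{p-1}\Bigl(\frac{t-1}{p}\Bigr)\Bigl(\frac{t+1}{p}\Bigr) \\
&= \sum_{s=1}^{p-1}\Bigl(\frac{s}{p}\Bigr)\Bigl(\frac{s+2}{p}\Bigr) && s = t - 1 \\
&= \sum_{s=1}^{p-1}\Bigl(\frac{s^{-1}}{p}\Bigr)\Bigl(\frac{s+2}{p}\Bigr) = \sum_{s=1}^{p-1}\Bigl(\frac{1+2s^{-1}}{p}\Bigr) \\
&= \sum_{r=1}^{p-1}\Bigl(\frac{1+2r}{p}\Bigr) && rs \equiv 1 \bmod p \\
&= -1 + \sum_{r=0}^{p-1}\Bigl(\frac{1+2r}{p}\Bigr) = -1
\end{aligned}$$

which is what we wanted to prove.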



When studying a family of objects it is often a good idea to consider them all at
once; in the present case we can form the sum over all ψ(D) and find

$$\sum_{D=1}^{p}\psi(D) = \sum_{D=0}^{p}\sum_{t=0}^{p-1}\Bigl(\frac{t^2-D}{p}\Bigr) = \sum_{t=0}^{p-1}\sum_{D=0}^{p}\Bigl(\frac{t^2-D}{p}\Bigr) = 0 \tag{3.9}$$

by Proposition 3.26.
We will now compute this sum in a different way. We know that ψ(D) only
depends on $(\frac{D}{p})$; thus if n denotes an arbitrary quadratic nonresidue modulo p, then
we have

$$\sum_{D=1}^{p}\psi(D) = \psi(0) + \frac{p-1}{2}\cdot\bigl(\psi(1) + \psi(n)\bigr).$$

Since this sum is 0 and since ψ(0) = p − 1, we deduce that ψ(1) + ψ(n) = −2.
Thus ψ(1) = −1 implies ψ(n) = −1, and we have shown
Proposition 3.29 We have

$$\psi(D) = \sum_{t=0}^{p-1}\Bigl(\frac{t^2-D}{p}\Bigr) = \begin{cases} -1 & \text{if } p \nmid D, \\ p-1 & \text{if } p \mid D. \end{cases}$$

Jacobsthal Sums for a Cubic Polynomial The determination of Jacobsthal sums
for cubic polynomials f is difficult. We will do this in the special case of the
polynomial $f(x) = x^3 - x$. To this end we set

$$\phi_p(k) = \phi(k) = \sum_{t=1}^{p-1}\Bigl(\frac{t}{p}\Bigr)\Bigl(\frac{t^2-k}{p}\Bigr). \tag{3.10}$$

Lemma 3.30 We have $\phi(a^2k) = (\frac{a}{p})\phi(k)$ for each a coprime to p.

This is a simple calculation: Since at runs through a complete system of residue
classes modulo p if t does, we have

$$\phi(a^2k) = \sum_{t=1}^{p-1}\Bigl(\frac{t}{p}\Bigr)\Bigl(\frac{t^2-a^2k}{p}\Bigr) = \sum_{t=1}^{p-1}\Bigl(\frac{at}{p}\Bigr)\Bigl(\frac{(at)^2-a^2k}{p}\Bigr) = \Bigl(\frac{a}{p}\Bigr)\sum_{t=1}^{p-1}\Bigl(\frac{t}{p}\Bigr)\Bigl(\frac{t^2-k}{p}\Bigr).$$

Now we claim
Theorem 3.31 Let p ≡ 1 mod 4 be a prime number, and write $p = a^2 + 4b^2$. Then

$$\phi(1) = \sum_{t=1}^{p-1}\Bigl(\frac{t}{p}\Bigr)\Bigl(\frac{t^2-1}{p}\Bigr) = 2a, \tag{3.11}$$

where the sign of a is chosen in such a way that $a \equiv -(\frac{2}{p}) \bmod 4$.



In particular, the number of $\mathbb{F}_p$-rational points on the elliptic curve $y^2 = x^3 - x$
is $N_p = p + 1 - 2a$.
If we set 2x = φ(r) and 2y = φ(n), where r and n denote a quadratic residue
and nonresidue modulo p, respectively, then the claim is that $x^2 + y^2 = p$. Since
there are $\frac{p-1}{2}$ residues and $\frac{p-1}{2}$ nonresidues modulo p, we have

$$\sum_{k=1}^{p-1}\phi(k)^2 = 2(p-1)(x^2 + y^2).$$

We now compute $\sum \phi(k)^2$ directly. In our calculation we need the following
Lemma 3.32 We have

$$\sum_{k=1}^{p-1}\Bigl(\frac{k}{p}\Bigr)\Bigl(\frac{k+b}{p}\Bigr) = \begin{cases} -1 & \text{if } p \nmid b, \\ p-1 & \text{if } p \mid b. \end{cases}$$

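This follows from Proposition 3.29 since

$$\begin{aligned}
\sum_{k=1}^{p-1}\Bigl(\frac{k}{p}\Bigr)\Bigl(\frac{k+b}{p}\Bigr) &= \sum_{k=1}^{p-1}\Bigl(\frac{k^2+bk}{p}\Bigr) = \sum_{k=1}^{p-1}\Bigl(\frac{4k^2+4bk}{p}\Bigr) \\
&= \sum_{k=1}^{p-1}\Bigl(\frac{(2k+b)^2-b^2}{p}\Bigr) = \sum_{t=1}^{p-1}\Bigl(\frac{t^2-b^2}{p}\Bigr).
\end{aligned}$$

Now we have

$$\begin{aligned}
\sum_{k=1}^{p-1}\phi(k)^2 &= \sum_{k=1}^{p-1}\,\sum_{s=1}^{p-1}\Bigl(\frac{s}{p}\Bigr)\Bigl(\frac{s^2-k}{p}\Bigr)\sum_{t=1}^{p-1}\Bigl(\frac{t}{p}\Bigr)\Bigl(\frac{t^2-k}{p}\Bigr) \\
&= \sum_{s,t=0}^{p-1}\Bigl(\frac{st}{p}\Bigr)\sum_{k=1}^{p-1}\Bigl(\frac{s^2-k}{p}\Bigr)\Bigl(\frac{t^2-k}{p}\Bigr).
\end{aligned}$$

Setting $s^2 - k = l$ and applying Lemma 3.32 we find

$$\sum_{k=1}^{p-1}\Bigl(\frac{s^2-k}{p}\Bigr)\Bigl(\frac{t^2-k}{p}\Bigr) = \sum_{l=1}^{p-1}\Bigl(\frac{l}{p}\Bigr)\Bigl(\frac{l+t^2-s^2}{p}\Bigr) = \begin{cases} -1 & \text{if } s \not\equiv \pm t, \\ p-1 & \text{if } s \equiv \pm t. \end{cases}$$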

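Thus

$$\sum_{k=1}^{p-1}\phi(k)^2 = (p-1)\Bigl[\sum_{s=t}\Bigl(\frac{t^2}{p}\Bigr) + \sum_{s=-t}\Bigl(\frac{-t^2}{p}\Bigr)\Bigr] - \sum_{s\ne\pm t}\Bigl(\frac{st}{p}\Bigr) = 2(p-1)p.$$

In fact, $\sum_{t=1}^{p-1}(\frac{t^2}{p}) = p - 1$, so the sums in the brackets have value 2(p − 1). Since

$$\sum_{s,t}\Bigl(\frac{st}{p}\Bigr) = \sum_{s=1}^{p-1}\Bigl(\frac{s}{p}\Bigr)\sum_{t=1}^{p-1}\Bigl(\frac{t}{p}\Bigr) = 0$$

we have

$$\sum_{s\ne\pm t}\Bigl(\frac{st}{p}\Bigr) = -2(p-1).$$

Thus the whole sum is $2(p-1)^2 + 2(p-1) = 2(p-1)p$ as claimed.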
It remains to determine the sign of a. To this end we have to compute φ(1)
modulo 4. Let R denote the number of residue classes t with $(\frac{t^3-t}{p}) = +1$ and
N those with $(\frac{t^3-t}{p}) = -1$. Clearly R + N = p − 3 since the Legendre symbol
vanishes for the residue classes t ≡ ±1 mod p. The two residue classes t = ±i,
where $i^2 \equiv -1 \bmod p$, give rise to the value $(\frac{t^3-t}{p}) = (-1)^{\frac{p-1}{4}}(\frac{-2}{p}) = +1$. The
remaining p − 5 residue classes can be divided into 4-tuples consisting of the residue
classes (r, −r, s, −s), where rs ≡ 1 mod p. The residue classes in each 4-tuple
clearly give rise to the same value $(\frac{t^3-t}{p})$; thus R ≡ 2 mod 4 and N ≡ 0 mod 4.
Since R + N = p − 3 and R − N = φ(1), we find φ(1) + p − 3 = 2R ≡ 4 mod 8,
hence 2a = φ(1) ≡ 7 − p mod 8. This implies a ≡ 1 mod 4 if p ≡ 5 mod 8 and
a ≡ 3 mod 4 if p ≡ 1 mod 8.
This result has a corollary, which is notoriously difficult to prove,⁶ and which is
going back to Gauss’s work on biquadratic residues:
Corollary 3.33 Let p = 4n + 1 be a prime number, and write $p = a^2 + b^2$ with
a ≡ 1 mod 4. Then

$$a \equiv \frac{1}{2}\binom{2n}{n} \bmod p.$$

⁶ See the beautiful article [24] by Cosgrave and Dilcher for an introduction to such congruences.

This is an almost incredible congruence, but we can easily verify it for some
small primes p:

$$\begin{array}{r|r|r|r}
p & a & \binom{2n}{n} & \frac{1}{2}\binom{2n}{n} \bmod p \\ \hline
5 & 1 & 2 & 1 \\
13 & -3 & 20 & -3 \\
17 & 1 & 70 & 1 \\
29 & 5 & 3432 & 5
\end{array}$$

The key to the proof is a useful congruence also going back to Gauss:
Lemma 3.34 For each odd prime number p we have

$$\sum_{x=1}^{p-1} x^m \equiv \begin{cases} 0 \bmod p & \text{if } (p-1) \nmid m, \\ -1 \bmod p & \text{if } (p-1) \mid m. \end{cases} \tag{3.12}$$

Set $S = \sum x^m$ and let g denote a primitive root modulo p. Then

$$g^m S = \sum_{x=1}^{p-1}(gx)^m \equiv S \bmod p,$$

since gx runs through a coprime system of residue classes modulo p when x does.
Thus p divides $(g^m - 1)S$. Now $g^m \equiv 1 \bmod p$ if and only if m is a multiple of
p − 1; thus if (p − 1) ∤ m, then p | S. If (p − 1) | m, on the other hand, then
$x^{p-1} \equiv 1 \bmod p$ implies that

$$S = \sum_{x=1}^{p-1} x^m \equiv \sum_{x=1}^{p-1} 1 = p - 1 \equiv -1 \bmod p$$

as claimed.
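We now apply this to the character sum (3.11); using p = 4n + 1 we find

$$\begin{aligned}
\phi(1) &= \sum_{t=1}^{p-1}\Bigl(\frac{t^3-t}{p}\Bigr) \equiv \sum_{t=1}^{p-1}(t^3-t)^{2n} \\
&\equiv \sum_{t=1}^{p-1}\sum_{k=0}^{2n}\binom{2n}{k}t^{3k}(-t)^{2n-k} = \sum_{t=1}^{p-1}\sum_{k=0}^{2n}(-1)^k\binom{2n}{k}t^{2n+2k} \\
&\equiv \sum_{k=0}^{2n}(-1)^k\binom{2n}{k}\sum_{t=1}^{p-1}t^{2n+2k} \bmod p.
\end{aligned}$$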

The only exponent 2n + 2k divisible by p − 1 = 4n occurs for k = n; this shows
that

$$\phi(1) \equiv -(-1)^n\binom{2n}{n} \bmod p.$$

Since $(-1)^n = (\frac{2}{p})$ this implies a ≡ 1 mod 4.
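
The Jacobsthal sums of this section are small enough to evaluate by brute force. The following Python sketch is an added example, not taken from the book; its function names are chosen here. It checks Proposition 3.29, Lemma 3.30 for k = 1, the value φ(1) = 2a of Theorem 3.31 with the stated sign rule, the affine count of Lemma 3.24 for y² = x³ − x, and the congruence of Corollary 3.33.

```python
from math import comb, isqrt

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def psi(D, p):
    """psi(D) = sum over t = 0..p-1 of ((t^2 - D)/p)."""
    return sum(legendre(t * t - D, p) for t in range(p))

def phi(k, p):
    """phi(k) = sum over t = 1..p-1 of (t/p)((t^2 - k)/p), equation (3.10)."""
    return sum(legendre(t, p) * legendre(t * t - k, p) for t in range(1, p))

def signed_a(p, residue):
    """The odd a with p = a^2 + 4b^2 and a = residue mod 4 (p prime, p = 1 mod 4)."""
    for a in range(1, isqrt(p) + 1, 2):
        b2, rem = divmod(p - a * a, 4)
        if rem == 0 and isqrt(b2) ** 2 == b2:
            return a if a % 4 == residue % 4 else -a
    raise ValueError("p must be a prime congruent to 1 mod 4")

def affine_points(p):
    """Number of (x, y) in F_p x F_p with y^2 = x^3 - x, counted directly."""
    roots = [0] * p                      # roots[r] = number of y with y^2 = r
    for y in range(p):
        roots[y * y % p] += 1
    return sum(roots[(x ** 3 - x) % p] for x in range(p))

def table_row(p):
    """Row (p, a, C(2n, n), C(2n, n)/2 mod p) of the table after Corollary 3.33."""
    n = (p - 1) // 4
    half = (comb(2 * n, n) // 2) % p
    if half > p // 2:                    # report the representative of least absolute value
        half -= p
    return (p, signed_a(p, 1), comb(2 * n, n), half)

def check_prime(p):
    """Evaluate the statements of this section for one prime p = 1 mod 4."""
    n = (p - 1) // 4
    phi1 = phi(1, p)
    return {
        "Proposition 3.29": all(psi(D, p) == (p - 1 if D % p == 0 else -1)
                                for D in range(p + 1)),
        "Lemma 3.30 (k = 1)": all(phi(a * a, p) == legendre(a, p) * phi1
                                  for a in range(1, p)),
        "Theorem 3.31": phi1 == 2 * signed_a(p, -legendre(2, p)),
        "Lemma 3.24": affine_points(p) == p + phi1,
        "Corollary 3.33": (comb(2 * n, n) // 2 - signed_a(p, 1)) % p == 0,
    }

if __name__ == "__main__":
    for p in (5, 13, 17, 29, 37, 41):
        print(table_row(p), phi(1, p), check_prime(p))
```

Note that Theorem 3.31 and Corollary 3.33 normalize the sign of a differently (a ≡ −(2/p) mod 4 versus a ≡ 1 mod 4), which is why `signed_a` takes the residue as a parameter.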

3.4.1 Another Proof of the Quadratic Reciprocity Law

As an application of the techniques introduced in this section we will give another
proof of the quadratic reciprocity law. The idea is to count the number of $\mathbb{F}_p$-rational
points on affine varieties

$$A_n : x_1^2 + x_2^2 + \ldots + x_n^2 = 1.$$

If we let $x_1, \ldots, x_n$ run through $\mathbb{F}_p$, we expect that $y = 1 - x_1^2 - \ldots - x_{n-1}^2$ is a
square half the time, and if it is, then $y = x_n^2$ has (in general) two solutions. This
suggests that we should expect about $p^{n-1}$ points on $A_n$.

Victor Amédée Lebesgue determined the number of $\mathbb{F}_p$-rational points on $A_n$ in
[73] and showed that this implies the quadratic reciprocity law. As in the proof of
Lemma 3.24 it can be shown that

$$\#A_n(\mathbb{F}_p) = p^{n-1} + \sum\Bigl(\frac{t_1t_2\cdots t_n}{p}\Bigr),$$

where the sum is over all $t_1, \ldots, t_n \in \mathbb{F}_p$ with $t_1 + t_2 + \ldots + t_n = 1$. Eisenstein used
such sums for proving the quadratic reciprocity law in [35]; a modern version of his
proof can be found in [65].
We will now present a version of this proof due to Wouter Castryck [16]. Instead
of $A_n$, he considered

$$A_n : x_1^2 - x_2^2 + x_3^2 - \ldots + x_n^2 = 1$$

for an odd integer n. Let $N_n(p)$ denote the number of $\mathbb{F}_p$-rational points on $A_n$, i.e.,
the number of solutions of the congruence

$$x_1^2 - x_2^2 + x_3^2 - \ldots + x_n^2 \equiv 1 \bmod p$$


for an odd prime number p. Then $N_1(p) = 2$ since $x_1^2 \equiv 1 \bmod p$ has exactly two
solutions. Next $N_2(p) = p - 1$ since for solving the congruence

$$x_1^2 - x_2^2 = (x_1 - x_2)(x_1 + x_2) \equiv 1 \bmod p$$

we can assign $x_1 - x_2$ an arbitrary nonzero value t (there are p − 1 choices), and
then $x_1$ and $x_2$ are uniquely determined by the system of equations $x_1 - x_2 \equiv t$ and
$x_1 + x_2 \equiv \frac{1}{t} \bmod p$.
The quadratic reciprocity law will follow from counting $N_q(p)$ in two different
ways; in fact, we will now prove

Proposition 3.35 The number $N_n(p)$ of $\mathbb{F}_p$-rational points on $A_n$ has the following
properties:
1. It satisfies the recursion

$$N_n = p^{n-2}(p-1) + pN_{n-2}. \tag{3.13}$$

2. If n is odd, then $N_n(p)$ is given by

$$N_n = p^{n-1} + p^{\frac{n-1}{2}}. \tag{3.14}$$

3. For all integers n ≥ 1 we have

$$N_n = p^{n-1} + \Bigl(\frac{-1}{p}\Bigr)^{\frac{n-1}{2}}\sum_{t_1+\ldots+t_n=1}\Bigl(\frac{t_1t_2\cdots t_n}{p}\Bigr). \tag{3.15}$$

Proof of (3.13) In the equation of $A_n$, substitute $x_1 + x_2$ for $x_1$; then we obtain

$$x_1^2 + x_3^2 - \ldots + x_n^2 - 1 = -2x_1x_2.$$

If $x_1 \ne 0$, then for each choice of $x_3, \ldots, x_n$ there is a unique value $x_2$; the number
of such points is $(p-1)p^{n-2}$ since there are p − 1 choices for $x_1$ and p choices for
each $x_3, \ldots, x_n$. If $x_1 = 0$, then there are p choices for $x_2$ if $x_3^2 - \ldots + x_n^2 = 1$ and
none otherwise; the number of solutions in this case is $pN_{n-2}$. This proves (3.13).
Proof of (3.14) This equation holds for n = 1 since $N_1 = 1 + 1 = 2$. Assume that
$N_{n-2} = p^{n-3} + p^{\frac{n-3}{2}}$ for some odd integer n ≥ 3; then by (3.13) we have

$$\begin{aligned}
N_n &= p^{n-2}(p-1) + pN_{n-2} = p^{n-2}(p-1) + p\bigl(p^{n-3} + p^{\frac{n-3}{2}}\bigr) \\
&= p^{n-1} - p^{n-2} + p^{n-2} + p^{\frac{n-1}{2}} = p^{n-1} + p^{\frac{n-1}{2}},
\end{aligned}$$

and the claim follows by induction.



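Proof of (3.15) If $N(x^2 = a)$ denotes the number of solutions of the equation
$x^2 = a$ in $\mathbb{F}_p$, then

$$\begin{aligned}
N_n &= \sum_{t_1+\ldots+t_n=1} N(x_1^2 = t_1)\cdot N(x_2^2 = -t_2)\cdots N(x_n^2 = t_n) \\
&= \sum_{t_1+\ldots+t_n=1}\Bigl(1 + \Bigl(\frac{t_1}{p}\Bigr)\Bigr)\Bigl(1 + \Bigl(\frac{-t_2}{p}\Bigr)\Bigr)\cdots\Bigl(1 + \Bigl(\frac{t_n}{p}\Bigr)\Bigr) \\
&= p^{n-1} + \Bigl(\frac{-1}{p}\Bigr)^{\frac{n-1}{2}}\sum_{t_1+\ldots+t_n=1}\Bigl(\frac{t_1t_2\cdots t_n}{p}\Bigr).
\end{aligned}$$

Here we have used the fact that the sums $\sum(\frac{t_1}{p})$, $\sum(\frac{t_1t_2}{p})$, . . . , $\sum(\frac{t_1t_2\cdots t_{n-1}}{p})$, etc.
vanish. For a proof it is, after reordering the $t_i$, sufficient to show that

$$\sum_{t_1+\ldots+t_n=1}\Bigl(\frac{t_1}{p}\Bigr)\cdots\Bigl(\frac{t_s}{p}\Bigr) = 0$$

when 1 ≤ s < n. Clearly $t_n$ is uniquely determined by $t_1, \ldots, t_{n-1}$, hence we can
sum over all $t_1, \ldots, t_{n-1}$ instead and get

$$\begin{aligned}
\sum_{t_1+\ldots+t_n=1}\Bigl(\frac{t_1}{p}\Bigr)\cdots\Bigl(\frac{t_s}{p}\Bigr) &= \sum_{t_1,\ldots,t_{n-1}}\Bigl(\frac{t_1}{p}\Bigr)\cdots\Bigl(\frac{t_s}{p}\Bigr) \\
&= p^{n-s-1}\sum_{t_1,\ldots,t_s}\Bigl(\frac{t_1}{p}\Bigr)\cdots\Bigl(\frac{t_s}{p}\Bigr) \\
&= p^{n-s-1}\Bigl(\sum_{t_1}\Bigl(\frac{t_1}{p}\Bigr)\Bigr)\cdots\Bigl(\sum_{t_s}\Bigl(\frac{t_s}{p}\Bigr)\Bigr) = 0
\end{aligned}$$

since all the character sums in the brackets vanish. This finishes the proof of (3.15).
A more conceptual proof of the vanishing of these character sums is the
following: Let a denote a quadratic nonresidue modulo p and set $u_1 = at_1$, $u_2 = t_2$,
. . . , $u_{s-1} = t_{s-1}$ and $u_n$ via $u_1 + \ldots + u_n = 1$. If S denotes the character sum above,
then aS = S as in the proof of Lemma 3.25, and this implies S = 0.
Proof of the Quadratic Reciprocity Law We know by (3.14) that the number of
$\mathbb{F}_p$-rational points on $A_q$, where q is an odd prime different from p, is

$$N_q = p^{q-1} + p^{\frac{q-1}{2}} \equiv 1 + \Bigl(\frac{p}{q}\Bigr) \bmod q \tag{3.16}$$

by Fermat’s Little Theorem and Euler’s criterion.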



Now let us count this number in a different way. If $(t_1, \ldots, t_q)$ satisfies $t_1 + \ldots + t_q = 1$,
then so does $(t_2, t_3, \ldots, t_q, t_1)$, and do the other shifts. There is a single
element for which these shifts do not produce p distinct q-tuples, namely (t, t, . . . , t)
with qt = 1. This shows that the number of $(t_1, \ldots, t_q)$ with $t_1 + \ldots + t_q = 1$ is
≡ 1 mod q. Using (3.15) we find

$$\begin{aligned}
N_q &= p^{n-1} + \Bigl(\frac{-1}{p}\Bigr)^{\frac{q-1}{2}}\sum_{t_1+\ldots+t_n=1}\Bigl(\frac{t_1t_2\cdots t_n}{p}\Bigr) \\
&\equiv 1 + (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}\Bigl(\frac{t^q}{p}\Bigr) = 1 + (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}\Bigl(\frac{q}{p}\Bigr) \bmod q,
\end{aligned}$$

where we have used Fermat’s Little Theorem, the first supplementary law, the fact
that distinct shifts give rise to q identical terms that vanish modulo q, and finally
that $(\frac{t^q}{p}) = (\frac{t}{p}) = (\frac{q}{p})$ since $t = \frac{1}{q}$.
Comparing this with (3.16) yields the congruence

$$\Bigl(\frac{p}{q}\Bigr) \equiv (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}\Bigl(\frac{q}{p}\Bigr) \bmod q,$$

which implies the quadratic reciprocity law since for odd primes q, a congruence of
the form ±1 ≡ ±1 mod q implies equality.
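
The counts $N_n(p)$ used in this proof can be computed exactly without enumerating all $p^n$ tuples. The following Python sketch is an added example, not code from the book or from Castryck's paper; the names `convolve`, `count_points`, `character_sum`, `proposition_3_35_holds` and `reciprocity_from_counting` are chosen here. It obtains $N_n(p)$ and the character sum of (3.15) by repeated convolution on Z/pZ and compares them with (3.13), (3.14), (3.15) and with both evaluations of $N_q(p)$ modulo q.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def convolve(u, v, p):
    """Convolution on Z/pZ: w[r] = sum of u[s] * v[t] over all s + t = r mod p."""
    w = [0] * p
    for s, us in enumerate(u):
        for t, vt in enumerate(v):
            w[(s + t) % p] += us * vt
    return w

def count_points(n, p):
    """N_n(p): number of solutions of x1^2 - x2^2 + x3^2 - ... = 1 mod p (n alternating terms)."""
    plus, minus = [0] * p, [0] * p
    for x in range(p):
        plus[x * x % p] += 1          # plus[r]  = #{x :  x^2 = r}
        minus[-x * x % p] += 1        # minus[r] = #{x : -x^2 = r}
    dist = [1] + [0] * (p - 1)        # value distribution of the empty sum
    for i in range(n):
        dist = convolve(dist, plus if i % 2 == 0 else minus, p)
    return dist[1]

def character_sum(n, p):
    """Sum of (t1 t2 ... tn / p) over all (t1, ..., tn) in F_p^n with t1 + ... + tn = 1."""
    chi = [legendre(t, p) for t in range(p)]
    dist = [1] + [0] * (p - 1)
    for _ in range(n):
        dist = convolve(dist, chi, p)
    return dist[1]

def proposition_3_35_holds(p, max_n=7):
    """Compare the computed counts with (3.13), (3.14) and (3.15) for n <= max_n."""
    ok = count_points(1, p) == 2 and count_points(2, p) == p - 1
    for n in range(3, max_n + 1):
        N = count_points(n, p)
        ok &= N == p ** (n - 2) * (p - 1) + p * count_points(n - 2, p)       # (3.13)
        if n % 2:
            ok &= N == p ** (n - 1) + p ** ((n - 1) // 2)                    # (3.14)
            sign = legendre(-1, p) ** ((n - 1) // 2)
            ok &= N == p ** (n - 1) + sign * character_sum(n, p)             # (3.15)
    return ok

def reciprocity_from_counting(p, q):
    """Both evaluations of N_q(p) modulo q, for distinct odd primes p and q."""
    N = count_points(q, p)
    first = (N - 1 - legendre(p, q)) % q == 0                                # (3.16)
    sign = (-1) ** (((p - 1) // 2) * ((q - 1) // 2))
    second = (N - 1 - sign * legendre(q, p)) % q == 0
    return first and second

if __name__ == "__main__":
    for p in (3, 5, 7):
        print(p, [count_points(n, p) for n in range(1, 6)], proposition_3_35_holds(p))
```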

3.5 Terjanian’s Theorem

The quadratic reciprocity law can often be used for proving that certain Diophantine
equations do not have solutions in integers. A prominent example is the Fermat
equation for even exponents:
Theorem 3.36 (Terjanian) Let p be an odd prime number, and assume that $x^{2p} + y^{2p} = z^{2p}$
for integers x, y, and z. Then 2p | x or 2p | y.
As for the usual Fermat equation $x^p + y^p = z^p$, the “second” case where p | xyz
is much more difficult than the “first case”
Clearly we may assume that x, y, and z are pairwise coprime. Since x and y
cannot both be odd (otherwise $z^{2p} \equiv 2 \bmod 4$), we may assume that x is even and
y and z are odd. Now

$$x^{2p} = z^{2p} - y^{2p} = (z^2 - y^2)\cdot\frac{z^{2p} - y^{2p}}{z^2 - y^2}. \tag{3.17}$$

Set $Q_p(m, n) = \frac{m^p - n^p}{m - n}$; then $x^{2p} = (z^2 - y^2)Q_p(z^2, y^2)$. For coprime integers m
and n we have

$$\gcd(Q_p(m, n), m - n) = \gcd(p, m - n). \tag{3.18}$$

For a proof, let $d = \gcd(m - n, Q_p(m, n))$. Since d divides m − n, we have n ≡
m mod d, hence

$$Q_p(m, n) = m^{p-1} + m^{p-2}n + \ldots + n^{p-1} \equiv pm^{p-1} \bmod d.$$

If q is a prime divisor of d and if q | m, then q | n contradicting the assumption
that m and n are coprime. Thus d and m are coprime, hence d | p and thus d = 1
or d = p. This finishes the proof of (3.18).
By Eq. (3.18), there are only two possibilities:
(a) The two factors in (3.17) are coprime; then $Q_p(z^2, y^2)$ is a square.
(b) The prime p divides both factors; in particular $p \mid x^{2p}$ and therefore p | x.
Since x was assumed to be even, we actually have 2p | x.
Thus Theorem 3.36 follows if we can show that $Q_p(z^2, y^2)$ cannot be a square for
odd integers z and y. Now there are many squares among the numbers $Q_p(m, n)$,
for example:

$$\frac{3^5 - 1}{3 - 1} = 11^2, \quad \frac{5^3 - 3^3}{5 - 3} = 7^2, \quad \frac{7^4 - 1}{7 - 1} = 20^2, \quad 8^3 - 7^3 = 13^2.$$

The following theorem provides us with a large class of nonsquares of the form
$Q_p(m, n)$:
Theorem 3.37 Let p be an odd prime number, and let m and n be coprime integers
m ≡ n ≡ 1 mod 4. Then $Q_p(m, n)$ is not a square number.
Theorem 3.37 (and therefore Terjanian’s Theorem 3.36) follows immediately
from the following calculation of a Jacobi symbol:
Theorem 3.38 If q is an odd integer, and if m and n are coprime natural numbers
with m ≡ n ≡ 1 mod 4, then

$$\Bigl(\frac{Q_p(m, n)}{Q_q(m, n)}\Bigr) = \Bigl(\frac{p}{q}\Bigr) \tag{3.19}$$

for all integers p coprime to q.

In fact, all we have to do is choose an odd prime number q with $(\frac{p}{q}) = -1$; by
Theorem 3.38, $Q_p(m, n)$ is a quadratic nonresidue modulo $Q_q(m, n)$, hence cannot
be a square.
For proving Theorem 3.38 we need a few elementary properties of the numbers
$Q_p(m, n)$.

Lemma 3.39 Let $Q_p(m, n) = \frac{m^p - n^p}{m - n}$.
(a) If p is odd and m ≠ n, then $Q_p(m, n)$ is positive.
(b) If p = aq + r, then

$$Q_p(m, n) = m^r Q_q(m^a, n^a) + n^{p-r}Q_r(m, n). \tag{3.20}$$

(c) If p = aq − r, then

$$Q_p(m, n) \equiv -n^{p-q}m^{q-r}Q_r(m, n) \bmod Q_q(m, n). \tag{3.21}$$

(d) If gcd(p, q) = gcd(m, n) = 1, then $\gcd(Q_p(m, n), Q_q(m, n)) = 1$.
(e) For positive integers m and n with mn ≡ 1 mod 8 and odd integers p we have

$$Q_p(m, n) \equiv p \bmod 8.$$

Proof
(a) Since $Q_p(-m, -n) = Q_p(m, n)$ for odd integers p we may assume that m ≥ 0.
Next $Q_p(0, n) = n^{p-1} > 0$ since n ≠ 0 in this case. If m > n ≥ 0, then both
numerator and denominator of $Q_p(m, n)$ are positive, and if 0 < m < n, then
both numerator and denominator of $Q_p(m, n)$ are negative, hence $Q_p(m, n) > 0$.
(b) Using p = aq + r we find

$$\begin{aligned}
Q_p(m, n) &= \frac{m^{aq+r} - n^{aq+r}}{m - n} = \frac{m^{aq+r} - m^rn^{aq} + m^rn^{aq} - n^{aq+r}}{m - n} \\
&= m^r Q_q(m^a, n^a) + n^{p-r}Q_r(m, n)
\end{aligned}$$

as claimed.
(c) If p = aq − r, then we have⁷

$$\begin{aligned}
Q_p(m, n) &= \frac{m^p - n^p}{m - n} = \frac{m^{aq-r} - n^{aq-r}}{m - n} \\
&= \frac{m^{aq-r} - m^{q-r}n^{aq-q}}{m - n} + \frac{m^{q-r}n^{aq-q} - n^{aq-r}}{m - n} \\
&= m^{q-r}\,\frac{m^{aq-q} - n^{aq-q}}{m - n} + n^{aq-q-r}\,\frac{m^{q-r}n^r - n^rn^{q-r}}{m - n} \\
&= m^{q-r}Q_{a-1}(m^q, n^q) + n^{aq-q-r}\bigl[-m^{q-r}Q_r(m, n) + Q_q(m, n)\bigr] \\
&= m^{q-r}\bigl[Q_{a-1}(m^q, n^q) + n^{aq-q-r}Q_q(m, n)\bigr] - n^{aq-q-r}m^{q-r}Q_r(m, n).
\end{aligned}$$

⁷ There is a misprint in Terjanian [121, Equation (2)].



Since

$$Q_{a-1}(m^q, n^q) = \frac{(m^q)^{a-1} - (n^q)^{a-1}}{m - n} = \frac{(m^q)^{a-1} - (n^q)^{a-1}}{m^q - n^q}\cdot\frac{m^q - n^q}{m - n} \equiv 0 \bmod Q_q(m, n),$$

the claim now follows since the first factor is clearly an integer.
(d) Let d > 1 be a common prime divisor of $Q_p(m, n)$ and $Q_q(m, n)$ with p + q ≥ 1
minimal. If p = q, then p = q = 1 since gcd(p, q) = 1, and then $Q_1(m, n) = 1$:
Contradiction. Since we may assume that p > q we can write p = aq + r.
Equation (3.20) and the fact that $Q_q(m, n)$ divides $Q_q(m^a, n^a)$ shows that d
divides $n^{m-r}Q_r(m, n)$. If d | n, then $d \mid Q_p(m, n)$ implies d | m, which is
impossible. Thus $d \mid Q_r(m, n)$. Thus $Q_p(m, n)$ and $Q_r(m, n)$ have a common
divisor, and since m + r < m + n this contradicts the minimality of m + n.
(e) Observe that $m^2 \equiv 1 \bmod 8$; now

$$Q_p(m, n) = m^{p-1} + m^{p-2}n + \ldots + n^{p-1} \equiv 1 + mn + 1 + \ldots + mn + 1 \equiv p \bmod 8$$

since each of the p terms in this sum is ≡ 1 mod 8.




Next we give the
Proof of Theorem 3.38 If p = q, then p = q = 1 and $Q_p(m, n) = 1$. If there is
a pair (p, q) for which the theorem fails, i.e., for which $(Q_p(m, n)/Q_q(m, n)) = -(p/q)$,
then choose one such pair for which the sum p + q is minimal. Then

$$\Bigl(\frac{Q_q(m, n)}{Q_p(m, n)}\Bigr) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}\Bigl(\frac{Q_p(m, n)}{Q_q(m, n)}\Bigr) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}\cdot\Bigl(-\Bigl(\frac{p}{q}\Bigr)\Bigr) = -\Bigl(\frac{q}{p}\Bigr);$$

in fact, the first step is an application of the quadratic reciprocity law together with
the congruences $Q_p(m, n) \equiv p$ and $Q_q(m, n) \equiv q \bmod 4$ that we have proved
in Lemma 3.39.(f), the second step is our assumption $(Q_p(m, n)/Q_q(m, n)) = -(p/q)$,
and the last step is another application of the quadratic reciprocity law.
This shows that the result also fails for the pair (q, p).
Thus we may assume that p > q. Write p = aq ± r with 0 ≤ r < q and r odd.
If p = aq + r, then by (3.20) we have

$$\Bigl(\frac{Q_p(m, n)}{Q_q(m, n)}\Bigr) = \Bigl(\frac{n^{m-r}Q_r(m, n)}{Q_q(m, n)}\Bigr) = \Bigl(\frac{Q_r(m, n)}{Q_q(m, n)}\Bigr)$$

since m − r is even. But this implies

$$\Bigl(\frac{Q_r(m, n)}{Q_q(m, n)}\Bigr) = \Bigl(\frac{Q_p(m, n)}{Q_q(m, n)}\Bigr) = -\Bigl(\frac{p}{q}\Bigr) = -\Bigl(\frac{aq + r}{q}\Bigr) = -\Bigl(\frac{r}{q}\Bigr),$$

hence the result also fails for the pair (r, q). Since r + q < p + q, this contradicts
the minimality of p + q.
If p = aq − r for some odd natural number r, then by (3.21) we have

$$Q_p(m, n) \equiv -n^{p-q}m^{q-r}Q_r(m, n) \bmod Q_q(m, n);$$

since p − q and q − r are even, both $n^{p-q}$ and $m^{q-r}$ are squares, hence

$$\Bigl(\frac{Q_p(m, n)}{Q_q(m, n)}\Bigr) = \Bigl(\frac{-Q_r(m, n)}{Q_q(m, n)}\Bigr) = \Bigl(\frac{-Q_r(m, n)}{Q_q(m, n)}\Bigr).$$

Therefore

$$\Bigl(\frac{-Q_r(m, n)}{Q_q(m, n)}\Bigr) = \Bigl(\frac{Q_p(m, n)}{Q_q(m, n)}\Bigr) = -\Bigl(\frac{p}{q}\Bigr) = -\Bigl(\frac{aq - r}{q}\Bigr) = -\Bigl(\frac{-r}{q}\Bigr),$$

and now $Q_q(m, n) \equiv q \bmod 4$ implies

$$\Bigl(\frac{Q_r(m, n)}{Q_q(m, n)}\Bigr) = -\Bigl(\frac{r}{q}\Bigr),$$

so the pair (r, q) with r + q < p + q is another pair for which the theorem fails, and
this again contradicts the minimality of p + q.

For an alternative proof of Theorem 3.38 see Exercises 3.14–3.16.

3.5.1 Summary

In this chapter we have


• explained the notions of Legendre, Jacobi, Kronecker, and Zolotarev symbols;
• shown the equivalence between the modularity of Kronecker symbols and the
quadratic reciprocity law;
• given several proofs of the quadratic reciprocity law;
• determined the points on Pell conics over fields such as Q and Fp .
We will return to the concept of modularity in Chap. 10.
Fig. 3.1 The cubic curves y^2 = x^3 with a cusp and y^2 = x^3 + x^2 with a double point at the origin

3.6 Exercises

3.1. Parametrize the Pell conic P : x^2 + xy − my^2 = 1 with discriminant Δ =
1 + 4m. Show that the number of F_p-rational points is given by #P(F_p) =
p − (Δ/p).
3.2. Curves of degree 3 can be parametrized only if they possess a singular point,
i.e., a cusp as for the cubic y^2 = x^3 (Fig. 3.1, left graph) or a double point
as for y^2 = x^3 + x^2 (Fig. 3.1, right graph). In these cases, the curves may be
parametrized by lines through the singular point (0, 0) (see [83]).
Parametrize the cubic curves y^2 = x^3 and y^2 = x^3 + x^2. Also determine
the number of F_p-rational points on these curves.
3.3. We can think of the group R/Z as the additive group of real numbers whose
parts left of the decimal points are removed. For example, the sum of α =
0.7 + Z and β = 0.8 + Z is α + β = 0.5 + Z.
Show that the map λ : R/Z → S^1 defined by λ(t + Z) = (cos 2πt, sin 2πt)
from R/Z to the unit circle S^1 is a group homomorphism, i.e., that

λ(s + t + Z) = λ(s + Z) + λ(t + Z),

and that λ is a bijection.
The element t = 1/n + Z generates a cyclic subgroup of order n in R/Z.
Deduce that λ(t) generates a cyclic subgroup of order n on the unit circle.
Show also that by identifying (x, y) with the complex number x + yi this
torsion group of order n consists exactly of the n-th roots of unity in C.
3.4. Assume that a = bc^2 for nonzero integers a, b, c. Show that (a/p) = (b/p) for
all primes p ∤ c.
3.5. Compute (2/15) and (3/35) using Gauss’s Lemma.
3.6. Prove that (−1/m) = (−1)^{(m−1)/2} for positive odd integers using the corresponding
result for primes and the multiplicativity of the Jacobi symbol.


3.7. Show that (a_1 a_2 . . . a_n) = (a_1 a_2)(a_2 a_3) · · · (a_{n−1} a_n).
3.8. Let π and ρ be permutations of the finite sets A and B, respectively. Show
that they induce a permutation π × ρ on the product set A × B, and that

sign(π × ρ) = (sign π)^{#B} · (sign ρ)^{#A}.

3.9. Show that Gauss’s Lemma does not do what it is supposed to do when we
restrict to coprime residue classes: Let N = mn be the product of two coprime
integers m, n > 1. Let A = {a1 , . . . , aφ(N) } denote a (coprime) half system
modulo N. If a is an integer coprime to N and a · aj ≡ (−1)sj aj for some

aj ∈ A, then (−1) sj = 1.
3.10. (Romanian Team Selection Test 2008) Let m, n ≥ 2 be integers with (2^m −
1) | (3^n − 1). Prove that n is even.
3.11. Show that φ(k) = 0 (see 3.10) for all primes p ≡ 3 mod 4.
3.12. Show that Jacobsthal sums φ_m are multiplicative: φ_m(1)φ_n(1) = φ_{mn}(1) for
coprime values of m and mn.
3.13. Let p be a prime number ≡ 1 mod 4. Show that the number of residue classes
t mod p with 1 ≤ t ≤ (p − 1)/2 for which ((t^3 − t)/p) = −1 is a multiple of 4.
3.14. Prove that for odd coprime integers m ≡ n ≡ 1 mod 4 with mn ≡ 1 mod 8
we have

$$\left(\frac{Q_2(m,n)}{Q_q(m,n)}\right) = \left(\frac{m+n}{Q_q(m,n)}\right) = \left(\frac{2}{q}\right). \tag{3.22}$$

3.15. Prove the following result: If r = 2t is even, then

$$\left(\frac{Q_r(m,n)}{Q_q(m,n)}\right) = \left(\frac{2}{q}\right)\left(\frac{Q_t(m^2,n^2)}{Q_q(m,n)}\right).$$

3.16. Prove Theorem 3.38 for odd natural numbers m, n with mn ≡ 1 mod 8 using
induction on q.
3.17. Let RR denote the number of pairs of consecutive quadratic residues modulo
an odd prime number p:

RR = #{(a, a + 1) : 1 ≤ a < p, (a/p) = ((a + 1)/p) = +1},

and define the numbers RN, NR, and NN correspondingly.

1. Compute these numbers for p = 13.
2. Show that RR + RN + NR + NN = p − 2.
3. Show that the number of pairs (a, a + 1) with (a/p) = ((a + 1)/p) is equal to
RR + NN = (p − 3)/2. Similarly, the number of (a, a + 1) with (a/p) = −((a + 1)/p)
is equal to RN + NR = (p − 1)/2.
4. Let p ≡ 1 mod 4 be a prime number. Show that pairs of consecutive
squares modulo p correspond to sets of points (±x, ±y) on the conic
H : X^2 − Y^2 = 1.
5. Show that the points on C_0 corresponding to a pair of consecutive
quadratic residues form a subgroup of index 2 in C. Check that
multiplication by 2 induces a map

C_0 −→ C : (X, Y) → (4X(X + 1), 2Y(2X + 1)).

Deduce that if (n, n + 1) is a pair of consecutive quadratic residues or
nonresidues, then (4n^2 + 4n, 4n^2 + 4n + 1) is a pair of quadratic residues
and verify this directly. Derive formulas for RR and NN.
6. Show that

$$\left(1 + \left(\frac{a}{p}\right)\right)\left(1 + \left(\frac{a+1}{p}\right)\right) = \begin{cases} 4 & \text{if } \left(\frac{a}{p}\right) = \left(\frac{a+1}{p}\right) = +1, \\ 0 & \text{otherwise.} \end{cases}$$

Deduce that

$$4RR = \sum_{a=1}^{p-2} \left(1 + \left(\frac{a}{p}\right)\right)\left(1 + \left(\frac{a+1}{p}\right)\right). \tag{3.23}$$

Expand the product and show, using $\sum_{a=1}^{p-1} \left(\frac{a}{p}\right) = 0$, that

$$\sum_{a=1}^{p-2} \left(\frac{a}{p}\right) = -\left(\frac{-1}{p}\right) \quad\text{and}\quad \sum_{a=1}^{p-2} \left(\frac{a+1}{p}\right) = -1.$$

3.18. Show that, for primes p ≡ 3 mod 4, the quadratic residues modulo p form a
half system. Show that Gauss’s Lemma holds trivially in this case.
3.19. Let p be an odd prime number. Show that the number N_n of F_p-rational points
on A_n for even integers n is given by

N_n = p^{n−1} − p^{(n−2)/2}

for all n ≥ 2.
3.20. Show that there exist infinitely many positive odd integers m and n with m ≡
n mod 4 such that Q_4(m, n) is a square. Is it true that all such integers have a
common divisor > 1?
3.21. The following proof of the quadratic reciprocity law based on Gauss’s Lemma
is due to Christian Zeller [135]. We will give it for p = 5 and q = 23.
• Write down the absolutely smallest remainders of kp mod q and hq mod p:

k          1   2   3   4   5   6    7   8   9  10  11
kp mod q   5  10  −8  −3   2   7  −11  −6  −1   4   9

h          1   2
hq mod p  −2   1

• Let μ denote the number of negative remainders; then (p/q)(q/p) = (−1)^μ
by Gauss’s Lemma; here μ = 6.
• The negative remainders −r = −1, −2 with 0 < r < p/2 occur exactly
once in these tables (for k = 9 and h = 1);
• The other negative remainders −r for p/2 < r < q/2, with a few exceptions,
come in pairs: The pairs (k, k′) = (3, 8) and (4, 7) satisfy k + k′ = 11 =
(q − 1)/2.
• The possible exceptions are the following: There exists a degenerate pair
(k, k′) with k = k′ = (q − 1)/4 if q ≡ 1 mod 4; in this case, the remainder is
negative if p ≡ 3 mod 4. Observe that the value k = (q − 1)/2 yields a positive
remainder.
Now deduce the quadratic reciprocity law by counting the number of
negative remainders. In our case, there are (p − 1)/2 remainders −r with 0 < r <
p/2 and an even number of negative remainders −r with p/2 < r < q/2, hence
(5/23)(23/5) = +1.
Chapter 4
Divisibility in Integral Domains

In this chapter we will study the notion of divisibility in general domains. We will
restrict our attention to commutative domains R containing a unit¹ 1, i.e., an element
with the property 1r = r for all r ∈ R. Recall that a ring R is called a domain if it
does not contain any zero divisors, that is, if ab = 0 for elements a, b ∈ R implies
that a = 0 or b = 0. Subrings of fields are always domains, and every domain may
be interpreted as a subring of its field of quotients (see Exercise 4.3). Our goal is the
definition of units, primes, and irreducible elements and a first investigation of the
question in which quadratic number rings the theorem of unique factorization holds.

4.1 Units, Primes, and Irreducible Elements

It is easy to transfer the notion of divisibility of integers in Z to arbitrary domains
R: Given a, b ∈ R, we say that b divides a if there is a c ∈ R such that a = bc, and
we write b | a in this case. More generally we write a ≡ b mod mR if m | (a − b)
in R. Congruences in R have the usual properties; we leave the proofs as exercises
(see Exercise 4.9).
Proposition 4.1 Let R be a domain; for all a, b, c, d, m, n ∈ R, we have
(a) a ≡ b mod m, c ≡ d mod m ⇒ a + c ≡ b + d mod m;
(b) a ≡ b mod m, c ≡ d mod m ⇒ ac ≡ bd mod m; and
(c) n | m and a ≡ b mod m ⇒ a ≡ b mod n.
The properties (a) and (b) are equivalent to the statement that a ≡ b mod m implies
f (a) ≡ f (b) mod m for all polynomials f ∈ Z[x]. The following result shows
that certain congruences in Ok imply congruences in Z; it allows us to work in the
bigger ring Ok and then pull back results from there to the ring of ordinary integers.

¹ The standard example of a domain without 1 is the ring of even integers.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_4

Proposition 4.2 Let a, b, m ∈ Z. Then a ≡ b mod m in Ok if and only if a ≡
b mod m in Z.
Proof The congruence a ≡ b mod m in Ok is equivalent to a − b = mγ for some
γ ∈ Ok . Since γ = (a − b)/m, we have γ ∈ Ok ∩ Q, and now Proposition 2.4 shows that
γ ∈ Z, and hence a ≡ b mod mZ in Z. The converse is trivial. □

The following result is also useful for computing with quadratic irrationalities;
the simple proof is given in Exercise 4.10.
Proposition 4.3 Let {1, ω} be an integral basis of a quadratic number field, and let
m ∈ Z be an integer. Then m | (a + bω) in Ok if and only if m | a and m | b.
Elements of a domain R that divide 1 are called units of R. The set R × of all
units forms a group with respect to multiplication; it is called the unit group of R.
Examples of unit groups of some well-known rings are the following:

R     Z      Z[x]   Q[x]   Z[√−2]   Z[i]       Z[√2]
R×    {±1}   {±1}   Q×     {±1}     {±1, ±i}   {±(1 + √2)^n}

The computation of units in number fields is often challenging; checking whether
a given element is a unit is rather easy:
Proposition 4.4 An element ε ∈ Ok is a unit if and only if Nε = ±1. If we write
ε = (t + u√m)/2 for integers t ≡ u mod 2, then ε is a unit if and only if t^2 − mu^2 = ±4.
Proof Let ε ∈ Ok be a unit; then εη = 1 for some η ∈ Ok , and taking the norm
yields NεNη = N(1) = 1. Since Nε and Nη are integers whose product is 1, we
either have Nε = Nη = 1 or Nε = Nη = −1. Conversely, Nε = ±1 for some
ε ∈ Ok means ±εε′ = 1, and hence ε is a unit.
If ε = (t + u√m)/2 is a unit, then clearly t^2 − mu^2 = ±4. If conversely t^2 − mu^2 = ±4
and m ≡ 2, 3 mod 4, then it follows that t and u both must be even, and hence
ε = t/2 + (u/2)√m ∈ Z[√m]. If m ≡ 1 mod 4, on the other hand, then t ≡ u mod 2. In
both cases, ε is a unit in Ok . □

It follows that the norm yields a group homomorphism Ek −→ EQ = {±1},
where Ek = Ok× and EQ = Z× are the unit groups of Ok and Z.
The unit groups in complex quadratic number fields can be described explicitly.

Theorem 4.5 Let m < 0 be squarefree, k = Q(√m), and R = Ok the ring of
integers in k. Then

$$R^\times = \begin{cases} \langle i \rangle & \text{if } m = -1; \\ \langle -\rho \rangle & \text{if } m = -3; \\ \langle -1 \rangle & \text{otherwise.} \end{cases}$$

Here i = √−1 denotes a primitive fourth and ρ = (1/2)(−1 + √−3) a primitive cube
root of unity.

Proof Assume first that m ≡ 1, 2 mod 4, and let ε = a + b√−m be a unit. Then
1 = Nε = a^2 + mb^2 (the case Nε = −1 cannot occur since m > 0). For m > 1,
this implies a = ±1 and b = 0, and hence ε = ±1 (and of course ±1 are units). If
m = 1, there are four possibilities, namely a = ±1, b = 0 and a = 0, b = ±1. All
these units are powers of i = √−1.
If m ≡ 3 mod 4, we set ε = (1/2)(a + b√−m) for integers a, b and find 4 =
a^2 + mb^2 as a necessary and sufficient condition for ε to be a unit. For m > 3, there
are again only the trivial solutions corresponding to ε = ±1; if m = 3, then we
obtain the units

$$\pm 1, \quad \pm\frac{-1+\sqrt{-3}}{2}, \quad \pm\frac{1+\sqrt{-3}}{2}.$$

Setting ρ = (−1 + √−3)/2 (this is a cube root of unity since ρ^3 = 1), we find that Ek is
generated by −ρ (a primitive sixth root of unity). □

The determination of the unit group of rings of integers in real quadratic number
fields boils down to solving the Pell equation t 2 − mu2 = ±4; we will prove in
Chap. 7 below that this equation has integral solutions whenever m ≥ 2 is not a
square. At this point we only observe that ε = 1 + √2 is a unit with infinite order
in Z[√2] (see Theorem 2.7): If we had (1 + √2)^n = ±1 for some n ≥ 1, then
taking absolute values (after identifying √2 with the positive real square root of 2),
we obtain 1 = |±1| = |1 + √2|^n > 1, and similarly 1 = |±1| = |1 + √2|^n =
|1 − √2|^{−n} < 1 if n ≤ −1. In particular, Z[√2] has infinitely many units.
John Pell (1611–1685) was an English mathematician. His name got attached to
the Pell equation through a mistake by Euler, who apparently confused him with
Lord William Brouncker. It was Brouncker who developed a method for solving
such equations in integers in connection with Fermat’s challenge in 1657 for the
English mathematicians. The proof that Brouncker’s method always leads to a
solution was given much later by Lagrange.
A method for solving the Pell equation similar to Brouncker’s had already been
developed by Indian mathematicians, in particular Brahmagupta (ca. 598–670) and
Bhaskara II (1114–1185); their contributions (see Plofker [104]) became known in
Europe only during the nineteenth century. We will present a method for solving the
Pell equation in Chap. 7.
Elements a, b ∈ R are called associated, if there is a unit e ∈ R × such that
a = be; we write a ∼ b and verify easily that this defines an equivalence relation
on R.
Irreducible and Prime Elements An element a ∈ R \R × is called irreducible if a
has only trivial divisors, that is, units and associates. More exactly: a is irreducible
in R if a = bc implies that b or c is a unit. An element p ∈ R \ R × is called prime if
p | ab implies that p | a or p | b. Observe that units are by definition neither prime
nor irreducible.
Proposition 4.6 Prime elements are irreducible.

Proof Let a be prime. If we could factor a, there would exist b, c ∈ R \ R × with
a = bc. Now a | bc; if a | b, i.e., b = ad for some d ∈ R, then a = acd, hence
1 = cd, and c is a unit in contradiction to our assumption. □

A simple criterion for the primality of an element in a ring is the following:
Proposition 4.7 An element p ∈ R is prime if and only if the residue class ring
R/pR of the residue classes modulo p is a domain.
The proof is simple. The residue class ring modulo p does not have a zero divisor
if ab ≡ 0 mod p implies that a ≡ 0 mod p or b ≡ 0 mod p. But this is just a
version of the definition of a prime element, which states that an element is prime if
p | ab implies that p | a or p | b.

4.1.1 Elements with Prime Norm Are Prime

We have already seen that elements π ∈ Ok for which p = |Nπ| is a rational prime
are always irreducible. As a matter of fact, such elements are always prime. This
will follow easily from the theory of ideals that we will develop later; here we will
give a direct proof based on Proposition 4.7.
Proposition 4.8 If k is a quadratic number field with ring of integers Ok , then each
π ∈ Ok with prime norm is prime.

This is easy to see if Ok is a unique factorization domain (see the next section):
Elements with prime norm are irreducible, and in unique factorization domains,
irreducible elements are prime. In order to prove this for general rings Ok , we show
that the residue class ring Ok /πOk does not have zero divisors. In fact, we will
show that Ok /πOk ≅ Fp = Z/pZ is isomorphic to the field with p elements.
To this end, let {1, ω} be an integral basis of Ok ; then π = a + bω for integers
a, b ∈ Z. We claim that b is not divisible by π (and thus not divisible by p = |ππ′|).
In fact, π | b implies π | a since a = π − bω, and taking norms, we find p | a^2 and
p | b^2. Since p is prime, this implies that p | a and p | b. But then π = a + bω
would be divisible by p, and hence π would be a unit: a contradiction.
Thus there exists an integer c ∈ Z with bc ≡ 1 mod p, and in particular, we
have bc ≡ 1 mod πOk . We find bω ≡ −a mod π, after multiplying through by c,
thus ω ≡ −ac mod πOk . If any γ = r + sω ∈ Ok is given, then we find γ ≡
r − sac mod πOk , and thus modulo π every element is congruent to an ordinary
integer. Reducing this number modulo p (and p is a multiple of π), we find that γ
is congruent to one of the numbers 0, 1, 2, . . . , p − 1 modulo π.
Now it is easy to show that there are no zero divisors in the ring of residue
classes: If we had αβ ≡ 0 mod π and if A, B ∈ {0, 1, . . . , p − 1} are integers
with α ≡ A mod πOk and β ≡ B mod πOk , then π | AB; taking norms yields
p | A^2 B^2, and hence p | A or p | B. Thus A = 0 or B = 0, and therefore
α ≡ A = 0 mod π or β ≡ B = 0 mod π.
Proposition 4.9 Let p be an odd prime number and Ok the ring of integers in k =
Q(√m). Then p is prime in Ok if and only if the congruence x^2 ≡ m mod p is not
solvable.
Proof If x^2 ≡ m mod p is solvable, then p | (x + √m)(x − √m), but p ∤ (x ± √m).
Thus p is not prime.
Now we show that p remains prime in Ok if (m/p) = −1. This case is not covered
by Proposition 4.8 since here N(p) = p^2 is not prime. The idea for proving the
result is the same as in the proof of Proposition 4.8: We show that the residue classes
modulo p in Ok form a field.
We will give the proof in the case where Ok = Z[√m]. Here the residue classes
modulo p in Ok are represented by the p^2 elements a + b√m with 0 ≤ a, b < p;
clearly every α ∈ Ok is congruent modulo p to one of these elements, and they are
pairwise distinct. These residue classes form a ring, and we want to show that they
form a field. This will follow if we can write down an inverse for each residue class
a + b√m mod p different from 0 mod p. Now

$$\frac{1}{a + b\sqrt{m}} = \frac{a - b\sqrt{m}}{a^2 - mb^2},$$

and the denominator is ≡ 0 mod p if and only if a and b are divisible by p
(otherwise m would be a quadratic residue modulo p). Since 0 ≤ a, b < p, this
implies a = b = 0. In fact, a^2 ≡ mb^2 mod p implies either (if b ≠ 0) that
(a/b)^2 ≡ m mod p, and then x^2 ≡ m mod p is solvable and m is a quadratic residue
modulo p, or (if b = 0) that a^2 ≡ 0 mod p and hence a = 0. Thus for each nonzero
residue class a + b√m mod p, the inverse is given by (a − b√m)/(a^2 − mb^2) mod p.
In the case m ≡ 1 mod 4, the residue classes modulo p are represented by
elements a + bω with 0 ≤ a, b < p; the rest of the proof is left to the readers
as an exercise. □
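The inverse formula from the proof of Proposition 4.9 can be checked by brute force. The following Python code is an added example, not taken from the book: residue classes a + b√m mod p are stored as pairs (a, b), all function names are choices made here, and it assumes Ok = Z[√m] (m ≡ 2, 3 mod 4) and an odd prime p.

```python
# Added example: arithmetic modulo an odd prime p in Z[sqrt(m)].
# A pair (a, b) stands for the residue class a + b*sqrt(m) with 0 <= a, b < p.

def legendre(m, p):
    """Legendre symbol (m/p) for an odd prime p, via Euler's criterion."""
    r = pow(m % p, (p - 1) // 2, p)      # r is 0, 1 or p - 1
    return -1 if r == p - 1 else r

def mul(x, y, m, p):
    """(a + b*sqrt(m)) * (c + d*sqrt(m)) reduced modulo p."""
    a, b = x
    c, d = y
    return ((a * c + m * b * d) % p, (a * d + b * c) % p)

def inverse(x, m, p):
    """Inverse (a - b*sqrt(m)) / (a^2 - m*b^2) mod p, as in the proof.
    Returns None when the denominator a^2 - m*b^2 is divisible by p."""
    a, b = x
    denom = (a * a - m * b * b) % p
    if denom == 0:
        return None
    d_inv = pow(denom, -1, p)            # inverse in F_p (Python 3.8+)
    return ((a * d_inv) % p, (-b * d_inv) % p)

def non_invertible_classes(m, p):
    """All nonzero residue classes modulo p that have no inverse."""
    return [(a, b) for a in range(p) for b in range(p)
            if (a, b) != (0, 0) and inverse((a, b), m, p) is None]

def is_field(m, p):
    """True if every nonzero class has an inverse that multiplies back to 1."""
    for a in range(p):
        for b in range(p):
            if (a, b) == (0, 0):
                continue
            inv = inverse((a, b), m, p)
            if inv is None or mul((a, b), inv, m, p) != (1, 0):
                return False
    return True

def zero_divisor_pair(m, p):
    """If x^2 = m mod p is solvable, return the classes of x + sqrt(m) and
    x - sqrt(m); their product x^2 - m is 0 mod p although neither factor is."""
    for x in range(1, p):
        if (x * x - m) % p == 0:
            return (x, 1), (x, p - 1)
    return None

if __name__ == "__main__":
    for m, p in [(2, 3), (2, 7), (-1, 5), (-1, 7)]:   # constructed sample values
        print(m, p, legendre(m, p), is_field(m, p), zero_divisor_pair(m, p))
```

For (m/p) = −1 the p^2 classes form a field; for (m/p) = +1 the classes x ± √m are zero divisors, so p is not prime.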

For p = 2, there is a corresponding criterion that may be proved in a similar
manner.
Proposition 4.10 The element p = 2 is prime in the ring of integers Ok of the
quadratic number field k = Q(√m) if and only if m ≡ 5 mod 8.
We leave the proof as an exercise for the readers.

4.2 Unique Factorization Domains

A domain in which the theorem of unique factorization holds is called a unique
factorization domain (UFD). More exactly, we demand
UFD–1. Each non-unit ≠ 0 is a product of finitely many irreducible elements.
UFD–2. Irreducible elements are prime.
There are domains in which UFD–1 fails: In the domain A that is obtained by
adjoining all 2^n-th roots of 2 to Z, namely A = Z[√2, ⁴√2, ⁸√2, . . .], the element
2 cannot be written as a finite product of irreducible elements since

$$2 = \sqrt{2}\,\sqrt{2} = \sqrt[4]{2}\,\sqrt[4]{2}\,\sqrt[4]{2}\,\sqrt[4]{2} = \dots$$

The defining property of unique factorization domains is that the factorization
guaranteed by UFD–1 should be unique:
UFD–3. Let a ∈ R \ {0} and a = ep1 · · · ps = e′q1 · · · qt , where e, e′ ∈ R × are
units and where the pj and qj are irreducible elements in R. Then s = t, and we
can rearrange the qj in such a way that pi ∼ qi for i = 1, . . . , s.
Clearly, UFD–3 holds in any unique factorization domain.
Proposition 4.11 Conditions UFD–2 and UFD–3 are equivalent in every domain
R in which UFD–1 holds.
Proof UFD–2 ⇒ UFD–3: Since the pi are irreducible, they are prime by
assumption. In particular, p1 divides one of the factors qj , say q1 . Since q1 is
irreducible, we must have p1 ∼ q1 . Since R is a domain, p1 may be canceled,
and we obtain e1 p2 · · · ps = e1 q2 · · · qt . Induction now yields the claim.
UFD–3 ⇒ UFD–2: Let a be irreducible and a | xy, where x, y ∈ R. Then
there exists an element b ∈ R with ab = xy. Because of UFD–3, the decomposition
into irreducible elements is unique up to order and units; thus an associate of a must
occur in the factorization of x or y, and we find a | x or a | y. Thus a is prime. □
Since 1 + √−5 is irreducible in R = Z[√−5], but not prime, R is not a unique
factorization domain. This fact also proves that the theorem of unique factorization
in Z, which often seems obvious to beginners in number theory, requires a proof.
We call an element d in some domain a common divisor of elements a, b ∈ R
if d | a and d | b. How should we choose a “greatest” common divisor among
these common divisors? In the ordinary integers, we can choose the greatest divisor
with respect to the absolute value, but this is not a suitable definition for general
domains R. What we want is a definition of the greatest common divisor in terms of
divisibility alone: We call d ∈ R a greatest common divisor of a, b ∈ R and write
d ∼ gcd(a, b) if d has the following properties:
GCD–1. d is a common divisor of a and b, i.e., d | a and d | b.
GCD–2. Every common divisor of a and b divides d, i.e., if c | a and c | b for some
c ∈ R, then c | d.
Again we would like to emphasize the fact that this definition is well suited for
building a theory of greatest common divisors but cannot easily be used for finding
a greatest common divisor of two elements in some domain.
In unique factorization domains, the greatest common divisor of two elements
can be written down explicitly. In fact, if a = u ∏ p^{α_p} and b = v ∏ p^{β_p} are the
prime factorizations of a and b (with units u, v ∈ R × ), then we can easily show
that d = ∏ p^{min(α_p, β_p)} is a greatest common divisor of a and b. One has to remark
that even in the case of the ordinary integers, finding the prime factorization of two
(large) integers can be very difficult.
Two elements a and b of some unique factorization domain R are called coprime
(or relatively prime) if their greatest common divisor is a unit. Observe that we
demand that R be a unique factorization domain. In fact, in domains without unique
factorization, a greatest common divisor need not exist, and if it does, it need not
have the properties we expect from a greatest common divisor, such as gcd(a, b)^2 =
gcd(a^2, b^2).
Proposition 4.12 If R is a unique factorization domain, if a, b ∈ R are coprime,
and if ab = ex^n (n ≥ 2) for some unit e ∈ R × and some x ∈ R, then there exist
units e1 , e2 ∈ R × and elements c, d ∈ R such that a = e1 c^n and b = e2 d^n, where
cd = x and e1 e2 = e.
Proof We prove this by induction on the number of prime factors of a. If a is a unit,
then the claim follows with c = 1, d = x, e1 = a, and e2 = ea^{−1}.
Assume that the claim is true for all a ∈ R with at most t different prime factors,
and let p ∈ R be a prime with p | a. Assume that p^h ∥ a (we write p^h ∥ a if p^h | a
and p^{h+1} ∤ a, i.e., if p^h is the largest power of p that divides a). Since p^h ∥ x^n (here
we use the fact that a and b are coprime), we must have h = nk for some k ∈ N and
p^k ∥ x. Thus a = p^h a1 , x = p^k x1 and a1 b = e x1^n. By induction assumption, we
have a1 = e1 c^n and b = e2 d^n, and now the claim follows since a = e1 (cp^k)^n. □
Corollary 4.13 If R is a unique factorization domain, if gcd(a, b) = p for elements
a, b, p ∈ R, where p is prime, and if ab = ex^n (n ≥ 2) for some e ∈ R × and x ∈ R,
then there exist units e1 , e2 ∈ R × and c, d ∈ R with a = e1 pc^n and b = e2 p^{n−1} d^n
(after switching a and b, if necessary).
Proof Exercise 4.28. □


4.3 Principal Ideal Domains

Principal ideal domains will play a minor role in this chapter, mainly as a link in the
chain of inclusions
Euclidean Domains ⊂ Principal Ideal Domains ⊂ Unique Factorization Domains
that we will use for constructing unique factorization domains. Both inclusions
are proper; for rings of integers in quadratic number fields (and in fact of general
number fields), the second inclusion is in fact an equality.
First we will have to explain the notion of a principal ideal domain. To this end,
consider a domain R; a subring I of R is called an ideal of R if I · R ⊆ I . Thus an
ideal is a subset of a domain that is closed with respect to addition (I + I ⊆ I ) as
well as with respect to multiplication by arbitrary elements of the domain R.
Observe that I is a subring of R if the weaker condition I · I ⊂ I is satisfied.
In the domain R = Z, it can be shown that each subring is an ideal. The following
example shows that this is not true for general domains: The set

M = Z + 2√m Z = {a + 2b√m : a, b ∈ Z}

is a subring of Z[√m], but not an ideal. This is because MR = R; in fact, 1 ∈ M
implies that each element of R is contained in MR. Since √m ∈ R \ M, the subring
M is not an ideal.
It is very easy to write down examples of ideals. If we are given elements
a1 , . . . , an ∈ R, then the set of all R-linear combinations

I = (a1 , . . . , an ) := {a1 r1 + . . . + an rn : rj ∈ R}

of these elements is an ideal called the ideal generated by a1 , . . . , an . Clearly I is


closed with respect to addition; thus it remains to verify that I R ⊆ I . But this is
easy: Since a = a1 r1 + . . . + an rn ∈ I , clearly ar = a1 (r1 r) + . . . + an (rn r) is an
element of I .
In our proofs we have to consider ideals generated by infinitely many elements
a1 , a2 , . . . These ideals I = (a1 , a2 , . . .) are by definition the set of all finite R-linear
combinations of the elements ai ∈ I .
Remark In fields R = K, there are only two different ideals, namely the zero ideal
(0) and the unit ideal (1) = R.
Ideals generated by a single element a are called principal ideals. These have the
form I = (a) = {ar : r ∈ R}; occasionally, we will write I = aR. Principal ideals
(a) consist of all multiples of a.
The transition from elements to principal ideals consists essentially in disregard-
ing units.
Lemma 4.14 For a, b ∈ R, the following assertions are equivalent:
1. (a) = (b);
2. There is a unit e ∈ R × with a = be.
The proof is a simple exercise.
A domain in which each ideal is principal is called a principal ideal domain
(PID). Clearly, the ring Z of ordinary integers is a PID; in fact, the ideal (a1 , . . . , an )
is generated by the greatest common divisor d = gcd(a1 , . . . , an ). Not every unique
factorization domain is a principal ideal domain; the best known example is the
domain C[x, y] of polynomials in two variables with complex coefficients; here,
(x, y) is not principal, as is easily seen.
Remark The fact that C[x, y] is a unique factorization domain follows from a well-
known theorem in algebra: If R is a UFD, then so is the polynomial ring R[y]. Since
R = C[x] is a UFD (this ring is even Euclidean—see Sect. 4.4), the claim follows.
Now we prove that principal ideal domains have unique factorization.
Theorem 4.15 Principal ideal domains are unique factorization domains.
Proof Assume that UFD–1 is not satisfied. Then there is an a1 ∈ R that cannot
be written as a product of irreducible elements (in particular, a1 is not irreducible).
Thus, a1 = a2 b2 (for non-units a2 , b2 ∈ R \R × ), where one of the factors, say a2 , is
not a product of irreducible elements. Thus, a2 = a3 b3 , etc., and we obtain a chain
of elements a1 , a2 , a3 . . . ∈ R with a2 | a1 , a3 | a2 , . . . , where ai and ai+1 are not
associated.
Now consider the ideal I = (a1 , a2 , . . .) generated by the ai . By assumption,
there is an element a ∈ R with I = (a), and thus there exist m ∈ N and ri ∈ R
such that a = r1 a1 + . . . + rm am . Since am | am−1 | · · · | a1 , we have am | a. Since
am+1 ∈ (a), there is an element r ∈ R such that am = ar, i.e., with a | am+1 . By
construction of the ai , we have am+1 | am , and hence am and am+1 are associated in
contradiction to the construction of the ai .
Now we show that irreducible elements are prime (UFD–2). To this end, let a ∈
R be irreducible, and let x, y ∈ R be given with a | xy and a ∤ x; then we have to
show that a | y. Now (a, x) = (d) for some d ∈ R; thus d | a and d | x. If we
had d ∼ a, it would follow that a | x in contradiction to our assumption. Since a
is irreducible, d must be a unit. Thus d^{−1} ∈ R, and therefore 1 = d^{−1}d ∈ (d) =
(a, x), i.e., there exist m, n ∈ R with 1 = ma + nx. Multiplication by y yields
y = may + nxy, and since a | xy, we find a | y. This is what we wanted to show. □

An important property of principal ideal domains is the fact that they are Bézout
domains:² A domain R is called a Bézout domain if for all a, b ∈ R there exists
a d ∼ gcd(a, b) such that d = ar + bs is an R-linear combination of a and b.
Principal ideal domains are always Bézout domains: Given a, b ∈ R, we form the
ideal I = (a, b); since R is a principal ideal domain, there is an element d ∈ R with
(a, b) = (d). We claim that d ∼ gcd(a, b). In fact, since a ∈ (d), there is a t ∈ R
with a = dt; this shows that d | a, and similarly we find that d | b, and hence d is
a common divisor of a and b. On the other hand, d ∈ (a, b) implies that there are
elements r, s ∈ R with d = ar + bs; if e is any common divisor of a and b, then e
divides ar + bs = d, and hence d is a greatest common divisor of a and b. Observe
that we have proved the Bézout property en passant.

² Étienne Bézout (1730–1783) was a French mathematician, an author of textbooks. Bézout proved
the existence of Bézout elements for polynomial rings; in the case of integers, they already occurred
in the work of Bachet.

4.4 Euclidean Domains

In his Lectures on number theory [31, p. 20], Dirichlet (actually we do not know how
much of this is due to Dedekind) discusses the foundations of elementary number
theory and then writes the following:
It is now clear that the whole structure rests on a single foundation, namely the algorithm for
finding the greatest common divisor of two numbers. [. . . ] any analogous theory, for which
there is a similar algorithm for the greatest common divisor, must also have consequences
analogous to those in our theory.

In order to show that some domain R is a unique factorization domain, we will


at first use the Euclidean algorithm. A function f : R −→ N0 is called a Euclidean
function if it has the following properties:
EA–1. f (a) = 0 if and only if a = 0.
EA–2. For all a ∈ R and b ∈ R \ {0}, there exists a c ∈ R such that f (a − bc) <
f (b).
If there exists a Euclidean function on R, then R is called a Euclidean domain.
The ring of integers Z is Euclidean with respect to the absolute value | · |. Other
examples of Euclidean domains will be given in the Exercises section. The first
domain R ≠ Z that was shown to be Euclidean was the ring Q[X] of polynomials
with rational (or real) coefficients. The existence of a Euclidean algorithm in this
domain was proved by the Dutch mathematician Simon Stevin (1548–1620). Stevin
wrote almost a dozen textbooks and helped to popularize the decimal system in
Europe.
Theorem 4.16 Euclidean domains are principal ideal domains.

Proof Let f be a Euclidean function on R, and let A ⊆ R be an ideal in R. Among
the elements in A\{0}, there is one, say a, for which f is minimal (in fact, the values
of f are natural numbers). We claim that A = (a). Since a ∈ A, we clearly have
(a) ⊆ A; it remains to prove the reverse inclusion. To this end, take an arbitrary
b ∈ A; by EA–2, there is a q ∈ R with f (b − aq) < f (a); since f (a) was chosen
minimal on A \ {0}, we have f (b − aq) = 0, and EA–2 implies that b = aq. Thus
b ∈ (a), and since b ∈ A was arbitrary, we even have A ⊆ (a). □

In particular, Euclidean domains have the Bézout property, i.e., given an ideal
(a, b), an element d ∼ gcd(a, b) can be written as d = ar + bs with r, s ∈ R. The
advantage of working in a Euclidean ring is that given a, b ∈ R, we can compute
the greatest common divisor d ∼ gcd(a, b) as well as the Bézout elements r and s
using the Euclidean algorithm.

To this end, take elements a, b ∈ R \ {0}; applying the Euclidean algorithm,
we find q0 , r1 ∈ R with a − bq0 = r1 and f (r1 ) < f (b). Similarly, there exist
q1 , r2 ∈ R with b − r1 q1 = r2 and f (r2 ) < f (r1 ) (unless we already have r1 = 0;
in this case, a = bq0 and d = b = 0a + 1b, so everything is trivial). Continuing in
this way, we find a chain of equations

\begin{align*}
a - b q_0 &= r_1, & f(r_1) &< f(b),\\
b - r_1 q_1 &= r_2, & f(r_2) &< f(r_1),\\
r_1 - r_2 q_2 &= r_3, & f(r_3) &< f(r_2),\\
&\;\;\vdots & &\;\;\vdots\\
r_{n-2} - r_{n-1} q_{n-1} &= r_n, & f(r_n) &< f(r_{n-1}),\\
r_{n-1} - r_n q_n &= r_{n+1}, & f(r_{n+1}) &< f(r_n).
\end{align*}

Now the natural numbers f (rj ) cannot become arbitrarily small; thus there exists
an index n ∈ N with rn+1 = 0. We then claim that rn ∼ gcd(a, b). In fact, it follows
from the last row that rn | rn−1 , and then the next to last row gives rn | rn−2 , and in
this way we climb the ladder until we reach rn | r1 , rn | b and rn | a. Thus rn is a
common divisor of a and b.
Conversely, if d is any common divisor of a and b, then the first row tells us that
d | r1 , the second d | r2 , etc., and eventually we reach d | rn . In other words, rn is a
greatest common divisor.
It may be said that the definition of the greatest common divisor is chosen in such
a way that the proof of this fundamental result on the Euclidean algorithm becomes
essentially trivial.
We obtain the Bézout elements r, s ∈ R as follows: We start with rn = rn−2 −
rn−1 qn−1 and replace the rj with the maximal index by the linear combination in
the preceding row, in our case rn−1 by rn−1 = rn−3 − rn−2 qn−2 . Now we have
written rn as a linear combination of rn−2 and rn−3 . Next we replace rn−2 by rn−2 =
rn−4 − rn−3 qn−3 , etc., until we finally have written rn as an R-linear combination
of a and b.

4.4.1 Summary

We have defined the following notions in quadratic number rings:


• divisibility and congruences,
• units and associate elements, and
• primes and irreducible elements.

Among the important results we have obtained are the following:

• Primes are irreducible; the converse holds in unique factorization domains.
• We have the inclusions
Unique Factorization Domains ⊃ Principal ideal domains ⊃ Euclidean domains.
Moreover we know that in unique factorization domains, there exist greatest
common divisors d = gcd(a, b); in principal ideal domains, there exist Bézout
elements: We can write the greatest common divisor as a Z-linear combination of
a and b: d = am + bn. Finally, in Euclidean domains, we have an algorithm for
computing greatest common divisors as well as Bézout elements.

4.5 Exercises

4.1. In the ring R = Z[x] of polynomials, show that x | f (x) for some f ∈ R if
and only if f (0) = 0. Show more generally that (x − a) | f (x) if and only if
f (a) = 0.
Show that these properties continue to hold in polynomial rings R = K[x]
over fields K. What about polynomial rings over domains or arbitrary rings?
4.2. Show that (1.12) is also a counterexample to the Four Numbers Theorem in
Z[√−5 ], whereas (1.11) is compatible with the Four Numbers Theorem in
Z[√−2 ].
4.3. Let R be a domain. Consider the set S of pairs (p, q) and define an
equivalence relation on S by (p, q) ∼ (r, s) if and only if ps = qr. On
the set K of equivalence classes, define addition and multiplication via
• (p, q) + (r, s) = (ps + qr, qs);
• (p, q) · (r, s) = (pr, qs).
Show that this is well defined and that it makes K into a field with neutral
elements (0, 1) for addition and (1, 1) for multiplication.
Show that the map ι : R −→ K : r ↦ (r, 1) is an injective ring
homomorphism. The field K is called the quotient field of R, and we may
regard R as a subring of K via the embedding ι.
4.4. Let R ⊆ S be domains, and let a, b, m ∈ R. Does a ≡ b mod m in R imply
the same congruence in S? Is the converse true?
4.5. Each fraction in Q can be reduced to lowest terms in a unique way; in
Z[√−5 ], on the other hand, (1 + √−5 )/2 = 3/(1 − √−5 ), and both fractions are
reduced to lowest terms. Find more such examples.
4.6. Let α, β ∈ Ok ; show that α | Nα. If moreover α | β, then Nα | Nβ (even in
Z).
4.7. Show that if √−2 | y in Z[√−2 ] for some y ∈ Z, then 2 | y.
Show more generally that √m | y, where m is squarefree, always implies
that m | y.
Find a counterexample to the claim that α | y always implies Nα | y.
4.8. Show that a + bi ≡ a + b mod (1 + i) in Z[i].
4.9. Prove Proposition 4.1.
4.10. Prove Proposition 4.3.
4.11. Show that a | b in Z implies a | b in the ring of integers Ok in a quadratic
number field k.
4.12. Show that the set of units R × in some ring R is a group with respect to
multiplication.
4.13. Show that if R = K is a field, then K × = K \ {0}.
4.14. If R is a domain and R[X] the ring of polynomials in one variable X with
coefficients from R, then R[X]× = R × , that is, the units in this polynomial
ring are all constant.
Show, on the other hand, that the polynomial 2X + 1 in (Z/4Z)[X] is a
unit.
4.15. Show that the unit groups of the domains R = Z[√m ] for m < −1 are given
by R × = {−1, +1}.
4.16. Let Ok be the ring of integers in a quadratic number field k, and let Ek = Ok×
be its unit group. Show that Ek is a Gal (k/Q)-module (see Exercise 2.16).
4.17. Show: If R is a domain containing Z, and if π is prime in R, then the smallest
natural number divisible by π in R is a prime number.
4.18. Show that Nα = 1 for α = (1 + 2i)/(1 − 2i) ∈ Q(i), but that α is not a unit in Z[i].
Construct infinitely many such examples.
4.19. Show that Z is Euclidean with respect to the absolute value.
4.20. Show that the polynomial ring K[x], where K is a field, is Euclidean with
respect to f (a) = 2^(deg a), where deg a denotes the degree of a ∈ K[x], and
where we have set deg 0 = −∞ in order to have 2^(deg 0) = 2^(−∞) = 0.
4.21. Discuss the examples 2 · 3 = −√−6 · √−6 in Z[√−6 ], 2 · 3 = √6 · √6 in
Z[√6 ], and 2 · 7 = (2 + √−10 )(2 − √−10 ) in Z[√10 ] as in (1.12).
4.22. Consider the quadratic number field k = Q(√m ); which of the rational
prime numbers p ∈ {2, 3, 5} in Ok with m ∈ {−5, −3, −2, −1, 2, 3, 5} are
irreducible and which are not?
4.23. Show that elements π ∈ Ok are irreducible if Nπ is a rational prime.
4.24. Let R be a unique factorization domain. Show:
a. gcd(a², b²) = (gcd(a, b))² for all a, b ∈ R.
b. If gcd(a, b) = 1, then gcd(a², b) = 1.
c. gcd(a + b, b) = gcd(a, b).
d. gcd(ra, rb) = r gcd(a, b).
4.25. Show that the elements a = 1 + √−5 and b = 1 − √−5 do not have a
common divisor except ±1, but that 2 is a common divisor of a² and b².
4.26. Let S be the domain you obtain by adjoining the element ω = (1 + √−5 )/2
to R = Z[√−5 ]. Show that S = R[1/2] and S ∩ Q = Z[1/2].
Show moreover that the decomposition (1.12) is not an example for
nonunique factorization into irreducible elements because 3 = (1/2)(1 − √−5 )(1 + √−5 )
is a factorization of 3 into the unit 1/2 and the two irreducible
(and even prime) elements 1 ± √−5. Explain the equation 3 · 3 = (2 − √−5 )(2 + √−5 )
by giving a factorization into irreducible elements.
4.27. Solve the Diophantine equation x² + 5y² = z² by setting x + y√−5 =
(r + s√−5 )² as Euler did, and show that the resulting parametrization x =
r² − 5s², y = 2rs does not yield all integral solutions of the equation.
Use the domain S = Z[√−5, 1/2] from the preceding exercise for obtaining
a complete parametrization of the solutions.
4.28. Prove Corollary 4.13. Hint: Try to obtain a = pa1 and b = pn−1 b1 , and then
apply Proposition 4.12 to a1 and b1 .
4.29. Determine all integral points on the elliptic curve 4y² = x³ + 1, i.e., all pairs
(x, y) ∈ Z × Z satisfying this equation.
4.30. Find all ring homomorphisms κ from Z[√−5 ] to Z/2Z, Z/3Z and Z/5Z,
and determine their kernels.
4.31. Show that the even integers 2Z form an ideal in Z. More generally, the sets
mZ for arbitrary m ∈ Z are ideals in Z.
4.32. Let (a) and (b) be principal ideals in some domain R. Show that a | b if and
only if (a) ⊇ (b). Show moreover that this implies the equivalence of the
following assertions:
a. (a) = (b);
b. a | b and b | a;
c. a = be for some unit e ∈ R × .
4.33. Show that the set

\[ T = \left\{ \begin{pmatrix} a & b \\ 0 & d \end{pmatrix} : a, b, d \in \mathbb{Z} \right\} \]

is a subring of R = M2 (Z), the ring of all 2 × 2-matrices with entries from Z
(this ring is neither commutative nor a domain since it contains zero divisors),
but that T is not an ideal in R. Hint: Consider the product of the identity
matrix with a lower triangular matrix such as $\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$.
4.34. Let R ⊆ S be domains. Show that I ∩ R is an ideal in R if I is an ideal in S.
4.35. If I is a nonzero ideal in the ring of integers Ok of a quadratic number field
k, then I contains a natural number ≠ 0. (Hint: Take the norm). Show that,
on the other hand, the ideal (X) in the polynomial rings Z[X] and Q[X] does
not contain any natural number ≠ 0.
4.36. Show that the polynomial ring Z[x] admits a lot more homomorphisms
into simpler rings than the rings of integers Ok ; show in particular that the
reductions πp modulo p and πx modulo x yield the following commutative
diagram:

\[
\begin{array}{ccc}
\mathbb{Z}[x] & \xrightarrow{\ \pi_p\ } & \mathbb{F}_p[x] \\
{\scriptstyle \pi_x}\Big\downarrow & & \Big\downarrow{\scriptstyle \pi_x} \\
\mathbb{Z} & \xrightarrow{\ \pi_p\ } & \mathbb{F}_p
\end{array}
\]

4.37. Let k be a quadratic number field. Show that Z is a subring of Ok , but not an
ideal in Ok .
4.38. Show that the set 2Z + √2 Z is an ideal in Z[√2 ] consisting of the multiples
of √2. Show moreover that Z + 2√2 Z is a subring of Z[√2 ], but not an
ideal.
4.39. An order O in some quadratic number field is a subring of Ok that properly
contains Z. Consider the set F = {f ∈ Z : f ω ∈ O for all ω ∈ Ok }. Show
that F is an ideal in Z; the generator f > 0 of this ideal F = (f ) is called
the conductor of the order O. Show that the maximal order Ok has conductor
1.
4.40. Show that gcd(2, x) = 1 in the unique factorization domain Z[x] and that
there do not exist associated Bézout elements, i.e., that there do not exist
polynomials p, q ∈ Z[x] with 2p(x) + xq(x) = 1.
Is (2, x) a principal ideal in Z[x] or in Q[x]?
4.41. Find ideals in Z[√−6 ], Z[√−10 ], and Z[√10 ] that are not principal.
4.42. Let R be the domain of all algebraic integers. Show that 2 does not
possess a factorization into irreducible elements. Also show that the ideal
$(2, \sqrt{2}, \sqrt[4]{2}, \sqrt[8]{2}, \ldots)$ is not principal in R and that it is not even finitely
generated (this means that it is not generated by finitely many elements, i.e.,
it does not have the form (a1 , . . . , an ) for suitable elements aj ∈ R).
4.43. Let R be a domain containing Z (for example, R = Ok ). Show that if a, b ∈ Z
are coprime in Z, then they are also coprime in R. (Hint: Bézout).
4.44. Compute the Bézout elements for gcd(21, 15) in Z.
4.45. For n ≥ 3, compute the greatest common divisor of the polynomials x^n +
x² − 2 and x² − 1 in Z[x] (the result will depend on n). How can the result
that x − 1 is always a common divisor be verified in advance?
4.46. Let α, β ∈ Ok and (Nα, Nβ) = 1 in Z. Then gcd(α, β) ∼ 1 in Ok even if Ok
is not a unique factorization domain.
4.47. Bézout elements can be used for inverting residue classes. Assume for
example that a and m are coprime integers; show how to find the inverse
of the residue class a mod m in (Z/mZ)× (i.e., the element b ∈ Z such that
ab ≡ 1 mod m). Compute 1/2 mod 21 and 1/5 mod 33.
4.48. Study the equation y² = x³ + 9 in integers.
4.49. Use the factorization (y − k)(y + k) = x³ to deduce results on the integral
solutions of the Diophantine equation y² = x³ + k² for a fixed integer k. This
is more of an open problem than an exercise. Do not despair if you cannot
find a complete solution (and look for an error if you do).
4.50. For integers k, study the Diophantine equation y² = x³ − k². You should
be able to prove that this equation is solvable for k = b(3a² − b²) or k =
2(a³ + 3a²b − 3ab² − b³). For k = 88, there are two different representations
k = b(3a² − b²), and hence there are at least two solutions of the equation
y² = x³ − k² in this case. Can the number of solutions become arbitrarily
large?
4.51. Solve the Diophantine equation (1 + 8i)x + (5 + 4i)y = 1 in Z[i].
Chapter 5
Arithmetic in Some Quadratic Number
Fields


Although already Euler had used numbers of the form a + b√−2 for solving the
Diophantine equation y² + 2 = x³ in integers, it was Gauss who laid the foundations
for the arithmetic of quadratic number rings such as Z[i] by defining prime elements
and units and proving unique factorization for the first number ring strictly larger
than the ordinary integers. He did so in his second memoir on biquadratic residues
published in 1831.
In this chapter we will discuss a few examples of quadratic number rings. For
the example of the ring of integers in Q(√5 ), we refer to the dissertation by Dodd
[32]; more examples may be found in Sommer’s book [118] and in the still excellent
introduction to number theory by Hardy and Wright [53].

5.1 The Gaussian Integers

We will start our journey through various quadratic number rings with the ring Z[i]
of Gaussian integers.

5.1.1 Z[i] Is Norm-Euclidean

Consider the domain R = Z[i]; we want to show that the norm is a Euclidean
function in R. To this end, we have to find, for each α ∈ R and each β ∈ R \ {0}, an
element γ ∈ R such that

N(α − βγ ) < N(β). (5.1)

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_5

Since we are dealing with infinitely many pairs (α, β), this looks difficult. But if
we divide (5.1) by N(β) using the multiplicativity of the norm, we see that it is
sufficient to find some γ ∈ R for each ξ = α/β ∈ k = Q(i) such that

N(ξ − γ ) < 1. (5.2)

If we can find such a γ ∈ R for some ξ , then we can solve this inequality for any
ζ ∈ k that differs from ξ by an integer η ∈ R since

N((ξ − η) − (γ − η)) = N(ξ − γ ) < 1.

Thus it is sufficient to consider only those ξ ∈ k that have the form ξ = x + yi
with |x|, |y| ≤ 1/2. We claim that for all such ξ , a single element γ suffices, namely
γ = 0. In fact, we have

\[ N(\xi - \gamma) = N(\xi) = x^2 + y^2 \le \frac{1}{4} + \frac{1}{4} = \frac{1}{2} < 1. \]

Thus Z[i] is Euclidean with respect to the norm, and in particular it is a unique
factorization domain.
In the plane of Gaussian numbers, the elements ξ ∈ Q(i) with N(ξ ) ≤ 1/2 lie
inside a circle with radius 1/√2 around the origin. If we place a circle with this
radius around each lattice point, i.e., around each point a + bi with a, b ∈ Z (see
Fig. 5.1), then these circles cover the whole plane. This implies that for each ξ ∈
Q(i), there is a γ ∈ Z[i] satisfying (5.2), and in fact we may even demand that
N(ξ − γ ) ≤ 1/2.

Fig. 5.1 The covering of Z[i] with circles of radius 1/√2

This proof that Z[i] is Euclidean is constructive: We can use it for finding the
greatest common divisor of two Gaussian integers. In order to compute, e.g.,
gcd(1 + 12i, 7 + 4i), we find the nearest integer to

\[ \frac{1 + 12i}{7 + 4i} = \frac{(1 + 12i)(7 - 4i)}{(7 + 4i)(7 - 4i)} = \frac{55 + 80i}{65} = \frac{11 + 16i}{13}, \]

which is 1+i, and we obtain, as the first step in the Euclidean algorithm, the equation

1 + 12i = (1 + i)(7 + 4i) + (−2 + i).

The next step consists of the observation that

\[ \frac{7 + 4i}{-2 + i} = \frac{(7 + 4i)(2 + i)}{(-2 + i)(2 + i)} = -2 - 3i. \]

Thus the Euclidean algorithm produces the chain of equations

\begin{align*}
1 + 12i &= (1 + i)(7 + 4i) + (-2 + i),\\
7 + 4i &= (-2 - 3i)(-2 + i),
\end{align*}

which implies that gcd(1 + 12i, 7 + 4i) ∼ −2 + i ∼ 1 + 2i.


Prime Elements and Associates Now that we know that R = Z[i] is a Euclidean
domain and therefore has the unique factorization property, we would like to
determine the primes in R. We start with an observation valid for all quadratic
number fields.

Proposition 5.1 Let Ok be the ring of integers in some quadratic number field k.
Then for each prime π ∈ Ok , there is a unique prime number p ∈ N with π | p. In
particular, Nπ = ±p or Nπ = ±p².
Proof Since π | Nπ, we see that π divides the prime factor p of Nπ ∈ Z; if we also
had π | q for a different prime q ≠ p, then π would divide gcd(p, q) = 1, which
is impossible since π is not a unit. The second claim follows easily from π | p by
taking the norm. In fact, we find Nπ | p² in Z, and since Nπ ≠ ±1 (otherwise π
would be a unit), we are left with the possibilities Nπ = ±p and Nπ = ±p². □
Thus there exist the following possibilities:
(1) p is prime in Ok ; then Np = p², and we say that p is inert in k.
(2) p is not prime in Ok , but irreducible; this can only happen if Ok is not a unique
factorization domain.
(3) p is reducible in Ok .
Let us have a close look at the third case. Here p = αβ for non-units α, β ∈ R.
It follows from NαNβ = p² that Nα = Nβ = ±p (if one factor had norm 1, it
would be a unit); finally, ±p = Nα = αα′ shows that we must have β = ±α′. Thus
if we write π instead of α, then ±p = ππ′, where π and π′ are primes with norm
±p. The only question remaining is whether π and π′ are distinct prime elements
or whether they are associated.
Below we will discuss this question in general; here we are content with studying
the prime elements in Z[i]. We claim:
Proposition 5.2 Let p ∈ N be a rational prime number. Then, there are the
following possibilities:
1. p = 2: Then, p is reducible in Z[i]. In fact, 2 = i(1 − i)², and π = 1 − i is, up
to associates, the only prime element dividing 2.
2. p ≡ 3 mod 4: Then, p is inert, i.e., it remains prime in Z[i] and has norm p².
3. p ≡ 1 mod 4: Then, p = ππ′ for prime elements π = a + bi and π′ = a − bi
in Z[i]. Here the primes π and π′ are not associated.
Proof The first claim is easily verified. For proving the second claim, we assume
that p ≡ 3 mod 4 is not prime in Z[i]; since this is a unique factorization domain,
p must be reducible, and hence ±p = Nπ for some prime π = a + bi. Clearly,
the positive sign must hold, and then p = a² + b², which is never ≡ 3 mod 4 since
squares are always ≡ 0, 1 mod 4: a contradiction.
Now assume that p ≡ 1 mod 4. By Euler’s criterion, −1 is a quadratic residue
modulo p, and hence there is an x ∈ N with x² ≡ −1 mod p (this also follows
easily from the existence of a primitive root g modulo p: since g^((p−1)/2) ≡ −1 mod
p, the congruence class x ≡ g^((p−1)/4) mod p solves the congruence x² ≡ −1 mod
p). This implies that x² + 1 = (x + i)(x − i) is divisible by p. Since none of the two
factors is divisible by p in Z[i], p cannot be prime in Z[i], and since this ring is a
unique factorization domain, p must be reducible. Thus p = ππ′ for some element
π = a + bi. If π ∼ π′, then π/π′ = π²/p = (a² − b² + 2abi)/p must be integral,
and hence p | a² − b² and p | ab. The second condition yields p | a or p | b,
which implies that we have p | a and p | b, hence p | π. Taking norms now gives a
contradiction. □

As a corollary we obtain the following:
Corollary 5.3 (Two-Squares Theorem by Fermat and Euler) Each prime num-
ber of the form 4n + 1, where n ∈ N, is a sum of two square numbers.
We also remark that the Euclidean algorithm provides us with a method for
computing the representation of a prime p = 4n + 1 as a sum of two squares from
a solution of the congruence x² ≡ −1 mod p. In fact, all we have to do is compute
gcd(x + i, p) = a + bi in Z[i] because then p = a² + b².
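The two computations described above, the Euclidean chain for gcd(1 + 12i, 7 + 4i) and the two-squares representation obtained from gcd(x + i, p), can be carried out as follows. This is an added example, not code from the book; the function names are its own, x is found as a^((p−1)/4) for a quadratic non-residue a, and the Bézout elements are carried forward through the chain instead of being back-substituted.

```python
# Added example (not from the book): a Gaussian integer a + b*i is the pair (a, b).

def norm(z):
    return z[0] * z[0] + z[1] * z[1]

def add(z, w):
    return (z[0] + w[0], z[1] + w[1])

def sub(z, w):
    return (z[0] - w[0], z[1] - w[1])

def mul(z, w):
    return (z[0] * w[0] - z[1] * w[1], z[0] * w[1] + z[1] * w[0])

def nearest(n, d):
    """Nearest integer to n/d for d > 0, in exact integer arithmetic."""
    return (2 * n + d) // (2 * d)

def divmod_gauss(alpha, beta):
    """(gamma, rest) with alpha = gamma*beta + rest and N(rest) <= N(beta)/2.

    gamma is the lattice point nearest to xi = alpha/beta, as in (5.2).
    """
    n = norm(beta)
    xi_num = mul(alpha, (beta[0], -beta[1]))  # alpha * conj(beta) = xi * N(beta)
    gamma = (nearest(xi_num[0], n), nearest(xi_num[1], n))
    return gamma, sub(alpha, mul(gamma, beta))

def xgcd_gauss(alpha, beta):
    """Return (d, r, s, steps) with d ~ gcd(alpha, beta) and d = alpha*r + beta*s.

    steps lists the rows (dividend, quotient, divisor, remainder) of the chain.
    """
    r0, r1 = alpha, beta
    s0, s1 = (1, 0), (0, 0)   # invariant: r0 = alpha*s0 + beta*t0
    t0, t1 = (0, 0), (1, 0)   #            r1 = alpha*s1 + beta*t1
    steps = []
    while r1 != (0, 0):
        q, rest = divmod_gauss(r0, r1)
        steps.append((r0, q, r1, rest))
        r0, r1 = r1, rest
        s0, s1 = s1, sub(s0, mul(q, s1))
        t0, t1 = t1, sub(t0, mul(q, t1))
    return r0, s0, t0, steps

def sqrt_minus_one(p):
    """x with x^2 = -1 mod p for a prime p = 1 mod 4."""
    for a in range(2, p):
        x = pow(a, (p - 1) // 4, p)   # squares to -1 exactly when a is a non-residue
        if x * x % p == p - 1:
            return x
    raise ValueError("p must be a prime congruent to 1 mod 4")

def two_squares(p):
    """(a, b) with 0 < a <= b and a^2 + b^2 = p, read off gcd(x + i, p)."""
    x = sqrt_minus_one(p)
    d = xgcd_gauss((x, 1), (p, 0))[0]
    return tuple(sorted((abs(d[0]), abs(d[1]))))

if __name__ == "__main__":
    d, r, s, steps = xgcd_gauss((1, 12), (7, 4))
    for dividend, q, divisor, rest in steps:
        print(dividend, "=", q, "*", divisor, "+", rest)
    print("gcd:", d, "Bezout elements:", r, s)
    print(two_squares(13), two_squares(998244353))
```
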
Another consequence of unique factorization in Z[i] is:

Corollary 5.4 (Euler’s Factorization Theorem) If x and y are coprime and m =
x² + y², then to each factorization m = p1 · · · pt into primes there corresponds a
factorization μ = x + yi = π1 · · · πt such that pj = Nπj for 1 ≤ j ≤ t.

Quadratic Residues We will now briefly look at Fermat’s Little Theorem in the
domain Z[i] of Gaussian integers. It is easily checked that, for odd prime numbers
p, we have

\[
(a + bi)^p \equiv
\begin{cases}
a + bi \bmod p, & \text{if } p \equiv 1 \bmod 4,\\
a - bi \bmod p, & \text{if } p \equiv 3 \bmod 4.
\end{cases}
\tag{5.3}
\]

This immediately implies:

Theorem 5.5 (Fermat’s Little Theorem) Let π ∈ Z[i] be prime. Then all elements
α ∈ Z[i] not divisible by π satisfy the congruence

\[ \alpha^{N\pi - 1} \equiv 1 \bmod \pi. \]

For the proof of the second claim, we observe that (a + bi)^p ≡ a − bi mod π,
and hence (a + bi)^(p²) ≡ a + bi mod p. If α = a + bi is not divisible by p, we are
allowed to cancel α in this congruence.
We also have, in analogy with the ordinary integers, the following proposition.

Proposition 5.6 (Euler’s Criterion) If π ∈ Z[i] is prime with odd norm and if
α ∈ Z[i] not divisible by π, then the following assertions are equivalent:
1. α is a quadratic residue modulo π, i.e., the congruence α ≡ ξ² mod π is solvable
with ξ ∈ Z[i];
2. The congruence α^((Nπ−1)/2) ≡ 1 mod π holds.

This result allows us to define the quadratic residue symbol [α/π] with values in
{±1} by the congruence

\[ \alpha^{(N\pi - 1)/2} \equiv \left[\frac{\alpha}{\pi}\right] \bmod \pi. \]

Dirichlet has shown how to derive the quadratic reciprocity law in Z[i] first
formulated by Gauss from the reciprocity law in ordinary integers by a few simple
calculations (see [77]).
Theorem 5.7 (Quadratic Reciprocity Law) If π and λ are non-associated primes
with odd norm in Z[i], and if π ≡ λ ≡ 1 mod 2, then

\[ \left[\frac{\lambda}{\pi}\right] = \left[\frac{\pi}{\lambda}\right]. \]

The generalization of the quadratic reciprocity law to general quadratic number
fields is quite technical but can be done in a similar way. The generalization to
arbitrary number fields, on the other hand, requires much deeper means and leads,
as Hilbert has shown, directly to class field theory; see for example the last chapter
in Hecke’s introduction to algebraic number theory [60].

5.1.2 Fermat’s Last Theorem in Quadratic Number Fields

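Certain Fermat equations do have solutions in quadratic number fields; we can easily
verify, for example, that

\begin{align*}
\Bigl(\tfrac{1 + \sqrt{-7}}{2}\Bigr)^4 + \Bigl(\tfrac{1 - \sqrt{-7}}{2}\Bigr)^4 &= 1^4 && \text{in } \mathbb{Z}\bigl[\tfrac{1 + \sqrt{-7}}{2}\bigr],\\
\Bigl(\tfrac{9 + \sqrt{-31}}{2}\Bigr)^3 + \Bigl(\tfrac{9 - \sqrt{-31}}{2}\Bigr)^3 &= (-3)^3 && \text{in } \mathbb{Z}\bigl[\tfrac{1 + \sqrt{-31}}{2}\bigr],\\
(5 - 9\sqrt{5}\,)^3 + (12\sqrt{5}\,)^3 &= (5 + 9\sqrt{5}\,)^3 && \text{in } \mathbb{Z}[\sqrt{5}\,].
\end{align*}

On the other hand, the cubic and the quintic Fermat equations x³ + y³ = z³ and
x⁵ + y⁵ = z⁵ do not have nontrivial solutions in Z[(1 + √−3 )/2] and
Z[(1 + √5 )/2], respectively;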

we will prove these claims below. In this section we will solve (following Hilbert
[61]) the Fermat equation with exponent 4.
Theorem 5.8 The equation α⁴ + β⁴ = γ² has only trivial solutions in Z[i].
If a + bi ∈ Z[i] has odd norm, then a and b have different parity, and hence
a² − b² ≡ ±1 mod 4 and 2ab ≡ 0 mod 4; this implies (a + bi)² = a² − b² + 2abi ≡
±1 mod 4. If the elements α, β ∈ Z[i] have odd norm, then α⁴ + β⁴ ≡ 2 mod 4,
but 2 is not a square modulo 4 (the only squares modulo 4 are 0, 2i, and ±1). Thus
we may assume that β has even norm.
We will now show that if the equation α⁴ + ελ^(4n) β⁴ = γ² is solvable, where
ε ∈ {±1, ±i} is a unit, λ = 1 + i, and where β is not divisible by 1 + i, then
(1) n ≥ 2;
(2) there exist α1 , β1 , γ1 ∈ Z[i] and a unit ε1 with

\[ \alpha_1^4 + \varepsilon_1 \lambda^{4(n-1)} \beta_1^4 = \gamma_1^2, \]

where β1 is not divisible by 1 + i.

By applying (2) sufficiently often, we will find a solution in which the exponent of
λ vanishes, and this contradicts (1).
For proving the first claim, we assume that

\[ \alpha^4 + \varepsilon \lambda^4 \beta^4 = \gamma^2 \]

with λ ∤ β. Then α⁴ ≡ 1 mod 8 implies 1 + ελ⁴ ≡ γ² mod λ⁶. Clearly, γ² ≡
−1 mod 4, and hence we must have γ ≡ 1 mod 2. But then γ² − 1 = (γ − 1)(γ + 1)
is divisible by λ² · λ³ = λ⁵, and this implies λ⁵ | ελ⁴β⁴. Thus λ | β, and this proves
the claim.

Now assume that

\[ \varepsilon \lambda^{4n} \beta^4 = \gamma^2 - \alpha^4 = (\gamma - \alpha^2)(\gamma + \alpha^2) \]

for some β ≠ 0. Since γ² ≡ 1 mod 4, we have γ ≡ α² ≡ 1 mod 2, and hence
both factors on the right are divisible by λ². Since any common divisor divides their
sum 2γ², these factors have greatest common divisor λ². Replacing γ by −γ if
necessary, we thus have

\[ \gamma + \beta^2 = \eta \lambda^{4n-2} \zeta^4, \qquad \gamma - \beta^2 = \eta' \lambda^2 \xi^4 \]

for units η and η′. Subtracting these equations, we obtain

\[ 2\beta^2 = \eta \lambda^{4n-2} \zeta^4 - \eta' \lambda^2 \xi^4. \]

Dividing through by 2, we get, using λ² = 2i,

\[ \beta^2 = \eta i \lambda^{4(n-1)} \zeta^4 - \eta' i \xi^4. \]

Since β² ≡ 1 mod 2, we deduce that η′i ≡ 1 mod 2, and hence η′i = ±1. Dividing
through by −1 = i² if necessary, we now have

\[ \eta_1 \lambda^{4(n-1)} \zeta^4 + \xi^4 = \beta^2. \]

This proves our claims.

5.2 The Eisenstein Integers



The domain Z[ρ], where ρ = (−1 + √−3 )/2 is a primitive cube root of unity, is called the
ring of Eisenstein integers. Gotthold Eisenstein (1823–1852) died at a very young
age (as did his contemporaries Galois, Abel, and Riemann). He is best known for
a geometric interpretation of a key lemma in Gauss’s third proof of the quadratic
reciprocity law,1 his irreducibility criterion (which actually goes back to Theodor
Schönemann (1812–1868); see [26]), and for the Eisenstein series in the theory of
modular forms. Eisenstein used the domain Z[ρ] in his proof of the cubic reciprocity
law.
Z[ρ] Is Norm-Euclidean For verifying the criterion given by Eq. (5.2), we have to
show that for each ξ = x + y√−3 ∈ k = Q(√−3 ), there exists a γ = (a +
b√−3 )/2 ∈ Ok (here we have a ≡ b mod 2) with N(ξ − γ ) < 1. Now ξ − γ =
((2x − a) + (2y − b)√−3 )/2; clearly, we can choose b ∈ Z in such a way that
|2y − b| ≤ 1/2. Next we have to determine an integer a ∈ Z with a ≡ b mod 2 in
such a way that |2x − a| becomes small. By choosing a from the integers ≡ b mod 2,
we can make |2x − a| ≤ 1 (the nearest integer with given parity has at most distance
1 from 2x). But then N(ξ − γ ) ≤ (1/4)(1 + 3/4) = 7/16 < 1.

1 See the beautiful article [72].

Fig. 5.2 The ring of Eisenstein integers is norm-Euclidean

In the diagram in Fig. 5.2, each number x + y√−3 corresponds to the point
(x, y√3 ) in R²; the domain Z[ρ] then corresponds to a 2-dimensional lattice,
and we have drawn a circle with radius 1/√3 around each lattice point. These
circles cover the whole plane, and hence the constant 7/16 in the proof above may
be improved to 1/3, and we can always find an integral γ such that N(ξ − γ ) ≤ 1/3.
The figure also shows that this bound is best possible, since for smaller values, we
lose for example the point corresponding to ξ = (1/3)√−3.
Prime Elements and Associates Since the domain R = Z[ρ] contains only six
units, namely ±1, ±ρ, and ±ρ², each nonzero element has six associates. If we
write α = a + bρ, then we find

\[
\begin{array}{ll}
\alpha = a + b\rho, & -\alpha = -a - b\rho,\\
\alpha\rho = -b + (a - b)\rho, & -\alpha\rho = b + (b - a)\rho,\\
\alpha\rho^2 = b - a - a\rho, & -\alpha\rho^2 = a - b + a\rho.
\end{array}
\]

Now √−3 = ρ − ρ² is a prime element with 3 = −(√−3 )², whereas λ² = −3ρ
for the element λ = 1 − ρ.
When is an element α = a + bρ not divisible by λ? Since α = a + bρ =
a + b − b(1 − ρ) ≡ a + b mod λ, this is true if and only if a + b ≢ 0 mod 3. In
this case one of the three numbers a, b, or a − b is divisible by 3, and the list above
shows that there is an associate of α whose coefficient of ρ is divisible by 3.

Proposition 5.9 If α ∈ Z[ρ] is not divisible by √−3, then there is a t ∈ {0, 1, 2}
such that ρ^t α = a + bρ with b ≡ 0 mod 3.

If α = a + bρ and if b is a multiple of 3, then 2α can be written in the form
2α = L + 3M√−3. In particular, 4Nα = L² + 27M².
On the other hand, it is clear that at least one of the three numbers a, b, and a − b
is even; the same argument as above then shows the following:
Proposition 5.10 For each α ∈ Z[ρ], there is a t ∈ {0, 1, 2} such that ρ^t α = a + bρ
with b ≡ 0 mod 2. In other words, α has an associate of the form c + d√−3 with
c, d ∈ Z.

The determination of prime elements in Z[ρ] proceeds exactly as for Z[i], so
it will be sufficient to record the result and leave the details for the readers. We
will, however, at least explain how to show that the congruence x² ≡ −3 mod p
is solvable for primes p ≡ 1 mod 3. To this end, we set r = g^((p−1)/3), where g
is a primitive root modulo p. Clearly, r³ ≡ 1 mod p, i.e., r is a primitive cube
root of unity in Z/pZ. If ρ denotes a primitive cube root of unity in C, then we
know how to construct a square root of −3: we simply write λ = 2ρ + 1 and
obtain λ² = 1 + 4ρ + 4ρ² = −3. This suggests that we set x = 2r + 1; then
x² = 1 + 4r + 4r² = −3 + 4(1 + r + r²). It is therefore sufficient to show that
S = 1 + r + r² ≡ 0 mod p. But it follows from rS = r + r² + r³ ≡ r + r² + 1 =
S mod p that p | (r − 1)S. Since r ≢ 1 mod p, we conclude that S is divisible by
p as claimed.
Proposition 5.11 The domain Z[ρ] is Euclidean and thus a unique factorization
domain. The prime elements in this domain are the following:
1. λ = 1 − ρ = √−3 ρ² is the prime dividing 3;
2. the inert primes q ≡ 2 mod 3;
3. the elements π and π′ with ππ′ = p, where p is a prime number ≡ 1 mod 3.
As a corollary, we obtain Fermat’s Little Theorem

\[ \alpha^{N\pi - 1} \equiv 1 \bmod \pi \]

for all α ∈ Z[ρ] not divisible by the prime π. In particular, we observe that if π = 2,
then

\[ \alpha^3 \equiv 1 \bmod 2 \]

for all α ∈ Z[ρ] not divisible by 2.
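The construction x = 2r + 1 of a square root of −3 modulo p, the splitting p = ππ′ from Proposition 5.11, and the representation 4p = L² + 27M² that follows from Proposition 5.9 can be checked numerically as below. This is an added example, not code from the book, and its function names are its own. It assumes p is a prime ≡ 1 mod 3, takes r = h^((p−1)/3) for any h with r ≢ 1 in place of a primitive root g (the argument for S ≡ 0 only uses r³ ≡ 1 and r ≢ 1), and divides in Z[ρ] by rounding the coordinates with respect to 1, ρ, which gives N(ξ − γ) ≤ 3/4 instead of the bounds discussed in the text.

```python
# Added example (not from the book): an Eisenstein integer a + b*rho is the pair (a, b),
# with rho^2 = -1 - rho, so that N(a + b*rho) = a^2 - a*b + b^2.

def norm(z):
    a, b = z
    return a * a - a * b + b * b

def mul(z, w):
    a, b = z
    c, d = w
    return (a * c - b * d, a * d + b * c - b * d)

def sub(z, w):
    return (z[0] - w[0], z[1] - w[1])

def conj(z):
    # the conjugate of rho is rho^2 = -1 - rho
    return (z[0] - z[1], -z[1])

def nearest(n, d):
    """Nearest integer to n/d for d > 0, in exact integer arithmetic."""
    return (2 * n + d) // (2 * d)

def divmod_eis(alpha, beta):
    """(gamma, rest) with alpha = gamma*beta + rest and N(rest) <= 3/4 * N(beta)."""
    n = norm(beta)
    xi_num = mul(alpha, conj(beta))   # alpha * conj(beta) = (alpha/beta) * N(beta)
    gamma = (nearest(xi_num[0], n), nearest(xi_num[1], n))
    return gamma, sub(alpha, mul(gamma, beta))

def gcd_eis(alpha, beta):
    while beta != (0, 0):
        alpha, beta = beta, divmod_eis(alpha, beta)[1]
    return alpha

def cube_root_of_unity(p):
    """r with r^3 = 1 and r != 1 modulo a prime p = 1 mod 3."""
    if p % 3 != 1:
        raise ValueError("p must be a prime congruent to 1 mod 3")
    for h in range(2, p):
        r = pow(h, (p - 1) // 3, p)
        if r != 1:
            return r
    raise ValueError("no element of order 3 found")

def sqrt_minus_three(p):
    """x = 2r + 1, so that x^2 = -3 + 4(1 + r + r^2) = -3 mod p."""
    return (2 * cube_root_of_unity(p) + 1) % p

def prime_above(p):
    """A prime pi of Z[rho] with N(pi) = p.

    N(r - rho) = r^2 + r + 1 = S is divisible by p, but p does not divide r - rho.
    """
    r = cube_root_of_unity(p)
    return gcd_eis((r, -1), (p, 0))

def four_p_form(p):
    """(L, M) with L, M > 0 and 4p = L^2 + 27 M^2, via Proposition 5.9."""
    a, b = prime_above(p)
    while b % 3 != 0:
        a, b = -b, a - b          # multiply by rho: (a + b*rho)*rho = -b + (a - b)*rho
    return abs(2 * a - b), abs(b // 3)   # 2*alpha = (2a - b) + b*sqrt(-3)

if __name__ == "__main__":
    for p in (7, 13, 1000000009):
        x = sqrt_minus_three(p)
        print(p, "sqrt(-3) =", x, "pi =", prime_above(p), "(L, M) =", four_p_form(p))
```
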



5.2.1 The Cubic Fermat Equation x³ + y³ + z³ = 0

Euler has given a proof of Fermat’s claim that the Diophantine equation

\[ x^3 + y^3 + z^3 = 0 \tag{5.4} \]

has only trivial solutions (those with xyz = 0) in integers. In this proof he has used
properties of numbers of the form c² + 3d² for which he did not give complete
proofs.2 The first proof of Fermat’s Last Theorem for cubes using the arithmetic of
Z[ρ] was given by Gauss, who showed the stronger result that Eq. (5.4) does not
have nontrivial solutions in the larger ring Z[ρ]. In the following, we will give a
rigorous version of Euler’s proof using the methods of Gauss. The idea behind the
proof goes back to Fermat, who called his method infinite descent.
For proving that a Diophantine equation in many variables x, y, z, . . . does not
have a solution in integers, assume you do have such a solution (x, y, z, . . .), and
then show that for each such solution there is a smaller solution (u, v, w, . . .)
(smaller in the sense that e.g. |u| < |x|). Since natural numbers cannot decrease
indefinitely, this results in a contradiction. For a simple application of this technique,
see Exercise 5.7.
Theorem 5.12 The Diophantine equation x³ + y³ + z³ = 0 has only trivial solutions
in integers.
Instead of proving this theorem for x, y, z ∈ Z, we show (as Gauss) that the
cubic Fermat equation does not have a solution in the domain Z[ρ]. This follows
immediately by setting α = x³, β = y³, and γ = z³ in the following theorem,
whose smooth formulation I learned from Paul Monsky3.

Theorem 5.13 Let α, β, γ ∈ Z[ρ] \ {0}. If α + β + γ = 0 and αβγ = μ³ for some
μ ∈ Z[ρ], then αβγ = 0 or αβγ = 1.
Proof We may assume that α, β, and γ are pairwise coprime. Among all
counterexamples, we choose one for which N(αβγ ) is minimal. Then there exist
A1 , B1 , C1 ∈ Z[ρ] with

\[ \alpha = \rho^a A_1^3, \quad \beta = \rho^b B_1^3, \quad \gamma = \rho^c C_1^3. \]

If (α, β, γ ) is a solution, then so is (α/ρ^a, β/ρ^a, γ /ρ^a); thus we may assume that
a = 0.

2 The gap is the one that we have pointed out in Chap. 1, namely the missing proof for the
decomposition theorem for numbers of the form x² + 3y²: If c² + 3d² = r³, then there exist
integers p and q with c = p(p² − 9q²) and d = 3q(p² − q²); see [10].
3 See https://mathoverflow.net/questions/39561.
5.2 The Eisenstein Integers 117

Since αβγ = μ3 , we must have b + c ≡ 0 mod 3, and there remain the


possibilities (b, c) = (0, 0), (1, 2), (2, 1). Switching the roles of β and γ if
necessary, we may assume that (b, c) = (0, 0) or (b, c) = (1, 2).
(a) (b, c) = (0, 0). In this case we have a = b = c = 0, and hence

$$\alpha = A_1^3, \quad \beta = B_1^3, \quad \gamma = C_1^3.$$

We set $\alpha_1 = B_1 + C_1$, $\beta_1 = \rho B_1 + \rho^2 C_1$ and $\gamma_1 = \rho^2 B_1 + \rho C_1$. Then

• $\alpha_1 + \beta_1 + \gamma_1 = B_1(1 + \rho + \rho^2) + C_1(1 + \rho + \rho^2) = 0$;
• $\alpha_1\beta_1\gamma_1 = B_1^3 + C_1^3 = \beta + \gamma = -\alpha = (-A_1)^3$;
• $\beta_1 + \gamma_1 = (B_1 + C_1)(\rho + \rho^2) = -(B_1 + C_1) \ne 0$ since $\beta + \gamma = -\alpha \ne 0$.
• $N(\alpha_1\beta_1\gamma_1) = N(\alpha) \mid N(\alpha\beta\gamma)$; in particular, we have $N(\alpha_1\beta_1\gamma_1) \le N(\alpha\beta\gamma)$,
  and if we had equality here, we would have N(β) = N(γ) = 1.
  Thus $B_1$ and $C_1$ are units, and hence β, γ = ±1. This is only possible if
  (α, β, γ) is, up to a permutation, equal to (0, 1, −1), which contradicts our
  assumption.
(b) (b, c) = (1, 2). In this case we have

$$\alpha = A_1^3, \quad \beta = \rho B_1^3, \quad \gamma = \rho^2 C_1^3.$$

We set $\alpha_1 = B_1 + C_1$, $\beta_1 = \rho\alpha$, and $\gamma_1 = \rho^2\alpha$. Then,

• $\alpha_1 + \beta_1 + \gamma_1 = B_1(1 + \rho + \rho^2) + C_1(1 + \rho + \rho^2) = 0$;
• $\alpha_1\beta_1\gamma_1 = (B_1 + C_1)^3$;
• $\beta_1 + \gamma_1 = (B_1 + C_1)(\rho + \rho^2) = -(B_1 + C_1) \ne 0$ since $\beta + \gamma = -\alpha \ne 0$.
• $N(\alpha_1\beta_1\gamma_1) = N(\alpha) \mid N(\alpha\beta\gamma)$; in particular, we have $N(\alpha_1\beta_1\gamma_1) \le N(\alpha\beta\gamma)$,
  and if we had equality here, we would have N(β) = N(γ) = 1.
  Thus $B_1$ and $C_1$ are units, and hence β = ±ρ and $\gamma = \pm\rho^2$. This is only
  possible if (α, β, γ) is, up to sign, equal to $(1, \rho, \rho^2)$.
Thus (α1 , β1 , γ1 ) is a solution with N(α1 ) < N(α) contrary to our assumption
that the solution we started with is one for which Nα is minimal. This contradiction
completes the proof. 

With the same method, we can show that the equation $x^3 + y^3 = 3z^3$ has
only trivial solutions; similarly, the only integral solutions of $x^3 + y^3 = 2z^3$ with
$xyz \ne 0$ are (x, x, x). Both results are due to Adrien-Marie Legendre (1752–1833),
who first stated the quadratic reciprocity law the way we know it, and whose main
claims to fame are his textbook in number theory and his contributions to the theory
of elliptic functions (or rather elliptic integrals). Legendre also claimed that the
equation $x^3 + y^3 = az^3$ has only trivial solutions for a = 3, 4, 5, 6, 8, . . . Théophile
Pépin later observed that $17^3 + 37^3 = 6 \cdot 21^3$. Finally, Trygve Nagell has shown that
for a > 2, the equation $x^3 + y^3 = az^3$ either has no nontrivial solution or infinitely
many primitive solutions. A solution $(x, y, z) \in \mathbb{Z}^3$ is called primitive if x, y, z are
pairwise coprime. Any solution $(x, y, z) \in \mathbb{Z}^3 \setminus \{(0, 0, 0)\}$ gives rise to infinitely
many non-primitive solutions (kx, ky, kz) for k ∈ Z.
Another result can be found in the book [14] on elliptic curves by J. W. S. Cassels.
There you can find a sketch of a proof that the equation $x^3 + y^3 = q_1 q_2 z^3$, where
$q_1 \equiv 2 \bmod 9$ and $q_2 \equiv 5 \bmod 9$ are prime, has only trivial solutions. It is natural
to ask how this is connected to elliptic curves. In fact, the cubic Fermat equation
$x^3 + y^3 = z^3$ is an elliptic curve: Dividing through by z and setting r = x/z,
s = y/z, we obtain $r^3 + s^3 = 1$; with r = u + v and s = u − v, we get $2u^3 + 6uv^2 = 1$,
and hence $2 + 6(v/u)^2 = 1/u^3$. Multiplying through by $6^3$ and setting Y = 36v/u,
X = 6/u, we obtain the equation of an elliptic curve $Y^2 = X^3 - 432$ in the
well-known Weierstrass form.

5.3 The Lucas–Lehmer Test

It has been known since Euclid that there is no largest prime number; nevertheless, there
usually is a largest known prime number, mainly because there is no simple formula
for computing arbitrarily large primes. Fermat once believed he had found such a
formula: He conjectured that all numbers of the form $F_n = 2^{2^n} + 1$ are prime (and
in fact he almost believed he had a proof). Euler later showed that $F_5 = 2^{32} + 1 =
641 \cdot 6700417$ is composite, and in fact, no other Fermat prime beyond $F_4$ has been
discovered until now. For quite a few years now, the largest known prime number
has always been a prime number of the form $2^p - 1$, where p is prime; such numbers
are called Mersenne numbers.
Marin Mersenne (1588–1648) was a French priest. He corresponded with most
mathematicians and many scientists of his time, in particular with Fermat. He is
known for his conjecture that p = 2, 3, 5, 7, 13, 17, 19, 31, 67, 127, and 257 (these
are all numbers that differ at most by 3 from a power of 2) are the only prime
numbers ≤ 257 for which $2^p - 1$ is prime. Later it was shown that the Mersenne
numbers for p = 67 and p = 257 are composite and that p = 61, 89, and
107 give rise to primes. The smallest Mersenne number not completely factored
today is $M_{1207}$; this number has the prime factors 131 071, 228 479, 48 544 121, and
212 885 833, and the remaining factor is a composite number with 337 digits.
It is easy to show that $2^p - 1$ is composite if p is. This follows from the fact that
$2^a - 1$ always divides $2^{ab} - 1$ since

$$x^{ab} - 1 = (x^a - 1)(x^{ab-a} + x^{ab-2a} + \ldots + x^a + 1).$$

The reason why the largest known prime is usually a Mersenne prime is that
there is a very effective primality test for such numbers developed by Édouard Lucas
(1842–1891) and Derrick Lehmer (1905–1991). In fact, the number $M_p = 2^p - 1$
(where p ≥ 3) is prime if and only if $S_{p-1} \equiv 0 \bmod M_p$, where the sequence $S_n$ is
defined recursively by $S_1 = 4$ and $S_{n+1} = S_n^2 - 2$. Using this test, Lucas was able
to show that $2^{127} - 1$ is prime.
Example Let p = 5; then M5 = 31, and we find

S1 = 4
S2 = 14
S3 = 194 ≡ 8 mod 31
S4 ≡ 62 ≡ 0 mod 31,

which shows that M5 is prime.


The reason why this test works is related to the fact that $M_p + 1$ has a simple
prime factorization (it is a power of 2). It is intimately connected to the arithmetic
of the quadratic number field $\mathbb{Q}(\sqrt{3})$. At first sight, this number field has nothing to
do with the Lucas–Lehmer test; looking more carefully at the situation, we observe
the following lemma, which is easily proved by induction.

Lemma 5.14 Let $\omega = 2 + \sqrt{3}$ be the fundamental unit of $\mathbb{Z}[\sqrt{3}]$ and $\omega' = 2 - \sqrt{3}$
its conjugate. Then $S_{n+1} = \omega^{2^n} + \omega'^{\,2^n}$ for all n ≥ 0.

This lemma connects the Lucas–Lehmer test with the arithmetic of $\mathbb{Z}[\sqrt{3}]$. At
the heart of the matter lies the group structure of the unit group, whose geometric
interpretation we have presented in Chap. 2. This interpretation has the advantage
that it is analogous to similar theorems based on the group structure of (Z/pZ)× or
the group of rational points on elliptic curves. We next present the results we need
for understanding the Lucas–Lehmer test.


5.3.1 The Arithmetic in Z[√3]

We begin by showing that $R = \mathbb{Z}[\sqrt{3}]$ is norm-Euclidean. To this end, let
$\xi = x + y\sqrt{3} \in k = \mathbb{Q}(\sqrt{3})$ be given, and choose $\alpha = a + b\sqrt{3} \in R$ in such a way that
$|x - a| < \frac{1}{2}$ and $|y - b| \le \frac{1}{2}$. Then,

$$|N(\xi - \alpha)| = |(x - a)^2 - 3(y - b)^2| \le \frac{3}{4}$$

since

$$(x - a)^2 - 3(y - b)^2 \le (x - a)^2 \le \frac{1}{4}$$

and

$$(x - a)^2 - 3(y - b)^2 \ge -3(y - b)^2 \ge -\frac{3}{4}.$$

In particular, R is norm-Euclidean.

The geometric interpretation of the Euclidean algorithm is not as simple as for
the ring of Gaussian integers. We embed the domain $\mathbb{Z}[\sqrt{3}]$ into the Euclidean plane
via the map

$$x + y\sqrt{3} \mapsto (x + y\sqrt{3},\; x - y\sqrt{3}).$$

The number 1 then corresponds to the point (1, 1), and $\sqrt{3}$ is mapped to
$(\sqrt{3}, -\sqrt{3})$. The norm of $x + y\sqrt{3}$ is then the product of the coordinates of
the points, and hence the elements (ξ, η) with norm 1 lie on the hyperbola ξη = 1.
If we move the fundamental domain between the images of the elements 0, 1,
$\sqrt{3}$, and $1 + \sqrt{3}$ to that whose corners are the images of $\frac{1}{2}$, $-\frac{1}{2}$, $-\frac{1}{2} + \sqrt{3}$, and
$\frac{1}{2} + \sqrt{3}$, then we see that this region completely lies inside the hyperbolas ξη = 1
and ξη = −1, which makes clear again that $\mathbb{Z}[\sqrt{3}]$ is norm-Euclidean (see Fig. 5.3).

Proposition 5.15 Let q be a rational prime number that is inert in R. Then R/qR
is a finite field with $q^2$ elements.
Proof Clearly, the residue class ring modulo qR contains at most $q^2$ elements since
each integral element $a + b\sqrt{3}$ is congruent modulo qR to one of the elements of
$\{r + s\sqrt{3} : 0 \le r, s \le q - 1\}$. Moreover, it is easily seen that the elements of
this set are pairwise incongruent modulo q, which implies that the residue class
ring does indeed have $q^2$ elements. Finally, R/qR does not have any zero divisors:
αβ ≡ 0 mod qR implies, since q is prime, that α ≡ 0 mod qR or β ≡ 0 mod qR.
It is therefore sufficient to show that finite rings without zero divisors are fields.
All we have to do is show the existence of inverses. Assume therefore that A is a
finite domain and that $a \ne 0$. Since A is finite, the sequence $a, a^2, \ldots, a^m$ must
contain two equal elements, say $a^i = a^j$ for some i < j. Since A is a domain, we
may cancel $a^i$, which gives us $a^{j-i} = 1$. But then $a^{j-i-1}$ is an inverse of a.



Fig. 5.3 The domain Z[√3] is norm-Euclidean

It follows easily from the quadratic reciprocity law that

$$\left(\frac{3}{p}\right) = \begin{cases} +1, & \text{if } p \equiv \pm 1 \bmod 12, \\ -1, & \text{if } p \equiv \pm 5 \bmod 12. \end{cases}$$

The prime elements of $\mathbb{Z}[\sqrt{3}]$ can now be determined as for Z[i] and Z[ρ].
Proposition 5.16 The following elements are, up to associates, the only prime
elements in $\mathbb{Z}[\sqrt{3}]$:
1. $1 + \sqrt{3}$ is the prime dividing 2 since $2\varepsilon = (1 + \sqrt{3})^2$ with $\varepsilon = 2 + \sqrt{3}$.
2. $\sqrt{3}$ is the prime divisor of 3 since $3 = \sqrt{3}^{\,2}$.
3. The prime numbers q ≡ ±5 mod 12 are inert.
4. The prime numbers p ≡ ±1 mod 12 split into two distinct prime elements π
and π′; in particular, every prime p ≡ ±1 mod 12 can be written in the form
$\pm p = x^2 - 3y^2$.

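Fermat’s Little Theorem also holds in $\mathbb{Z}[\sqrt{3}]$; as in other quadratic number rings,
it is a consequence of the following general and elementary observation:

Proposition 5.17 Let $p \nmid 4m$ be prime and $k = \mathbb{Q}(\sqrt{m})$; then for all $\alpha \in O_k$, we
have

$$\alpha^p \equiv \begin{cases} \alpha \\ \alpha' \end{cases} \bmod p, \quad \text{if } \left(\frac{m}{p}\right) = \begin{cases} +1, \\ -1. \end{cases}$$

Proof Write $\alpha = \frac{1}{2}(a + b\sqrt{m})$ with a, b ∈ Z; then the fact that the binomial
coefficients $\binom{p}{t}$ are divisible by p for each 1 ≤ t ≤ p − 1 implies that

$$(2\alpha)^p \equiv a^p + b^p \sqrt{m}^{\,p} \equiv a + b\left(\frac{m}{p}\right)\sqrt{m} \bmod p$$

since $a^p \equiv a \bmod p$ and $\sqrt{m}^{\,p} = m^{(p-1)/2}\sqrt{m}$. The claim now follows from
$2^p \equiv 2 \bmod p$.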


5.3.2 The Lucas–Lehmer Test

Assume first that $q = M_p = 2^p - 1$ is prime; we want to show that $M_p$ passes
the Lucas–Lehmer test, i.e., that $S_{p-1}$ is divisible by $M_p$. To this end, we observe
that $M_p \equiv 7 \bmod 8$ since p ≥ 3 is odd and that $M_p \equiv 1 \bmod 3$; this shows that
$M_p \equiv 7 \bmod 24$. We claim that $M_p$ is irreducible in $\mathbb{Z}[\sqrt{3}]$.
In fact, if we had $M_p = \pi\pi'$ for an element $\pi = a + b\sqrt{3}$, then we would have
$a^2 - 3b^2 = N\pi = \pm M_p$; since $M_p \equiv 1 \bmod 3$ and $a^2 - 3b^2 \equiv 0, 1 \bmod 3$ only the
positive sign can hold. But then $a^2 - 3b^2 \equiv a^2 + b^2 \equiv 0, 1 \bmod 4$ in contradiction
to $M_p \equiv 7 \bmod 8$.
Since $R = \mathbb{Z}[\sqrt{3}]$ is a unique factorization domain, $M_p$ is not only irreducible
but prime in R. If q ≥ 5 is any prime element in R, then

$$(a + b\sqrt{3})^q \equiv a + \left(\frac{3}{q}\right) b\sqrt{3} \equiv a - b\sqrt{3} \bmod qR$$

since $\left(\frac{3}{q}\right) = -1$ for q ≡ 7 mod 24. For a = 2 and b = 1, this yields $\omega^q \equiv \omega' \bmod qR$
(this congruence is analogous to the congruence (5.3) in Z[i]), and thus
$\omega^{q+1} \equiv \omega\omega' = 1 \bmod qR$. Since R/qR is a field, the element 1 has at most two (and
in fact exactly two) square roots, namely 1 and −1. In particular, $\omega^{(q+1)/2} \equiv \pm 1$.
We claim that the positive sign holds.
To this end, we observe that $2\omega = 4 + 2\sqrt{3} = (1 + \sqrt{3})^2$ is a square; thus we
find $2^{(q+1)/2}\omega^{(q+1)/2} = (1 + \sqrt{3})^{q+1}$. The binomial expansion of this expression
shows that $(1 + \sqrt{3})^q \equiv 1 + \sqrt{3}^{\,q} = 1 + 3^{(q-1)/2}\sqrt{3} \bmod q$. By Euler’s criterion,
we have $3^{(q-1)/2} = -(-3)^{(q-1)/2} \equiv -1 \bmod q$, and hence $(1 + \sqrt{3})^{q+1} \equiv (1 + \sqrt{3})(1 - \sqrt{3}) = -2 \bmod qR$.
Since $2^{(q+1)/2} = 2 \cdot 2^{(q-1)/2} \equiv 2 \bmod q$, we finally find

$$\omega^{(q+1)/2} = 2^{-(q+1)/2}(1 + \sqrt{3})^{q+1} \equiv -1 \bmod qR$$

as claimed. Using $\omega\omega' = 1$, we now obtain

$$S_{p-1} = \omega^{(q+1)/4} + \omega'^{\,(q+1)/4} = \omega^{(q+1)/4}\bigl(1 + \omega^{-(q+1)/2}\bigr) \equiv 0 \bmod qR.$$

Assume conversely that $S_{p-1} \equiv 0 \bmod q$; then $\omega^{(q+1)/2} \equiv -1 \bmod qR$. Since
$\frac{q+1}{2} = 2^{p-1}$ is a power of 2, $\frac{q+1}{2}$ must be the smallest exponent n > 0 for which
$\omega^n \equiv -1 \bmod qR$. On the other hand, for each prime divisor $\ell \mid q$, the same
congruence $\omega^{(q+1)/2} \equiv -1 \bmod \ell R$ holds, and again the exponent $\frac{q+1}{2}$ is minimal.
Now either $\omega^{\ell+1} \equiv 1 \bmod \ell R$ or $\omega^{\ell-1} \equiv 1 \bmod \ell R$ by Proposition 5.17, i.e., we
have $\ell - 1 \ge 2 \cdot \frac{q+1}{2} = q + 1$ or $\ell + 1 \ge 2q + 1$. The first case is impossible, the
second shows that $\ell \ge q$, and hence all divisors of q are ≥ q. But then q is prime.
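
The following Python sketch is an added example, not code from the book: it runs the Lucas–Lehmer recursion and, separately, computes powers of ω = 2 + √3 in R/qR, so that Lemma 5.14 and the congruence for ω^((q+1)/2) used in the proof can be checked numerically. All function names are chosen here for illustration.

```python
# Elements a + b*sqrt(3) of Z[sqrt(3)] are stored as pairs (a, b).
OMEGA = (2, 1)  # omega = 2 + sqrt(3), the fundamental unit


def mersenne(p):
    """Return M_p = 2^p - 1."""
    return (1 << p) - 1


def lucas_lehmer_sequence(p):
    """Return [S_1, ..., S_{p-1}] reduced modulo M_p (S_1 = 4, S_{n+1} = S_n^2 - 2)."""
    m = mersenne(p)
    s = 4 % m
    seq = [s]
    for _ in range(p - 2):
        s = (s * s - 2) % m
        seq.append(s)
    return seq


def lucas_lehmer(p):
    """Lucas-Lehmer test for an odd prime exponent p: True iff M_p is prime."""
    if p < 3:
        raise ValueError("the test as stated above needs p >= 3")
    return lucas_lehmer_sequence(p)[-1] == 0


def mul(x, y, q):
    """Multiply two elements of Z[sqrt(3)] and reduce both coordinates modulo q."""
    a, b = x
    c, d = y
    return ((a * c + 3 * b * d) % q, (a * d + b * c) % q)


def power(x, e, q):
    """Square-and-multiply exponentiation in Z[sqrt(3)] / q."""
    result = (1 % q, 0)
    while e:
        if e & 1:
            result = mul(result, x, q)
        x = mul(x, x, q)
        e >>= 1
    return result


def trace_omega(n, q):
    """omega^(2^n) + omega'^(2^n) modulo q.

    Conjugation only flips the sign of the sqrt(3)-coordinate, so the sum
    of a power of omega and its conjugate is twice the rational coordinate.
    """
    a, _ = power(OMEGA, 1 << n, q)
    return 2 * a % q


def omega_half_power_is_minus_one(p):
    """Check omega^((q+1)/2) = -1 in R/qR for q = M_p."""
    q = mersenne(p)
    return power(OMEGA, (q + 1) // 2, q) == (q - 1, 0)


if __name__ == "__main__":
    print(lucas_lehmer_sequence(5))                 # residues of S_1..S_4 mod 31
    print([trace_omega(n, 31) for n in range(4)])   # same values via Lemma 5.14
    for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31):
        print(p, lucas_lehmer(p), omega_half_power_is_minus_one(p))
```

The two criteria agree for composite M_p as well, because ω is a unit and S_{p−1} ≡ 0 is equivalent to ω^((q+1)/2) ≡ −1 modulo any q.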

5.4 Fermat’s Last Theorem for the Exponent 5

Dirichlet’s first mathematical result was his proof [29] that the quintic Fermat
equation $x^5 + y^5 = z^5$ has only the trivial solutions with xyz = 0 in integers.
Legendre completed Dirichlet’s proof before Dirichlet did but did not deal properly
with the issues of unique factorization and units. In the following, we will give a
streamlined version of Dirichlet’s proof using ideas due to J. Plemelj [103] and L.
Tschakaloff [125].

Fig. 5.4 The ring Z[ω] is norm-Euclidean: The square defined by 0 ≤ x, y ≤ 1/2 lies inside the
region cut out by the hyperbolas $(x - 1)^2 - 5y^2 = 1$ and $(x - 1)^2 - 5y^2 = -1$

First we observe that the ring of integers in $\mathbb{Q}(\sqrt{5})$ is Z[ω] with $\omega = \frac{1 + \sqrt{5}}{2}$.

Proposition 5.18 The ring Z[ω] is Euclidean with respect to the absolute value of
the norm. In particular, it is a unique factorization domain.

As before we need to show that for every $\xi \in \mathbb{Q}(\sqrt{5})$, there is an element γ ∈
Z[ω] with |N(ξ − γ)| < 1. By symmetry, it is enough to prove the existence of γ
for $\xi = x + y\sqrt{5}$ with $0 \le x, y \le \frac{1}{2}$. But for such ξ, the value γ = 1 always works
with the single exception $(\frac{1}{2}, \frac{1}{2})$, for which we can pick γ = 0 (see Fig. 5.4).
We also see that −1 and ω are units in Z[ω]; it will follow from the results in the
next chapter that every unit is, up to sign, a power of ω.
Assume now that $x^5 + y^5 = z^5$ for nonzero integers. Classical proofs of Fermat’s
Last Theorem for exponents ≥ 5 are usually divided into the first and the second
case. The first case, where one of x, y, or z is divisible by p, is a lot easier to prove
than the second case.
Observe that $x^5 \equiv \pm 1, \pm 7 \bmod 25$ if $5 \nmid x$. This shows that the only solutions of
$x^5 + y^5 \equiv z^5 \bmod 25$ in rational integers are those in which 5 | xyz.

Now we have to prove something similar in Z[ω]. In the following, we write
$\lambda = \sqrt{5}$ for the unique ramified prime element. Then x ≡ ±1, ±2 mod λ for any x
coprime to λ, and this implies (binomial expansion) that $x^5 \equiv \pm 1, \pm 32 \equiv \pm 7 \bmod \lambda^3$.
By the same reasoning as above, we obtain the following lemma.
Lemma 5.19 If $x^5 + y^5 = z^5$ in Z[ω], then λ | xyz.

The next fact we need is:

Lemma 5.20 For every nonzero residue class a modulo 5, there exists a unit η ∈
Z[ω] with η ≡ a mod 5.
Since ω ≡ −2 mod λ and because −2 is a primitive root modulo 5, $\omega^4 = 2 + 3\omega$
is the smallest positive power of ω that is ≡ 1 mod λ. Similarly, $\omega^{10} \equiv -1 \bmod 5$
then shows that ω has order 20 modulo 5. This proves the claim.
We will also need the following special case of “Kummer’s Lemma”:
Lemma 5.21 If η ∈ Z[ω] is a unit congruent to a rational integer modulo 5, then
ω is a fifth power.
This can be verified by brute force: The first powers of ω are

n      1    2        3         4         5
ω^n    ω    1 + ω    1 + 2ω    2 + 3ω    3 + 5ω

Thus $\omega^5 \equiv 3 \bmod 5$ is the smallest positive power congruent to a rational integer
modulo 5, and the exponents of all other such powers are divisible by 5.
Now consider the equation $x^5 + y^5 = z^5$. We may assume without loss of
generality that λ | z; in fact, if λ | y, for example, then write the equation in the
form $x^5 + (-z)^5 = (-y)^5$.
Assume therefore that $x^5 + y^5 = z^5$ and λ | z. The equation

$$(x + y)[(x + y)^4 - 5xy(x + y)^2 + 5x^2y^2] = z^5$$

shows that λ | (x + y); therefore, the expression in the square brackets is divisible
exactly by $\lambda^2$, and hence x + y must be divisible by $\lambda^3$. Since any common divisor
divides $5x^2y^2$, we conclude that the greatest common divisor of both factors is
$\lambda^2 = 5$.
Next we multiply $x^5 + y^5 = z^5$ with a suitable power of $\omega^5$ to make sure that
x ≡ 1 mod 5 and therefore y ≡ −1 mod 5. Next

$$\begin{aligned}
x^5 + y^5 &= (x + y)(x^4 - x^3y + x^2y^2 - xy^3 + y^4) \\
&= (x + y)[(x + y)^4 - 5xy(x^2 + xy + y^2)] \\
&= (x + y)[(x + y)^4 - 5xy(x + y)^2 + 5x^2y^2] \\
&= (x + y)[\lambda xy - \omega(x + y)^2][\lambda xy + \omega'(x + y)^2].
\end{aligned}$$

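By unique factorization, there exist α, β, γ ∈ Z[ω] and units $\varepsilon_j$ with

$$\begin{aligned}
x + y &= \varepsilon_1 \lambda^3 \gamma^5, \\
\lambda xy - \omega(x + y)^2 &= \varepsilon_2 \lambda \alpha^5, \\
\lambda xy + \omega'(x + y)^2 &= \varepsilon_3 \lambda \beta^5.
\end{aligned}$$

Dividing the second equation by λ, we get

$$xy - \omega\,\frac{(x + y)^2}{\lambda} = \varepsilon_2 \alpha^5.$$

Since $xy \equiv -1 \bmod \lambda^2$, we find that $\varepsilon_1$ is congruent to a rational integer modulo
5 and therefore is a fifth power; the same argument shows that $\varepsilon_3$ is a fifth power,
and since the product of the three units is 1, so is $\varepsilon_1$. We may therefore assume that
$\varepsilon_j = 1$ and obtain

$$x + y = \lambda^3 \gamma^5, \qquad (5.5)$$
$$\lambda xy - \omega(x + y)^2 = \lambda \alpha^5, \qquad (5.6)$$
$$\lambda xy + \omega'(x + y)^2 = \lambda \beta^5. \qquad (5.7)$$

Subtracting (5.7) from (5.6) and using $\omega + \omega' = 1$, we obtain

$$\lambda\alpha^5 + \lambda(-\beta)^5 = \lambda(x + y)^2 = \lambda^6\gamma^{10} = \lambda(\lambda\gamma^2)^5$$

and, after dividing through by λ,

$$\alpha^5 + (-\beta)^5 = (\lambda\gamma^2)^5 \qquad (5.8)$$

with αβγ = z.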
Thus we have obtained a new solution to the quintic Fermat equation in which γ
has fewer distinct prime factors than z except when α and β are units (observe that
they are coprime to λ). But this is impossible, as we will show now.
In fact, dividing (5.8) through by $\alpha^5$, we find an equation $1 \pm \omega^{5k} = \gamma^5$ for
some γ divisible by λ. Since $\omega^{5k} \equiv \pm 1 \bmod 5$, the integer k is even. Dividing our
equation by its conjugate and using

$$\frac{1 + \omega^{5k}}{1 + \omega'^{\,5k}} = \omega^{5k}\,\frac{1 + \omega^{5k}}{\omega^{5k} + (-1)^{5k}} = \omega^{5k},$$

we obtain

$$\omega^{5k} = \pm\left(\frac{\gamma}{\gamma'}\right)^5,$$

and this shows that $\gamma = \pm\omega^k\gamma'$. Thus γ and γ′ have the same prime factorization,
and hence γ is a product of a power of the ramified prime element λ and a rational
integer. Since $\lambda^2 = 5$, we have γ = a or γ = λa for a rational integer a.
Since $1 \pm \omega^{5k} = a^5$ immediately implies k = 0 and a = 0, we must have
$1 \pm \omega^{5k} = \lambda^{5j}a^5$ for some odd integer j. Taking the trace of $1 \pm (F_{5k-1} + F_{5k}\omega) = \lambda^{5j}a^5$
yields $0 = 2 \pm (2F_{5k-1} + F_{5m}) = 2 \pm (F_{5k-2} + 3F_{5k-1})$, hence $F_{5k-2} + 3F_{5k-1} = \pm 2$,
and this is impossible.

5.5 Euclidean Number Fields

There are only a few norm-Euclidean quadratic number fields. The norm-Euclidean
complex quadratic number fields are $\mathbb{Q}(\sqrt{m})$ for m = −1, −2, −3, −7, −11. It
can in fact be shown that the other complex quadratic number fields not only are
not norm-Euclidean, but that they also do not admit any Euclidean function at all.⁴
Nevertheless, the rings of integers in the quadratic number fields with m = −19,
−43, −67, −163 are unique factorization domains, as we shall see below.
In the real quadratic case, the situation is less clear. The classification of all norm-
Euclidean real quadratic number fields was completed in the 1950s. Here is the
result:

Theorem 5.22 The rings of integers in $\mathbb{Q}(\sqrt{m})$, m > 0, are norm-Euclidean
exactly for

m = 2, 3, 5, 6, 7, 11, 13, 17, 19, 21, 29, 33, 37, 41, 57, 73.

The full proof of this result is very technical; we now present a clever idea
for proving that several rings with small discriminant are norm-Euclidean due to
Oppenheim [101]. More geometric proofs can be found in [34].
Assume first that $K = \mathbb{Q}(\sqrt{m})$ with m ≡ 2, 3 mod 4. The ring $O_K$ is norm-Euclidean
if for every (x, y) ∈ Q × Q, there exists a pair of integers (a, b) such that
$|N(x + y\sqrt{m} - (a + b\sqrt{m}))| < 1$, i.e., with

$$|(x - a)^2 - m(y - b)^2| < 1. \qquad (5.9)$$

We now assume that $O_K$ is not norm-Euclidean. We will show that this implies
m ≥ 8, and then it will follow that the rings with m ≤ 7 are norm-Euclidean.

4 This result is due to Theodore Motzkin (1908–1970) [98]. It can be proved quite easily and has
played a big role in recent years; see Lemmermeyer [76].

We may also assume that $0 \le x, y \le \frac{1}{2}$. Since $O_K$ is not norm-Euclidean, there
exists a pair (x, y) such that one of the inequalities

$$P(a, b): \quad (x - a)^2 \ge 1 + m(y - b)^2 \qquad (5.10)$$

$$N(a, b): \quad m(y - b)^2 \ge 1 + (x - a)^2 \qquad (5.11)$$

is true for all pairs of integers (a, b). We will consider the following set of
inequalities:

(a, b)     P(a, b)                     N(a, b)
(0, 0)     x^2 ≥ 1 + my^2              my^2 ≥ 1 + x^2
(1, 0)     (x − 1)^2 ≥ 1 + my^2        my^2 ≥ 1 + (x − 1)^2
(−1, 0)    (x + 1)^2 ≥ 1 + my^2        my^2 ≥ 1 + (x + 1)^2

Now clearly P(0, 0) is false; therefore, N(0, 0) must be true. But then P(1, 0) is
false, and hence N(1, 0) must hold. Next P(−1, 0) and N(1, 0) imply $(1 + x)^2 \ge
2 + (1 - x)^2$, hence 4x ≥ 2, $x = \frac{1}{2}$, and $my^2 = \frac{5}{4}$, and hence y is irrational. Thus
P(−1, 0) is false, and N(−1, 0) must hold. But now $my^2 \ge 1 + (1 + x)^2 \ge 2$
implies m ≥ 8.
Therefore the Euclidean algorithm holds for all m < 8, i.e., for m = 2, 3, 5, 6, 7.
The very same proof works for fields with odd discriminant if we replace the
inequality (5.9) by

$$\left|\left(x - \tfrac{b}{2} - a\right)^2 - \tfrac{m}{4}(y - b)^2\right| < 1,$$

and the result is that $\mathbb{Z}[\frac{1 + \sqrt{m}}{2}]$ is norm-Euclidean if m < 32, i.e., for m =
5, 13, 17, 21, 29.
For real quadratic number fields, there are fields that are Euclidean but not norm-
Euclidean, and in fact it is expected (and can be proved by assuming the truth of
the Generalized Riemann Hypothesis) that all number fields whose ring of integers
is a unique factorization domain are Euclidean for a suitable function (with the
exception of complex quadratic fields). The first number field that was known not
to be norm-Euclidean and was shown to be Euclidean is $\mathbb{Q}(\sqrt{69})$; nowadays, many
examples are known; see, e.g., Harper [54, 55].
The fact that the domains listed in Theorem 5.22 are norm-Euclidean can
nowadays be verified by computer (as we have seen, it is possible to do this by hand
for small values of the discriminant). The proof that the other fields are not norm-
Euclidean is much more technical. The heart of the proof is an article by Davenport,
which uses the language of quadratic forms; see [49].

5.5.1 Dedekind–Hasse Criterion

It is possible to show that a quadratic number ring has unique factorization by a
criterion going back to Dedekind and Hasse.⁵ Helmut Hasse (1898–1979) was one
of the leading number theorists in the first half of the twentieth century. The Local–
Global Principle for quadratic forms and for norm equations in cyclic extensions
of number fields, explicit reciprocity laws or the Riemann conjecture for elliptic
curves were results that have more or less defined the progress in number theory in
the 1930s.
The Dedekind–Hasse criterion is a weakening of the existence of a Euclidean
algorithm.

Theorem 5.23 Let k be a quadratic number field; then $O_k$ is a unique factorization
domain if and only if for all $\alpha, \beta \in O_k \setminus \{0\}$ with $\beta \nmid \alpha$, there exist elements $\gamma, \delta \in O_k$
with $0 < |N(\alpha\gamma - \beta\delta)| < |N\beta|$.
Using this criterion, we can, with some effort, prove the following theorem that
we will obtain later (in Theorem 6.17) using the theory of ideals:

Theorem 5.24 Let k be a quadratic number field with discriminant Δ; set

$$M_k = \begin{cases} \sqrt{\Delta/5} & \text{if } \Delta > 0, \\ \sqrt{-\Delta/3} & \text{if } \Delta < 0. \end{cases}$$

Then $O_k$ is a unique factorization domain if and only if for all prime numbers $p <
M_k$ with $(\Delta/p) \ne -1$, there exist elements $\pi \in O_k$ with |Nπ| = p.

Using this result, we can quickly verify that there are nine complex quadratic
number fields whose ring of integers has unique factorization, namely those with
discriminants

Δ = −3, −4, −7, −8, −11, −19, −43, −67, −163.

It is a very deep result first conjectured by Gauss⁶ and proved independently by
Heegner, Stark, and Baker that there are no other complex quadratic fields with
unique factorization.

5 The Dedekind–Hasse criterion was published by Helmut Hasse [57]. Emmy Noether later found
this criterion among Dedekind’s papers when she edited his collected works [28]; see also [90,
Anm. 1, S. 60].
6 Gauss formulated this conjecture for class numbers of binary quadratic forms with even middle
coefficients.

5.6 Quadratic Unique Factorization Domains

For most quadratic number fields, we can often decide that the ring of integers
does not have unique factorization just by looking at its discriminant. We will later
explain our partial results here by more advanced techniques such as the ambiguous
class number formula.
In this section we will prove that the ring of integers in a quadratic number field
cannot have unique factorization if its discriminant Δ has more than two distinct
prime factors. The proof we will give is due to Laszlo Rédei [106]; in Chap. 9 we
will derive this observation as a corollary of the much more general theorem on the
structure of the ideal class group.

Theorem 5.25 Let $k = \mathbb{Q}(\sqrt{m})$ be a quadratic number field whose ring of integers
$O_k$ is a unique factorization domain, and let Δ = disc k denote its discriminant.
If Δ < 0, then Δ = −4, −8 or Δ = −q for some positive prime number
q ≡ 3 mod 4.
If Δ > 0, then Δ is either a prime discriminant or the product of two negative
prime discriminants:

$$m = \begin{cases} p, & p \equiv 1, 3 \bmod 4 \text{ prime}, \\ 2q, & q \equiv 3 \bmod 4 \text{ prime}, \\ pq, & p \equiv q \equiv 3 \bmod 4 \text{ prime}. \end{cases}$$

For the proof, we need the following:

Lemma 5.26 Let $O_k$ be a unique factorization domain. If p | Δ is a prime factor
of the discriminant, then there is a unit $\eta \in E_k$ with $\sqrt{p\eta} \in O_K$.

Proof Let $k = \mathbb{Q}(\sqrt{m})$ for some squarefree integer m. If p | m, then we set
$\alpha = \gcd(p, \sqrt{m})$ and find $\alpha^2 = (p^2, m) = p$, that is, $\alpha^2 = p\eta$ for a unit $\eta \in E_k$.
If $p \nmid m$, then we must have p = 2 and m ≡ 3 mod 4; in this case, we set
$\alpha = \gcd(2, 1 + \sqrt{m})$ and obtain $\alpha^2 = \gcd(4, 1 + m + 2\sqrt{m}) = \gcd(4, 2\sqrt{m}) = 2$, and
now we conclude as above that $\alpha^2 = 2\eta$ for some unit $\eta \in E_k$.

Now we are ready to prove Theorem 5.25. If Δ = −3 or Δ = −4, then unique
factorization holds. If Δ < −4, then $E_k = \{-1, +1\}$. By Lemma 5.26, for each
prime p | Δ, the field k contains the element $\sqrt{-p}$. Thus there can be at most one
such prime p, and Δ must be a prime discriminant.
In the case Δ > 0, we start by showing that if $O_k$ has unique factorization, then
Δ = disc k is either a prime discriminant or the product of two negative prime
discriminants. Assume therefore that unique factorization holds, and write $p\varepsilon_p =
\alpha_p^2$ for each prime p | Δ. Clearly, both $\varepsilon_p$ and $\varepsilon_p'$ are positive, and hence $N\varepsilon_p = +1$.
If there is a prime p | Δ for which $\varepsilon_p$ is a square, then $p\varepsilon = \alpha^2$ implies that p is
a square in k. Thus in this case, there is only one such prime, and Δ must be a prime
discriminant.

Assume therefore that $\varepsilon_p$ is not a square for all p | Δ. Since every positive unit
is a power of the fundamental unit ε, it follows that pε is a square for each prime
p | Δ. If p and q are such primes, then $pq\varepsilon^2$ and therefore also pq is a square in k,
and hence $k = \mathbb{Q}(\sqrt{pq})$.
Thus it remains to show that we cannot have p ≡ q ≡ 1 mod 4 or p ≡ 1 mod 4
and q = 2. In both cases, $pq = a^2 + b^2$ would be a sum of two squares, and we may
assume that a is odd. We set $\rho = b + \sqrt{pq}$ and ω = gcd(a, ρ). Observe that either
b is odd and pq is even, or b is even and pq is odd; this implies that gcd(ρ, 2) = 1.
Next

$$\gcd(\rho, \rho') = \gcd(\rho, \rho + \rho') = \gcd(\rho, 2b) = \gcd(\rho, b) = 1$$

since this gcd divides $\gcd(\rho\rho', b) = \gcd(-a^2, b) = 1$. This implies

$$\omega^2 = \gcd(a^2, \rho^2) = \gcd(\rho\rho', \rho^2) = \rho\,\gcd(\rho, \rho') \sim \rho;$$

observe that the gcd has the usual properties since $O_k$ has unique factorization. Thus
$\omega^2/\rho$ is a unit with negative norm: a contradiction.

5.6.1 Euler’s Polynomial

In his letter from September 28, 1743, Goldbach pointed out to Euler that the
quadratic polynomial $f(x) = x^2 + 19x - 19$ represents many prime numbers for
small values of x (the first composite number is f(19) = 19 · 37). Some time
later, Euler gave the polynomial $n(x) = x^2 - x + 41$, which represents prime
numbers for 0 ≤ x ≤ 40. The discriminant of Euler’s polynomial is Δ = −163,
and the ring of integers of the quadratic number field $\mathbb{Q}(\sqrt{-163})$ is, as we will
show in the next chapter, a unique factorization domain. Georg Frobenius [42] and
Juri Rabinowitsch [105] have discovered that this is no coincidence, and today the
mathematical literature knows hundreds if not thousands of publications (see, e.g.,
[7, 120] and Paulo Ribenboim’s book [109], to mention but three) that deal with this
topic. We claim:

Theorem 5.27 The ring of integers in the quadratic number field $\mathbb{Q}(\sqrt{-p})$, where
p ≡ 3 mod 8 is a prime number, is a unique factorization domain if and only if the
polynomial $n(x) = x^2 + x + \frac{p+1}{4}$ attains prime values for $0 \le x < \frac{p-3}{4}$.
We start with the following remark:
Lemma 5.28 If k is a complex quadratic number field with discriminant Δ ≤ −11
for which the ring of integers is a unique factorization domain, then Δ = −p is
prime and we have p ≡ 3 mod 8.
Proof We already know that Δ = −p must be a prime discriminant, and thus we
have p ≡ 3 mod 4. If we had p ≡ 7 mod 8, then 2 in $O_k$ cannot be prime since
$2 \mid \frac{1+p}{4} = \frac{1 - \sqrt{-p}}{2} \cdot \frac{1 + \sqrt{-p}}{2}$ divides a product without dividing one of the factors. Since
$O_k$ is a unique factorization domain, 2 must be reducible, and this is only possible
if $O_k$ contains an element of norm 2. Since $N\bigl(\frac{x + y\sqrt{-p}}{2}\bigr) = \frac{x^2 + py^2}{4} \ge \frac{x^2 + 11y^2}{4} > 2$,
this is impossible.

If there is a composite number occurring among the values of the polynomial
n(x) for $0 \le x < \frac{p-3}{4}$, then this number is divisible by a prime number q. This
prime q is odd since $n(x) = x^2 + x + \frac{p+1}{4} \equiv x^2 + x + 1 \equiv 1 \bmod 2$ for all integers
x. Thus $n(x) = x^2 + x + \frac{p+1}{4} = aq$, where we may assume that $q^2 \le x^2 + x + \frac{p+1}{4}$
since each composite integer N contains a prime divisor $\le \sqrt{N}$. But then

$$4q^2 \le 4x^2 + 4x + p + 1 = (2x + 1)^2 + p \le \left(\frac{p - 1}{2}\right)^2 + p = \left(\frac{p + 1}{2}\right)^2,$$

and thus $q \le \frac{p+1}{4}$. Observe that $(2x + 1)^2 + p = aq$ implies that $\left(\frac{-p}{q}\right) = +1$. Since
$q \mid \frac{2x + 1 - \sqrt{-p}}{2} \cdot \frac{2x + 1 + \sqrt{-p}}{2}$, the prime q is not prime in $O_k$, hence reducible, and
there exists an element with norm q in $O_k$. On the other hand, we have

$$N\left(\frac{x + y\sqrt{-p}}{2}\right) = \frac{x^2 + py^2}{4} \ge \frac{1 + p}{4}$$

unless the norm is a square (and thus y = 0). This contradiction proves the claim.
For proving the converse, namely that $O_k$ is a unique factorization domain if the
values of $n(x) = x^2 + x + \frac{p+1}{4}$ are prime numbers for $0 \le x < \frac{p-3}{4}$, we use
Theorem 5.24. We have to show that for all primes $q < \sqrt{p/3}$ that are not inert,
there exist elements $\pi \in O_k$ with |Nπ| = q. Since p ≡ 3 mod 8, we have q > 2.
Assume therefore that $-p \equiv a^2 \bmod q$; we may assume moreover that a =
2x + 1 is odd and find that q divides $(2x + 1)^2 + p = 4x^2 + 4x + p + 1 = 4n(x)$
and therefore n(x). Changing x modulo q does not change this divisibility by q, and
hence there is an integer x with 0 ≤ x < q and q | n(x). Since $q < \sqrt{p/3} < \frac{p-3}{4}$
for p ≥ 11, we have q | n(x); on the other hand, n(x) is prime by assumption.
Thus n(x) = q, and therefore q is the norm of an element in $O_k$. This completes the
proof.
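
As an added illustration (not code from the book), the following Python sketch evaluates both criteria for primes p ≡ 3 mod 8: the prime-value test of Theorem 5.27, and the test of Theorem 5.24 specialised to Δ = −p, read as in the proof above (every prime q < √(p/3) that is not inert must be a norm). Function names are chosen here for illustration.

```python
from math import isqrt


def is_prime(n):
    """Trial division; sufficient for the small numbers used here."""
    if n < 2:
        return False
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def euler_values(p):
    """Values n(x) = x^2 + x + (p+1)/4 for 0 <= x < (p-3)/4, with p = 3 mod 8."""
    c = (p + 1) // 4
    return [x * x + x + c for x in range((p - 3) // 4)]


def passes_theorem_5_27(p):
    """Prime-value criterion (vacuously true when the range of x is empty)."""
    return all(is_prime(v) for v in euler_values(p))


def is_inert(q, p):
    """Is the prime q inert in Q(sqrt(-p)), where -p = 5 mod 8 and q != p?"""
    if q == 2:
        return True  # discriminant = 5 mod 8 means 2 is inert
    # Euler's criterion: -p is a non-residue modulo the odd prime q
    return pow(-p % q, (q - 1) // 2, q) == q - 1


def has_element_of_norm(q, p):
    """Search for (x + y*sqrt(-p))/2 with x = y mod 2 and (x^2 + p*y^2)/4 = q."""
    y = 0
    while p * y * y <= 4 * q:
        rest = 4 * q - p * y * y
        x = isqrt(rest)
        if x * x == rest and (x - y) % 2 == 0:
            return True
        y += 1
    return False


def passes_theorem_5_24(p):
    """Every non-inert prime q with q < sqrt(p/3), i.e. 3*q^2 < p, must be a norm."""
    q = 2
    while 3 * q * q < p:
        if is_prime(q) and not is_inert(q, p) and not has_element_of_norm(q, p):
            return False
        q += 1
    return True


def compare_criteria(bound):
    """Primes p = 3 mod 8 below bound accepted by each criterion."""
    candidates = [p for p in range(3, bound, 8) if is_prime(p)]
    by_norms = [p for p in candidates if passes_theorem_5_24(p)]
    by_polynomial = [p for p in candidates if passes_theorem_5_27(p)]
    return by_norms, by_polynomial


if __name__ == "__main__":
    print(compare_criteria(1000))
    print(euler_values(163)[:5])  # first values of x^2 + x + 41
```

For p = 3 and p = 11 there is no prime q below √(p/3), so the norm criterion holds vacuously; for p = 3 the range of x in Theorem 5.27 is empty as well.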

5.6.2 Summary

In this chapter we have discussed a few minor applications of the theory of quadratic
number fields. In particular, we have shown that Z[i] and Z[ρ] are norm-Euclidean
domains and that the decomposition of primes p in these rings is connected with the
representations of p in the form $x^2 + y^2$ and $x^2 + 3y^2$, respectively.

5.7 Exercises

5.1. Determine gcd(26−29i, 13+4i) using the Euclidean algorithm in Z[i]. Verify
the result using the prime factorization of these numbers. Also determine the
corresponding Bézout elements.
5.2. Let $p = a^2 + b^2$ be an odd prime number. Show that a and b can be computed
from a solution of the congruence $x^2 \equiv -1 \bmod p$ by applying the Euclidean
algorithm to the numbers p and x + i in Z[i].
This consequence of the fact that Z[i] is Euclidean can of course be
generalized. How would you prove that each positive prime number p ≡
1, 3 mod 8 can be written in the form $p = c^2 + 2d^2$?
5.3. Show that both {0, ±1, ±i} and {0, 1, 2, 3, 4} are complete systems of
residues modulo 1 + 2i in Z[i].
5.4. Show that the associates of a + bi ∈ Z[i] are given by ±(a + bi), ±(−b + ai).
5.5. Show that for α ∈ Z[i], the following assertions are equivalent:
1. $(1 + i) \nmid \alpha$.
2. Nα is odd.
3. Nα ≡ 1 mod 4.
4. α has an associate of the form a + bi with a − 1 ≡ b ≡ 0 mod 2.
5. α has an associate congruent to 1 mod (2 + 2i).
5.6. Solve the Pythagorean equation $x^2 + y^2 = z^2$ by factoring the left side and
using the arithmetic of Z[i].
5.7. Use infinite descent to show that the equation $x^3 + 3y^3 + 9z^3 = 0$ has only
the trivial solution (0, 0, 0) and generalize.
5.8. Compute the quadratic residue symbols [ 1+2i3+2i ], [ 3+2i ] and [ 1+4i ].
1+4i 1+2i

5.9. In the following, we prove the quadratic reciprocity law in Z[i] using an idea
of Dirichlet.
1. Show by comparing the definitions of the quadratic residue symbols in Z
and Z[i] that for primes π ∈ Z[i] with odd prime norm p and a ∈ Z we
always have [a/π] = (a/p).
Show next that [a/q] = 1 for all a ∈ Z not divisible by q ≡ 3 mod 4.
2. If π = a + bi ≡ 1 mod 2 is prime, then [a/(a+bi)] = 1.
3. Let π = a + bi and λ = c + di be primes ≡ 1 mod 2 with norms Nπ = p
and Nλ = q. Use the congruences ci ≡ d mod (c + di) and (c/q) = 1 for
proving [(a+bi)/(c+di)] = ((ac+bd)/q).
4. Use the quadratic reciprocity law in Z for verifying that ((ac+bd)/(pq)) = 1.
5. Prove the quadratic reciprocity law in Z[i].
5.10. Show using Theorem 5.24 that Ok is a unique factorization domain for Δ =
−19, −43, −67, −163.
5.11. Show that the ring

S = Z[√−17, 1/2] = {2⁻ⁿ(a + b√−17) : a, b, n ∈ Z}

is Euclidean with respect to the norm N_u defined by taking the maximal odd
factor of the usual norm N(x + y√−17) = x² + 17y².
5.12. Show that the ring

R = Z[√−5, 1/2] = {2⁻ⁿ(a + b√−5) : a, b, n ∈ Z}

is Euclidean with respect to the norm N_u defined by taking the maximal odd
factor of the usual norm N(x + y√−5) = x² + 5y²; for example,
N_u(1 + √−5) = 3.
Show that the unit group of R is R× = ⟨−1, 2⟩ and thus is isomorphic as
an abelian group to Z/2Z × Z.
The domains in this exercise are called rings of S-integers (in our case we
had S = {2}). These domains are occasionally used if one would like to apply
theorems that hold for principal ideal domains. The price one has to pay is
a larger unit group, which usually outweighs the advantage of having unique
factorization in almost all number theoretic problems.
5.13. Find the prime factorizations of 7, 13, and 19 in Z[ρ].
5.14. Show that for each α ∈ Z[ρ], we have α³ ≡ 0, 1 mod 2.
5.15. The integral solutions of the equation y² = x³ + 24 are (1, 5), (−2, 4),
(10, 32), and (8 158, 736 844). How close to this result can you come by
factoring y² − 24 = x³ in the quadratic number field Q(√6)?
5.16. (See [87]) Consider Goldbach’s polynomial f(x) = x² + 19x − 19, and show
that it represents infinitely many composite integers by verifying the identity

f(x² + 20x − 19) = f(x) · f(x + 1).

Show similarly that, for Euler’s polynomial n(x) = x² − x + 41, we have

n(x² + 41) = n(x) · n(x + 1).

Show more generally that f(x + f(x)) is, for any polynomial f with integral
coefficients and degree n, the product of f(x) and another polynomial with
integral coefficients.
5.17. Show that the only integral solutions of y² + 1 = 2x³ are (x, y) = (1, ±1).
5.18. In his proof of the first case of Fermat’s Last Theorem for the exponent 5,
Gauss considered the equation x⁵ + y⁵ + z⁵ = 0 and set y + z = a, z + x = b
and x + y = c. Show that this implies

(a + b + c)⁵ = 80abc(a² + b² + c²).

Verify this identity and derive the first case of Fermat’s Last Theorem for the
exponent 5.
5.19. (Werebrussow) Let φ(x, y) = x² + xy − y². Verify the identity

x⁵ + y⁵ = (x + y)φ(x² − xy + y², x² − 2xy + y²).

5.20. Generalize the congruence (5.3) to general quadratic number fields.


5.21. The congruence (5.3) implies divisibility results for recurring series of order
2. We will be content with explaining a few results for Fibonacci numbers;
general results were obtained by Siebeck [116].
Recall Binet’s formula (2.5) for the Fibonacci numbers:

U_n = (ω^n − ω′^n)/(ω − ω′),

where ω = (1 + √5)/2 and ω′ = (1 − √5)/2; in particular, ω − ω′ = √5.
Now prove the following congruences: For primes p with (5/p) = +1, we
have

U_{p−1} ≡ 0, U_p ≡ 1, U_{p+1} ≡ 1 mod p if (5/p) = +1,
U_{p−1} ≡ 1, U_p ≡ −1, U_{p+1} ≡ 0 mod p if (5/p) = −1.
Chapter 6
Ideals in Quadratic Number Fields

In this chapter we will show how to work with ideals in quadratic number rings and
how they can be applied to number theoretical problems.

6.1 Motivation

In Chap. 1, we have seen that

6 = 2 · 3 = (1 + √−5)(1 − √−5)

is an example of nonunique factorization into irreducible elements in the domain
R = Z[√−5]. This factorization also provides a counterexample to other results
that hold in unique factorization domains. We know, for example, that in unique
factorization domains, it follows from gcd(a, c) = 1 that gcd(a², c) = 1. In our
case, 2 and 1 + √−5 are both irreducible; since they are not associate, they must
be coprime. Yet (1 + √−5)² = −4 + 2√−5 shows that gcd((1 + √−5)², 2) is
nontrivial since 2 is a common divisor.
If Z[√−5] were a principal ideal domain, we could write down such a factor
immediately: (2, 1 + √−5) = (α) would imply α ∼ gcd(2, 1 + √−5). But
Z[√−5] is not a principal ideal domain, and the ideal (2, 1 + √−5) is not principal.
Dedekind’s idea was to regard the ideal (2, 1 + √−5) as the “correct” greatest
common divisor of 2 and (1 + √−5). The introduction of such “ideal” factors then
allows us to replace the non-existent unique factorization into elements by a unique
factorization into prime ideals.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_6

6.1.1 From Ideal Numbers to Ideals

Already in the first chapter, we have pointed out that Kummer’s ideal numbers
may be interpreted as ring homomorphisms Ok −→ Fq from the ring of integers
of a (quadratic) number field to finite fields and that Dedekind replaced these
homomorphisms by their kernels. In this chapter we will have a closer look at the
situation.
We may, for example, study the domain Z[i] by looking at ring homomorphisms
from this ring to finite fields Fp = Z/pZ. Recall that ring homomorphisms f :
R −→ S satisfy f(r₁ + r₂) = f(r₁) + f(r₂) and f(r₁r₂) = f(r₁)f(r₂) and must
have the property that the unit element of R is mapped to the unit element of S.
Each ring homomorphism κ₂ : Z[i] −→ Z/2Z satisfies, by definition, the
equation κ₂(1) = 1 + 2Z. Since κ₂(i)² = κ₂(i²) = κ₂(−1) = −1 + 2Z = 1 + 2Z,
we have κ₂(i) = 1 + 2Z. Thus,

κ₂(a + bi) = κ₂(a) + κ₂(b)κ₂(i) = a + b + 2Z,

i.e., each Gaussian integer a + bi is mapped to the residue class a + b + 2Z. In
particular, there exists a unique ring homomorphism from Z[i] to the field F2 with
2 elements.
Let us next ask whether there exist ring homomorphisms κ₃ : Z[i] −→ Z/3Z. As
above we find κ₃(a) = a + 3Z for all a ∈ Z. Moreover κ₃(i)² = κ₃(−1) = 2 + 3Z;
but since 2 + 3Z is not a square in Z/3Z, we arrive at a contradiction, and we
conclude that there is no such ring homomorphism κ₃ : Z[i] −→ Z/3Z. If we
would like to construct a ring homomorphism κ₃ on Z[i] whose restriction to Z is
reduction modulo 3, then its image must live in a field extension of F3 = Z/3Z in
which the residue class 2 + 3Z = −1 + 3Z is a square. The field F9 with 9 elements
is such a field. We can think of F9 as the extension of Z/3Z that is obtained by
adjoining a square root i of −1 (modulo 3). The elements of this extension have
the form a + bi with 0 ≤ a, b ≤ 2, and we do all calculations modulo 3. This
construction provides us with a ring homomorphism κ₃ : Z[i] −→ F9, which sends
a + bi to the residue class a + bi modulo 3 in F9.
As our last example, we study the ring homomorphisms κ₅ : Z[i] −→ Z/5Z.
Here κ₅(i)² = κ₅(−1) = −1 + 5Z = 4 + 5Z = (±2 + 5Z)², and hence we obtain
two distinct ring homomorphisms, namely one with κ₅(i) = 2 + 5Z and another one
defined by κ₅(i) = −2 + 5Z. Thus we have

κ₅(a + bi) = a + 2b + 5Z and κ₅(a + bi) = a − 2b + 5Z, respectively.

The ideal numbers that Kummer introduced in cyclotomic number fields are
essentially such ring homomorphisms; for Kummer, they were procedures for
attaching residue classes to elements. Each such ring homomorphism possesses a
kernel, and kernels of ring homomorphisms today are called ideals. If f : R −→ S
is a ring homomorphism, then its kernel I has the following properties:
• I + I ⊆ I: if r₁, r₂ ∈ ker f, then f(r₁ + r₂) = f(r₁) + f(r₂) = 0 + 0 = 0, and
so r₁ + r₂ is an element of the kernel: r₁ + r₂ ∈ I.
• R · I ⊆ I: if s ∈ ker f and r ∈ R, then f(r · s) = f(r) · f(s) = f(r) · 0 = 0,
and hence r · s ∈ I.
If, conversely, I is a subset of R with these properties, then we can define the
quotient ring S = R/I and obtain a natural map f : R −→ R/I defined by
f (r) = r + I ; this map f is then, as can be easily checked, a ring homomorphism
with kernel I .
For example, ker κ₂ consists of all elements a + bi ∈ Z[i] with a + b ≡ 0 mod 2.
These numbers are easily seen to be the multiples of 1 + i. The ideal ker κ₃ consists
of the multiples of 3. Finally, for the homomorphism with κ₅(i) = 2 + 5Z, the kernel
ker κ₅ consists of the multiples of 1 + 2i, whereas for the one with κ₅(i) = −2 + 5Z,
ker κ₅ consists of the multiples of 1 − 2i.
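The homomorphisms κ_p and their kernels can be computed directly. The following Python sketch is an added example, not code from the book, and all function names are chosen here. It lists every ring homomorphism Z[i] −→ Z/pZ by the image r of i and finds a generator of its kernel (p, i − r) with the Euclidean algorithm in Z[i], which is also the computation asked for in Exercise 5.2.

```python
# Added illustration: a Gaussian integer a + bi is stored as the pair (a, b).

def gmul(x, y):
    return (x[0]*y[0] - x[1]*y[1], x[0]*y[1] + x[1]*y[0])

def gnorm(x):
    return x[0]*x[0] + x[1]*x[1]

def gdivmod(x, y):
    """Division with remainder in Z[i]: x = q*y + r with N(r) <= N(y)/2."""
    n = gnorm(y)
    c = (x[0]*y[0] + x[1]*y[1], x[1]*y[0] - x[0]*y[1])    # x * conj(y)
    q = ((2*c[0] + n) // (2*n), (2*c[1] + n) // (2*n))    # nearest lattice point to x/y
    qy = gmul(q, y)
    return q, (x[0] - qy[0], x[1] - qy[1])

def ggcd(x, y):
    """Euclidean algorithm in Z[i]; the result is a gcd up to a unit."""
    while y != (0, 0):
        x, y = y, gdivmod(x, y)[1]
    return x

def divides(d, x):
    return gdivmod(x, d)[1] == (0, 0)

def homs(p):
    """Images r of i under the ring homomorphisms Z[i] -> Z/pZ: the roots of r^2 = -1."""
    return [r for r in range(p) if (r*r + 1) % p == 0]

def kappa(p, r, x):
    """The map a + bi -> a + r*b + pZ."""
    return (x[0] + r*x[1]) % p

def is_ring_hom(p, r, box=4):
    """Check additivity, multiplicativity and kappa(1) = 1 on a small box of inputs."""
    pts = [(a, b) for a in range(-box, box + 1) for b in range(-box, box + 1)]
    for x in pts:
        for y in pts:
            s = (x[0] + y[0], x[1] + y[1])
            if kappa(p, r, s) != (kappa(p, r, x) + kappa(p, r, y)) % p:
                return False
            if kappa(p, r, gmul(x, y)) != (kappa(p, r, x) * kappa(p, r, y)) % p:
                return False
    return kappa(p, r, (1, 0)) == 1 % p

def kernel_generator(p, r):
    """The kernel contains p and i - r and has index p, so it equals (p, i - r);
    since Z[i] is Euclidean this ideal is generated by gcd(p, i - r)."""
    return ggcd((p, 0), (-r, 1))

if __name__ == "__main__":
    for p in (2, 3, 5, 13):
        for r in homs(p):
            g = kernel_generator(p, r)
            print(f"p={p}: i -> {r}, kernel generated by {g}, norm {gnorm(g)}")
        if not homs(p):
            print(f"p={p}: no ring homomorphism Z[i] -> Z/{p}Z")
```

For p = 13 and r = 5 the generator is 3 + 2i, which exhibits 13 = 3² + 2².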
We will denote the set of multiples of an element α in some domain R by αR
or simply by (α) and call such ideals principal. All ideals in the rings Z and Z[i]
are principal; domains with this property are called principal ideal domains. The
domain Z[√−5] is not a principal ideal domain. In fact, the ring homomorphism κ₂
defined by κ₂(a + b√−5) = a + b + 2Z has kernel I = ker κ₂ = {a + b√−5 : a ≡
b mod 2}, and this ideal is not principal. This can be seen as follows: If there exists
an α ∈ Z[√−5] with ker κ₂ = (α), then κ₂(2) = κ₂(1 + √−5) = 0 implies that 2
and 1 + √−5 are multiples of α, say 2 = αβ and 1 + √−5 = αγ. Since we have
already shown that 2 is irreducible in Z[√−5], we must have α = ±1 or α = ±2,
but both alternatives are impossible. In fact, since κ₂(±1) = ±1 + 2Z, the elements
±1 do not belong to the ideal ker κ₂, and in the second case 1 + √−5 would have
to be a multiple of 2, which it is not.

6.1.2 Products of Ideals

For studying divisibility of elements in number rings without unique factorization,
we must define products of ideals and investigate when an ideal is divisible by
another.
For principal ideals, this is easy: The product of two principal ideals (α) and
(β) is of course defined to be the principal ideal (αβ). Using this definition we can
characterize divisibility of elements and principal ideals as follows:

Proposition 6.1 Let k be a quadratic number field with ring of integers Ok . For
α, β ∈ Ok , the following assertions are equivalent:
1. α | β;
2. (α) ⊇ (β).

This implies that the following assertions are also equivalent:


1. (α) = (β);
2. α | β and β | α;
3. There exists a unit η ∈ Ok× with α = βη.
The simple proof, which works in general domains and does not use any special
properties of quadratic number rings, is left to the readers (see Exercise 4.32). We
remark in passing that the transition from elements to principal ideals simplifies
many questions concerning divisibility since the units of the domain do not play
any role.
The product of two not necessarily principal ideals is defined in a similar manner:
If A and B are ideals in some domain R, then the set,

AB = {α1 β1 + . . . + αm βm : αj ∈ A, βj ∈ B},

of all finite sums of products αj βj is again an ideal in R. This is easily verified:
Sums of finite linear combinations of products αi βj again have this form, so the set
AB is an additive group. Moreover, AB is closed with respect to multiplication by
ring elements; in fact, if α1 β1 + . . . + αm βm ∈ AB and r ∈ R, then r(α1 β1 + . . . +
αm βm ) = (rα1 )β1 + . . . + (rαm )βm ∈ AB since each rαj ∈ A.
An ideal A is finitely generated if there exist elements α1, . . . , αm ∈ A with
A = (α1, . . . , αm). We will see that ideals in quadratic number rings have at most
two generators; the ideal (2, √2, ⁴√2, ⁸√2, . . .) in Z[√2, ⁴√2, ⁸√2, . . .], on the other
hand, is not finitely generated. Products of finitely generated ideals can easily be
written down.
Lemma 6.2 If A = (α1 , . . . , αm ) and B = (β1 , . . . , βn ) are finitely generated
ideals, then AB = (α1 β1 , α1 β2 , . . . , αm βn ).
Proof Equality of ideals is usually proved by showing that each ideal is contained
in the other. The proof therefore consists of two parts.
(1) AB ⊆ (α1 β1, . . .). Each element α ∈ A is an R-linear combination of the αi
and hence has the form α = Σ ri αi with ri ∈ R. Similarly, each β ∈ B has
the form β = Σ si βi with si ∈ R. Thus αβ = Σ_{i,j} ri sj αi βj is an R-linear
combination of the αi βj and so is contained in the ideal (α1 β1, . . .).
(2) AB ⊇ (α1 β1 , . . .). This is obvious since each generator αi βj in the ideal on the
right is a product of elements of A and B.


Without problems we verify the following properties:
Proposition 6.3 Let A, B, and C be ideals in some domain R. Then AB = BA,
(AB)C = A(BC), and AR = A(1) = A.

For every ideal a in quadratic number rings, we can define the conjugate ideal
a^σ = a′ (here σ is the nontrivial automorphism of k/Q), which consists of all
elements α′ for which α ∈ a. Again it is easy to check that conjugation commutes
with multiplication, i.e., that (ab)^σ = a^σ b^σ.
It takes some time to get used to computing with ideals. Consider for example
the ideals a = (2, 1 + √−5), b = (3, 1 + √−5), and c = b^σ = (3, 1 − √−5).
Then

a² = (2 · 2, 2(1 + √−5), 2(1 + √−5), −4 + 2√−5)
   = (4, 2(1 + √−5), −4 + 2√−5)
   = (2)(2, 1 + √−5, −2 + √−5);

the last ideal contains √−5 = 2 + (−2 + √−5) and thus also 1 = (1 + √−5) − √−5,
and hence a² = (2)(1) = (2).
In a similar way, we find

bc = (9, 3(1 + √−5), 3(1 − √−5), 6)
   = (3)(3, 1 + √−5, 1 − √−5, 2) = (3)(1) = (3).

It is slightly more tricky to compute

b² = (9, 3(1 + √−5), (1 + √−5)²)
   = (2 + √−5)(2 − √−5, 1 − √−5, −2) = (2 + √−5).

The calculation of the products ab, ac, and c2 is done in Exercise 6.3.
Let us have another look at the equation

2 · 3 = (1 + √−5)(1 − √−5).

If we form the ideals generated by the elements on the left and the right hand side,
we obtain (2)(3) = (2 · 3) = (1 + √−5)(1 − √−5) (the fact that there is a
product of ideals on the right hand side can only be seen by observing that there
is a product of ideals on the left). If we plug in (2) = a² and (3) = bc, then we
obtain the equation of ideals (6) = a²bc; by writing the ideal factors in the form
a² · (bc), we obtain the decomposition (6) = (2)(3) into two principal ideals, and
(ab)(ac) = (1 + √−5)(1 − √−5) yields the second decomposition into principal
ideals.
This shows that the two essentially different factorizations on the level of
numbers correspond to different ways of taking products of the “prime” ideals
a, b, and c. In the next section we will show that this holds in general quadratic
number rings Ok : even if the factorization into irreducible elements is not unique,
the factorization into irreducible ideals is.

6.1.3 The Class Group at Work



If we look carefully at counterexamples to the Square Product Theorem in Z[√−5],
then we will quickly see that there are infinitely many of them. For example, we have

2² + 5 · 1² = 3²,
2² + 5 · 3² = 7²,
22² + 5 · 3² = 23²,
38² + 5 · 9² = 43²,
2² + 5 · 21² = 47².

In all these cases with x² + 5y² = q², the equations x² + 5y² = q do not have an
integral (not even a rational) solution, and it is not difficult to guess that the squares
of all prime numbers q ≡ 3, 7 mod 20 are represented by the form x² + 5y². We will
see in this chapter that this observation is a consequence of the fact that Q(√−5)
has class number 2. The additional observation that the representation of primes by
the form x² + 5y² only depends on their residue classes modulo 20 lies deeper and
is a consequence of genus theory, which we will touch upon in Chap. 9.
Similar phenomena show up for other fields. The primes p with (−23/p) = +1, for
example, can be written in the form 4p³ = x² + 23y² and some of them even as
4p = x² + 23y². This is a consequence of the fact that Q(√−23) has class number
3. The class number is less visible in the observation that these primes are either
represented by 4p = x² + 23y² or by 8p = x² + 23y²: This is a consequence of
the fact that the ideal class group is generated by the prime ideals above 2.

6.2 Unique Factorization into Prime Ideals

So far we have only discussed properties of ideals that hold in general domains.
From now on we will exploit the fact that ideals in rings of integers of algebraic
number fields have additional properties. For deriving them, it is useful to introduce
the concept of Z-modules. In arbitrary domains R, a Z-module in R is just an
additive subgroup of R.

6.2.1 Classification of Modules

Examples of Z-modules in Ok are multiples of a single element (these are called
Z-modules of rank 1) such as Z, the even integers 2Z, or Zω, which consists of the
multiples of ω. Similarly, the order Z[√m] = Z ⊕ √m Z is a Z-module of rank 2,
as is the maximal order Z ⊕ ωZ or 2Z + 3√m Z.

Proposition 6.4 The Z-modules of Z are mZ for integers m ≥ 0.


Clearly mZ is a Z-module for every integer m. If M is an arbitrary Z-module,
then either M = 0 = 0Z contains just the zero element or it contains an integer
n ≠ 0. If n is negative, then −n ∈ M is positive. Let m be the smallest positive
integer in M. We claim that M = mZ. In fact, given any a ∈ M, we can write
a = mq + r with 0 ≤ r < m. If r ≠ 0, then r ∈ M is smaller than m contradicting
our choice of m. Thus r = 0, which tells us that any a ∈ M is a multiple of m,
which is what we wanted to prove.
In the following, let Ok be the ring of integers in the quadratic number field
k = Q(√m). Given a Z-module M in Ok, we define two Z-modules in Z, namely
M ∩ Z and the coefficient module

coeff(M) = {s ∈ Z : there is an a ∈ Z such that a + sω ∈ M},

where {1, ω} is an integral basis of Ok. The Z-module coeff(M) does not depend on
the choice of ω: Replacing ω by ω1 = ω − r for an arbitrary integer r clearly leaves
coeff(M) invariant.
The following table displays the Z-modules M ∩ Z and coeff(M) for a few
choices of Z-modules M in a quadratic number ring Z[√m]:

M          Z    Z[√m]   Ok   5Z ⊕ (1 + 2i)Z
M ∩ Z      Z    0       Z    5Z
coeff(M)   0    Z       Z    2Z

Actually we can define a group homomorphism coeff : M −→ coeff(M) via


coeff(a + bω) = b. This map respects addition and is onto. Its kernel consists of all
elements a + bω ∈ M with b = 0, i.e., we have ker coeff = M ∩ Z. In the language
of exact sequences that we will introduce in Chap. 9, this means that the sequence

0 −−−−→ M ∩ Z −−−−→ M −−−−→ coeff(M) −−−−→ 0

is exact. This means little more than that there are maps ι : M ∩Z −→ M (inclusion)
and coeff : M −→ coeff(M) (projection) with im ι = ker coeff.
Those familiar with the concept of direct sums in group theory will know that for
writing M as a direct sum of two modules of rank 1, one needs a lift coeff(M) −→
M. Clearly, given an element m ∈ coeff(M), there is an element a + bω ∈ M; this
“lift” will occur in our proofs below, which do not use the exact sequence above or
any other fancy tools from commutative algebra.
We now prove the following “basis theorem” for Z-modules of Ok :

Proposition 6.5 Let M be a Z-module in Ok. Then there exist unique natural
numbers m, n ∈ N0 and some a ∈ Z with M = nZ ⊕ (a + mω)Z.

This proposition claims that each such Z-module possesses a Z-basis; thus
Z-modules in Ok behave as subspaces of a vector space. The number of elements of a
basis does not depend on the choice of the basis and is called the rank of the module.
For example, the module M = (0) has rank 0, the modules Z and √m · Z have rank
1, and Ok has rank 2. Clearly M = nZ ⊕ (a + mω)Z has rank 2 if and only if
mn ≠ 0.
Proof of Proposition 6.5 Write M ∩ Z = nZ and coeff(M) = mZ for integers
m, n ∈ N0. By construction there is an integer a ∈ Z with a + mω ∈ M; since we
may change a by a multiple of n, the integer a is only determined modulo n.
Next we verify that these integers have the desired properties. We have to show
that M = nZ ⊕ (a + mω)Z. The fact that M ⊇ nZ ⊕ (a + mω)Z is clear. Assume
therefore that r + sω ∈ M. Since s ∈ coeff(M), we conclude that s = um for some
u ∈ Z, and then r − ua = r + sω − u(a + mω) ∈ M ∩ Z, hence r − ua = vn. Now
we obtain r + sω = r − ua + u(a + mω) = vn + u(a + mω) ∈ nZ ⊕ (a + mω)Z. □
Now let M be a Z-module in R = Ok . We consider the factor group R/M. This
group consists of all expressions of the form r+M with r ∈ R, where r+M = s+M
if and only if r − s ∈ M. This set becomes a group by setting (r + M) + (s + M) =
(r + s) + M. The idea behind computing with factor groups such as this one is doing
calculations in R and identifying elements that differ by an element in M.
The number of residue classes modulo M, i.e., the cardinality of the residue class
group R/M, is called the norm of the module M, and we write N(M) = (R : M).
The norm of a module M need not be finite, as the example R = Ok and M = Z
shows.
The importance of the numbers m and n in Proposition 6.5 is also emphasized by
our next result.
Proposition 6.6 Let M = nZ ⊕ (a + mω)Z be a Z-module of rank 2 in Ok . Then

S = {r + sω : r, s ∈ Z; 0 ≤ r < n, 0 ≤ s < m}

is a complete system of residues modulo M in R. In particular, the order of the
residue class group R/M is N(M) = mn.

We have to show
(a) that each element of R is congruent modulo M to some element of S and
(b) that elements of S are congruent modulo M only if they are equal.
For proving the first claim, take an element x + yω ∈ R, and write y = mq + s
with 0 ≤ s < m and x − qa = np + r with 0 ≤ r < n. Then

x + yω − (np + q(a + mω)) = r + sω,

and since np + q(a + mω) ∈ M, the claim is true.


For proving the second claim, assume that r + sω ≡ r′ + s′ω mod M with
0 ≤ r, r′ < n and 0 ≤ s, s′ < m. Then r − r′ + (s − s′)ω ∈ M. Thus r − r′ ∈ mZ
and s − s′ ∈ nZ, and hence r = r′ and s = s′.

6.2.2 Ideals as Modules

Given a Z-module M of rank 2 in R = Ok , we have defined the (additive) residue


class group R/M and determined its order. It is a natural question whether this
group can actually be given a ring structure. Observe that we have added two residue
classes r + M and s + M by adding the representatives, i.e., we have set

(r + M) + (s + M) = r + s + M.

What could prevent us from defining the product of these residue classes by

(r + M) · (s + M) = rs + M?

All we have to do is verify that our product is well defined. To this end, we replace
s by s + m for some m ∈ M; then

(r + M) · (s + m + M) = rs + rm + M,

and this is equal to rs + M if and only if rm ∈ M for every element r ∈ R. In


other words, we can give the residue class ring R/M a ring structure only if M is
closed with respect to multiplication by arbitrary elements of R. Z-modules with
this property are ideals by definition.
Our next result characterizes ideals in terms of their module basis.
Proposition 6.7 The module a = nZ + (a + mω)Z is an ideal if and only if m | n,
m | a (and thus a = mb for some b ∈ Z), and n | m · N(b + ω).

Proof We first show that nZ = a ∩ Z ⊆ coeff(a) = mZ, which then implies (to
contain is to divide) that m | n. To this end assume that c ∈ a ∩ Z; then cω ∈ a, and
by definition of the coefficient module, we conclude that c ∈ coeff(a).
For showing that m | a, we observe that ω² = x + yω for integers x, y ∈ Z since
{1, ω} is an integral basis. Now a is an ideal; thus if it contains a + mω, it will also
contain (a + mω)ω = mx + (a + my)ω. Thus a + my ∈ coeff(a) is a multiple of
m, and this implies immediately that m | a, and hence a = mb for some b ∈ Z.
For verifying the last divisibility relation we set α = a + mω = m(b + ω). With
α ∈ a clearly α(b + ω′) is contained in the ideal a. Since (1/m)Nα = m(b + ω)(b + ω′) ∈
a ∩ Z we find that (1/m)Nα = m · N(b + ω) is a multiple of n. □

Our next goal is the statement that the norm aa′ of an ideal a is generated by an
integer. For principal ideals this is clear since (α)(α)′ = (α)(α′) = (αα′) = (Nα).
A key step in proving unique factorization for ideals in general number fields is
showing that for each integral ideal a ≠ (0) there is an ideal b ≠ (0) such that
ab = (α) is principal.
Proposition 6.8 Let a ≠ (0) be an ideal in Ok. Then there is an a ∈ N with
aa′ = (a).

Remark Here the notation (a) is slightly ambiguous since it is not clear whether we
are talking about the ideal aZ in Z or the ideal aOk generated by a in Ok . Since on
the left side there is an ideal in Ok , clearly (a) must be the ideal (a) = aOk .
For the proof of Proposition 6.8, we use the following lemma¹ due to A. Hurwitz:
Lemma 6.9 (Hurwitz’s Lemma) Assume that α, β ∈ Ok and m ∈ N. If Nα, Nβ
and Tr αβ′ are divisible by m, then m | αβ′ and m | α′β.
Proof Let γ = αβ′/m; then γ′ = α′β/m, and we know that γ + γ′ = (Tr αβ′)/m
and γγ′ = (Nα/m)(Nβ/m) are integers. If the norm and the trace of an element of a quadratic
number field are integers, the element must be an algebraic integer, hence γ ∈ Ok,
and the claim follows. □

Proof of Proposition 6.8 We write a = (α, β) for α, β ∈ Ok (we can do so by
Proposition 6.5). Then a′ = (α′, β′), and thus aa′ = (Nα, αβ′, α′β, Nβ). If we set
a = gcd(Nα, Nβ, Tr αβ′) (in Z), then by Hurwitz’s Lemma 6.9, the two numbers
αβ′/a and α′β/a are algebraic integers; thus we obtain
aa′ = (a)(Nα/a, Nβ/a, αβ′/a, α′β/a),
where the last ideal lies in Ok by Hurwitz’s Lemma. In order to show that aa′ = (a),
it is enough to show that 1 ∈ (Nα/a, Nβ/a, αβ′/a, α′β/a). But 1 is a Z-linear combination
of Nα/a, Nβ/a and (Tr αβ′)/a, hence an Ok-linear combination of Nα/a, Nβ/a and
αβ′/a + α′β/a, and the claim follows. □

The natural number a in Proposition 6.8 is called the norm of the ideal a; we
thus have aa′ = (Na). Since (Nab) = (ab)(ab)′ = (aa′)(bb′) = (Na)(Nb), the
ideal norm is multiplicative. Other important properties of the norm of ideals are the
following:
• Na = 1 ⇐⇒ a = (1): In fact, Na = 1 implies (1) = aa′ ⊆ a ⊆ Ok = (1),
and the converse is clear.
• Na = 0 ⇐⇒ a = (0): It follows from aa′ = (0) that Nα = αα′ = 0 for all
α ∈ a.
The following property shows that the norm of an ideal can easily be computed
from its Z-basis:

Proposition 6.10 Let a be an ideal in Ok. Write a ∩ Z = nZ and coeff(a) = mZ
for positive integers m and n. Then Na = mn.

¹ This lemma is related to Dedekind’s “Prague Theorem”; see [80]. At this point we are using the
fact that the ring Ok is integrally closed, i.e., is equal to the maximal order.

For proving this claim, we write a = nZ + (a + mω)Z as in Prop. 6.7 and set
α = m(b + ω). Then a = (n, α), a′ = (n, α′) and

aa′ = (n², mn(b + ω′), mn(b + ω), m² N(b + ω))
    = (mn)(n/m, b + ω, b + ω′, (m/n) N(b + ω)).

Proposition 6.7 implies that the last ideal is contained in Ok, and hence (Na) =
aa′ ⊆ (mn)Ok = (mn) and thus mn | Na.
For proving the converse Na | mn, we proceed as follows: Let A = Na, i.e.,
aa′ = (A). Since α ∈ a and n ∈ a′, we have nα ∈ aa′ = (A), and hence A | nα =
na + nmω. Since {1, ω} is an integral basis of Ok, this implies A | na and A | nm.
This shows that the norm of an ideal is equal to the ideal generated by the norm
of an ideal interpreted as a module.

6.2.3 The Cancellation Law

Now we approach the theorem of unique factorization into prime ideals. The idea
behind the proof is the same as for numbers. In that case we could immediately
conclude from an equation αβ = αγ with α ≠ 0 that β = γ (we just multiply by
the inverse of α); in the case of ideals, this is not yet possible since we do not have an
“inverse ideal” at our disposal. The fact that the “cancellation law” is nevertheless
correct is the content of the next proposition.
Proposition 6.11 (The Cancellation Law) If a, b, and c are nonzero ideals in Ok
with ab = ac, then b = c.

Proof Assume first that a = (α) is principal; then ab = αb, and hence b = α⁻¹ab
and c = α⁻¹ac = α⁻¹ab = b.
If a is an arbitrary ideal, then ab = ac immediately implies that (aa′)b = (aa′)c.
Since aa′ = (Na) is principal, the claim now follows from the first part of the
proof. □

Thus the ideals in Ok form a monoid with cancellation. Such monoids can be
completed to a group in a formal way by imitating the construction of Q from Z,
namely by considering expressions of the form a/b, which are multiplied via a/b ·
c/d = ac/bd. It is possible to interpret an element ab⁻¹ of this group as a set by
setting ab⁻¹ = (1/b)ab′, where b is the norm of b, and defining (1/m)a = {α/m : α ∈ a}.
Such sets are called fractional ideals.

6.2.4 Divisibility of Ideals

Now that we have defined products of ideals we can study divisibility questions. Of
course we say that an ideal b is divisible by an ideal a if there exists an ideal c such
that b = ac. Since c ⊆ Ok , it follows from a | b that b = ac ⊆ a(1) = a: To divide
is to contain. The converse also holds.

Proposition 6.12 If a and b are ideals ≠ (0) with a ⊇ b, then a | b.

Proof It follows from a ⊇ b that ba′ ⊆ aa′ = (a) with a = Na. Then c = (1/a)ba′
is an ideal since (1/a)a′b ⊆ Ok (the algebraic properties of ideals are easily verified).
Now the claim follows from ac = (1/a)ba′a = b. □

The notions of irreducible, maximal, and prime ideals are perhaps known from
commutative algebra. We remind the readers that an ideal a ≠ (0), (1) is called
• irreducible if a ≠ bc for ideals b, c ≠ (1), i.e., if the ideal is not a product of
nontrivial ideals;
• maximal if a ⊆ b ⊆ (1) implies b = a or b = (1);
• prime if a | bc implies a | b or a | c.
The rings of integers in algebraic number fields have the pleasant property that these
three notions coincide (in a domain, the zero ideal (0) is prime but not maximal).
• Irreducible ideals are maximal: If a is not maximal, then there is an ideal b with
a ⊊ b ⊊ (1), but then b | a with b ≠ (1), a.
• Maximal ideals are irreducible: It follows from a = bc that a ⊊ b ⊊ (1).
It also follows from the definition that maximal ideals are always prime:
• Irreducible (and thus maximal) ideals are prime. Assume that the ideal a is
irreducible and that a | bc, but a ∤ b; we have to show that a | c. To this end,
we observe that the ideal a + b = {α + β : α ∈ a, β ∈ b} (it is easily checked
that this is an ideal; once we know that the factorization into prime ideals exists
and is unique, we will see that a + b is the greatest common divisor of a and b)
contains a and hence divides it. On the other hand, a + b ≠ a since this would
imply that a = a + b ⊇ b and hence a | b, contradicting our assumptions. Since
a is irreducible, we must have a + b = (1). This implies that there exist α ∈ a
and β ∈ b such that 1 = α + β. If γ ∈ c is arbitrary, then γ = αγ + βγ; but
αγ ∈ a and βγ ∈ bc ⊆ a, and hence γ ∈ a. Thus we have shown that c ⊆ a,
which implies a | c.
The proof that prime ideals in rings of integers of quadratic number fields are
maximal uses Proposition 6.12, which does not hold in general domains (see
Exercise 6.31):
• Prime ideals are irreducible and hence maximal. In fact, it follows from a = bc
and a ∤ b that a | c, and since c | a (to divide is to contain), we obtain a = c and
thus b = (1).
It is not obvious how to conclude from a | c and c | a that a = c without
Proposition 6.12. From a = cd and c = ae, we obtain a = dea. But without the
cancellation law, this does not allow us to conclude that de = (1).
Now we prove the main theorem of the theory of ideals in quadratic number
fields.
Theorem 6.13 Each ideal a ≠ (0) in the ring of integers Ok in some quadratic
number field k can be written as a product of prime ideals, and this factorization is
unique up to order.

Proof We begin by proving the existence of a factorization into irreducible ideals.
If a is irreducible, we are done. If not, then a = bc; if b and c are irreducible, we are
done. If not, we go on factoring the ideals. Since Na = NbNc and 1 < Nb, Nc <
Na, etc., this procedure must terminate since norms are natural numbers and so
cannot decrease indefinitely.
Now assume that we are given two factorizations a = p1 · · · pr = q1 · · · qs of a
into prime ideals. Since p1 is prime, it divides some qj on the right side. Rearranging
the order of the factors, we may assume that p1 | q1. Since q1 is irreducible, we must
have p1 = q1, and the cancellation law yields p2 · · · pr = q2 · · · qs. The claim now
follows by induction on the number of prime ideal factors of a. □

Remark The assumption that $\mathcal{O}_k$ is the full ring of integers is important. The domain
$R = \mathbb{Z}[\sqrt{-3}\,]$, for example, does not have unique factorization into irreducible
ideals. In fact, we have $(2)(2) = (1 + \sqrt{-3}\,)(1 - \sqrt{-3}\,)$, and the ideal $(2)$ is
irreducible. We cannot have $(2) = (1 + \sqrt{-3}\,)$ since then $\frac{1+\sqrt{-3}}{2} \in R$, which is not
true.
Working in residue class rings modulo ideals $I$ is easy. We write $a \equiv b \bmod I$
if $a - b \in I$. In order to reduce $17 + 19\sqrt{-5}$ modulo $I = (3, 1 + \sqrt{-5}\,)$, we first
reduce modulo $1 + \sqrt{-5}$; since $1 + \sqrt{-5} \in I$, we have $\sqrt{-5} \equiv -1 \bmod I$, and
hence $17 + 19\sqrt{-5} \equiv 17 - 19 \equiv -2 \bmod I$. Reducing the result modulo 3 then
shows that $17 + 19\sqrt{-5} \equiv -2 \equiv 1 \bmod I$.
Observe that this generalizes the usual notion of congruences: If I = mR is a
principal ideal, then a − b ∈ mR is equivalent to m | (a − b). The set of residue
classes of a domain modulo an ideal I forms a ring which we denote by R/I .

6.2.5 Description of Prime Ideals

If $\mathfrak{p}$ is a prime ideal in $\mathcal{O}_k$, then there is a unique prime number $p > 0$ with $\mathfrak{p} \mid (p)$.
In fact, $\mathfrak{p} \mid \mathfrak{p}\mathfrak{p}' = (N\mathfrak{p})$; factoring $N\mathfrak{p}$ in the integers and observing that $\mathfrak{p}$ is prime,
we deduce that there is a prime number $p$ such that $\mathfrak{p} \mid (p)$. The fact that $\mathfrak{p}$ cannot
divide two distinct prime numbers should be clear: If $\mathfrak{p} \mid (p)$ and $\mathfrak{p} \mid (q)$, then
$p, q \in \mathfrak{p}$, hence $1 \in \mathfrak{p}$, and this is a contradiction.

If $p$ is the prime number that $\mathfrak{p}$ divides, then we say that $\mathfrak{p}$ lies above $p$. Since
the ideal $(p)$ in $\mathcal{O}_k$ has norm $p^2$, it follows that each prime ideal above $p$ has norm
$p$ or $p^2$.
The determination of all prime ideals in Ok is not difficult (the case p = 2 is
taken care of in Exercise 6.21).
Theorem 6.14 Let $p$ be an odd prime number, $m$ a squarefree integer, and
$k = \mathbb{Q}(\sqrt{m}\,)$ a quadratic number field with discriminant $\Delta$. Then we have the
following:

• If $p \mid \Delta$, then $(p) = (p, \sqrt{m}\,)^2$; we say that $p$ is ramified.
• If $(\Delta/p) = +1$, then $(p) = \mathfrak{p}\mathfrak{p}'$ for prime ideals $\mathfrak{p} \ne \mathfrak{p}'$; we say that $p$ splits.
• If $(\Delta/p) = -1$, then the ideal $(p)$ is prime; we say that $p$ is inert.

Proof Assume first that $p \mid \Delta$; since $p$ is odd, we have $p \mid m$. Now
$(p, \sqrt{m}\,)^2 = (p^2, p\sqrt{m}, m) = (p)(p, \sqrt{m}, \frac{m}{p}) = (p)$ since the ideal $(p, \sqrt{m}, \frac{m}{p})$ contains the
coprime integers $p$ and $\frac{m}{p}$ and thus is equal to the unit ideal $(1)$.
Now assume that $(\Delta/p) = 1$; then $\Delta$ is a quadratic residue modulo $p$, and since
$\Delta = m$ or $\Delta = 4m$, so is $m$. Thus there is an $x \in \mathbb{Z}$ with $x^2 \equiv m \bmod p$. We set
$\mathfrak{p} = (p, x + \sqrt{m}\,)$ and find

$$\mathfrak{p}\mathfrak{p}' = (p^2, p(x + \sqrt{m}\,), p(x - \sqrt{m}\,), x^2 - m) = (p)\,(p, x + \sqrt{m}, x - \sqrt{m}, (x^2 - m)/p).$$

Clearly, $2\sqrt{m} = x + \sqrt{m} - (x - \sqrt{m}\,)$, and thus $4m = (2\sqrt{m}\,)^2$ is contained in
the last ideal. Since $p$ and $4m$ are coprime, this ideal is the unit ideal, and we have
$\mathfrak{p}\mathfrak{p}' = (p)$. If we had $\mathfrak{p} = \mathfrak{p}'$, then it would follow as above that $4m \in \mathfrak{p}$ and $\mathfrak{p} = (1)$:
a contradiction.
Finally, assume that $(\Delta/p) = -1$. If there were an ideal $\mathfrak{p}$ with norm $p$, then
by Proposition 6.7 it would have the form $\mathfrak{p} = (p, b + \omega)$ with $p \mid N(b + \omega)$. If
$\omega = \sqrt{m}$, this means $b^2 - m \equiv 0 \bmod p$, hence $(\Delta/p) = (4m/p) = (m/p) = +1$,
contradicting our assumption. If $\omega = \frac12(1 + \sqrt{m}\,)$, then $(2b + 1)^2 \equiv m \bmod p$, and
we get a contradiction as above.

We can combine the two cases $p = 2$ and $p \ne 2$ by using the Kronecker symbol
$(\Delta/p)$. Recall that this symbol coincides with the Legendre symbol for odd values
of $p$; for $p = 2$ and $\Delta \equiv 1 \bmod 4$, it is defined by $(\Delta/2) = (-1)^{(\Delta-1)/4}$, and for
$\Delta \not\equiv 1 \bmod 4$, we set $(\Delta/2) = 0$. Using the Kronecker symbol, a prime number $p$
splits, ramifies, or is inert according as $(\frac{\Delta}{p}) = +1$, $0$, or $-1$, respectively.
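The classification in Theorem 6.14 together with the Kronecker-symbol rule, as an added Python example (not code from the book): `decompose(m, p)` returns the type of $p$ in $\mathbb{Q}(\sqrt{m}\,)$ and, for odd split or ramified $p$, an integer $x$ with $\mathfrak{p} = (p, x + \sqrt{m}\,)$. The function names and the return convention are choices of this example.

```python
"""Decomposition of a rational prime p in Q(sqrt(m)) via the Kronecker symbol."""


def is_squarefree(m):
    """True if m != 0 and no square > 1 divides m."""
    m = abs(m)
    d = 2
    while d * d <= m:
        if m % (d * d) == 0:
            return False
        d += 1
    return m != 0


def discriminant(m):
    """Discriminant of Q(sqrt(m)) for squarefree m != 1."""
    if m == 1 or not is_squarefree(m):
        raise ValueError("m must be squarefree and different from 1")
    return m if m % 4 == 1 else 4 * m


def kronecker(delta, p):
    """Kronecker symbol (delta/p) for a discriminant delta and a prime p."""
    if p == 2:
        if delta % 4 != 1:
            return 0                       # delta = 4m: 2 is ramified
        return 1 if ((delta - 1) // 4) % 2 == 0 else -1
    r = pow(delta % p, (p - 1) // 2, p)    # Euler's criterion: r is 0, 1 or p - 1
    return -1 if r == p - 1 else r


def decompose(m, p):
    """Return (type, x) for the prime p in Q(sqrt(m)).

    For odd p that split or ramify, the prime ideal is (p, x + sqrt(m));
    x is None for inert primes and for p = 2 (see Exercise 6.21 for p = 2).
    """
    symbol = kronecker(discriminant(m), p)
    if symbol == -1:
        return ("inert", None)
    if p == 2:
        return ("ramified" if symbol == 0 else "split", None)
    if symbol == 0:
        return ("ramified", 0)             # (p) = (p, sqrt(m))^2
    # smallest x with x^2 = m mod p, as in the proof of Theorem 6.14
    x = next(x for x in range(1, p) if (x * x - m) % p == 0)
    return ("split", x)


def primes_upto(n):
    """Primes <= n by trial division (small n only)."""
    return [q for q in range(2, n + 1)
            if all(q % r for r in range(2, int(q ** 0.5) + 1))]


def table(m, bound):
    """Rows (p, type, x) for all primes p <= bound."""
    return [(p,) + decompose(m, p) for p in primes_upto(bound)]


if __name__ == "__main__":
    for m, bound in ((-21, 5), (-17, 4), (79, 7)):
        print(m, discriminant(m), table(m, bound))
```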

6.3 Ideal Class Groups

As we have seen, we may think of ideals as a substitute for greatest common
divisors. The elements $2$ and $1 + \sqrt{-5}$, for example, do not have a common divisor
$\ne \pm 1$, whereas the ideal $(2, 1 + \sqrt{-5}\,)$ generated by them describes the “correct”
greatest common divisor.
There are also pairs of elements with common divisors but without a greatest
one. For example,

$$6 = 2 \cdot 3 = (1 + \sqrt{-5}\,)(1 - \sqrt{-5}\,) \quad\text{and}\quad -4 + 2\sqrt{-5} = 2(-2 + \sqrt{-5}\,) = (1 + \sqrt{-5}\,)^2$$

have common divisors $2$ and $1 + \sqrt{-5}$, but there is no greatest common divisor.
On the other hand, there are elements in $\mathbb{Z}[\sqrt{-5}\,]$ that do have a greatest common
divisor, for example, $2 + 2\sqrt{-5}$ and $3 + 3\sqrt{-5}$. Here we have

$$\gcd(2 + 2\sqrt{-5}, 3 + 3\sqrt{-5}\,) = (1 + \sqrt{-5}\,) \gcd(2, 3) \sim 1 + \sqrt{-5}.$$

How can we decide whether such a greatest common divisor of two elements α and
β exists? To answer this question, we consider the ideal (α, β) generated by them
and check whether it is principal. If (α, β) = (δ), then δ is an “honest” greatest
common divisor of α and β. One goal of this (and the next) chapter is providing a
method for testing whether an ideal is principal or not.

6.3.1 Equivalence of Ideals

We have seen that the set of integral ideals $\ne (0)$ in $\mathcal{O}_k$ forms a monoid with
the cancellation law. Such monoids can be made into a group $I_k$ in a rather
formal way resembling the construction of the field $\mathbb{Q}$ of rational numbers from
the multiplicative monoid $\mathbb{Z}$. Such quotients of ideals are called fractional ideals.
Formally, two such ideals $\mathfrak{a}/\mathfrak{b}$ and $\mathfrak{c}/\mathfrak{d}$ are multiplied in the same way as fractions
of numbers, and of course we may cancel common factors. Principal ideals of the
form $(\alpha) = \alpha\mathcal{O}_k$, where $\alpha \in k^\times$ is not necessarily an algebraic integer, are called
principal fractional ideals, and they form the subgroup $P_k$ in $I_k$. The quotient group
$\mathrm{Cl}(k) = I_k/P_k$ is called the ideal class group of $k$.
Those who do not like such a formal approach may describe fractional ideals as
sets. In fact, write a fractional ideal $\mathfrak{a}\mathfrak{b}^{-1}$ as $\mathfrak{a}\mathfrak{b}'(\mathfrak{b}\mathfrak{b}')^{-1} = \frac{1}{b}\mathfrak{a}\mathfrak{b}'$, where $b = N\mathfrak{b}$
denotes the norm of $\mathfrak{b}$. Then we define $\frac{1}{\alpha}\mathfrak{c} := \{\frac{\gamma}{\alpha} : \gamma \in \mathfrak{c}\}$. On the set of fractional
ideals $\ne (0)$, we define products as for integral ideals; then we show that they form
a group.
We will use a third approach that does not use any fractional ideals. In fact, the
definition of the ideal class group above implies that two ideals a and b belong to
the same class modulo the group Pk of principal ideals if a = ξ b for some ξ ∈ k × .
If we write ξ = β/α with α, β ∈ Ok , then this is equivalent with αa = βb.
Such equations define an equivalence relation on the set of nonzero integral
ideals: We will call ideals $\mathfrak{a}$ and $\mathfrak{b}$ equivalent and write $\mathfrak{a} \sim \mathfrak{b}$ if there exist elements
$\alpha, \beta \in \mathcal{O}_k$ such that $\alpha\mathfrak{a} = \beta\mathfrak{b}$. Of course we have to verify the usual axioms:
symmetry, reflexivity, and transitivity (see Exercise 6.20).
With respect to this notion of equivalence, all principal ideals belong to the same
equivalence class. In fact, if $\mathfrak{a} = (\alpha)$, then $1 \cdot \mathfrak{a} = \alpha \cdot (1)$, and this shows that $\mathfrak{a} \sim (1)$.
Conversely, each ideal equivalent to the unit ideal is principal: $\alpha\mathfrak{a} = \beta(1)$ implies
$\mathfrak{a} = (\frac{\beta}{\alpha})$, and since $\mathfrak{a}$ is an integral ideal, $\frac{\beta}{\alpha} = \gamma$ must be integral, as well. Thus all
principal ideals are contained in the class of the unit ideal (1).
This implies that Ok has exactly one equivalence class of ideals if and only if
each ideal is principal.
Proposition 6.15 The ring Ok of integers in a quadratic number field k is a
principal ideal domain if and only if k has class number 1.

In particular, there are at least two ideal classes in $\mathbb{Z}[\sqrt{-5}\,]$: Since the prime
ideal $\mathfrak{p} = (2, 1 + \sqrt{-5}\,)$ is not principal, $\mathfrak{p}$ cannot belong to the equivalence class of
principal ideals. Observe, however, that $\mathfrak{p}$ and $\mathfrak{q} = (3, 1 + \sqrt{-5}\,)$ belong to the same
ideal class: In order to satisfy the condition $\alpha\mathfrak{p} = \beta\mathfrak{q}$, we multiply this equation by $\mathfrak{p}$
and find, using $\mathfrak{p}^2 = (2)$ and $\mathfrak{p}\mathfrak{q} = (1 + \sqrt{-5}\,)$, that $\alpha(2) = \beta(1 + \sqrt{-5}\,)$. Thus it is
sufficient to set $\alpha = 1 + \sqrt{-5}$ and $\beta = 2$, and in fact the equation $(1 + \sqrt{-5}\,)\mathfrak{p} = 2\mathfrak{q}$
is correct since both ideals have the same prime ideal factorization $\mathfrak{p}^2\mathfrak{q}$.
On the set of equivalence classes of ideals, we now introduce a group structure
as follows. Given ideal classes $c$ and $d$, we choose ideals $\mathfrak{a} \in c$ and $\mathfrak{b} \in d$ and call
the class $cd = [\mathfrak{a}\mathfrak{b}]$ the product of $c$ and $d$. We have to check that the product does
not depend on the choice of the representatives (this is a simple exercise). Clearly,
the class of principal ideals is the neutral element; associativity is inherited from the
associativity of the multiplication of ideals, and the existence of the inverse follows
from the fact that $\mathfrak{a}\mathfrak{a}' = (a)$ is principal; in other words, we have $[\mathfrak{a}]^{-1} = [\mathfrak{a}']$.
This shows that the ideal classes of a quadratic number field k form a group,
which is called the ideal class group of k, and which is denoted by Cl(k). Together
with the unit group, it is the most important invariant of a number field. The goal
of this section is proving that the class number hk = # Cl(k) is finite. Our proof is
constructive and will allow us to actually compute the ideal class group of a given
quadratic number field.

6.3.2 Finiteness of the Class Number

We will now show that each ideal class in the ring of integers of a quadratic number
field k contains an ideal whose norm is bounded by a constant depending only on k.
This immediately implies that the class number is finite. Let us call an ideal primitive
if it is not divisible by an ideal of the form $(m) \ne (1)$ with $m \in \mathbb{Z}$. Clearly, each
ideal class is represented by a primitive ideal since dividing an ideal by the principal
ideal $(m)$ does not change its class.
By Proposition 6.7, each ideal a possesses a Z-basis of the form {n, m(b + ω)}
with m | n; in particular, a is primitive if and only if m = 1. In other words:

Proposition 6.16 If the ideal a is primitive, then there exist n ∈ N and b ∈ Z with
a = nZ ⊕ (b + ω)Z, and we have Na = n. In particular, we have a ∩ Z = (Na) in
this case.
Now we claim the following:

Theorem 6.17 Let $m \in \mathbb{Z}$ be squarefree and $k = \mathbb{Q}(\sqrt{m}\,)$ a quadratic number field
with ring of integers $\mathcal{O}_k = \mathbb{Z}[\omega]$ and discriminant $\Delta$. Define the Gauss bound $\mu_k$
by

$$\mu_k = \begin{cases} \sqrt{\Delta/5}, & \text{if } \Delta > 0, \\ \sqrt{-\Delta/3}, & \text{if } \Delta < 0. \end{cases}$$

Then each ideal class of $k$ contains an integral ideal $\ne (0)$ with norm $\le \mu_k$; in
particular, the number $h$ of ideal classes is finite.
Before we prove this result, we will present a few applications. Clearly, the
bounds are best possible since for $\Delta = 5$ and $\Delta = -3$, they cannot be improved.
If $\mu_k < 2$, then each ideal class contains an integral ideal $\ne (0)$ with norm $< 2$,
hence with norm 1. The only such ideal is (1), and this implies that there is a single
ideal class, namely the class of principal ideals. Thus in this case, $\mathcal{O}_k$ is a unique
factorization domain. Theorem 6.17 tells us that this holds for all fields $k$ with
discriminant $-12 \le \Delta \le 20$, i.e., for $m \in \{-11, -7, -3, -2, -1, 2, 3, 5, 13, 17\}$.
Next consider the ring of integers $R = \mathbb{Z}[\sqrt{-5}\,]$ in the quadratic number field
$k = \mathbb{Q}(\sqrt{-5}\,)$ with $\Delta = -20$; according to Theorem 6.17, each ideal class contains
an ideal with norm $< \sqrt{20/3}$ and so with norm $\le 2$. Since there are only two such
ideals, namely the principal ideal $(1)$ and the nonprincipal ideal $(2, 1 + \sqrt{-5}\,)$, the
field $k$ has class number 2.
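Proof of Theorem 6.17 Let $c = [\mathfrak{a}]$ be an ideal class represented by an ideal $\mathfrak{a}$.
Without loss of generality, we may assume that $\mathfrak{a}$ is primitive. Thus $\mathfrak{a} = (a, \alpha)$ with
$a = N\mathfrak{a}$ and $\alpha = b + \omega = s + \frac12\sqrt{\Delta}$ for some $s \in \mathbb{Q}$ with $2s \in \mathbb{Z}$. If $a \le \mu_k$, then
we are done; otherwise, we apply the Euclidean algorithm to the pair $(s, a)$ and find
an integer $q \in \mathbb{Z}$ with $s - qa = r$ and

$$|r| \le \frac{a}{2} \ \text{ if } \Delta < 0, \qquad \frac{a}{2} \le |r| \le a \ \text{ if } \Delta > 0.$$

Setting $\alpha_1 = r + \frac12\sqrt{\Delta}$, we will show below that
(1) $\alpha_1 \in \mathfrak{a}$,
(2) $|N\alpha_1| \le \frac{a^2 - \Delta}{4} \le a^2$, and
(3) $\mathfrak{a}_1 := \frac{1}{a}\alpha_1'\mathfrak{a} \sim \mathfrak{a}$ is an integral ideal with $[\mathfrak{a}_1] = [\mathfrak{a}]$ and $N\mathfrak{a}_1 < N\mathfrak{a}$.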

We repeat this step until we have found an ideal with norm ≤ μk ; since the norm
decreases at each step by at least 1, this process must terminate after finitely many
steps.
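Now clearly $\alpha_1 = \alpha - qa \in \mathfrak{a}$, which proves (1). The proof of the inequality (2)
is easy: If $\Delta < 0$, we have $|N\alpha_1| = |r^2 - \frac{\Delta}{4}| \le \frac{a^2 + |\Delta|}{4} < a^2$ since $a^2 > \mu_k^2 = \frac{|\Delta|}{3}$,
and if $\Delta > 0$, we clearly have $-a^2 = \frac{a^2 - 5a^2}{4} < r^2 - \frac{\Delta}{4} < a^2$.
It remains to show that the ideal $\mathfrak{a}_1$ is integral; but since

$$\frac{1}{a}\alpha_1'\mathfrak{a} \subseteq \mathcal{O}_k \iff \alpha_1'\mathfrak{a} \subseteq (a) = \mathfrak{a}\mathfrak{a}' \iff (\alpha_1') \subseteq \mathfrak{a}',$$

this is clear.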
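The reduction step of this proof, written out for $\Delta < 0$ as an added Python example (not code from the book). Assumptions of the example: the primitive ideal $(a, s + \frac12\sqrt{\Delta}\,)$ is stored as the integer pair `(a, B)` with $B = 2s$, so that $a$ divides $(B^2 - \Delta)/4$, and the function name is hypothetical.

```python
"""One ideal class, one small representative: the step a -> a_1 for delta < 0."""


def gauss_reduce(delta, a, B):
    """Reduce the ideal (a, (B + sqrt(delta))/2) until its norm is <= mu_k.

    Returns ((a, B), norms): the final ideal in the same (a, B) encoding and
    the list of norms visited, which is strictly decreasing.
    """
    if delta >= 0 or delta % 4 not in (0, 1):
        raise ValueError("delta must be a negative discriminant")
    if a <= 0 or (B * B - delta) % (4 * a) != 0:
        raise ValueError("a must divide N(alpha) = (B^2 - delta)/4")
    norms = [a]
    while 3 * a * a > -delta:              # a > mu_k = sqrt(-delta/3)
        R = B % (2 * a)                    # R = B - 2qa, i.e. r = s - qa = R/2
        if R > a:
            R -= 2 * a                     # now -a < R <= a, hence |r| <= a/2
        norm_alpha1 = (R * R - delta) // 4 # N(alpha_1) = r^2 - delta/4
        # a_1 = (1/a) * alpha_1' * a = (N(alpha_1)/a, alpha_1'), and
        # -alpha_1' = (-R + sqrt(delta))/2 generates the same ideal with a_1.
        a, B = norm_alpha1 // a, -R
        norms.append(a)
    return (a, B), norms


if __name__ == "__main__":
    # (11, 1 + sqrt(-21)) in Q(sqrt(-21)), delta = -84: B = 2
    print(gauss_reduce(-84, 11, 2))
    # (7, 3 + sqrt(-5)) and (29, 13 + sqrt(-5)) in Q(sqrt(-5)), delta = -20
    print(gauss_reduce(-20, 7, 6))
    print(gauss_reduce(-20, 29, 26))
```

In the sample runs the ideal above 7 ends at norm 2, that is, in the class of $(2, 1 + \sqrt{-5}\,)$, while the ideal above 29 ends at norm 1 and is therefore principal.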

The following observation, which generalizes our results on representations of
prime numbers in the form $x^2 + y^2$ or $x^2 + 3y^2$, is an important consequence of
Theorem 6.17.

Corollary 6.18 Let $m$ be a squarefree integer and $k = \mathbb{Q}(\sqrt{m}\,)$ a quadratic number
field with class number $h$, and assume that $p\mathcal{O}_k = \mathfrak{p}\mathfrak{p}'$ in $\mathcal{O}_k$ splits. Then there exist
integers $x, y \in \mathbb{N}$ with $\pm 4p^h = x^2 - my^2$.

Proof The $h$-th power of each ideal in $\mathcal{O}_k$ is principal. In particular, $\mathfrak{p}^h = (\frac{x + y\sqrt{m}}{2})$,
and taking norms, we obtain $p^h = |\frac{x^2 - my^2}{4}|$.


6.3.3 Class Group Calculations

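We now show how to compute class groups in a given quadratic number field.

$k = \mathbb{Q}(\sqrt{-21}\,)$, $\Delta = -84$ The Gauss bound is $\mu_k = \sqrt{84/3}$, so we have to
consider ideals with norm $\le 5$. Since $2^2 \mid \Delta$, the prime 2 is ramified: $(2) = \mathfrak{a}^2$ for
$\mathfrak{a} = (2, 1 + \sqrt{-21}\,)$. Similarly, $(3) = \mathfrak{b}^2$ with $\mathfrak{b} = (3, \sqrt{-21}\,)$. Finally, $(-21/5) = 1$
implies that $(5) = \mathfrak{c}\mathfrak{c}'$ splits into prime ideals of norm 5, namely $\mathfrak{c} = (5, 2 + \sqrt{-21}\,)$
and its conjugate $\mathfrak{c}'$.
The ideals with norm $\le 5$ thus are $(1)$, $\mathfrak{a}$, $\mathfrak{b}$, $\mathfrak{a}^2 = (2)$, $\mathfrak{c}$ and $\mathfrak{c}'$ ($\mathfrak{a}\mathfrak{b}$ already has
norm 6). Since $\mathfrak{a}^2 \sim (1)$, it remains to investigate $\mathfrak{a}$, $\mathfrak{b}$, $\mathfrak{c}$, and $\mathfrak{c}'$. Clearly, none of
these ideals is principal since $\mathcal{O}_k$ does not contain elements with norms 2, 3, or 5.
Similarly, $\mathfrak{a} \not\sim \mathfrak{b}$ since otherwise $(2) = \mathfrak{a}^2 \sim \mathfrak{a}\mathfrak{b}$, and there would exist an element
of norm 6, which is not the case.
Now $\mathfrak{a}\mathfrak{b}\mathfrak{c}$ is an ideal with norm 30, and this is the norm of the elements
$3 \pm \sqrt{-21}$. Since there is only one ideal above 2 and 3, respectively, we must have
$(3 + \sqrt{-21}\,) = \mathfrak{a}\mathfrak{b}\mathfrak{c}$ or $(3 + \sqrt{-21}\,) = \mathfrak{a}\mathfrak{b}\mathfrak{c}'$. For finding the correct factorization,
we compute $3 + \sqrt{-21} \bmod \mathfrak{c}$. From $\mathfrak{c} = (5, 2 + \sqrt{-21}\,)$, we deduce that
$\sqrt{-21} \equiv -2 \bmod \mathfrak{c}$, and hence $3 + \sqrt{-21} \equiv 3 - 2 \equiv 1 \bmod \mathfrak{c}$, and so we must have
$(3 + \sqrt{-21}\,) = \mathfrak{a}\mathfrak{b}\mathfrak{c}'$. This can be confirmed by verifying that $3 + \sqrt{-21} \equiv 0 \bmod \mathfrak{c}'$; in
fact, we have $\sqrt{-21} \equiv 2 \bmod \mathfrak{c}'$, and hence $3 + \sqrt{-21} \equiv 3 + 2 = 5 \equiv 0 \bmod \mathfrak{c}'$.
Thus $\mathfrak{a}\mathfrak{b}\mathfrak{c}' \sim 1$, and now $\mathfrak{c}' \sim \mathfrak{c}^{-1}$ implies $\mathfrak{a}\mathfrak{b} \sim \mathfrak{c}$.
Finally, $\mathfrak{c}' \sim \mathfrak{c}^{-1} \sim \mathfrak{a}^{-1}\mathfrak{b}^{-1} \sim \mathfrak{a}\mathfrak{b}$ since $\mathfrak{a}^2 \sim \mathfrak{b}^2 \sim 1$. Thus there exist exactly 4
ideal classes: the class of principal ideals and three classes $[\mathfrak{a}]$, $[\mathfrak{b}]$, and $[\mathfrak{a}][\mathfrak{b}]$ with
order 2 in the class group. Thus the class group is isomorphic to $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$,
which is called Klein’s four group.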

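$k = \mathbb{Q}(\sqrt{-17}\,)$, $\Delta = -68$ Here we have to consider all ideals with norm $\le 4$. We
have $(2) = \mathfrak{a}^2$ with $\mathfrak{a} = (2, 1 + \sqrt{-17}\,)$ and $(3) = \mathfrak{b}\mathfrak{b}'$ with $\mathfrak{b} = (3, 1 + \sqrt{-17}\,)$.
The ideals with norm $\le 4$ thus are $(1)$, $\mathfrak{a}$, $\mathfrak{b}$, $\mathfrak{b}'$, and $(2) = \mathfrak{a}^2$.
Now $\mathfrak{b}^2$ cannot be principal: The only elements with norm 9 are $\pm 3$, but
$\mathfrak{b}^2 \ne (3) = \mathfrak{b}\mathfrak{b}'$ by unique factorization into prime ideals. On the other hand,
$(1 + \sqrt{-17}\,) = \mathfrak{a}\mathfrak{b}^2$ shows that $\mathfrak{b}^2 \sim \mathfrak{a}^{-1} \sim \mathfrak{a}$. Finally, $\mathfrak{b}' \sim \mathfrak{b}^{-1}$, and we see
that the class $[\mathfrak{b}]$ generates the whole class group: $\mathfrak{b}^2 \sim \mathfrak{a}$, $\mathfrak{b}^4 \sim \mathfrak{a}^2 \sim 1$ and
thus $\mathfrak{b}^3 \sim \mathfrak{b}^{-1} \sim \mathfrak{b}'$. The ideal class group of $k$ therefore is cyclic of order 4, i.e.,
$\mathrm{Cl}(k) \simeq \mathbb{Z}/4\mathbb{Z}$.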

$k = \mathbb{Q}(\sqrt{79}\,)$, $\Delta = 316$ Here the class group is generated by ideals with norm $\le 7$.
The ideal $\mathfrak{a} = (2, 1 + \sqrt{79}\,) = (9 + \sqrt{79}\,)$ is principal. The ideals above the odd
prime numbers $\le 7$ are, up to conjugates, $\mathfrak{b} = (3, 1 + \sqrt{79}\,)$, $\mathfrak{c} = (5, 2 + \sqrt{79}\,)$,
and $\mathfrak{d} = (7, 3 + \sqrt{79}\,)$. The computation of ideals with small norm and their prime
ideal factorizations yields the following table:

α                     Prime ideal factorization
$7 + \sqrt{79}$       $\mathfrak{a}\mathfrak{b}\mathfrak{c}$
$8 + \sqrt{79}$       $\mathfrak{b}'\mathfrak{c}'$
$10 + \sqrt{79}$      $\mathfrak{b}\mathfrak{d}$
$11 + \sqrt{79}$      $\mathfrak{a}\mathfrak{b}'\mathfrak{d}'$
$17 + 2\sqrt{79}$     $\mathfrak{b}^3$

Since $[\mathfrak{a}] = [(1)]$, it follows from the first relation that $[\mathfrak{b}] = [\mathfrak{c}'] = [\mathfrak{c}]^{-1}$. The third
relation shows that $[\mathfrak{b}] = [\mathfrak{d}'] = [\mathfrak{d}]^{-1}$. Thus the ideal class group is generated by
the ideal $\mathfrak{b}$ whose third power is principal. It remains to check whether $\mathfrak{b}$ is principal.
As we will see in the next chapter in connection with the bounds (7.7), this is not
the case. Thus $\mathrm{Cl}(k) \simeq \mathbb{Z}/3\mathbb{Z}$.
Here is a small table with nontrivial class numbers for practicing class number
calculations:

Δ    −52   −23   −20   −15   40   60
h      2     3     2     2    2    2

For another beautiful application of class groups, consider the field
$k = \mathbb{Q}(\sqrt{-5}\,)$. We have seen above that its ideal class group consists of the classes of $(1)$
and $\mathfrak{a} = (2, 1 + \sqrt{-5}\,)$. Let $\mathfrak{p}$ be a prime ideal with norm $p$ (thus $(-5/p) = +1$ and
$p\mathcal{O}_k = \mathfrak{p}\mathfrak{p}'$). Then either $\mathfrak{p} = (a + b\sqrt{-5}\,)$ is principal and thus $p = a^2 + 5b^2$, or
$\mathfrak{p} \sim \mathfrak{a}$, and then $\mathfrak{a}\mathfrak{p} = (C + d\sqrt{-5}\,)$ is principal. In this case we find $2p = C^2 + 5d^2$;
but since $C$ and $d$ are odd, we can write $C = 2c + d$ for some $c \in \mathbb{Z}$, and then we
find $2p = (2c + d)^2 + 5d^2 = 4c^2 + 4cd + 6d^2$, and hence $p = 2c^2 + 2cd + 3d^2$.
In other words, if $(-5/p) = +1$, then $p$ can be written in the form $p = a^2 + 5b^2$
or $p = 2c^2 + 2cd + 3d^2$.
Polynomials $Ax^2 + Bxy + Cy^2 \in \mathbb{Z}[x, y]$ are called binary quadratic forms.
Their discriminant is defined by $\Delta = B^2 - 4AC$. In particular, the binary quadratic
forms $x^2 + 5y^2$ and $2x^2 + 2xy + 3y^2$ both have discriminant $\Delta = -20$. This is not
a coincidence: Gauss defined an equivalence relation on the set of binary quadratic
forms with the same discriminant, and Dirichlet and Dedekind have shown that
these equivalence classes correspond, in the case of fundamental discriminants, to
ideal classes in quadratic number fields (with a technical complication in case of
positive discriminants). For $\Delta = -20$, there exist two different classes, namely
those represented by $x^2 + 5y^2$ and $2x^2 + 2xy + 3y^2$.
By the Modularity Theorem, we have

$$\Big(\frac{-5}{p}\Big) = +1 \iff p \equiv 1, 3, 7, 9 \bmod 20.$$

If we investigate which prime numbers are represented by which of the forms above,
then we find

$$p = \begin{cases} x^2 + 5y^2 & \text{if } p \equiv 1, 9 \bmod 20, \\ 2x^2 + 2xy + 3y^2 & \text{if } p \equiv 3, 7 \bmod 20. \end{cases}$$

Examples. $29 = 3^2 + 5 \cdot 2^2$, $41 = 6^2 + 5 \cdot 1^2$, $3 = 2 \cdot 1^2 + 2 \cdot 1 \cdot (-1) + 3 \cdot (-1)^2$,
$7 = 2 \cdot 1^2 + 2 \cdot 1 \cdot 1 + 3 \cdot 1^2$, etc.
This observation can be proved easily. In fact, we have $p = x^2 + 5y^2 \equiv x^2 + y^2 \equiv
0, 1 \bmod 4$. If $p$ is prime, then $p \equiv 1 \bmod 4$, and since we also have $p \equiv \pm 1 \bmod 5$
because of $(\frac{p}{5}) = +1$, this happens only for $p \equiv 1, 9 \bmod 20$. If $p = 2x^2 + 2xy + 3y^2$,
on the other hand, then $y$ is odd, and hence $p \equiv 2x^2 + 2x + 3 = 2x(x + 1) + 3 \equiv
3 \bmod 4$ (since $x(x + 1)$ is always even).
Proposition 6.19 The quadratic form $Q_0(x, y) = x^2 + 5y^2$ represents all prime
numbers $p$ with $(\frac{-1}{p}) = (\frac{5}{p}) = +1$, the form $Q_1(x, y) = 2x^2 + 2xy + 3y^2$ all with
$(\frac{-1}{p}) = (\frac{5}{p}) = -1$.

This pretty observation is a special case of genus theory, which we will
investigate in Chap. 9. This observation also reflects the fact that the genus class field
of $\mathbb{Q}(\sqrt{-5}\,)$ is the biquadratic extension $\mathbb{Q}(\sqrt{-1}, \sqrt{5}\,)$; for more in this direction,
see the beautiful book [25] by D. Cox.
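An added Python example (not from the book) for the class-number table and for the two forms of discriminant −20 discussed above. It swaps in a technique the text only alludes to: under the correspondence between form classes and ideal classes for fundamental discriminants $\Delta < 0$, the class number equals the number of reduced primitive forms $(a, b, c)$ with $-a < b \le a \le c$ (and $b \ge 0$ if $a = c$), a classical fact assumed here without proof; all function names are this example's own.

```python
"""Reduced binary quadratic forms of negative discriminant and the primes they represent."""
from math import gcd, isqrt


def reduced_forms(D):
    """All reduced primitive forms (a, b, c) with b^2 - 4ac = D < 0."""
    if D >= 0 or D % 4 not in (0, 1):
        raise ValueError("D must be a negative discriminant")
    forms = []
    a = 1
    while 3 * a * a <= -D:                 # reduced forms satisfy a <= sqrt(-D/3)
        for b in range(-a + 1, a + 1):     # -a < b <= a
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or (c == a and b < 0):
                continue
            if gcd(gcd(a, b), c) == 1:     # keep primitive forms only
                forms.append((a, b, c))
        a += 1
    return forms


def class_number(D):
    """Number of reduced forms; equals h for fundamental D < 0 (assumed fact)."""
    return len(reduced_forms(D))


def represent(form, n):
    """Return (x, y) with a x^2 + b x y + c y^2 = n and y >= 0, or None."""
    a, b, c = form
    D = b * b - 4 * a * c
    y = 0
    while -D * y * y <= 4 * a * n:         # from 4an = (2ax + by)^2 - D y^2
        t2 = 4 * a * n + D * y * y
        t = isqrt(t2)
        if t * t == t2:
            for num in (-b * y + t, -b * y - t):
                if num % (2 * a) == 0:
                    return (num // (2 * a), y)
        y += 1
    return None


def is_prime(n):
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))


def residues_by_form(D, limit):
    """For each reduced form: residues p mod |D| of the primes p < limit, p not dividing D, it represents."""
    result = {}
    for form in reduced_forms(D):
        result[form] = sorted({p % -D for p in range(2, limit)
                               if is_prime(p) and D % p and represent(form, p)})
    return result


if __name__ == "__main__":
    for D in (-52, -23, -20, -15, -84, -68, -104):
        print(D, class_number(D), reduced_forms(D))
    print(residues_by_form(-20, 200))
```

The positive discriminants 40 and 60 of the table are outside the scope of this count.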
6.4 The Diophantine Equation $y^2 = x^3 - d$

Let us now investigate what we can say about the solutions of the Bachet–Mordell
equation $y^2 = x^3 - d$ for integers $d > 0$, where we will make suitable assumptions
on $d$ in the course of our calculations.
We begin by factoring the right side and write

$$x^3 = y^2 + d = (y + \sqrt{-d}\,)(y - \sqrt{-d}\,).$$

We would like the ideals $\mathfrak{a} = (y + \sqrt{-d}\,)$ and $\mathfrak{a}'$ to be coprime. Clearly, each
common prime ideal factor $\mathfrak{p}$ (with $\mathfrak{p} \mid p$) also divides the difference $2\sqrt{-d}$; since
$\mathfrak{p} \mid \sqrt{-d}$ (and $p \ne 2$) immediately yields $p \mid d$, $p \mid y$, $p \mid x$ and finally $p^2 \mid d$, we
may exclude this case by assuming that $d$ is squarefree. Thus only the possibility
$\mathfrak{p} \mid 2$ remains; we now distinguish the following cases:

• $d \equiv 2 \bmod 4$: Then $\mathfrak{p} \mid (\sqrt{-d}\,)$ (since $\mathfrak{p} = (2, \sqrt{-d}\,)$), hence $\mathfrak{p} \mid y$, $p \mid y$, and
finally $x^3 = y^2 + d \equiv 2 \bmod 4$: this is a contradiction since a cube cannot be
divisible exactly by 2.
• $d \equiv 1 \bmod 4$: Then $\mathfrak{p} = (2, 1 + \sqrt{-d}\,)$, and hence $\mathfrak{p} \mid (y + \sqrt{-d}\,)$ if and only
if $y$ is odd. This implies $x^3 = y^2 + d \equiv 1 + 1 \equiv 2 \bmod 4$, and this is again a
contradiction.
• $d \equiv 3 \bmod 4$: Here $y + \sqrt{-d}$ is divisible by $\mathfrak{p}$ (even by 2) if and only if $y$ is odd. It
follows from $d = x^3 - y^2$ that $x$ must be even, and hence $d \equiv -y^2 \equiv -1 \bmod 8$.
Thus if we assume that $d \not\equiv 7 \bmod 8$, then $\mathfrak{p} \mid 2$ cannot be a common divisor of
$\mathfrak{a}$ and $\mathfrak{a}'$ also in this case.
Thus $\mathfrak{a}$ and $\mathfrak{a}'$ are in fact coprime. Since their product is a cube, there is an ideal
$\mathfrak{b}$ such that $\mathfrak{a} = \mathfrak{b}^3$, which implies that we also have $\mathfrak{a}' = \mathfrak{b}'^3$. Now we need the
next assumption: If $h$ denotes the class number of $\mathbb{Q}(\sqrt{-d}\,)$, then we demand that
$3 \nmid h$. Then $\mathfrak{b}^3$ and $\mathfrak{b}^h$ are principal ideals, hence so is $\mathfrak{b}^{3a+hb}$ for all $a, b \in \mathbb{Z}$, and
since 3 and $h$ are coprime we find, using Bézout, that $\mathfrak{b}$ itself must be principal, say
$\mathfrak{b} = (\frac{r + s\sqrt{-d}}{2})$ for integers $r, s$ with $r \equiv s \bmod 2$.
If we assume that $d > 0$, $d \ne 1, 3$, then $\pm 1$ are the only units, and from the
equation of ideals above, we obtain the equation of elements

$$y + \sqrt{-d} = \Big(\frac{r + s\sqrt{-d}}{2}\Big)^3,$$

where we have subsumed the sign into the cube. Comparing coefficients now yields
$1 = \frac18(3r^2 s - ds^3)$, and therefore $8 = 3r^2 s - ds^3 = s(3r^2 - ds^2)$. Clearly, we
must have $s \mid 8$, and hence $s = \pm 1$ or $r \equiv s \equiv 0 \bmod 2$. In the first case we find
$\pm 8 = 3r^2 - d$, hence $d = 3r^2 \mp 8$, and in the second case, we set $r = 2t$, $s = 2u$
and find $1 = u(3t^2 - du^2)$, that is, $u = \pm 1$ and $d = 3t^2 \mp 1$.

Thus we have shown: If $d$ satisfies our assumptions and does not have the form
$d = 3t^2 \pm 1$ or $d = 3t^2 \pm 8$, then the Diophantine equation $y^2 = x^3 - d$ does not
have an integral solution.
What happens if $d$ has one of these forms? Assume for example that $d = 3r^2 - 8$;
then comparing coefficients immediately yields (observe that $s = 1$)

$$8y = r^3 - 3dr = r^3 - 9r^3 + 24r = 24r - 8r^3,$$

hence $y = (3 - r^2)r$, and

$$y^2 + d = r^6 - 6r^4 + 12r^2 - 8 = (r^2 - 2)^3,$$

hence $x = r^2 - 2$. Thus any representation $d = 3r^2 - 8$ corresponds to an integral
solution $(r^2 - 2, \pm(3 - r^2)r)$ of our Diophantine equation. Similarly, the other
representations $d = 3r^2 + 8$, $3t^2 + 1$, and $3t^2 - 1$ correspond to the pairs of solutions
$(r^2 + 2, \pm r(r^2 + 3))$, $(4t^2 + 1, \pm t(8t^2 + 3))$, and $(4t^2 - 1, \pm t(8t^2 - 3))$.
Of course we now can ask whether an integer $d$ can have more than one such
representation. The answer is surprisingly simple: Only $d = 11$ possesses two such
representations, all other $d$ have at most one. The proof is not difficult: Equations
such as $3r^2 - 8 = 3t^2 - 1$ are impossible modulo 3; the remaining equations are
$3r^2 - 8 = 3t^2 + 1$ (this yields $3(r^2 - t^2) = 9$, hence $r^2 - t^2 = (r - t)(r + t) = 3$, with
the only solution $r = \pm 2$, $t = \pm 1$, which leads to $d = 4$, which is not squarefree),
and $3r^2 + 8 = 3t^2 - 1$ (this yields similarly $3 = t^2 - r^2$, hence $t = \pm 2$, $r = \pm 1$,
and thus $d = 3 + 8 = 3 \cdot 2^2 - 1 = 11$).
Thus we have proved the following result (see footnote 2):
Theorem 6.20 Let $d \ne 1, 3$ be a squarefree natural number, and $d \not\equiv 7 \bmod 8$. If
the class number of $\mathbb{Q}(\sqrt{-d}\,)$ is not divisible by 3, then the Diophantine equation
$y^2 = x^3 - d$
1. has exactly two pairs of integral solutions $(3, \pm 4)$ and $(15, \pm 58)$ for $d = 11$;
2. has exactly one pair of integral solutions if $d \ne 11$ has the form $d = 3t^2 \pm 1$ or
$d = 3t^2 \pm 8$:

d              (x, y)
$3t^2 - 1$     $(4t^2 - 1, \pm t(8t^2 - 3))$
$3t^2 + 1$     $(4t^2 + 1, \pm t(8t^2 + 3))$
$3t^2 - 8$     $(t^2 - 2, \pm t(3 - t^2))$
$3t^2 + 8$     $(t^2 + 2, \pm t(3 + t^2))$

3. does not have any integral solutions otherwise.

Footnote 2: In a similar way it can be shown that the Fermat equation $x^p + y^p = z^p$ for prime exponents $p$
has only trivial solutions with $xyz = 0$ if $p$ does not divide the class number of the field $\mathbb{Q}(\zeta_p)$ of
$p$-th roots of unity; this is essentially Kummer’s approach to Fermat’s Last Theorem.

Observe that Theorem 6.20 contains several results on this equation that we have
obtained before: Since $2 = 3 \cdot 1^2 - 1$, the equation $y^2 = x^3 - 2$ has the only integral
solution $(3, \pm 5)$.
If we look carefully at the case $d = 26 = 3 \cdot 3^2 - 1$, we see that $y^2 = x^3 - 26$
has the solution $(35, \pm 207)$ given by our theorem as well as the additional solutions
$(3, \pm 1)$. This is not a contradiction: The theorem now implies that the class number
of $\mathbb{Q}(\sqrt{-26}\,)$ must be divisible by 3. In fact, the class number is equal to 6. This
example can be generalized (see Exercise 6.27).
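Theorem 6.20 checked against a brute-force search, as an added Python example (not from the book). The search bound `x_max` and the function names are assumptions of the example, and the class-number hypothesis of the theorem is not tested by the code, which is why $d = 26$ shows a point the table does not list.

```python
"""Integral points on y^2 = x^3 - d versus the table of Theorem 6.20."""
from math import isqrt


def integral_points(d, x_max):
    """All (x, y) with 1 <= x <= x_max, y >= 0 and y^2 = x^3 - d."""
    points = []
    for x in range(1, x_max + 1):
        rhs = x ** 3 - d
        if rhs < 0:
            continue
        y = isqrt(rhs)
        if y * y == rhs:
            points.append((x, y))
    return points


def predicted_points(d):
    """Points (x, |y|) that the table of Theorem 6.20 lists for this d."""
    points = set()
    t = 1
    while 3 * t * t - 8 <= d:              # smallest of the four families
        if d == 3 * t * t - 1:
            points.add((4 * t * t - 1, t * (8 * t * t - 3)))
        if d == 3 * t * t + 1:
            points.add((4 * t * t + 1, t * (8 * t * t + 3)))
        if d == 3 * t * t - 8:
            points.add((t * t - 2, abs(t * (3 - t * t))))
        if d == 3 * t * t + 8:
            points.add((t * t + 2, t * (3 + t * t)))
        t += 1
    return sorted(points)


def unexplained_points(d, x_max):
    """Points found by the search that the table does not list.

    A non-empty result means a hypothesis of the theorem fails for d;
    for d = 26 it is the condition that 3 does not divide the class number.
    """
    listed = set(predicted_points(d))
    return [pt for pt in integral_points(d, x_max) if pt not in listed]


if __name__ == "__main__":
    for d in (2, 5, 11, 13, 19, 26):
        print(d, predicted_points(d), integral_points(d, 1000),
              unexplained_points(d, 1000))
```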
It is natural to ask whether the solutions found for $d = 26$ are the only ones. We
cannot answer this question here, but we would like to show how to begin such an
investigation.
As above we find $(y + \sqrt{-26}\,)(y - \sqrt{-26}\,) = x^3$, and since the two factors on
the left hand side are coprime, we must have $(y + \sqrt{-26}\,) = \mathfrak{a}^3$ for some ideal $\mathfrak{a}$.
If $\mathfrak{a} = (\alpha)$ is principal, then the only solution is, as we have already seen, $(x, y) =
(35, \pm 207)$. If $\mathfrak{a}$ is not principal, then it lies in some ideal class of order 3. One such
class is generated by the ideal $\mathfrak{p} = (3, 1 + \sqrt{-26}\,)$, the other one by its conjugate;
in fact, $\mathfrak{p}^3 = (1 + \sqrt{-26}\,)$, and clearly $\mathfrak{p}$ is not principal. Thus either $\mathfrak{p}\mathfrak{a} = (\alpha)$
or $\mathfrak{p}'\mathfrak{a} = (\alpha)$ is principal. In the first case, multiplying $(y + \sqrt{-26}\,) = \mathfrak{a}^3$ by
$(1 + \sqrt{-26}\,)$, we obtain the equation

$$(1 + \sqrt{-26}\,)(y + \sqrt{-26}\,) = (\mathfrak{p}\mathfrak{a})^3 = (\alpha)^3,$$

and hence

$$y - 26 - (y + 1)\sqrt{-26} = (a - b\sqrt{-26}\,)^3.$$

Comparing the coefficients of the real and imaginary parts, we obtain the equations

$$y - 26 = a(a^2 - 78b^2),$$
$$y + 1 = b(3a^2 - 26b^2).$$

Eliminating $y$, we then obtain

$$27 = -a^3 + 3a^2 b + 78ab^2 - 26b^3.$$

Using $a = -3A + b$, we find

$$A^3 - 9Ab^2 + 2b^3 = 1. \tag{6.1}$$

At this point we invoke algebraic number theory. We consider the cubic number field
$\mathbb{Q}(\omega)$, where $\omega$ is a root of the polynomial $f(x) = x^3 - 9x + 2 = 0$, and the domain
$\mathbb{Z}[\omega]$. The norm of an element $\alpha = A - b\omega$ can be determined, as in the quadratic
case, by computing the determinant of the linear map given by multiplication by $\alpha$.
We find

$$\alpha\omega = A\omega - b\omega^2,$$
$$\alpha\omega^2 = A\omega^2 - b\omega^3 = A\omega^2 - b(9\omega - 2)$$

because $\omega^3 = 9\omega - 2$, and hence

$$N\alpha = \begin{vmatrix} A & 0 & 2b \\ -b & A & -9b \\ 0 & -b & A \end{vmatrix} = A^3 - 9Ab^2 + 2b^3.$$

Thus (6.1) boils down to the question whether there is a unit of the form $A - b\omega$ in
$\mathbb{Z}[\omega]$. Since $f$ has three real roots, Dirichlet’s unit theorem tells us that there exist
two independent units. Using pari, we find the units $\varepsilon_1 = 3\omega^2 + 9\omega - 1$ and
$\varepsilon_2 = 2\omega^2 + 4\omega - 1$. Thus the question (which is anything but easy to answer) is
whether there exist exponents $m$ and $n$ with $\varepsilon_1^m \varepsilon_2^n = A - b\omega$.
As we have seen, it is a highly nontrivial problem to determine which integers
are represented by a binary cubic form such as (6.1). Thue [122] showed in 1909
that an equation $F(U, V) = m$, where $F(U, V) = AU^3 + BU^2 V + CUV^2 + DV^3$
is an irreducible cubic form, has only finitely many solutions in integers.
Let me say a few words about a connection between class numbers and elliptic
curves of the form $y^2 = x^3 - m$. If we write this equation in the form $y^2 + m = x^3$,
we see that for each integral point $(x, y)$ on this elliptic curve, the principal ideal
$(y + \sqrt{-m}\,)$ is, except for factors coming from common divisors with its conjugate
ideal $(y - \sqrt{-m}\,)$, a cube of an ideal. Ideals whose third powers are principal are
sources for ideal classes of order 3 in the class group of $\mathbb{Q}(\sqrt{-m}\,)$.
In general, the equation $y^2 = x^3 - mz^2$ will lead to ideals $(y + z\sqrt{-m}\,)$ that
often are cubes of ideals. For more on the connection between this equation and the
3-class group (see footnote 3) of quadratic number fields, see [51] and the literature cited there.
If we factor the equation $y^2 = x^3 - m$ on the right side, then we have to
study the 2-class group of pure cubic number fields $\mathbb{Q}(\sqrt[3]{m}\,)$ or their normal closure
$\mathbb{Q}(\sqrt{-3}, \sqrt[3]{m}\,)$. This will require familiarity with the basic concepts of algebraic
number theory and the arithmetic theory of elliptic curves.

Footnote 3: This is the 3-Sylow subgroup of the ideal class group, which consists of all ideal classes whose
order is a power of 3.

6.4.1 Summary

This chapter contains the essential results of the basic arithmetic of quadratic
number fields $k = \mathbb{Q}(\sqrt{m}\,)$:
• Ideals in the rings of integers Ok form a monoid with cancellation rule.
• The prime ideal factorization in Ok is unique.
• Rational prime numbers ramify, split, or are inert in Ok according as (Δ/p) = 0,
+1, or −1, respectively.
• Ideals a and b are called equivalent if there exist α, β ∈ Ok \ {0} with αa = βb.
The equivalence classes of ideals form a group called the ideal class group.
• The class group of k is a finite group.

6.5 Exercises

6.1. Show that the elements a + bi with a + b ≡ 0 mod 2 are exactly the multiples
of 1 + i.
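6.2. Let $R$ be a principal ideal domain and $(d) = (a, b)$ for $a, b, d \in R$. Show that
$d$ is a greatest common divisor of $a$ and $b$.
6.3. Let $\mathfrak{a} = (1 + \sqrt{-5}, 2)$, $\mathfrak{b} = (1 + \sqrt{-5}, 3)$, and $\mathfrak{c} = (1 - \sqrt{-5}, 3)$. Verify
$\mathfrak{a}\mathfrak{b} = (1 + \sqrt{-5}\,)$, $\mathfrak{a}\mathfrak{c} = (1 - \sqrt{-5}\,)$, and $\mathfrak{c}^2 = (2 - \sqrt{-5}\,)$.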
6.4. Show that the integer a in the basis of Proposition 6.5 is only determined
modulo n.
6.5. Show that the ideal $I = (1 + 2i)$ properly contains the $\mathbb{Z}$-module $M =
5\mathbb{Z} + (1 + 2i)\mathbb{Z}$ by showing that $-2 + i \notin M$. Determine the $\mathbb{Z}$-basis of the
ideal $I$.
6.6. Let $R = \mathcal{O}_k$ for $k = \mathbb{Q}(\sqrt{m}\,)$ and a squarefree integer $m$, and $M = \mathbb{Z}$.
Show that the residue classes $b\sqrt{m}$ ($b \in \mathbb{Z}$) in $R/M$ are all distinct and that
$N(M) = \infty$.
6.7. Show that $(7, 1 + \sqrt{-5}\,) = (1)$. Show more generally that $(a, \alpha) = (1)$ for
$a \in \mathbb{Z}$ and $\alpha \in \mathcal{O}_k$ if $\gcd(a, N\alpha) = 1$.
6.8. Determine the prime ideal factorization of $(4 + \sqrt{-5}\,)$.
6.9. Compute a greatest common divisor of $8 + \sqrt{-14}$ and $4 - \sqrt{-14}$ [107, S. 313].
6.10. The ideal $(21, 10 + \sqrt{-5}\,)$ has norm 21 and is divisible by prime ideals above
3 and 7 and hence by $(3, 1 \pm \sqrt{-5}\,)$ and $(7, 3 \pm \sqrt{-5}\,)$. Determine the exact
prime ideal factorization [107, S. 350].
6.11. Let $m = a^2 + b^2$ be a sum of two squares, and assume that $a$ is odd. Show
that $(a, b + \sqrt{m}\,)^2 = (b + \sqrt{m}\,)$.
6.12. Explain $2 \cdot 3 = -\sqrt{-6}^{\,2}$ by factoring the elements into prime ideals.
6.13. Let $k = \mathbb{Q}(\sqrt{-23}\,)$; show that $(2) = \mathfrak{a}\mathfrak{a}'$ for $\mathfrak{a} = (2, \frac{1 + \sqrt{-23}}{2})$ and $\mathfrak{a}^3 =
(\frac{3 - \sqrt{-23}}{2})$. Why is the ideal $\mathfrak{a}^2$ not principal?

6.14. Show that there exist homomorphisms $\varphi_2 : R \to \mathbb{F}_2$, $\varphi_3 : R \to \mathbb{F}_3$ and
$\varphi_3' : R \to \mathbb{F}_3$ in $R = \mathbb{Z}[\sqrt{-5}\,]$ whose kernels are exactly the prime ideals
$\mathfrak{a}$, $\mathfrak{b}$, and $\mathfrak{c}$ considered above.
6.15. Show that the equation of ideals

$$(2, 1 + \sqrt{-3}\,)(2, 1 + \sqrt{-3}\,) = (2)(2, 1 + \sqrt{-3}\,)$$

holds in $R = \mathbb{Z}[\sqrt{-3}\,]$, but that the cancellation law does not because
$(2, 1 + \sqrt{-3}\,) \ne (2)$.
6.16. Generalize the last exercise to all orders $\mathbb{Z}[\sqrt{m}\,]$, where $m \equiv 1 \bmod 4$ is
squarefree.
6.17. Consider the domain $\mathbb{Z}[3i] = \{a + 3bi : a, b \in \mathbb{Z}\}$. Show that $(2) = \mathfrak{p}^2$, that
ideals $(q)$ for primes $q \equiv 3 \bmod 4$ are inert, and that the ideals $(p)$ for primes
$p \equiv 1 \bmod 4$ split.
Show that (5, 1 − 3i) = (5, 3 + 6i).
Show that (3) ⊃ (3 + 6i), but that there does not exist an ideal A with
(3)A = (3 + 6i). In particular, the rule “to contain is to divide” does not hold
in Z[3i].
Show that we do not have unique factorization into irreducible ideals in
Z[3i].
6.18. Let $R$ be a domain in which unique factorization into prime ideals holds (such
domains are called Dedekind domains). Show that if $A$ and $B$ are coprime
ideals with $AB = \mathfrak{e}^n$, then $A = \mathfrak{a}^n$ and $B = \mathfrak{b}^n$.
6.19. Let a and b be ideals in Ok . Show that a ∩ b ⊇ ab, and prove that we even
have equality if a and b are coprime.
6.20. Recall that two ideals a and b are equivalent (a ∼ b) if and only if there exist
elements α, β ∈ Ok with αa = βb. Show that this is an equivalence relation
on the nonzero ideals in Ok , i.e., that the following assertions are true:
• symmetry: a ∼ a;
• reflexivity: a ∼ b implies b ∼ a;
• transitivity: a ∼ b and b ∼ c imply a ∼ c.

6.21. Let $k = \mathbb{Q}(\sqrt{m}\,)$ be a quadratic number field, and assume that m is
squarefree.
• If m ≡ 2 mod 4, then $(2) = (2, \sqrt{m}\,)^2$ is ramified.
• If m ≡ 3 mod 4, then $(2) = (2, 1 + \sqrt{m}\,)^2$ is ramified.
• If m ≡ 1 mod 8, then $(2) = \mathfrak{a}\mathfrak{a}'$ with $\mathfrak{a} = (2, \frac{1+\sqrt{m}}{2})$ and $\mathfrak{a}' \ne \mathfrak{a}$ (the ideal
(2) splits).
• If m ≡ 5 mod 8, then (2) is prime (the ideal (2) is inert).
The first three claims can be verified by a simple calculation. For the last, you
have to show that a prime ideal with norm 2 for m ≡ 1 mod 4 necessarily
has the form $(2, a + \frac{1+\sqrt{m}}{2})$. This implies $m \equiv (2a + 1)^2 \bmod 8$, and hence
m ≡ 1 mod 8. For guidance, keep the proof of Theorem 6.14 in mind.

6.22. If Δ ≡ 5 mod 8, then (2) remains prime, and there are no ideals of norm 2
in $O_k$. Show that this implies that the fields with Δ = −19, 21, 29, 37 have
class number 1. Which fields do we obtain by demanding in addition that
Δ ≡ 2 mod 3?
6.23. Show that the class number of $\mathbb{Q}(\sqrt{-m}\,)$ is even for each m ≡ 1 mod 4
with m > 1. To this end, show that $(2, 1 + \sqrt{-m}\,)^2$ is principal but that
$(2, 1 + \sqrt{-m}\,)$ is not.
6.24. Let k be a complex quadratic number field with discriminant Δ < 0. For
some small values of Δ, compute the sum
|Δ|/2 
w Δ
h= r,
2|Δ| r
r=1

where w denotes the number of roots of unity contained in k (which is simply
the order of the unit group in this case) and (Δ/r) is the Kronecker symbol.
Compare h with the class number of k. We will return to this observation in
our last chapter.
6.25. Show that the complex quadratic number fields $\mathbb{Q}(\sqrt{m}\,)$ for m = −1, −2,
−3, −7, −11, −19, −43, −67, and −163 have class number 1.
The conjecture that there are no other complex quadratic fields with
class number 1 essentially goes back to Gauss. The proof was obtained
independently from each other by Kurt Heegner, Harold Stark, and Alan
Baker.
6.26. Show that the prime ideals above (2) in $\mathbb{Q}(\sqrt{-m}\,)$ for squarefree integers
m ≡ 7 mod 8 are principal if and only if m = 7.
6.27. Show that the equation $y^2 = x^3 - d$ has an integral solution not listed in
Theorem 6.20 for all $d = 3t^2 - 1$ with $t = 3c^3$. Deduce that the class number
of $\mathbb{Q}(\sqrt{d}\,)$ is divisible by 3 for all $d = 27c^6 - 1$ for which d or 4d is the
discriminant of a quadratic number field (for example, if it is squarefree).
How often a polynomial such as $f(x) = 27x^6 - 1$ attains squarefree values
is an open problem, even in the case of polynomials of degree 4.
6.28. The class group of $k = \mathbb{Q}(\sqrt{-5}\,)$ consists of the principal class and the class
of order 2 generated by the ideal $\mathfrak{a} = (2, 1 + \sqrt{-5}\,)$. Show that the following
assertions hold:
a. For each prime ideal $\mathfrak{p}$ of norm $p \ne 5$, either $\mathfrak{p}$ or $\mathfrak{p}\mathfrak{a}$ is principal.
b. If p is a prime with (−5/p) = +1, then either $p = x^2 + 5y^2$ or $2p = x^2 + 5y^2$.
c. If $p = x^2 + 5y^2$, then p ≡ 1 mod 4 and thus p ≡ 1, 9 mod 20; if $2p = x^2 + 5y^2$,
on the other hand, then we must have p ≡ 3, 7 mod 20.
d. Deduce that primes p ≡ 1, 9 mod 20 can be represented by the form $p = x^2 + 5y^2$
and primes p ≡ 3, 7 mod 20 by $2p = x^2 + 5y^2$.
e. Verify that $(a^2 + 5b^2)(c^2 + 5d^2) = (ac - 5bd)^2 + 5(ad + bc)^2$.
f. If $2p = a^2 + 5b^2$, show that $p^2$ can be written in the form $p^2 = x^2 + 5y^2$.
g. If $2p = a^2 + 5b^2$ and $2q = c^2 + 5d^2$, show that $pq = x^2 + 5y^2$.
6.29. Solve the preceding exercise for the fields $\mathbb{Q}(\sqrt{-6}\,)$ and $\mathbb{Q}(\sqrt{-10}\,)$.
6.30. Verify the following assertions for small prime numbers p:
Let p be an odd prime number with $(\frac{-23}{p}) = +1$. Then the two prime ideals
above p in $\mathbb{Q}(\sqrt{-23}\,)$ are principal if and only if the polynomial
$f(x) = x^3 - x + 1$ splits into three linear factors modulo p.
Observe that f has discriminant −23. This result is a consequence of class
field theory.
6.31. Show that (2, x) ⊇ (2) in R = Z[x], but that there does not exist an ideal I
in R with (2, x)I = (2).
6.32. Consider the set S of all sequences of rational numbers. This set is a ring with
respect to addition and multiplication defined as follows:

(a1 , a2 , a3 , . . .) + (b1 , b2 , b3 , . . .) = (a1 + b1 , a2 + b2 , a3 + b3 , . . .),


(a1 , a2 , a3 , . . .) · (b1 , b2 , b3 , . . .) = (a1 b1 , a2 b2 , a3 b3 , . . .).

Show that the following subsets of S are subrings:


a. the set N of all null sequences (sequences that converge to 0);
b. the set D of all sequences converging in Q;
c. the set C of all Cauchy sequences;
d. the set B of all bounded sequences.
Observe that N ⊂ D ⊂ C ⊂ B ⊂ S. Which of these subrings are actually
ideals in B (or in C or D, respectively)?
Show that all these rings contain zero divisors and that N is a maximal
ideal in C (actually, we have $C/N \simeq \mathbb{R}$).
6.33. Consider the equation $y^2 = x^3 - d$ for d = 4f and squarefree f ≡ 3 mod 8
with f ≥ 11. Assume that the class number h of $\mathbb{Q}(\sqrt{-f}\,)$ is not divisible by
3.
a. Show that x and y are odd.
b. Show that we must have $(y + 2\sqrt{-f}\,) = \mathfrak{a}^3$. Conclude that $\mathfrak{a} = (\alpha)$ is
principal.
c. Write $\alpha = \frac{r + s\sqrt{-f}}{2}$ and deduce that $s(3r^2 - fs^2) = 16$.
d. Show that the only integral solutions are given by
• $x = r^2 - 4$, $y = \pm(r^3 - 6r)$ if $f = 3r^2 - 16 \ge 11$;
• $x = r^2 + 4$, $y = \pm(r^3 + 6r)$ if $f = 3r^2 + 16$.
6.34. Let $m = 85 = 9^2 + 4 \cdot 1^2 = 7^2 + 4 \cdot 3^2$. Consider the two ideals
$\mathfrak{a}_1 = (2 + \sqrt{85}, 9)$ and $\mathfrak{a}_2 = (6 + \sqrt{85}, 7)$. Show that $\mathfrak{a}_1$ is principal and $\mathfrak{a}_2$ is not.
6.35. Let m = 5 · 13 · 17. Write m in the form $m = a_j^2 + 4b_j^2$ in all possible ways,
and investigate which of the ideals $\mathfrak{a}_j = (2b_j + \sqrt{m}, a_j)$ are principal and
which are not.

6.36. Show that the Diophantine equation $x^3 + 4 = py^2$ for primes p ≡ 5 mod 8
has the only solution x = 1, y = ±1 and p = 5 if the class number of
$\mathbb{Q}(\sqrt{p}\,)$ is not divisible by 3.
6.37. Let k ≡ 7 mod 8 be a squarefree negative integer, and assume that the class
number of $K = \mathbb{Q}(\sqrt{k}\,)$ is divisible by 3 (Hall [47]). Show that the equation
$y^2 = x^3 - k$ does not have an integral solution with y odd if the ideal class
generated by the prime ideal $\mathfrak{p} = (2, \frac{1+\sqrt{k}}{2})$ is not a cube of another ideal
class.
6.38. Show that the Diophantine equation $y^2 = x^3 - 31$ does not have an integral
solution (Hall [47]).
Chapter 7
The Pell Equation

Complex quadratic number rings have finitely many units; in the real quadratic case,
the rings of integers of $\mathbb{Q}(\sqrt{m}\,)$ seem to contain a unit ε of infinite order:

  m    2              3              5                         6               7
  ε    $1+\sqrt{2}$   $2+\sqrt{3}$   $\frac{1}{2}(1+\sqrt{5})$   $5+2\sqrt{6}$   $8+3\sqrt{7}$

The existence of nontrivial units $\varepsilon = \frac{x + y\sqrt{m}}{2}$ in real quadratic number fields
$\mathbb{Q}(\sqrt{m}\,)$ is equivalent to the solvability of the Pell equation $x^2 - my^2 = \pm 4$ in
nonzero integers for all squarefree values of m > 0. In this chapter we will prove
that the equation $x^2 - my^2 = 1$ has a nontrivial¹ solution in integers whenever
m > 0 is not a square, and we will provide methods for computing units in real
quadratic number fields.
Before we prove the solvability of the Pell equation, we make a few remarks on
the connection between the equations $x^2 - my^2 = \pm 4$ and the equation $x^2 - my^2 = 1$
and on how to compute the fundamental unit of $\mathbb{Q}(\sqrt{m}\,)$ from the minimal nontrivial
solution of $x^2 - my^2 = 1$ and vice versa.
Consider for example the case m = 13. Here the fundamental unit of the
ring of integers $O_k$ of the quadratic number field $k = \mathbb{Q}(\sqrt{13}\,)$ is $\varepsilon = \frac{3+\sqrt{13}}{2}$,
which corresponds to the solution (3, 1) of the Pell equation $x^2 - 13y^2 = -4$.
The unit $\varepsilon^3 = 18 + 5\sqrt{13}$ is a unit in the order $\mathbb{Z}[\sqrt{13}\,]$ and corresponds to the
fundamental solution (18, 5) of the Pell equation $x^2 - 13y^2 = -1$. Finally the unit
$\varepsilon^6 = 649 + 180\sqrt{13}$ corresponds to the minimal nontrivial solution (649, 180) of
the Pell equation $x^2 - 13y^2 = 1$.

¹ By this we mean solutions with y ≠ 0.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_7


Proposition 7.1 If $k = \mathbb{Q}(\sqrt{m}\,)$ for some squarefree integer m ≡ 1 mod 4, and if ε
is a unit in $O_k$, then $\varepsilon^3$ is a unit in the order $\mathbb{Z}[\sqrt{m}\,]$.
In other words, if $t^2 - mu^2 = \pm 4$, then $T^2 - mU^2 = \pm 1$, where

$$T + U\sqrt{m} = \Bigl(\frac{t + u\sqrt{m}}{2}\Bigr)^3.$$

Proof If $t^2 - mu^2 = \pm 4$ for odd integers t and u, then reducing this equation modulo
8 shows that m ≡ 5 mod 8. In this case, the prime ideal (2) is inert in $\mathbb{Q}(\sqrt{m}\,)$;
hence, the group of coprime residue classes modulo 2 has order N(2) − 1 = 3, and
this in turn implies that $\varepsilon^3 \equiv 1 \bmod 2$.

Clearly, if ε is a unit with norm −1, then $\varepsilon^2$ is a unit with norm +1. Thus if we
want to compute a fundamental unit from the unit $x + y\sqrt{m}$ corresponding to the
smallest positive solution of the Pell equation $x^2 - my^2 = 1$, then we have to check
whether ε is a square, a cube, or a sixth power of a unit in $\mathbb{Q}(\sqrt{m}\,)$.
We will explain how to do this in the case at hand. Assume we have the minimal
positive solution (649, 180) of the Pell equation $x^2 - 13y^2 = 1$; then
$\eta = 649 + 180\sqrt{13}$ is a unit with norm 1 (and the smallest positive unit with norm 1 in the
domain $\mathbb{Z}[\sqrt{13}\,]$).

For checking whether $\sqrt{\eta} \in \mathbb{Q}(\sqrt{13}\,)$, we use the real approximations

$$\eta = 649 + 180\sqrt{13} \approx 1297.9992295\ldots,$$
$$\eta' = 649 - 180\sqrt{13} \approx 0.0007704\ldots.$$

Clearly, the trace $\eta + \eta' = 2 \cdot 649$ is an integer. If η is a square, then the trace of $\sqrt{\eta}$
must also be an integer. We find

$$\sqrt{\eta} \approx 36.0277563773\ldots,$$
$$\sqrt{\eta'} \approx 0.0277563773\ldots.$$

This shows² that $\frac{1}{2}(\sqrt{\eta} - \sqrt{\eta'}\,) \approx 18$ and $\frac{\sqrt{\eta} + \sqrt{\eta'}}{2\sqrt{13}} \approx 5$ are very close to integers,
which in turn suggests that $\sqrt{\eta} = 18 + 5\sqrt{13}$. Now we can readily verify that
$(18 + 5\sqrt{13}\,)^2 = \eta$. Observe that $18 - 5\sqrt{13} < 0$, which is why $18 - 5\sqrt{13} \approx -\sqrt{\eta'}$.
In a similar way we can check that η is a cube and in fact a sixth power:

$$\sqrt[6]{\eta} \approx 3.30277563773\ldots,$$
$$\sqrt[6]{\eta'} \approx 0.30277563773\ldots,$$

and this time

$$\frac{\sqrt[6]{\eta} - \sqrt[6]{\eta'}}{2} \approx 1.5 \quad\text{and}\quad \frac{\sqrt[6]{\eta} + \sqrt[6]{\eta'}}{2\sqrt{13}} \approx 0.5$$

suggests that $\sqrt[6]{\eta} = \frac{3+\sqrt{13}}{2}$, which can then be verified.

² See Exercise 7.1.
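The root check described above can be automated; the following Python sketch is an added example, not code from the book. It guesses the coefficients of a k-th root from floating-point traces and then verifies the guess with exact rational arithmetic; the function names `kth_root` and `largest_root` are chosen here for illustration.

```python
from fractions import Fraction
from math import sqrt


def mul(u, v, m):
    """Product of a1 + b1*sqrt(m) and a2 + b2*sqrt(m), stored as pairs (a, b)."""
    (a1, b1), (a2, b2) = u, v
    return (a1 * a2 + m * b1 * b2, a1 * b2 + a2 * b1)


def power(u, k, m):
    """Exact k-th power in Q(sqrt(m)); Fractions avoid any rounding error."""
    result = (Fraction(1), Fraction(0))
    for _ in range(k):
        result = mul(result, u, m)
    return result


def kth_root(x, y, m, k):
    """Return (a, b) with (a + b*sqrt(m))**k == x + y*sqrt(m), or None.

    (x, y) must be a positive solution of x^2 - m*y^2 = 1, so that
    eta = x + y*sqrt(m) > 1 and its conjugate is eta' = 1/eta.
    a and b are integers or half-integers, returned as Fractions.
    """
    if x <= 0 or y <= 0 or x * x - m * y * y != 1:
        raise ValueError("expected a positive solution of x^2 - m*y^2 = 1")
    root_m = sqrt(m)
    eta = x + y * root_m
    r = eta ** (1.0 / k)               # real k-th root of eta
    r_conj = (1.0 / eta) ** (1.0 / k)  # real k-th root of eta'; 1/eta avoids cancellation
    # The conjugate of the root is +r_conj or -r_conj (the text's example has
    # 18 - 5*sqrt(13) < 0), so both signs are tried.
    for sign in (+1, -1):
        two_a = round(r + sign * r_conj)             # trace of the candidate root
        two_b = round((r - sign * r_conj) / root_m)
        candidate = (Fraction(two_a, 2), Fraction(two_b, 2))
        if power(candidate, k, m) == (x, y):         # exact verification
            return candidate
    return None


def largest_root(x, y, m, exponents=(6, 3, 2)):
    """Largest k among the exponents for which eta is a k-th power, with the root."""
    for k in exponents:
        root = kth_root(x, y, m, k)
        if root is not None:
            return k, root
    return 1, (Fraction(x), Fraction(y))


if __name__ == "__main__":
    print(kth_root(649, 180, 13, 2))   # square root of 649 + 180*sqrt(13)
    print(largest_root(649, 180, 13))  # sixth root, the fundamental unit
```

The floating-point step only proposes a candidate; the decision rests on the exact comparison, so a rounding error can cause a missed root for very large η but never a false positive.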

7.1 The Solvability of the Pell Equation

The history of the Pell equation in Europe³ begins with Fermat’s challenge in 1657.
In that year, Fermat posed the following problem (among others) and asked his
contemporaries, in particular the English mathematicians John Wallis and William
Brouncker, for a solution:
Given an arbitrary natural number, which is assumed to be not a square, there are infinitely
many square numbers with the property that after adding 1 to the product of one of these
square numbers with the given number, another square is produced [. . . ]. We ask e.g. for a
square that produces another square after adding 1 to the product with 149 or 109 or 433
etc.

Thus Fermat asked for solutions of equations such as $Na^2 + 1 = b^2$ for positive
nonsquare integers N, in particular for the values N = 149, 109, and 433. Brouncker
and Wallis solved these equations in rational numbers,⁴ and Fermat remarked that he
hardly would have posed a problem that any “three-day-arithmetician” could have
solved. Brouncker then succeeded in solving Fermat’s equation for any given value,
but Fermat complained that Brouncker had not shown that his method would always
work and claimed that such a proof is possible using his method of infinite descent.
Whether Fermat himself had such a proof is an open question.
Long before Fermat, Indian mathematicians such as Brahmagupta (ca. 598–670)
and Bhaskara II (1114–1185) had developed a method for solving the Diophantine
equation Nx 2 + 1 = y 2 ; this became known in Europe only rather late and did not
have, as far as we know, any influence on the development of number theory in the
West.5
Leonhard Euler later studied the equation $Na^2 + 1 = b^2$ in several articles,
and Joseph-Louis Lagrange succeeded in proving the solvability in integers. His
first proof, which already used what later became known as Dirichlet’s pigeonhole
principle, was streamlined and generalized by Dirichlet: In his unit theorem, he
proved the existence of nontrivial units in all number fields except Q and complex
quadratic number fields.

³ Strictly speaking, the investigation of Platon’s side and diagonal numbers by Theon may be seen
as the only serious investigation of a Pell equation in ancient Greece. Equations of Pell type also
figure prominently in the Cattle Problem of Archimedes; it is not known, however, whether there
were any attempts at solving this problem before it was discovered by Lessing in 1773.
⁴ We have derived the rational parametrization of Pell conics in Theorem 3.1.
⁵ An excellent account of Indian mathematics was given by Kim Plofker [104]. For an investigation
of the Indian method of solving the equation $Nx^2 + 1 = y^2$, see [114].

Below we will prove the solvability of the Pell equation $x^2 - my^2 = 1$ for
all natural numbers m that are not squares. The essential idea behind this proof is
due to Lagrange, who derived the necessary lemmas from the theory of continued
fractions. Dirichlet later replaced Lagrange’s arguments by repeated applications of
his pigeonhole principle, which simplified the proof considerably. The proof is more
or less by descent: From the solvability of an equation $x^2 - my^2 = c$ for some value
of c > 1, we will deduce the solvability of $x^2 - my^2 = c'$ for some $c' < c$. In order
to make this argument work, we will have to exploit the fact that these equations
$x^2 - my^2 = c$ have infinitely many solutions.
Dirichlet’s pigeonhole principle⁶ may be stated as follows:
If N + 1 pearls are put into N pigeonholes, then there must be a pigeonhole containing at
least two pearls.

For finding solutions of equations such as $x^2 - my^2 = c$, we observe that if m
is large and c is small, then $x^2 \approx my^2$ implies that $\frac{x}{y}$ is an approximation of $\sqrt{m}$.
In order to find such approximations, one may use, as Lagrange did, the theory of
continued fractions; if we are content with proving the existence of solutions, we
may use Dirichlet’s pigeonhole principle.
Theorem 7.2 The equation $x^2 - my^2 = 1$ is solvable in nonzero integers x, y
whenever m > 0 is not a square.

We begin with the following lemma.


Lemma 7.3 If $\xi_1$ and $\xi_2$ are two nonzero real numbers such that $\xi_1/\xi_2$ is irrational,
then for any N ∈ N there exist integers A, B ∈ Z, which are not both 0 and satisfy
the following inequalities:

$$|A\xi_1 + B\xi_2| \le \frac{1}{N}(|\xi_1| + |\xi_2|), \quad |A| \le N, \quad |B| \le N. \tag{7.1}$$

Proof We assume that $\xi_1$ and $\xi_2$ are both positive (otherwise we just have to change
the signs of a and b in the proof below). The irrationality of $\xi_1/\xi_2$ implies that the
function

$$f : \mathbb{Z} \times \mathbb{Z} \to \mathbb{R} : (a, b) \mapsto a\xi_1 + b\xi_2 \tag{7.2}$$

is injective (see Exercise 7.7.17).

There are $(N + 1)^2$ pairs of integers (a, b) ∈ [0, N] × [0, N], and for these we
have $0 \le f(a, b) \le N(|\xi_1| + |\xi_2|)$. If we divide the interval $[0, N(|\xi_1| + |\xi_2|)]$
into $N^2$ subintervals of equal length $\frac{1}{N}(|\xi_1| + |\xi_2|)$, then since $(N + 1)^2 > N^2$
there must exist, according to Dirichlet’s pigeonhole principle, at least two pairs
$(a, b) \ne (a', b')$ with $|f(a, b) - f(a', b')| \le \frac{1}{N}(|\xi_1| + |\xi_2|)$. Now we set $A = a - a'$
and $B = b - b'$; these integers have the desired properties.

⁶ It seems that this principle was given a name rather late (in the twentieth century?); a pigeonhole
is a drawer, so the last thing you would like to put there are pigeons.

Corollary 7.4 Assume that m ∈ N is not a square. Then there exists an integer c
such that the equation $A^2 - mB^2 = c$ has infinitely many solutions (A, B) ∈ Z × Z.

Proof By the preceding lemma, there exist numbers A, B ∈ Z, not both 0, that
satisfy the inequalities

$$|A - B\sqrt{m}\,| \le \frac{1}{N}(1 + \sqrt{m}\,), \quad |A| \le N, \quad |B| \le N. \tag{7.3}$$

The triangle inequality shows that

$$|A + B\sqrt{m}\,| \le |A| + |B\sqrt{m}\,| \le (1 + \sqrt{m}\,) \cdot N, \tag{7.4}$$

and multiplying (7.3) and (7.4) yields

$$|A^2 - mB^2| \le (1 + \sqrt{m}\,)^2. \tag{7.5}$$

Now let N → ∞; then infinitely many distinct pairs (A, B) must occur, since if
we had only finitely many, then the set $\{|A - B\sqrt{m}\,| : A, B \in \mathbb{Z}\}$ would possess a
minimum, which is impossible because of (7.3).
Since $|A^2 - mB^2|$ is bounded from above by (7.3), there must exist an integer c
with $|c| \le (1 + \sqrt{m}\,)^2$ for which $A^2 - mB^2 = c$ has infinitely many solutions in
integers.

Now we can prove Theorem 7.2. According to Corollary 7.4, there exists an
integer $c \ne 0$ such that there are infinitely many pairs (A, B) with $A^2 - mB^2 = c$;
here we may clearly assume that A > 0. Among these infinitely many solutions, we
choose $(c + 1)^2$ solutions and consider the residue classes of A and B modulo c;
by Dirichlet’s pigeonhole principle, there must exist pairs $(A_1, B_1) \ne (A_2, B_2)$ with
$A_1 \equiv A_2 \bmod c$ and $B_1 \equiv B_2 \bmod c$. The elements $\eta_j = A_j + B_j\sqrt{m}$ then have the
same norms $N\eta_1 = N\eta_2 = c$ and satisfy the congruence $\eta_1 \equiv \eta_2 \bmod c$. It follows
from $N(\eta_1/\eta_2) = 1$ that $\eta_1/\eta_2$ is a unit if we can show that this is an algebraic
integer. To this end, observe that $\eta_1/\eta_2 = 1 + (\eta_1 - \eta_2)/\eta_2 = 1 + (\eta_1 - \eta_2)\eta_2'/c$.
Since the difference $\eta_1 - \eta_2$ is divisible by c by construction, $\eta_1/\eta_2$ is indeed an
algebraic integer and thus a unit.
It remains to show that $\eta_1/\eta_2 \ne \pm 1$ is a nontrivial unit. But $\eta_1/\eta_2 \ne 1$ follows
from $\eta_1 \ne \eta_2$, and $\eta_1/\eta_2 \ne -1$ follows from the fact that $A_1$ and $A_2$ are both
positive. This concludes the proof of Theorem 7.2.
We now know that there exist nontrivial units in each real quadratic number field.
In fact, it is possible to determine the abstract structure of the unit group: For real
quadratic number fields k, we have $O_k^\times \simeq (\mathbb{Z}/2\mathbb{Z}) \times \mathbb{Z}$. As we will show in a
moment, each unit $\eta \in O_k^\times$ can be written in the form $\eta = (-1)^s \varepsilon^t$ for some
“fundamental unit” ε, and then the map $\lambda : E_k \to (\mathbb{Z}/2\mathbb{Z}) \times \mathbb{Z}$ defined by λ(η) =
(s, t) provides us with an isomorphism of abelian groups. This is the content of our
next theorem.

Theorem 7.5 If k is a real quadratic number field, then there is a unit $\varepsilon \in O_k^\times$ with
the property that every unit $\eta \in O_k^\times$ can be written uniquely in the form $\eta = \pm\varepsilon^t$
for some t ∈ Z. In particular,

$$O_k^\times \simeq \mathbb{Z}/2\mathbb{Z} \oplus \mathbb{Z}.$$

We immediately see that if ε has the property in Theorem 7.5, then so do the
units $\pm\varepsilon^{\pm 1}$. Among these four units, there are two that are positive, and among
these exactly one is > 1. This unit ε > 1 will be called the fundamental unit of k.

Proof We identify the numbers $a + b\sqrt{m}$ with those real numbers that correspond
to the positive square root of m. The only units $\eta \in O_k^\times$ with |η| = 1 then are
η = ±1, which follows from irrationality of $\sqrt{m}$.
We claim that among the units with |η| > 1, there is one with minimal absolute
value. Otherwise there would exist a unit (in fact, infinitely many) with $1 < |\eta| < \frac{5}{4}$
(just pick two units that are sufficiently close to the infimum of the absolute values
and consider their quotient). Since $|\eta\eta'| = 1$, this implies $\frac{4}{5} < |\eta'| < 1$. If we write
$\eta = a + b\sqrt{m}$ (where 2a, 2b ∈ Z), then $2|a| = |\eta + \eta'| \le |\eta| + |\eta'| < \frac{9}{4}$, and
hence |a| ≤ 1. Since a = 0 is not possible, we must have a = ±1. Then it follows
immediately from $1 < |\eta| < \frac{5}{4}$ that b = 0, and hence η = 1 in contradiction to our
assumption.
Let ε be a unit with minimal absolute value > 1. We claim that ε has the
properties listed in Theorem 7.5. Otherwise there would exist a unit η with
$\varepsilon^n < |\eta| < \varepsilon^{n+1}$ for some n ∈ N (the proof is similar to that of Theorem 2.6). But
then $\eta\varepsilon^{-n}$ is a unit whose absolute value lies strictly between 1 and |ε|, and this
contradicts the choice of ε.
Uniqueness is clear: $\pm\varepsilon^t = \pm\varepsilon^u$ implies $|\varepsilon^{t-u}| = 1$, which in turn implies t = u
since ε is irrational. But then the signs must also coincide.

Remark The proof of the solvability of the Pell equation $t^2 - mu^2 = 1$ given here
does not provide us with a method of computing the fundamental unit, except for
very small values of m. For example, $\varepsilon = 48842 + 5967\sqrt{67}$ is the fundamental unit
of $\mathbb{Q}(\sqrt{67}\,)$, and this solution is hard to find by solving the Pell equation by brute
force (i.e., looking for an integer u = 1, 2, 3, . . . such that $mu^2 + 1 = t^2$ is a square).
A much better way of computing the fundamental unit of quadratic number fields
with modest discriminants is based on the theory of continued fractions. For number
fields of higher degree, the computation of the unit group becomes time consuming
with growing degree and discriminant even when using the best algorithms that are
known today.⁷

⁷ Good sources for the state of the art are [20, 91], and, in particular, [66].

7.1.1 The Negative Pell Equation

The equation $t^2 - mu^2 = -1$ is called the negative Pell equation or sometimes the
anti-Pell equation. In this section we will show how to derive solvability conditions
for the negative Pell equation from the solvability of the usual Pell equation.
We begin by considering the equation $t^2 - pu^2 = 1$ for prime values of p. We
can write this equation in the form

$$pu^2 = t^2 - 1 = (t - 1)(t + 1).$$

The greatest common divisor of t + 1 and t − 1 divides their difference 2, and hence
one of the following four possibilities must occur:

$$\begin{aligned}
t + 1 &= a^2, & t - 1 &= pb^2, \\
t + 1 &= pb^2, & t - 1 &= a^2, \\
t + 1 &= 2a^2, & t - 1 &= 2pb^2, \\
t + 1 &= 2pb^2, & t - 1 &= 2a^2.
\end{aligned}$$

We choose the integers a and b positive. Subtracting the right equation from the left,
we find that at least one of the following four equations must be solvable in integers:

$$a^2 - pb^2 = 2; \quad a^2 - pb^2 = -2; \quad a^2 - pb^2 = 1; \quad a^2 - pb^2 = -1.$$

If we assume that (t, u) is the smallest positive solution of the Pell equation, then
we can exclude the equation $a^2 - pb^2 = 1$ since $t + 1 = 2a^2$ implies that a < t.
A necessary condition for the equation $a^2 - pb^2 = 2$ to be solvable is that
p ≡ ±1 mod 8. Similar considerations yield the following table:

$$\begin{array}{l|ccc}
 & p \equiv 3 \bmod 8 & p \equiv 5 \bmod 8 & p \equiv 7 \bmod 8 \\ \hline
a^2 - pb^2 = +2 & \text{x} & \text{x} & \\
a^2 - pb^2 = -2 & & \text{x} & \text{x} \\
a^2 - pb^2 = -1 & \text{x} & & \text{x}
\end{array}$$

Here “x” represents the unsolvability of the corresponding equation.

If p ≡ 1 mod 8, it follows from $t^2 - pu^2 = 1$ that t must be odd and thus
gcd(t − 1, t + 1) = 2. Therefore the first three cases are impossible, and we end up
with the equation $a^2 - pb^2 = -1$.
Since, as we have seen, one of the three equations must be solvable, we obtain
the following:

Proposition 7.6 The solvability of $t^2 - pu^2 = 1$ for odd prime numbers p implies
the solvability of

$$\begin{aligned}
a^2 - pb^2 &= -1 && \text{for } p \equiv 1 \bmod 4, \\
a^2 - pb^2 &= -2 && \text{for } p \equiv 3 \bmod 8, \\
a^2 - pb^2 &= +2 && \text{for } p \equiv 7 \bmod 8.
\end{aligned}$$

Even if the equation $a^2 - pb^2 = \pm 2$ for some prime p ≡ 1 mod 8 is not solvable
in integers, the ring of integers in $k = \mathbb{Q}(\sqrt{p}\,)$ might contain elements of norm ±2,
as the example $N(\frac{5+\sqrt{17}}{2}) = 2$ shows.
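The factorization argument behind Proposition 7.6 is constructive, and the following Python sketch (an added example, not code from the book) carries it out: it finds the minimal solution (t, u) of $t^2 - pu^2 = 1$ by brute force, splits (t − 1)(t + 1) as in the four cases above, and returns the resulting a, b and the value $c = a^2 - pb^2$. The function names and the search limit are assumptions made for this illustration; brute force is only practical for small p.

```python
from math import isqrt


def is_square(n):
    """True if the non-negative integer n is a perfect square."""
    r = isqrt(n)
    return r * r == n


def minimal_pell(p, limit=10**5):
    """Smallest positive (t, u) with t^2 - p*u^2 = 1, found by trying u = 1, 2, ..."""
    for u in range(1, limit):
        t2 = p * u * u + 1
        if is_square(t2):
            return isqrt(t2), u
    raise ValueError("no solution with u below the search limit")


def descend(p):
    """Return (a, b, c) with a^2 - p*b^2 = c obtained from the minimal Pell solution.

    p is an odd prime. With g = gcd(t - 1, t + 1), the coprime numbers
    (t + 1)/g and (t - 1)/g multiply to p times a square, so one of them
    is a square a^2 and the other is p*b^2.
    """
    t, _ = minimal_pell(p)
    g = 2 if t % 2 else 1
    hi, lo = (t + 1) // g, (t - 1) // g
    # sign = +1: t + 1 = g*a^2 and t - 1 = g*p*b^2, so a^2 - p*b^2 = 2/g
    # sign = -1: t - 1 = g*a^2 and t + 1 = g*p*b^2, so a^2 - p*b^2 = -2/g
    for square_part, p_part, sign in ((hi, lo, +1), (lo, hi, -1)):
        if is_square(square_part) and p_part % p == 0 and is_square(p_part // p):
            a, b = isqrt(square_part), isqrt(p_part // p)
            return a, b, sign * (2 // g)
    raise AssertionError("the four cases are exhaustive for a prime p")


if __name__ == "__main__":
    for p in (3, 5, 7, 13, 17, 19, 23):
        print(p, minimal_pell(p), descend(p))
```

For p = 13 the minimal solution (649, 180) yields (a, b, c) = (18, 5, −1), the solution of the negative Pell equation quoted at the start of the chapter.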

7.2 Which Numbers Are Norms?

The only method we know so far for showing the unsolvability of the norm equation
$x^2 - my^2 = c$ for given values of m ∈ N and c ∈ Z is reducing the equation modulo
n for some choice of n, where n in general is a divisor of m or c, and showing
that the congruence does not have a solution. For example, $x^2 - 10y^2 = \pm 2$ is not
solvable in integers since the congruence $x^2 \equiv \pm 2 \bmod 5$ does not have solutions.
This method does not work in the case of the equation $x^2 - 79y^2 = \pm 3$, the reason
being that $x^2 - 79y^2 = -3$ has the rational solution $x = \frac{2}{5}$, $y = \frac{1}{5}$; in particular,
this equation is solvable modulo each modulus coprime to 5. Similarly, the solutions
$x = \frac{13}{7}$ and $y = \frac{2}{7}$ show that the congruence is solvable for each modulus coprime
to 7. This implies by the Chinese remainder theorem that $x^2 - 79y^2 \equiv -3 \bmod m$
is solvable for each nonzero modulus m ∈ Z.
Remark Hasse’s Local–Global Principle for quadratic forms implies that equations
such as $x^2 - my^2 = c$ have rational solutions if and only if the congruence
$x^2 - my^2 \equiv c \bmod N$ is solvable for each modulus N. The example above implies that
there is no similar Local–Global Principle for integral solutions of such equations.
For cubic equations such as $y^2 = x^3 - m$ even the Local–Global Principle for
rational solutions does not hold. In the case of integral solutions of $x^2 - my^2 = c$,
the class group Cl(k) of $k = \mathbb{Q}(\sqrt{m}\,)$ is a measure for the obstruction to the Local–
Global Principle in the sense that if the class group of k is trivial, the equation
$x^2 - my^2 = c$ is solvable in integers if and only if the congruence $x^2 - my^2 \equiv c \bmod N$
is solvable for each modulus N. In the case of elliptic curves, there is a similar
group called the Tate–Shafarevich group. Understanding the failure of Local–Global
principles is a central area of research in modern number theory.
In order to show that $x^2 - 79y^2 = -3$ does not have integral solutions, we have
to employ a different technique. Let us consider an arbitrary real quadratic number
field $k = \mathbb{Q}(\sqrt{m}\,)$, and let $\varepsilon = t + u\sqrt{m} > 1$ be the fundamental unit (we allow t and
u to be half-integers). Assume moreover that $\alpha \in O_k$ is a solution of the equation
$|N\alpha| = c$. The basic idea is to choose the exponent n in $\beta = \alpha\varepsilon^n$ in such a way that
the coefficients of β with respect to the basis $\{1, \sqrt{m}\,\}$ become as small as possible.
It is clear from geometric considerations that there exists an exponent n ∈ Z such
that

$$1 \le |\varepsilon^n \alpha| < \varepsilon.$$

If we set $\beta = \varepsilon^n \alpha$ and write $\beta = a + b\sqrt{m}$ (again a and b are allowed to be
half-integers), then

$$|\beta'| = \frac{|\beta\beta'|}{|\beta|} = \frac{c}{|\beta|},$$

and we obtain the bounds

$$\frac{c}{\varepsilon} < |\beta'| \le c.$$

The triangle inequality now yields

$$\begin{aligned}
|2a| &= |\beta + \beta'| \le |\beta| + |\beta'| < \varepsilon + c, \\
|2b|\sqrt{m} &= |\beta - \beta'| \le |\beta| + |\beta'| < \varepsilon + c.
\end{aligned} \tag{7.6}$$

This immediately yields bounds for a and b, and now the problem can be solved in
finitely many steps by simply checking the possible values of a and b one by one.
Before we do this in our example, we will improve the bounds on a and b.
To this end, we set $\beta = \varepsilon^n \alpha$ and choose the exponent n ∈ Z in such a way that

$$\frac{\sqrt{c}}{\sqrt{\varepsilon}} \le |\beta| < \sqrt{c\varepsilon}.$$

As above, this implies the bounds

$$|\beta| < \sqrt{c\varepsilon} \quad\text{and}\quad |\beta'| \le \sqrt{c\varepsilon},$$

and now we obtain $|2a| < 2\sqrt{c\varepsilon}$, which is a lot better than $|2a| < \varepsilon + c$.
As a matter of fact these bounds may be improved again by using the following
lemma:

Lemma 7.7 If x, y ∈ R satisfy the inequalities 0 < x ≤ r, 0 < y ≤ r, and
0 < xy ≤ s, then $x + y \le r + \frac{s}{r}$.

This claim follows from the observation
$0 < (r - x)(r - y) = r^2 - r(x + y) + xy \le r^2 + s - r(x + y)$.

In our case, we have $r = \sqrt{c\varepsilon}$ and s = c; thus $|\beta + \beta'| \le \sqrt{c}\,\bigl(\sqrt{\varepsilon} + \frac{1}{\sqrt{\varepsilon}}\bigr)$.
Since $\frac{1}{\sqrt{\varepsilon}} < 1$, this bound improves the previous one by a factor of about 2. We
have proved the following:
Theorem 7.8 Let k be a quadratic number field with a unit ε > 1; then for each
$\alpha \in O_k$ with norm $|N\alpha| = c$, there exists an associate $\beta = a + b\sqrt{m}$ (with integers
or half-integers a, b) such that

$$|a| \le \frac{1}{2}\sqrt{c}\,\Bigl(\sqrt{\varepsilon} + \frac{1}{\sqrt{\varepsilon}}\Bigr) \quad\text{and}\quad |b| \le \frac{1}{2\sqrt{m}}\sqrt{c}\,\Bigl(\sqrt{\varepsilon} + \frac{1}{\sqrt{\varepsilon}}\Bigr). \tag{7.7}$$

If there is an element $\alpha \in \mathbb{Z}[\sqrt{79}\,]$ with norm ±3, then (set m = 79,
$\varepsilon = 80 + 9\sqrt{79}$, and c = 3) there is an element $a + b\sqrt{79}$ with norm ±3 such that
|b| < 1.25. Thus it is sufficient to consider b = 1, but the equation $a^2 - 79 \cdot 1^2 = \pm 3$
is not solvable in integers since 79 ± 3 is not a square. Thus $\mathbb{Z}[\sqrt{79}\,]$ does not
contain an element with norm ±3, and hence 3 is irreducible, but not prime since
$3 \mid (2 - \sqrt{79}\,)(2 + \sqrt{79}\,)$.
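The finite search that Theorem 7.8 makes possible can be written out as follows; this Python sketch is an added example, not code from the book. It assumes the order $\mathbb{Z}[\sqrt{m}\,]$ with integer coefficients, as in the application to $\mathbb{Z}[\sqrt{79}\,]$ above, and takes the unit ε as a pair (x, y); the function names are chosen here for illustration.

```python
from math import isqrt, sqrt


def chebyshev_bounds(m, unit, c):
    """Bounds (7.7) on |a| and |b| for an element a + b*sqrt(m) of norm +-c.

    unit = (x, y) encodes a unit eps = x + y*sqrt(m) > 1 of Z[sqrt(m)].
    """
    x, y = unit
    if x <= 0 or y <= 0 or abs(x * x - m * y * y) != 1:
        raise ValueError("unit must satisfy x^2 - m*y^2 = +-1 with x, y > 0")
    eps = x + y * sqrt(m)
    s = sqrt(c) * (sqrt(eps) + 1 / sqrt(eps))
    return s / 2, s / (2 * sqrt(m))


def elements_of_norm(m, unit, c):
    """All (a, b, n) with a, b >= 0 inside the bounds (7.7) and n = a^2 - m*b^2 = +-c.

    By Theorem 7.8, an empty result means that Z[sqrt(m)] contains no
    element of norm +-c at all.
    """
    bound_a, bound_b = chebyshev_bounds(m, unit, c)
    slack = 1e-9  # guards against a bound that is an exact integer in theory
    found = []
    for b in range(int(bound_b + slack) + 1):
        for n in (c, -c):
            a_squared = m * b * b + n
            if a_squared < 0:
                continue
            a = isqrt(a_squared)
            if a * a == a_squared and a <= bound_a + slack:
                found.append((a, b, n))
    return found


if __name__ == "__main__":
    # The text's example: m = 79, eps = 80 + 9*sqrt(79), c = 3.
    print(chebyshev_bounds(79, (80, 9), 3))   # the second bound is below 1.25
    print(elements_of_norm(79, (80, 9), 3))   # no element of norm +-3
    # 3 is nevertheless not prime: it divides (2 - sqrt(79))(2 + sqrt(79)) = -75.
    print((2 * 2 - 79) % 3 == 0)
    # For comparison, Z[sqrt(11)] with eps = 10 + 3*sqrt(11) and c = 5.
    print(elements_of_norm(11, (10, 3), 5))
```

The floating-point bounds only limit the range of b; the test for a solution is done in exact integer arithmetic.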
Remark Theorem 7.8 goes back to Pafnuty Chebyshev [18]; the corresponding
result in general number fields but with weaker bounds had been obtained before
by Dirichlet [30]. Chebyshev is best known for his contributions to the proof of
the prime number theorem. This theorem states that the number π(x) of all prime
numbers ≤ x is asymptotically equal to $\pi(x) \sim \frac{x}{\log x}$ in the sense that the quotient
of these functions has limit 1 as x → ∞; here log x denotes the natural logarithm.
Chebyshev proved that if the limit of $\frac{\pi(x)}{x/\log x}$ for x → ∞ exists, then it must be equal
to 1. The existence of this limit and thus the prime number theorem was established
independently in 1896 by Jacques Hadamard and Charles-Jean de la Vallée-Poussin.

7.2.1 Davenport’s Lemma

Using Theorem 7.8, it is easy to prove a result going back to Harold Davenport:

Proposition 7.9 Let m, n, and t be natural numbers with $m = t^2 + 1$; if the
Diophantine equation $x^2 - my^2 = \pm n$ has integral solutions with n < 2t, then
$x + y\sqrt{m}$ is associated with a rational integer a and $n = a^2$ is a perfect square.
This result tells us that the only norms less than 2t in absolute value are the
obvious ones, namely elements associated with rational integers a, which have
norms $\pm a^2$. The norms of all other elements have absolute value ≥ 2t.

For a proof, set $\xi = x + y\sqrt{m}$; we will show that if $|N\xi| = n$ is not a square,
then n ≥ 2t. Assume therefore that n < 2t; since $\varepsilon = t + \sqrt{m} > 1$ is a unit in
$\mathbb{Z}[\sqrt{m}\,]$, we can find a power η of ε for which $\xi\eta = a + b\sqrt{m}$ has coefficients a and
b that satisfy the bounds from Theorem 7.8. Because of $2t < \varepsilon < 2\sqrt{m}$, we find

$$|b| \le \frac{\sqrt{n}}{2\sqrt{m}}\Bigl(\sqrt{\varepsilon} + \frac{1}{\sqrt{\varepsilon}}\Bigr) < 1 + \frac{1}{t}.$$

Since the claim is trivial for t = 1, we may assume that t ≥ 2, and then the last
inequality gives |b| ≤ 1. If b = 0, then $(x + y\sqrt{m}\,)\eta = a$ is associated with a
rational integer, and $|N\xi| = a^2$ is a square. If b = ±1, then $\alpha = \xi\eta = a \pm \sqrt{m}$.
Now $|N\xi| = |N\alpha| = |a^2 - m|$ is minimal for values of a close to $\sqrt{m}$, and we find

$$n = |a^2 - m| = \begin{cases} 2t & \text{if } a = t \pm 1; \\ 1 & \text{if } a = t. \end{cases}$$

Thus either n = 1 (which we have excluded) or n ≥ 2t. This proves our claims.
Proposition 7.9 was used by Ankeny, Chowla, and Hasse [2] for constructing
quadratic number fields with nontrivial class groups.

Proposition 7.10 The quadratic number field $k = \mathbb{Q}(\sqrt{m}\,)$ with $m = t^2 + 1$ and
t = 2lq, where q is prime and l > 1, has class number > 1.
Since m ≡ 1 mod q, the prime q splits in k, and we have $(q) = \mathfrak{q}\mathfrak{q}'$. If $\mathfrak{q}$ is
principal, then the equation $x^2 - my^2 = \pm 4q$ has integral solutions. But since
4q < 2t = 4lq is not a square, this contradicts Proposition 7.9.
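Examples In the following examples, $m = t^2 + 1$ is prime. The ambiguous class
number formula (see Chap. 9) will explain why the class number h is odd in this
case.

$$\begin{array}{cccc|cccc}
q & l & t^2 + 1 & h & q & l & t^2 + 1 & h \\ \hline
3 & 4 & 577 & 7 & 5 & 2 & 401 & 5 \\
 & 6 & 1297 & 11 & & 4 & 1601 & 7 \\
 & 9 & 2917 & 3 & & 9 & 8101 & 13 \\
 & 11 & 4357 & 5 & & 11 & 12101 & 5 \\
 & 14 & 7057 & 21 & & 12 & 14401 & 43
\end{array}$$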

The following result⁸ shows that even a simple result such as Proposition 7.9
allows us to deduce astonishingly simple lower bounds for class numbers of fields
of Richaud–Degert type.

⁸ This theorem is due to Halter-Koch [48] and the proof presented here to Mollin [95].

Theorem 7.11 Let t be an odd integer with prime factorization $t = p_1^{e_1} \cdots p_s^{e_s}$ and
set $m = t^2 + 1$, and assume that m is squarefree. Then the class number
h of $\mathbb{Z}[\sqrt{m}\,]$ satisfies $h \ge S = 2\tau(n) - 2$, where

$$\tau(n) = (e_1 + 1)(e_2 + 1) \cdots (e_s + 1)$$

denotes the number of all divisors of n.

If $t = q^e$ is a prime power, then the class number is divisible by S.

Proof For each prime $p_1 \mid m$, we have $(m/p_j) = +1$, and hence $p_j$ splits in
$\mathbb{Z}[\sqrt{m}\,]$ as $(p_j) = \mathfrak{p}_j \mathfrak{p}_j'$, where $\mathfrak{p}_j = (p_j, 1 + \sqrt{m}\,)$. Let $\mathfrak{p}_0 = (2, \sqrt{m}\,)$ denote the
prime ideal above 2 and set $e_1 = 1$. We now consider the ideals $\mathfrak{a} = \mathfrak{p}_0^{a_0} \mathfrak{p}_1^{a_1} \cdots \mathfrak{p}_s^{a_s}$
with $0 \le a_j \le e_j$; clearly there are $(e_0 + 1)(e_1 + 1) \cdots (e_s + 1)$ such ideals;
since $(e_0 + 1)(e_1 + 1) \cdots (e_s + 1) = \tau(n)$ is the number of divisors of n and since
$e_0 + 1 = 2$, the number of ideals is 2τ(n).
The class number bound will follow if we can show that only two among these
ideals $\mathfrak{a}$ can be principal:
• the unit ideal $\mathfrak{a} = \mathfrak{p}_0^0 \mathfrak{p}_1^0 \cdots \mathfrak{p}_s^0 = (1)$;
• the ideal $\mathfrak{a} = \mathfrak{p}_0 \mathfrak{p}_1^{e_1} \cdots \mathfrak{p}_s^{e_s}$ with norm 2t.
In fact, if $\mathfrak{a} = \mathfrak{p}_0^{a_0} \mathfrak{p}_1^{a_1} \cdots \mathfrak{p}_s^{a_s} = (x + y\sqrt{m}\,)$ is principal, then
$|x^2 - my^2| = N\mathfrak{a} \le N(\mathfrak{p}_0 \mathfrak{p}_1^{e_1} \cdots \mathfrak{p}_s^{e_s}) = 2t$. If $\mathfrak{a}$ is not one of the two ideals with norm 1 or 2t, then
$1 < |x^2 - my^2| < 2t$; but then y = 0 and $\mathfrak{a} = (x)$ for some rational integer x. Now
$\mathfrak{a} = \mathfrak{a}^\sigma$ for the nontrivial automorphism of k/Q implies $a_1 = \ldots = a_s = 0$, and
hence $\mathfrak{a} = \mathfrak{p}_0$; but the prime ideal above 2 is not principal.
For proving the last claim, assume that $t = q^e$ for an odd prime number q. The
relation $\mathfrak{p}_0 \mathfrak{q}^e = (t + 1 + \sqrt{m}\,)$, together with the fact that no ideal of the form $2\mathfrak{q}^j$
with 0 ≤ j < e is principal, implies that the ideal class of $\mathfrak{q}$ has order 2e; thus we
obtain the lower bound 2e | h, where 2e = 2τ(t) − 2.

The following table compares the lower bound S in Theorem 7.11 with the class
number h for a few small values of m:

   t     m    S    h       t     m    S    h       t     m    S    h
   3    10    2    2      21   442    6    8      37  1370    2    4
   5    26    2    2      23   530    2    4      39  1522    6   12
   9    82    4    4      25   626    4    4      45  2026   10   14
  11   122    2    2      27   730    6   12      47  2210    2    8
  13   170    2    4      29   842    2    6      49  2402    4    8
  15   226    6    8      31   962    2    4      51  2602    6   10
  17   290    2    4      33  1090    6   12      53  2810    2    8
  19   362    2    2      35  1226    6   10      55  3026    6   16

7.3 Computing the Solution of the Pell Equation



The computation of the units in a real quadratic number field $\mathbb{Q}(\sqrt{m})$, that is, solving the corresponding Pell equation $x^2 - my^2 = \pm 1$, is usually a quite difficult problem.
The basic idea behind the computation of the fundamental unit of a quadratic number field that we will present here is, as in the proof of the solvability of the Pell equation, the construction of sufficiently many elements of small norm. If we have many such elements, then we will look for elements $\alpha$ and $\beta$ that not only have the same norm but also generate the same principal ideal. In this case, the quotient $\alpha/\beta$ will be a (possibly trivial) unit.
In order to convey the main idea, we consider the ring $\mathbb{Z}[\sqrt{11}]$. We look for solutions of the equation $x^2 - 11y^2 = n$ for small values of $n$. If we pick $y = 1$, the expression $x^2 - 11y^2$ will be small if $x \approx \sqrt{11}$, that is, for $x = 3$ and $x = 4$. Thus

$$3^2 - 11 = -2,$$
$$4^2 - 11 = +5.$$

For $y = 2$, we choose $x \approx 2\sqrt{11}$, and we find

$$6^2 - 11 \cdot 2^2 = -8,$$
$$7^2 - 11 \cdot 2^2 = +5.$$

Thus we already have found elements $4 \pm \sqrt{11}$ and $7 \pm 2\sqrt{11}$ with the same norm 5.
Which of these generate the same ideal? One possibility of finding the right choice of signs is simply computing the quotients:

$$\frac{7 + 2\sqrt{11}}{4 + \sqrt{11}} = \frac{(7 + 2\sqrt{11})(4 - \sqrt{11})}{(4 + \sqrt{11})(4 - \sqrt{11})} = \frac{6 + \sqrt{11}}{5},$$

which is not an algebraic integer; thus $7 + 2\sqrt{11}$ and $4 + \sqrt{11}$ generate distinct prime ideals above 5. On the other hand,

$$\frac{7 + 2\sqrt{11}}{4 - \sqrt{11}} = \frac{(7 + 2\sqrt{11})(4 + \sqrt{11})}{(4 + \sqrt{11})(4 - \sqrt{11})} = \frac{50 + 15\sqrt{11}}{5} = 10 + 3\sqrt{11},$$

and we have found the nontrivial unit $\varepsilon = 10 + 3\sqrt{11}$.
Here is a more elegant way of verifying that $7 + 2\sqrt{11}$ and $4 - \sqrt{11}$ generate the same ideal: We know that these elements have norm 5, and hence they generate prime ideals above 5. There are only two such ideals, namely $\mathfrak{5}_1 = (5, 1 + \sqrt{11})$ and $\mathfrak{5}_2 = (5, 1 - \sqrt{11})$. Thus $\sqrt{11} \equiv -1 \bmod \mathfrak{5}_1$ and $\sqrt{11} \equiv +1 \bmod \mathfrak{5}_2$, hence

$$7 + 2\sqrt{11} \equiv 0 \bmod \mathfrak{5}_1, \qquad 7 + 2\sqrt{11} \equiv 4 \bmod \mathfrak{5}_2,$$
$$4 + \sqrt{11} \equiv 3 \bmod \mathfrak{5}_1, \qquad 4 + \sqrt{11} \equiv 0 \bmod \mathfrak{5}_2,$$

and this shows that $(7 + 2\sqrt{11}) = (4 - \sqrt{11}) = \mathfrak{5}_1$.
Another possibility of finding a nontrivial unit is based on the observation that $(2) = \mathfrak{2}^2$ is ramified in $K$. Since $3 + \sqrt{11}$ has norm $-2$, we must have $\mathfrak{2} = (3 + \sqrt{11})$, and then $(2) = \mathfrak{2}^2 = (3 + \sqrt{11})^2 = (20 + 6\sqrt{11})$ shows that $\frac{20 + 6\sqrt{11}}{2} = 10 + 3\sqrt{11}$ is a unit.
Now let us see how this method works for larger values of $m$, say for $m = 3431$. Again we begin by collecting elements with small norms:

$\alpha$           $N\alpha$                 $\alpha$           $N\alpha$
$55 + \sqrt{m}$    $-2 \cdot 7 \cdot 29$     $60 + \sqrt{m}$    $13^2$
$56 + \sqrt{m}$    $-5 \cdot 59$             $61 + \sqrt{m}$    $2 \cdot 5 \cdot 29$
$57 + \sqrt{m}$    $-2 \cdot 7 \cdot 13$     $62 + \sqrt{m}$    $7 \cdot 59$
$58 + \sqrt{m}$    $-67$                     $63 + \sqrt{m}$    $2 \cdot 269$
$59 + \sqrt{m}$    $2 \cdot 5^2$             $64 + \sqrt{m}$    $5 \cdot 7 \cdot 19$

We remark in passing that $60^2 - m = 13^2$ is a square; this implies that $m = 60^2 - 13^2 = (60 - 13)(60 + 13) = 47 \cdot 73$. Fermat’s method of factorization is based on this idea.
The fact that 3 does not occur among these prime factors is explained by the observation that there is not even an ideal with norm 3 in $\mathbb{Q}(\sqrt{m})$ since $(\frac{m}{3}) = -1$. For the same reason, the primes 11 and 17 do not show up as factors. Instead of waiting until elements with the same norm occur, we will use an idea that was already used by Fermat and his contemporaries in their search for numbers whose sums of divisors are squares or cubes. We factor the elements with small norm into primes. It is easy to write down a list of prime ideals with small norms; in our case, these are $\mathfrak{2} = (2, 1 + \sqrt{m})$, $\mathfrak{5}_1 = (5, 1 + \sqrt{m})$, $\mathfrak{5}_2 = (5, 1 - \sqrt{m})$, $\mathfrak{7}_1 = (7, 1 + \sqrt{m})$, and $\mathfrak{7}_2 = (7, 1 - \sqrt{m})$. Now we factor all elements with small norm that are only divisible by 2, 5, and 7:

$\alpha$           $\mathfrak{2}$   $\mathfrak{5}_1$   $\mathfrak{5}_2$   $\mathfrak{7}_1$   $\mathfrak{7}_2$
$1 + \sqrt{m}$     1     1     0     3     0
$1 - \sqrt{m}$     1     0     1     0     3
$41 + \sqrt{m}$    1     3     0     0     1
$41 - \sqrt{m}$    1     0     3     1     0
$59 + \sqrt{m}$    1     0     2     0     0
$59 - \sqrt{m}$    1     2     0     0     0

The first line in this table records the prime ideal decomposition

$$(1 + \sqrt{m}) = \mathfrak{2}^1 \cdot \mathfrak{5}_1^1 \cdot \mathfrak{7}_1^3.$$

If we look carefully at this table, then we can see that

$$(1 + \sqrt{m})(41 + \sqrt{m})^3 = \mathfrak{2}^4\, \mathfrak{5}_1^{10}\, \mathfrak{7}_1^3\, \mathfrak{7}_2^3.$$

Since $\mathfrak{2}^2 = (2)$ and $\mathfrak{7}_1 \mathfrak{7}_2 = (7)$, the element

$$\frac{(1 + \sqrt{m})(41 + \sqrt{m})^3}{2^2 \cdot 7^3} = 21549 + 364\sqrt{m}$$

has the prime ideal factorization $\mathfrak{5}_1^{10}$. But then $(59 - \sqrt{m})^5 = \mathfrak{2}^5\, \mathfrak{5}_1^{10}$ shows that

$$\alpha = \frac{(59 - \sqrt{m})^5}{21549 + 364\sqrt{m}} = 49316884 - 841948\sqrt{m}$$

is an algebraic integer with the factorization $\mathfrak{2}^5$. Since the ideal $\mathfrak{2}$ is ramified, the element $\varepsilon = 2^5/\alpha^2$ must be a unit, and we have

$$\varepsilon = 152009690466840 + 2595140740627\sqrt{m}.$$

Observe that this method gives us not only a nontrivial unit but also something called a “compact representation” of this unit:

$$\varepsilon = \frac{2(1 + \sqrt{m})^2 (41 + \sqrt{m})^6}{7^6 (59 - \sqrt{m})^{10}}.$$

Also observe that the prime ideal factorization in quadratic number fields is an essential component of this method of solving the completely elementary equation $x^2 - my^2 = 1$.
After having found a nontrivial unit $\varepsilon$, the question remains how we can check that this unit is fundamental. So far we only know that $\varepsilon = \pm\eta^n$ for some integer $n$, where $\eta$ is the fundamental unit. Since $\varepsilon > 1$, the positive sign must hold, and we have $n \ge 1$. Clearly, $\varepsilon$ is not a square as we can read off from its compact representation. Thus we only have to check whether $\varepsilon$ is an $n$-th power for the values $n = 3, 5, 7, \ldots$, and the first problem is bounding this exponent.

The following bound is simple and best possible:


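Lemma 7.12 Let $\eta > 1$ be the fundamental unit of a real quadratic number field with discriminant $d$. Then

$$\log \eta > \begin{cases} \log \sqrt{d}, & \text{if } N\varepsilon = +1, \\ \log(\sqrt{d} - 1), & \text{if } N\varepsilon = -1. \end{cases}$$

Proof Let $K = \mathbb{Q}(\sqrt{m})$ with $m \equiv 2, 3 \bmod 4$ and $N\varepsilon = +1$. Then the smallest possible value of $\varepsilon$ is $a + \sqrt{m}$ with $a \approx \sqrt{m}$. If $N\varepsilon = +1$, then $a > \sqrt{m}$, and this implies $\varepsilon > 2\sqrt{m} = \sqrt{d}$.
Observe that the family of quadratic number rings $\mathbb{Z}[\sqrt{m}]$ with $m = t^2 - 1$ has units $\varepsilon_m = t + \sqrt{m}$ for which $\varepsilon_m = \sqrt{m + 1} + \sqrt{m} > 2\sqrt{m} = \sqrt{d}$ is best possible since $\varepsilon_m - \sqrt{d} = \sqrt{m + 1} - \sqrt{m} = \frac{1}{\sqrt{m + 1} + \sqrt{m}} < \frac{1}{2\sqrt{m}}$.
The other cases are discussed similarly.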

In our case we have $m = 3431 = 47 \cdot 73$; since $m$ is divisible by the prime number $47 \equiv 3 \bmod 4$, we must have $N\varepsilon = +1$ and thus $\log \varepsilon \ge 4.763\ldots$, and hence $n = \log \varepsilon / \log \eta \le 33.3/4.763 = 6.991\ldots$. Therefore $n \le 6$, and since we already know that $\varepsilon$ is not a square, we must have $n \le 5$.
Thus it remains to show that $\varepsilon$ is not a cube or a fifth power. Perhaps the easiest way of doing this is finding a prime ideal $\mathfrak{p}$ modulo which $\varepsilon$ is not a cube or a fifth power.

• Since $\varepsilon \equiv 0 - 3\sqrt{m} \equiv 3 \bmod \mathfrak{5}_1$, the unit $\varepsilon$ is not a square; in fact, $(\frac{3}{5}) = -1$ implies that 3 is not a square modulo $\mathfrak{5}_1$.
• For showing that $\varepsilon$ is not a cube, we need to find a prime ideal $\mathfrak{p}$ with norm $N\mathfrak{p} \equiv 1 \bmod 3$. Now $\varepsilon \equiv 3 + \sqrt{m} \equiv 2 \bmod \mathfrak{7}_1$, and since 2 is not a cubic residue modulo 7 and $\mathcal{O}_K/\mathfrak{7}_1 \simeq \mathbb{Z}/7\mathbb{Z}$, the unit $\varepsilon$ is not a cubic residue modulo $\mathfrak{7}_1$. In particular, $\varepsilon$ is not a cube.
• Let $\mathfrak{q} = (61, 25 + \sqrt{m})$; then $\mathfrak{q}$ has norm $N\mathfrak{q} = 61$, and we have $\varepsilon \equiv 40 - 3\sqrt{m} \equiv 54 \bmod \mathfrak{q}$. Since 54 is not a fifth power modulo 61, the unit $\varepsilon$ cannot be a fifth power.
Instead of working with residue classes, we can compute with real numbers. To this end, we determine the real approximations

$$\varepsilon \approx 304\,019\,380\,933\,679.999\,999\,999\,999\,996\,711,$$
$$1/\varepsilon \approx 0.000\,000\,000\,000\,003\,289.$$

Now $\varepsilon + 1/\varepsilon$ is an integer; in fact, if we write $\varepsilon = a + b\sqrt{m}$, then $1/\varepsilon = a - b\sqrt{m} = \varepsilon'$ and thus $\varepsilon + \varepsilon' = 2a$. If $\varepsilon = \eta^5$ were a fifth power, then $\eta + 1/\eta = \eta + \eta'$ would be an integer. Since $\eta \approx 788.098052\ldots$ and $1/\eta \approx 0.001268877\ldots$, we have $\eta + 1/\eta \approx 788.0993\ldots$. Thus $\varepsilon$ is not a fifth power, and the cases $n = 2$ and $n = 3$ can be treated similarly.
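The computation for m = 3431 can be replayed in exact arithmetic. The following Python sketch is an added example, not code from the book; the names `Quad`, `ideal_exponents`, `unit_from_relations`, `unit_exponent_row` and `is_kth_power_mod_ideal` are hypothetical. It rebuilds rows of the exponent table, carries out the three divisions that lead to ε, and repeats the residue tests modulo (5, 1 + √m), (7, 1 + √m) and (61, 25 + √m).

```python
from fractions import Fraction

M = 3431  # the page's example, m = 47 * 73
# Prime ideals of small norm as pairs (p, r), meaning (p, r + sqrt(m)):
# modulo such an ideal, sqrt(m) is congruent to -r.  Order: 2, 5_1, 5_2, 7_1, 7_2.
IDEALS = [(2, 1), (5, 1), (5, -1), (7, 1), (7, -1)]


class Quad:
    """x + y*sqrt(M) with rational x, y, in exact arithmetic (hypothetical helper)."""

    def __init__(self, x, y=0):
        self.x, self.y = Fraction(x), Fraction(y)

    def __mul__(self, other):
        return Quad(self.x * other.x + M * self.y * other.y,
                    self.x * other.y + self.y * other.x)

    def __pow__(self, k):
        result = Quad(1)
        for _ in range(k):
            result = result * self
        return result

    def norm(self):
        return self.x ** 2 - M * self.y ** 2

    def __truediv__(self, other):
        # multiply by the conjugate of the denominator, then divide by its norm
        num = self * Quad(other.x, -other.y)
        return Quad(num.x / other.norm(), num.y / other.norm())

    def coords(self):
        if self.x.denominator != 1 or self.y.denominator != 1:
            raise ValueError("element is not in Z[sqrt(m)]")
        return int(self.x), int(self.y)


def ideal_exponents(a, s):
    """Row of the exponent table for a + s*sqrt(M), s = +1 or -1, or None if
    the norm a^2 - M is not a product of 2, 5 and 7 only."""
    n = abs(a * a - M)
    row = []
    for p, r in IDEALS:
        e = 0
        if (a - s * r) % p == 0:      # a + s*sqrt(m) vanishes modulo (p, r + sqrt(m))
            while n % p == 0:
                n //= p
                e += 1
        row.append(e)
    return row if n == 1 else None


def unit_from_relations():
    """Follow the page's three steps; returns (beta, alpha, epsilon) as integer pairs."""
    beta = Quad(1, 1) * Quad(41, 1) ** 3 / Quad(2 ** 2 * 7 ** 3)   # ideal 5_1^10
    alpha = Quad(59, -1) ** 5 / beta                                 # ideal 2^5
    eps = Quad(2 ** 5) / (alpha * alpha)                             # ideal (1)
    return beta.coords(), alpha.coords(), eps.coords()


def unit_exponent_row():
    """The same three steps on exponent rows; all zeros means a unit."""
    two, seven = [2, 0, 0, 0, 0], [0, 0, 0, 1, 1]   # (2) = 2^2, (7) = 7_1 * 7_2
    r1, r41 = ideal_exponents(1, 1), ideal_exponents(41, 1)
    r59 = ideal_exponents(59, -1)
    beta = [u + 3 * v - 2 * w - 3 * z for u, v, w, z in zip(r1, r41, two, seven)]
    alpha = [5 * u - v for u, v in zip(r59, beta)]
    return [5 * w - 2 * v for w, v in zip(two, alpha)]


def is_kth_power_mod_ideal(a, b, k, p, r):
    """Is a + b*sqrt(M) a k-th power modulo the prime ideal (p, r + sqrt(M))?
    Needs p prime, p = 1 mod k, r^2 = M mod p, and the element prime to p."""
    if (r * r - M) % p or (p - 1) % k:
        raise ValueError("bad ideal or exponent")
    residue = (a - b * r) % p          # sqrt(M) = -r in the residue field Z/pZ
    return pow(residue, (p - 1) // k, p) == 1


if __name__ == "__main__":
    beta, alpha, eps = unit_from_relations()
    print("epsilon =", eps, "norm =", Quad(*eps).norm())
    for k, p, r in [(2, 5, 1), (3, 7, 1), (5, 61, 25)]:   # the ideals used on the page
        print(f"{k}-th power mod ({p}, {r} + sqrt(m))?",
              is_kth_power_mod_ideal(*eps, k, p, r))
```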

7.4 Parametrized Units

It is rather easy to construct families of quadratic number fields in which the fundamental unit can be written down explicitly. The simplest way of finding such a family is looking at the unit equation $t^2 - mu^2 = \pm 1$ and setting $u = 1$; then $m = t^2 \mp 1$ (with $t \ge 2$), and in fact $\varepsilon_t = t + \sqrt{t^2 \mp 1}$ is a unit in $\mathbb{Z}[\sqrt{m}]$.


Proposition 7.13 If $m = t^2 - 1$ is squarefree for $t \ge 2$, then $\varepsilon_m = t + \sqrt{m}$ is the fundamental unit of $\mathbb{Z}[\sqrt{m}]$.

This result also holds if $m$ is not squarefree, but then $\mathbb{Z}[\sqrt{m}]$ is not the ring of integers of $\mathbb{Q}(\sqrt{m})$.
Since we have already shown that $\varepsilon_m$ is a unit, it only remains to show that $\varepsilon_m$ is fundamental. But since $\varepsilon_m > 1$, this unit can only be not fundamental if $\varepsilon_m = (r + s\sqrt{m})^k$ for some exponent $k \ge 2$, and in that case the coefficient of $\sqrt{m}$ in $\varepsilon$ would have to be strictly greater than 1; for example, we have $(r + s\sqrt{m})^2 = r^2 + ms^2 + 2rs\sqrt{m}$.
The case $m = t^2 + 1$ is slightly more complicated.

Proposition 7.14 Assume that $m = t^2 + 1$ is squarefree for $t \ge 1$. If $t$ is odd, then $\varepsilon_m = t + \sqrt{m}$ is the fundamental unit of $\mathbb{Z}[\sqrt{m}]$. If $t$ is even, then $\varepsilon_m$ is the fundamental unit of $\mathbb{Z}[\frac{1 + \sqrt{m}}{2}]$ except for $t = 2$, when $\varepsilon_5 = 2 + \sqrt{5} = (\frac{1 + \sqrt{5}}{2})^3$.

The proof that $\varepsilon_m$ is fundamental if $t$ is odd (and thus if $m \equiv 2 \bmod 4$) is exactly as above. Assume therefore that $t$ is even and $m = t^2 + 1 \equiv 1 \bmod 4$. If $\varepsilon_m$ is not fundamental, then $\varepsilon_m = \left(\frac{r + s\sqrt{m}}{2}\right)^k$ for some exponent $k \ge 2$. If $r$ and $s$ are even, the proof above works. Assume therefore that $r$ and $s$ are odd. Then the smallest power of $\frac{r + s\sqrt{m}}{2}$ that lies in $\mathbb{Z}[\sqrt{m}]$ is 3, and in fact $k$ must be a multiple of 3. The case $k \ge 6$ cannot occur (the same proof as above), and if $k = 3$, then

$$\left(\frac{r + s\sqrt{m}}{2}\right)^3 = \frac{r^3 + 3rms^2 + (3r^2 s + ms^3)\sqrt{m}}{8}$$

shows that we must have $3r^2 s + ms^3 = 8$. Since $s$ is odd, this implies $s = 1$, and then $3r^2 + m = 8$ yields $m = 5$ and $r = 1$ as the only integral solution.
We obtain a slightly less trivial family by writing the Pell equation $t^2 - mu^2 = 1$ in the form $mu^2 = t^2 - 1 = (t - 1)(t + 1)$. Setting $t - 1 = u^2$ and $t + 1 = m$, we find $m = u^2 + 2$ and $t = u^2 + 1$. In this way we obtain the following proposition.

Proposition 7.15 Assume that $m = t^2 + 2$ is squarefree. Then $\varepsilon_m = t^2 + 1 + t\sqrt{m}$ is the fundamental unit of $\mathbb{Z}[\sqrt{m}]$.

Here $\varepsilon_m = (r + s\sqrt{m})^k$ is impossible for $k \ge 2$ because already the coefficient of $\sqrt{m}$ in $(r + s\sqrt{m})^2 = r^2 + ms^2 + 2rs\sqrt{m}$ is too large: We must have $r^2 + ms^2 > t^2 + 1$ since otherwise $rs = 0$, which is impossible.

In the examples above, the units are rather small. For finding fields with larger fundamental units,⁹ we construct elements $\alpha$ and $\beta$ with $N\alpha = \pm a^n$ and $N\beta = a$; using some additional conditions, we can make sure that the quotient $\varepsilon = \alpha/\beta^n$ is integral and therefore a unit.
For finding fields $K = \mathbb{Q}(\sqrt{m})$ containing elements with norm $\pm a^n$, we can simply write $m = r^2 + a^n$; then $\alpha = r + \sqrt{m}$ has norm $N\alpha = -a^n$. For finding elements with norm $\pm a$ in $\mathbb{Z}[\sqrt{m}]$, we observe that if $Q(x, y) = Ax^2 + Bxy + Cy^2$ (below, we will often abbreviate this form by $Q = (A, B, C)$) is a binary quadratic form with discriminant $\Delta = B^2 - 4AC = 4m$, and if $Q(s, t) = 1$, then

$$As^2 + Bst + Ct^2 = 1 \quad \text{implies} \quad 4A = (2As + Bt)^2 - \Delta t^2,$$

and hence $As + \frac{1}{2}Bt + t\sqrt{m}$ has norm $A$. Clearly, the quadratic form $Q = (a, 2r, a^{n-1})$ has discriminant $4m$, so all we need is a solution of the equation $1 = Q(s, t) = as^2 + 2rst + a^{n-1}t^2$ in integers. Before we construct such solutions, we prove that we do in fact obtain units in this way:

Proposition 7.16 Assume that $m = r^2 + a^n \equiv 2, 3 \bmod 4$ for coprime integers $a > 1$ and $n \ge 2$. Assume moreover that $Q(s, t) = 1$, where $s$ and $t$ are nonzero integers and where $Q = (-a, 2r, a^{n-1})$. Set $\alpha = r + \sqrt{m}$ and $\gamma = as - rt - t\sqrt{m}$; then $N\alpha = -a^n$, $N\gamma = -a$, and the element

$$\varepsilon = \frac{\gamma^n}{\alpha}$$

is a nontrivial unit in $\mathbb{Z}[\sqrt{m}]$.

There is, of course, a similar result for $m \equiv 1 \bmod 4$. If $r$ is odd, then one has to consider elements of the form $\alpha = \frac{r + \sqrt{m}}{2}$.

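Proof Set $\mathfrak{a} = (a, r + \sqrt{m})$. Clearly,

$$\gamma = as - rt - t\sqrt{m} = as - t(r + \sqrt{m}) \in \mathfrak{a},$$

hence $\mathfrak{a} \mid (\gamma)$. Moreover,

$$\mathfrak{a}^n = (a^n, a^{n-1}\alpha, \ldots, a\alpha^{n-1}, \alpha^n) = (\alpha)(r - \sqrt{m}, a^{n-1}, \ldots, \alpha^{n-1}) = (\alpha)$$

since $(\alpha', \alpha^{n-1}) \supseteq (\alpha', \alpha) = (1)$. In fact, if $\mathfrak{p}$ is a prime ideal dividing $(\alpha', \alpha)$, then either $\mathfrak{p}$ is ramified, or $m \equiv 1 \bmod 4$ and $\mathfrak{p} \mid (2)$. Since we have excluded the last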

9 The class number formula roughly implies that fields with large fundamental units tend to have

small class numbers; constructing families of fields with large fundamental units is therefore
important with respect to Gauss’s conjecture that there are infinitely many real quadratic number
fields with class number 1.

case, $\mathfrak{p}$ is ramified. Since $\mathfrak{p} \mid N\alpha = a^n$, this implies $\mathfrak{p} \mid (a)$. But then $\mathfrak{p} \mid (m)$ implies $\mathfrak{p} \mid (r)$ contradicting the assumption that $r$ and $a$ are coprime.
Now $\gamma \in \mathfrak{a}$ and $|N\gamma| = N\mathfrak{a}$ implies $\mathfrak{a} = (\gamma)$. This shows that $(\alpha) = (\gamma)^n$, and hence $\varepsilon$ is a unit as claimed.
It remains to show that the unit $\varepsilon$ is nontrivial, i.e., that $\varepsilon \ne \pm 1$. But $\varepsilon = \pm 1$ is equivalent to $\pm\gamma^n = \alpha = r + \sqrt{m}$, and this is impossible for $n \ge 2$ as soon as $a > 1$. Clearly, $\pm(t + u\sqrt{m})^2 = r + \sqrt{m}$ is impossible; similarly, $\pm\left(\frac{t + u\sqrt{m}}{2}\right)^3 = r + \sqrt{m}$ implies $t = u = 1$ and $m = 5$, which in turn is only possible if $r = 2$ and $a = 1$.
Now let $m = r^2 + a^3$ and $Q = (-a, 2r, a^2)$. Setting $Q(x, 1) = 1$ and solving for $r$, we obtain

$$r = \frac{1 - a^2 + ax^2}{2x}.$$

This value of $r$ is an integer, e.g., when $x = a - 1$ is even. Then $r = \frac{a^2 - 2a - 1}{2}$, and we have $Q(a - 1, 1) = 1$ for the quadratic form $Q = (-a, a^2 - 2a - 1, a^2)$, and hence

$$\gamma = a(a - 1) - \frac{a^2 - 2a - 1}{2} - \sqrt{m} = \frac{a^2 + 1 - 2\sqrt{m}}{2}$$

has norm $-a$.
An explicit calculation yields the unit

$$\varepsilon = \frac{a^5 - a^4 + 3a^3 + a^2 + 2}{2} + (a^3 - a^2 + 2a)\sqrt{m}.$$

The first few examples are given in the following table:

$a$    $r$    $m$      $\gamma$            $\varepsilon$
5      7      174      $13 - \sqrt{m}$     $1451 + 110\sqrt{174}$
9      31     1690     $41 - \sqrt{m}$     $27379 + 666\sqrt{1690}$
13     71     7238     $85 - \sqrt{m}$     $174747 + 2054\sqrt{7238}$
17     127    21042    $145 - \sqrt{m}$    $675683 + 4658\sqrt{21042}$

There are many other choices of r, each of which yields a similar family of units.
Now let $\Delta = (2a + 1)^2 + 4 \cdot 2^n$ for some integer $a$. Then

$$(2a + 1)^2 - \Delta = -4 \cdot 2^n, \quad \text{or} \quad a^2 + a + \frac{1 - \Delta}{4} = -2^n.$$

This shows that $(a, 1)$ is an integral point on the conic $x^2 + xy + \frac{1 - \Delta}{4} = -2^n$; equivalently, the element $\alpha = \frac{2a + 1 + \sqrt{\Delta}}{2}$ has norm $N\alpha = -2^n$.

Next we look at conics of the form $Q(x, y) = 1$ with $Q = (2, b, c)$ and

$$\operatorname{disc} Q = b^2 - 8c = (2a + 1)^2 + 4 \cdot 2^n$$

that have an integral point. The simplest possible form is $Q = (2, -2a - 1, -2^{n-1})$, and the simplest possible integral points are those with $y = \pm 1$. A necessary condition for the existence of an integral solution of $Q(x, \pm 1) = 1$, that is, of

$$2x^2 \pm (2a + 1)x - 2^{n-1} = 1,$$

is that the discriminant of the quadratic equation in $x$ is a square:

$$(2a + 1)^2 + 8 \cdot (2^{n-1} - 1) = 4a^2 + 4a + 4 \cdot 2^n + 9 = \square.$$

Setting this expression equal to $(2a + 3)^2$ quickly yields $a = 2^{n-1}$. In this case, the quadratic equation

$$2x^2 - (2^n + 1)x - (2^{n-1} - 1) = 0$$

has the solutions

$$x_{1,2} = \frac{2^n + 1 \pm (2^n + 3)}{4}, \quad \text{i.e.,} \quad x_1 = -\frac{1}{2}, \quad x_2 = 2^{n-1} + 1.$$

Thus we now have $\Delta = (2^n + 3)^2 - 8 = (2^n + 1)^2 + 4 \cdot 2^n$, and the conic $Q(x, y) = 1$ with $Q = (2, -2^n - 1, -2^{n-1})$ has the integral point $(2^{n-1} + 1, 1)$. Since

$$8Q(x, y) = (4x - (2^n + 1)y)^2 - \Delta y^2,$$

this provides us with the element

$$\gamma = \frac{2^n + 3 + \sqrt{\Delta}}{2}$$

with norm $N\gamma = -2$. Since $\alpha = \frac{1}{2}[(2^n + 1) - \sqrt{\Delta}]$ has norm $-2^n$, the solution of the Pell equation is given by

$$\varepsilon = -\frac{\gamma^n}{\alpha},$$

which is a unit with norm $-1$. This family is due to Michael Nyberg [100] and (independently) to Daniel Shanks [115].

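$n$    $\Delta$    $\varepsilon$
1      17          $4 + \sqrt{\Delta}$
2      41          $32 + 5\sqrt{\Delta}$
3      113         $776 + 73\sqrt{\Delta}$
4      353         $71264 + 3793\sqrt{\Delta}$
5      1217        $27628256 + 791969\sqrt{\Delta}$
6      4481        $46496952832 + 694603585\sqrt{\Delta}$

In this case, the discriminant $\Delta$ is asymptotically equal to $\Delta \sim 2^{2n}$, and we have $\gamma \sim 2^n$. Moreover, $\frac{1}{\alpha} = \frac{\alpha'}{N\alpha} \sim -\frac{2^n}{2^n} = -1$ is bounded, and hence $\varepsilon \sim \gamma^n \sim (2^n)^n \sim \Delta^{n/2}$. Thus $\log \varepsilon / \log \Delta$ is not bounded.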

7.5 Factorization Algorithms

The same idea that we have used for computing the fundamental unit of a real quadratic number field can be applied directly for factoring large integers. As a modest example, we choose $N = 4469$ and begin by factoring the integers $a^2 - N$ for $a \approx \sqrt{4469} \approx 67$. We keep only those factorizations that involve sufficiently small prime numbers:

a −1 2 5
62 1 0 4
63 1 2 3
67 0 2 1

The first line in this table encodes the factorization $62^2 - N = -5^4$.
Already the Indian mathematician Narayana Pandit (ca. 1340–1400) and later Pierre Fermat had used a similar method for factoring integers that do not have small factors. They checked whether any of the numbers $a^2 - N$ for $N = 1, 2, 3, \ldots$ is a square number: If $a^2 - N = b^2$, then we obtain the factorization $N = a^2 - b^2 = (a - b)(a + b)$.
The essential idea behind the modern factorization methods based on this idea (see, e.g., [130]) is the observation that we do not need a solution of the equation $a^2 - N = b^2$ but only a solution of the congruence $a^2 \equiv b^2 \bmod N$. Once we have found such a pair of integers $a$ and $b$, the numbers $\gcd(a + b, N)$ and $\gcd(a - b, N)$ are (possibly trivial) factors of $N$. Now observe that

$$(63^2 - N)(67^2 - N) = -2^4 \cdot 5^4$$

implies the congruence

$$63^2 \cdot 67^2 \equiv -2^4 \cdot 5^4 \bmod N.$$

Moreover we have $62^2 \equiv -5^4 \bmod N$, and hence $63^2 \cdot 67^2 \equiv 4^2 \cdot 62^2 \bmod N$, and we find only the trivial factor $\gcd(63 \cdot 67 - 4 \cdot 62, N) = 1$.
By enlarging our factor base, we obtain

a −1 2 5 11 13
62 1 0 4 0 0
63 1 2 3 0 0
67 0 2 1 0 0
71 0 2 0 1 1
72 0 0 1 1 1
83 0 2 1 2 0

Now we see $67^2 \cdot 72^2 \equiv 71^2 \cdot 5^2 \bmod N$, but this solution gives us once again just the trivial factorization. We are luckier with $67^2 \cdot 11^2 \equiv 83^2 \bmod N$ since now $\gcd(67 \cdot 11 - 83, N) = 109$, and in fact we have $N = 41 \cdot 109$.
Finding such relations is essentially linear algebra: We interpret the exponents in the factorizations as elements of an $\mathbb{F}_2$-vector space, and then finding squares boils down to finding linearly dependent vectors. The factorization method based on this idea is called the quadratic sieve.
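The linear algebra step can be made explicit for N = 4469. The following Python sketch is an added example, not code from the book; the names `exponent_row`, `collect_relations`, `dependencies` and `split` are hypothetical, and trial division stands in for sieving. It collects the smooth values of a² − N, eliminates the exponent rows modulo 2, and turns each dependency into a congruence x² ≡ y² mod N.

```python
from math import gcd, isqrt


def exponent_row(n, base):
    """Exponents of n over [-1] + base, or None if n is not smooth over the base."""
    row = [1 if n < 0 else 0]
    n = abs(n)
    for p in base:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        row.append(e)
    return row if n == 1 else None


def collect_relations(N, base, radius):
    """Map a -> exponent row of a^2 - N for the smooth values with |a - isqrt(N)| <= radius."""
    root = isqrt(N)
    rels = {}
    for a in range(root - radius, root + radius + 1):
        row = exponent_row(a * a - N, base) if a * a != N else None
        if row is not None:
            rels[a] = row
    return rels


def dependencies(rels):
    """Gaussian elimination over F_2; yields lists of a whose rows sum to an even vector."""
    keys = list(rels)
    pivots = {}                       # leading bit -> (reduced row, subset) as bit masks
    for i, a in enumerate(keys):
        vec = sum((e & 1) << j for j, e in enumerate(rels[a]))
        subset = 1 << i
        while vec:
            lead = vec.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (vec, subset)
                break
            vec ^= pivots[lead][0]
            subset ^= pivots[lead][1]
        else:                         # row reduced to zero: a dependency
            yield [keys[k] for k in range(len(keys)) if (subset >> k) & 1]


def split(N, base, radius):
    """Return (factor, cofactor, relation subset), or None if only trivial gcds occur."""
    rels = collect_relations(N, base, radius)
    for subset in dependencies(rels):
        x, total = 1, [0] * (len(base) + 1)
        for a in subset:
            x = x * a % N
            total = [t + e for t, e in zip(total, rels[a])]
        y = 1
        for p, e in zip(base, total[1:]):
            y = y * pow(p, e // 2, N) % N   # square root of the product of the a^2 - N
        g = gcd(x - y, N)                    # here x^2 = y^2 mod N
        if 1 < g < N:
            return g, N // g, subset
    return None


if __name__ == "__main__":
    # N and the factor base {-1, 2, 5, 11, 13} are the page's; radius 17 is chosen
    # here so that the search range reaches a = 83.
    print(collect_relations(4469, [2, 5, 11, 13], 17))
    print(split(4469, [2, 5, 11, 13], 17))
```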
Factoring Integers with the Pell Equation The computation of the fundamental unit is, for many values of $m$, about as difficult as factoring $m$. Indeed it follows from $x^2 - my^2 = 1$ that $my^2 = x^2 - 1 = (x - 1)(x + 1)$, and $\gcd(m, x - 1)$ is a (possibly trivial) factor of $m$. For $m = 91$, for example, the fundamental unit is $\varepsilon = 1574 + 165\sqrt{91}$, and we have $\gcd(91, 1573) = 13$. The Bohemian mathematician Franz von Schafgotsch [128] factored $a = 909\,191$ by solving the Pell equation for $m = 5a = 4\,545\,955$; he obtained
790482741705651738629349656268492900551186678587245833797608742 =
m · 370748861793367258280487230881607848045136342896607634986552 + 1,

and used the Euclidean algorithm to find the greatest common divisor of

79048274170565173862934965626849290055118667858724583379760874 + 1

and m = 1315, which gave him the factorization

909 191 = 263 · 3457.
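The m = 91 example can be reproduced with the continued fraction expansion of √m. The following Python sketch is an added example, not code from the book; `pell_fundamental` and `pell_split` are hypothetical names, and the continued fraction recurrence is a standard way of reaching the smallest solution that is swapped in here, not the method of small norms used in Section 7.3.

```python
from math import gcd, isqrt


def pell_fundamental(m):
    """Smallest (x, y), y > 0, with x^2 - m*y^2 = 1, from the convergents of sqrt(m)."""
    a0 = isqrt(m)
    if a0 * a0 == m:
        raise ValueError("m must not be a square")
    P, Q, a = 0, 1, a0        # complete quotient (P + sqrt(m)) / Q, partial quotient a
    x_prev, x = 1, a0         # numerators of consecutive convergents
    y_prev, y = 0, 1          # denominators of consecutive convergents
    while x * x - m * y * y != 1:
        P = a * Q - P
        Q = (m - P * P) // Q
        a = (a0 + P) // Q
        x_prev, x = x, a * x + x_prev
        y_prev, y = y, a * y + y_prev
    return x, y


def pell_split(m):
    """Return (x, y, gcd(m, x - 1), gcd(m, x + 1)); either gcd may be trivial."""
    x, y = pell_fundamental(m)
    return x, y, gcd(m, x - 1), gcd(m, x + 1)


if __name__ == "__main__":
    print(pell_split(91))
```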

7.6 Diophantine Equations

There is a large class of Diophantine equations whose solution depends crucially on the structure of the unit group of quadratic number fields. To give the readers an idea of a few elementary techniques in this area, we will prove a result due to J.H.E. Cohn (see, e.g., [21]).
Let $m \equiv 5 \bmod 8$ be a squarefree natural number, and assume that the fundamental unit $\varepsilon = \frac{a + b\sqrt{m}}{2}$ has norm $-1$ and satisfies $a \equiv b \equiv 1 \bmod 2$. We will consider the sequence of integers

$$V_n = \varepsilon^n + {\varepsilon'}^n,$$

where $\varepsilon' = \frac{a - b\sqrt{m}}{2} = -\frac{1}{\varepsilon}$. The first three elements of the sequence $(V_n)$ are $V_0 = 2$, $V_1 = a$, and $V_2 = a^2 + 2$.
If $m = 5$ (and therefore $a = 1$), these are called Lucas numbers after Édouard Lucas (1842–1891):

n 0 1 2 3 4 5 6 7
Vn 2 1 3 4 7 11 18 29

One consequence of the theorem we are about to prove is that the only squares in this sequence are $V_1 = 1$ and $V_3 = 4$.
We will need the following observations:
Proposition 7.17 For all $k, n \in \mathbb{Z}$, we have

$$V_{n+2} = aV_{n+1} + V_n, \qquad (7.8)$$
$$V_{2n} = V_n^2 - 2(-1)^n, \qquad (7.9)$$
$$V_{n+2k} \equiv (-1)^{k+1} V_n \bmod V_k. \qquad (7.10)$$
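
Equation (7.8) follows from

$$V_{n+2} = \varepsilon^{n+2} + {\varepsilon'}^{n+2} = (\varepsilon + \varepsilon')(\varepsilon^{n+1} + {\varepsilon'}^{n+1}) - \varepsilon{\varepsilon'}^{n+1} - \varepsilon'\varepsilon^{n+1} = V_1 V_{n+1} - \varepsilon\varepsilon' V_n = V_1 V_{n+1} + V_n$$

since $V_1 = a$ and $\varepsilon\varepsilon' = -1$. Next

$$V_{2n} = \varepsilon^{2n} + {\varepsilon'}^{2n} = (\varepsilon^n + {\varepsilon'}^n)^2 - 2(\varepsilon\varepsilon')^n = V_n^2 - 2(-1)^n.$$

Equation (7.9) immediately implies that the numbers $V_{2n}$ cannot be squares.
Finally,

$$V_{n+2k} = \varepsilon^{n+2k} + {\varepsilon'}^{n+2k} = (\varepsilon^k + {\varepsilon'}^k)(\varepsilon^{n+k} + {\varepsilon'}^{n+k}) - \varepsilon^k {\varepsilon'}^{n+k} - {\varepsilon'}^k \varepsilon^{n+k} = V_k V_{n+k} - (-1)^k V_n \equiv (-1)^{k+1} V_n \bmod V_k.$$

Next we observe that $V_n$ is even if and only if $n$ is divisible by 3. This follows from the recursion

$$V_{n+2} = aV_{n+1} + V_n$$

by induction.
In the following, $k$ will always denote an integer not divisible by 3. Thus

$$V_{2k} = V_k^2 - 2(-1)^k \equiv \begin{cases} 3 \bmod 8 & \text{if } k \text{ is odd,} \\ 7 \bmod 8 & \text{if } k \text{ is even.} \end{cases}$$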

Theorem 7.18 Let $m \equiv 5 \bmod 8$ be squarefree, and let $\varepsilon = \frac{a + b\sqrt{m}}{2}$ denote the fundamental unit of $\mathbb{Q}(\sqrt{m})$, where we assume that $a$ and $b$ are odd. The number $V_n = \varepsilon^n + {\varepsilon'}^n$ is a square only in the following cases:
1. $n = 1$ and $a$ is a square;
2. $n = 3$ and $a(a^2 + 3)$ is a square.
Using sage, it is possible to show that the elliptic curve $y^2 = a(a^2 + 3)$ has exactly four integral points, namely (0, 0), (1, 0), (3, 6), and (12, 42). A proof by hand leads to the Diophantine equation $x^4 - 3y^4 = -2$, which seems to be difficult to solve with the methods presented here.
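For the proof of Theorem 7.18, we will distinguish several cases.
1. $a \equiv 5, 7 \bmod 8$ and $n \equiv 3 \bmod 4$ We write $n = 2 \cdot 3^r k - 1$ for an even integer $k$ not divisible by 3. Then $V_k \equiv 3 \bmod 4$ and

$$V_n = V_{2 \cdot 3^r k - 1} \equiv -V_{-1} \equiv a \bmod V_k$$

by (7.10); hence,

$$\left(\frac{V_n}{V_k}\right) = \left(\frac{a}{V_k}\right) \quad \text{since } V_n \equiv a \bmod V_k,$$
$$= \left(\frac{-1}{a}\right)\left(\frac{V_k}{a}\right) \quad \text{since } \left(\frac{a}{V_k}\right) = \left(\frac{-V_k}{a}\right)$$
$$= \left(\frac{-2}{a}\right) \quad \text{since } V_k \equiv 2 \bmod a \text{ if } k \text{ is even.}$$
$$= -1 \quad \text{since } a \equiv 5, 7 \bmod 8.$$

But this implies our claim that $V_n$ is not a square in this case.
2. $a \equiv 5, 7 \bmod 8$ and $n \equiv 1 \bmod 4$ Here we write $n = -3 + 2 \cdot 3^r k$ for some even integer $k$ not divisible by 3 and find $V_n \equiv -V_{-3} = V_3 \bmod V_k$. Now $V_3 = a(a^2 + 3) = a \cdot 4b$ for some odd integer $b$; hence,

$$\left(\frac{V_3}{V_k}\right) = \left(\frac{a}{V_k}\right)\left(\frac{b}{V_k}\right) \quad \text{since } \left(\frac{4}{V_k}\right) = 1$$
$$= \left(\frac{a}{V_k}\right)\left(\frac{-V_k}{b}\right) \quad \text{since } V_k \equiv 3 \bmod 4$$
$$= \left(\frac{a}{V_k}\right) \quad \text{since } V_k \equiv V_2 = a^2 + 2 \equiv -1 \bmod b.$$
$$= -1 \quad \text{since } \left(\frac{a}{V_k}\right) = \left(\frac{-V_k}{a}\right) = \left(\frac{-2}{a}\right) = -1 \text{ as above.}$$

3. $a \equiv 1, 3 \bmod 8$ and $n \equiv 1 \bmod 4$ We write $n = 2 \cdot 3^r k + 1$ for an even integer $k$ not divisible by 3; since $V_n \equiv -V_1 \equiv -a \bmod V_k$ if $n > 1$, we have

$$\left(\frac{V_n}{V_k}\right) = \left(\frac{-a}{V_k}\right) = -\left(\frac{a}{V_k}\right) = -\left(\frac{-2}{a}\right) = -1.$$

4. $a \equiv 1, 3 \bmod 8$ and $n \equiv 3 \bmod 4$ If $n \ne 3$, we can write $n = 3 + 2 \cdot 3^r k$, where $k$ is even and not divisible by 3. Then $V_n \equiv -V_3 \equiv -a \bmod V_k$, and again we find

$$\left(\frac{V_n}{V_k}\right) = \left(\frac{-V_3}{V_k}\right) = -\left(\frac{V_3}{V_k}\right) = -\left(\frac{-2}{a}\right) = -1.$$

If $n = 3$, then $V_3 = a^3 + 3a$ must be a square.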



7.6.1 Summary

In this chapter we have shown

• that the Pell equation $x^2 - my^2 = 1$ has nontrivial solutions in integers for each nonsquare natural number $m$, that the unit group $E_K$ of a real quadratic number field $K$ is isomorphic to $E_K \simeq \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}$, and
• how to find the solutions of the Pell equation for modest values of $m$ by studying elements of $K$ with small norms.
For learning more about the Pell equation, see [8, 66, 91], and [46], as well as the
series of articles [78].

7.7 Exercises

7.1. Let $k$ be a real quadratic number field; assume that $\eta = \alpha^2$ and $N\alpha < 0$ for elements $\eta, \alpha \in k^\times$. Show that, as real numbers, $\operatorname{Tr} \alpha = \sqrt{\eta} - \sqrt{\eta'}$.
7.2. Show that if $m = n^2$ is a square, then the equation $x^2 - my^2 = 1$ has only the trivial solutions $x = \pm 1$ in integers.
7.3. Show using Dirichlet’s pigeonhole principle that for each real number $x$, there exist infinitely many pairs $(p, q) \in \mathbb{Z} \times \mathbb{Z}$ such that $|x - \frac{p}{q}| < \frac{1}{q^2}$.
Hint: Consider the remainders modulo 1 of the numbers $0, x, 2x, \ldots, nx$; these $n + 1$ remainders lie in the $n$ intervals $[0, \frac{1}{n}), [\frac{1}{n}, \frac{2}{n}), \ldots, [\frac{n-1}{n}, 1)$.
7.4. Find elements with small nontrivial norm in the family of quadratic number fields $\mathbb{Q}(\sqrt{m})$ with $m = t^2 - 1$ and $m = t^2 \pm 4$.
Use this result for finding examples of real quadratic number fields with large class number.
7.5. Prove the following lemma (Hasse [58]): If $m > 0$ is not a square and $\varepsilon = \frac{t + u\sqrt{m}}{2}$ the fundamental unit of $\mathbb{Q}(\sqrt{m})$, and if $n$ is the smallest positive nonsquare for which $x^2 - my^2 = \pm 4n$ is solvable in nonzero integers, then

$$n \ge \begin{cases} \frac{t}{u^2}, & \text{if } N\varepsilon = -1, \\ \frac{t - 2}{u^2}, & \text{if } N\varepsilon = +1. \end{cases}$$

7.6. Show: If $m = 2p$ for primes $p \equiv 5 \bmod 8$, then $N\varepsilon_m = -1$ for the fundamental unit $\varepsilon_m$ of $\mathbb{Q}(\sqrt{m})$.
7.7. Show: If $m = 2p$ for primes $p \equiv 3 \bmod 4$, then either $x^2 - my^2 = 2$ or $x^2 - my^2 = -2$ is solvable in nonzero integers. Also show that, in this case, $2\varepsilon_m$ is a square in $K = \mathbb{Q}(\sqrt{m})$, where $\varepsilon_m$ denotes the fundamental unit in $K$.
7.8. Compute the fundamental units of $\mathbb{Q}(\sqrt{m})$ for $m = 3, 19, 43, 67, 131, 159, 199$.

7.9. Show: If $\varepsilon = \frac{t + u\sqrt{m}}{2}$ is the fundamental unit of $\mathbb{Q}(\sqrt{m})$ for $m \equiv 1 \bmod 8$, then $t$ and $u$ are even.
7.10. Let $m = n^2 - 1$ for some natural number $n \ge 2$. Show that $\varepsilon = n + \sqrt{m}$ is a unit in $\mathbb{Z}[\sqrt{m}]$ and that it is the fundamental unit of $\mathbb{Q}(\sqrt{m})$ if $m$ is squarefree.
More generally, find units for $m = n^2 \pm 1$ and $m = n^2 \pm 4$.
7.11. Compute the class number and the fundamental unit of $K = \mathbb{Q}(\sqrt{478})$.
Hint: Consider the prime ideal above (2) and the prime ideals above 3 and 7. Determine the prime ideal factorizations of $(a + \sqrt{478})$ for $a = 10, 17, 22, 24$, and 25, and conclude that $K$ has class number 1.
7.12. The solvability of the Pell equation $x^2 - my^2 = 1$ for positive nonsquares $m$ may be formulated as follows: The part of the Euclidean plane defined by the hyperbolas $x^2 - my^2 = 1$ and $x^2 - my^2 = -1$ that contains their asymptotes contains infinitely many lattice points. In this formulation, the claim even holds when $m$ is a square; in this case, all integral points lie on the asymptotes.
Show that the region between the two hyperbolas $2x^2 - 5y^2 = 1$ and $2x^2 - 5y^2 = -1$ does not contain any lattice point except (0, 0).
7.13. Show that the continued fraction expansion of $\sqrt{m}$ for $m = t^2 - 1$ is given by

$$\sqrt{m} = [t - 1; 1, 2t - 2, 1, 2t - 2, 1, 2t - 2, \ldots] = [t - 1; \overline{1, 2t - 2}].$$

For example,

$$\sqrt{3} = 1 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{2 + \ldots}}}}}}.$$

7.14. Show that the continued fraction expansion of $\sqrt{m}$ for $m = t^2 + 2$ is given by

$$\sqrt{m} = [t; \overline{t, 2t}].$$

7.15. Show that $x^2 = a^3 + 3a$ for odd integers $a$ is equivalent to

$$\left(\frac{a - 1}{2}\right)^3 + \left(\frac{a + 1}{2}\right)^3 = y^2,$$

where $y = \frac{x}{2}$.

Show moreover that the equation $y^2 = x(x^2 + 3)$ has the only integral points $(0, 0)$, $(1, \pm 2)$, $(3, \pm 6)$, and $(12, \pm 42)$ assuming that the equation $r^3 - 3s^4 = -2$ has the only integral solution $r = s = s$.
7.16. Let $p \equiv 3 \bmod 4$ be a prime number, and let $\varepsilon = t + u\sqrt{p}$ denote the fundamental unit of $\mathbb{Q}(\sqrt{p})$. Show that $t$ is even and that $t \equiv 1 - (\frac{2}{p}) \bmod 4$.
7.17. Show that the function $f$ defined in (7.2) is injective.
7.18. Let $\varepsilon = 2 + \sqrt{3}$ be the fundamental unit of $\mathbb{Z}[\sqrt{3}]$. Define the numbers $V_n = \varepsilon^n + {\varepsilon'}^n$ for $n \ge 0$. Show that these numbers satisfy the recurrence relation

$$V_{n+1} = 4V_n - V_{n-1}.$$

Also show that $V_{2n} = V_n^2 - 2$ and that the subsequence $V_{2^n}$ consists of the numbers occurring in the Lucas–Lehmer test.
Chapter 8
Catalan’s Equation

In this chapter we will show how to apply the arithmetic of quadratic number fields
to special cases of Catalan’s conjecture.
In 1844, Catalan conjectured that the only powers of (positive) natural numbers that differ by 1 are $2^3 = 8$ and $3^2 = 9$; in other words, the Diophantine equation

$$x^p - y^q = 1$$

has $3^2 - 2^3 = 1$ as its only nontrivial solution. This conjecture was proved by Preda Mihailescu [94] in 2004. His proof uses the work of many other mathematicians and in particular results about the arithmetic of cyclotomic number fields that are beyond the scope of the present book.
We will, however, be able to cover the equations $x^p - y^q = 1$ with $p = 2$ or $q = 2$ because these cases can be attacked using the arithmetic of quadratic number fields.

8.1 Lebesgue’s Theorem

Already in 1850, Victor-Amédée Lebesgue [74] published a proof of the following special case of Catalan’s conjecture:
Theorem 8.1 The equation $y^2 + 1 = x^m$ does not have any solutions in natural numbers $x, y$ with $m \ge 2$.

The following proof based on the arithmetic of the ring $\mathbb{Z}[i]$ of Gaussian integers is essentially the one given by Lebesgue. Clearly, $y$ cannot be odd since otherwise $y^2 + 1 \equiv 2 \bmod 4$ cannot be a nontrivial power. Thus $y$ is even.
The exponent $m$ must be odd; in fact, if $m$ is even, then $y^2$ and $x^m$ are consecutive squares, which implies $x = 1$ and $y = 0$, a case we have excluded.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_8

Now we factor our equation:

$$x^m = y^2 + 1 = (y + i)(y - i).$$

Since the two factors are coprime (recall that $y$ is even), we deduce that there exists a Gaussian integer $a + bi$ and a unit $i^k$ with

$$y + i = i^k (a + bi)^m \quad \text{and} \quad y - i = i^{-k}(a - bi)^m.$$

Observe that $2 + i$ has odd norm, and hence $a$ and $b$ must have different parity. These equations imply

$$2i = i^k (a + bi)^m - i^{-k}(a - bi)^m = i^k [(a + bi)^m - (-1)^k (a - bi)^m]. \qquad (8.1)$$

Now there are two cases:

• $k = 2r$ is even; then comparing the coefficients of $i$ in (8.1) shows that

$$1 = (-1)^r \left[ ma^{m-1}b - \binom{m}{3} a^{m-2} b^3 + \ldots \pm b^m \right]. \qquad (8.2)$$

Since the expression in the bracket is divisible by $b$, we must have $b = \pm 1$, and $a$ must be even.
• $k = 2r + 1$ is odd; then we find

$$1 = (-1)^r \left[ a^m - \binom{m}{2} a^{m-2} b^2 + \ldots \pm mab^{m-1} \right]. \qquad (8.3)$$

In this case we find $a = \pm 1$, and $b$ must be even.

Both cases lead to an equation of the form

$$1 - \binom{m}{2} c^2 + \binom{m}{4} c^4 - \ldots \pm mc^{m-1} = \pm 1,$$

where $c$ is an even integer. If the right side of this equation is $-1$, then $c^2$ would divide 2, which is nonsense. Thus we can subtract 1 from both sides and divide through by $-c^2$; in this way, we obtain

$$\binom{m}{2} - \binom{m}{4} c^2 + \ldots \pm mc^{m-3} = 0.$$

If $m = 3$, this equation says $\binom{3}{2} = 0$, which is nonsense. Thus $m \ge 5$, and then $\binom{m}{2}$ must be divisible by 4 since $c$ is even. But $m$ is odd, and hence $\binom{m}{2} = \frac{m(m-1)}{2}$ is divisible by 4 if and only if $m \equiv 1 \bmod 8$.
divisible by 4 if and only if m ≡ 1 mod 8.

We will now finish the proof by showing that $\binom{m}{2}$ is divisible by a smaller power of 2 than all the other terms. This will then imply that the sum cannot vanish.
Observe that the factor $\frac{(m-2)(m-3)}{3 \cdot 4} c^2$ of

$$\binom{m}{4} c^2 = \binom{m}{2} \cdot \frac{(m-2)(m-3)}{3 \cdot 4} c^2$$

is even: In fact, the factor 4 in the denominator cancels against $c^2$, and the numerator $(m-2)(m-3)$ is even; thus $\binom{m}{4} c^2$ is divisible by a higher power of 2 than $\binom{m}{2}$. In general we have

$$\binom{m}{2r} c^{2r-2} = \binom{m}{2} \binom{m-2}{2r-2} \frac{2}{2r(2r-1)} \cdot c^{2r-2} = \binom{m}{2} \binom{m-2}{2r-2} \frac{1}{r(2r-1)} \cdot c^{2r-2}.$$

Now $c^{2r-2}$ is divisible by $2^{2r-2}$; for $r \ge 3$, the factor $r$ is not divisible by $2^{2r-2}$ since $r < 2^{2r-2}$. This implies our claims.

8.2 Euler’s Theorem

Euler solved the equation $y^2 = x^3 + 1$ in rational numbers; using the basic machinery from the theory of elliptic curves,¹ such a proof can be given in a couple of lines. Direct proofs of this result, on the other hand, tend to be rather technical.
Theorem 8.2 The only rational solutions of the Diophantine equation $x^2 = y^3 + 1$ are $(x, y) = (0, -1)$, $(\pm 1, 0)$, and $(\pm 3, 2)$.

Euler’s proof is based on the key fact that the equation

$$z^2 = p^4 + 9p^2 q^2 + 27q^4$$

does not have solutions in nonzero integers. The proof is quite involved but only uses the arithmetic of the ordinary integers. Wakulicz [131] was apparently unaware of the fact that his proof is essentially that of Euler.

8.2.1 Monsky’s Proof

We will now present Paul Monsky’s beautiful solution of the Diophantine equation $y^2 = x^3 + 1$. Euler first showed that (2, 3) is the only solution in positive rational numbers.

1 Everything you need is contained in [117].



The proof of Theorem 8.2 is based on a reformulation of the theorem similar to the one we have used in our proof of Fermat’s Last Theorem for cubes:
Theorem 8.3 Let $\alpha, \beta, \gamma \in \mathbb{Q}(\rho)^\times$. If $\alpha + \beta + \gamma = 0$ and $\alpha\beta\gamma = 2\mu^3$, then after a suitable permutation of the three numbers $\alpha = 0$ or $\beta = \gamma$.

Observe that the equations $\alpha + \beta + \gamma = 0$ and $\alpha\beta\gamma = 2\mu^3$ are homogeneous, and hence it will be sufficient to prove the result for algebraic integers $\alpha, \beta, \gamma \in \mathbb{Z}[\rho]$.
For proving that Theorem 8.3 implies Theorem 8.2, assume that $x^2 = y^3 + 1$ for rational numbers $x, y$. Setting $\alpha = 1 - x$, $\beta = 1 + x$, and $\gamma = -2$, we find $\alpha + \beta + \gamma = 0$ and $\alpha\beta\gamma = 2(x^2 - 1) = 2y^3$, and hence $\alpha = 0$ (and $x = 1$), $\beta = 0$ (and $x = -1$), $\alpha = \beta$ (and $x = 0$), $\alpha = \gamma$ (and $x = 3$), or $\beta = \gamma$ (and $x = -3$). Thus we obtain Theorem 8.2, and in fact we have also proved that the only rational points on the curve $x^2 = y^3 + 1$ are the integral points given in Theorem 8.2.
Proof Let $(\alpha, \beta, \gamma)$ be a counterexample. Then $\alpha$, $\beta$, and $\gamma$ are pairwise coprime in $\mathbb{Z}[\rho]$, and so (after a suitable permutation of the numbers) we find that there exist $A_1, B_1, C_1 \in \mathbb{Z}[\rho]$ with

$$\alpha = 2\rho^a A_1^3, \quad \beta = \rho^b B_1^3, \quad \gamma = \rho^c C_1^3$$

because 2 is prime in $\mathbb{Z}[\rho]$. Among all such counterexamples, we choose one in which $N\alpha$ is minimal. Dividing all three elements by $\rho^a$, we obtain $a = 0$.
Now we observe that all cubes in $\mathbb{Z}[\rho]$ are either $\equiv 0$ or $\equiv 1 \bmod 2$ (Exercise 5.14). This implies that $0 \equiv \alpha \equiv \beta + \gamma \equiv \rho^b + \rho^c \bmod 2$, which is only possible if $b = c$. Since $\alpha\beta\gamma$ is two times a cube, we must even have $a = b = c$ and hence $a = b = c = 0$.
Therefore

$$\alpha = 2A_1^3, \quad \beta = B_1^3, \quad \gamma = C_1^3.$$

Since $B_1^3 \equiv C_1^3 \equiv 1 \bmod 2$, we may assume according to Proposition 5.10 that $B_1 \equiv C_1 \equiv 1 \bmod 2$.
Now we set $\alpha_1 = B_1 + C_1$, $\beta_1 = \rho B_1 + \rho^2 C_1$, and $\gamma_1 = \rho^2 B_1 + \rho C_1$. Then
• $\alpha_1 + \beta_1 + \gamma_1 = B_1(1 + \rho + \rho^2) + C_1(1 + \rho + \rho^2) = 0$.
• $\alpha_1 \beta_1 \gamma_1 = B_1^3 + C_1^3 = \beta + \gamma = -\alpha = 2(-A_1)^3$.
• $\beta_1 + \gamma_1 = (B_1 + C_1)(\rho + \rho^2) = -(B_1 + C_1) \ne 0$ since $\beta + \gamma = -\alpha \ne 0$.
• $N(\alpha_1 \beta_1 \gamma_1) = N\alpha \mid N(\alpha\beta\gamma)$; if we had equality, it would follow that $N(\beta) = N(\gamma) = 1$ and thus $\beta, \gamma = \pm 1$. But this yields $\beta = 1$, $\gamma = -1$, and $\alpha = 0$ contradicting our assumption.
Thus $(\alpha_1, \beta_1, \gamma_1)$ is a solution with $N(\alpha_1 \beta_1 \gamma_1) < N(\alpha\beta\gamma)$, which contradicts our assumption on the minimality of $N\alpha$. This completes the proof.


8.3 The Theorems of Størmer and Ko Chao


Consider units $\varepsilon = t + u\sqrt{m}$ in $\mathbb{Z}[\sqrt{m}]$; if u = 1, then $\varepsilon$ is fundamental in
the sense that it is not a nontrivial power of another unit in $\mathbb{Z}[\sqrt{m}]$. The unit $3 + 2\sqrt{2}$ is the
square of $1 + \sqrt{2}$, but all other units with u = 2 are also fundamental in $\mathbb{Z}[\sqrt{m}]$.
Størmer [119] has proved a general result that guarantees that certain units
$t + u\sqrt{m}$ are not powers of other units.

Theorem 8.4 Let m be a positive integer, and assume that m is not a square. Let
$t + u\sqrt{m}$ be the unit corresponding to the minimal positive solution (t, u) of the Pell
equation $t^2 - mu^2 = e = \pm 1$, and define natural numbers $t_n$, $u_n$ by

$$t_n + u_n\sqrt{m} = (t + u\sqrt{m})^n. \qquad (8.4)$$

If each prime dividing $u_n$ also divides m, then n = 1, with the single exception
m = 2 and n = 2, where $3 + 2\sqrt{2} = (1 + \sqrt{2})^2$.

Before we prove this result, we formulate an obvious corollary:


Corollary 8.5 Given a positive integer m, the equation $t^2 - mu^2 = 1$ has at most
one solution (t, u) with the property that every prime dividing u also divides m.

This is clear since the exception $1 + \sqrt{2}$ in Størmer’s Theorem has norm −1.
For the proof of Størmer’s Theorem, we assume that $u_n$ has the property that
each of its prime divisors divides m. Equation (8.4), with $t = t_1$ and $u = u_1$, tells
us that

$$u_n = n t_1^{n-1} u_1 + \binom{n}{3} t_1^{n-3} u_1^3 m + \dots,$$

which implies $u_1 \mid u_n$. Write $u_n = s_n u_1$ and $m u_1^2 = t_1^2 - e = A$. Since m is a nonsquare
> 1, so is A. Plugging these numbers into (8.4), we obtain

$$t_n + s_n\sqrt{A} = (t_1 + \sqrt{A})^n.$$

We know that each prime divisor of $s_n$ divides A.


If n > 1, let p denote one of these prime divisors and set n = pk. Then

$$t_n + s_n\sqrt{A} = (t_p + s_p\sqrt{A})^k,$$

and hence

$$s_n = k t_p^{k-1} s_p + \binom{k}{3} t_p^{k-3} s_p^3 A + \dots.$$

Thus $s_n$ is divisible by $s_p$, and hence each prime dividing $s_p$ will divide A. But since

$$s_p = p t_1^{p-1} + \binom{p}{3} t_1^{p-3} A + \dots, \qquad (8.5)$$

we see that each prime dividing $s_p$ divides $p t_1^{p-1}$. The equation $t_1^2 = A + e$ shows
that $t_1$ and A are coprime, and hence the only prime dividing $s_p$ is p. Since $s_p > 1$,
we can write $s_p = p^r$ for some integer r ≥ 1. Plugging this into (8.5), we obtain

$$p t_1^{p-1} + \binom{p}{3} t_1^{p-3} A + \dots = p^r. \qquad (8.6)$$

We now distinguish several cases.


p = 2. Here $(t + u\sqrt{m})^2 = t^2 + mu^2 + 2tu\sqrt{m}$; since every prime divisor of 2tu
divides m, this is true for every prime divisor of t. But if p | t divides m, then p also
divides $t^2 - mu^2 = \pm 1$, which is impossible. Thus t = 1, and the only unit of the
form $1 + \sqrt{m}$ is the unit $1 + \sqrt{2}$.
p = 3. In this case, $s_3 = 3t_1^2 + A = 3^r$ together with the fact that $A = t_1^2 - e$
implies $4t_1^2 - e = 3^r$.
If e = −1, then $3^r = 4t_1^2 + 1$ is a sum of coprime squares and cannot be divisible
by 3. Thus e = 1, and we have

$$3^r = 4t_1^2 - 1 = (2t_1 - 1)(2t_1 + 1).$$

Since the factors are coprime, this is only possible if $2t_1 - 1 = 1$, which implies
$t_1 = 1$, r = 1 and then A = 0, which is impossible.
p > 3. Here all the terms in (8.6) except possibly the first one are divisible by $p^2$
since p | A. Since $t_1$ and A are coprime, the first term $p t_1^{p-1}$ is not divisible by $p^2$,
and this implies r = 1. Dividing (8.6) by p yields

$$t_1^{p-1} + \frac{(p-1)(p-2)}{6}\, t_1^{p-3} A + \dots = 1,$$

which is impossible since the left side is clearly > 1.
Størmer proved his result in connection with the numerical computation of
logarithms; to this end, he was looking for pairs (N, N + 1) of numbers such that
both N and N + 1 are divisible only by a given finite set of prime numbers, and he
showed how to construct such pairs by solving a finite set of Pell equations.
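
Theorem 8.4 can be checked numerically for small m. The following is an added example, not taken from the book: it finds the minimal solution of $t^2 - mu^2 = \pm 1$ from the continued fraction of $\sqrt{m}$, forms the powers in (8.4), and lists every pair (m, n) with n ≥ 2 for which all primes dividing $u_n$ divide m. The function names and the search bounds are choices made here.

```python
from math import gcd, isqrt

def pell_fundamental(m):
    """Minimal positive (t, u, e) with t^2 - m*u^2 = e = +-1, read off the
    continued fraction convergents h/k of sqrt(m); m must not be a square."""
    a0 = isqrt(m)
    if a0 * a0 == m:
        raise ValueError("m must not be a square")
    P, Q, a = 0, 1, a0          # state of the expansion of sqrt(m)
    h_prev, h = 1, a0           # numerators of consecutive convergents
    k_prev, k = 0, 1            # denominators of consecutive convergents
    while True:
        e = h * h - m * k * k
        if e in (1, -1):        # first convergent of norm +-1 is the minimal one
            return h, k, e
        P = a * Q - P
        Q = (m - P * P) // Q
        a = (a0 + P) // Q
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev

def only_primes_of(u, m):
    """True if every prime dividing u also divides m."""
    g = gcd(u, m)
    while g > 1:
        while u % g == 0:
            u //= g
        g = gcd(u, m)
    return u == 1

def stormer_exceptions(m_max, n_max):
    """All (m, n), 2 <= n <= n_max, nonsquare m <= m_max, such that every
    prime dividing u_n divides m, where t_n + u_n sqrt(m) = (t + u sqrt(m))^n."""
    found = []
    for m in range(2, m_max + 1):
        if isqrt(m) ** 2 == m:
            continue
        t1, u1, _ = pell_fundamental(m)
        t, u = t1, u1
        for n in range(2, n_max + 1):
            # multiply t + u sqrt(m) by the fundamental unit t1 + u1 sqrt(m)
            t, u = t * t1 + m * u * u1, t * u1 + u * t1
            if only_primes_of(u, m):
                found.append((m, n))
    return found

if __name__ == "__main__":
    print(stormer_exceptions(200, 8))
```

Within these bounds the only pair reported is m = 2, n = 2, the exception $3 + 2\sqrt{2} = (1 + \sqrt{2})^2$ named in the theorem.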

8.3.1 Application to Catalan’s Equation

We now apply Størmer’s Theorem to the equation $x^2 - y^q = 1$, where q is an odd
integer. For proving that there are no integral solutions with x > 1, it is sufficient to
prove the claim in the case where q is an odd prime number.
The analog of the following result² for the general Catalan equation plays a
central role in Mihailescu’s proof:

Theorem 8.6 (Nagell) If there are positive integers x, y with $x^2 - y^q = 1$ for some
odd prime number q, then 2 | y and q | x.
For proving the first claim, we write the equation in the form $y^q = x^2 - 1 =
(x - 1)(x + 1)$. Then gcd(x − 1, x + 1) | 2; if y is odd, then x is even and the two
factors are coprime. But then $x - 1 = a^q$ and $x + 1 = b^q$ must be q-th powers,
hence $b^q - a^q = 2$, which is impossible. This contradiction shows that y must be
even as claimed.
For the second claim, we write the equation in the form

$$x^2 = y^q + 1 = \frac{y^q + 1}{y + 1}\,(y + 1).$$

Observe that $\frac{y^q + 1}{y + 1} = Q_q(y, -1)$ in the notation of Sect. 3.5. By (3.18), we have
$\gcd(Q_q(y, -1), y + 1) \mid q$. Thus if $q \nmid y$, the factors are coprime and must both be
squares, i.e., there exist natural numbers a and b with

$$y + 1 = a^2, \quad \frac{y^q + 1}{y + 1} = b^2, \quad x = ab.$$

Now $a^2 - y = 1$; if y is a square, then y = 0, which is impossible. Thus y is not a
square and $\varepsilon = a + \sqrt{y}$ is the fundamental unit of the order $\mathbb{Z}[\sqrt{y}]$. But the equation
$x^2 - y^q = 1$ implies $\eta = x + y^{(q-1)/2}\sqrt{y}$ also is a unit in $\mathbb{Z}[\sqrt{y}]$, so we must have
$\eta = \varepsilon^n$. By Størmer’s Theorem, we must have n = 1, hence x = a, b = 1, and
finally q = 1, which is impossible.
Now we give Chein’s proof of the following theorem of Ko Chao:
Theorem 8.7 The equation $x^2 - y^q = 1$, where q ≥ 5 is prime, does not have any
solutions in nonzero integers.

Nagell’s Theorem 8.6 tells us that x is odd. If x ≡ 3 mod 4, then $y^q = x^2 - 1 =
(x - 1)(x + 1)$ implies the existence of natural numbers a and b with

$$x + 1 = 2^{q-1} a^q \quad \text{and} \quad x - 1 = 2b^q.$$

2 See Theorem 8.14 below.



Observe that a < b since $a^q = (b^q + 1)/2^{q-2} < b^q$. Now

$$(b^2 + 2a)\,\frac{b^{2q} + (2a)^q}{b^2 + 2a} = b^{2q} + (2a)^q = \Big(\frac{x - 1}{2}\Big)^2 + 2(x + 1) = \Big(\frac{x + 3}{2}\Big)^2.$$

By Theorem 8.6, we have q | x. Since q ≠ 3, the term $\frac{x+3}{2}$ is not divisible by q.
Since the factors on the left are coprime, they are squares. But $b^2 + 2a$ lies between
two consecutive squares because $b^2 < b^2 + 2a < b^2 + 2b < (b + 1)^2$. This is a
contradiction.
If x ≡ 1 mod 4, then $x - 1 = 2^{q-1} a^q$ and $x + 1 = 2b^q$, and hence we obtain in
a similar way

$$b^{2q} - (2a)^q = \Big(\frac{x - 3}{2}\Big)^2,$$

and the rest of the proof carries over almost word for word.

8.4 Euler’s Equation via Pure Cubic Number Fields

We now return to Euler’s equation $x^2 = y^3 + 1$ and determine its integral solutions.
We begin by writing our equation in the form $y^3 = x^2 - 1 = (x - 1)(x + 1)$; a
common divisor of x + 1 and x − 1 divides their difference 2, and hence there are
two possibilities:
1. x is even. Then gcd(x + 1, x − 1) = 1, and according to Corollary 4.13, there
exist integers a, b ∈ Z such that $x + 1 = \pm a^3$ and $x - 1 = \pm b^3$. By pulling
$-1 = (-1)^3$ into the cube, we may omit the signs and obtain $x + 1 = a^3$ and
$x - 1 = b^3$. Subtracting these equations from each other yields $2 = a^3 - b^3 =
(a - b)(a^2 + ab + b^2)$; thus a − b divides 2.
If a − b = ±1, then

$$\pm 2 = a^2 + ab + b^2 = (b \pm 1)^2 + b(b \pm 1) + b^2 = 3b^2 \pm 3b + 1.$$

Solving these quadratic equations yields a contradiction as the solutions are not
integers.
If a − b = ±2, on the other hand, then we find

$$\pm 1 = a^2 + ab + b^2 = (b \pm 2)^2 + b(b \pm 2) + b^2 = 3b^2 \pm 6b + 4,$$

and now we obtain the unique solution b = −1, a = 1, x = 0, and y = −1.
2. x is odd. Then gcd(x + 1, x − 1) = 2, and according to Corollary 4.13, there exist
integers a, b ∈ Z with $x + 1 = 2a^3$ and $x - 1 = 4b^3$, where the signs may be
omitted as before (the possibility $x + 1 = 4a^3$ and $x - 1 = 2b^3$ can be reduced
to the first: simply replace x by −x). In a similar way as above, we now find the
equation $1 = a^3 - 2b^3$.
We will show below that the only integral solutions of this equation are
given by (a, b) = (1, 0) and (−1, −1). These lead to the solutions (x, y) =
(±1, 0), (±3, 2) of the original equation.
We will attack the equation $a^3 - 2b^3 = 1$ directly by writing it in the form

$$1 = (a - b\sqrt[3]{2})(a^2 + \sqrt[3]{2}\,ab + \sqrt[3]{4}\,b^2)$$

and observing that $a - b\sqrt[3]{2}$ is a unit in the ring $\mathbb{Z}[\sqrt[3]{2}]$. It can be shown that
$R^\times = \langle -1, 1 - \sqrt[3]{2} \rangle$, and the claim then boils down to showing that $\pm(1 - \sqrt[3]{2})^n =
a - b\sqrt[3]{2}$ implies |n| ≤ 1 (in general, this power will have the form $r + s\sqrt[3]{2} + t\sqrt[3]{4}$
for some t ≠ 0).
The calculations³ will be performed in the pure cubic number field $\mathbb{Q}(\sqrt[3]{2})$. Its
ring of integers is

$$\mathbb{Z}[\sqrt[3]{2}] = \{a + b\sqrt[3]{2} + c\sqrt[3]{4} : a, b, c \in \mathbb{Z}\}.$$

This ring is Euclidean with respect to the absolute value of the norm, and hence it
has unique factorization. The solution of the equation $a^3 + 2b^3 = 1$ that we will
give does not use any of this: All we need is the fact that the units of the ring $\mathbb{Z}[\sqrt[3]{2}]$
are generated by −1 and $\sqrt[3]{2} - 1$, and we will prove this below.

8.4.1 Units in Pure Cubic Number Fields



A pure cubic number field is a number field of the form $K = \mathbb{Q}(\sqrt[3]{m})$ for some
integer m > 0, which we may assume to be cubefree, i.e., not divisible by a cube
≠ ±1. The elements of K have the form $x + y\sqrt[3]{m} + z\sqrt[3]{m}^{\,2}$ with x, y, z ∈ Q. We
will not determine the ring of integers of K and are content with observing that if
$m = ab^2$ for squarefree integers a, b ∈ N, then $\sqrt[3]{m^2} = b\sqrt[3]{a^2 b}$. If r, s, t ∈ Z, then
the elements $r + s\sqrt[3]{ab^2} + t\sqrt[3]{a^2 b}$ belong to the ring of integers in K.
We also need to determine the norm of an element $\alpha = r + s\sqrt[3]{ab^2} + t\sqrt[3]{a^2 b}$,
which is defined as the product $N\alpha = \alpha\alpha'\alpha''$ of the conjugates of $\alpha$, where

$$\alpha' = r + s\rho\sqrt[3]{ab^2} + t\rho^2\sqrt[3]{a^2 b} \quad \text{and} \quad \alpha'' = r + s\rho^2\sqrt[3]{ab^2} + t\rho\sqrt[3]{a^2 b},$$

and where $\rho = \frac{-1 + \sqrt{-3}}{2}$. A straightforward calculation yields

$$N\alpha = r^3 + ab^2 s^3 + a^2 b t^3 - 3abrst.$$

3 We will follow Nagell’s publication [99] (see also [92]).

As in quadratic number fields, units have norm ±1, and integral elements with
norm ±1 are units. In particular, if (x, y) is an integral solution of the Diophantine
equation $x^3 + dy^3 = 1$, then $x + y\sqrt[3]{d}$ is a unit in $\mathbb{Z}[\sqrt[3]{d}]$. According to a theorem
due to Dirichlet, this ring has a fundamental unit $\varepsilon$ with the property that all units
can be written in the form $\eta = \pm\varepsilon^n$ for some n ∈ Z. The nontrivial part of this
theorem claims that the equation

$$r^3 + ab^2 s^3 + a^2 b t^3 - 3abrst = 1$$

has solutions, whereas the assertion that each unit can be written up to sign as a
power of the fundamental unit follows as in the real quadratic case by studying
absolute values $|r + s\sqrt[3]{ab^2} + t\sqrt[3]{a^2 b}|$.
Let us determine the fundamental unit in the case we are mainly interested in,
namely for the field $\mathbb{Q}(\sqrt[3]{2})$. Here $\sqrt[3]{2} - 1$ is a unit since

$$(\sqrt[3]{2} - 1)(1 + \sqrt[3]{2} + \sqrt[3]{4}) = 1.$$

If we interpret $\sqrt[3]{2}$ as a real number, then $\varepsilon = 1 + \sqrt[3]{2} + \sqrt[3]{4} > 1$. Now we claim the
following:

Lemma 8.8 Let $\varepsilon = 1 + \sqrt[3]{2} + \sqrt[3]{4}$. Then each unit $\eta > 1$ in $\mathbb{Z}[\sqrt[3]{2}]$ has the form
$\eta = \varepsilon^n$ for an integer n ≥ 1.
Proof The units $\varepsilon^n$ all have value > 1 for n ≥ 1. If there is a unit $\eta > 1$ not of this
form, then $\eta$ lies between two powers of $\varepsilon$:

$$\varepsilon^m < \eta < \varepsilon^{m+1}.$$

But then $\eta_1 = \eta\varepsilon^{-m}$ is a unit with $1 < \eta_1 < \varepsilon$. Since

$$1 = |\eta_1 \eta_1' \eta_1''| = \eta_1 |\eta_1'|^2,$$

this implies

$$\frac{1}{\sqrt{\varepsilon}} < |\eta_1'| < 1.$$

If we write $\eta_1 = r + s\sqrt[3]{2} + t\sqrt[3]{4}$, then the triangle inequality shows that

$$3|r| = |\eta_1 + \eta_1' + \eta_1''| \le |\eta_1| + |\eta_1'| + |\eta_1''| \le \varepsilon + 2 < 5.9,$$

and hence |r| ≤ 1. Similarly, we find

$$3|s|\sqrt[3]{2} = |\eta_1 + \rho^2\eta_1' + \rho\eta_1''| < 5.9,$$

and thus |s| ≤ 1, as well as

$$3|t|\sqrt[3]{4} = |\eta_1 + \rho\eta_1' + \rho^2\eta_1''| < 5.9,$$

and therefore |t| ≤ 1. Going through all possible values then yields the desired
contradiction.

If $0 < \eta < 1$, then $1/\eta = \varepsilon^n$ for some n ≥ 1, and hence every positive unit has
the form $\eta = \varepsilon^n$ for some n ∈ Z. Finally, if $\eta < 0$, then $-\eta$ must be a power of $\varepsilon$.
We have shown the following:

Proposition 8.9 Each unit $\eta \in \mathbb{Z}[\sqrt[3]{2}]$ can be written uniquely in the form

$$\eta = (-1)^m \varepsilon^n$$

for m ∈ {0, 1} and n ∈ Z, where $\varepsilon = 1 + \sqrt[3]{2} + \sqrt[3]{4}$ is the fundamental unit of
$\mathbb{Z}[\sqrt[3]{2}]$.

This statement remains correct if we replace $\varepsilon$ by $\varepsilon^{-1} = \sqrt[3]{2} - 1$.

8.4.2 The Equation $x^3 + 2y^3 = 1$

Let us first consider the equation

$$(1 - \sqrt[3]{2})^n = x + y\sqrt[3]{2}. \qquad (8.7)$$

Expanding the left hand side using the binomial theorem and comparing coefficients,
we obtain

$$x = 1 - 2\binom{n}{3} + 4\binom{n}{6} - 8\binom{n}{9} + \dots$$
$$-y = \binom{n}{1} - 4\binom{n}{4} + 4^2\binom{n}{7} \mp \dots$$
$$0 = \binom{n}{2} - 4\binom{n}{5} + 4^2\binom{n}{8} \mp \dots$$

The last equation implies that $\binom{n}{2}$ must be divisible by 4, which happens if and only
if n ≡ 0, 1 mod 4.

We now assume n ≥ 2 (and thus n ≥ 4); dividing the last equation through by
$\binom{n}{2}$, we find

$$-1 = \sum_{k \ge 1} \binom{n-2}{3k} \frac{2(-2)^k}{(3k+1)(3k+2)}.$$

Since −2 ≡ 1 mod 3 and (3k + 1)(3k + 2) ≡ 2 mod 3, reduction modulo 3 yields
the congruence

$$1 + \binom{n-2}{3} + \binom{n-2}{6} + \dots \equiv 0 \bmod 3.$$

The following lemma shows that this is impossible.

Lemma 8.10 For each positive integer m, we have

$$\binom{m}{0} + \binom{m}{3} + \binom{m}{6} + \dots \not\equiv 0 \bmod 3.$$

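Proof If we set

$$S_0 = \binom{m}{0} + \binom{m}{3} + \binom{m}{6} + \dots,$$
$$S_1 = \binom{m}{1} + \binom{m}{4} + \binom{m}{7} + \dots,$$
$$S_2 = \binom{m}{2} + \binom{m}{5} + \binom{m}{8} + \dots,$$

then we find

$$S_0 + S_1 + S_2 = 2^m \equiv (-1)^m \bmod 3$$

as well as

$$S_1 = \binom{m}{0}\frac{m}{1} + \binom{m}{3}\frac{m-3}{4} + \dots \equiv \binom{m}{0} \cdot m + \binom{m}{3} \cdot m + \dots \equiv mS_0 \bmod 3,$$
$$S_2 = \binom{m}{1}\frac{m-1}{2} + \binom{m}{4}\frac{m-4}{5} + \dots \equiv \binom{m}{1} \cdot (1 - m) + \binom{m}{4} \cdot (1 - m) + \dots \equiv -mS_1 + S_1 \bmod 3,$$

and hence

$$(-1)^m \equiv S_0 + S_1 + S_2 \equiv (1 + 2m - m^2)S_0 \bmod 3.$$

The claim follows.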



For negative exponents,

$$(\sqrt[3]{2} - 1)^{-1} = 1 + \sqrt[3]{2} + \sqrt[3]{4}$$

shows that (8.7) boils down to the equation

$$(1 + \sqrt[3]{2} + \sqrt[3]{4})^n = x + y\sqrt[3]{2}.$$

This equation cannot hold for n ≥ 1 since the coefficient of $\sqrt[3]{4}$ in the multinomial
development of the left side only contains positive summands. We have proved the
following result:

Proposition 8.11 The only integral solutions of the equation (8.7) are n = 0 and
n = 1.

Now if $x^3 + 2y^3 = 1$, then $x + y\sqrt[3]{2}$ is a unit in $\mathbb{Z}[\sqrt[3]{2}]$ since $N(x + y\sqrt[3]{2}) =
x^3 + 2y^3$. Thus $x + y\sqrt[3]{2} = \pm(1 - \sqrt[3]{2})^n$ according to Proposition 8.9, and now
Proposition 8.11 implies that n = 0 or n = 1. Therefore (x, y) = (1, 0) and
(x, y) = (−1, 1) are the only integral solutions of the equation $x^3 + 2y^3 = 1$.
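
The statements of Lemma 8.10 and Proposition 8.11 lend themselves to a machine check. The block below is an added example, not part of the book: it models elements $r + s\sqrt[3]{2} + t\sqrt[3]{4}$ as integer triples (r, s, t), computes the powers $(1 - \sqrt[3]{2})^n$ for positive and negative n, and searches a box for solutions of $x^3 + 2y^3 = 1$. The triple representation, the function names and the bounds are assumptions made for the illustration.

```python
from math import comb

def mul(u, v):
    """Product in Z[theta], theta^3 = 2; (r, s, t) stands for r + s*theta + t*theta^2."""
    r1, s1, t1 = u
    r2, s2, t2 = v
    return (r1 * r2 + 2 * (s1 * t2 + t1 * s2),
            r1 * s2 + s1 * r2 + 2 * t1 * t2,
            r1 * t2 + s1 * s2 + t1 * r2)

def norm(u):
    """Norm r^3 + 2s^3 + 4t^3 - 6rst (the formula for N(alpha) with a = 2, b = 1)."""
    r, s, t = u
    return r**3 + 2 * s**3 + 4 * t**3 - 6 * r * s * t

def power_of_one_minus_theta(n):
    """(1 - theta)^n for any integer n; the inverse of 1 - theta is -(1 + theta + theta^2)."""
    base = (1, -1, 0) if n >= 0 else (-1, -1, -1)
    result = (1, 0, 0)
    for _ in range(abs(n)):
        result = mul(result, base)
    return result

def exponents_without_theta2(n_max):
    """Exponents |n| <= n_max for which (1 - theta)^n has the shape x + y*theta."""
    return [n for n in range(-n_max, n_max + 1)
            if power_of_one_minus_theta(n)[2] == 0]

def solutions_in_box(bound):
    """Integral solutions of x^3 + 2y^3 = 1 with |x|, |y| <= bound."""
    return [(x, y)
            for x in range(-bound, bound + 1)
            for y in range(-bound, bound + 1)
            if x**3 + 2 * y**3 == 1]

def s0_mod3(m):
    """S_0 = C(m,0) + C(m,3) + C(m,6) + ... reduced modulo 3."""
    return sum(comb(m, k) for k in range(0, m + 1, 3)) % 3

if __name__ == "__main__":
    print(exponents_without_theta2(30))          # exponents allowed by Proposition 8.11
    print(solutions_in_box(100))                 # solutions of x^3 + 2y^3 = 1
    print([s0_mod3(m) for m in range(1, 13)])    # never 0, as in Lemma 8.10
```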

8.4.3 The Theorem of Delaunay and Nagell



For solving the equation $x^3 + dy^3 = 1$, we have to study units of the form $x + y\sqrt[3]{d}$
in pure cubic number fields. A theorem of Boris Nikolaevic Delaunay⁴ and Trygve
Nagell essentially states that with explicitly given exceptions, the unit $x + y\sqrt[3]{d}$
is the fundamental unit of the field $\mathbb{Q}(\sqrt[3]{d})$, so that the equation has at most one
integral solution.
Detailed proofs can be found in Nagell [99] and Mordell [97], as well as in
Leveque [92, pp. 104ff]. An elegant proof due to Thoralf Skolem of the theorem
that $x^3 + dy^3 = 1$ has at most one solution in nonzero integers is given in Cassels
[15, Thm. 10.1]. For a somewhat surprising connection with elliptic curves, see [84].

4 Another often used transliteration is Delone; Delaunay is the French variant. In 1915, Delaunay

published his theorem in Russian, but it became known in the West only through a publication in
French in 1920.

8.5 Mihailescu’s Proof

So far we have presented the solution of the Catalan equation $x^p - y^q = 1$ when
p = 2 or q = 2. It would have been possible to cover a few more results, in
particular Nagell’s solution of the equations $x^3 - y^q = 1$ and $x^p - y^3 = 1$. For
proving that there are no nontrivial integral solutions of these equations, he wrote
them in the form $y^q = (x - 1)(x^2 + x + 1)$ and $x^p = (y + 1)(1 - y + y^2)$ and had
to solve the equations $x^2 + x + 1 = y^q$ and $x^2 + x + 1 = 3y^q$. In order to give the
readers an idea of the complexity of these investigations, we will present his results:

Theorem 8.12 The integral solutions of the Diophantine equation $x^2 + x + 1 = y^q$
are
• (x, y) = (0, ±1), (−1, ±1) if q is even;
• (x, y) = (0, 1), (−1, 1) if q ≠ 3 is odd;
• (x, y) = (0, 1), (−1, 1), (18, 7), (−19, 7) if q = 3.

The corresponding result for the equation $x^2 + x + 1 = 3y^q$ is as follows:

Theorem 8.13 The integral solutions of $x^2 + x + 1 = 3y^q$ for q ≥ 3 are given by
• (x, y) = (1, ±1), (2, ±1) if q is even;
• (x, y) = (1, 1), (−2, 1) if q is odd.

Another result with an elementary (but technical) proof is the following observation
by Cassels:

Theorem 8.14 If $x^p - y^q = \pm 1$ for nonzero integers x, y and odd prime exponents
p, q, then p | y and q | x.

Using the action of the Galois group on the class group of cyclotomic number
fields,5 in particular a result called Stickelberger’s Theorem, Mihailescu was able to
strengthen Cassels’ result:
Theorem 8.15 If $x^p - y^q = \pm 1$ for nonzero integers x, y and odd prime exponents
p, q, then $p^2 \mid y$ and $q^2 \mid x$.

This result then quickly implies the following:

Corollary 8.16 If $x^p - y^q = \pm 1$ for nonzero integers x, y and odd prime exponents
p, q, then (p, q) is a Wieferich pair, i.e., p and q satisfy the congruences

$$p^{q-1} \equiv 1 \bmod q^2 \quad \text{and} \quad q^{p-1} \equiv 1 \bmod p^2.$$

5 We will give an example of the strength of such investigations in Chap. 9.



These are strong conditions; there are only 7 Wieferich pairs known; the smallest
are (2, 1093) and (83, 4871).
The full proof (presented in the books [12] and [113]) uses a more detailed
analysis of Stickelberger’s method. The state of the art before Mihailescu’s proof
is presented in Ribenboim’s book [108], where the full proofs of Nagell’s results on
the equations $x^3 - y^q = 1$ can be found.

8.5.1 Summary

In this chapter we have proved some special cases of Catalan’s conjecture that were
accessible with elementary methods.

8.6 Exercises

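8.1. (Nagell) Show that if $x^2 - y^q = 1$ has a nontrivial solution for primes q ≥ 5,
then q ≡ 1 mod 8.
8.2. Show that the sums

$$S_0 = \binom{m}{0} + \binom{m}{3} + \binom{m}{6} + \dots$$

satisfy

$$S_0 \equiv \begin{cases} 1 \bmod 3 & \text{if } m \equiv 0, 1, 2 \bmod 6, \\ 2 \bmod 3 & \text{if } m \equiv 3, 4, 5 \bmod 6. \end{cases}$$

8.3. Show that

$$\binom{m}{0} + \binom{m}{2} + \binom{m}{4} + \dots = \binom{m}{1} + \binom{m}{3} + \binom{m}{5} + \dots = 2^{m-1}.$$

8.4. Show that

$$\binom{m}{0} + \binom{m}{3} + \binom{m}{6} + \dots = \begin{cases} \dfrac{2^m + (-1)^m \cdot 2}{3} & \text{if } m \equiv 0 \bmod 3, \\[1ex] \dfrac{2^m - (-1)^m}{3} & \text{if } m \equiv 1, 2 \bmod 3. \end{cases}$$

These equations provide us with a new proof that $3 \nmid S_0$.

8.5. Show that

$$\binom{m}{0} + \binom{m}{4} + \binom{m}{8} + \dots = \begin{cases} 2^{m-2} + (-1)^{\frac{m}{4}}\, 2^{\frac{m-2}{2}} & \text{if } m \equiv 0 \bmod 4, \\ 2^{m-2} + (-1)^{\frac{m-1}{4}}\, 2^{\frac{m-3}{2}} & \text{if } m \equiv 1 \bmod 4, \\ 2^{m-2} & \text{if } m \equiv 2 \bmod 4, \\ 2^{m-2} + (-1)^{\frac{m+1}{4}}\, 2^{\frac{m-3}{2}} & \text{if } m \equiv 3 \bmod 4. \end{cases}$$

8.6. Let $S = \{p_1, \dots, p_n\}$ be a finite set of prime numbers. An S-smooth integer
is an integer N all of whose prime factors are contained in S. Prove Størmer’s
Theorem: The equation x − y = 1 has at most $3^n$ solutions in S-smooth integers
x and y.
8.7. Show that the only integral solutions of the equation $x^2 + x + 1 = 3y^2$ (compare
Theorem 8.13) are given by $(x_m, y_m)$ with

$$x_m = \pm\frac{3}{4}\Big( (2 + \sqrt{3})^{2n+1} - (2 - \sqrt{3})^{2n+1} \Big) - \frac{1}{2},$$
$$y_m = \pm\frac{1}{4}\Big( (2 + \sqrt{3})^{2n+1} - (2 - \sqrt{3})^{2n+1} \Big).$$
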
4
Chapter 9
Ambiguous Ideal Classes and Quadratic
Reciprocity

It is quite difficult to determine class numbers, even in the simplest case of quadratic
number fields, for fields with large discriminant. It is, however, possible to make
several rather precise statements concerning the parity of class numbers of quadratic
number fields. The theory behind these statements is called genus theory and goes
back to Gauss, who worked with quadratic forms rather than quadratic number
fields. Genus theory may be generalized to cyclic extensions, and in fact the question
we will answer is how the Galois group of an extension acts on the ideal classes.
In this chapter we will only scratch the surface of genus theory by proving the
ambiguous class number formula.
The essential idea behind the proof is to reduce the action of the Galois group on
ideal classes to the action on ideals, then on principal ideals and finally on elements,
where everything can be done explicitly. Once more we will be studying a difficult
object, namely the class group, by studying homomorphisms into simpler structures.

9.1 Ambiguous Ideal Classes

Let A be a finite abelian group. Then A can be written as a direct sum of cyclic
groups, say $A = A_1 \oplus \dots \oplus A_n$. If A is a finite 2-group, i.e., a group whose order
is a power of 2, then the 2-rank of A is the number n of cyclic components. Since it
is easy to see that $A/A^2 \simeq A_1/A_1^2 \oplus \dots \oplus A_n/A_n^2$, and since $A_j/A_j^2 \simeq \mathbb{Z}/2\mathbb{Z}$ for
cyclic groups $A_j$, the 2-rank of A is n if and only if $\#A/A^2 = 2^n$.
The determination of the order of the quotient group $Cl(k)/Cl(k)^2$, i.e., of the
2-rank of the ideal class group, goes back to Gauss, who solved this problem in
the language of binary quadratic forms. It is almost impossible to miss the central
questions of this theory when studying the operation of the Galois group $G = \{1, \sigma\}$
of k/Q on the ideal class group.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_9

For an ideal class c = [a] we set $c^\sigma = [a^\sigma]$; of course we have to show that this
action is well defined (see Exercise 9.1). Clearly an ideal class c and its conjugate
$c^\sigma$ always have the same order. Moreover, since $c \cdot c^\sigma = [a][a^\sigma] = [(Na)] = (1)$ is
the principal class, $c^\sigma = c^{-1}$ is always the inverse class of c.
We call an ideal class c ∈ Cl(k) ambiguous if $c^\sigma = c$. Similarly, an ideal a is
called ambiguous, if $a^\sigma = a$.

Lemma 9.1 The nontrivial automorphism $\sigma : \sqrt{m} \mapsto -\sqrt{m}$ of $k = \mathbb{Q}(\sqrt{m})$ acts
as −1 on the class group Cl(k). In particular, an ideal class c is ambiguous if and
only if $c^2 = 1$.
Proof We have already seen that $a^{1+\sigma} = aa' = (Na)$ is principal, and that this
implies that $c^\sigma = c^{-1}$.
If c is ambiguous, i.e., if $c = c^\sigma$, then $c^2 = c^{1+\sigma} = 1$. Conversely, if $c^2 = 1$,
then $c^\sigma = c^{-1} = c$.

If k is a number field with class number 2, then the nontrivial ideal class c is
always ambiguous. For $k = \mathbb{Q}(\sqrt{-5})$, the nontrivial ideal class is generated by the
prime ideal $(2, 1 + \sqrt{-5})$; this ideal is ambiguous because $(2, 1 + \sqrt{-5})^\sigma =
(2, 1 - \sqrt{-5}) = (2, 1 + \sqrt{-5})$. The ideal class c is also generated by $(3, 1 + \sqrt{-5})$,
and here $(3, 1 + \sqrt{-5})^\sigma = (3, 1 - \sqrt{-5}) \ne (3, 1 + \sqrt{-5})$. In $\mathbb{Q}(\sqrt{-5})$, each ideal
class contains an ambiguous ideal (the principal class contains the ambiguous ideal
(1)), as well as many non-ambiguous ideals.
For ideal class groups of order 4, the number of ambiguous classes determines
the structure. If $Cl(k) \simeq \mathbb{Z}/2\mathbb{Z} \oplus \mathbb{Z}/2\mathbb{Z}$ is elementary abelian, then the number
of ambiguous ideal classes is 4 since in this case, every ideal class is ambiguous.
If $Cl(k) \simeq \mathbb{Z}/4\mathbb{Z}$, on the other hand, then the two classes with order 4 are not
ambiguous, whereas the class with order 2 and the principal class are ambiguous.
Thus there are only 2 ambiguous ideal classes in this case.
If an ideal a is ambiguous, then so is the ideal class c = [a] it generates; the
converse is not true in general: Since $k = \mathbb{Q}(\sqrt{34})$ has class number 2, the ideal
class c of order 2 is ambiguous. This ideal class is not generated by an ambiguous
ideal for the simple reason that all ambiguous ideals in k are principal. As we will
see below, each ambiguous ideal is a product of ramified prime ideals and ideals
generated by ordinary integers. But in k we have $(2, \sqrt{34}) = (6 + \sqrt{34})$ and
$(17, \sqrt{34}) = (17 + 3\sqrt{34})$.
The ambiguous ideal classes form a group Am(k), in which the ideal classes
generated by ambiguous ideals form a subgroup, namely the group $Am_{st}(k)$ of
strongly ambiguous ideal classes. Our goal is determining the structure of the group
Am(k).
This will allow us to deduce information about the elements of order 2 in the class
group. In fact, since $c^\sigma = c^{-1}$ we have $c^{1-\sigma} = c^2$, and therefore the homomorphism
$c \mapsto c^{1-\sigma}$ maps the class group Cl(k) of a quadratic number field k to the group
$Cl(k)^{1-\sigma} = Cl(k)^2$ of ideal classes that are squares, and this homomorphism is
onto. Its kernel consists of the ideal classes c with $c^{1-\sigma} = 1$, i.e., of the ambiguous
ideal classes. This implies that the order of the group Am(k) of ambiguous ideal
classes is equal to the order of $Cl(k)/Cl(k)^2$:
Proposition 9.2 Let k be a quadratic number field. Then

$$\# Cl(k)/Cl(k)^2 = \# Am(k),$$

and, in particular, the class number of k is odd if and only if the number of
ambiguous ideal classes is 1.
Actually, since both groups are elementary abelian, equal cardinality implies
isomorphism. The last claim follows from the observation that squaring is an
isomorphism on a finite group if and only if it has odd order.

9.1.1 Exact Sequences

The calculations below are far easier to digest by using exact sequences. A short
sequence of abelian groups A, B, C consists of group homomorphisms α : A −→ B
and β : B −→ C, which are composed as follows:

$$1 \longrightarrow A \xrightarrow{\;\alpha\;} B \xrightarrow{\;\beta\;} C \longrightarrow 1. \qquad (9.1)$$

The map 1 −→ A (which is often denoted by 0 −→ A if A is written additively)


sends the element of the trivial group {1} to the neutral element of A. Similarly,
C −→ 1 is the homomorphism sending each element of C to the element of the
trivial group {1}.
A sequence of abelian groups is called exact if the kernel of each map in the
sequence is equal to the image of the preceding map (if there is one). Thus the
sequence (9.1) is exact if and only if the following conditions are satisfied:
• ker α = im (1 −→ A) = {1}; in other words, α must be injective;
• C = ker(C −→ 1) = im β; in other words, β must be surjective;
• ker β = im α.
Essentially, this short exact sequence contains the same information as the
homomorphism theorem $C \simeq B/\operatorname{im} A$, but it has the advantage that all the maps occur
explicitly in the diagram. Perhaps this advantage will only become clear by studying
homological algebra more carefully. One goal of this chapter is showing that this is
a useful thing to do for those who are interested in algebraic number theory.
The proof of Proposition 9.2 consisted in verifying the exactness of the sequence

$$1 \longrightarrow Am(k) \longrightarrow Cl(k) \xrightarrow{\;1-\sigma\;} Cl(k)^2 \longrightarrow 1.$$

The definitions of principal ideals and the ideal class group Cl(k) of a number field
k provide us with two exact sequences, namely

$$1 \longrightarrow E_k \longrightarrow k^\times \longrightarrow H_k \longrightarrow 1,$$

$$1 \longrightarrow H_k \longrightarrow I_k \longrightarrow Cl(k) \longrightarrow 1,$$

where $E_k$ is the unit group, $H_k$ the group of (fractional) principal ideals ≠ (0), and
$I_k$ the group of all fractional ideals ≠ (0).

9.1.2 Ambiguous Ideal Classes

The group $Am_{st}(k)$ of strongly ambiguous ideal classes is, by definition, equal to
$Am_{st}(k) = AH/H \simeq A/A \cap H$, where A denotes the group of nonzero ambiguous
ideals and H the group of nonzero principal ideals. Clearly $A \cap H = H^G$ is the group
of ambiguous principal ideals, and so we have $Am_{st}(k) \simeq A/H^G$. This observation
gives us the exact sequence

$$1 \longrightarrow H^G \xrightarrow{\;\iota\;} A \longrightarrow Am_{st}(k) \longrightarrow 1.$$

The group P of all fractional ideals (a) with $a \in \mathbb{Q}^\times$ is a subgroup of both $H^G$ and
A; this allows us to modify the exact sequence slightly and turn it into

$$1 \longrightarrow H^G/P \xrightarrow{\;\iota\;} A/P \xrightarrow{\;\pi\;} Am_{st}(k) \longrightarrow 1. \qquad (9.2)$$

Since Am(k) is elementary abelian, i.e., since $c^2 = 1$ for each ambiguous
ideal class c, for determining the structure of Am(k) and $Am_{st}(k)$ it is sufficient
to compute the orders of these groups. The exact sequence (9.2) is a first step in this
direction. The next steps consist in the computation of the order of $H^G/P$ and of
A/P. Before we do so we present a simple but very effective tool.

9.1.3 Hilbert’s Theorem 90

Hilbert’s Theorem 90 (in Hilbert’s report on algebraic numbers, his famous
Zahlbericht, the theorems were numbered, and this one had the number 90) comes
in two versions, one for elements and one for ideals.
Theorem 9.3 (Hilbert’s Theorem 90 for Elements) Let k be a quadratic number
field and $\alpha \in k^\times$. Then $N\alpha = 1$ if and only if $\alpha$ has the form $\alpha = \beta^{1-\sigma}$. Here $\beta$ is
determined uniquely up to rational factors.

Equivalent formulations of Hilbert’s Theorem 90 are the following:
1. There is an exact sequence

$$1 \longrightarrow (k^\times)^{1-\sigma} \longrightarrow k^\times \xrightarrow{\;N\;} k^\times,$$

where N denotes the norm map $N_{k/\mathbb{Q}} : k^\times \longrightarrow \mathbb{Q}^\times$.
2. The group $k^\times[N]/(k^\times)^{1-\sigma}$ is trivial. Here $k^\times[N]$ denotes the kernel of the norm
map $N : k^\times \longrightarrow \mathbb{Q}^\times$.

Proof The proof of “⇐” is trivial. Assume therefore that $N\alpha = 1$. If $\alpha = -1$,
we set $\beta = \sqrt{m}$; if $\alpha \ne -1$, we set $\beta = \alpha^\sigma + 1$; then

$$\beta^{\sigma-1} = \frac{\alpha + 1}{\alpha' + 1} = \frac{\alpha(\alpha + 1)}{\alpha\alpha' + \alpha} = \frac{\alpha(\alpha + 1)}{1 + \alpha} = \alpha.$$
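
The proof is constructive, so the element β can be computed. The block below is an added example, not part of the book: it represents $x + y\sqrt{m}$ with rational x, y, builds β exactly as in the proof, and confirms $\beta^{\sigma-1} = \beta^\sigma/\beta = \alpha$ with exact rational arithmetic. The class `Quad` and the function names are assumptions made for the illustration.

```python
from fractions import Fraction

class Quad:
    """Element x + y*sqrt(m) of Q(sqrt(m)) with rational coordinates x, y."""
    def __init__(self, x, y, m):
        self.x, self.y, self.m = Fraction(x), Fraction(y), m

    def conj(self):
        """Image under the nontrivial automorphism sigma."""
        return Quad(self.x, -self.y, self.m)

    def norm(self):
        return self.x ** 2 - self.m * self.y ** 2

    def __mul__(self, other):
        return Quad(self.x * other.x + self.m * self.y * other.y,
                    self.x * other.y + self.y * other.x, self.m)

    def __truediv__(self, other):
        n, c = other.norm(), other.conj()
        return self * Quad(c.x / n, c.y / n, self.m)

    def __eq__(self, other):
        return (self.x, self.y, self.m) == (other.x, other.y, other.m)

    def __repr__(self):
        return f"{self.x} + {self.y}*sqrt({self.m})"

def hilbert90_beta(alpha):
    """beta as chosen in the proof: sqrt(m) if alpha = -1, else alpha^sigma + 1."""
    if alpha.norm() != 1:
        raise ValueError("alpha must have norm 1")
    if alpha == Quad(-1, 0, alpha.m):
        return Quad(0, 1, alpha.m)
    return Quad(alpha.x + 1, -alpha.y, alpha.m)

def sigma_minus_one(beta):
    """beta^(sigma - 1) = beta^sigma / beta."""
    return beta.conj() / beta

if __name__ == "__main__":
    # Constructed sample inputs: norm-1 elements of Q(sqrt 2), Q(i), Q(sqrt 3), Q(sqrt 5).
    for alpha in (Quad(3, 2, 2), Quad(Fraction(3, 5), Fraction(4, 5), -1),
                  Quad(7, -4, 3), Quad(-1, 0, 5)):
        beta = hilbert90_beta(alpha)
        print(alpha, "| beta =", beta, "| check:", sigma_minus_one(beta) == alpha)
```

For $\alpha = 7 - 4\sqrt{3} = (2 - \sqrt{3})/(2 + \sqrt{3})$ the construction returns $\beta = 8 + 4\sqrt{3} = 4(2 + \sqrt{3})$, which illustrates that β is determined only up to a rational factor.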

The corresponding result for ideals is
Theorem 9.4 (Hilbert’s Theorem 90 for Ideals) If a is a fractional ideal¹ in $O_k$,
then we have Na = (1) if and only if a has the form $a = b^{\sigma-1}$ for some (integral)
ideal b.
Proof As in the case of elements, the proof of “⇐” is trivial. Assume therefore
that Na = 1 (hence $a = cd^{-1}$ is the quotient of two integral ideals c and d with
the same norm). By the uniqueness of prime ideal factorization we may assume
that c and d are coprime. This immediately implies that c and d are not divisible by
any inert prime ideals: If, for example, we had (q) | c, then $q^2$ would occur in the
factorization of Nd, hence d would also be divisible by (q), and this contradicts our
assumption that c and d are coprime. For the same reason, no ramified prime ideals
can divide c. Thus c and d are products of split prime ideals. If $c = \mathfrak{p}_1^{e_1} \cdots \mathfrak{p}_r^{e_r}$ is the
prime ideal factorization of c, then we must have $Nc = p_1^{e_1} \cdots p_r^{e_r} = Nd$. Since
c and d are coprime, none of the $\mathfrak{p}_j$ can divide d, hence the only possibility is that
$d = \mathfrak{p}_1'^{\,e_1} \cdots \mathfrak{p}_r'^{\,e_r} = c'$. But then $a = cd^{-1} = d'd^{-1} = d^{\sigma-1}$.


9.2 The Ambiguous Class Number Formula

As a warm-up we construct a few exact sequences involving the following groups:


• $E = O_k^\times$ is the unit group of $O_k$;
• $E[N] = \{\varepsilon \in E : N_{k/\mathbb{Q}}(\varepsilon) = 1\}$ is the kernel of the norm map on the unit group,
that is, the subgroup of units with norm +1;
• $E^{1-\sigma} = \{\varepsilon^{1-\sigma} : \varepsilon \in E\}$;
• $H^G = \{(\alpha) : (\alpha)^\sigma = (\alpha)\}$ is the group of ambiguous principal ideals;
• $P = \{(a) : a \in \mathbb{Q}^\times\}$ is the subgroup of A consisting of all nonzero ideals
generated by rational numbers.

1 For integral ideals, the statement is trivial since then Na = (1) is equivalent to a = (1).

Now we claim
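Proposition 9.5 There is an exact sequence

$$1 \longrightarrow E^{1-\sigma} \longrightarrow E[N] \xrightarrow{\;\lambda\;} H^G/P \longrightarrow 1.$$

Proof The map $E^{1-\sigma} \longrightarrow E[N]$ is the inclusion map: Each unit $\varepsilon^{1-\sigma}$ has norm
1 and thus is an element of E[N]. For constructing $\lambda : E[N] \longrightarrow H^G/P$ assume
that $\varepsilon \in E[N]$, i.e., $N\varepsilon = 1$. By Hilbert’s Theorem 90 there is an $\alpha \in k^\times$ such that
$\varepsilon = \alpha^{1-\sigma}$; clearly $(\alpha) \in H^G$ since $(\alpha)^\sigma = (\alpha^\sigma) = (\varepsilon\alpha) = (\alpha)$. The map $\varepsilon \mapsto (\alpha)$
is not well defined, however, since with $\alpha$ each element $\alpha a$ for any $a \in \mathbb{Q}^\times$ has
the property $(\alpha a)^{1-\sigma} = \varepsilon$. For this reason we set $\lambda(\varepsilon) = (\alpha)P$, and this map now
is well defined. Clearly $\varepsilon \in \ker\lambda$ if and only if $\lambda(\varepsilon) = P$; this is equivalent to
$(\alpha) = (a)$, i.e., to $\alpha = a\eta$ for some unit $\eta$. This implies $\varepsilon = \alpha^{1-\sigma} = \eta^{1-\sigma}$, which
shows that $\ker\lambda = E^{1-\sigma}$.
The surjectivity of $\lambda$ is clear: If $(\alpha)$ is ambiguous, then $(\alpha)^\sigma = (\alpha)$ and thus
$\varepsilon\alpha^\sigma = \alpha$ for some unit $\varepsilon$, hence $\varepsilon = \alpha^{1-\sigma}$.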

The content of this proposition may also be expressed by the isomorphism

\[ E[N]/E^{1-\sigma} \simeq H^G/P. \]

The quotient group $H^{-1}(G, E) = E[N]/E^{1-\sigma}$ is a cohomology group. We
have come across such a group already in Hilbert’s Theorem 90, which says that
$H^{-1}(G, k^\times) = k^\times[N]/(k^\times)^{1-\sigma} = 1$. Hilbert’s Theorem 90 for ideals claims
accordingly that $H^{-1}(G, I_k) = I_k[N]/I_k^{1-\sigma} = 1$, where $I_k$ denotes the group of
nonzero fractional ideals in a quadratic number field. Such cohomology groups for
cyclic Galois groups $G = \langle\sigma\rangle$ are all over the place in class field theory, the theory
of abelian extensions of number fields.
Galois cohomology (see footnote 2) gives the exact sequence in Proposition 9.5 in the other
direction (Exercise 9.10).
The order of the group $E[N]/E^{1-\sigma}$ can be determined quickly. If $\Delta < 0$, then $E$
consists only of roots of unity with norm 1. Thus $\varepsilon^\sigma = \varepsilon^{-1}$, hence $E^{1-\sigma} = E^2$ and
$E[N]/E^{1-\sigma} = E/E^2 \simeq \mathbb{Z}/2\mathbb{Z}$. If $\Delta > 0$, then let $\varepsilon$ denote the fundamental unit. If
$N\varepsilon = +1$, then again $E[N] = E$ and $E^{1-\sigma} = E^2$, hence $E[N]/E^{1-\sigma} = E/E^2 =
\langle -1, \varepsilon\rangle/\langle\varepsilon^2\rangle \simeq (\mathbb{Z}/2\mathbb{Z})^2$. If $N\varepsilon = -1$, on the other hand, then $E[N] = \langle -1, \varepsilon^2\rangle$
and $E^{1-\sigma} = E^2 = \langle\varepsilon^2\rangle$, hence $E[N]/E^{1-\sigma} = E/E^2 \simeq \mathbb{Z}/2\mathbb{Z}$.

2 Those who are familiar with the first principles of cohomology get the sequence for free: The
trivial sequence

\[ 1 \longrightarrow E \longrightarrow k^\times \longrightarrow H \longrightarrow 1, \]

in which $H$ denotes the group of nonzero fractional principal ideals, provides the long exact
sequence

\[ 1 \longrightarrow E^G \longrightarrow (k^\times)^G \longrightarrow H^G \longrightarrow H^1(G, E) \longrightarrow H^1(G, k^\times), \]

from which the claim follows using Hilbert’s Theorem 90 ($H^1(G, k^\times) = 1$), the periodicity
$H^1(G, A) \simeq H^{-1}(G, A)$ for cyclic groups $G$, as well as $(k^\times)^G = \mathbb{Q}^\times$, $E^G = \{\pm 1\}$ and
$\mathbb{Q}^\times/E^G \simeq P$.
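Lemma 9.6 Let $k$ be a quadratic number field whose unit group $E$ is generated by
the fundamental unit $\varepsilon$ (and $-1$). Then

\[
H^{-1}(G, E) = E[N]/E^{1-\sigma} \simeq
\begin{cases}
\mathbb{Z}/2\mathbb{Z}, & \text{if } d < 0, \\
\mathbb{Z}/2\mathbb{Z}, & \text{if } d > 0,\ N\varepsilon = -1, \\
(\mathbb{Z}/2\mathbb{Z})^2, & \text{if } d > 0,\ N\varepsilon = +1.
\end{cases}
\]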

It remains to determine the order of A/P . To this end we will use the following
lemma.
Lemma 9.7 An ideal $\mathfrak{a}$ is ambiguous if and only if $\mathfrak{a}$ is the product of ramified prime
ideals and an ideal $(a)$ with $a \in \mathbb{Q}^\times$. More exactly we have

\[ A/P \simeq (\mathbb{Z}/2\mathbb{Z})^t, \]

where $t$ is the number of primes that ramify in $k/\mathbb{Q}$, in other words, the number of
distinct prime factors of the discriminant of $k$.
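Proof We may assume that $\mathfrak{a}$ is an integral ideal (otherwise we multiply it by a
suitable rational integer). Among all decompositions $\mathfrak{a} = (a)\mathfrak{b}$ with an integral
ideal $\mathfrak{b}$ we pick one in which $a \in \mathbb{N}$ is maximal.
Let $\mathfrak{p}$ denote a prime ideal with $\mathfrak{p}^\sigma \ne \mathfrak{p}$; if $\mathfrak{p}$ divides $\mathfrak{b}$, then we must have $\mathfrak{p}^\sigma \mid \mathfrak{b}$.
In fact by applying $\sigma$ to $\mathfrak{p} \mid \mathfrak{a}$ we see that $\mathfrak{p}^\sigma \mid \mathfrak{b}^\sigma = \mathfrak{b}$. Thus $(p) \mid \mathfrak{b}$, where
$(p) = \mathfrak{p}\mathfrak{p}^\sigma$, which contradicts the maximality of $a$. This shows that $\mathfrak{b}$ is not divisible
by a split prime ideal.
For the same reason, $\mathfrak{b}$ is not divisible by any inert prime ideal $(p)$. Thus $\mathfrak{b}$ is a
product of ramified prime ideals. If $\mathfrak{p}$ is such a prime ideal, then $\mathfrak{p}^2 = (p)$, and the
maximality of $a$ implies that we can write $\mathfrak{a}$ uniquely in the form

\[ \mathfrak{a} = (a) \prod \mathfrak{p}_j^{e_j}, \]

where $\mathfrak{p}_j$ runs through the ramified prime ideals and where $e_j \in \{0, 1\}$. Now we set

\[ \varphi : A/P \longrightarrow (\mathbb{Z}/2\mathbb{Z})^t : (a) \prod \mathfrak{p}_j^{e_j} \longmapsto (e_1, \ldots, e_t) \]

and show that $\varphi$ is a group isomorphism, which is left as an exercise. □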




If we collect everything, then the exact sequence (9.2) now implies


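Corollary 9.8 In the quadratic number field $k$ with discriminant $\Delta$ and fundamental
unit $\varepsilon$ we have

\[
\#\operatorname{Am}_{st}(k) =
\begin{cases}
2^{t-1} & \text{if } \Delta < 0, \\
2^{t-1} & \text{if } \Delta > 0,\ N\varepsilon = -1, \\
2^{t-2} & \text{if } \Delta > 0,\ N\varepsilon = +1,
\end{cases}
\]

where $t$ denotes the number of primes that ramify in $k$.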

Thus it remains only to determine the difference between the group of ambiguous
ideal classes Am(k) and that of strictly ambiguous ideal classes Amst (k):
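Proposition 9.9 There is an exact sequence

\[ 1 \longrightarrow \operatorname{Am}_{st}(k) \longrightarrow \operatorname{Am}(k) \xrightarrow{\ \mu\ } (E_\mathbb{Q} \cap Nk^\times)/NE_k \longrightarrow 1. \]

In particular, $\operatorname{Am}(k) = \operatorname{Am}_{st}(k)$ except when $-1$ is the norm of an element, but not
of a unit. In this case, $\#\operatorname{Am}(k) = 2 \cdot \#\operatorname{Am}_{st}(k)$.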
Proof Let $c = [\mathfrak{a}]$ be ambiguous. Then $\mathfrak{a}^\sigma \sim \mathfrak{a}$, hence $\mathfrak{a}^\sigma = \alpha\mathfrak{a}$. Taking norms
yields $(N\alpha) = (1)$, that is $N\alpha = \pm 1 \in E_\mathbb{Q} \cap Nk^\times$. We set $\mu(c) = N\alpha \cdot NE_k$
and claim that $\mu$ is well defined. In fact if we start from $c = [\mathfrak{b}]$, then $\mathfrak{b} = \gamma\mathfrak{a}$, and
$\mathfrak{b}^\sigma = \gamma^\sigma\mathfrak{a}^\sigma = \gamma^\sigma\alpha\mathfrak{a} = \gamma^{\sigma-1}\alpha\mathfrak{b}$ shows that $N(\gamma^{\sigma-1}\alpha) \cdot NE_k = N\alpha \cdot NE_k$ since
elements of the form $\gamma^{\sigma-1}$ have norm 1. Thus $\mu$ is well defined.
If $c \in \ker\mu$, then $N\alpha = N\eta$, i.e., $N(\alpha\eta) = 1$. According to Hilbert’s Theorem
90, we have $\alpha\eta = \beta^{1-\sigma}$, and now $\mathfrak{a}^\sigma = \alpha\mathfrak{a}$ implies $(\beta\mathfrak{a})^\sigma = (\beta)\mathfrak{a}$. Thus $\mathfrak{b} = \beta\mathfrak{a}$
is an ambiguous ideal equivalent to $\mathfrak{a}$, and therefore $c = [\mathfrak{b}]$ is strongly ambiguous.
Conversely, strongly ambiguous ideal classes are clearly contained in $\ker\mu$.
In order to prove the surjectivity of $\mu$ we have to show that $-1 \cdot NE_k$ lies in the
image of $\mu$ if $-1$ is the norm of an element from $k$. Assume therefore that $N\alpha = -1$
for $\alpha = x + y\sqrt{m}$. Then $x^2 - my^2 = -1$, hence $-1$ is a quadratic residue modulo
each odd prime divisor $p$ of $m$. We know from elementary number theory (or from
the arithmetic of Gaussian integers) that this holds if and only if $m = a^2 + b^2$
is a sum of two squares; here we may assume that $a$ is odd. Now we verify that
$\mathfrak{a} = (a, b + \sqrt{m})$ generates an ambiguous ideal class $c = [\mathfrak{a}]$, and that $\mu(c) = -1$.
In fact we have

\begin{align*}
\mathfrak{a}^2 &= (a^2,\ ab + a\sqrt{m},\ b^2 + 2b\sqrt{m} + m) \\
&= (a^2,\ ab + a\sqrt{m},\ 2b^2 + 2b\sqrt{m}) \\
&= (a^2,\ a(b + \sqrt{m}),\ 2b(b + \sqrt{m})) = (a^2,\ b + \sqrt{m}) = (b + \sqrt{m})
\end{align*}

because of $\gcd(a^2, 2b) = 1$ and $(b + \sqrt{m})(b - \sqrt{m}) = b^2 - m = -a^2$. Thus $\mathfrak{a}^2 =
(b + \sqrt{m})$ and $\mathfrak{a}\mathfrak{a}^\sigma = N\mathfrak{a} = (a)$, and therefore $\mathfrak{a}^{1-\sigma} = \mathfrak{a}^2/\mathfrak{a}^{1+\sigma} = \frac{1}{a}(b + \sqrt{m})$.
This yields $\mu(c) = N\big(\frac{b + \sqrt{m}}{a}\big) = \frac{b^2 - m}{a^2} = -1$ as claimed. □

The group $(E_\mathbb{Q} \cap Nk^\times)/NE_k$ is small, because even $E_\mathbb{Q} = \{\pm 1\}$ has only two
elements. In fact we have $(E_\mathbb{Q} \cap Nk^\times)/NE_k = 1$ unless $-1$ is the norm of an
element from $k$ or if $N\varepsilon = -1$, and $(E_\mathbb{Q} \cap Nk^\times)/NE_k \simeq \mathbb{Z}/2\mathbb{Z}$ if $-1$ is the norm
of an element, but not the norm of a unit. As we just have seen, $-1$ is the norm of
an element if and only if $\Delta = \square + \square$ is the sum of two squares. Thus we have
Theorem 9.10 (Ambiguous Class Number Formula) In quadratic number fields
$k$ with discriminant $\Delta$ and fundamental unit $\varepsilon$ we have

\[
\#\operatorname{Am}(k) =
\begin{cases}
2^{t-2}, & \text{if } \Delta > 0,\ N\varepsilon = +1,\ \Delta \ne \square + \square, \\
2^{t-1}, & \text{otherwise,}
\end{cases}
\]

where $t$ denotes the number of primes ramified in $k$.

Examples

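| $\Delta$ | $t$ | $N\varepsilon$ | $\square + \square$ | $\#\operatorname{Am}_{st}(k)$ | $\#\operatorname{Am}(k)$ |
|---|---|---|---|---|---|
| 8 | 1 | −1 | $1^2 + 1^2$ | 1 | 1 |
| 10 | 2 | −1 | $1^2 + 3^2$ | 2 | 2 |
| 12 | 2 | +1 | no | 1 | 1 |
| 30 | 3 | +1 | no | 2 | 2 |
| 34 | 2 | +1 | $3^2 + 5^2$ | 1 | 2 |
| −30 | 3 | − | no | 4 | 4 |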
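The following Python sketch is an added example, not code from the book: it evaluates Corollary 9.8 and Theorem 9.10 for $k = \mathbb{Q}(\sqrt{m})$ with squarefree $m$, and for $m = 2, 10, 3, 30, 34, -30$ it returns the values of $t$, $N\varepsilon$, $\#\operatorname{Am}_{st}(k)$ and $\#\operatorname{Am}(k)$ listed in the table. The function names are hypothetical, and the sign of $N\varepsilon$ is obtained from the standard fact (assumed here, not proved on this page) that $N\varepsilon = -1$ exactly when the continued fraction of $\sqrt{m}$ has odd period.

```python
from math import isqrt

def discriminant(m):
    """Discriminant of Q(sqrt(m)) for squarefree m != 0, 1."""
    return m if m % 4 == 1 else 4 * m

def ramified_primes(delta):
    """Distinct prime divisors of the discriminant (trial division)."""
    n, primes, p = abs(delta), [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes

def unit_norm(m):
    """Norm of the fundamental unit of Q(sqrt(m)), m > 1 squarefree.

    Assumption (standard fact): the norm is -1 exactly when the periodic
    continued fraction expansion of sqrt(m) has odd period length.
    """
    a0 = isqrt(m)
    p, q, a, period = 0, 1, a0, 0
    while True:
        p = a * q - p              # next complete quotient (p + sqrt(m)) / q
        q = (m - p * p) // q
        a = (a0 + p) // q
        period += 1
        if q == 1:                 # the period closes when q returns to 1
            return -1 if period % 2 else 1

def two_squares(n):
    """Return (a, b) with a <= b and a*a + b*b == n, or None."""
    for a in range(isqrt(n // 2) + 1):
        b = isqrt(n - a * a)
        if a * a + b * b == n:
            return a, b
    return None

def ambiguous_class_numbers(m):
    """Return (Delta, t, N_eps, #Am_st, #Am) for k = Q(sqrt(m))."""
    delta = discriminant(m)
    t = len(ramified_primes(delta))
    if delta < 0:                  # imaginary case: no fundamental unit
        return delta, t, None, 2 ** (t - 1), 2 ** (t - 1)
    n_eps = unit_norm(m)
    # Corollary 9.8: number of strictly ambiguous classes
    am_st = 2 ** (t - 1) if n_eps == -1 else 2 ** (t - 2)
    # Proposition 9.9: the count doubles when -1 is a norm from k
    # (Delta is a sum of two squares) but not the norm of a unit.
    minus_one_is_norm = two_squares(delta) is not None
    am = 2 * am_st if (n_eps == 1 and minus_one_is_norm) else am_st
    return delta, t, n_eps, am_st, am

if __name__ == "__main__":
    for m in (2, 10, 3, 30, 34, -30):
        print(m, ambiguous_class_numbers(m))
```

The function reports the field discriminant, which is $4m$ whenever $m \not\equiv 1 \bmod 4$.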

As an additional consequence of the ambiguous class number formula we claim:


Corollary 9.11 The class number of the quadratic number field with discriminant
$\Delta$ is odd if and only if we are in one of the following cases; there $p$ denotes prime
numbers $\equiv 1 \bmod 4$ and $q$, $q'$ prime numbers $\equiv 3 \bmod 4$:
(1) $\Delta$ is a prime discriminant, i.e., $\Delta = -4, \pm 8, p, -q$;
(2) $\Delta$ is a product of two negative prime discriminants: $\Delta = 4q$, $\Delta = 8q$ or
$\Delta = qq'$.
Proof The class number of $k$ is even if and only if $\#\operatorname{Am}(k) \ne 1$, thus if the
number of ambiguous ideal classes is even. The other claims follow directly from
the ambiguous class number formula. □


9.3 The Quadratic Reciprocity Law

The quadratic reciprocity law is a corollary of Corollary 9.11. We begin by proving
the two supplementary laws.
Theorem 9.12 (First Supplementary Law) For all odd prime numbers $p$, the
following assertions are equivalent:
(1) $\big(\frac{-1}{p}\big) = +1$, i.e., the congruence $x^2 \equiv -1 \bmod p$ is solvable.
(2) $p = a^2 + 4b^2$ is a sum of two squares.
(3) We have $p \equiv 1 \bmod 4$.

The equivalence of (1) and (3) may also be expressed by the equation

\[ \Big(\frac{-1}{p}\Big) = (-1)^{\frac{p-1}{2}}. \]

Proof (1) ⇒ (2): If $\big(\frac{-1}{p}\big) = 1$, then $p$ splits in $k = \mathbb{Q}(i)$. Multiplying through
by $i$ we may assume that the coefficient of $i$ is even. Thus $p = (a + 2bi)(a - 2bi)$,
and taking the norm yields $p = a^2 + 4b^2$.
(2) ⇒ (3): Since $p$ and $a$ are odd, $p = a^2 + 4b^2$ implies $p \equiv 1 \bmod 4$.
(3) ⇒ (1): If $p \equiv 1 \bmod 4$, then $\big(\frac{-1}{p}\big) = (-1)^{(p-1)/2} = 1$ according to Euler’s
Criterion. □

Similarly we can prove
Theorem 9.13 (Second Supplementary Law) For all odd prime numbers $p$, the
following assertions are equivalent:
(1) $\big(\frac{2}{p}\big) = +1$, i.e., the congruence $x^2 \equiv 2 \bmod p$ is solvable.
(2) We have $p = e^2 - 2f^2$ for integers $e, f \in \mathbb{Z}$.
(3) We have $p \equiv \pm 1 \bmod 8$.
The equivalence of (1) and (3) can also be expressed by the equation

\[ \Big(\frac{2}{p}\Big) = (-1)^{\frac{p^2-1}{8}}. \]

Proof (1) ⇒ (2): If $\big(\frac{2}{p}\big) = +1$, then $p$ splits in $\mathbb{Q}(\sqrt{2})$, and we have $\pm p =
x^2 - 2y^2$; multiplying $x + y\sqrt{2}$, if necessary, by the unit $1 + \sqrt{2}$ we can make sure
that $p = e^2 - 2y^2$.
(2) ⇒ (3): Reduction modulo 8 yields $p \equiv \pm 1 \bmod 8$ in all cases.
(3) ⇒ (1): Let $h$ denote the class number of $k = \mathbb{Q}(\sqrt{p})$, which is odd by
Corollary 9.11. If $p \equiv \pm 1 \bmod 8$, then 2 splits in $k/\mathbb{Q}$, hence $2\mathcal{O}_k = \mathfrak{p}\mathfrak{p}'$ for prime
ideals $\mathfrak{p}$, $\mathfrak{p}'$. Since $\mathfrak{p}^h = \frac{1}{2}(x + y\sqrt{p})$ is a principal ideal, taking the norm yields
$x^2 - py^2 = \pm 4 \cdot 2^h$. Reduction modulo $p$ shows that $\pm 2^h$ and thus $\pm 2$ is a quadratic
residue modulo $p$; the claim now follows from the first supplementary law. □


The quadratic reciprocity law for odd prime numbers is the content of the
following theorem.
Theorem 9.14 (Quadratic Reciprocity Law) If $p$ and $q$ are odd primes, then

\[ \Big(\frac{p}{q}\Big)\Big(\frac{q}{p}\Big) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}}. \]

Proof We first discuss the case where one of the primes, say $p$, is congruent to
$1 \bmod 4$. We will show that in this case we have $\big(\frac{p}{q}\big) = +1 \iff \big(\frac{q}{p}\big) = +1$.
Since $\big(\frac{p}{q}\big) = +1$, the prime $q$ splits in $k = \mathbb{Q}(\sqrt{p})$. Thus $q\mathcal{O}_k = \mathfrak{q}\mathfrak{q}'$ and
$\mathfrak{q}^h = \frac{1}{2}(x + y\sqrt{p})$ is a principal ideal, where $h$ is the class number of $k$, which
is odd by Corollary 9.11. Taking the norm yields $\pm 4q^h = x^2 - py^2$. This in turn
provides us with the congruence $\pm 4q^h \equiv x^2 \bmod p$, and then $\big(\frac{-1}{p}\big) = +1$ implies
$\big(\frac{q}{p}\big) = +1$ as claimed.
If $\big(\frac{q}{p}\big) = +1$, on the other hand, then we use the number field $k = \mathbb{Q}(\sqrt{q})$,
which also has odd class number $h$. Again the fact that $p$ splits in $\mathcal{O}_k$ yields the
equation $\pm 4p^h = x^2 - qy^2$ and thus $\big(\frac{\pm p}{q}\big) = +1$. Since either $q \equiv 1 \bmod 4$ and
$\big(\frac{-1}{q}\big) = +1$ or $q \equiv 3 \bmod 4$ and the sign is necessarily positive (Exercise 9.15), we
obtain $\big(\frac{p}{q}\big) = +1$.
Finally assume that $p \equiv q \equiv 3 \bmod 4$. Consider the field $k = \mathbb{Q}(\sqrt{pq})$.
According to Corollary 9.11, the class number $h$ of $k$ is odd. Thus the prime ideal
$\mathfrak{p} = (p, \sqrt{pq})$ above $p$ must be principal: In fact we have $\mathfrak{p}^2 \sim (1)$ and $\mathfrak{p}^h \sim 1$, and
since $h = 2j + 1$ we get $\mathfrak{p} = \mathfrak{p}^{h-2j} \sim (1)$. Assume therefore that $\mathfrak{p} = \frac{1}{2}(x + y\sqrt{pq})$.
Then $\pm 4p = x^2 - pqy^2$, hence $x = pz$ and $\pm 4 = pz^2 - qy^2$. If the positive sign
holds, then reduction modulo $q$ and $p$ shows that $\big(\frac{p}{q}\big) = +1$ and $\big(\frac{q}{p}\big) = -1$. If the
negative sign holds, then we find accordingly that $\big(\frac{p}{q}\big) = -1$ and $\big(\frac{q}{p}\big) = +1$. This
completes the proof. □


9.3.1 Summary

In this chapter we have proved the ambiguous class number formula for quadratic
number fields, and derived the quadratic reciprocity as a corollary.

9.4 Exercises

9.1. Show that the operation $[\mathfrak{a}]^\sigma = [\mathfrak{a}^\sigma]$ on the ideal class group of a quadratic
number field is well defined, i.e., that $[\mathfrak{a}] = [\mathfrak{b}]$ implies $[\mathfrak{a}^\sigma] = [\mathfrak{b}^\sigma]$.
9.2. Show that the ideal class of order 2 in $\mathbb{Q}(\sqrt{10})$ contains the ideals $(2, \sqrt{10})$,
$(3, 1 + \sqrt{10})$ and $(5, 1 + \sqrt{10})$. Which of these ideals are ambiguous?
9.3. Let $p \equiv 5 \bmod 8$ be prime. Show that the ideal class in $\mathbb{Q}(\sqrt{2p})$ generated by
the ambiguous ideal $(2, \sqrt{2p})$ has order 2.
9.4. Let $p \equiv 1 \bmod 8$ be prime. Show that the ambiguous ideal $(2, \sqrt{2p})$ is
principal in $k = \mathbb{Q}(\sqrt{2p})$ if and only if the norm of the fundamental unit
in $k$ is $+1$.
In this case write $2p = a^2 + b^2$ with $a > b > 0$ and show that the ideal
$\mathfrak{a} = (a, b + \sqrt{m})$ generates an ambiguous ideal class of order 2.
9.5. Show that if $k$ is a quadratic number field with class number 2, then $\operatorname{Am}(k) =
\operatorname{Cl}(k)$.
9.6. Show that if $k$ is a quadratic number field with odd class number, then
$\operatorname{Am}(k) = 1$.
9.7. Show: If $A$ and $B$ are subgroups of an abelian group, then $AB/B \simeq A/A \cap B$.
Hint: Show that $A \cap B$ is the kernel of the natural map $A \longrightarrow AB/B$.
9.8. Show that the inclusion $\iota : H^G/P \longrightarrow A/P$ in (9.2) is injective and that
the map $\pi : A/P \longrightarrow \operatorname{Am}_{st}(k)$ defined by $\pi(\mathfrak{a}P) = [\mathfrak{a}]$ is well defined and
surjective. Also show that $\ker\pi = \operatorname{im}\iota$.
9.9. (O. Taussky) Solve the Pythagorean equation $x^2 + y^2 = z^2$ using Hilbert’s
Theorem 90. Hint: $\alpha = \frac{x + yi}{z} \in \mathbb{Q}(i)$ satisfies the equation $N\alpha = 1$. Write
$\alpha = \frac{m + ni}{m - ni}$ and rationalize the denominator.
Generalize this exercise to all equations of the form $x^2 - my^2 = z^2$ for
squarefree values $m \in \mathbb{Z} \setminus \{0, 1\}$.
9.10. Show that there is an exact sequence

\[ 1 \longrightarrow P \longrightarrow H^G \longrightarrow E[N]/E^{1-\sigma} \longrightarrow 1, \]

where $H$ denotes the group of nonzero principal ideals.
9.11. Let $m = a^2 + b^2$ be a sum of two squares. Then the ideals $(a, b + \sqrt{m})$ do
not necessarily lie in the same ideal class for each choice of $a$ and $b$. Verify
this for $m = 10 = 1^2 + 3^2 = 3^2 + 1^2$.
For the distribution of these ideals over the ideal classes see [82] and [9].
9.12. Let $p$ be a ramified prime in $k = \mathbb{Q}(\sqrt{m})$, where $m \ne \pm p$, and assume that
the prime ideal $\mathfrak{p}$ above $p$ is principal, say $\mathfrak{p} = (\pi)$. Show that $\varepsilon = \frac{1}{p}\pi^2$ is a
unit in $\mathcal{O}_k$, and that neither $\varepsilon$ nor $-\varepsilon$ is a square. Generalize this to products of
ramified prime ideals. Use this to compute the fundamental unit of $\mathbb{Q}(\sqrt{30})$.
9.13. Let $p \equiv 1 \bmod 4$ be a prime number. Show that $\big(\frac{q}{p}\big) = +1$ implies $\big(\frac{p}{q}\big) =
+1$.
Hint: Use $k = \mathbb{Q}(\sqrt{q^*})$ for $q^* = \big(\frac{-1}{q}\big)q$ instead of $\mathbb{Q}(\sqrt{q})$.
9.14. Show that the solvability of the Pell equation implies that the norm of the
fundamental unit $\varepsilon_p$ of $\mathbb{Q}(\sqrt{p})$ for primes $p$ is equal to $N\varepsilon_p = -\big(\frac{-1}{p}\big)$.
Show also that $N\varepsilon_{pq} = -1$ if $p \equiv q \equiv 1 \bmod 4$ are primes with $\big(\frac{p}{q}\big) = -1$.
9.15. Let $\pm 4p^h = x^2 - qy^2$ for prime numbers $p \equiv 1 \bmod 4$ and $q \equiv 3 \bmod 4$.
Show that $x$ and $y$ are both even, and that the plus sign must hold.
9.16. Let $k = \mathbb{Q}(\sqrt{m})$ be a quadratic number field with fundamental unit $\varepsilon_m$. Show:
If $N\varepsilon_m = +1$, then there is an ambiguous principal ideal $\mathfrak{a} = (\alpha)$ with
$\mathfrak{a} \ne (1), (\sqrt{m})$.
Hint: By Hilbert’s Theorem 90 we have $\varepsilon = \alpha^\sigma/\alpha$.
9.17. Show that the norm of the fundamental unit $\varepsilon$ of $\mathbb{Q}(\sqrt{p})$ is negative if $p \equiv
1 \bmod 4$ is prime.
Hint: Use the preceding exercise.
9.18. The idea behind Kummer’s ideal numbers was the construction of ring
homomorphisms $\mathcal{O}_k \longrightarrow \mathbb{F}_q$ of the ring of integers of number fields into
finite fields. Restrict these homomorphisms to the multiplicative group, that
is, consider the group homomorphism $\psi : \mathcal{O}_k^\times \longrightarrow \mathbb{F}_q^\times$. Find examples of
real quadratic number fields and primes $q$ for which this homomorphism is
trivial, or where it is surjective.
9.19. Let $p$ be a prime number such that $\big(\frac{10}{p}\big) = +1$. Then there exist two
possibilities:
1. $\big(\frac{2}{p}\big) = \big(\frac{5}{p}\big) = +1$; in this case $p = x^2 - 10y^2$.
2. $\big(\frac{2}{p}\big) = \big(\frac{5}{p}\big) = -1$; in this case $\pm 2p = X^2 + 10y^2$ and, using $X = 2x$,
$\pm p = 2x^2 - 5y^2$.
Show that this implies that each element $x + y\sqrt{10} \in \mathbb{Z}[\sqrt{10}]$ can be written
uniquely as a product of a unit and irreducible elements of the form $a + b\sqrt{10}$
or $c\sqrt{2} + d\sqrt{5}$.
9.20. Let $q \equiv 3 \bmod 8$ be a prime number. Show that the class number of $\mathbb{Q}(\sqrt{2q})$
is odd and deduce that the equation $2x^2 - qy^2 = -1$ is solvable. Deduce that
$\big(\frac{2}{q}\big) = -1$.
Chapter 10
Quadratic Gauss Sums

In Chap. 3 we have already pointed out the importance of Euler’s Modularity
Theorem, which is not an isolated curiosity but a part of a whole family of related
modularity theorems (most of which are beyond the scope of this book). Here we
will apply the method of generating functions, which we have used in our proof
of Binet’s formula (2.5) for Fibonacci numbers in Sect. 2.5, to the investigation of
problems connected with Euler’s Modularity Theorem.

10.1 Dirichlet Characters

At the heart of the notion of a Dirichlet character is the idea of studying algebraic
structures by constructing (and investigating) homomorphisms into simpler structures.
Characters map groups to groups of complex numbers, and the multiplicative
group of complex numbers is simple in the sense that its finite subgroups are cyclic.
An example of a character is the Legendre symbol $\big(\frac{\cdot}{p}\big)$, which is a group
homomorphism from the coprime residue class group $(\mathbb{Z}/p\mathbb{Z})^\times$, where $p$ is an odd
prime number, to the subgroup $\{-1, +1\}$ of the complex numbers. More generally,
a Dirichlet character $\chi$ defined modulo $m$ is a group homomorphism

\[ \chi : (\mathbb{Z}/m\mathbb{Z})^\times \longrightarrow \mathbb{C}^\times \]

assigning complex numbers to all the coprime residue classes modulo $m$. Since
$(\mathbb{Z}/m\mathbb{Z})^\times$ is a finite abelian group of order $n = \phi(m)$, the Theorem of Euler-Fermat
$a^n \equiv 1 \bmod m$ implies $1 = \chi(1) = \chi(a^n) = \chi(a)^n$, from which we can read off
that the image of a Dirichlet character is an $n$-th root of unity. The Dirichlet character
$\chi$ is called a quadratic Dirichlet character if $\chi$ only attains the values $+1$ and $-1$.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6_10

Example There exist three nontrivial Dirichlet characters defined modulo 8. For
positive representatives $a$ of the coprime residue classes modulo 8 these may be
defined by the Legendre symbols

\[ \chi_{-4}(a) = \Big(\frac{-1}{a}\Big), \quad \chi_8(a) = \Big(\frac{2}{a}\Big), \quad \chi_{-8}(a) = \Big(\frac{-2}{a}\Big). \]

The fact that all Dirichlet characters modulo 8 are quadratic characters reflects the
structure of $(\mathbb{Z}/8\mathbb{Z})^\times$: Since this group is elementary abelian (the square of each
coprime residue class $a$ modulo 8 is the unit element), the same must be true for the
values $\chi(a)$, which attain only the values $+1$ or $-1$. We can define these characters
also by the following table:

| $a \bmod 8$ | 1 | 3 | 5 | 7 |
|---|---|---|---|---|
| $\chi_{-4}$ | +1 | −1 | +1 | −1 |
| $\chi_8$ | +1 | −1 | −1 | +1 |
| $\chi_{-8}$ | +1 | +1 | −1 | −1 |

In many cases it is necessary to extend these Dirichlet characters $\chi$ from residue
classes modulo $m$ to all natural numbers by setting

\[
\chi(a) =
\begin{cases}
\chi(a + m\mathbb{Z}) & \text{if } \gcd(a, m) = 1, \\
0, & \text{if } \gcd(a, m) \ne 1.
\end{cases}
\]

This extension clearly has the property that $\chi(a + m) = \chi(a)$ for all natural
numbers $a$.
Example The Dirichlet character $\chi_{-4}$ defined modulo 4 by $\chi_{-4}(1 + 4\mathbb{Z}) = 1$ and
$\chi_{-4}(3 + 4\mathbb{Z}) = -1$ may be extended to all natural numbers by setting $\chi_{-4}(2n) = 0$
and $\chi_{-4}(2n + 1) = (-1)^n$. For odd integers $a \in \mathbb{N}$ we then have $\chi_{-4}(a) = \big(\frac{-4}{a}\big) =
\big(\frac{-1}{a}\big)$.
The extension to negative integers, when needed, must be done with care. For
the Dirichlet character $\chi_{-4}$ we have $\chi(-1 + 4\mathbb{Z}) = \chi(3 + 4\mathbb{Z}) = -1$, whereas
$\big(\frac{-1}{-1}\big) = +1$.

10.1.1 Primitive Characters

The Dirichlet character $\chi_{-4}$ may be interpreted in a natural way as a Dirichlet
character $\psi_8$ defined modulo 8 by setting $\psi_8(1 + 8\mathbb{Z}) = \psi_8(5 + 8\mathbb{Z}) = 1$ and
$\psi_8(3 + 8\mathbb{Z}) = \psi_8(7 + 8\mathbb{Z}) = -1$. We also say that $\psi_8$ factors over $\mathbb{Z}/4\mathbb{Z}$ since
$\chi_{-4} \circ \pi(a) = \psi_8(a)$, where $\pi : (\mathbb{Z}/8\mathbb{Z})^\times \longrightarrow (\mathbb{Z}/4\mathbb{Z})^\times$ is the natural projection
map that sends residue classes modulo 8 to residue classes modulo 4. This property
becomes a little bit more impressive when stated via the commutativity of the
diagram

\[
\begin{array}{ccc}
(\mathbb{Z}/8\mathbb{Z})^\times & \xrightarrow{\ \psi_8\ } & \{-1, +1\} \\
\big\downarrow{\scriptstyle\pi} & & \big\downarrow{\scriptstyle\mathrm{id}} \\
(\mathbb{Z}/4\mathbb{Z})^\times & \xrightarrow{\ \chi_{-4}\ } & \{-1, +1\}.
\end{array}
\]

A Dirichlet character $\chi$ defined modulo $N$ is called primitive if there is no proper
divisor $N_1$ of $N$ such that $\chi$ is already defined modulo $N_1$. In this case we call $N$
the conductor of $\chi$. We have to show, however, that the conductor is well defined.
To this end we have to show that if a Dirichlet character $\chi$ is defined modulo $N_1$
and modulo $N_2$, then $\chi$ is also defined modulo $\gcd(N_1, N_2)$ (Exercise 10.4).
In the following we will classify the primitive Dirichlet characters. This classification
is deeper than it might first appear, and it will lead us into the heart of
number theory, namely reciprocity laws, the notion of modularity, and class number
formulas.

10.1.2 The Character Group of Finite abelian Groups

Let $A$ be a finite abelian and multiplicatively written group. A character on $A$ is a
homomorphism $\chi : A \longrightarrow \mathbb{C}^\times$ into the multiplicative group of complex numbers.
If $n$ denotes the order of an element $a \in A$, then $\chi(a)^n = \chi(a^n) = \chi(1) = 1$
implies that the image $\chi(a)$ is an $n$-th root of unity. In particular, the values that
$\chi$ attains are roots of unity. Characters on $A = (\mathbb{Z}/n\mathbb{Z})^\times$ are the usual Dirichlet
characters defined modulo $n$, which are our main objects of interest.
The set $X(A)$ of all characters on $A$ is a group with respect to the multiplication
defined by

\[ \chi_1\chi_2(a) = \chi_1(a) \cdot \chi_2(a). \]

The group $X(A)$ is called the character group of $A$. Our goal is the determination of
the algebraic structure of the character group; in fact we will find that the character
group of a finite abelian group is isomorphic to the group itself, which means that
we can read off all algebraic properties of such groups from their character group.
Lemma 10.1 For finite abelian groups $A$ and $B$ we have

\[ X(A \oplus B) \simeq X(A) \oplus X(B). \tag{10.1} \]



If $\chi_A$ is a character on $A$ and if $\chi_B$ is a character on $B$, then

\[ \chi((a, b)) = \chi_A(a) \cdot \chi_B(b) \]

defines a character on $A \oplus B$. Conversely, a character $\chi$ on $A \oplus B$ defines characters
on $A$ and $B$ by restriction, that is, by setting $\chi_A(a) = \chi(a, 1)$ and $\chi_B(b) = \chi(1, b)$.
The map $\chi \mapsto (\chi_A, \chi_B)$ defines a homomorphism

\[ \lambda : X(A \oplus B) \longrightarrow X(A) \oplus X(B), \]

which is surjective by what we have already said, and whose kernel consists of all
characters $\chi$ of $A \oplus B$ for which we have $\chi(1, b) = \chi(a, 1) = 1$. But this implies
$\chi(a, b) = \chi(a, 1) \cdot \chi(1, b) = 1$ for all $a \in A$ and $b \in B$, hence $\chi$ is the trivial
character, and $\lambda$ is injective.
Next we show

Proposition 10.2 For each finite abelian group $A$ we have $X(A) \simeq A$.

Each finite abelian group can be written as a direct product of cyclic groups.
According to Lemma 10.1 it is therefore sufficient to prove the claim for cyclic
groups.
If $A = \langle g\rangle$ is cyclic, then each character $\chi \in X(A)$ is completely determined by
the value $\chi(g)$. If $n$ denotes the order of $A$ (and thus also of $g$) and if $\zeta_n$ is a primitive
$n$-th root of unity, then $\omega(g) = \zeta_n$ defines a character $\omega \in X(A)$ with the property
that each $\chi$ can be written as a power of $\omega$. Thus $X(A) = \langle\omega\rangle$ is cyclic with the same
order as $A$, and the homomorphism that sends $a = g^m \in A$ to $\chi = \omega^m \in X(A)$
provides us with an isomorphism between $A$ and $X(A)$.
Let us denote the subgroup of quadratic characters on $A$, that is, the characters
that attain only the values $\pm 1$, by $X_2(A)$. Then again $X_2(A \oplus B) \simeq X_2(A) \oplus X_2(B)$.
Moreover we have

Proposition 10.3 For each finite abelian group $A$ we have $X_2(A) \simeq A/A^2$.
The proof is similar to the one above: It is sufficient to prove the claim for cyclic
groups. If $A = \langle g\rangle$ and if the order $n$ of $A$ (and $g$) is odd, then $A/A^2 = 1$ and
$X_2(A) = 1$, since $1 = \chi(1) = \chi(g^n) = \chi(g)^n$ and $\chi(g) = \pm 1$ imply $\chi(g) = 1$. If
$n$ is even, then $\chi_0(g) = 1$ and $\chi_1(g) = -1$ define the only two possible quadratic
characters on $A$, and then $A/A^2 \simeq \mathbb{Z}/2\mathbb{Z}$ and $X_2(A) \simeq \mathbb{Z}/2\mathbb{Z}$.
If $B$ is a subgroup of the finite abelian group $A$, then each character $\chi_0$ on $A/B$
defines a character $\chi$ on $A$ via

\[ \chi(a) = \chi_0(aB). \]

Each character that is not already defined on a proper quotient of $A$ is called
primitive.

Lemma 10.4 In the decomposition (10.1), a character $\chi = \chi_A \cdot \chi_B$ is primitive if
and only if $\chi_A$ and $\chi_B$ are primitive.
Proof If $\chi$ is not primitive, then there is a nontrivial subgroup $A_1 \oplus B_1$ of $A \oplus B$
such that $\chi$ is induced by a character on $A/A_1 \oplus B/B_1$. Then $\chi_A$ and $\chi_B$ are induced
by characters on $A/A_1$ and $B/B_1$, and at least one of the subgroups $A_1$ or $A_2$ is
nontrivial.
If $\chi_A$ is not primitive, then $\chi_A$ is induced by a character on $A/A_1$, hence $\chi$ is
induced by a character on $(A \oplus B)/(A_1 \oplus 1)$. □

Not every finite abelian group admits primitive quadratic characters; groups of
odd order, for example, have only the trivial quadratic character. More generally we
have
Lemma 10.5 If $A = B \oplus U$ for a group $U$ of odd order, then $X_2(A) \simeq X_2(B)$ and
$B \simeq A/U$ (where we have identified $U \simeq 1 \oplus U$); in particular, $A$ does not have
any primitive quadratic character if $U$ is nontrivial.
This is clear since $X_2(U) = 1$.

10.1.3 Classification of Quadratic Dirichlet Characters

Now we can determine the primitive quadratic Dirichlet characters modulo $N$. We
write $N = p_1^{a_1} \cdots p_t^{a_t}$; then

\[ (\mathbb{Z}/N\mathbb{Z})^\times \simeq (\mathbb{Z}/p_1^{a_1}\mathbb{Z})^\times \oplus \cdots \oplus (\mathbb{Z}/p_t^{a_t}\mathbb{Z})^\times. \]

Next we know that for odd prime numbers $p$ we have

\[ (\mathbb{Z}/p^m\mathbb{Z})^\times \simeq \mathbb{Z}/(p - 1)\mathbb{Z} \oplus \mathbb{Z}/p^{m-1}\mathbb{Z}. \]

According to Lemma 10.5 there exists a primitive quadratic Dirichlet character
on $(\mathbb{Z}/p^m\mathbb{Z})^\times$ only if $m = 1$. Finally, $X_2((\mathbb{Z}/p\mathbb{Z})^\times)$ only consists of the trivial
character and the quadratic Dirichlet character $\chi(a) = \big(\frac{a}{p}\big)$ defined by the Legendre
symbol. Thus we have
Lemma 10.6 Let $p$ denote an odd prime number. Then there exist exactly two
quadratic Dirichlet characters defined modulo $p$, namely the trivial character and
the primitive quadratic Dirichlet character $\chi$ defined by $\chi(a) = \big(\frac{a}{p}\big)$. For $n \ge 2$
there does not exist any primitive quadratic Dirichlet character modulo $p^n$.
In the case $p = 2$ each coprime residue class modulo $2^m$ can be written as a
product of a power of $-1$ and of 5, which shows that

\[ (\mathbb{Z}/2^m\mathbb{Z})^\times \simeq \mathbb{Z}/2\mathbb{Z} \oplus \mathbb{Z}/2^{m-2}\mathbb{Z}. \]


With $A = (\mathbb{Z}/2^m\mathbb{Z})^\times$ we thus have $A/A^2 \simeq \mathbb{Z}/2\mathbb{Z} \oplus \mathbb{Z}/2\mathbb{Z}$, hence there are four
quadratic characters modulo $2^m \ge 8$; apart from the trivial character these are the
characters $\chi_{-4}$, $\chi_8$ and $\chi_{-8}$ defined above; here $\chi_{-4}$ is a primitive character modulo
4, the other two are primitive characters modulo 8.
Lemma 10.7 There exist exactly four quadratic characters defined modulo $2^m$ for
$m \ge 3$, namely the trivial character, as well as the characters $\chi_{-4}$ with conductor 4
and the characters $\chi_8$ and $\chi_{-8}$ with conductor 8.
Thus primitive quadratic Dirichlet characters exist only modulo 4, 8 and for
odd prime numbers $p$. Because of Lemma 10.1 there is exactly one primitive
quadratic Dirichlet character modulo $N$, where $N$ is a product of such moduli. These
integers $N$ are exactly those positive integers that are, up to sign, discriminants
of quadratic number fields: $N = |\Delta|$. The decomposition of $\Delta = \Delta_1 \cdots \Delta_t$ into
prime discriminants corresponds to a decomposition $\chi = \chi_1 \cdots \chi_t$ of a primitive
quadratic character $\chi$ into primitive quadratic characters defined modulo $N_j =
|\Delta_j|$. According to Lemma 10.4 $\chi$ is primitive if and only if the components $\chi_j$
are primitive. Thus we have the following

Theorem 10.8 There exists a bijection between primitive quadratic Dirichlet characters
and discriminants of quadratic number fields.
The fact that there is a bijection between the primitive quadratic Dirichlet
characters and quadratic number fields suggests the question whether this bijection
may be extended from quadratic to arbitrary Dirichlet characters. The answer is yes,
and the primitive Dirichlet characters correspond to cyclotomic number fields.
Proposition 10.9 Let $N = |\Delta|$ be a natural number. If $\chi$ is a primitive quadratic
Dirichlet character defined modulo $N$, then

\[
\chi(-1) =
\begin{cases}
+1 & \text{for } \Delta > 0, \\
-1 & \text{for } \Delta < 0.
\end{cases}
\]

In particular, $\Delta = \chi(-1) \cdot N$.

In fact we have $\chi_\Delta(-1) = \operatorname{sgn}(\Delta)$ for each primitive quadratic Dirichlet
character with prime conductor $N = |\Delta|$; this follows from the observation that
for odd prime conductors $N$ we have

\[
\chi_\Delta(-1) = \Big(\frac{-1}{p}\Big) =
\begin{cases}
-1 & \text{for } \Delta = -p,\ p \equiv 3 \bmod 4, \\
+1 & \text{for } \Delta = +p,\ p \equiv 1 \bmod 4,
\end{cases}
\]

and since the claim is also true for the three primitive quadratic Dirichlet characters
defined modulo 4 and 8, the proposition is now completely proved.

10.1.4 Modularity and Reciprocity

Quite often in mathematics there is a deep conceptual reason why bijections such
as the one in Theorem 10.8 exist. In our case, the existence of the bijection would
be explained by the fact that for quadratic number fields with discriminant $\Delta$ there
exists a Dirichlet character $\chi$ with conductor $N = |\Delta|$. This is indeed true: The
Kronecker symbol $\big(\frac{\Delta}{p}\big)$ introduced in Sect. 3.2, which describes the splitting of
primes $p$ in the quadratic number field with discriminant $\Delta$ (see Thm. 6.14), defines
a “Kronecker character” $\kappa_\Delta(a) = \big(\frac{\Delta}{a}\big)$ for all natural numbers $a \ge 1$, which assigns
the value $+1$ or $-1$ to all integers $a$ coprime to $\Delta$. It is, however, not at all obvious
that $\kappa$ is a Dirichlet character, i.e., that there exists a modulus $m$ with

\[ \Big(\frac{\Delta}{a}\Big) = \Big(\frac{\Delta}{a + km}\Big) \quad \text{for all } k \ge 0. \]

It is the Modularity Theorem for Kronecker characters that guarantees the existence
of such a modulus $m$:

Theorem 10.10 (Modularity Theorem) Every Kronecker character is modular.
More exactly, $\kappa(a) = \big(\frac{\Delta}{a}\big)$ defines a primitive quadratic Dirichlet character with
conductor $N = |\Delta|$.
We have already proved this Theorem in Chap. 3 using elementary means,
namely Gauss’s Lemma. Here we will present an approach using generating
functions.
Dirichlet used this bijection between Dirichlet and Kronecker characters in his
proof of the theorem on primes in arithmetic progression in order to turn quadratic
Dirichlet characters into Kronecker characters: This allowed him to reduce the non-vanishing
of his L-series (we will say a few things about this below) to the arithmetic
of quadratic number fields. Harvey Cohn [22, 23] called this bijection Dirichlet’s
Lemma.

10.2 Pell Forms

For proving the modularity of Kronecker characters we will proceed as in our
derivation of Binet’s formula (2.5) and study the generating function for a Kronecker
character $\kappa$, namely $f_\kappa(q) = \sum_{n \ge 1} \kappa(n)q^n$. Without modularity, however, we know
next to nothing about $f_\kappa$, and we are not in a position to derive essential properties
of $f_\kappa$.
For this reason we will investigate the generating function

\[ f_\chi(q) = \sum_{n=1}^{\infty} \chi(n)q^n \]

of a Dirichlet character $\chi$ defined modulo $N$. To this end we set $\chi(a) = 0$ for all
integers $a$ that are not coprime to $N$. Clearly the geometric series majorizes $f_\chi(q)$,
hence this series converges absolutely for all complex numbers $q$ with $|q| < 1$. Let
us now compute $f_\chi(q)$ for the two discriminants $\Delta = -4$ and $\Delta = 8$:
• $\Delta = -4$: For $\kappa(p) = \big(\frac{-4}{p}\big)$ we obtain

\[ f_\chi(q) = q - q^3 + q^5 - q^7 + \ldots = q(1 - q^2 + q^4 - q^6 + \ldots) = \frac{q}{1 + q^2}. \]

This is a rational function with poles at the primitive 4-th roots of unity. In
addition, we find

\[ f_\chi\Big(\frac{1}{q}\Big) = \frac{\frac{1}{q}}{1 + \frac{1}{q^2}} = \frac{q}{q^2 + 1} = f_\chi(q), \]

hence $f_\chi$ satisfies the functional equation $f_\chi(\frac{1}{q}) = f_\chi(q)$, which connects the
values of $f_\chi$ inside the unit circle, where $f_\chi$ converges, with values of $f_\chi$ outside
the domain of convergence.
• $\Delta = 8$: For $\kappa(p) = \big(\frac{-4}{p}\big)$ we find in a similar way

\begin{align*}
f_\chi(q) &= q - q^3 - q^5 + q^7 + q^9 - \ldots = (q - q^3 - q^5 + q^7)(1 + q^8 + q^{16} + \ldots) \\
&= \frac{q - q^3 - q^5 + q^7}{1 - q^8} = \frac{q - q^3}{q^4 + 1}
\end{align*}

because of

\[ q - q^3 - q^5 + q^7 = q(q - 1)^2(q + 1)^2(q^2 + 1) \quad \text{and} \quad q^8 - 1 = (q - 1)(q + 1)(q^2 + 1)(q^4 + 1). \]

Here we obtain

\[ f_\chi\Big(\frac{1}{q}\Big) = \frac{\frac{1}{q} - \frac{1}{q^3}}{\frac{1}{q^4} + 1} = \frac{q^3 - q}{q^4 + 1} = -f_\chi(q). \]

For general Dirichlet characters we obtain in a similar way

\begin{align*}
f_\chi(q) &= \sum_{n=1}^{\infty} \chi(n)q^n = \sum_{k=0}^{\infty} \Big(\sum_{n=1}^{N} \chi(n)q^n\Big) q^{kN} \\
&= \Big(\sum_{n=1}^{N} \chi(n)q^n\Big)(1 + q^N + q^{2N} + \ldots) = \frac{\operatorname{Fek}_\chi(q)}{1 - q^N},
\end{align*}
where

\[ \operatorname{Fek}_\chi(q) = \sum_{n=1}^{N-1} \chi(n)q^n \]

denotes the Fekete polynomial for the Dirichlet character $\chi$ with conductor $N$ (see
Table 10.1).

Table 10.1 Fekete polynomials with small conductor

| $\Delta$ | $N$ | $\operatorname{Fek}_\chi(q)$ |
|---|---|---|
| −3 | 3 | $q - q^2$ |
| −4 | 4 | $q - q^3$ |
| 5 | 5 | $q - q^2 - q^3 + q^4$ |
| −7 | 7 | $q + q^2 - q^3 + q^4 - q^5 - q^6$ |
| 8 | 8 | $q - q^3 - q^5 + q^7$ |
| −8 | 8 | $q + q^3 - q^5 - q^7$ |

Proposition 10.11 The Pell form $f_\chi$ of a Dirichlet character $\chi$ with conductor $N$
represents, for all $q \in \mathbb{C}$ with $|q| < 1$, a rational function

\[ f_\chi(q) = \frac{\operatorname{Fek}_\chi(q)}{1 - q^N} \]

that can be extended, except for possible poles at the $N$-th roots of unity, to the
whole complex plane.
Fekete polynomials first occurred explicitly in Dirichlet’s proof of the theorem
on primes in arithmetic progression, according to which there exist infinitely
many primes in each coprime residue class modulo some integer N. Implicitly,
Fekete polynomials already showed up in Gauss’s sixth proof [44] of the quadratic
reciprocity law; later Cauchy, Jacobi and Eisenstein published variants of this proof
in which they replaced x by a p-th root of unity.
Yet Fekete polynomials have remained mathematical wallflowers; one of the few
articles that underline the importance of Fekete polynomials for the arithmetic of
quadratic number fields is Ayoub [6].
The periodicity of χ allowed us to write the generating function fχ as a rational
function; but rational functions can be extended to meromorphic functions on the
whole complex plane, and the only possible poles are at the N-th roots of unity.
Our first task is the determination of the poles of Pell forms fχ , which we know
can only occur at the N-th roots of unity. A few calculations for Pell forms with
small conductor show that $f_\chi$ does not have poles at each N-th root of unity. If we
factor numerator and denominator of the rational function $f_\chi$ and cancel as many
factors as possible, then we find, for small values of N:

$$\begin{aligned}
f_{-3}(q) &= \frac{q - q^2}{1 - q^3} = \frac{q(1-q)}{(1-q)(1+q+q^2)} = \frac{q}{1+q+q^2},\\
f_{-4}(q) &= \frac{q - q^3}{1 - q^4} = \frac{q(1-q^2)}{(1-q^2)(1+q^2)} = \frac{q}{1+q^2},\\
f_{5}(q) &= \frac{q - q^2 - q^3 + q^4}{1 - q^5} = \frac{q - q^3}{1+q+q^2+q^3+q^4}.
\end{aligned}$$

Already these few examples suggest that the poles of the function fχ are exactly
at the primitive N-th roots of unity. Here an N-th root of unity ζ is called primitive
if the equation $\zeta^m = 1$ holds for m = N, but not for any smaller value 1 ≤ m < N.
For proving this claim we proceed as in our derivation of Binet’s formulas: We
determine the partial fraction decomposition of $f_\chi$. To this end we set

$$f_\chi(q) = \sum_{k=0}^{N-1}\frac{a_k}{\zeta^k - q};$$

then a simple application of Euler’s formulas (2.4) shows that the coefficients $a_k$ are
given by

$$a_k = \frac{\mathrm{Fek}_\chi(\zeta^k)}{-N\zeta^{k(N-1)}} = -\frac{\zeta^k\,\mathrm{Fek}_\chi(\zeta^k)}{N}.$$

The expression

$$\mathrm{Fek}_\chi(\zeta^k) = \sum_{n=1}^{N-1}\chi(n)\zeta^{kn} =: \tau_k(\chi)$$

is called a Gauss sum. If χ is a quadratic Dirichlet character, then τ is called a
quadratic Gauss sum. Gauss sums are important tools in number theory; in our
approach, these objects show up naturally.
Thus we have

$$f_\chi(q) = -\frac{1}{N}\sum_{k=1}^{N-1}\frac{\zeta^k\tau_k(\chi)}{q - \zeta^k} = \frac{1}{N}\sum_{k=1}^{N-1}\frac{\tau_k(\chi)}{1 - q\zeta^{-k}}. \tag{10.2}$$

It is clear that $f_\chi(q)$ has a pole in $q = \zeta^k$ if and only if $\tau_k(\chi) \ne 0$. The question of
the location of the poles of Pell forms thus boils down to determining the values of
k for which the quadratic Gauss sums $\tau_k(\chi)$ vanish.

It turns out that the quadratic Gauss sums $\tau_k$ are, up to a root of unity, equal to
$\tau = \tau_1(\chi)$. In fact we have:
Proposition 10.12 For primitive Dirichlet characters defined modulo N and all
natural numbers k we have

$$\tau_k(\chi) = \overline{\chi}(k)\cdot\tau, \tag{10.3}$$

where $\overline{\chi}$ is the conjugate character of χ, which is defined by $\overline{\chi}(a) = \overline{\chi(a)}$.
In particular, we have $\tau_k(\chi) = 0$ if gcd(k, N) ≠ 1.
Proof Assume first that gcd(k, N) = 1. Then

$$\tau_k(\chi) = \sum_{a=1}^{N-1}\chi(a)\zeta^{ka} = \overline{\chi}(k)\sum_{a=1}^{N-1}\chi(ka)\zeta^{ka} = \overline{\chi}(k)\sum_{b=1}^{N-1}\chi(b)\zeta^{b} = \overline{\chi}(k)\,\tau,$$

where we have used that b = ka runs through all coprime residue classes of
$(\mathbb{Z}/N\mathbb{Z})^\times$ when a does.
If gcd(k, N) = d > 1, on the other hand, then we write N = dn and k = ds for
coprime integers n and s. We first claim that there exists an integer b ≡ 1 mod n
with χ(b) ≠ 1. Since χ is primitive, χ is not trivial on the kernel of the projection
map $(\mathbb{Z}/N\mathbb{Z})^\times \to (\mathbb{Z}/n\mathbb{Z})^\times$, and this is exactly what we have claimed.
Next we have k ≡ bk mod N since bk − k = k(b − 1) ≡ 0 mod dn; in particular,
we have $\zeta^k = \zeta^{bk}$. Now we get

$$\chi(b)\tau_k(\chi) = \sum_{a=1}^{N-1}\chi(ab)\zeta^{ka} = \sum_{a=1}^{N-1}\chi(ab)\zeta^{kab} = \tau_k(\chi),$$

and since χ(b) ≠ 1 we obtain $\tau_k(\chi) = 0$ as claimed. □



This simple result implies
Theorem 10.13 The partial fraction decomposition of $f_\chi(q)$ is given by

$$f_\chi(q) = -q\cdot\frac{\tau}{N}\sum_{k=1}^{N-1}\frac{\overline{\chi}(k)}{q - \zeta^k} = \frac{\tau}{N}\sum_{k=1}^{N-1}\frac{\overline{\chi}(k)}{1 - q\zeta^{-k}}. \tag{10.4}$$

Observe that this implies τ ≠ 0 since we already know that $f_\chi(q)$ is a nontrivial
rational function.
Before we continue, let us give two simple examples of Gauss sums.
• Consider the Dirichlet character $\chi(a) = (\frac{2}{a})$ defined modulo 8. If ζ denotes a
primitive 8th root of unity, then

$$\tau_1(\chi) = \zeta - \zeta^3 - \zeta^5 + \zeta^7 = \zeta(1 - i + 1 - i) = \zeta(2 - 2i),$$

which implies that $\tau_1^2 = i(2 - 2i)^2 = 8$.

• Now let $\chi(a) = (\frac{5}{a})$ denote the quadratic Dirichlet character defined modulo 5,
and let ζ denote a primitive 5th root of unity. Then

$$\tau_1 = \zeta - \zeta^2 - \zeta^3 + \zeta^4$$

and thus

$$\begin{aligned}
\tau_1^2 &= \zeta^2 + \zeta^4 + \zeta^6 + \zeta^8 - 2\zeta^3 - 2\zeta^4 + 2\zeta^5 + 2\zeta^5 - 2\zeta^6 - 2\zeta^7\\
&= \zeta + \zeta^2 + \zeta^3 + \zeta^4 + 4 - 2\zeta - 2\zeta^2 - 2\zeta^3 - 2\zeta^4\\
&= -1 + 4 + 2 = 5,
\end{aligned}$$

where we have used $1 + \zeta + \zeta^2 + \zeta^3 + \zeta^4 = 0$ several times.


These calculations suggest that quadratic Gauss sums for primitive quadratic
Dirichlet characters with conductor N have absolute value $|\tau| = \sqrt{N}$. From the
many possible proofs we choose one that uses the partial fraction decomposition of
$f_\chi$.
Theorem 10.14 For primitive Dirichlet characters with conductor N we have $|\tau| = \sqrt{N}$.
If χ is a quadratic character, then we even have

$$\tau^2 = \Delta \tag{10.5}$$

for a discriminant Δ with |Δ| = N.


Among the many possibilities of proving this theorem we choose the one based
on Pell forms. According to (10.2) the partial fraction decomposition of the Pell
form $f_\chi(q)$ is given by

$$f_\chi(q) = \frac{\tau}{N}\sum_{k=1}^{N-1}\frac{\overline{\chi}(k)}{1 - \zeta^{-k}q}. \tag{10.6}$$

Expanding the left side into a power series we get $\sum_{n\ge1}\chi(n)q^n$, and on the right
side we obtain, when we develop the fractions into geometric series,

$$\frac{\overline{\chi}(k)}{1 - \zeta^{-k}q} = \overline{\chi}(k)(1 + \zeta^{-k}q + \zeta^{-2k}q^2 + \ldots) = \overline{\chi}(k) + \overline{\chi}(k)\zeta^{-k}q + \ldots.$$

Comparing the coefficients of q on both sides of (10.6) we find

$$1 = \frac{\tau}{N}\sum_{k=1}^{N}\overline{\chi}(k)\zeta^{-k} = \frac{\tau}{N}\,\overline{\sum_{k=1}^{N}\chi(k)\zeta^{k}} = \frac{\tau}{N}\cdot\overline{\tau},$$

hence $\tau\overline{\tau} = N$ and $|\tau| = \sqrt{N}$.

For proving the second claim we observe that, in the case of quadratic characters,
we have $\overline{\chi} = \chi$, hence

$$\overline{\tau} = \sum_{k=1}^{N}\overline{\chi}(k)\zeta^{-k} = \sum_{k=1}^{N}\chi(k)\zeta^{-k} = \chi(-1)\tau.$$

Thus it follows from the proof above that $1 = \frac{\tau}{N}\cdot\chi(-1)\tau$, and so, taking
Proposition 10.9 into account,

$$\tau^2 = \chi(-1)N = \Delta.$$

Since τ by definition is an element of $\mathbb{Q}(\zeta_N)$, this implies that each quadratic number
field is a subfield of some cyclotomic number field $\mathbb{Q}(\zeta_N)$, and in fact that we can
choose N = |Δ|.
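The following numerical check of Proposition 10.12, Theorem 10.13 and Theorem 10.14 is an added example, not code from the book. It assumes ζ = exp(2πi/N) and takes χ to be the Kronecker symbol (Δ/·); the function names are chosen here for illustration.

```python
import cmath

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    sign = 1
    while a:
        while a % 2 == 0:                 # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                sign = -sign
        a, n = n, a                       # reciprocity step for odd a and n
        if a % 4 == 3 and n % 4 == 3:
            sign = -sign
        a %= n
    return sign if n == 1 else 0

def chi(D, n):
    """Kronecker symbol (D/n) for a discriminant D and an integer n >= 1."""
    sign = 1
    while n % 2 == 0:
        if D % 2 == 0:
            return 0
        n //= 2
        if D % 8 in (3, 5):               # (D/2) = -1 for D = +-3 mod 8
            sign = -sign
    return sign * jacobi(D, n)

def fekete(D, q):
    """Fek_chi(q) = sum_{n=1}^{N-1} chi(n) q^n with N = |D|."""
    return sum(chi(D, n) * q**n for n in range(1, abs(D)))

def gauss_sum(D, k=1):
    """tau_k(chi) = Fek_chi(zeta^k) for zeta = exp(2 pi i / N)."""
    zeta = cmath.exp(2j * cmath.pi / abs(D))
    return fekete(D, zeta**k)

def pell_form(D, q):
    """f_chi(q) as the rational function Fek_chi(q) / (1 - q^N)."""
    return fekete(D, q) / (1 - q**abs(D))

def pell_form_partial_fractions(D, q):
    """Right-hand side of (10.4); chi is real, so its conjugate is chi itself."""
    N = abs(D)
    zeta = cmath.exp(2j * cmath.pi / N)
    terms = sum(chi(D, k) / (1 - q * zeta**(-k)) for k in range(1, N))
    return gauss_sum(D) / N * terms

def pole_exponents(D, eps=1e-9):
    """All k in [0, N) with tau_k != 0, i.e. the poles zeta^k of f_chi."""
    return [k for k in range(abs(D)) if abs(gauss_sum(D, k)) > eps]

if __name__ == "__main__":
    for D in (-3, -4, 5, -7, 8, -8, 12, -15):
        tau = gauss_sum(D)
        print(D, "tau^2 =", tau * tau, "poles at k =", pole_exponents(D))
```

The pole exponents returned are exactly the k coprime to N, so the poles of the Pell form sit at the primitive N-th roots of unity.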

10.3 Fekete Polynomials

Gauss’s sixth proof of the quadratic reciprocity law is today usually presented in
the form given by Jacobi and Cauchy, who used the basic arithmetic of cyclotomic
number fields. These proofs have the advantage of being very slick and short. Here
we will present Gauss’s original sixth proof of the quadratic reciprocity law in such
a way that the role of the Fekete polynomials becomes clearly visible. The necessary
changes are mainly of a cosmetic nature. Apart from Fekete polynomials, Gauss also
uses the cyclotomic polynomial
$$\Phi_p(x) = 1 + x + x^2 + \ldots + x^{p-1} = \frac{x^p - 1}{x - 1}.$$

This polynomial is known to be irreducible over the rationals, as can be seen most
easily using a method due¹ to Schönemann and Eisenstein: one shows that $\Phi_p(x+1)$
is an “Eisenstein polynomial,” i.e., that it has the form

$$\Phi_p(x + 1) = x^{p-1} + a_{p-2}x^{p-2} + \ldots + a_1x + a_0,$$

where all coefficients $a_j$ are divisible by p, and $a_0$ is not divisible by $p^2$. We now
claim
Lemma 10.15 Let p denote an odd prime number and n a natural number. Then

$$\Phi_p(x^n) \equiv \begin{cases} 0 \bmod \Phi_p(x) & \text{if } p \nmid n,\\ p \bmod \Phi_p(x) & \text{if } p \mid n. \end{cases} \tag{10.7}$$

¹ See [26].

In fact we have

$$\frac{\Phi_p(x^n)}{\Phi_p(x)} = \frac{x^{np} - 1}{x^n - 1}\cdot\frac{x - 1}{x^p - 1}.$$

If p ∤ n, let m denote a natural number such that mn ≡ 1 mod p. With mn = hp + 1
it follows that

$$\begin{aligned}
\frac{\Phi_p(x^n)}{\Phi_p(x)} &= \frac{x^{np} - 1}{x^n - 1}\cdot\frac{x^{mn} - 1 + x - x^{hp+1}}{x^p - 1}\\
&= \frac{x^{np} - 1}{x^p - 1}\cdot\frac{x^{mn} - 1}{x^n - 1} - \frac{x(x^{np} - 1)}{x^n - 1}\cdot\frac{x^{hp} - 1}{x^p - 1},
\end{aligned}$$

and this implies the claim.

If p | n, on the other hand, then n = mp and

$$\begin{aligned}
\Phi_p(x^n) - p &= 1 + x^n + x^{2n} + \ldots + x^{n(p-1)} - (1 + 1 + \ldots + 1)\\
&= x^n - 1 + x^{2n} - 1 + \ldots + x^{n(p-1)} - 1.
\end{aligned}$$

Clearly each term $x^{kn} - 1$ is divisible by $x^n - 1$, and from

$$\frac{x^n - 1}{x - 1} = \frac{x^{mp} - 1}{x - 1} = \frac{x^{mp} - 1}{x^p - 1}\cdot\frac{x^p - 1}{x - 1}$$

we deduce that it is divisible by $\Phi_p(x) = \frac{x^p - 1}{x - 1}$.
In the following, let $\mathrm{Fek}_p(x)$ be the Fekete polynomial for the primitive quadratic
Dirichlet character with odd prime conductor p.
Lemma 10.16 For every natural number 1 ≤ q < p, the polynomial

$$\mathrm{Fek}_p(x^q) - \Big(\frac{q}{p}\Big)\mathrm{Fek}_p(x)$$

is divisible by $x^p - 1$, that is, we have the congruence

$$\mathrm{Fek}_p(x^q) \equiv \Big(\frac{q}{p}\Big)\mathrm{Fek}_p(x) \bmod (x^p - 1)$$

in the polynomial ring $\mathbb{Z}[x]$.

Let ζ denote a primitive p-th root of unity. Then $\mathrm{Fek}_p(\zeta) = \tau$ and $\mathrm{Fek}_p(\zeta^q) = \tau_q(\chi)$
are quadratic Gauss sums. Thus plugging x = ζ into the identity

$$\mathrm{Fek}_p(x^q) - \Big(\frac{q}{p}\Big)\mathrm{Fek}_p(x) = g(x)(x^p - 1)$$

implies that

$$\tau_q(\chi) = \Big(\frac{q}{p}\Big)\tau.$$

This is just Eq. (10.3) in the special case where $\chi = \overline{\chi} = (\frac{\cdot}{p})$.


Proof of Lemma 10.16 We have

$$\mathrm{Fek}_p(x^q) = \sum_{a=1}^{p-1}\chi_p(a)x^{aq} = \chi_p(q)\sum_{a=1}^{p-1}\chi_p(aq)x^{aq}.$$

Thus if a runs through a coprime system of residue classes modulo p, then so does
aq. Each exponent aq is thus congruent modulo p to exactly one number c with
1 ≤ c < p, i.e., we have $aq = c + k_ap$ for an integer $k_a$ depending on a. This
implies

$$x^{aq} = x^{c + k_ap} = x^cx^{k_ap} = x^c + x^c(x^{k_ap} - 1) \equiv x^c \bmod (x^p - 1),$$

hence

$$\mathrm{Fek}_p(x^q) = \chi_p(q)\sum_{a=1}^{p-1}\chi_p(aq)x^{aq} \equiv \chi_p(q)\sum_{c=1}^{p-1}\chi_p(c)x^c \bmod (x^p - 1)$$

as claimed. □

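Next Gauss turns his attention to the polynomial $\mathrm{Fek}_p(x)^2$. Clearly

$$\mathrm{Fek}_p(x)^2 = \sum_{k=1}^{p-1}\Big(\frac{k}{p}\Big)x^k\,\mathrm{Fek}_p(x).$$

According to Lemma 10.16 we have

$$\mathrm{Fek}_p(x)^2 \equiv \sum_{k=1}^{p-1}x^k\,\mathrm{Fek}_p(x^k) \bmod (x^p - 1).$$

Now we develop the second Fekete polynomial and find

$$\begin{aligned}
\mathrm{Fek}_p(x)^2 &\equiv \sum_{k=1}^{p-1}x^k\sum_{h=1}^{p-1}\Big(\frac{h}{p}\Big)x^{kh} = \sum_{h=1}^{p-1}\Big(\frac{h}{p}\Big)\sum_{k=1}^{p-1}x^{kh+k}\\
&= \sum_{h=1}^{p-1}\Big(\frac{h}{p}\Big)(\Phi_p(x^{h+1}) - 1) = \sum_{h=1}^{p-1}\Big(\frac{h}{p}\Big)\Phi_p(x^{h+1}) \bmod \Phi_p(x),
\end{aligned}$$

where we have used that $\sum_h(\frac{h}{p}) = 0$. Using Lemma 10.15 we now obtain

$$\mathrm{Fek}_p(x)^2 \equiv \Big(\frac{p-1}{p}\Big)\Phi_p(x^p) \equiv \Big(\frac{-1}{p}\Big)p \bmod \Phi_p(x).$$

We have proved
Proposition 10.17 Fekete polynomials satisfy the congruence

$$\mathrm{Fek}_p(x)^2 \equiv \Big(\frac{-1}{p}\Big)p \bmod \Phi_p(x).$$

If we set x = ζ for a primitive p-th root of unity ζ, then the congruence above turns
into the equation

$$\tau^2 = \Big(\frac{-1}{p}\Big)p,$$

which is a special case of (10.5).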

10.3.1 Gauss’s Sixth Proof

The heart of the proof is simple: We combine the congruences

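$$\begin{aligned}
\mathrm{Fek}_p(x)^2 &\equiv p^* \bmod \Phi_p(x), &(10.8)\\
\mathrm{Fek}_p(x)^q &\equiv \mathrm{Fek}_p(x^q) \bmod q, &(10.9)\\
\mathrm{Fek}_p(x^q) &\equiv \Big(\frac{q}{p}\Big)\mathrm{Fek}_p(x) \bmod \Phi_p(x), &(10.10)
\end{aligned}$$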

that we have proved above. Instead of working with double congruences modulo
q and modulo Φp (X) we write the congruences as equations—another possibility
would be working modulo q in cyclotomic number fields. The congruences above
then become the following equations:

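$$\begin{aligned}
\mathrm{Fek}_p(x)^2 &= p^* + \Phi_p(x)A(x),\\
\mathrm{Fek}_p(x)^q &= \mathrm{Fek}_p(x^q) + qB(x),\\
\mathrm{Fek}_p(x^q) &= \Big(\frac{q}{p}\Big)\mathrm{Fek}_p(x) + \Phi_p(x)C(x).
\end{aligned}$$

Here A, B, C ∈ Z[x] are suitably chosen polynomials. Now

$$\begin{aligned}
\mathrm{Fek}_p(x)^q &= \big(\mathrm{Fek}_p(x)^2\big)^{\frac{q-1}{2}}\mathrm{Fek}_p(x) = \big(p^* + \Phi_p(x)A(x)\big)^{\frac{q-1}{2}}\mathrm{Fek}_p(x)\\
&= (p^*)^{\frac{q-1}{2}}\mathrm{Fek}_p(x) + \Phi_p(x)A_1(x)\mathrm{Fek}_p(x)\\
&= \Big(\frac{p^*}{q}\Big)\mathrm{Fek}_p(x) + qh\,\mathrm{Fek}_p(x) + \Phi_p(x)A_1(x)\mathrm{Fek}_p(x),
\end{aligned}$$

as well as

$$\mathrm{Fek}_p(x)^q = \mathrm{Fek}_p(x^q) + qB(x) = \Big(\frac{q}{p}\Big)\mathrm{Fek}_p(x) + \Phi_p(x)C(x) + qB(x).$$

Thus

$$\Big(\frac{q}{p}\Big)\mathrm{Fek}_p(x) - \Big(\frac{p^*}{q}\Big)\mathrm{Fek}_p(x) = qR(x) + \Phi_p(x)S(x)$$

for polynomials R, S ∈ Z[x]. Our goal is showing that the polynomial on the left
hand side is 0. To this end we first write

$$\mathrm{Fek}_p(x) = \varepsilon\Phi_p(x) + F(x)$$

with $\varepsilon = (\frac{-1}{p})$ and some polynomial F(x) of degree ≤ p − 2.
Next $F(0) = \mathrm{Fek}_p(0) - \varepsilon\Phi_p(0) = -\varepsilon$. Thus we have

$$\Big[\Big(\frac{q}{p}\Big) - \Big(\frac{p^*}{q}\Big)\Big]F(x) = qR(x) + \Phi_p(x)T(x).$$

Now we write $R(x) = \Phi_p(x)q(x) + r(x)$ for some polynomial r of degree ≤ p − 2,
and we find

$$\Big[\Big(\frac{q}{p}\Big) - \Big(\frac{p^*}{q}\Big)\Big]F(x) - qr(x) = \Phi_p(x)U(x).$$

The polynomial on the left side has degree ≤ p − 2 and is divisible by $\Phi_p(x)$. Since
$\Phi_p$ is irreducible, this is only possible if the polynomial vanishes:

$$\Big[\Big(\frac{q}{p}\Big) - \Big(\frac{p^*}{q}\Big)\Big]F(x) - qr(x) = 0.$$

Plugging in x = 0 yields

$$\Big[\Big(\frac{q}{p}\Big) - \Big(\frac{p^*}{q}\Big)\Big]F(0) - qr(0) = -\varepsilon\Big[\Big(\frac{q}{p}\Big) - \Big(\frac{p^*}{q}\Big)\Big] - qr(0) = 0,$$

and since ε = ±1 is not divisible by q, the expression in the bracket must be a
multiple of q. But since q > 2 this is only possible if the two Legendre symbols
coincide.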
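The three congruences (10.8), (10.9) and (10.10), together with Lemma 10.15, can be checked with exact integer polynomial arithmetic. The sketch below is an added example, not code from the book; polynomials are coefficient lists with index equal to exponent, and all function names are chosen here for illustration.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def fekete(p):
    """Coefficient list of Fek_p(x); entry n is the Legendre symbol (n/p)."""
    return [legendre(n, p) for n in range(p)]

def mul(f, g):
    """Product of two integer polynomials."""
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] += a * b
    return h

def power_substitute(f, n):
    """The polynomial f(x^n)."""
    h = [0] * ((len(f) - 1) * n + 1)
    for i, a in enumerate(f):
        h[i * n] += a
    return h

def mod_xp_minus_1(f, p):
    """Remainder modulo x^p - 1: fold exponents modulo p."""
    r = [0] * p
    for i, a in enumerate(f):
        r[i % p] += a
    return r

def mod_phi(f, p):
    """Remainder modulo Phi_p(x), of degree <= p - 2.

    Phi_p divides x^p - 1, so reduce modulo x^p - 1 first and then
    subtract (coefficient of x^(p-1)) * Phi_p(x).
    """
    r = mod_xp_minus_1(f, p)
    top = r[p - 1]
    return [c - top for c in r[:p - 1]]

def lemma_10_15_holds(p, n):
    """Phi_p(x^n) mod Phi_p(x) is p if p | n and 0 otherwise."""
    residue = mod_phi(power_substitute([1] * p, n), p)
    return residue == [p if n % p == 0 else 0] + [0] * (p - 2)

def sixth_proof_ingredients(p, q):
    """Check (10.8)-(10.10) for odd primes p != q; also return both symbols."""
    F = fekete(p)
    p_star = legendre(-1, p) * p
    ok_8 = mod_phi(mul(F, F), p) == [p_star] + [0] * (p - 2)
    F_to_q = [1]
    for _ in range(q):
        F_to_q = mul(F_to_q, F)
    F_of_xq = power_substitute(F, q)
    ok_9 = all((a - b) % q == 0 for a, b in zip(F_to_q, F_of_xq))
    ok_10 = mod_xp_minus_1(F_of_xq, p) == [legendre(q, p) * c for c in F]
    return ok_8, ok_9, ok_10, legendre(q, p), legendre(p_star, q)

if __name__ == "__main__":
    for p, q in [(5, 3), (7, 3), (7, 5), (11, 7)]:
        print(p, q, sixth_proof_ingredients(p, q))
```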

10.4 The Analytic Class Number Formula

In this last section we will sketch possible extensions of our investigations. We have
already seen that the factor 1 − q of the Fekete polynomial may be canceled with
the corresponding factor in $1 - q^N$. This fact allows us to determine the value $f_\chi(1)$
(see Table 10.2).

Table 10.2 The values $f_\chi(1)$

| Δ | N | χ(−1) | $f_\chi(q)$ | $f_\chi(1)$ |
|---|---|---|---|---|
| −3 | 3 | −1 | $\frac{q}{1 + q + q^2}$ | $\frac{1}{3}$ |
| −4 | 4 | −1 | $\frac{q}{1 + q^2}$ | $\frac{1}{2}$ |
| 5 | 5 | +1 | $\frac{q - q^3}{1 + q + q^2 + q^3 + q^4}$ | 0 |
| −7 | 7 | −1 | $\frac{q + 2q^2 + q^3 + 2q^4 + q^5}{1 + q + q^2 + q^3 + q^4 + q^5 + q^6}$ | 1 |
| 8 | 8 | +1 | $\frac{q - q^3}{1 + q^4}$ | 0 |
| −8 | 8 | −1 | $\frac{q + q^3}{1 + q^4}$ | 1 |
| 12 | 12 | +1 | $\frac{q - q^3}{1 - q^2 + q^4}$ | 0 |
| −15 | 15 | +1 | $\frac{q - q^3 + 2q^4 - q^5 + q^7}{1 - q + q^3 - q^4 + q^5 - q^7 + q^8}$ | 2 |

The fact that $f_\chi(1) = 0$ for Δ > 0 follows immediately from the functional
equation of $f_\chi$ (see Exercise 10.9). The values for negative discriminants are
mysterious; if we extend the table far enough, then it turns out that, for negative
discriminants Δ < −3, the value $f_\chi(1)$ is related to the class number of $\mathbb{Q}(\sqrt{\Delta})$ in
a very simple and striking way:
Theorem 10.18 We have $f_\chi(1) = 0$ if and only if the unit group of the quadratic
number field with discriminant Δ has rank 1, i.e., if and only if the Pell equation
$T^2 - \Delta U^2 = 4$ has a nontrivial solution.
If Δ < 0, on the other hand, then

$$f_\chi(1) = \frac{2h}{w} = \frac{h}{w/2} = \frac{(\#\mathrm{Cl}(K) : \#\mathrm{Cl}(\mathbb{Q}))}{(\#W_K : \#W_{\mathbb{Q}})}, \tag{10.11}$$

where h = #Cl(K) denotes the class number, w the number of roots of unity in
$K = \mathbb{Q}(\sqrt{\Delta})$, and $W_K$ the group of roots of unity in K.
Observe that Cl(Q) = 1 since Z has unique factorization, and that $W_{\mathbb{Q}} = \{\pm1\}$,
hence $\#W_{\mathbb{Q}} = 2$.
The expression on the right shows that the formula $f_\chi(1) = \frac{2h}{w}$ is actually a
relative class number for the quadratic extension K/Q and beautifully explains the
occurrence of the factor 2 in the numerator.
The investigation of the generating functions of Kronecker and Dirichlet charac-
ters has led us into rather deep waters. Although the terms in (10.11) all are closely
related to the arithmetic of number fields, the natural proof of this equation uses
analytic methods.
In this proof, a central role is played by Dirichlet L-series, which Dirichlet had
also used for proving his theorem on primes in arithmetic progression. L-series
provide a second possibility of writing down a generating function for Dirichlet
characters χ, which is different from the Pell form, which is a power series. We set

$$L(s, \chi) = \sum_{n=1}^{\infty}\chi(n)n^{-s}$$

and then show that this series converges absolutely for all s > 1.
By manipulating divergent series without fear and evaluating the L-series L(s, χ)
at places where it is not defined we find

$$f_\chi(1) = \lim_{q\to1}\sum_{n\ge1}\chi(n)q^n = \sum_{n\ge1}\chi(n) = \lim_{s\to0}\sum_{n\ge1}\chi(n)n^{-s} = L(0, \chi).$$

We can assign a value to the meaningless expression L(0, χ) by extending the
function analytically to the whole complex plane. This function then satisfies a
functional equation relating the values of the L-series at s and 1 − s; in particular,
it allows us to compute L(0, χ) from L(1, χ). It is rather easy to see that the
series L(1, χ) converges conditionally for all quadratic Dirichlet characters with
conductor N > 1. For $\chi = \chi_{-4}$, for example, we have, according to Leibniz,

$$L(1, \chi) = 1 - \frac{1}{3} + \frac{1}{5} - \frac{1}{7} + \ldots = \frac{\pi}{4}.$$

There is a connection between this Leibniz series and Pell forms: Clearly

$$F_\chi(q) = q - \frac{q^3}{3} + \frac{q^5}{5} - \frac{q^7}{7} + \ldots$$

is a primitive of

$$1 - q^2 + q^4 - q^6 + \ldots = \frac{1}{1 + q^2} = \frac{f_\chi(q)}{q},$$

and this can be done for arbitrary Dirichlet characters since we have

$$\int_0^1\frac{f_\chi(q)}{q}\,dq = \int_0^1\sum_{n\ge1}\chi(n)q^{n-1}\,dq = \sum_{n\ge1}\chi(n)\int_0^1q^{n-1}\,dq = \sum_{n\ge1}\frac{\chi(n)}{n} = L(1, \chi),$$

where we once more point out that interchanging the order of taking limits requires
a proof.
For $\chi = \chi_8$, for example, we obtain

$$L(1, \chi) = 1 - \frac{1}{3} - \frac{1}{5} + \frac{1}{7} + \ldots = \int_0^1\frac{1 - q^2}{1 + q^4}\,dq.$$

A numerical integration shows that

$$L(1, \chi) \approx 0.31161262007011525669701004 \approx \frac{\log(1 + \sqrt{2})}{\sqrt{8}}.$$

The fact that $L(1, \chi) = \frac{\log(1 + \sqrt{2})}{\sqrt{8}}$ can be proved using the partial fraction
decomposition of $\frac{f_\chi(q)}{q}$.
For arbitrary quadratic Dirichlet characters we have the following important and
deep
Theorem 10.19 Let K be a quadratic number field with discriminant Δ and class
number h, and let χ be the quadratic Dirichlet character defined modulo N = |Δ|
which is attached to K. Moreover, let ε > 1 denote the fundamental unit of the real
quadratic number field K if Δ > 0. Then

$$L(1, \chi) = \begin{cases} \dfrac{2\pi h}{w\sqrt{N}}, & \text{if } \Delta < 0,\\[1ex] \dfrac{h\log\varepsilon}{\sqrt{N}}, & \text{if } \Delta > 0, \end{cases}$$

where the value of the L-series on the left is given by

$$L(1, \chi) = \sum_{n=1}^{\infty}\frac{\chi(n)}{n} = \int_0^1\frac{f_\chi(q)}{q}\,dq.$$

These class number formulas, which underline again the central importance of
the Pell forms fχ and the Fekete polynomials for the arithmetic of quadratic number
fields, are due to Dirichlet, who proved them for quadratic forms rather than for
quadratic number fields. The integral representation of $L(1, \chi) = \int_0^1\frac{f_\chi(q)}{q}\,dq$ may
be transformed via the partial fraction decomposition of $f_\chi$ into a finite sum, which
has a certain charm, but is not very well suited for the computation of class numbers
except for small discriminants.
Dirichlet’s main motivation for working out the class number formula was the
obvious corollary that L(1, χ) ≠ 0 for all quadratic Dirichlet characters. Since
the corresponding claim for Dirichlet characters that attain nonreal values may be
proved rather easily, Dirichlet obtained that L(1, χ) ≠ 0 for all Dirichlet characters
modulo N. This in turn quickly implies (by an idea going back to Euler) that for
any pair of coprime integers a and N there exist infinitely many prime numbers
p with p ≡ a mod N. This is Dirichlet’s famous theorem on primes in arithmetic
progression.
For a proof of these results we refer the reader to the wonderful books by
Scharlau and Opolka [111] and by Zagier [134].

10.5 Modularity

Euler’s Modularity Theorem is not a reciprocity law in the sense of Legendre
because it does not connect the solvability of the congruence $x^2 \equiv p \bmod q$ with
that of $x^2 \equiv q \bmod p$. But, as Kronecker has made clear, the Modularity Theorem
is more fundamental than the reciprocity law because higher reciprocity laws are
governed by modularity.
Already in the rational integers, the Modularity Theorem has certain advantages.
For example, the formulation of Legendre’s reciprocity law requires two supplementary
laws for computing the symbols $(\frac{-1}{p})$ and $(\frac{2}{p})$; the Modularity Theorem,
on the other hand, also holds for a = −1 and a = ±2.
The generalization of Legendre’s quadratic reciprocity law from rational integers
to algebraic integers in general number fields turns out to be very difficult,
since there is no simple formula for the inversion factor $(\frac{\alpha}{\beta})(\frac{\beta}{\alpha})$. More seriously,
Legendre’s reciprocity law only makes sense for principal ideals, which restricts the
applicability of the reciprocity law considerably; in particular, the reciprocity law
cannot be used directly for computing power residue symbols of the form $(\frac{\alpha}{\mathfrak{p}})$ for
nonprincipal ideals $\mathfrak{p}$.

The generalization of the Modularity Theorem to arbitrary number fields is rather
straightforward. Essentially we have $(\frac{\alpha}{\beta}) = (\frac{\alpha}{\gamma})$ if β ≡ γ mod 4α and if certain sign
conditions are satisfied. The modulus 4α may often be replaced by a smaller one,
for example, the relative discriminant of the quadratic extension $K(\sqrt{\alpha})/K$.
In addition, the Modularity Theorem may be extended to arbitrary ideals coprime
to 2α. In fact we have $(\frac{\alpha}{\mathfrak{b}}) = (\frac{\alpha}{\mathfrak{c}})$ if $\mathfrak{b} \equiv \mathfrak{c} \bmod 4\alpha$, by which we mean that $\mathfrak{b}$ and
$\mathfrak{c}$ are coprime to (2α), and that the ideal $\mathfrak{b}\mathfrak{c}^{-1} = (\delta)$ is principal and generated by
an element δ ≡ 1 mod 4α. Again there are a couple of sign conditions that must be
observed.
We also remark that the most general reciprocity law for abelian extensions,
namely Artin’s reciprocity law, is by its nature a modularity theorem. Similar
remarks apply to generalizations to non-abelian extensions inside Langlands’
program, and for corresponding results in the theory of elliptic curves.

10.5.1 Modularity of Polynomials

Let f ∈ Z[x] be a monic polynomial with integral coefficients. We denote by Spl(f)
the set of all prime numbers p not dividing the discriminant disc f such that f
is a product of linear factors when considered over the ring $\mathbb{F}_p[x]$. For example,
the polynomial $f(x) = x^2 - 2$ splits into two linear factors modulo all primes
p ≡ ±1 mod 8.
We say that such a polynomial f is modular² if there exists a natural number
N such that the set of primes Spl(f) can be described (up to at most finitely many
exceptions) by congruence relations modulo N. As an example consider $f(x) = x^3 - 3x + 1$.
This polynomial is a cube modulo 3 since $f(x) \equiv (x + 1)^3 \bmod 3$,
and it is easily checked that f does not have roots modulo primes 5 ≤ p ≤ 13
and therefore is irreducible modulo these primes. For p = 17, however, we have
f(x) ≡ (x + 3)(x + 4)(x − 1) mod 17. If we continue these calculations we are led
to suspect that f splits into three distinct linear factors if and only if p ≡ ±1 mod 9.
The reason for this behavior of f modulo p has to do with the fact that the roots
of f are elements of the field of 9th roots of unity. In fact, if ζ is a primitive 9th root
of unity, then $\zeta^6 + \zeta^3 + 1 = 0$; setting $\alpha = \zeta + \zeta^{-1}$ we then find

$$\alpha^3 = \zeta^3 + 3\zeta + 3\zeta^{-1} + \zeta^{-3} = \zeta^3 + \zeta^6 + 3\alpha = 3\alpha - 1,$$

hence α is a root of f. Thus the roots of f generate a cubic subfield of Q(ζ), and
this implies that f is a polynomial with an abelian Galois group.

² In the theory of complex multiplication there exists something called “the modular polynomial.”

The ring homomorphism σ sending ζ to $\zeta^2$ is an automorphism of Q(ζ), and we
find

$$\sigma(\alpha) = \sigma(\zeta + \zeta^{-1}) = \zeta^2 + \zeta^{-2} = \alpha^2 - 2.$$

This map permutes the roots of f and makes the fact that f has an abelian Galois
group explicit.
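The congruence description of Spl(f) and the action of σ can be tested by brute force. The sketch below is an added example, not code from the book; the discriminants 81 and 8 are computed here from the standard formulas, and the function names are illustrative.

```python
def primes_up_to(n):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (n + 1)
    sieve[:2] = b"\x00\x00"
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i in range(n + 1) if sieve[i]]

def roots_mod(coeffs, p):
    """Roots in F_p of the polynomial with coefficient list coeffs (constant first)."""
    def value(x):
        acc = 0
        for c in reversed(coeffs):        # Horner evaluation modulo p
            acc = (acc * x + c) % p
        return acc
    return [x for x in range(p) if value(x) == 0]

def spl(coeffs, disc, bound):
    """Primes p <= bound not dividing disc modulo which f has deg(f) distinct roots."""
    degree = len(coeffs) - 1
    return [p for p in primes_up_to(bound)
            if disc % p and len(roots_mod(coeffs, p)) == degree]

F_CUBIC = [1, -3, 0, 1]      # x^3 - 3x + 1, discriminant 81
F_QUAD = [-2, 0, 1]          # x^2 - 2, discriminant 8

def sigma_permutes_roots(p):
    """Check that r -> r^2 - 2 maps the roots of x^3 - 3x + 1 mod p to roots."""
    roots = roots_mod(F_CUBIC, p)
    return sorted((r * r - 2) % p for r in roots) == roots

if __name__ == "__main__":
    print("Spl(x^3 - 3x + 1) up to 100:", spl(F_CUBIC, 81, 100))
    print("primes = +-1 mod 9 up to 100:",
          [p for p in primes_up_to(100) if p % 9 in (1, 8)])
```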
The classification of modular polynomials is achieved by class field theory; the
result is
Theorem 10.20 A polynomial is modular if and only if its Galois group is abelian.
The Galois group of a polynomial is abelian if and only if its splitting field (up to
isomorphism, the smallest extension of Q containing all the roots of f ) is abelian.
The “finitely many exceptions” have to do with the choice of f. Clearly $f(x) = x^2 - x - 1$
and $g(x) = x^2 - 5$ have the same splitting behavior for every odd prime
since $4f(x) = (2x - 1)^2 - 5 = g(2x - 1)$. But f is irreducible modulo 2 (which
corresponds to the fact that 2 is inert in $\mathbb{Q}(\sqrt{5})$), yet $x^2 - 5 \equiv (x + 1)^2 \bmod 5$. Note
that disc f = 5 and disc g = 20.

10.5.2 Modularity of Number Fields



Observe, for example, that $\mathbb{Q}(\sqrt{-3}) = \mathbb{Q}(\zeta_3)$ and $\mathbb{Q}(i) = \mathbb{Q}(\zeta_4)$ are fields of
roots of unity. The quadratic number fields $\mathbb{Q}(\sqrt{2})$ and $\mathbb{Q}(\sqrt{-2})$ are contained in
the field of eighth roots of unity since $\zeta_8 = \frac{\sqrt{2} + \sqrt{-2}}{2}$, which implies that
$\sqrt{-2} = \zeta_8 + \zeta_8^3$ and $\sqrt{2} = \zeta_8 + \zeta_8^{-1}$. In all these examples, the quadratic number field with
discriminant Δ is contained in the field of N-th roots of unity with N = |Δ|. This
is no coincidence: Let us call a quadratic number field with discriminant Δ modular
if it is contained in some field of N-th roots of unity. We may (and will) assume in
addition that N ≢ 2 mod 4 since $\mathbb{Q}(\zeta_{2m+1}) = \mathbb{Q}(\zeta_{2(2m+1)})$.
Proposition 10.21 If the quadratic number field k is contained in $\mathbb{Q}(\zeta_m)$ and $\mathbb{Q}(\zeta_n)$,
then it is also contained in $\mathbb{Q}(\zeta_{\gcd(m,n)})$.
If k is contained in both fields, then it is contained in their intersection. Thus the
claim follows from the observation

$$\mathbb{Q}(\zeta_m) \cap \mathbb{Q}(\zeta_n) = \mathbb{Q}(\zeta_{\gcd(m,n)}),$$

which we do not prove here.

The smallest positive integer N for which the quadratic number field k is
contained in $\mathbb{Q}(\zeta_N)$ is called the conductor of k.
Theorem 10.22 Each quadratic number field is contained in some cyclotomic field.
In fact, if Δ = disc k and N = |Δ|, then N is the conductor of k.
This follows by writing the discriminant of k as a product of prime discriminants.
It is a very special case of a more general result. Let us call a number field K
modular if there is a natural integer N such that $K \subset \mathbb{Q}(\zeta_N)$. Then we have
Theorem 10.23 (Theorem of Kronecker-Weber) A number field K is modular if
and only if it is a Galois extension of Q with abelian Galois group.
This theorem was conjectured by Kronecker, who claimed to have a partial proof.
The first published proofs are due to Weber and Hilbert, and nowadays there are
many different proofs.

10.5.3 Pell Forms

Let us now call the Pell form $f_\kappa$ of a Kronecker symbol $\kappa = (\frac{\Delta}{\cdot})$ modular if the
following conditions are satisfied:
• There exist polynomials A, B ∈ Z[q], with B monic, such that $f_\kappa(q) = \pm\frac{A(q)}{B(q)}$;
• $f_\kappa$ satisfies a functional equation of the form $f_\kappa(\frac{1}{q}) = \pm f_\kappa(q)$ for some choice
of the sign.
We say that $f_\kappa$ is strongly modular if we can choose $B(q) = q^N - 1$ for N = |Δ|.
The following theorem tells us that the modularity of the Kronecker symbol is a
consequence of analytic properties of the associated Pell forms:
Theorem 10.24 The modularity of $f_\kappa$ implies the modularity of the Kronecker
symbol $\kappa(p) = (\frac{\Delta}{p})$.
Assume that $f_\kappa(q) = \frac{A(q)}{B(q)}$ is rational and satisfies the functional equation
$f_\kappa(\frac{1}{q}) = \pm f_\kappa(q)$. Since $f_\kappa$ converges absolutely inside the unit circle, $f_\kappa$ does not
have any poles there. By the functional equation, it cannot have any poles outside
the unit circle. Thus the rationality and the functional equation imply that $f_\kappa$ has all
its poles on the unit circle.
Since B(q) is monic, the poles of $f_\kappa$ must be algebraic integers. Thus if $f_\kappa$ has a
pole in q = ζ, then ζ and all of its conjugates lie on the unit circle. Now we invoke
the following result due to Kronecker:
Proposition 10.25 (Kronecker) If η is an algebraic integer with the property that
all of its conjugates lie on the unit circle, then η is a root of unity.
Let η be a root of a monic polynomial with degree n. By Dirichlet’s pigeonhole
principle, there exist natural numbers r < s such that $|\eta^s - \eta^r| < 2^{-n}$. The
conjugates $\eta_j^k$ of $\eta^k$ all lie on the unit circle, hence $|\eta_j^s - \eta_j^r| \le 2$. Since the norm
of an algebraic number is the product of its conjugates (see Exercise 2.46), we have
$|N(\eta^s - \eta^r)| < 2^{-n}2^{n-1} = \frac{1}{2}$. Since η is an algebraic integer, its norm is a rational
integer, and we conclude that its norm is 0. But then $\eta^s = \eta^r$, hence $\eta^{s-r} = 1$, and
this implies that η is a root of unity.

Here is a second proof based on a similar idea: Let η be an algebraic integer,
that is, a root of a monic polynomial of degree n. Then $\eta^k$ is an algebraic integer of
degree m ≤ n, and its minimal polynomial is

$$(x - \eta_1^k)(x - \eta_2^k)\cdots(x - \eta_m^k) = x^m + a_{m-1}x^{m-1} + \ldots + a_1x + a_0 \in \mathbb{Z}[x],$$

where $\eta_1^k, \ldots, \eta_m^k$ are the conjugates of $\eta^k$. Clearly

$$\begin{aligned}
a_{m-1} &= \eta_1^k + \eta_2^k + \ldots + \eta_m^k,\\
a_{m-2} &= \eta_1^k\eta_2^k + \eta_1^k\eta_3^k + \ldots + \eta_{m-1}^k\eta_m^k,\\
\ldots &= \ldots,\\
a_1 &= \eta_1^k\cdots\eta_{m-1}^k + \ldots + \eta_2^k\cdots\eta_m^k,\\
a_0 &= \eta_1^k\eta_2^k\cdots\eta_m^k.
\end{aligned}$$

Since the absolute values of the $\eta_j^k$ are = 1, this implies that

$$|a_{m-1}| \le m, \quad |a_{m-2}| \le \binom{m}{2}, \quad \ldots, \quad |a_k| \le \binom{m}{k}, \quad \ldots, \quad |a_1| \le m, \quad |a_0| = 1.$$

These bounds show that there are only finitely many such polynomials, hence there
must exist natural numbers r < s with $\eta^r = \eta^s$, and this implies as above that η is
a root of unity.
Now we can finish the proof of Theorem 10.24. Since we have just shown that
the poles of $f_\kappa$ are roots of unity, we can choose an integer N such that the poles
are roots of $x^N - 1$. Then we can write

$$f_\kappa(q) = \frac{C(q)}{1 - q^N},$$

where the rational function is not necessarily written in lowest terms.
The functional equation tells us that $f(\frac{1}{q}) = \pm f(q)$. Since f(0) = 0 and f is
continuous at q = 0, this implies that f(x) → 0 for x → ∞, and this implies that
deg A < deg B and therefore deg C < N.
If we now compare the power series expansion

$$f_\kappa(q) = \frac{C(q)}{1 - q^N} = C(q) + C(q)q^N + C(q)q^{2N} + \ldots$$

with the definition of $f_\kappa(q)$ we find that κ(m) only depends on the value of m
modulo N, and this finally shows that κ is modular.

10.6 Modularity of Elliptic Curves

The notion of modularity is essential for understanding quadratic (and higher)
reciprocity, but it was developed in a different area of mathematics (if we disregard
the early insights of Euler and Kronecker). The idea that all elliptic curves $y^2 = f(x)$
with a cubic polynomial f ∈ Z[x] should be modular goes back to the
Japanese mathematicians Yutaka Taniyama and Goro Shimura.
We only present the material in this section in order to emphasize the importance
of the notion of modularity in modern number theory. We also remark in passing
that the modularity of elliptic curves was used in an essential way by Andrew Wiles
in his proof of Fermat’s Last Theorem for arbitrary exponents p ≥ 5.

10.6.1 Group Law

The affine points on an elliptic curve $E : y^2 = x^3 + ax + b$, together with the point
at infinity, carry a group law that has a geometric interpretation: Given two affine
points P and Q, the line through P and Q (or the tangent in P if P = Q) intersects
the elliptic curve in a third point R; the reflection of R at the x-axis is, by definition,
the sum P ⊕ Q. The neutral element is the point at infinity. Checking the axioms of
the group structure is easy except for associativity (Fig. 10.1).

Fig. 10.1 The elliptic curve $y^2 = x^3 - x$ over the reals and the group law

10.6.2 Curves with Complex Multiplication

Let us consider the elliptic curve $E : y^2 = x^3 - x$. This curve is said to have
complex multiplication by Z[i]; we will be content with mentioning that this has to
do with the fact that the substitutions $y = iy_1$ and $x = -x_1$ leave the equation of E
invariant.
We now count the number of $\mathbb{F}_p$-rational points on this elliptic curve. For p = 5,
for example, there are the following $\mathbb{F}_5$-rational points on E besides the point at
infinity:

$$E(\mathbb{F}_5) = \{\infty, (0, 0), (1, 0), (2, \pm1), (3, \pm2), (-1, 0)\}.$$

Thus $N_5 = \#E(\mathbb{F}_5) = 8$.
Similar calculations for other odd primes yield the following table:

| p | 3 | 5 | 7 | 11 | 13 | 17 | 19 | 23 | 29 | 31 | 37 | 41 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $N_p$ | 4 | 8 | 8 | 12 | 8 | 16 | 20 | 24 | 40 | 32 | 40 | 32 |

This table suggests that $N_p = p + 1$ for primes p ≡ 3 mod 4. For understanding
what is going on for primes p ≡ 1 mod 4 we write $N_p = p + 1 - a_p$. Then $a_p = 0$
for primes p ≡ 3 mod 4; and for primes p ≡ 1 mod 4 we obtain

| p | 5 | 13 | 17 | 29 | 37 | 41 |
|---|---|---|---|---|---|---|
| $a_p$ | −2 | 6 | 2 | −10 | −2 | 10 |

The pattern becomes visible if we write these primes p as sums of two squares: In
fact, if $p = a^2 + b^2$, where a ≡ 1 mod 4, then $a_p = -2a$. We have already proved
this result in Theorem 3.31.

10.6.3 Hasse’s Theorem

It follows from the formula $N_p = p + 1 - 2a$, where $E : y^2 = x^3 - x$ and p is an
odd prime $p = a^2 + b^2$ with a ≡ 1 mod 4, that $|N_p - (p + 1)| = 2a \le 2\sqrt{p}$. The
fact that this bound holds for all elliptic curves $y^2 = x^3 + ax + b$ defined over Q
was proved by Helmut Hasse in the 1930s. Hasse’s theorem can be interpreted as a
Riemann conjecture for the zeta function attached to the elliptic curve over $\mathbb{F}_p$. For
the history of this result, see [110].

10.6.4 Modularity of Elliptic Curves

It is rather difficult to explain the modularity of elliptic curves from scratch.3 As for
Pell conics, the main content is the existence of a modulus N for each elliptic curve
E such that the values ap = p + 1 − Np , where Np = #E(Fp ) is the number of
Fp -rational points on the elliptic curve E, is determined by what is called a modular
form on Γ0 (N).
Consider the following example, which is essentially already contained in
Shimura’s work. Let E : y 2 − y = x 3 − x 2 be an elliptic curve; its discriminant is
Δ = −11. Consider the function

 ∞
f (q) = q (1 − q n )2 (1 − q 11n )2 = an q n .
n=1 n=1

This is a cusp form of weight 2 living on Γ0 (11). What this means is that this
function satisfies a functional equation of the following form: Set q = e2πiz and
interpret f as a function of the complex variable z. Then
 az + b 
f = (cz + d)2 f (z)
cz + d
 
for all matrices  ac db  with a, b, c, d ∈ Z, determinant ad − bc = 1 and c ≡
0 mod 11. Since 10 11 ∈ Γ0 (N) for every N, we have in particular f (z+1) = f (z);
but this was clear from the fact that f is a function of q = e2πiz .
A simple calculation yields

f (q) = q − 2q 2 − q 3 + 2q 4 + q 5 + 2q 6 − 2q 7 − 2q 9 − 2q 10 + q 11
− 2q 12 + 4q 13 + 4q 14 − q 15 − 4q 16 − 2q 17 + 4q 18 + 2q 20 + · · ·

If we compute the numbers ap = p + 1 − Np for E and some small primes p, we


obtain

p 2 3 5 7 11 13 17 19
ap −2 −1 1 −2 −1 4 −2 0

The pattern now is clear: For all prime numbers p not dividing the modulus N = 11,
the coefficient ap in the power series expansion of f (q) coincides with the number
ap = p + 1 − Np that determines the number of Fp -rational points on E.

3 I highly recommend the books [4, 5] to everyone interested in learning more about the big picture.

And there is more: Define the Tribonacci numbers $T_n$ by $T_0 = 0$, $T_1 = T_2 = 1$
and $T_{n+3} = T_{n+2} + T_{n+1} + T_n$ for $n \ge 3$. Then the following theorem⁴ holds:
Theorem 10.26 For all primes $p \ne 2, 11, 19$, the following assertions are
equivalent:
(1) $T_{p-1} \equiv 0 \bmod p$;
(2) $p = x^2 + 11y^2$;
(3) $a_p$ is even and $(\frac{p}{11}) = +1$.

The first few primes $p$ for which $p \mid T_{p-1}$ are $p = 19, 47, 53, 103$ and $163$. The
prime $p = 19$ is exceptional, and the others are represented by $x^2 + 11y^2$:

$$47 = 6^2 + 11, \quad 53 = 3^2 + 11 \cdot 2^2, \quad 103 = 2^2 + 11 \cdot 3^2, \quad 163 = 8^2 + 11 \cdot 3^2.$$
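The coefficient comparison for the level 11 cusp form and the equivalences of Theorem 10.26 can both be checked numerically. The following Python script is an added example, not code from the book; all function names are chosen here for illustration, and the point count is a plain brute-force count over $\mathbb{F}_p$.

```python
from math import isqrt


def cusp_form_coeffs(limit):
    """Return a list a with a[n] = coefficient of q^n in
    f(q) = q * prod_{n>=1} (1 - q^n)^2 (1 - q^(11n))^2, for 1 <= n <= limit."""
    c = [0] * limit                 # c[i] = coefficient of q^i in the bare product
    c[0] = 1
    for n in range(1, limit):
        for k in (n, n, 11 * n, 11 * n):           # every factor occurs squared
            for i in range(limit - 1, k - 1, -1):  # multiply in place by (1 - q^k)
                c[i] -= c[i - k]
    return [0] + c                  # shift by the leading factor q


def count_points(p):
    """N_p = #E(F_p) for E: y^2 - y = x^3 - x^2, point at infinity included."""
    lhs = {}
    for y in range(p):
        v = (y * y - y) % p
        lhs[v] = lhs.get(v, 0) + 1
    return 1 + sum(lhs.get((x ** 3 - x * x) % p, 0) for x in range(p))


def a_p(p):
    """a_p = p + 1 - N_p for the curve E."""
    return p + 1 - count_points(p)


def tribonacci_mod(n, m):
    """T_n mod m with T_0 = 0, T_1 = T_2 = 1."""
    a, b, c = 0, 1, 1
    for _ in range(n):
        a, b, c = b, c, (a + b + c) % m
    return a % m


def is_x2_plus_11y2(p):
    """True if p = x^2 + 11 y^2 has a solution in integers."""
    y = 0
    while 11 * y * y <= p:
        r = p - 11 * y * y
        if isqrt(r) ** 2 == r:
            return True
        y += 1
    return False


def primes_up_to(n):
    return [p for p in range(2, n + 1)
            if all(p % d for d in range(2, isqrt(p) + 1))]


def modularity_mismatches(bound):
    """Primes p <= bound, p != 11, where the q-coefficient differs from p + 1 - N_p."""
    coeffs = cusp_form_coeffs(bound)
    return [p for p in primes_up_to(bound) if p != 11 and coeffs[p] != a_p(p)]


def theorem_10_26_table(bound):
    """Rows (p, cond1, cond2, cond3) for all primes p <= bound except 2, 11, 19."""
    rows = []
    for p in primes_up_to(bound):
        if p in (2, 11, 19):
            continue
        cond1 = tribonacci_mod(p - 1, p) == 0
        cond2 = is_x2_plus_11y2(p)
        # Euler's criterion modulo 11 gives the Legendre symbol (p/11)
        cond3 = a_p(p) % 2 == 0 and pow(p, 5, 11) == 1
        rows.append((p, cond1, cond2, cond3))
    return rows


if __name__ == "__main__":
    print("coefficients a_1..a_20:", cusp_form_coeffs(20)[1:])
    print("mismatches below 100:", modularity_mismatches(100))
    for row in theorem_10_26_table(170):
        if row[1]:
            print("p | T_(p-1) for p =", row[0])
```
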

The Tribonacci numbers can be expressed explicitly using the roots of the cubic
polynomial $f(x) = x^3 - x^2 - x - 1$; the corresponding elliptic curve $E_2 : y^2 = x^3 - x^2 - x - 1$
has discriminant $\Delta_2 = -2^6 \cdot 11$ and is a “quadratic twist” of the elliptic
curve $E$ above. In fact, consider the elliptic curve $E : y^2 - y = x^3 - x^2$. Multiplying
through by 4 and completing the square shows that $(2y - 1)^2 = 4x^3 - 4x^2 + 1$,
hence

$$[-2(2y - 1)]^2 = -8x^3 + 8x^2 - 2 = (-2x)^3 + 2(-2x)^2 - 2.$$

Setting $Y = -2(2y - 1)$ and $\xi = -2x$ we obtain the equation $Y^2 = \xi^3 + 2\xi^2 - 2$.
Finally, setting $\xi = X - 1$ gives $E_2 : Y^2 = X^3 - X^2 - X - 1$.
This implies that both curves have the same number of $\mathbb{F}_p$-rational points if $(\frac{-2}{p}) = +1$;
if $(\frac{-2}{p}) = -1$, on the other hand, then the number of points is $N_p = p + 1 - a_p$
on one and $N_p = p + 1 + a_p$ on the other curve. In all cases, $a_p(E) = (\frac{-2}{p}) \cdot a_p(E_2)$.
This in turn implies that the condition $a_p \equiv 0 \bmod 2$ in Theorem 10.26 is equivalent
to the character sum

$$S = \sum_{x=0}^{p-1} \Big(\frac{x^3 - x^2 - x - 1}{p}\Big)$$

being odd. I do not know whether there is a link between the value of $S$ and the
representations of $p$ in the form $x^2 + 11y^2$.
These examples are only the tip of a massive iceberg. Following the breakthrough
by Wiles it was shown that every elliptic curve defined over Q is modular. The
modularity theorems for quadratic number fields (and actually for all abelian
number fields) and for elliptic curves are pieces of a large area of conjectures due to
Robert Langlands.

4 See Evink and Helminck [40].



10.7 Exercises

10.1. Let A and B be finite abelian groups. Show that the set A ⊕ B of all pairs
(a, b) with a ∈ A and b ∈ B becomes a group by setting (a1 , b1 )·(a2 , b2 ) =
(a1 a2 , b1 b2 ).
This is a purely formal exercise. If 1A and 1B denote the neutral elements of
A and B, then (1A , 1B ) is the neutral element of A ⊕B. The inverse element
of (a, b) is (a −1 , b −1 ), and associativity is directly inherited from A and B.
10.2. Let A and B be finite abelian groups. Show that each subgroup of A ⊕ B has
the form A1 ⊕ B1 , where A1 and B1 are subgroups of A and B, respectively.
10.3. Let χ1 and χ2 denote two Dirichlet characters defined modulo N1 and
modulo N2 , respectively, and assume that N1 and N2 are coprime. Then

χ(a + NZ) = χ1 (a + N1 Z)χ2 (a + N2 Z)

defines a Dirichlet character defined modulo N = N1 N2 .


10.4. If χ is a Dirichlet character defined modulo N, and if χ is defined modulo
N1 and modulo N2 , where N1 | N and N2 | N, then χ is also defined modulo
gcd(N1 , N2 ).
10.5. The set X((Z/NZ)× ) of all Dirichlet characters defined modulo N becomes
a multiplicatively written abelian group by setting

(χ1 χ2 )(a + NZ) = χ1 (a + NZ) · χ2 (a + NZ).

Show that, for coprime moduli N1 and N2 with N = N1 N2 we have

$$X((\mathbb{Z}/N\mathbb{Z})^\times) \simeq X((\mathbb{Z}/N_1\mathbb{Z})^\times) \oplus X((\mathbb{Z}/N_2\mathbb{Z})^\times).$$

10.6. Let χ be a Dirichlet character defined modulo 5. Show that χ is determined
by the value $\chi(2 + 5\mathbb{Z})$, and that $\chi(2 + 5\mathbb{Z})^4 = 1$. Conclude that there are
exactly four nontrivial Dirichlet characters defined modulo 5.
10.7. Show that a Dirichlet character χ defined modulo N is primitive if and only
if χ is nontrivial on the kernel of the projection map π : (Z/NZ)× −→
(Z/nZ)× for each proper divisor n | N.
10.8. Write the Pell forms for the Kronecker characters with conductor N ≤ 12
as rational functions.
10.9. Show that the Pell form $f_\chi(q)$ satisfies the functional equation

$$f_\chi\big(\tfrac{1}{q}\big) = \begin{cases} -f_\chi(q), & \text{for } \Delta > 0, \\ f_\chi(q), & \text{for } \Delta < 0. \end{cases}$$

10.10. Prove without using Euler’s formulas (2.4) that the partial fraction decomposition
of the Pell form for the primitive Dirichlet character χ defined modulo
4 is given by

$$f_\chi(q) = \frac{q}{1 + q^2} = \frac{1}{2i}\Big(\frac{1}{1 - qi} - \frac{1}{1 + qi}\Big).$$

10.11. Compute the partial fraction decomposition of the Pell form for the primitive
Dirichlet character modulo 8 defined by $\chi(n) = (\frac{2}{n})$.
10.12. Since $\mathrm{Fek}_\chi(q)$ is divisible by $q$, we can determine the partial fraction
decomposition of

$$\frac{\mathrm{Fek}_\chi(q)}{q(1 - q^N)}.$$

Show that an application of Euler’s formulas yields

$$\frac{\mathrm{Fek}_\chi(q)}{q(1 - q^N)} = -\frac{1}{N} \sum_{k=1}^{N-1} \frac{\mathrm{Fek}_\chi(\zeta^k)}{q - \zeta^k}.$$

10.13. Prove the congruence

$$\mathrm{Fek}_p(x) \equiv \sum_{n=1}^{p-1} n^m x^n \bmod p. \qquad (10.12)$$

Deduce that $\mathrm{Fek}_p(1) \equiv 0 \bmod p$.
10.14. Show that $\mathrm{Fek}_p^{(k)}(1) \equiv 0 \bmod p$ for $0 \le k < m$, and that
$\mathrm{Fek}_p^{(m)}(1) \equiv -1 \bmod p$.
10.15. Show that the cyclotomic polynomial Φp (x) is irreducible for prime values
of p.
Hint: Consider Φp (x + 1).
10.16. Count the number Np of solutions of the congruence y 2 = x 3 + 1 mod p
for various prime numbers p. Observe that multiplying x by a cube root of
unity ρ does not change the equation y 2 = x 3 + 1, so this elliptic curve
has complex multiplication by ρ. Use this information for writing down a
conjecture for Np .
10.17. Let $x$ be a $p$-th root of unity, i.e., assume that $x^p = 1$. Show that

$$\mathrm{Fek}_p(x)^n = \sum_{a=0}^{p-1} J_n(a) x^a,$$

where $J_n(a)$ is the character sum we have studied at the end of Sect. 3.4
defined by

$$J_n(a) = \sum \Big(\frac{t_1 t_2 \cdots t_n}{p}\Big),$$

where the sum is over all $t_j \bmod p$ with $t_1 + t_2 + \ldots + t_n \equiv a \bmod p$.


Appendix A
Computing with Pari and Sage

A.1 Pari

Pari¹ is very easy to use, and the basic version is installed within seconds.

A.1.1 Arithmetic in Integers

For computing $3^{N-1} \bmod N$ for $N = 2^{67} - 1$, simply type


N = 2^67-1; Mod(3,N)^(N-1)

(Observe that
Mod(3^(N-1),N)

is doing something completely different, even if the result is the same); the
answer
Mod(95591506202441271281, 147573952589676412927)

tells us that $3^{N-1} \equiv 95591506202441271281 \bmod N$; in particular, $N$ is not a
prime. The command
factor(2^67-1)

immediately yields the prime factorization of N in the form


[193707721 1]

[761838257287 1].

1 pari was developed at the University of Bordeaux by Henri Cohen and his colleagues.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 255
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6

The meaning of these “vectors” becomes clear by factoring, e.g., N = 48.


It is easy to realize small programs using pari. In order to implement the Lucas–
Lehmer-test, for example, we type the program between two braces into a text file
and then copy it by right-clicking the black pari window:
{p=61; N=2^p-1; S=Mod(4,N);
for(n=1,p-2,S=S^2-2);
print(lift(S)) }

The command lift transforms the residue class Mod(2,127) into the integer
2; its only purpose is to produce a nicer output. Other methods for programming
loops may be found by typing ?11; the command ?while produces an explanation
of how to program a while-loop.
The result 0 in the above computation shows that $2^{61} - 1$ is prime. Putting a loop
around the commands we obtain a program that finds the small Mersenne primes:
{forstep(p=3,2000,2,if(isprime(p),
N=2^p-1; S=Mod(4,N);
for(n=1,p-2,S=S^2-2);
if(S,,print(p)))) }

Within a few seconds, pari gives the following exponents:

p = 3, 5, 7, 13, 17, 19, 31, 61, 89, 107, 127, 521, 607, 1279.

A.1.2 Arithmetic in Quadratic Number Fields

You can obtain a generator of the ring of integers of the quadratic number field with
discriminant d = 12 by typing
w = quadgen(12)

Squaring this element you can convince yourself that $w^2 = 3$. Similarly


w = quadgen(13)

generates an element with $w^2 = 3 + w$, thus $w = \frac{1 + \sqrt{13}}{2}$. Using these generators, the
basic arithmetic operations +, −, · and : can easily be performed in quadratic number
fields.
The solutions of the Pell equation are given with respect to this integral basis:
quadunit(4*67)

yields 48842 + 5967*w, that is, the fundamental unit $\varepsilon = 48842 + 5967\sqrt{67}$,
whereas
quadunit(21)

produces the result $\varepsilon = 2 + w = 2 + \frac{1 + \sqrt{21}}{2} = \frac{5 + \sqrt{21}}{2}$. The norm and the trace of
the fundamental unit are computed via
eps = quadunit(21); print(norm(eps)," ",trace(eps))

Class numbers and the class groups of quadratic number fields are obtained
easily:
quadclassunit(-84)[1]

yields the class number 4 of $\mathbb{Q}(\sqrt{-21})$, and
quadclassunit(-84)[2]

gives the structure of the class group: [2, 2] denotes the abelian group Z/2Z⊕Z/2Z.
Residue classes modulo rational primes may be realized via
w = quadgen(21)*Mod(1,7)

using
(3-2*w)^7

then shows that $(3 - 2 \cdot \frac{1 + \sqrt{21}}{2})^7 \equiv 2 \bmod 7$.
For other calculations, e.g., with ideals we have to define a number field. This is
accomplished by
nf = bnfinit(x^2-79);

This command computes the basic invariants of the quadratic number field
$\mathbb{Q}(\sqrt{79})$, namely an integral basis, the discriminant, the fundamental unit, and the
class group. The semicolon at the end tells pari not to print the results of these
calculations. We have access to the individual results by commands such as
nf.zk

Here [1, x] denotes the integral basis {1, x}, where x is the root of the polynomial
$x^2 - 79$.
We get the ideal class group of this number field with
nf.clgp

the expression
[3, [3], [[3, 2; 0, 1]]]

gives the class number 3, the structure of the class group ([3] denotes the cyclic
group of order 3), and an ideal (here it is a prime ideal q above 3) that generates the
class group. Using
idealfactor(nf,5)

we obtain the prime ideal factorization of 5 in K. With


p = %[1,1]

we choose the first prime ideal, which we will denote by p in the following. The
command
bnfisprincipal(nf,p)

then yields
[[2]~, [19/9, -2/9]~]

which means that the prime ideal p lies in the ideal class $q^2$, where q is the prime
ideal above (3) found above, and that the principal ideal $pq^{-2}$ is generated by
$\frac{19}{9} - \frac{2}{9}\sqrt{79}$, i.e., that we have $9p = (19 - 2\sqrt{79})q^2$.
The prime ideal decomposition of $19 - 2\sqrt{79}$ may be checked by
idealfactor(nf,19-2*x)

A.2 Sage

In pari, only a few very basic functions for doing arithmetic with elliptic functions
are implemented. For computing on elliptic curves it is a good idea to familiarize
yourself with sage.2 As a matter of fact, sage is also more comfortable for doing
arithmetic in number fields, and you can access pari from within sage.

A.2.1 Number Fields

In sage we define number fields by


K.<a> = NumberField(x^2-79)

Now a is a root of the polynomial $x^2 - 79$ in the number field K, i.e., $a^2 = 79$.


With
K.class_group()

you obtain the information


Class group of order 3 with structure C3 of Number Field,

and
K.units()

2 This program was developed under William Stein and uses work done for other computer algebra
systems such as pari, Cremona’s mwrank or GAP, to mention but a few.




yields the fundamental unit $9\sqrt{79} - 80$. The command
K.integral_basis()

explains itself. The ideal $I = [5, 2 + \sqrt{79}]$ is defined by
I = K.ideal([5,2+a])

and the order of the ideal class generated by I is found by typing


C = K.class_group()
order(C(I))

For everything else we refer the readers to several introductions to sage that can
be found quickly on the world wide web.

A.2.2 Elliptic Curves

In sage, the elliptic curve $y^2 = x^3 + ax + b$ is defined by the command


E = EllipticCurve([a,b])

In order to find the integral solutions of the equation $y^2 = x^3 - 26$, we first define
the elliptic curve
E = EllipticCurve([0,-26])

The command
E.rank()

then shows that the group of rational points on this elliptic curve has rank 2; with
E.gens()

we find the generating points


(3 : 1 : 1), (35 : 207 : 1),

corresponding to the affine points (x, y) = (3, 1) and (35, 207). Finally,
E.integral_points() ,

shows that these are the only integral solutions of the equation $y^2 = x^3 - 26$. By
copying
for a in [1..30]:
    E = EllipticCurve([0,-a])
    print(a, E.integral_points())

into the sage window and pressing Enter you obtain the following table with all
integral solutions of the equations $y^2 = x^3 - d$ for $1 \le d \le 30$:

 d   y^2 = x^3 − d        d   y^2 = x^3 − d       d   y^2 = x^3 − d
 1   (1, 0)              11   (3, 4), (15, 58)   21   -
 2   (3, 5)              12   -                  22   -
 3   -                   13   (17, 70)           23   (3, 2)
 4   (2, 2), (5, 11)     14   -                  24   -
 5   -                   15   (4, 7)             25   (5, 10)
 6   -                   16   -                  26   (3, 1), (35, 207)
 7   (2, 1), (32, 181)   17   -                  27   (3, 0)
 8   (2, 0)              18   (3, 3)             28   (4, 6), (8, 22), (37, 225)
 9   -                   19   (7, 18)            29   -
10   -                   20   (6, 14)            30   -
10 20 (6, 14) 30

In order to test the truth of Theorem 6.20 we run the following program in sage
for t in [2,4,..20]:
    d = 3*t^2+1
    E = EllipticCurve([0,-d])
    K.<a> = QuadraticField(-d)
    print(d, K.class_number(), E.integral_points())

and obtain

d h Solutions d h Solutions
13 2 (17, 70) 433 12 (13, 42), (577, 13860)
49 1 (65, 524) 589 16 (785, 21994)
109 6 (5, 4), (145, 1746) 769 20 (1025, 32816)
193 4 (257, 4120) 973 12 (1297, 46710)
301 8 (401, 8030) 1201 16 (1601, 64060)

The limits of sage become visible by extending the loop until t = 20: For
t = 14 and d = 2353, sage does not produce an answer. The reason for this
behavior is that either the generators of the group of rational points on E are huge,
or that the elliptic curve has a nontrivial Tate–Shafarevich group.
By looking at the table one is led to the conjecture that the class numbers of

Q( m ) for all m = 12t 2 + 1 are divisible by 3 whenever t is a multiple of 3. This is
indeed true, but quite likely this is very difficult to prove without class field theory.
Appendix B
Solutions

Chapter 1

1.1. Let $(m^2 - n^2, 2mn, m^2 + n^2)$ be the first triple. If we choose $m$ even and $n$ odd,
then $m^2 + n^2$ is odd, and we can find integers $r$ and $s$ such that $m^2 + n^2 = r^2 - s^2$;
for example, we can set $r - s = 1$ and $r + s = m^2 + n^2$, that is
$r = \frac12(m^2 + n^2 + 1)$ and $s = \frac12(m^2 + n^2 - 1)$. With these values, we have

$$(r^2 + s^2)^2 = (r^2 - s^2)^2 + (2rs)^2 = (m^2 + n^2)^2 + (2rs)^2 = (m^2 - n^2)^2 + (2mn)^2 + (2rs)^2$$

as desired.
1.2. Write $a = m^2 - n^2$, $b = 2mn$ and $c = m^2 + n^2$. For making $b = 2mn$ a square
it is only necessary to set $m = a^2$ and $n = 2b^2$. For making $c = m^2 + n^2$ a
square, write $m^2 + n^2 = p^2$ and set $m = r^2 - s^2$, $n = 2rs$ and $p = r^2 + s^2$.
1.3. For solving $2a^2 = c^2 - b^2 = (c - b)(c + b)$ it is sufficient to set $c - b = 4s^2$
and $c + b = 2r^2$. Then $2a^2 = 8r^2s^2$ shows that $a = 2rs$. Moreover,
$2c = (c + b) + (c - b) = 2r^2 + 4s^2$, which gives us $c = r^2 + 2s^2$. Similarly,
$b = r^2 - 2s^2$.
For a geometric parametrization of the ellipse $x^2 + 2y^2 = 1$, consider the
lines through $P(-1, 0)$. These have the equation $y = m(x + 1)$; intersecting
these lines with the ellipse we get $x^2 + 2m^2(x + 1)^2 = 1$, which is equivalent
to

$$0 = x^2 - 1 + 2m^2(x + 1)^2 = (x + 1)(x - 1 - 2m^2(x + 1)).$$

The equation $x + 1 = 0$ gives us $P$; from $x - 1 - 2m^2(x + 1) = 0$ we obtain

$$x = \frac{1 + 2m^2}{1 - 2m^2} \quad\text{and}\quad y = m(x + 1) = \frac{2m}{1 - 2m^2}.$$

Writing $m = \frac{s}{r}$ and simplifying the resulting expressions we get

$$x = \frac{r^2 + 2s^2}{r^2 - 2s^2} \quad\text{and}\quad y = \frac{2rs}{r^2 - 2s^2},$$

which leads to the same formulas as above.


1.4. Consider the lines through the point $(-1, 0, 0)$ on the unit sphere; these are
given by the equations

$$x = -1 + at, \quad y = bt, \quad z = ct.$$

Intersecting this line with the unit sphere results in a quadratic equation with
the solutions $t_1 = 0$ and $t_2 = \frac{2a}{a^2 + b^2 + c^2}$, which then provides us with the
points

$$x = \frac{a^2 - b^2 - c^2}{a^2 + b^2 + c^2}, \quad y = \frac{2ab}{a^2 + b^2 + c^2}, \quad z = \frac{2ac}{a^2 + b^2 + c^2}.$$

1.5. This is clear:

$$(a^2 - mb^2)(c^2 - md^2) = (ac + mbd)^2 - m(bc + ad)^2.$$

1.6. Implicit differentiation yields $2yy' = 3x^2$, hence $y' = \frac{3x^2}{2y}$. Thus the tangent
in the point $(u, v)$ on Bachet’s curve $y^2 = x^3 - k$ has the equation
$y = \frac{3u^2}{2v}(x - u) + v$. Intersecting this line with Bachet’s curve gives rise to the
equation

$$x^3 - \Big(\frac{3u^2}{2v}(x - u) + v\Big)^2 - k = 0.$$
This equation has a double root x = u; if we denote the third root by x3 , then
the sum of the roots 2u + x3 is the negative coefficient of x 2 in this equation:

9u4
2u + x3 = − .
4v 2

This gives us (1.5):

$$x_3 = \frac{9u^4}{4v^2} - 2u = \frac{u^4 + 8ku}{4v^2}.$$

Plugging this value of $x = x_3$ into the line equation $y = \frac{3u^2}{2v}(x - u) + v$ we
also get (1.6).
1.7. Applying the duplication formulas to $(3, 5)$ on the elliptic curve $y^2 + 2 = x^3$
we find

$$x_1 = \frac{3^4 + 8 \cdot 2 \cdot 3}{4 \cdot 5^2} = \frac{129}{10^2}, \quad y_1 = \frac{383}{10^3},$$

$$x_2 = \frac{2340922881}{7660^2}, \quad y_2 = \frac{113259286337292}{7660^3}.$$
1.8. We find

$$x_1 = \frac{2^4 + 8 \cdot 4 \cdot 2}{4 \cdot 2^2} = 5, \quad y_1 = \frac{-2^6 + 20 \cdot 4 \cdot 2^3 + 8 \cdot 4^2}{8 \cdot 2^3} = 11.$$

Two more applications of the duplication formula yield

$$x_2 = \frac{785}{22^2}, \quad y_2 = -\frac{5497}{22^3},$$

$$x_3 = \frac{3227836439105}{241868^2}, \quad y_3 = -\frac{5799120182710629023}{241868^3}.$$

As in the case of Bachet’s equation $y^2 + 2 = x^3$ it can be shown easily that
the power of 2 dividing the denominator is strictly increasing. This shows that
(5, 11) is the only integral point obtained through duplication.
1.9. Assume that $p^2 + q^2 = r^2$, where $p$ and $q$ are prime. Then $p = m^2 - n^2$ and
$q = 2mn$. Since $q$ is prime, we must have $mn = \pm 1$, hence $p = m^2 - n^2 = 0$:
Contradiction.
Now assume that $(p, b, q)$ is a Pythagorean triple in which one leg $p$ and
the hypotenuse $q$ are primes. Then $p = m^2 - n^2 = (m + n)(m - n)$ and
$q = m^2 + n^2$ are prime, which is only possible if $m - n = 1$. In this case,
$p = m^2 - n^2 = 2n + 1$ and $q = m^2 + n^2 = 2n^2 + 2n + 1$ and $b = 2m(m + 1) = 2m^2 + 2m = q - 1$.
1.10. If $(a, b, c)$ is a Pythagorean triple, then the equation

$$(t - a)^2 + (t - b)^2 = (t + c)^2$$

is a quadratic equation in $t$ with the solution $t = 0$. The other solution is
given by $t = 2a + 2b + 2c$, which produces the new Pythagorean triple
$(a + 2b + 2c, 2a + b + 2c, 2a + 2b + 3c)$. This construction is due to B. Berggren
(1934) and F.J.M. Barning (1963).
The equation

$$(t + a)^2 + (t + b)^2 = (2t + c)^2$$

leads to the same result. The same approach works for equations of the form
$x_1^2 + x_2^2 + \ldots + x_n^2 = y^2$.
1.11. We have $24 \cdot 13 = 17^2 + 23 \cdot 1^2$ and $24 = 1^2 + 23 \cdot 1^2$, yet 13 cannot be
represented by the form $x^2 + 23y^2$.
1.12. Let $p_1, \ldots, p_t$ be distinct primes of the form $4n + 1$, and set $N = 4p_1^2 \cdots p_t^2 + 1$.
Clearly $N$ is not divisible by any $p_j$. If $N$ is prime, then we have found a
new prime of the form $4n + 1$. If $N$ is composite, any of its prime divisors $q$
divides $N$, which is a sum of coprime squares; but then $q$ has the form $4N + 1$.
If $q_1, \ldots, q_t$ are primes of the form $4N - 1$, set N3 = $4q_1 \cdots q_t - 1$. Clearly $N$
is not divisible by any $q_j$. If $N$ is prime, then we are done; if not, then at least
one of the prime factors $q$ of $N$ has the form $4n + 3$: in fact, if all of them had
the form $4n + 1$, then the product $N$ would also have this form. Since $q \ne p_j$,
this completes the proof.
1.13. The discriminant of the quadratic equation $x^4 - 2ty^2 = t^2$ in $t$ is $D = 4(x^4 + y^4)$.
If $x^4 - 2y^2 = 1$ has a rational solution with y, then the quadratic equation
in $t$ must have a rational solution, so its discriminant is a square; this leads
to $y^4 + x^4 = w^2$, which implies that $x = 0$ or $y = 0$. But then $xy = 0$ in
$x^4 - 2y^2 = 1$, which is only possible if $y = 0$. This proves the claim.
1.14. Assume that $y^2 = x^3 - dx$ has a nontrivial rational solution. Then the
Diophantine equation $dxt^2 + y^2t - x^3 = 0$ has a rational solution with
$t = 1$, hence its discriminant $D = y^4 + 4dx^4$ must be a square, hence
$y^4 + 4dx^4 = w^2$ must have a rational solution.
Observe that the trivial solution $x = 0$ of the second equation corresponds to
the trivial solution $x = 0$ of $y^2 = x^3 - dx$.
1.15. Assume first that $p = 8n + 1$. Then

$$a^{p-1} - 1 = a^{8n} - 1 = (a^{4n} - 1)(a^{4n} + 1).$$

Choose $a$ in such a way that $p$ divides $a^{4n} + 1$. The identity
$a^{4n} + 1 = (a^{2n} - 1)^2 + 2(a^n)^2$ then shows that −2 is a quadratic residue modulo $p$.
If $p \equiv 3 \bmod 8$, then $p \equiv 3 \bmod 4$ implies that −1 is a quadratic nonresidue
modulo $p$. We also claim that 2 is a quadratic nonresidue modulo primes
$p \equiv \pm 3 \bmod 8$. Assume to the contrary that $p$ divides $c^2 - 2d^2$ for integers $c$ and $d$
not divisible by $p$. Reducing $c$ and $d$ modulo $p$ we may assume that $|c|, |d| < \frac{p}{2}$.
This implies that $c^2 - 2d^2 < p^2$, hence we can write $c^2 + 2d^2 = kp$ for
some nonzero integer $k$ with $|k| < p$. Cancelling common divisors of $c$ and
$d$ from our equation we may assume that $c$ and $d$ are coprime. In particular,
$c$ is odd, and this implies $c^2 - 2d^2 \equiv \pm 1 \bmod 8$. Since $p \equiv \pm 3 \bmod 8$ we
must have $k \equiv \pm 3 \bmod 8$. This implies that $k$ must be divisible by some
prime number $q \equiv \pm 3 \bmod 8$. This prime number is smaller than $p$, and it
satisfies $c^2 \equiv 2d^2 \bmod q$. Thus for every prime $p \equiv \pm 3 \bmod 8$ for which
2 is a quadratic residue there is a smaller prime $q$ with the same properties.
Infinite descent now yields a contradiction.
1.16. We claim that all primes $p \equiv 1, 3 \bmod 8$ can be represented in the form
$p = c^2 + 2d^2$. This is true for $p = 3$ since $3 = 1^2 + 2 \cdot 1^2$. Assume that the
result is true for all primes less than some prime number $p \equiv 1, 3 \bmod 8$.
We know from the last exercise that −2 is a quadratic residue modulo $p$;
thus there is an integer $x$ with $x^2 + 2 = kp$. Reducing $x$ modulo $p$ we may
assume that $|x| < \frac{p}{2}$, and this implies that $|k| < p$. If $x = 2x_1$ is even, then
$4x_1^2 + 2 = kp$ implies $k = 2k_1$ and $1 + 2x_1^2 = k_1 p$; thus we may assume that
$c^2 + 2d^2 = kp$ for coprime integers $c$ and $d$, where $c$ is odd.
For each prime factor $q$ of $k$ we have $c^2 \equiv -2d^2 \bmod q$, which implies that
−2 is a quadratic residue modulo $q$. By induction assumption, $q$ has the form
$q = e^2 + 2f^2$. We now claim that by suitably choosing the sign of $f$, we can
make sure that the left hand side in the equation

$$\frac{c^2 + 2d^2}{e^2 + 2f^2} = \frac{k}{q} \cdot p$$

is an integer of the form $c_1^2 + 2d_1^2$. In this way we can eliminate all prime
factors of $k$ and end up with a representation of $p$ in the form $p = c^2 + 2d^2$.
Note that

$$e^2(c^2 + 2d^2) = c^2e^2 + 2d^2e^2 \quad\text{and}\quad c^2(e^2 + 2f^2) = c^2e^2 + 2c^2f^2$$

are both divisible by $q$, hence so is their difference

$$2(d^2e^2 - c^2f^2) = 2(de - cf)(de + cf).$$

Thus we can choose the sign of $f$ in such a way that $q \mid (de - cf)$.
Now consider the identity

$$qkp = (c^2 + 2d^2)(e^2 + 2f^2) = (ce + 2df)^2 + 2(cf - de)^2.$$

Since $q$ divides $cf - de$, it must also divide $ce + 2df$. Setting $c_1 = \frac{ce + 2df}{q}$
and $d_1 = \frac{cf - de}{q}$ we obtain

$$\frac{k}{q} \cdot p = c_1^2 + 2d_1^2$$

as desired.


1.17. From√21 = 12 + 5 · 42 = 42 + 5 · 12 we read off the elements 1 + 2 −5 and
4 + −5 with norm 21. Squaring these elements we obtain
√ √ √ √
(1 + 2 −5 )2 = −19 + 4 5 and (4 + −5 )2 = 11 + 8 −5.

The representations 212 = 62 +5·92 = 142 +5·72 come from 72 = 22 +5·32


and 32 = 22 + 5 · 12 .
1.18. The problem whether $y^2 + 2 = x^3$ can be solved by elementary means, for
example, by writing $(y - 5)(y + 5) = y^2 - 25 = x^3 - 27 = (x - 3)(x^2 + 3x + 9)$,
remains open.
1.19. The equation $y\sqrt{2} + \sqrt{5} = (a\sqrt{2} + b\sqrt{5})^3$ leads to $y = 2a^3 + 15ab^2$ and
$1 = 6a^2b + 5b^3$; the second equation implies $b = \pm 1$ since it is equivalent
to $1 = b(6a^2 + 5b^2)$. But then $\pm 1 = 6a^2 + 5$ does not have a solution in the
reals let alone in integers.
On the other hand we have

$$\frac{4\sqrt{2} + \sqrt{5}}{\sqrt{2} + \sqrt{5}} = \frac{(4\sqrt{2} + \sqrt{5})(-\sqrt{2} + \sqrt{5})}{(\sqrt{2} + \sqrt{5})(-\sqrt{2} + \sqrt{5})} = \frac{-3 + 3\sqrt{10}}{3} = -1 + \sqrt{10},$$

as well as $(\sqrt{2} + \sqrt{5})^2 = 7 + 2\sqrt{10}$, hence

$$\frac{4\sqrt{2} + \sqrt{5}}{(\sqrt{2} + \sqrt{5})^3} = \frac{-1 + \sqrt{10}}{7 + 2\sqrt{10}} = -3 + \sqrt{10}.$$

This shows that the equation

$$4\sqrt{2} + \sqrt{5} = (a\sqrt{2} + b\sqrt{5})^3 (3 + \sqrt{10})^n$$

has the solution $a = b = 1$ and $n = -1$.


1.20. If $a$ is even, then $b$ must be odd and $b^4 \equiv 1 \bmod 16$; thus $-q \equiv 1 \bmod 16$
contradicting our assumption. Thus $a$ must be odd and we find $qb^4 = a^4 - 1 = (a^2 - 1)(a^2 + 1)$
with $\gcd(a^2 - 1, a^2 + 1) = 2$. Since $q \nmid a^2 + 1$ we
have $a^2 - 1 = 8qc^4$, $a^2 + 1 = 2d^4$ and therefore $d^4 - 4qc^4 = 1$. Thus
$4qc^4 = (d^2 - 1)(d^2 + 1)$, and since $q \nmid d^2 + 1$ we find $d^2 + 1 = 2e^4$ and
$d^2 - 1 = 2qf^4$, which yields $e^4 - qf^4 = 1$. By infinite descent we conclude
that the only integral solution is the one with $b = 0$.
1.21. If $x$ is even, then $y^2 \equiv 7 \bmod 8$ is not solvable. Therefore $x$ is odd.
Now write $y^2 + 1 = x^3 + 8 = (x + 2)(x^2 - 2x + 4)$. If $x \equiv 1 \bmod 4$,
then $x + 2 \equiv 3 \bmod 4$. Thus $x + 2$ must be divisible by a prime number
$q \equiv 3 \bmod 4$, but such primes cannot divide a sum of two coprime squares.
If $x \equiv 3 \bmod 4$, then $x^2 - 2x + 4 \equiv 3 \bmod 4$, and we get a contradiction in
the same way.

1.22. Here $y^2 + 25 = x^3 + 8 = (x + 2)(x^2 - 2x + 4)$.
If $x$ is even, then $y$ is odd and $y^2 + 25 \equiv 2 \bmod 4$; this is impossible since
$x^3 + 8 \equiv 0 \bmod 8$.
Thus $x$ is odd and $y$ is even, hence $x^3 \equiv 17 \bmod 4$ and therefore $x \equiv 1 \bmod 4$.
But then $x + 2 \equiv 3 \bmod 4$, hence the first factor is divisible by a prime
$q \equiv 3 \bmod 4$. Such primes divide the sum of squares $y^2 + 5^2$ only if $q \mid 5$,
which is impossible.
1.23. If $y$ is even, then $x^3 = y^2 + k \equiv k \equiv 3 \bmod 4$, hence $x \equiv 3 \bmod 4$. Write
the equation in the form

$$y^2 + B^2 = x^3 - A^3 = (x - A)(x^2 + Ax + A^2).$$

Since $x^2 + Ax + A^2 \equiv 3 \bmod 4$, this number is divisible by an odd prime
$q \equiv 3 \bmod 4$. But such a prime can divide a sum of squares $y^2 + B^2$ only if
$q \mid B$ and $q \mid y$. Since $B$ is not divisible by primes $q \equiv 3 \bmod 4$, this is a
contradiction.
1.24. We write the equation in the form $y^2 + B^2 = x^3 - A^3 = (x - A)(x^2 + Ax + A^2)$.
If $y$ is odd, then $x$ is even and $y^2 + B^2 \equiv 2 \bmod 4$, which contradicts the fact
that $x^3 - A^3$ is divisible by 8. Thus $y$ is even and $x$ is odd. Now $x^2 + xA + A^2 \equiv 1 + A \equiv 3 \bmod 4$.
Now $x^2 + xA + A^2 > 0$, hence there exists a prime number
$q \equiv 3 \bmod 4$ dividing this number. But then $q \mid (y^2 + B^2)$ implies $q \mid B$, and
we have a contradiction.
For $k = (-2)^3 + 21^2 = 433$, the equation $y^2 = x^3 - k$ has two integral
points (13, 42) and (577, 13860). This example shows that the condition on
$B$ is necessary.
1.25. Clearly $(x, y) = (A, B)$ is an integral point.
For $k = 17$, sage finds the following integral points on $y^2 = x^3 + 17$:

(x, y) = (−2, 3), (−1, 4), (2, 5), (4, 9), (8, 23), (43, 282), (52, 375), (5234, 378661).

1.26. We have
   
a b a b  2 2 2 2
  = p2 + q 2 + r 2 + s 2 and  =p +q +r +s .
c d c d

Thus the left hand side is the product of two sums of four squares.
Now

(aa + bc )(cb + dd ) = [(p + qi)(p + q i) + (r + si)(−r + s i)]


· [(−r + si)(r + s i) + (p − qi)(p − q i)]

= (pp − qq − rr − ss )2 + (pq + qp + rs − r s)2 ,



−(ca + dc )(ab + bd ) = [(r − si)(p + q i) + (p − qi)(r − s i)]


· [(p + qi)(r + s i) + (r + si)(p − q i)]

= (rp + sq + pr − qs )2 + (rq − sp − ps − qr )2 .

Thus the determinant on the right hand side is a sum of four squares.
1.27. Multiplying through by a shows that it is sufficient to consider equations of
the form x 2 +ay 2 = bz2 . Assume now that (ξ, η, ζ ) is a nontrivial solution of
this equation (such solutions exist by the Local–Global Principle if and only
if the conic has nontrivial points in every completion of Q). Then multiplying
bz2 = x 2 + ay 2 through by bζ 2 gives

(bζ z)2 = bζ 2x 2 + abζ 2y 2 = (ξ 2 + aη2 )x 2 + (aξ 2 + a 2 η2 )y 2


= (ξ x + aηy)2 + a(ξy − ηx)2 .

Similarly,

(aηy)2 = abη2z2 − aη2x 2 = b(bζ 2 − ξ 2 )z2 − (bζ 2 − ξ 2 )x 2


= (ξ x + bζ z)2 − b(ξ z + ζ x)2 ,

or

(ξ X)2 = bξ 2 z2 − aξ 2 y 2 = b(bζ 2 − aη2 )z2 − a(bζ 2 − aη2 )y 2


= (bζ z + aηy)2 − ab(ηz + ζy)2 .

Thus “Euler’s trick” provides us with three different factorizations of the form
AB = mC 2 , which we have collected in the following table:

A B C m
I bζ z + aηy + ξ x bζ z − aηy − ξ x ξy − ηx a
II bζ z + aηy + ξ x bζ z − aηy + ξ x ξ z + ζ x b
III bζ z + aηy + ξ x bζ z + aηy − ξ x ηz + ζy ab

Chapter 2

2.1. Clearly we can add, subtract, and multiply numbers of the form $a + b\sqrt{m}$,
where $a, b \in \mathbb{Q}$, in the obvious way. For example,

$$(a + b\sqrt{m})(c + d\sqrt{m}) = ac + mbd + (ad + bc)\sqrt{m}.$$

The quotient of two elements is given by

$$\frac{a + b\sqrt{m}}{c + d\sqrt{m}} = \frac{(a + b\sqrt{m})(c - d\sqrt{m})}{c^2 - md^2} = \frac{ac - mbd}{c^2 - md^2} + \frac{bc - ad}{c^2 - md^2}\sqrt{m}. \qquad (2.1)$$

This formula works except when $c^2 - md^2 = 0$, which happens if and only
if either $c = d = 0$ or if $m = (\frac{c}{d})^2$ is a square, which we have excluded.
2.2. Since α, β ∈ K and since {1, m √ is a Q-basis of √ K, there exist rational
 
numbers a, b, c, d with α = a + b m and β = √ c + d m. Thus M = ac db .
Clearly {α, β} is also a Q-basis of K if 1 and m can be expressed as Q-
linear combinations of α and β, i.e., if and only if M has an inverse. This is
the case if and only if det M = 0. √
2.3. Since α, β ∈ OK and since {1, m is an integral basis of K, there exist 
integers a, b, c, d ∈ Z with α = a + bω and β = c + dω. Thus M = ac db .
Clearly {α, β} is also an integral basis of K if 1 and ω can be expressed as
Z-linear combinations of α and β, i.e., if and only if M has an inverse. This
is the case if and only if det M = ±1.
It is now easily checked that the discriminant of the integral basis {α, β},
 α β 2
namely  α β  = (αβ − α β)2 is equal to (det M)2 disc k, hence equal to
disc k since det M = ±1.
2.4. We have
2
U0 U1 01 U1 U2 11 01
= and = = .
U1 U2 11 U2 U3 12 11

The first claim is now proved by induction, the induction step being

Un Un+1 01 Un+1 Un + Un+1 Un+1 Un+2


· = = .
Un+1 Un+2 11 Un + Un+1 Un+1 + Un+2 Un+2 Un+3

For diagonalizing the matrix T we determine its eigenvalues. These are the
roots of the characteristic polynomial

det(T − λI ) = λ2 − λ − 1 = 0,
√ √
which gives λ1 = 1+2 5 = ω and λ2 = 1+2 5 = ω .
   
The corresponding eigenvectors are v1 = ω1 and v2 = ω1 : In fact
 0 1    ω   ω   
ω = ω+1 = ω2 = ω ω .
1 1
11  
Therefore the diagonalizing matrix S is given by S = ω1 ω1 . We now find
    0 1  1 1 
S −1 = ω−ω 1
· −ω 1 , hence D = S −1 T S = 1 · −ω 1
ω −1 ω −1 1 1 ω ω =
    ω−ω
ω−ω ·
1 2+ω
0 −2−ω
0
= ω0 ω0 . Since T n = (S −1 DS)n = S −1 D n S we now

find

Un Un+1 ωn 0
Tn = = S −1 S,
Un+1 Un+2 0 ωn

and this implies Binet’s formula

ωn − ω n
Un = .
ω−ω

2.5. Let α = a+b2 m be an algebraic integer in some quadratic number field
√  
Q( m ). Since the binomial coefficients pk are divisible by p for 1 ≤ k ≤
p − 1 (since p divides the numerator p!, but not the denominator k!(p − k)!),
we find
√ p
a p + bp m
αp ≡ mod p.
2p
By Fermat’s Little Theorem we have a p ≡ a, bp ≡ b and 2p ≡ 2 mod p.
√ p p−1 √ √
Moreover, m = m 2 m ≡ ( m p ) m mod p by Euler’s criterion. This
shows that
 a+b√m
 a + b √m p mod p p ) = +1,
if ( m
≡ 2√
a−b m
p ) = −1.
if ( m
2 mod p
2

In the special case α = ω = 1+ 5
2 we have

ωp ≡ ω mod p if ( p5 ) = +1,

ωp ≡ ω mod p if ( p5 ) = −1,

where ω = 1−2 5 . In the first congruence we may cancel ω, and we find
ωp−1 ≡ 1 mod p. If we multiply the second congruence by ω we obtain
ωp+1 ≡ ωω ≡ −1 mod p.
Applying these congruences to Binet’s formula we find, if ( p5 ) = +1,

ωp−1 − ω p−1 ωp − ω p ω−ω


Up−1 = ≡ 0 mod p, Up = ≡ ≡ 1 mod p.
ω−ω ω−ω ω−ω

In the case ( p5 ) = −1, we find similarly

ω −ω
Up ≡ ≡ −1 mod p and Up+1 ≡ 0 mod p.
ω−ω

2.6. By definition, N(α) = αα , hence N(αβ) = (αβ)(αβ) = αβα β =


αα ββ = N(α) · N(β). Similarly, Tr(α + β) = α + β + α + β =
Tr(α) + Tr(β). √ √
For α = a + b m, Tr(α) = 2a, so clearly Tr(α) = 2a for α = a + b m,
hence Tr(α) = 0 if and only if a√= 0.
Next disc α = (α − α )2 = (2b m )2 = 4mb2, hence disc α = 0 if and only
if b = 0.
Finally 0 = Nα = αα if and only if α = 0 or α = 0; but α = 0 implies
α = 0 and thus a = b = 0.
2.7. If α | β, then β = αγ ; taking norms this implies Nβ = NαNγ , and this
means that Nβ | Nα as claimed.
2.8. We have ω + ω = −p and ωω = q, hence

disc ω = (ω − ω )2 = (ω + ω )2 − 4ωω = q 2 − 4p.

If ax 2 +bx+c = 0, then a straightforward calculation yields disc ω = b −4ac


2
.
√ a√
2
2.9. Clearly $\mathbb{Q}(\sqrt{m})$ is a field if we can divide by any nonzero element $a + b\sqrt{m}$. By (2.1) this holds if and only if $a^2 - mb^2 = N(a + b\sqrt{m}) = 0$, which in turn is true if and only if $a = b = 0$ or $m$ is a square. Thus division by nonzero elements is possible if and only if $m$ is not a square in $\mathbb{Q}$, which is equivalent to $x^2 - m$ being an irreducible polynomial in $\mathbb{Q}[x]$.
2.10. Clearly $\sqrt{b} \in K$ if and only if $\sqrt{b} = r + s\sqrt{m}$. Squaring this equation we get $b = r^2 + ms^2 + 2rs\sqrt{m}$. Since $\sqrt{m}$ is irrational, we deduce that $rs = 0$. If $s = 0$, then $b = r^2$ is a square; if $r = 0$, then $b = ms^2$.
2.11. We already have shown that $\sigma$ respects the ring operations since $\sigma(\alpha) = \alpha'$. It remains to prove the last claim. But for $\alpha = a + b\sqrt{m}$ we find that $\alpha = \sigma(\alpha)$ is equivalent to $a + b\sqrt{m} = a - b\sqrt{m}$, i.e., to $b = 0$. Thus $\alpha = \sigma(\alpha)$ if and only if $\alpha \in \mathbb{Q}$.
2.12. The elements of $K$ form an abelian additive group, and multiplication by elements of $\mathbb{Q}$ is the scalar multiplication. Vector space axioms such as $(ab)v = a(bv)$ or $1v = v$ for $a, b \in \mathbb{Q}$ and $v \in K$ follow immediately from the field axioms for $K$.
For $v \in K$ let $\mu : K \longrightarrow K$ denote the multiplication of elements of $K$ by $\alpha = a + b\sqrt{m}$, i.e., set $\mu(v) = \alpha v$. This map $\mu$ is $\mathbb{Q}$-linear, that is, we have $\mu(u + v) = \mu(u) + \mu(v)$ and $\mu(rv) = r\mu(v)$.
Fix the $\mathbb{Q}$-basis $\{1, \sqrt{m}\}$ of $K$. Then
$$\mu(1) = (a + b\sqrt{m}) \cdot 1 = a + b\sqrt{m},$$
$$\mu(\sqrt{m}) = (a + b\sqrt{m}) \cdot \sqrt{m} = bm + a\sqrt{m},$$
which shows that the matrix describing multiplication by $\alpha$ has columns $\binom{a}{b}$ and $\binom{mb}{a}$ and thus is given by $A = \begin{pmatrix} a & mb \\ b & a \end{pmatrix}$.
Clearly $\det A = a^2 - mb^2 = N(\alpha)$ and $\mathrm{Tr}(A) = 2a = \mathrm{Tr}(\alpha)$.
Changing the basis corresponds to replacing $A$ by a matrix of the form $B^{-1}AB$ for some nonsingular matrix $B$. Clearly $\det(B^{-1}AB) = \det(B)^{-1}\det(A)\det(B) = \det(A)$.
For proving the invariance of the trace we first show that $\mathrm{Tr}(AB) = \mathrm{Tr}(BA)$ for arbitrary matrices; then clearly $\mathrm{Tr}(B^{-1}AB) = \mathrm{Tr}(AB^{-1}B) = \mathrm{Tr}(A)$.
2.13. By definition, an element α ∈ k is integral if and only if α + α′ and α · α′ are integers. Since these expressions are invariant under switching α and α′, the claim follows.
2.14. Assume that a, b, c, d are integers with ad − bc = 0. Given an integral basis
 ω    
{ω1 , ω2 } of Ok , set ω1 = ωω12 ab dc . We have to show that ω1 and ω2 are
2    d −c 
Z-linear combinations of ω1 and ω2 . But this follows from ab dc · −b a =
1 0  ω1   ω1  d −c 
0 1 and ω2 = ω2 −b a .
2.15. Assume first that $m \equiv 2, 3 \bmod 4$. Then elements of norm 2 or 3 exist if and only if the Diophantine equations $x^2 + |m|y^2 = 2$ and $x^2 + |m|y^2 = 3$ have solutions in integers. This is the case for $m = -1$ and $m = -2$, where the elements $1 + i$ and $\sqrt{-2}$ have norm 2, and where $1 + \sqrt{-2}$ has norm 3.
If $m \equiv 1 \bmod 4$, then elements of norm 2 and 3 exist if the norm equations $x^2 + |m|y^2 = 8$ and $x^2 + |m|y^2 = 12$ are solvable in integers. Clearly $m \le 11$, and a case by case analysis shows that the elements $\frac{1 \pm \sqrt{-7}}{2}$ have norm 2, and that $\sqrt{-3}$ and $\frac{1 \pm \sqrt{-11}}{2}$ have norm 3.
Thus the only such $m$ are $m = -1, -2, -3, -7$, and $-11$.
2.16. These are formal verifications of the axioms. In the case of k × , for example,
we have to verify that
a. σ (αβ) = σ (α)σ (β),
b. (σ τ )α = σ (τ α),
c. id α = α
for all σ, τ ∈ Gal (k/Q) and all elements α, β ∈ k × .
2.17. Multiplying $x^2 + y^2 = 2z^2$ through by 2 we obtain $(x + y)^2 + (x - y)^2 = (2z)^2$. Thus $(x+y, x-y, 2z)$ is a Pythagorean triple, hence there exist integers $m$ and $n$ with $x + y = m^2 - n^2$, $x - y = 2mn$ and $2z = m^2 + n^2$, where $m$ and $n$ have the same parity. Solving for the unknowns we find
$$x = \frac{m^2 + 2mn - n^2}{2}, \quad y = \frac{m^2 - 2mn - n^2}{2}, \quad z = \frac{m^2 + n^2}{2}.$$
2.18. If $m \equiv 1 \bmod 4$, then clearly $\omega = \frac{1+\sqrt{m}}{2}$ and $\sigma(\omega) = \frac{1-\sqrt{m}}{2}$ form an integral basis since $1 = \omega + \sigma(\omega)$.
If $m \equiv 2, 3 \bmod 4$, then $\{1, \sqrt{m}\}$ is an integral basis. Assume that $\omega = a + b\sqrt{m}$ generates a normal integral basis. Then there exist integers $r, s \in \mathbb{Z}$ such that
$$1 = r(a + b\sqrt{m}) + s(a - b\sqrt{m}).$$
Comparing the coefficients of $\sqrt{m}$ we find that $r = s$, hence $1 = 2ar$, which is a contradiction.
2.19. It is clear that $K = \mathbb{Q}(\sqrt[3]{2})$ is closed with respect to addition and multiplication.
For proving that it is always possible to divide by nonzero elements we observe that it is sufficient to show that $\frac{1}{\alpha}$ is an element of $K$. If we write $\frac{1}{\alpha} = \beta$, then $\alpha\beta = 1$. With $\alpha(x) = a + bx + cx^2$ we have $\alpha(\sqrt[3]{2}) = \alpha$. The polynomials $\alpha(x)$ and $x^3 - 2$ are coprime, hence there exist polynomials $\beta$ and $f$ with $\alpha(x)\beta(x) - (x^3 - 2)f(x) = 1$. Setting $x = \sqrt[3]{2}$ we obtain $\alpha\beta = 1$.
Clearly the elements of the form $a + b\sqrt[3]{2}$ are not multiplicatively closed since $\sqrt[3]{2} \cdot \sqrt[3]{2} = \sqrt[3]{4}$ does not have this form: If $\sqrt[3]{4} = a + b\sqrt[3]{2}$, then $2 = a\sqrt[3]{2} + b\sqrt[3]{4} = a\sqrt[3]{2} + b(a + b\sqrt[3]{2})$ implies that $\sqrt[3]{2}$ is rational, which is a contradiction.
2.20. The identities are easy to check. For explaining how to find them we start with the observation that
$$-2(2 + \sqrt{-5}) = (1 - \sqrt{-5})^2.$$
√ 2
Now the identities follow
√ from −2√= i(1 + i)2 = 2 .
Similarly, $2(31 + 6\sqrt{26}) = (6 + \sqrt{26})^2$, hence
$$31 + 6\sqrt{26} = \left(\frac{6 + \sqrt{26}}{\sqrt{2}}\right)^2 = (3\sqrt{2} + \sqrt{13})^2.$$
2.21. We have $17 + 4\sqrt{15} = (2\sqrt{3} + \sqrt{5})^2$. Finding more examples is trivial: $(\sqrt{2} + \sqrt{5})^2 = 7 + 2\sqrt{10}$.
2.22. If $a + b\sqrt{m} = (r + s\sqrt{m})^2$, then $a = r^2 + ms^2$. Since $1 \le a \le m$ we must have $s = 0$, contradicting our assumptions.
2.23. We have $u^2 = 2^2 + m = (2 + \sqrt{-m})(2 - \sqrt{-m})$; since the only units are $\pm 1$ and since the elements $\pm(2 \pm \sqrt{-m})$ are not squares (see the preceding exercise), this means that the Square Product Theorem does not hold in $\mathbb{Z}[\sqrt{-m}]$.
2.24. We have to show that the factors in the equation
$$169 = 13 \cdot 13 = (4 + 3\sqrt{-17})(4 - 3\sqrt{-17})$$
are irreducible in $\mathbb{Z}[\sqrt{-17}]$. Clearly $13 = a^2 + 17b^2$ is not solvable in integers, which implies that 13 is irreducible.
If $4 + 3\sqrt{-17} = \alpha\beta$, then taking norms we find $13^2 = N\alpha \cdot N\beta$, and unless $\alpha$ or $\beta$ is a unit, this implies $N\alpha = N\beta = 13$, which is impossible.
2.25. The verification of
$$\frac{5 + \sqrt{-7}}{2} = \left(\frac{-1 - \sqrt{-7}}{2}\right)^3$$

is straightforward. Similarly,
√  1 + √−7 3
181 + −7
=− .
2 2
2.26. Consider the points P (x1 , y1 ) and P2 (x2 , y2 ) on the unit circle. Then

P ⊕ Q = (x1 x2 − y1 y2 , x1 y2 + x2 y1 ).

Since

x1 = cos(α), y1 = sin(α), x2 = cos(β), y2 = sin(β)

and

x3 = cos(α + β), y3 = sin(α + β)

we can deduce that

cos(α + β) = cos(α) cos(β) − sin(α) sin(β),


sin(α + β) = sin(α) cos(β) + cos(α) sin(β).

2.27. Consider the point $P(r, s)$ on the unit circle, where $r = \cos\alpha$ and $s = \sin\alpha$. By similarity, the projection $P'(1|t)$ of $P$ onto the line $x = 1$ satisfies $\frac{t}{2} = \frac{s}{1+r}$, so $t = \frac{2s}{1+r}$.
By elementary geometry, addition of points $P'$ and $Q'$ on the tangent line corresponds to adding the angles $P'ZN$ and $Q'ZN$; for $P'(1|t)$, the angle is given by $\tan P'ZN = \frac{t}{2}$, hence the sum of two points $P_1(1|t_1)$ and $P_2(1|t_2)$ is given by $P_1 \oplus P_2 = P_3(1|t_3)$, where
$$t_3 = \frac{t_1 + t_2}{1 - t_1t_2}.$$

2.28. Let $P = (x_1, y_1)$, where $x_1 = \sqrt{\frac{1+x}{2}}$ and $y_1 = \sqrt{\frac{1-x}{2}}$ (thus the sign of $xy$ is positive). The addition formula gives $2P = (x_3, y_3)$ for
$$x_3 = x_1^2 - y_1^2 = \frac{1+x}{2} - \frac{1-x}{2} = x, \qquad y_3 = 2x_1y_1 = 2\sqrt{\frac{1 - x^2}{4}} = y.$$
Applying this procedure to the point $P(\frac{\sqrt{2}}{2}, \frac{\sqrt{2}}{2})$ corresponding to the angle $\frac{\pi}{4}$ we obtain $\frac{1}{2}P = \left(\frac{1}{2}\sqrt{2 + \sqrt{2}}, \frac{1}{2}\sqrt{2 - \sqrt{2}}\right)$ as claimed.

2.29. We have to verify two properties:
• If $x_1y_1 = x_2y_2 = 1$, then $x_1x_2 \cdot y_1y_2 = 1$. This is trivially true.
• The slope $m_1 = \frac{y_2 - y_1}{x_2 - x_1}$ is equal to $m = \frac{y_3 - 1}{x_3 - 1}$. But after clearing denominators in the equation $m_1 = m$ we get, using $x_1y_1 = x_2y_2 = 1$,
$$(y_1y_2 - 1)(x_2 - x_1) = (x_1x_2 - 1)(y_2 - y_1)$$
$$y_1x_2y_2 - x_2 - x_1y_1y_2 + x_1 = x_1x_2y_2 - y_2 - x_1x_2y_1 + y_1$$
$$y_1 - x_2 - y_2 + x_1 = x_1 - y_2 - x_2 + y_1,$$
and this is clearly true.


2.30. We have to verify two properties:
• If $y_1 = x_1^2$ and $y_2 = x_2^2$, then $y_1 + y_2 + 2x_1x_2 = (x_1 + x_2)^2$. This is obviously true.
• The slopes $m_1 = \frac{y_2 - y_1}{x_2 - x_1}$ and $m = \frac{y_3}{x_3}$ are equal. But clearly
$$m = \frac{y_3}{x_3} = \frac{y_1 + y_2 + 2x_1x_2}{x_1 + x_2} = \frac{(x_1 + x_2)^2}{x_1 + x_2} = x_1 + x_2, \quad \text{and}$$
$$m_1 = \frac{y_2 - y_1}{x_2 - x_1} = \frac{x_2^2 - x_1^2}{x_2 - x_1} = x_1 + x_2.$$
2.31. We have $f(q) = \frac{q}{1 - q - q^2}$, hence
$$f\left(\frac{1}{q}\right) = \frac{\frac{1}{q}}{1 - \frac{1}{q} - \frac{1}{q^2}} = \frac{q}{q^2 - q - 1} = \frac{-q}{1 + q - q^2} = f(-q).$$

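2.32. This is an immediate consequence of Binet's formula:
$$\frac{U_{n+1}}{U_n} = \frac{\omega^{n+1} - \omega'^{\,n+1}}{\omega^n - \omega'^{\,n}} = \omega \cdot \frac{1 - \alpha^{n+1}}{1 - \alpha^n},$$
where $\alpha = \frac{\omega'}{\omega} = -\frac{1}{\omega^2}$. Since $|\alpha| < 1$, the fraction tends to 1, and this implies the claim.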
2.33. We have to show:
1. If $x_1^2 - x_1y_1 - y_1^2 = x_2^2 - x_2y_2 - y_2^2 = 1$, then $x_3^2 - x_3y_3 - y_3^2 = 1$ for
$$x_3 = x_1x_2 + y_1y_2, \quad y_3 = x_1y_2 + x_2y_1 - y_1y_2.$$
This can be done by brute force:
$$x_3^2 - x_3y_3 - y_3^2 = (x_1x_2 + y_1y_2)^2 - (x_1x_2 + y_1y_2)(x_1y_2 + x_2y_1 - y_1y_2) - (x_1y_2 + x_2y_1 - y_1y_2)^2 = (x_1^2 - x_1y_1 - y_1^2)(x_2^2 - x_2y_2 - y_2^2).$$
2. The slopes $m_1 = \frac{y_2 - y_1}{x_2 - x_1}$ and $m = \frac{y_3}{x_3 - 1}$ are equal. Clearing denominators yields the equation
$$y_2(x_1^2 - x_1y_1 - y_1^2 - 1) = y_1(x_2^2 - x_2y_2 - y_2^2 - 1),$$
which is clearly correct.


2.34. Starting with (1, 0) we obtain, using Vieta jumping, the sequence

(1, 0), (1, −1), (−2, −1), (−2, 3), (5, 3), (5, −8), . . .

of integral points on the Fibonacci hyperbola x 2 − xy − y 2 = 1. The second


sequence is given by

(−1, 0), (−1, 1), (2, 1), (2, −3), (−5, −3), (−5, 8), . . . .

Observe that the coordinate with the largest absolute value is conserved. If,
for example, (x, y) is an integral point with x > y > 0, then the second
solution of the quadratic equation Y 2 + xY − x 2 + 1 = 0 is Y = −y − x, and
we obtain the second integral point (x, −x − y). In all examples, |x| + |y| is
increasing.
We claim that every integral point on the Fibonacci hyperbola belongs to one
of these two sequences. Assume therefore that (x, y) is an integral point on
the Fibonacci hyperbola with |y| > 0. Vieta jumping gives us a new point
(x1 , y1 ) with |y1 | ≤ |y| and |x1 | + |y1 | < |x| + |y| until we find one with
y-coordinate 0. But then x = ±1, and (x, y) belongs to one of the two
sequences above.
2.35. We will show more generally that the group law on the Pell conic $x^2 - my^2 = 1$ is given by $P_1 \oplus P_2 = P_3$, where $P_j = (x_j, y_j)$ and
$$x_3 = x_1x_2 + my_1y_2, \quad y_3 = x_1y_2 + x_2y_1.$$
We show that $P_3$ is on the conic and that the slopes of the lines $P_1P_2$ and $NP_3$ coincide:
$$x_3^2 - my_3^2 = (x_1x_2 + my_1y_2)^2 - m(x_1y_2 + x_2y_1)^2 = (x_2^2 - my_2^2)x_1^2 - m(x_2^2 - my_2^2)y_1^2 = x_1^2 - my_1^2 = 1,$$
hence $P_3$ lies on the conic.
Next we compare the slopes $m_1 = \frac{y_2 - y_1}{x_2 - x_1}$ and $m_2 = \frac{y_3}{x_3 - 1}$. We will show that $m_1 = m_2$; this equation is equivalent to
$$\frac{y_2 - y_1}{x_2 - x_1} = \frac{y_3}{x_3 - 1}$$
$$(x_3 - 1)(y_2 - y_1) = y_3(x_2 - x_1)$$
$$(x_1x_2 + my_1y_2 - 1)(y_2 - y_1) = (x_1y_2 + x_2y_1)(x_2 - x_1)$$
$$y_2(x_1^2 - my_1^2) - y_2 = y_1(x_2^2 - my_2^2) - y_1$$
$$y_2 - y_1 = y_2 - y_1,$$
and the last equation is true.
Clearly the integral multiples of $(2, 1)$ are integral points on the hyperbola $x^2 - 3y^2 = 1$. If $Q = (x, y)$ is any integral point not of this form, then it must lie between two consecutive multiples $kP$ and $(k + 1)P$. But then $Q - kP$ is an integral point between $N$ and $P$: Contradiction.
Finally we have $2(x, y) = (x^2 + 3y^2, 2xy)$; since $x^2 - 3y^2 = 1$, we can write this equation as $2(x, y) = (2x^2 - 1, 2xy)$.
2.36. Assume that $n$ is prime. Then $a^{n-1} \equiv 1 \bmod n$ by Fermat's Little Theorem. If we choose $a$ as a primitive root modulo $n$, then $a^k \not\equiv 1 \bmod n$ for each proper divisor $k$ of $n - 1$.
Now assume conversely that $a^{n-1} \equiv 1 \bmod n$ for some integer $a$ and $a^k \not\equiv 1 \bmod n$ for each proper divisor $k$ of $n - 1$. Then $a$ is coprime to $n$, and so are all the powers $a^k$ for $1 \le k \le n - 1$. If we can show that these powers are distinct modulo $n$, then there are $n - 1$ coprime residue classes, and then $n$ must be prime.
But if $a^r \equiv a^s \bmod n$ for $1 \le s < r \le n - 1$, then $a^{r-s} \equiv 1 \bmod n$, and this contradicts our assumptions.
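The criterion of 2.36 as a primality certificate, written out as an added Python example (not code from the book). The function names are chosen here; the "fast" variant tests only the exponents (n − 1)/q for primes q dividing n − 1, which is equivalent to testing every proper divisor because the order of a divides n − 1.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for small n)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def proper_divisors(n):
    """All divisors k of n with 1 <= k < n."""
    return [k for k in range(1, n) if n % k == 0]


def lucas_condition(n, a):
    """Literal form of 2.36: a^(n-1) = 1 and a^k != 1 (mod n)
    for every proper divisor k of n - 1."""
    if pow(a, n - 1, n) != 1:
        return False
    return all(pow(a, k, n) != 1 for k in proper_divisors(n - 1))


def lucas_condition_fast(n, a):
    """Same condition, checking only k = (n-1)/q for primes q | n-1."""
    if pow(a, n - 1, n) != 1:
        return False
    return all(pow(a, (n - 1) // q, n) != 1 for q in prime_factors(n - 1))


def find_witness(n):
    """Smallest a in [2, n) certifying that n >= 3 is prime, or None.
    For prime n this is the smallest primitive root; for composite n
    no such a exists because the order of a divides phi(n) < n - 1."""
    for a in range(2, n):
        if lucas_condition_fast(n, a):
            return a
    return None


if __name__ == "__main__":
    for n in (97, 341, 561):  # 341 and 561 are base-2 pseudoprimes
        print(n, "Fermat base 2:", pow(2, n - 1, n) == 1,
              "witness:", find_witness(n))
```

The pseudoprimes 341 and 561 pass the plain Fermat test to base 2 but have no witness, which is the gap the extra condition on proper divisors closes.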
2.37. Let $E$ be the field with $p^2$ elements, and let $\mathbb{F}_p$ denote its subfield with $p$ elements. We represent the elements of $E$ in the form $a + b\sqrt{3}$, where $a, b \in \mathbb{Z}/p\mathbb{Z}$ and where $a^2 - 3b^2 = 1$.
Observe that for primes $p$ with $\left(\frac{3}{p}\right) = -1$, we have $(a + b\sqrt{3})^p \equiv a - b\sqrt{3}$, hence the norm map $E^\times \longrightarrow \mathbb{F}_p^\times$ is given by $a^2 - 3b^2 = N(\alpha) = \alpha \cdot \alpha^p$.
Since its kernel has at most $p + 1$ elements, it must be onto. Thus the kernel $C(\mathbb{Z}/p\mathbb{Z})$, which consists of the points on the conic $x^2 - 3y^2 = 1$ over $\mathbb{Z}/p\mathbb{Z}$, has exactly $p + 1$ elements. Since the multiplicative groups of finite fields are cyclic, and since subgroups of cyclic groups are cyclic, it follows that the points modulo $p$ on the conic $x^2 - 3y^2 = 1$ form a cyclic group of order $p + 1$.
If $P \in C(\mathbb{Z}/p\mathbb{Z})$ is any point on the conic $x^2 - 3y^2 = 1$ modulo $p$, where $\left(\frac{3}{p}\right) = -1$, then $(p + 1)P = N = (1, 0)$. Since the group $C(\mathbb{Z}/p\mathbb{Z})$ is cyclic, $\frac{p+1}{2}P = N$ or $\frac{p+1}{2}P = T$, where $T(-1, 0)$ is the unique point of order 2. Clearly $\frac{p+1}{2}P = N$ for all points $P$ of the form $P = 2Q$, and $\frac{p+1}{2}P = T$ otherwise.
We now claim that $P = (2, 1)$ does not have the form $P = 2Q$ for some $Q \in C(\mathbb{Z}/p\mathbb{Z})$. In fact, if $Q = (a, b)$, then $2Q = (a^2 + 3b^2, 2ab)$; but the system of congruences $a^2 + 3b^2 \equiv 2 \bmod p$ and $2ab \equiv 1 \bmod p$ is equivalent to $a^2 + 3\left(\frac{1}{2a}\right)^2 \equiv 2 \bmod p$, i.e., to $0 \equiv 4a^4 - 8a^2 + 3 = (2a^2 - 1)(2a^2 - 3) \bmod p$. The congruence $2a^2 \equiv 3 \bmod p$ is not solvable for primes $p = 2^q - 1 \equiv 7 \bmod 8$ with $\left(\frac{3}{p}\right) = -1$. Let $a \equiv \frac{\sqrt{2}}{2} \bmod p$ be a solution of the congruence $2a^2 \equiv 1 \bmod p$. Then $b \equiv a \bmod p$, but the point $(a, b)$ is not in $C(\mathbb{Z}/p\mathbb{Z})$.
Thus $\frac{p+1}{2}P = (-1, 0)$ for $P = (2, 1)$ if $p = 2^q - 1$ is prime. Assume conversely that $\frac{p+1}{2}P = (-1, 0)$. Since $\frac{p+1}{2} = 2^{q-1}$ is a power of 2, this implies that $P$ has order $p + 1$. This in turn implies that $C(\mathbb{Z}/p\mathbb{Z})$ is cyclic, and that $p$ is prime: If $p = qr$ is a product of coprime integers, then $C(\mathbb{Z}/p\mathbb{Z}) \simeq C(\mathbb{Z}/q\mathbb{Z}) \times C(\mathbb{Z}/r\mathbb{Z})$, which contradicts the fact that $C(\mathbb{Z}/p\mathbb{Z})$ is cyclic; if $p$ is divisible by the square $q^2$ of an odd prime $q$, then the order of $C(\mathbb{Z}/p\mathbb{Z})$ is a multiple of $q$.
Finally let us compute the point $Q$ with $2Q = \frac{p+1}{2}P = (-1, 0)$. Setting $Q = (a, b)$ we obtain $2Q = (a^2 + 3b^2, 2ab)$. If $b = 0$, then $a^2 \equiv -1 \bmod p$, which is impossible since $p \equiv 3 \bmod 4$. Thus $a = 0$ and $3b^2 \equiv -1 \bmod p$. Since $\left(\frac{3}{p}\right) = \left(\frac{-1}{p}\right) = -1$, this congruence is solvable, and $Q$ has the form $(0, \pm b)$ as claimed.
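The test described in 2.37, run with the group law from 2.35, as an added Python example (not code from the book); the function names are chosen here. It decides whether p = 2^q − 1 is prime by checking that ((p + 1)/2)·P = (−1, 0) for P = (2, 1) on x² − 3y² = 1 modulo p, and it counts points by brute force to confirm the group order p + 1 for small p.

```python
def conic_add(P, Q, m, n):
    """Group law on x^2 - m*y^2 = 1 modulo n (formula of 2.35)."""
    x1, y1 = P
    x2, y2 = Q
    return ((x1 * x2 + m * y1 * y2) % n, (x1 * y2 + x2 * y1) % n)


def conic_mul(k, P, m, n):
    """k*P by double-and-add, starting from the neutral element N = (1, 0)."""
    result = (1 % n, 0)
    base = (P[0] % n, P[1] % n)
    while k > 0:
        if k & 1:
            result = conic_add(result, base, m, n)
        base = conic_add(base, base, m, n)
        k >>= 1
    return result


def count_points(m, p):
    """Number of solutions of x^2 - m*y^2 = 1 over Z/pZ (brute force)."""
    return sum(1 for x in range(p) for y in range(p)
               if (x * x - m * y * y - 1) % p == 0)


def mersenne_is_prime(q):
    """Criterion of 2.37 for odd q >= 3: p = 2^q - 1 is prime
    if and only if ((p+1)/2) * (2, 1) = (-1, 0) on x^2 - 3y^2 = 1 mod p."""
    p = 2 ** q - 1
    return conic_mul((p + 1) // 2, (2, 1), 3, p) == (p - 1, 0)


def doubling_x(q):
    """x-coordinates of P, 2P, 4P, ..., 2^(q-1) P for P = (2, 1) mod 2^q - 1.
    Since (p+1)/2 = 2^(q-1), the test needs only q - 1 doublings."""
    p = 2 ** q - 1
    P = (2, 1)
    xs = [P[0] % p]
    for _ in range(q - 1):
        P = conic_add(P, P, 3, p)
        xs.append(P[0])
    return xs


if __name__ == "__main__":
    print("doublings for q = 5:", doubling_x(5))
    for q in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31):
        print(q, 2 ** q - 1, mersenne_is_prime(q))
```

The x-coordinates satisfy x ↦ 2x² − 1, so 2x follows the recursion s ↦ s² − 2 starting from 4: this is the Lucas–Lehmer test in the language of the conic.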
2.38. Jumping upwards we construct the sequence of integral points (2, 0), (8, 2),
(30, 8), (112, 30), . . . ; the remaining integral points are obtained from these
by switching x and y and by replacing (x, y) with (−x, −y). Inverting the
process we easily see that there are no other integral points.
There are explicit formulas of Binet type for these integral points. Using $\varepsilon = 2 + \sqrt{3}$ we define integers $U_n$, $V_n$ via $U_n + V_n\sqrt{3} = \varepsilon^n$; then induction shows that the integral points in the first quadrant are given by $(2V_{n+1}, 2V_n)$.
2.39. The conic C : x 2 + y 2 − 3xy + 1 = 0 has the integral point (x, y) = (1, 1).
Applying Vieta jumping we obtain the sequence of integral points

(1, 1), (1, 2), (2, 5), (5, 13), (13, 34), . . .

and one in which x and y are interchanged. We now prove that there are no
other integral points on the conic lying in the first quadrant (we obtain similar
sequences in the third quadrant by switching the signs of x and y) (Fig. B.1).
In fact, assume that $(x, y)$ is an integral point on $C$ lying in the first quadrant. If $y > x$, then $(x, y')$ with $y' = 3x - y$ is another integral point on $C$ in the first quadrant with $y' \le x$. In fact, the equation $yy' = x^2 - 1$ immediately implies $y' = \frac{x^2 - 1}{y} < \frac{x^2}{y} < x$.

Fig. B.1 Vieta Jumping on the conic x 2 + y 2 − 3xy + 1 = 0

Continuing in this way we eventually must find an integral point (ξ, η) in the
first quadrant with ξ = η, and this implies (ξ, η) = (1, 1). Thus (x, y) must
arise by Vieta jumping from (1, 1), and this is what we wanted to prove.
2.40. We first study the conic x 2 + y 2 − 3xy + x = 0. It has the integral point
(x, y) = (1, 1). Applying Vieta jumping we obtain the sequence of integral
points

(1, 1), (1, 2), (4, 2), (4, 10), (10, 25), . . . .

In fact, assume that $(a, b)$ is an integral point. Then the equation $x^2 + b^2 + (1 - 3b)x = 0$ has the solution $x_1 = a$; and the second solution $x_2$ satisfies $x_1x_2 = b^2$ and $x_1 + x_2 = 3b - 1$. The second equation tells us that $x_2 = 3b - 1 - a$. Observe that exactly one of $x_1$ and $x_2$ is $< b$, and the other is $> b$.
Now consider the equation $\frac{x+1}{y} + \frac{y}{x} = k$, i.e., the conic $C_k : x^2 - kxy + y^2 + x = 0$. Assume that we have an integral point $(a, b)$ on $C_k$; we have to show that $k = 3$.
We will show that if $b \ne a$, then there exists an integral point $(a', b')$ with $0 < b' < b$ or $0 < a' < a$. Applying this step sufficiently often we will arrive at an integral point $(a, a)$ with $a > 0$. But then $(2 - k)a^2 + a = 0$ implies $a = \frac{1}{k-2}$, and this is a positive integer if and only if $k = 3$.
It remains to construct $(a', b')$. If $b > a$, then $(a, b')$ with $b' = ka - b$ is another integral point, and $bb' = a^2 + a$ implies that $b' < b$. Similarly, if $a > b$, then $a' = kb - 1 - a$ is an integer with $aa' = b^2$, hence $a' < a$.
2.41. The equation of Platon's hyperbola $H : x^2 - 2y^2 = 1$ in the new coordinates $X$ and $Y$ determined by the substitution $x = X + Y$, $y = Y$ is $H' : X^2 + 2XY - Y^2 = 1$. Given a point $P(x, y)$ on $H'(\mathbb{Z})$, Vieta jumping gives rise to $P_*(-x - 2y, y)$ and $P^*(x, 2x - y)$; starting from $(1, 0)$ we obtain the sequence of integral points

(1, 0), (1, 2), (−5, 2), (−5, −12), (29, −12), (29, 70), . . . ,

which correspond to the points

(1, 0), (3, 2), (−3, 2), (−17, −12), (17, −12), (99, 70), . . .

on Platon’s hyperbola H.
The standard argument shows that every integral point on H comes from the
sequence beginning with (1, 0) or the one with (−1, 0).
2.42. The substitution $x = X - 2Y$ and $y = Y$ transforms the hyperbola $C : x^2 - 3y^2 = 1$ into $C' : X^2 - 4XY + Y^2 = 1$. Given a point $P(x, y)$ on $C'(\mathbb{Z})$, Vieta jumping gives rise to $P_*(4y - x, y)$ and $P^*(x, 4x - y)$; the sequence
of integral points starting from (1, 0) is

(1, 0), (1, 4), (15, 4), (15, 56), . . . ;

it corresponds to the sequence of integral points

(1, 0), (−7, 4), (7, 4), (−97, 56), . . .

on C. The other sequence of integral points on C′ is

(0, 1), (4, 1), (4, 15), (56, 15), . . .

corresponding to the points

(−2, 1), (2, 1), (−26, 15), (26, 15), . . .

on C (Fig. B.2).

Fig. B.2 Vieta jumping on $C' : X^2 - 4XY + Y^2 = 1$

2.43. The substitution $x = X - nY$ and $y = Y$ transforms the conic $C : x^2 - (n^2 - 1)y^2 = 1$ into $C' : X^2 - 2nXY + Y^2 = 1$. Applying Vieta jumping to $P(x, y)$ we find the points $P^*(x, 2nx - y)$ and $P_*(2ny - x, y)$, hence to the sequences

$(1, 0), (1, 2n), (4n^2 - 1, 2n), (4n^2 - 1, 8n^3 - 4n), \ldots$

and

$(0, 1), (2n, 1), (2n, 4n^2 - 1), (8n^3 - 4n, 4n^2 - 1), \ldots$

of integral points on $C'$.
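2.44. The field $\mathbb{Q}(\alpha, \beta)$ has basis $\{1, \beta, \beta^2, \alpha, \alpha\beta, \alpha\beta^2\}$. We now multiply each basis element with $\alpha + \beta$ and find
$$\begin{aligned}
(\alpha + \beta) \cdot 1 &= 0 \cdot 1 + 1 \cdot \beta + 0 \cdot \beta^2 + 1 \cdot \alpha + 0 \cdot \alpha\beta + 0 \cdot \alpha\beta^2 \\
(\alpha + \beta) \cdot \beta &= 0 \cdot 1 + 0 \cdot \beta + 1 \cdot \beta^2 + 0 \cdot \alpha + 1 \cdot \alpha\beta + 0 \cdot \alpha\beta^2 \\
(\alpha + \beta) \cdot \beta^2 &= 2 \cdot 1 + 0 \cdot \beta + 0 \cdot \beta^2 + 0 \cdot \alpha + 0 \cdot \alpha\beta + 1 \cdot \alpha\beta^2 \\
(\alpha + \beta) \cdot \alpha &= 3 \cdot 1 + 0 \cdot \beta + 0 \cdot \beta^2 + 0 \cdot \alpha + 1 \cdot \alpha\beta + 0 \cdot \alpha\beta^2 \\
(\alpha + \beta) \cdot \alpha\beta &= 0 \cdot 1 + 3 \cdot \beta + 0 \cdot \beta^2 + 0 \cdot \alpha + 0 \cdot \alpha\beta + 1 \cdot \alpha\beta^2 \\
(\alpha + \beta) \cdot \alpha\beta^2 &= 0 \cdot 1 + 0 \cdot \beta + 3 \cdot \beta^2 + 2 \cdot \alpha + 0 \cdot \alpha\beta + 0 \cdot \alpha\beta^2
\end{aligned}$$
Using the vector $B = (1, \beta, \beta^2, \alpha, \alpha\beta, \alpha\beta^2)^t$ we write this set of equations in matrix form:
$$(\alpha + \beta) \cdot B = \begin{pmatrix} 0 & 1 & 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 & 1 & 0 \\ 2 & 0 & 0 & 0 & 0 & 1 \\ 3 & 0 & 0 & 0 & 1 & 0 \\ 0 & 3 & 0 & 0 & 0 & 1 \\ 0 & 0 & 3 & 2 & 0 & 0 \end{pmatrix} \cdot B.$$
Call the matrix in this equation $M$; then $(\alpha + \beta)B = MB$ tells us that $\alpha + \beta$ is an eigenvalue of the eigenvector $B$, hence $\alpha + \beta$ must be a root of the equation $\det(xI - M) = 0$. Working out the determinant produces a monic polynomial $f$ of degree 6 with $f(\alpha + \beta) = 0$, namely
$$f(x) = x^6 - 9x^4 - 4x^3 + 27x^2 - 36x - 23.$$
This procedure shows that if $\alpha$ and $\beta$ are algebraic integers (if you cannot see where we are using this fact, go through the calculation with $\alpha = \frac{1+\sqrt{3}}{2}$), then so is $\alpha + \beta$.
The same procedure works for products of algebraic integers; here we multiply $B$ with $\alpha \cdot \beta$.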

2.45. If $f(x) = a_0 + a_1x + \ldots + a_{n-1}x^{n-1}$ and $g(x) = b_0 + b_1x + \ldots + b_{n-1}x^{n-1}$, then $\alpha = f(\zeta)$ and $\beta = g(\zeta)$ are added and multiplied like polynomials, i.e., we set $s(x) = f(x) + g(x)$, $m(x) = f(x)g(x)$ and $\alpha + \beta = s(\zeta)$ and $\alpha\beta = m(\zeta)$; in the case of the product, we replace $\zeta^n$ (and all higher powers of $\zeta$) by smaller powers using $\zeta^n = -1 - \zeta - \ldots - \zeta^{n-1}$. This gives $\mathbb{Z}[\zeta]$ a ring structure (distributivity and associativity follow from the corresponding properties of polynomial rings).
2.46. The claims are simple results of Galois theory and the fact that algebraic
integers form a ring. Since the product of all conjugates is fixed by the Galois
group of the normal closure of K, it is a rational number, and since it is a
product of algebraic integers, it must be an integer.
If $N(\omega) = \pm 1$, then $\omega$ and $\omega' = \pm\omega_2 \cdots \omega_n$ are elements of $K$ whose product is 1, hence $\omega$ is a unit. Conversely, if $\omega$ is a unit, then $\omega\omega' = 1$, and taking norms shows that $N(\omega)$ divides 1 in $\mathbb{Z}$. This implies that $N\omega = \pm 1$.
2.47. If $x^2 - 8y^2 = -1$, then $x^2 + 1 = 8y^2$, and clearly both $x^2$ and $x^2 + 1 = 8y^2$ are powerful. Similarly, $x^2$ and $x^2 - 1$ are powerful if $x^2 - 8y^2 = 1$. Since both equations have infinitely many integral solutions, the claim follows.

Chapter 3

3.1. For fields with characteristic $\ne 2$, the equation of $P$ is equivalent to $(x + \frac{y}{2})^2 - \Delta(\frac{y}{2})^2 = 1$. According to Theorem 3.1, we have
$$x + \frac{y}{2} = \frac{\Delta s^2 + r^2}{\Delta s^2 - r^2}, \qquad \frac{y}{2} = \frac{2rs}{\Delta s^2 - r^2}.$$
The number of $\mathbb{F}_p$-rational points on $C$ for odd primes $p$ follows from the corresponding result for Pell conics of the form $X^2 - dY^2 = 1$: We have
$$4x^2 + 4xy - 4my^2 = (2x + y)^2 - \Delta y^2 = 4,$$
and this implies $\#P(\mathbb{F}_p) = p - \left(\frac{\Delta}{p}\right)$ for all odd primes.
The equation $\#P(\mathbb{F}_p) = p - \left(\frac{\Delta}{p}\right)$ also holds for $p = 2$ if we define $\left(\frac{\Delta}{2}\right) = +1$ or $= -1$ according as $\Delta \equiv 1$ or $\Delta \equiv 5 \bmod 8$. In fact, if $\Delta \equiv 1 \bmod 8$, then $m$ is even, and the congruence $x^2 + xy \equiv 1 \bmod 2$ has the unique solution $(x, y) = (1, 1)$ modulo 2. If $\Delta \equiv 5 \bmod 8$, on the other hand, then $m$ is odd, and $x^2 + xy + y^2 \equiv 1 \bmod 2$ has three solutions $(x, y) = (1, 0)$, $(0, 1)$, and $(1, 1)$ modulo 2.
3.2. Intersecting the pencil of lines y = tx with the curve C : y 2 = x 3 yields
the equation t 2 x 2 = x 3 . The lines intersect the curve twice in x = 0;
the other solution is given by x = t 2 and y = tx = t 3 . Thus we obtain
the parametrization (x, y) = (t 2 , t 3 ), and this parametrization includes the
singular point (0, 0). The same formulas hold for Fp -rational points, hence
#C(Fp ) = p.
For C : y 2 = x 3 +x 2 we find with the same pencil y = tx that t 2 x 2 = x 3 +x 2 ;
this is equivalent to x 2 (x + 1 − t 2 ) = 0. This yields the parametrization
(x, y) = (t 2 − 1, t 3 − t). The singular point (0, 0) is parametrized twice,
namely for t = ±1. The last fact is responsible for #C(Fp ) = p − 1.
3.3. The map λ is well defined since λ(s + Z) = λ(s + 1 + Z). Now we find

λ(s + Z) + λ(t + Z) = (cos 2πs, sin 2πs) + (cos 2πt, sin 2πt)
= (cos(2πs) cos(2πt) − sin(2πs) sin(2πt),
sin(2πs) cos(2πt) + sin(2πt) cos(2πs))
= (cos(2π(s + t)), sin(2π(s + t)) = λ(s + t + Z).

The kernel of λ consists of all cosets t + Z with cos 2πt = 1 and sin 2πt = 0;
these equations imply that t is an integer, hence t + Z = Z, and λ is injective.
Since λ is clearly surjective, it must be bijective.
Since $\lambda$ is an isomorphism, the image of the cyclic subgroup of order $n$ generated by $\frac{1}{n} + \mathbb{Z}$ generates a cyclic subgroup of order $n$ on the unit circle. The claims now follow since $e^{\frac{2\pi i}{n}} = \cos\frac{2\pi}{n} + i\sin\frac{2\pi}{n}$ is a primitive $n$-th root of unity in the complex plane.
3.4. This is clear since $\left(\frac{a}{p}\right) = \left(\frac{bc^2}{p}\right) = \left(\frac{b}{p}\right)\left(\frac{c}{p}\right)^2 = \left(\frac{b}{p}\right)$.
3.5. For computing $\left(\frac{2}{15}\right)$ we work modulo 15:

2·1 ≡ 2    2·4 ≡ −7
2·2 ≡ 4    2·5 ≡ −5
2·3 ≡ 6    2·6 ≡ −3
           2·7 ≡ −1

which implies that $\left(\frac{2}{15}\right) = (-1)^4 = +1$.
For computing $\left(\frac{3}{35}\right)$, we choose the half system $\{1, 2, \ldots, 17\}$ and compute the remainders of the products with 3; the only negative remainders occur for

3·1 ≡ −17    3·4 ≡ −8
3·2 ≡ −14    3·5 ≡ −5
3·3 ≡ −11    3·6 ≡ −2,

which implies that $\left(\frac{3}{35}\right) = (-1)^6 = +1$.
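The counting in 3.5 as an added Python example (not code from the book): it lists the multiples a·k, k in the half system {1, …, (n − 1)/2}, whose least absolute remainder modulo n is negative, and takes the symbol to be (−1) raised to their number. The function names are chosen here. For comparison the Jacobi symbol is also computed by the standard reciprocity algorithm, and the two values are checked against each other for odd n and a coprime to n.

```python
from math import gcd


def negative_residues(a, n):
    """Pairs (k, r) with 1 <= k <= (n-1)/2 and a*k = r (mod n),
    where r is the least absolute remainder and r < 0."""
    half = (n - 1) // 2
    out = []
    for k in range(1, half + 1):
        r = (a * k) % n
        if r > half:
            out.append((k, r - n))
    return out


def symbol_by_gauss_lemma(a, n):
    """(a/n) = (-1)^mu, mu = number of negative remainders (odd n, gcd(a, n) = 1)."""
    if n < 3 or n % 2 == 0 or gcd(a, n) != 1:
        raise ValueError("need odd n >= 3 and gcd(a, n) = 1")
    return -1 if len(negative_residues(a, n)) % 2 else 1


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):      # (2/n) = -1 for n = 3, 5 mod 8
                result = -result
        a, n = n, a                  # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


if __name__ == "__main__":
    for a, n in ((2, 15), (3, 35)):
        neg = negative_residues(a, n)
        print(f"({a}/{n}): negative remainders {[r for _, r in neg]}, "
              f"symbol {symbol_by_gauss_lemma(a, n)}, jacobi {jacobi(a, n)}")
```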
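3.6. Write $m = p_1 \cdots p_r q_1 \cdots q_s$ for primes $p_j \equiv 1 \bmod 4$ and $q_j \equiv 3 \bmod 4$. Then $m \equiv (-1)^s \bmod 4$ and
$$\frac{m-1}{2} \equiv \begin{cases} 0 \bmod 2 & \text{if } s \equiv 0 \bmod 2, \\ 1 \bmod 2 & \text{if } s \equiv 1 \bmod 2. \end{cases}$$
Thus $\frac{m-1}{2} \equiv s \bmod 2$ and $(-1)^{\frac{m-1}{2}} = (-1)^s$.
On the other hand,
$$\left(\frac{-1}{m}\right) = \prod_{i=1}^{r} \left(\frac{-1}{p_i}\right) \cdot \prod_{j=1}^{s} \left(\frac{-1}{q_j}\right) = (-1)^s.$$
This proves the claim.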


3.7. The permutation (a1 a2 )(a2 a3 ) · · · (an−1 an ) maps a1 to a2 , a2 to a3 , . . . , and
an−1 to an (recall that these maps are applied from right to left). The element
an is first mapped to an−1 , then to an−2 , . . . , and finally to a1 . This proves the
claim.
3.8. We will give a proof by example. Consider the sets A = {1, 2} and B =
{1, 2, 3}. Then

A × B = {(1, 1), (1, 2), (1, 3), (2, 1), (2, 2), (2, 3)}.

The permutation πA that swaps 1 and 2 has signature −1, and the induced
permutation on A × B swaps #B = 3 elements.
3.9. If we take the product over all $\phi(mn)/2$ congruences $a \cdot a_j \equiv (-1)^{s_j} a_j$, then we obtain, after cancelling the products of all integers in the half system, the congruence
$$a^{\phi(mn)/2} \equiv (-1)^{\sum s_j} \bmod mn.$$
Now $\phi(mn) = \phi(m)\phi(n)$, so from $a^{\phi(m)/2} \equiv \pm 1 \bmod m$ it follows that $a^{\phi(mn)/2} \equiv (\pm 1)^{\phi(n)} \equiv +1 \bmod m$ since $\phi(n)$ is even. Similarly we can show that $a^{\phi(mn)/2} \equiv 1 \bmod n$, and since $m$ and $n$ are coprime, this implies that $a^{\phi(mn)/2} \equiv 1 \bmod mn$, and our claim follows.
3.10. If $n = 2k + 1$ is odd, then for each prime $p$ dividing $2^m - 1$ we have $p \mid 3^{2k+1} - 1$, hence $\left(\frac{3}{p}\right) = +1$. By modularity, this condition is equivalent to $p \equiv \pm 1 \bmod 12$. But then $2^n - 1 \equiv \pm 1 \bmod 12$, hence $2^n \equiv 0, 2 \bmod 12$, which is impossible.
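3.11. If we sum over $-t$ instead of $t$, then we get
$$S = \sum_{t=0}^{p-1} \left(\frac{-t}{p}\right)\left(\frac{(-t)^2 - 1}{p}\right) = \left(\frac{-1}{p}\right) \sum_{t=0}^{p-1} \left(\frac{t}{p}\right)\left(\frac{t^2 - 1}{p}\right) = -S,$$
hence $S = 0$.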

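3.12. Each residue class $t \bmod mn$ can be written uniquely in the form $t = rm + sn$, where $r$ and $s$ run through the residue classes modulo $n$ and $m$, respectively. Thus
$$\begin{aligned}
\phi_{mn}(1) &= \sum_{t=0}^{mn-1} \left(\frac{t}{mn}\right)\left(\frac{t^2 - 1}{mn}\right) = \sum_{r=0}^{n-1}\sum_{s=0}^{m-1} \left(\frac{rm + sn}{mn}\right)\left(\frac{(rm + sn)^2 - 1}{mn}\right) \\
&= \sum_{r=0}^{n-1}\sum_{s=0}^{m-1} \left(\frac{sn}{m}\right)\left(\frac{rm}{n}\right)\left(\frac{(sn)^2 - 1}{m}\right)\left(\frac{(rm)^2 - 1}{n}\right) \\
&= \sum_{s=0}^{m-1} \left(\frac{sn}{m}\right)\left(\frac{(sn)^2 - 1}{m}\right) \sum_{r=0}^{n-1} \left(\frac{rm}{n}\right)\left(\frac{(rm)^2 - 1}{n}\right) \\
&= \phi_m(1)\phi_n(1).
\end{aligned}$$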
3.13. I do not know how to prove this claim.


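3.14. The first equation is clear since $Q_2(m, n) = m + n$. Write $m + n = 2k$ for some odd integer $k$.
$$\left(\frac{m+n}{Q_q(m, n)}\right) = \left(\frac{2}{Q_q(m, n)}\right)\left(\frac{k}{Q_q(m, n)}\right).$$
Since $Q_q(m, n) \equiv q \bmod 8$ we have $\left(\frac{2}{Q_q(m,n)}\right) = \left(\frac{2}{q}\right)$.
For evaluating the second symbol we use quadratic reciprocity; to this end we observe that since $mn \equiv 1 \bmod 8$ we have $k \equiv 1 \bmod 4$:
$$\left(\frac{k}{Q_q(m, n)}\right) = \left(\frac{Q_q(m, n)}{k}\right) = 1$$
because $n \equiv -m \bmod k$ implies that
$$Q_q(m, n) = \frac{m^q - n^q}{m - n} \equiv \frac{2m^q}{2m} \equiv m^{q-1} = \left(m^{\frac{q-1}{2}}\right)^2 \bmod k$$
is a square modulo $k$.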
3.15. We have
m2t − n2t m2 − n2
Qr (m, n) = = Qt (m2 , n2 ) · (m + n),
m2 − n2 m − n
hence
 Q (m, n)   Q (m2 , n2 )  Q (m2 , n2 ) 
r 2 t
= .
Qq (m, n) Qq (m, n) Qq (m, n)
The claim now follows from (3.22).
3.16. The claim is true for q = 1 and all odd integers p since Q1 (m, n) = 1.
Assume that the claim holds for all odd integers q < q and all p = q. If
p < q, we have, by the quadratic reciprocity law,
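$$\left(\frac{Q_p(m, n)}{Q_q(m, n)}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}} \left(\frac{Q_q(m, n)}{Q_p(m, n)}\right) = (-1)^{\frac{p-1}{2} \cdot \frac{q-1}{2}} \left(\frac{q}{p}\right) = \left(\frac{p}{q}\right).$$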

If p > q write p ≡ r mod q with 0 < r < q and use the preceding exercise.
Applying this result inductively to r = 2j t for some odd integer t < q we
find
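$$\left(\frac{Q_r(m, n)}{Q_q(m, n)}\right) = \left(\frac{2}{q}\right)^j \left(\frac{Q_t(m^2, n^2)}{Q_q(m, n)}\right) = \left(\frac{2}{q}\right)^j \left(\frac{t}{q}\right) = \left(\frac{r}{q}\right).$$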

This implies the claim if p > q, and thus finishes the proof.
3.17. 1. For p = 13, only the pairs (3, 4) and (9, 10) are consecutive quadratic
residues, hence RR = 2. Similarly, the pairs (5, 6), (6, 7), and (7, 8) are
consecutive nonresidues, hence NN = 3. Similarly we find RN = NR = 3.
2. The equation RR + RN + NR + NN = p − 2 follows from the fact that
there are exactly p − 2 pairs of consecutive nonzero residue classes modulo
p.
3. Assume that $a(a + 1)$ is a quadratic residue modulo $p$, and write $a(a + 1) = y^2$ in $\mathbb{F}_p$. Completing the square gives $(2a + 1)^2 = 4y^2 + 1$, hence $(2a + 1 + 2y)(2a + 1 - 2y) = 1$. Setting $2a + 1 + 2y = t$ and $2a + 1 - 2y = \frac{1}{t}$ for some $t \in \mathbb{F}_p^\times$ we obtain a parametrization of the conic $a^2 + a = y^2$. The elements $t = \pm 1$ give rise to the trivial solutions $a = 0$ and $a + 1 = 0$; moreover, the values $t$ and $\frac{1}{t}$ give rise to the same value of $a$. Thus we obtain $\frac{p-3}{2}$ pairs $(a, a + 1)$ for which $a(a + 1)$ is a nonzero quadratic residue modulo $p$.
The second claim follows from 2. and $RR + NN = \frac{p-3}{2}$.
4. Let $a = x^2$ and $a + 1 = y^2$ be squares in $\mathbb{F}_p^\times$; then $y^2 - x^2 = 1$. Thus each pair $(a, a + 1)$ of consecutive quadratic residues gives rise to four points $(\pm x, \pm y)$ on the conic $H : Y^2 - X^2 = 1$. Conversely, each of these points produces the pair $(x^2, y^2)$ of consecutive quadratic residues.
For $p = 13$, this correspondence is given by

a    3           9
P    (±4, ±2)    (±3, ±6)

Observe that the group law on $C$ with neutral element $N(0, 1)$ is given by
$$(x_1, y_1) \oplus (x_2, y_2) = (x_1y_2 + x_2y_1, x_1x_2 + y_1y_2).$$
Thus $P = (5, 0)$ has order 4 since $2P = (0, -1)$ is the element of order 2. Moreover, $(x, y) \oplus (0, -1) = (-x, -y)$ and $(x, y) \oplus (5, 0) = (5y, 5x)$.
3.18. Since $\left(\frac{-1}{p}\right) = -1$, the quadratic nonresidues $\{n_1, \ldots, n_m\}$ form a half system modulo $p = 2m + 1$.
If $\left(\frac{a}{p}\right) = -1$, then $an_i \equiv -n_j \bmod p$; similarly $an_i \equiv n_j \bmod p$ if $\left(\frac{a}{p}\right) = +1$. In the first case, there are an odd number of sign changes (namely $m$), in the second case there is none. Thus Gauss's Lemma holds in both cases.
3.19. We have $N_2 = p - 1$ and $N_4 = p^2(p - 1) + pN_2 = p^3 - p^2 + p^2 - p = p^3 - p$. Assume that $N_{n-2} = p^{n-3} - p^{\frac{n-4}{2}}$; then
$$N_n = p^{n-2}(p - 1) + p\left(p^{n-3} - p^{\frac{n-4}{2}}\right) = p^{n-1} - p^{n-2} + p^{n-2} - p^{\frac{n-2}{2}} = p^{n-1} - p^{\frac{n-2}{2}}$$
as claimed.
3.20. It is easy to produce infinitely many integral solutions of $Q_4(m, n) = x^4$: If $Q_4(m, n) = c$, then $Q_4(mc, nc) = c^4$. If $m \equiv n \equiv 1 \bmod 4$, then
$$Q_4(m, n) = \frac{m^4 - n^4}{m - n} = (m + n)(m^2 + n^2) = 4c$$
for some odd integer $c$, hence $Q_4(mc, nc) = 4c^4$ and $mc \equiv nc \bmod 4$.
3.21. The first claim is Gauss’s Lemma.
Assume that $hq \equiv r \bmod p$ for some $0 < r < \frac{p}{2}$; then $hq - kp = r$ for some integer $k$ with $0 < k < \frac{q}{2}$, and then $kp \equiv -r \bmod q$. Thus if $r$ is positive in the first row, then $-r$ shows up in the second row. The other negative remainders in the second row are the numbers $-r$ with $\frac{p}{2} < r < \frac{q}{2}$, and they come in pairs. In fact, if $k < \frac{q-1}{2}$ and
$$kp \equiv -r \bmod q \quad \text{and} \quad \tfrac{1}{2}p < r < \tfrac{1}{2}q,$$
then we also have
$$k'p \equiv -r' \bmod q \quad \text{and} \quad \tfrac{1}{2}p < r' < \tfrac{1}{2}q,$$
where
$$k' = \frac{q-1}{2} - k \quad \text{and} \quad r' = \frac{p+q}{2} - r.$$
Clearly $k = k'$ if and only if $k = \frac{q-1}{4}$, which happens if and only if $q \equiv 1 \bmod 4$. Moreover, the value $k = \frac{q-1}{2}$ yields the positive remainder $\frac{q-p}{2} \bmod q$ since
$$\frac{q-1}{2}\,p = \frac{p-1}{2}\,q + \frac{q-p}{2}.$$
Thus the negative remainders consist of
• the $\frac{p-1}{2}$ numbers $-1, -2, \ldots, -r$;
• the pairs of negative numbers $(-r, -r')$ with $\frac{p}{2} < r, r' < \frac{q}{2}$, which is an even number;
• the number $\frac{-p \pm q}{4} \equiv \frac{q-1}{4}p \bmod q$, which exists if $q \equiv 1 \bmod 4$ and is negative if, in addition, $p \equiv 3 \bmod 4$.
This shows that the number of negative remainders is odd if and only if $\frac{p-1}{2}$ is odd and $q \equiv 3 \bmod 4$. But this implies the quadratic reciprocity law.

Chapter 4

4.1. Euclidean division shows that f (x) = (x − a)q(x) + r for some constant r.
Plugging in x = a shows that f (a) = 0 if and only if r = 0, i.e., if and only
if x − a divides f (x). This argument holds in all polynomial rings over fields
because they are Euclidean.
These results are in fact valid over arbitrary polynomial rings: if f (x) =
an x n + . . . + a1 x + a0 , then a0 = 0 implies that f (x) = xg(x) for
g(x) = an x n−1 + . . . + a1 . Conversely, f (x) = xg(x) implies f (0) = 0.
The substitution X = x − a allows us to prove this for general a.
Observe, however, that in $(\mathbb{Z}/8\mathbb{Z})[x]$, the polynomial $x^2 - 1$ is divisible by $x - a$ for $a = 1, 3, 5, 7$ since $x^2 - 1 = (x - 1)(x + 1) = (x - 3)(x + 3)$. In $(\mathbb{Z}/6\mathbb{Z})[x]$, the linear polynomial $f(x) = 3x + 2$ does not have any root.
4.2. The relation $2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$ is a counterexample to the Four Numbers Theorem in $\mathbb{Z}[\sqrt{-5}]$ since all factors are irreducible. The Four Numbers Theorem claims that all factorizations can be explained by a common refinement.
The equation $2 \cdot 3 = (2 + \sqrt{-2})(2 - \sqrt{-2})$ is compatible with the Four Numbers Theorem in $\mathbb{Z}[\sqrt{-2}]$ since
$$2 = -\sqrt{-2} \cdot \sqrt{-2}, \qquad 3 = (1 + \sqrt{-2})(1 - \sqrt{-2}),$$
$$2 + \sqrt{-2} = \sqrt{-2}\,(1 - \sqrt{-2}), \qquad 2 - \sqrt{-2} = -\sqrt{-2}\,(1 + \sqrt{-2}).$$

4.3. Clearly (p, q) ∼ (p, q) since pq = qp, and if (p, q) ∼ (r, s), then (r, s) ∼
(p, q) since ps = qr is equivalent to rq = ps.
For checking transitivity assume that (p, q) ∼ (r, s) and (r, s) ∼ (t, u). Then
ps = qr and ru = st. Multiplying these equations yields prsu = qrst;
since R is a domain, we can cancel rs and obtain pu = qt, which implies
(p, q) ∼ (t, u).
The cancellation rule in domains may be proved as follows: If ac = bc for
c = 0, then (a − b)c = 0. Since R is a domain, this implies a = b since c = 0
by assumption.
When verifying the next claims keep in mind that we think of (p, q) as the
“fraction” pq . Clearly (p, q) + (0, 1) = (p, q) and (p, q) · (1, 1) = (p, q),
so (0, 1) and (1, 1) are the neutral elements with respect to addition and
multiplication, respectively. The additive inverse of (p, q) is (−p, q), and
the multiplicative inverse of (p, q) is (q, p) if p = 0.
Finally, the map ι : R −→ K : r → (r, 1) is an injective ring homomorphism
(which allows us to interpret R as a subring of the field we just have
constructed). In fact, 1 ∈ R is mapped to (1, 1) ∈ K, and λ(rs) = (rs, 1) =
(r, 1)(s, 1) = λ(r)λ(s). Finally, r ∈ ker λ if and only if (r, 1) ∼ (1, 1), which
is equivalent to r · 1 = 1 · 1 = 1, i.e., to r = 1.
4.4. We have a ≡ b mod m in R if and only if a − b = mq for some q ∈ R. Since
R ⊆ S, this implies a ≡ b mod m in S.
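The converse does not hold in general; in the ring $S = \mathbb{Z}[\frac{1}{2}]$, we have $1 \equiv 0 \bmod 2$ since $1 - 0 = 2 \cdot \frac{1}{2}$.
4.5. Another example is
$$\frac{2 + \sqrt{-5}}{3} = \frac{3}{2 - \sqrt{-5}}.$$
4.6. Since $N\alpha = \alpha\alpha'$ we clearly have $\alpha \mid N\alpha$. If $\alpha \mid \beta$, then $\alpha = \beta\gamma$, and taking the norm yields $N\alpha = N\beta \cdot N\gamma$, which implies that $N\alpha \mid N\beta$ in $\mathbb{Z}$.
4.7. If $\sqrt{-2} \mid y$ in $\mathbb{Z}[\sqrt{-2}]$ for some $y \in \mathbb{Z}$, then $2 = N(\sqrt{-2}) \mid N(y) = y^2$, and since 2 is prime in $\mathbb{Z}$ we conclude that $2 \mid y$.
If $\sqrt{m} \mid y$, where $m$ is squarefree, then $m \mid N(y) = y^2$ as above, and this implies $m \mid y$ (prove this one prime at a time).
If $\alpha = y \in \mathbb{Z}$, then clearly $\alpha \mid y$ but $N\alpha \nmid y$.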
4.8. This follows from a + bi − (a + b) = b(i − 1) = bi(1 + i).
4.9. Assume that a ≡ b mod m and c ≡ d mod m. Then a − b = mq and c − d =
mr, hence (a + c) − (b + d) = m(q + r), which means a + c ≡ b + d mod m.
Moreover, ac − bd = ac − ad + ad − bd = a(c − d) + d(a − b) =
amr + dmq = m(ar + dq), hence ac ≡ bd mod m.
4.10. If m | (a + bω), then a + bω = m(c + dω) = mc + mdω, hence a − mc =
−(b + md)ω. Since ω is irrational, we must have a = mc and b = md, i.e.,
m | a and m | b.

4.11. This is a special case of Exercise 4.4.


4.12. If $e \in R$ is a unit, then $ee' = 1$ for some $e' \in R$. This implies that $e$ has an inverse, namely $e'$. If $e_1$ and $e_2$ are units, then $e_1 e_1' = e_2 e_2' = 1$, hence $(e_1 e_2)(e_1' e_2') = 1$, which implies that the product $e_1 e_2$ is a unit.
4.13. In a field, each nonzero element has a multiplicative inverse and thus is a unit.
4.14. If R is a domain, then deg(fg) = deg(f ) + deg(g) for polynomials f, g ∈
R[X]. Thus f (x)g(x) = 1 implies deg(f ) + deg(g) = 0, i.e., deg(f ) =
deg(g) = 0. Thus f and g are constants and therefore units of R.
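The polynomial $2X + 1$ in $(\mathbb{Z}/4\mathbb{Z})[X]$ is a unit since $(2X + 1)(2X + 1) = X^2 + 4X + 1 \equiv 1 \bmod 4$.
4.15. If $\varepsilon = r + s\sqrt{m}$ is a unit in $R = \mathbb{Z}[\sqrt{m}]$ for $m < -1$, then $1 = r^2 - ms^2 = r^2 + |m|s^2$ implies that $s = 0$ and $\varepsilon = x = \pm 1$.
4.16. Let $\sigma$ denote the nontrivial automorphism of the quadratic number field. If $\varepsilon$ is a unit then so is $\varepsilon^\sigma$ since $\varepsilon\varepsilon^\sigma = N(\varepsilon) = \pm 1$. In addition, we have $(\varepsilon_1 \varepsilon_2)^\sigma = \varepsilon_1^\sigma \varepsilon_2^\sigma$ and $(\varepsilon^\sigma)^\sigma = \varepsilon = \varepsilon^{\sigma \cdot \sigma}$. The other properties are trivially true.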
4.17. If π | n for some natural number n and if n = p1 · · · pt , then π must divide
some pj since it is prime.
4.18. Clearly $\alpha = \frac{a+bi}{a-bi}$ has norm $N\alpha = 1$. Such an element is a unit only if $a + bi$ is a product of powers of $i$ and $1 + i$ times a natural number.
4.19. Given any pair of nonzero integers a and m, we can repeatedly subtract m
from a until the remainder is smaller than |m|; then a − qm = r with 0 ≤
r < |m|, and hence Z is Euclidean with respect to the absolute value.
4.20. Given any pair of nonzero polynomials $a, b \in K[x]$, long division provides us with polynomials $q, r \in K[x]$ such that $a = bq + r$ and $\deg r < \deg b$. The last inequality is equivalent to $2^{\deg r} < 2^{\deg b}$.
4.21. In $\mathbb{Z}[\sqrt{-6}]$, the elements 2, 3, and $\sqrt{-6}$ are irreducible since there do not exist elements with norms 2 or 3 (the equation $x^2 + 6y^2 = 2$, for example, clearly is not solvable in integers). Thus $2 \cdot 3 = -\sqrt{-6} \cdot \sqrt{-6}$ in $\mathbb{Z}[\sqrt{-6}]$ is an example of nonunique factorization in $\mathbb{Z}[\sqrt{-6}]$.
Similarly, $2 \cdot 7 = (2 + \sqrt{-10})(2 - \sqrt{-10})$ is an example of nonunique factorization in $\mathbb{Z}[\sqrt{-10}]$.
The factorization $2 \cdot 3 = \sqrt{6} \cdot \sqrt{6}$ in $\mathbb{Z}[\sqrt{6}]$, on the other hand, is not an example of nonunique factorization since 2, 3, and $\sqrt{6}$ are not irreducible. Clearly $2 = -(2 + \sqrt{6})(2 - \sqrt{6})$, $3 = (3 + \sqrt{6})(3 - \sqrt{6})$, and $\sqrt{6} = (2 + \sqrt{6})(3 - \sqrt{6})$.
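4.22. We find the following factorizations; if none is given, the element is irreducible.

| p | 2 | 3 | 5 |
| −5 | | | $-(\sqrt{-5})^2$ |
| −3 | | $-(\sqrt{-3})^2$ | |
| −2 | $-(\sqrt{-2})^2$ | $(1 + \sqrt{-2})(1 - \sqrt{-2})$ | |
| −1 | $i(1 - i)^2$ | | $(2 + i)(2 - i)$ |
| 2 | $(\sqrt{2})^2$ | | |
| 3 | $(2 - \sqrt{3})(1 + \sqrt{3})^2$ | $(\sqrt{3})^2$ | |
| 5 | | | $(\sqrt{5})^2$ |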

4.23. Assume that π = αβ. Taking norms shows that Nπ = NαNβ. Since Nπ is
a prime by assumption, it is irreducible, hence Nα = ±1 or Nβ = ±1; this
implies that α or β is a unit, hence π is irreducible.
4.24. Most of these claims can be proved using the prime factorization.
1. Here we write $a = \prod p_i^{a_i}$ and $b = \prod p_i^{b_i}$. Then $\gcd(a, b) = \prod p_i^{\min(a_i, b_i)}$ and $\gcd(a^2, b^2) = \prod p_i^{\min(2a_i, 2b_i)} = (\gcd(a, b))^2$ as claimed.
2. Assume there is a prime $p \mid \gcd(a^2, b)$. Then $p \mid a^2$ and $p \mid b$. Since $p$ is prime, $p \mid a^2 = a \cdot a$ implies that $p \mid a$, and then $p \mid \gcd(a, b)$: Contradiction.
3. Let $d = \gcd(a, b)$; then $d \mid a$, $d \mid b$, hence $d \mid (a + b)$ and therefore $d \mid \gcd(a + b, b)$.
Conversely, if $d = \gcd(a + b, b)$, then $d \mid (a + b)$ and $d \mid b$, hence $d$ divides $(a + b) - b = a$, and we have $d \mid \gcd(a, b)$. But then $\gcd(a, b)$ and $\gcd(a + b, b)$ divide each other, hence differ at most by a unit.
4. Write $a = \prod p_i^{a_i}$, $b = \prod p_i^{b_i}$ and $r = \prod p_i^{r_i}$. Then
$$\gcd(ra, rb) = \prod p_i^{\min(a_i + r_i,\, b_i + r_i)} = \prod p_i^{r_i + \min(a_i, b_i)} = r \gcd(a, b).$$
4.25. Any common divisor of $a = 1 + \sqrt{-5}$ and $b = 1 - \sqrt{-5}$ divides their sum 2; since 2 is irreducible, the greatest common divisor is either 1 or 2. But it cannot be 2 since $\frac{1 + \sqrt{-5}}{2}$ is not an element of $\mathbb{Z}[\sqrt{-5}]$.
On the other hand, $a^2 = -4 + 2\sqrt{-5}$ and $b^2 = -4 - 2\sqrt{-5}$ have common divisor 2, which is easily seen to be their greatest common divisor.
4.26. Clearly $\omega \in R[\frac{1}{2}]$; it is therefore sufficient to show that $\frac{1}{2} \in S$. But $\left(\frac{1 + \sqrt{-5}}{2}\right)^2 = \frac{-2 + \sqrt{-5}}{2}$, so $S$ contains $\frac{-2 + \sqrt{-5}}{2} - \frac{1 + \sqrt{-5}}{2} + 2 = \frac{1}{2}$. This proves that $S = R[\frac{1}{2}]$.
Every element of $S$ has the form $\frac{a + b\sqrt{-5}}{2^m}$, and such an element is in $\mathbb{Q}$ if and only if $b = 0$. Thus $S \cap \mathbb{Q}$ consists of all elements of the form $\frac{a}{2^m}$, which is $\mathbb{Z}[\frac{1}{2}]$.
The factorization $6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 + \sqrt{-5})$ is not an example of nonunique factorization in $S$. In fact, 2 is a unit, and
$$3 = \frac{1}{2}(1 - \sqrt{-5})(1 + \sqrt{-5})$$
is a factorization of 3 into the unit $\frac{1}{2}$ and the two irreducible (and even prime) elements $1 \pm \sqrt{-5}$.
The factorization $3 \cdot 3 = (2 - \sqrt{-5})(2 + \sqrt{-5})$ can be refined:
$$3 \cdot 3 = \frac{1}{4}(1 - \sqrt{-5})^2 (1 + \sqrt{-5})^2,$$
and we also have
$$(2 + \sqrt{-5}) = -2(1 - \sqrt{-5})^2,$$
where $-2$ is a unit in $S$.
4.27. Setting $x + y\sqrt{-5} = (r + s\sqrt{-5})^2$ gives $x = r^2 - 5s^2$ and $y = 2rs$. Clearly the solution $(x, y, z) = (2, 1, 3)$ of $x^2 + 5y^2 = z^2$ does not have this form.
Now let us work in the domain $S = \mathbb{Z}[\sqrt{-5}, \frac{1}{2}]$. Here $x + y\sqrt{-5} = \pm 2^n (r + s\sqrt{-5})^2$ for some unit $\pm 2^n$. This implies $x = \pm 2^n (r^2 - 5s^2)$ and $y = \pm 2^{n+1} rs$. We are interested in coprime integral solutions, so we may assume $\gcd(r, s) = 1$. Now there are two cases:
• $r$ and $s$ have different parity; then $n = 0$ and $x = \pm(r^2 - 5s^2)$, $y = \pm 2rs$.
• $r$ and $s$ are both odd; then $n = -1$ and $x = \frac{r^2 - 5s^2}{2}$, $y = rs$.
Choosing $r = 1$, $s = -1$ and the negative sign gives us the solution $(x, y, z) = (2, 1, 3)$.
4.28. Assume that $ab = ex^n$ for some unit $e$, and that $\gcd(a, b) = p$. Then both $a$ and $b$ must be divisible by $p$, but not both of them are divisible by $p^2$. Assume therefore that $p \parallel a$, i.e., that $p \mid a$ and $p^2 \nmid a$. Since $ab = ex^n$ we must have $p^{n-1} \mid b$. Thus we can write $a = pa_1$ and $b = p^{n-1} b_1$; Proposition 4.12 shows that there exist units $e_1$ and $e_2$ with $a_1 = e_1 c^n$ and $b_1 = e_2 d^n$. This implies the claim.
4.29. We have $x^3 = 4y^2 - 1 = (2y - 1)(2y + 1)$. Since the factors on the right are coprime, we must have $2y - 1 = a^3$ and $2y + 1 = b^3$. This implies $b^3 - a^3 = 2$, and since there are no cubes that differ by 2, the equation does not have any integral solutions.
4.30. The only ring homomorphism $\kappa_2 : \mathbb{Z}[\sqrt{-5}] \to \mathbb{Z}/2\mathbb{Z}$ is given by $\kappa_2(a + b\sqrt{-5}) = a + b + 2\mathbb{Z}$. Its kernel consists of all elements $a + b\sqrt{-5}$ for which $a$ and $b$ have the same parity; equivalently, $a + b\sqrt{-5}$ has even norm.
There are two ring homomorphisms $\kappa_3$ and $\kappa_3'$ to $\mathbb{Z}/3\mathbb{Z}$, and they are defined by $\kappa_3(a + b\sqrt{-5}) = a + b + 3\mathbb{Z}$ and $\kappa_3'(a + b\sqrt{-5}) = a - b + 3\mathbb{Z}$. The kernel of $\kappa_3$ consists of all elements that are congruent to $1 - \sqrt{-5}$ modulo 3.
The only ring homomorphism $\kappa_5 : \mathbb{Z}[\sqrt{-5}] \to \mathbb{Z}/5\mathbb{Z}$ is $\kappa_5(a + b\sqrt{-5}) = a + 5\mathbb{Z}$. Its kernel consists of all elements of the form $5c + b\sqrt{-5}$.
4.31. The set mZ of multiples of m is an ideal in Z: it is closed under addition
and subtraction since am ± bm = (a ± b)m is also a multiple of m; it is
also closed with respect to multiplication by arbitrary elements r ∈ Z since
r · (am) = ra · m is also a multiple of m.
4.32. If a | b, then b = ar for some r ∈ R, which implies b ∈ (a) and therefore
(b) ⊆ (a). The converse is also clear.
As for the remaining claims, we immediately deduce that (1) implies (2).
Now assume that a and b divide each other. Then b = ad and a = be, hence
a = ade and thus de = 1. Thus d and e are units, and we have a = be as
claimed.
Finally, if a = be for some unit e, then (a) = (b) since clearly a ∈ (b) and
b ∈ (a).
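4.33. The sum and the product of upper triangular matrices is upper triangular, which shows that $T$ is a subring of $R$ with unit $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$. But $T$ is not an ideal in $R$ since the product $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \cdot \begin{pmatrix} 0 & 0 \\ 1 & 0 \end{pmatrix} = \begin{pmatrix} 0 & 0 \\ 1 & 0 \end{pmatrix}$ is not upper triangular.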
4.34. Clearly I ∩ R is closed with respect to addition and subtraction. Moreover it
is closed with respect to multiplication by elements r ∈ R since if a ∈ I ∩ R,
then r · a ∈ I since I is an ideal in S and r · a ∈ R since r, a ∈ R and R is a
domain. Thus r · a ∈ I ∩ R, and I ∩ R is an ideal in R as claimed.
4.35. Since $I$ is a nonzero ideal in $O_K$, it contains an element $\alpha \neq 0$. Since $I$ is closed with respect to multiplication by elements of $O_k$, the element $\alpha \cdot \alpha' = N(\alpha)$ is also in $I$. Thus $I$ contains a nonzero integer.
The ideal (X) in Z[X] or Q[X], on the other hand, consists of multiples of X,
and so the only constant polynomial in (X) is the zero polynomial 0.
4.36. Reducing a polynomial f ∈ Z[x] modulo a prime number p yields a
polynomial in Fp [x]; clearly this map is a ring homomorphism. Reducing
f modulo x is the same as evaluating f at x = 0 and therefore also is a ring
homomorphism. Since both maps commute our claims follow.
4.37. Clearly $\mathbb{Z}$ is a subring of $O_k$. It is not an ideal since $\mathbb{Z}$ is not closed with respect to multiplication by ring elements. For example, $\sqrt{m} \cdot 1$ is not in $\mathbb{Z}$.
4.38. For showing that $I = \{2a + \sqrt{2}\,b : a, b \in \mathbb{Z}\}$ is an ideal in $\mathbb{Z}[\sqrt{2}]$ we show that $I = (\sqrt{2})$. For proving that $I \subseteq (\sqrt{2})$ take an arbitrary element $2a + \sqrt{2}\,b \in I$; the claim follows from $2a + \sqrt{2}\,b = \sqrt{2} \cdot (a\sqrt{2} + b)$. On the other hand, every element in $(\sqrt{2})$ has the form $\sqrt{2}(b + a\sqrt{2}) = 2a + b\sqrt{2}$, and these are elements in $I$.
The order $O = \mathbb{Z} + 2\sqrt{2}\,\mathbb{Z}$ is clearly a subring of $\mathbb{Z}[\sqrt{2}]$; but although $1 + 2\sqrt{2} \in O$, the element $\sqrt{2} \cdot (1 + 2\sqrt{2}) = 4 + \sqrt{2}$ is not in $O$.
4.39. If $f_1 \omega \in O_k$ and $f_2 \omega \in O$, then clearly $(f_1 \pm f_2)\omega \in O$. Thus $F$ is an additive group. For showing that it is an ideal observe that if $f \in F$, then $f\omega \in O$ for all $\omega \in O_k$, hence $rf\omega \in O$ for all $\omega \in O_k$ and all $r \in O_k$, hence $F$ is an ideal in $O_k$.
If $O$ is the maximal order, then $1 \cdot \omega \in O$ for all $\omega \in O$, hence the conductor is (1).
The order $\mathbb{Z}[\sqrt{m}]$ for squarefree integers $m \equiv 1 \bmod 4$ has conductor (2) since $2\omega \in \mathbb{Z}[\sqrt{m}]$ for all $\omega \in O_k$.
4.40. The only divisors of 2 in $\mathbb{Z}[x]$ are $\pm 1$ and $\pm 2$; clearly $2 \nmid x$, and this shows that $\gcd(2, x) = 1$.
Yet there do not exist Bézout elements. In fact, if $1 = 2p(x) + xq(x)$ for polynomials $p$ and $q$, then plugging in $x = 0$ yields $1 = 2f(0)$, which is a contradiction since $2 \nmid 1$ in $\mathbb{Z}$.
If $(2, x) = (f)$ for some polynomial $f$ then $f(x) \mid 2$ implies that $f$ is constant, which is impossible. Thus $(2, x)$ is not principal in $\mathbb{Z}[x]$. We do have, however, $(2, x) = (1)$ in $\mathbb{Q}[x]$ since 2 is a unit in $\mathbb{Q}[x]$.
4.41. If $(2, \sqrt{-6}) = (\alpha)$, then $\alpha$ must divide both 2 and $\sqrt{-6}$. But both elements are irreducible in $\mathbb{Z}[\sqrt{-6}]$. The proof in the second case is similar.
In the last case, showing that 2 is irreducible is a little bit more challenging: If $\pm 2 = \alpha\alpha'$, then setting $\alpha = a + b\sqrt{10}$ gives $\pm 2 = a^2 - 10b^2$. Reducing this equation modulo 5 we find $\pm 2 = a^2 \bmod 5$, and this congruence is not solvable.
4.42. If $\pi$ is a factor of 2, then it cannot be irreducible since $\sqrt{\pi}$ is also an algebraic integer and $\pi = \sqrt{\pi} \cdot \sqrt{\pi}$.
We now claim that the ideal $I = (2, \sqrt{2}, \sqrt[4]{2}, \sqrt[8]{2}, \ldots)$ is not principal in $R$; it suffices to show that it is not finitely generated, i.e., that there do not exist elements $a_i \in R$ with $I = (a_1, \ldots, a_n)$. Assume therefore that $I = (a_1, \ldots, a_n)$. Let $K$ denote the finite extension $K = \mathbb{Q}(a_1, \ldots, a_n)$. Since this extension is finite, there must be some integer $k = 2^m$ such that $\sqrt[k]{2}$ is not in $K$. This implies that $\sqrt[k]{2}$ is not in $I$.
4.43. Assume that a and b are coprime in Z. Then there exist integers x, y ∈ Z
with ax + by = 1. This relation also holds in R, hence any common divisor
of a and b in R divides 1 and thus is a unit.
4.44. We find

21 = 15 + 6,
15 = 2 · 6 + 3,
6 = 2 · 3,

which shows that gcd(21, 15) = 3. Working backwards we find

3 = 15 − 2 · 6 = 15 − 2(21 − 15) = 3 · 15 − 2 · 21.



4.45. We claim that
$$\gcd(x^n + x^2 - 2,\ x^2 - 1) = \begin{cases} x - 1 & \text{if } n \text{ is odd}, \\ x^2 - 1 & \text{if } n \text{ is even}. \end{cases}$$
Set $f(x) = x^n + x^2 - 2$. Since $f(1) = 0$, $x - 1$ divides $f$. Observe that $x^2 - 1 = (x - 1)(x + 1)$ is a product of two prime elements, so the gcd can only be $x - 1$ or $x^2 - 1$.
If $n$ is odd, then $f(-1) = -2$, hence $x + 1$ does not divide $f$, and the claim is proved.
If $n$ is even, then $f(-1) = 0$, hence in this case $(x - 1)(x + 1) = x^2 - 1$ divides $f$.
4.46. If $(N\alpha, N\beta) = 1$ in $\mathbb{Z}$, then there exist integers $m$ and $n$ with $mN\alpha + nN\beta = 1$. But then $m\alpha \cdot \alpha' + n\beta \cdot \beta' = 1$, hence $\gcd(\alpha, \beta) \sim 1$ in $O_k$.
4.47. If $a$ and $m$ are coprime, then $ab + mn = 1$ for suitable integers $b, n$. But then $ab \equiv 1 \bmod m$, hence $b$ represents the inverse of $a$ modulo $m$.
Clearly $\frac{1}{2} \equiv \frac{1 + 21}{2} = 11 \bmod 21$. For computing the inverse of $5 \bmod 33$, we use $1 = 2 \cdot 33 - 13 \cdot 5$, which shows that $\frac{1}{5} \equiv -13 \bmod 33$.
4.48. We write the equation in the form $x^3 = y^2 - 9 = (y - 3)(y + 3)$. The greatest common divisor of the factors on the right hand side divides their difference 6, hence there are four cases:
• $\gcd(y - 3, y + 3) = 1$. Then $y - 3 = a^3$ and $y + 3 = b^3$, hence $b^3 - a^3 = 6$. But this equation does not have any integral solution since $(b - a)(b^2 + ab + a^2) = 6$ is impossible in integers.
• $\gcd(y - 3, y + 3) = 2$. Changing the sign of $y$ if necessary we may assume that $y - 3 = 2a^3$ and $y + 3 = 4b^3$, hence $4b^3 - 2a^3 = 6$ and therefore $2b^3 - a^3 = 3$.
Solving this equation seems to require less elementary means. The solution $2 \cdot 4^3 - 5^3 = 3$ yields the solution $(x, y) = (40, \pm 253)$ of the original equation.
• $\gcd(y - 3, y + 3) = 3$. Here $y - 3 = 3a^3$ and $y + 3 = 9b^3$, which leads to $9b^3 - 3a^3 = 6$ and thus to $3b^3 - a^3 = 2$. The obvious solution $a = b = 1$ gives the solutions $(x, y) = (3, \pm 6)$. Again, the solution of this cubic equation seems to be rather difficult.
• $\gcd(x - 3, x + 3) = 6$. Here either $x - 3 = 6a^3$ and $x + 3 = 36b^3$, or $x - 3 = 12a^3$ and $x + 3 = 18b^3$.
In the first case we get $6b^3 - a^3 = 1$; in the second case we obtain $3b^3 - 2a^3 = 1$ with the obvious solution $a = b = 1$.
There seems to be no way of avoiding cubic equations of the form $ax^2 + by^3 = c$ in this approach. Such equations can be solved in a rather straightforward way (the keyword is Thue equations), but they require methods beyond the scope of this book. For avoiding these problems it might be a better idea to invoke cubic fields right from the start and factor the equation $y^2 = x^3 + 9$ in $\mathbb{Q}(\sqrt[3]{9})$.
4.49. As above, $\gcd(x - k, x + k) \mid 2k$. If the factors are coprime, then $x - k = a^3$ and $x + k = b^3$, hence $b^3 - a^3 = 2k$. If $k = 4m^3$, this equation does not have a nontrivial integral solution since the resulting equation is the cubic Fermat equation.
4.50. Assume that $k$ is an odd prime number. From $y^2 + k^2 = x^3$ we deduce that $y$ must be even; in fact if $y$ is odd then the left hand side is divisible by 2, but not by 4, and such integers cannot be cubes. Write $(y + ki)(y - ki) = x^3$. Since $\gcd(y + ki, y - ki) \mid 2k$ and $k$ is prime, we either have $\gcd(y + ki, y - ki) = 1$ or $\gcd(y + ki, y - ki) = k$. The last case is impossible for primes $k \equiv 3 \bmod 4$: If $y = km$, then $x^3 = y^2 + k^2 = k^2(m^2 + 1)$; since $x^3$ is a cube, $k$ must divide $m^2 + 1$: Contradiction.
Assume now that $\gcd(y + ki, y - ki) = 1$; since all the units in $\mathbb{Z}[i]$ are cubes, we must have
$$y + ki = (a + bi)^3, \qquad y - ki = (a - bi)^3.$$
Subtracting these equations we obtain $k = b(3a^2 - b^2)$. Since $k$ is prime, we either have
• $b = \pm k$ and $3a^2 - b^2 = \pm 1$.
• $3a^2 - b = \pm k$ and $b = \pm 1$.
In this case we find $k = 3a^2 - 1$ and $b = 1$. Examples:

a 2 4 6 8 12
k 11 47 107 191 407
x 5 17 37 65 145
y 2 52 198 488 1692

4.51. We compute the greatest common divisor of $1 + 8i$ and $5 + 4i$ using the Euclidean algorithm: Since $\frac{1 + 8i}{5 + 4i} = \frac{37}{41} + \frac{36}{41}\,i$ we take $1 + i$ as the quotient and obtain $1 + 8i - (5 + 4i)(1 + i) = -i$. This shows that $\gcd(1 + 8i, 5 + 4i) = 1$.
Multiplying the equation through by $i$ we obtain
$$(1 + 8i)i + (5 + 4i)(1 - i) = 1,$$
so we have obtained the special solution $x = i$, $y = 1 - i$.
The general solution is obtained by adding multiples of the homogeneous equation
$$(1 + 8i)(5 + 4i) + (5 + 4i)(-1 - 8i) = 0$$
to the special solution.



Chapter 5

5.1. We find that $1 - 2i$ is the nearest Gaussian integer to $\frac{26 - 29i}{13 + 4i} \approx 1.4 - 1.9i$; thus
$$26 - 29i - (1 - 2i)(13 + 4i) = 5 - 7i$$
is the first step in the Euclidean algorithm.
Next $\frac{13 + 4i}{5 - 7i} = 0.5 + 1.5i$, and so

13 + 4i − i(5 − 7i) = 6 − i.

Finally

5 − 7i = (1 − i)(6 − i).

Thus gcd(26 − 29i, 13 + 4i) ∼ 6 − i ∼ 1 + 6i.


In fact, we have (26−29i) = −i(1+6i)(5−4i) and 13+4i = (1+2i)(1+6i).
This implies

6 − i = 13 + 4i − i(5 − 7i)
= 13 + 4i − i(26 − 29i − (1 − 2i)(13 + 4i))
= (3 + i)(13 + 4i) − i(26 − 29i).
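The computations in 4.51 and 5.1 can be reproduced with the extended Euclidean algorithm in Z[i]. The following Python sketch is an added example, not part of the book; the function names and the pair representation (a, b) for a + bi are assumptions made here. Quotients are rounded to the nearest Gaussian integer with ties rounded up, so intermediate remainders may differ from the steps chosen above, while the gcd agrees up to a unit.

```python
"""Extended Euclidean algorithm in Z[i]; the pair (a, b) stands for a + bi."""

ZERO, ONE, I = (0, 0), (1, 0), (0, 1)
UNITS = (ONE, I, (-1, 0), (0, -1))


def add(x, y):
    return (x[0] + y[0], x[1] + y[1])


def sub(x, y):
    return (x[0] - y[0], x[1] - y[1])


def mul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])


def norm(x):
    return x[0] * x[0] + x[1] * x[1]


def nearest_quotient(x, y):
    """Gaussian integer q nearest to x / y, computed with integers only.

    x / y = x * conj(y) / N(y); each coordinate is rounded half up, so the
    remainder x - q*y has norm at most N(y)/2 and the algorithm terminates.
    """
    if y == ZERO:
        raise ZeroDivisionError("division by 0 in Z[i]")
    n = norm(y)
    re, im = mul(x, (y[0], -y[1]))
    return ((2 * re + n) // (2 * n), (2 * im + n) // (2 * n))


def xgcd(a, b):
    """Return (g, s, t) with s*a + t*b = g and g a gcd of a and b.

    g is normalised by a unit so that Re(g) > 0 and Im(g) >= 0.
    """
    # Invariants: r0 = s0*a + t0*b and r1 = s1*a + t1*b.
    r0, s0, t0 = a, ONE, ZERO
    r1, s1, t1 = b, ZERO, ONE
    while r1 != ZERO:
        q = nearest_quotient(r0, r1)
        r0, r1 = r1, sub(r0, mul(q, r1))
        s0, s1 = s1, sub(s0, mul(q, s1))
        t0, t1 = t1, sub(t0, mul(q, t1))
    # Multiplying by i rotates by 90 degrees; at most three rotations are needed.
    while r0 != ZERO and not (r0[0] > 0 and r0[1] >= 0):
        r0, s0, t0 = mul(I, r0), mul(I, s0), mul(I, t0)
    return r0, s0, t0


def are_associates(x, y):
    """True if y = u*x for one of the units 1, i, -1, -i."""
    return any(mul(u, x) == y for u in UNITS)


if __name__ == "__main__":
    # The two pairs treated in 5.1 and 4.51.
    for a, b in (((26, -29), (13, 4)), ((1, 8), (5, 4))):
        g, s, t = xgcd(a, b)
        assert add(mul(s, a), mul(t, b)) == g
        print(a, b, "gcd", g, "Bezout coefficients", s, t)
```
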

5.2. Write $x^2 + 1 = kp$; then both $x + i$ and $p$ are divisible by one of the primes above $p$, hence $\gcd(x + i, p) = (a + bi)$, where $a^2 + b^2 = p$.
If $p \equiv 1, 3 \bmod 8$ and $x^2 \equiv -2 \bmod p$, then $\gcd(x - \sqrt{-2}, p) = c + d\sqrt{-2}$, where $c^2 + 2d^2 = p$.
5.3. We begin by observing that the elements of the second system are pairwise
incongruent modulo π = 1 + 2i. Now −1 ≡ 4, i ≡ 2 and −i ≡ 3 mod π.
5.4. This is a trivial exercise: Just multiply a + bi by the units ±1 and ±i.
5.5. Clearly $N(a + bi) = a^2 + b^2$ is odd if and only if $a \equiv b \bmod 2$. In this case, $\frac{a + bi}{1 + i} = \frac{(a + bi)(1 - i)}{2} = \frac{a + b}{2} - \frac{a - b}{2}\,i$. Conversely, $(1 + i)(c + di) = c - d + (c + d)i$ has even norm since $c - d \equiv c + d \bmod 2$.
If $N(a + bi) = a^2 + b^2$ is odd, then $a$ and $b$ have different parity. If $a$ is odd and $b$ is even, then $a^2 \equiv 1$ and $b^2 \equiv 0 \bmod 4$, hence $N(a + bi) = a^2 + b^2 \equiv 1 \bmod 4$.
If $a + bi$ has odd norm and $a$ is even, then $(a + bi)i = -b + ai$ has an odd real part. Thus every Gaussian integer with odd norm is associated with an element $a + bi \equiv 1 \bmod 2$. Observe that this congruence is equivalent to $a \equiv 1$ and $b \equiv 0 \bmod 2$.
Finally observe that a complete system of coprime residue classes modulo $2 + 2i$ is $\{\pm 1, \pm i, \pm 1 + 2i, 2 \pm i\}$. If $a + bi \equiv 1 \bmod 2$, then $a + bi \equiv 1$ or $a + bi \equiv 1 + 2i \bmod 2 + 2i$. In the second case, $-a - bi \equiv -1 - 2i \equiv -1 - 2i + 2 + 2i \equiv 1 \bmod 2 + 2i$. Thus every element $a + bi$ with odd norm has an associate congruent to $1 \bmod 2 + 2i$.
5.6. Since x and y have different parity, we may assume that y is even. We also
assume that the solution is primitive, i.e., that gcd(x, y) = 1. Since x + yi
and x − yi are coprime, the equation z2 = (x + yi)(x − yi) implies that
x + yi = ε(a + bi)2 and x − yi = ε i(a − bi)2. Since y is even it follows
that ε = ±1, and since −1 = i 2 we can subsume it into the square. Thus
x + yi = (a + bi)2 , which implies x = a 2 − b 2 , y = 2ab and z = a 2 + b2.
5.7. Let $(x, y, z)$ be a nonzero solution in integers. Then $x$ must be divisible by 3, say $x = 3x_1$. This implies $27x_1^3 + 3y^3 + 9z^3 = 0$, hence $9x_1^3 + y^3 + 3z^3 = 0$. Thus $y = 3y_1$, which leads to $3x_1^3 + 9y_1^3 + z^3 = 0$. Now $z = 3z_1$ yields $x_1^3 + 3y_1^3 + 9z_1^3 = 0$. If the equation $x^3 + 3y^3 + 9z^3 = 0$ has a nonzero solution $(x, y, z)$, then $(x_1, y_1, z_1)$ is a smaller nonzero solution. By infinite descent, this is impossible.
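5.8. We have $1 + 2i \equiv 1 + 2i - (3 + 2i) \equiv -2 \bmod 3 + 2i$. Thus $\left[\frac{1+2i}{3+2i}\right] = \left[\frac{-2}{3+2i}\right] = \left(\frac{-2}{13}\right) = -1$, where we have used the fact that $\left[\frac{a}{\pi}\right] = \left(\frac{a}{p}\right)$ for primes $\pi$ with norm $N(\pi) = p$.
Next $1 + 4i \equiv 1 + 4i - 2(3 + 2i) = -5 \bmod 3 + 2i$, hence $\left[\frac{1+4i}{3+2i}\right] = \left(\frac{-5}{13}\right) = -1$.
Finally $4i \equiv -1 \bmod (1 + 4i)$ implies $2i \equiv -9 \bmod (1 + 4i)$, hence $1 + 2i \equiv 1 - 9 \equiv -8 \bmod (1 + 4i)$. Thus $\left[\frac{1+2i}{1+4i}\right] = \left(\frac{-8}{13}\right) = -1$.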
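5.9. 1. We begin by showing that $\left[\frac{a}{\pi}\right] = \left(\frac{a}{p}\right)$ for elements $\pi$ with prime norm $N\pi = p$. By definition we have $\left[\frac{a}{\pi}\right] \equiv a^{\frac{p-1}{2}} \bmod \pi$. Since both sides are elements of $\mathbb{Z}$, the congruence even holds modulo $p$. But then $\left[\frac{a}{\pi}\right] \equiv a^{\frac{p-1}{2}} \equiv \left(\frac{a}{p}\right) \bmod p$. Since $p$ is odd and both sides differ by $\pm 1$, the congruence implies equality $\left[\frac{a}{\pi}\right] = \left(\frac{a}{p}\right)$.
If $q \equiv 3 \bmod 4$ is prime, then $\left[\frac{a}{q}\right] \equiv a^{\frac{q^2-1}{2}} = (a^{q-1})^{\frac{q+1}{2}} \equiv 1 \bmod q$ by Fermat’s Little theorem. Thus $\left[\frac{a}{q}\right] = 1$ by the same argument as above.
2. Next $\left[\frac{a}{a+bi}\right] = \left(\frac{a}{a^2+b^2}\right) = \left(\frac{a^2+b^2}{a}\right) = \left(\frac{b^2}{a}\right) = 1$, where we have used quadratic reciprocity.
3. Multiplying the trivial congruence $c + di \equiv 0 \bmod (c + di)$ through by $i$ we find $ci \equiv d \bmod (c + di)$. Thus
$$\left[\frac{a+bi}{c+di}\right] = \left[\frac{a+bi}{c+di}\right]\left[\frac{c}{c+di}\right] = \left[\frac{ac+bci}{c+di}\right] = \left[\frac{ac+bd}{c+di}\right] = \left(\frac{ac+bd}{q}\right).$$
4. We have $ac + bd \equiv 1 \bmod 2$ and $pq \equiv 1 \bmod 4$; moreover
$$pq = (a^2 + b^2)(c^2 + d^2) = (ac + db)^2 + (ad - bc)^2.$$
Thus
$$\left(\frac{ac+bd}{pq}\right) = \left(\frac{pq}{ac+bd}\right) = \left(\frac{(ac+db)^2 + (ad-bc)^2}{ac+bd}\right) = \left(\frac{ad-bc}{ac+bd}\right)^2 = 1.$$
5. Now
$$\left(\frac{ac+bd}{pq}\right) = \left[\frac{a+bi}{c+di}\right]\left[\frac{c+di}{a+bi}\right].$$
This implies the claim.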


5.10. Each ideal class of $\mathbb{Q}(\sqrt{-19})$ contains an element with norm $\le \sqrt{19/3} < 3$. Since $\left(\frac{-19}{2}\right) = 1$, $O_k$ has unique factorization.
If $\Delta = -43$, then $\left(\frac{-43}{2}\right) = \left(\frac{-43}{3}\right) = -1$, so again there is nothing to check.
For $\Delta = -67$ we have $\left(\frac{\Delta}{p}\right) = -1$ for $p = 2$ and $p = 3$, and for $\Delta = -163$ we have $\left(\frac{\Delta}{p}\right) = -1$ for $p = 2, 3, 5$, and 7.
5.11. We claim that $N_u\left(\frac{1+\sqrt{-17}}{3} - \gamma\right) \ge 1$ for all $\gamma \in S$. Write $\gamma = \frac{a + b\sqrt{-17}}{2^n}$; since $N_u(2) = 1$, the inequality $N_u\left(\frac{1+\sqrt{-17}}{3} - \gamma\right) \ge 1$ is equivalent to $N_u\left(\frac{1+\sqrt{-17}}{3} \cdot 2^n - \delta\right) \ge 1$ for $\delta = a + b\sqrt{-17} \in \mathbb{Z}[\sqrt{-17}]$. Finally $\frac{1+\sqrt{-17}}{3} \cdot 2^n \equiv \pm\frac{1+\sqrt{-17}}{3} \bmod 1$ shows that for proving $N_u\left(\frac{1+\sqrt{-17}}{3} - \gamma\right) \ge 1$ we may assume that $\gamma \in \mathbb{Z}[\sqrt{-17}]$.
Write $\frac{1+\sqrt{-17}}{3} - \gamma = \frac{a + b\sqrt{-17}}{3}$ and observe that $a, b \neq 0$; if both $a$ and $b$ are even, the norm does not change if we divide through by the unit 2. Thus we may assume that $a$ and $b$ have different parity or are both odd. In the first case, $N_u(a + b\sqrt{-17}) = N(a + b\sqrt{-17}) \ge 18$, in the second case $a^2 + 17b^2 \equiv 2 \bmod 4$, hence $N_u(a + b\sqrt{-17}) = \frac{1}{2} N(a + b\sqrt{-17}) \ge 9$. This proves our claim.
5.12. The norm $N_u$ is multiplicative, hence it is sufficient to find, for every $\xi \in K$, an element $\gamma \in R$ with $N_u(\xi - \gamma) < 1$. Write $\xi = \frac{a + b\sqrt{-5}}{2^j c}$ for ordinary integers $a, b, c$ with $c$ odd and $j \ge 0$. Since 2 is a unit, we may multiply through by $2^j$ and therefore may assume that $\xi = \frac{a + b\sqrt{-5}}{c}$ for some odd integer $c$; subtracting suitable integral multiples of 1 and $\sqrt{-5}$ we may assume that $\left|\frac{a}{b}\right| \le \frac{1}{2}$ and $\left|\frac{b}{c}\right| \le \frac{1}{2}$.
If $\left|\frac{b}{c}\right| \le \frac{1}{3}$, then $N_u(\xi) = \frac{N_u(a + b\sqrt{-5})}{c^2} \le \frac{a^2 + 5b^2}{c^2} \le \frac{1}{4} + \frac{5}{9} < 1$.
Assume therefore that $\frac{1}{3} < \left|\frac{b}{c}\right| \le \frac{1}{2}$. We now distinguish the following cases:
• $a \equiv b \bmod 2$: Then $N_u(a + b\sqrt{-5}) \le \frac{a^2 + 5b^2}{2}$, hence $N_u(\xi) \le \frac{1}{2} \cdot \frac{1 + 5}{4} = \frac{3}{4} < 1$.
• $a \equiv 1$, $b \equiv 0 \bmod 2$: Replace $a$ by $a \pm 1$ such that $\left|\frac{a}{b}\right| \le 1$; then $N_u(\xi) \le \frac{1}{4} \cdot \frac{a^2 + 5b^2}{c^2} \le \frac{1}{4}\left(1 + \frac{5}{4}\right) < 1$.
• $a \equiv 0$, $b \equiv 1 \bmod 2$: Replace $b$ by $b \pm 1$ such that $\frac{1}{2} < \left|\frac{b}{c}\right| < \frac{2}{3}$. Then $N_u(\xi) \le \frac{1}{4}\left(\frac{1}{4} + \frac{20}{9}\right) < 1$.
Thus $R$ is Euclidean with respect to $N_u$.
Clearly $-1$ and 2 are units in $R$. Now $a + b\sqrt{-5} \in R$ is a unit if and only if its inverse $\frac{a - b\sqrt{-5}}{a^2 + 5b^2} \in R$, which is the case if and only if $a^2 + 5b^2 = 2^m$ is a power of 2. Writing $a = \frac{A}{2^n}$ and $b = \frac{B}{2^n}$ for ordinary integers $A$ and $B$ we find that $A^2 + 5B^2 = 2^{m+2n}$. If $B$ is odd, then $2^{m+2n} \ge 5$, hence $2^{m+2n} \ge 8$, and reduction modulo 8 yields a contradiction. If $B$ is even, then so is $A$, and we can cancel a common factor 4 and repeat the reasoning. This shows that $A^2 + 5B^2 = 2^{m+2n}$ is only possible if $B = 0$ and thus $b = 0$. Thus the unit group of $R$ is generated by $-1$ and 2.
5.13. We have $7 = (3 + \rho)(3 + \rho^2)$, $13 = (4 + \rho)(4 + \rho^2)$ and $19 = (5 + 2\rho)(5 + 2\rho^2)$.
5.14. For a conceptual proof we simply observe that Z[ρ]/(2) has three elements,
which implies α 3 ≡ 1 mod 2 for all nonzero residue classes modulo 2.
For a computational proof write α = a + bρ. Then (a + bρ)2 = a 3 + 3a 2 bρ +
3ab2ρ 2 +b3 = a 3 +3a 2bρ−3ab2(1+ρ)+b3 = a 3 −3ab2 +b3 +3ab(a−b)ρ.
The claim now follows from the observation that ab(a − b) is always even.
5.15. The integral solutions of the equation $y^2 = x^3 + 24$ are $(1, 5)$, $(-2, 4)$, $(10, 32)$ and $(8.158, 736.844)$. How close to this result can you come by factoring $y^2 - 24 = x^3$ in the quadratic number field $\mathbb{Q}(\sqrt{6})$?
Write $x^3 = (y - 2\sqrt{6})(y + 2\sqrt{6})$. Clearly the gcd of the factors on the right divides their difference $4\sqrt{6}$. Moreover, if $y$ is even then it must be divisible by 4, which implies that the gcd of the two factors cannot have norm divisible exactly by 2. Similarly we cannot have $3 \mid y$ since in this case $y^2$ is divisible by 9, but $x^3 + 24$ is not. Thus we are left with the following possibilities:
1. $\gcd(y - 2\sqrt{6}, y + 2\sqrt{6}) \sim 1$.
In this case $y - 2\sqrt{6} = \eta\alpha^3$, where $\eta$ is a unit. Subsuming cubes of units into $\alpha^3$ we may assume that $\eta \in \{1, \eta, \eta'\}$.
If $\eta = 1$, then $y - 2\sqrt{6} = (a + b\sqrt{6})^3$ leads to $y = a^3 + 18ab^2$ and $2 = 3a^2 b + 6b^3$. The second equation is impossible modulo 3.
If $\eta = \varepsilon = 5 + 2\sqrt{6}$, then $y = 5a^3 + 36a^2 b + 90ab^2 + 72b^3$ and $2 = 2a^3 + 15a^2 b + 36ab^2 + 30b^3$. If $a$ is even we obtain a contradiction after dividing through by 2 and reducing modulo 2; if $b = 2c$ then we obtain $1 = a^3 + 15a^2 c + 72ac^2 + 120c^3$. The solution $a = 1$ and $c = 0$ yields $(x, y) = (1, 5)$. Without advanced techniques it does not seem possible to exclude other solutions.
2. $\gcd(y - 2\sqrt{6}, y + 2\sqrt{6}) \sim 4 + 2\sqrt{6}$; in this case $y \pm 2\sqrt{6}$ is divisible by $(2 + \sqrt{6})^3 = 44 + 18\sqrt{6}$, and we obtain the equations
$$y - 2\sqrt{6} = \varepsilon'(44 - 18\sqrt{6})(a - b\sqrt{6})^3,$$
$$y + 2\sqrt{6} = \varepsilon(44 + 18\sqrt{6})(a + b\sqrt{6})^3.$$
Subtracting these equations from each other we obtain, if $\varepsilon = 1$,
$$1 = 9a^3 + 66a^2 b + 162ab^2 + 132b^3,$$
which is impossible since the right hand side is divisible by 3.
If $\varepsilon = 5 + 2\sqrt{6}$ we obtain
$$1 = 89a^3 + 654a^2 b + 1602ab^2 + 1308b^3.$$
This equation has the following solutions:

a b x y
−5 −2 −2 −4
−7 3 10 32
−211 90 8.158 736.844

Again, showing that there are no others seems to be very hard.


5.16. For f (x) = x 2 + 19x − 19 we can simply verify that

f (x 2 + 20x − 19) = f (x) · f (x + 1).

The Taylor expansion of a polynomial is given by f (x + h) = f (x) + hg(x)


for a suitably chosen polynomial g with integral coefficients. Setting h =
f (x) we see that f (x + f (x)) = f (x)(1 + g(x)).
5.17. We factor the equation over Z[i] and get (y + i)(y − i) = 2x 3. Since y is odd,
the factors on the left have greatest common divisor 1 + i; since powers of i
may be subsumed into the cube we get

y + i = (1 + i)(a + bi)3, y − i = (1 − i)(a − bi)3 .

Subtracting these equations from each other we find

1 = a 3 + 3a 2b − 3ab2 − b3 = (a − b)(a 2 + 4ab + b 2 ).

This implies a − b = ±1, hence

1 = 6b2 ± 6b + 1

and so $(a, b) = (\pm 1, 0)$ or $= (0, \pm 1)$. This shows $y = \pm 1$ and $x = 1$.
5.18. The identity can be verified by brute force. Since $\sqrt{5}$ divides the fifth power on the left, the expression on the right must be divisible by $\sqrt{5}^{\,5}$; thus either one of the factors $a$, $b$, or $c$ is divisible by $\sqrt{5}$ or $\sqrt{5}$ divides the expression in the brackets; but this is impossible since squares are congruent to 0 or $\pm 1 \bmod \sqrt{5}$.
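5.19. This is a simple calculation:
$$\begin{aligned} \phi(x^2 - xy + y^2,\ x^2 - 2xy + y^2) &= (x^2 - xy + y^2)^2 \\ &\quad + (x^2 - xy + y^2)(x^2 - 2xy + y^2) - (x^2 - 2xy + y^2)^2 \\ &= x^4 - x^3 y + x^2 y^2 - xy^3 + y^4, \end{aligned}$$
and this implies the claim.
5.20. In the ring $\mathbb{Z}[\sqrt{m}]$ we have, for every prime number $p \nmid m$ and $\alpha = a + b\sqrt{m} \in \mathbb{Z}[\sqrt{m}]$,
$$(a + b\sqrt{m})^p \equiv a^p + b^p \sqrt{m}^{\,p} \equiv a + b\,m^{\frac{p-1}{2}} \sqrt{m} \equiv a + \left(\frac{m}{p}\right) b\sqrt{m} \bmod p.$$
Similar calculations work for elements $\alpha = \frac{a + b\sqrt{m}}{2}$ in the case where $m \equiv 1 \bmod 4$.
5.21. If $\left(\frac{p}{5}\right) = +1$, then, by Binet’s formula,
$$U_p = \frac{\omega^p - \omega'^p}{\omega - \omega'} \equiv \frac{\omega - \omega'}{\omega - \omega'} \equiv 1 \bmod p \quad\text{and}$$
$$U_{p+1} = \frac{\omega^{p+1} - \omega'^{p+1}}{\omega - \omega'} \equiv \frac{\omega^2 - \omega'^2}{\omega - \omega'} = \omega + \omega' \equiv 1 \bmod p.$$
If $\left(\frac{p}{5}\right) = -1$, on the other hand, then
$$U_p = \frac{\omega^p - \omega'^p}{\omega - \omega'} \equiv \frac{\omega' - \omega}{\omega - \omega'} \equiv -1 \bmod p$$
and
$$U_{p+1} = \frac{\omega^{p+1} - \omega'^{p+1}}{\omega - \omega'} \equiv \frac{\omega'\omega - \omega\omega'}{\omega - \omega'} \equiv 0 \bmod p.$$
The residue class of $U_{p-1} \bmod p$ now follows from $U_{p-1} = U_{p+1} - U_p$.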

Chapter 6

6.1. Write a + b = 2c; then a + bi = a + (2c − a)i = a(1 − i) + 2ci. Since 1-i
= -i(1+i) 2 = (1 + i)(1 + i), these elements are multiples of 1 + i.
Conversely, (a +bi)(1+i) = a −b +(a +b)i, and then (a −b)+(a +b) = 2a
is even.
6.2. If (a, b) = d, then there exist elements r, s ∈ R with d = ra + sb. This
implies that gcd(r, s) divides d.
Conversely, if d divides both a and b, then d divides gcd(a, b).
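6.3. We find
$$\begin{aligned} \mathfrak{a}\mathfrak{b} &= ((1 + \sqrt{-5})^2,\ 2(1 + \sqrt{-5}),\ 3(1 + \sqrt{-5}),\ 6) \\ &= ((1 + \sqrt{-5})^2,\ 2(1 + \sqrt{-5}),\ 3(1 + \sqrt{-5}),\ (1 + \sqrt{-5})(1 - \sqrt{-5})) \\ &= (1 + \sqrt{-5})(1 + \sqrt{-5},\ 2,\ 3,\ 1 - \sqrt{-5}) = (1 + \sqrt{-5}) \end{aligned}$$
since the second ideal contains $3 - 2 = 1$. Similarly,
$$\begin{aligned} \mathfrak{a}\mathfrak{c} &= (6,\ 2(1 - \sqrt{-5}),\ 3(1 + \sqrt{-5}),\ 6) = (1 - \sqrt{-5})(1 + \sqrt{-5},\ 2,\ -2 + \sqrt{-5}) \\ &= (1 - \sqrt{-5}) \end{aligned}$$
since $3(1 + \sqrt{-5}) = (-2 + \sqrt{-5})(1 - \sqrt{-5})$. Finally
$$\mathfrak{b}\mathfrak{c} = (3)(2,\ 1 + \sqrt{-5},\ 1 - \sqrt{-5},\ 3) = (3).$$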

6.4. If {n, a + ω} is a Z-basis of Ok , then so is {n, a + n + ω}. Conversely, if


a + ω ∈ M and a + k + ω ∈ M, then k ∈ M ∩ Z, hence k is a multiple of n.
6.5. The equation $-2 + i = 5a + b(1 + 2i)$ implies $-2 + i = 5a + b + 2bi$; comparing real and imaginary parts shows $2b = 1$, which is impossible in integers. We have $(1 + 2i) = 5\mathbb{Z} + (-2 + i)\mathbb{Z}$.
6.6. Assume that $a\sqrt{m} \equiv b\sqrt{m} \bmod \mathbb{Z}$; then $(a - b)\sqrt{m} \in \mathbb{Z}$, hence $a = b$ since $\sqrt{m}$ is irrational. Thus all residue classes $b\sqrt{m} + \mathbb{Z}$ ($b \in \mathbb{Z}$) in $R/M$ are pairwise distinct, and $N(M) = \infty$.
6.7. Let $\mathfrak{a} = (7, 1 + \sqrt{-5})$. Then $6 = (1 + \sqrt{-5})(1 + \sqrt{-5}) \in \mathfrak{a}$, hence $7 - 6 \in \mathfrak{a}$ and therefore $\mathfrak{a} = (1)$.
More generally, let $\mathfrak{a} = (a, \alpha)$ and assume that $\gcd(a, N\alpha) = 1$. Then $N\alpha = \alpha\alpha' \in \mathfrak{a}$, and since $(a, N\alpha) = (1)$ in $\mathbb{Z}$ we have $1 \in \mathfrak{a}$ and therefore $\mathfrak{a} = (1)$.
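6.8. Since $N(4 + \sqrt{-5}) = 21 = 3 \cdot 7$ the ideal $\mathfrak{a} = (4 + \sqrt{-5})$ is divisible by prime ideals above 3 and 7. Write $\mathfrak{p} = (3, 1 + \sqrt{-5})$ and $\mathfrak{q} = (7, 3 + \sqrt{-5})$; then $(3) = \mathfrak{p}\mathfrak{p}'$ and $(7) = \mathfrak{q}\mathfrak{q}'$. Since $4 + \sqrt{-5} = 3 + 1 + \sqrt{-5} \in \mathfrak{p}$ we clearly have $\mathfrak{p} \mid \mathfrak{a}$. Next $4 + \sqrt{-5} = 7 - (3 - \sqrt{-5}) \in \mathfrak{q}'$, hence $\mathfrak{q}' \mid \mathfrak{a}$ and thus $\mathfrak{a} = \mathfrak{p}\mathfrak{q}'$.
This can be verified computationally as follows: We have
$$\begin{aligned} (3, 1 + \sqrt{-5})(7, 3 - \sqrt{-5}) &= (21,\ 9 - 3\sqrt{-5},\ 7 + 7\sqrt{-5},\ 8 + 2\sqrt{-5}) \\ &= (4 + \sqrt{-5})(4 - \sqrt{-5},\ 1 - \sqrt{-5},\ 3 + \sqrt{-5},\ 2) \\ &= (4 + \sqrt{-5}) \end{aligned}$$
since the second ideal contains $1 = 4 - \sqrt{-5} - (1 - \sqrt{-5}) - 2$.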
6.9. Since $N(8 + \sqrt{-14}) = 2 \cdot 3 \cdot 13$ and $N(4 - \sqrt{-14}) = 2 \cdot 3 \cdot 5$, the norm of a greatest common divisor must divide 6. Since the only elements of norm $\le 6$ are 1 and $4 = N(2)$, the greatest common divisor of $8 + \sqrt{-14}$ and $4 - \sqrt{-14}$ is 1.
6.10. Since $10 + \sqrt{-5} = 3 \cdot 3 + 1 + \sqrt{-5}$ we have $10 + \sqrt{-5} \in (3, 1 + \sqrt{-5})$. Similarly, $10 + \sqrt{-5} = 7 + 3 + \sqrt{-5}$, hence $10 + \sqrt{-5} \in (7, 3 + \sqrt{-5})$. This implies that $(21, 10 + \sqrt{-5}) = (3, 1 + \sqrt{-5}) \cdot (7, 3 + \sqrt{-5})$.
6.11. We have $(a, b + \sqrt{m})^2 = (a^2, a(b + \sqrt{m}), (b + \sqrt{m})^2)$. Since $-a^2 = b^2 - m = (b - \sqrt{m})(b + \sqrt{m})$ we find $(a, b + \sqrt{m})^2 = (b + \sqrt{m})(b - \sqrt{m}, a, b + \sqrt{m})$. The last ideal contains $a$ and $2b = b - \sqrt{m} + b + \sqrt{m}$, hence it contains $\gcd(a, 2b) = 1$. This proves our claim.
6.12. We have $(2) = \mathfrak{p}_2^2$ for $\mathfrak{p}_2 = (2, \sqrt{-6})$ and $(3) = \mathfrak{p}_3^2$ for $\mathfrak{p}_3 = (3, \sqrt{-6})$. Then $(\sqrt{-6}) = \mathfrak{p}_2 \mathfrak{p}_3$ and $(2) \cdot (3) = \mathfrak{p}_2^2 \cdot \mathfrak{p}_3^2$.
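6.13. We have
$$\mathfrak{a}\mathfrak{a}' = \Big(2, \tfrac{1+\sqrt{-23}}{2}\Big)\Big(2, \tfrac{1-\sqrt{-23}}{2}\Big) = (4,\ 1 + \sqrt{-23},\ 1 - \sqrt{-23},\ 6) = (2)\Big(2,\ \tfrac{1+\sqrt{-23}}{2},\ \tfrac{1-\sqrt{-23}}{2},\ 3\Big) = (2)$$
since an ideal containing 2 and 3 contains $3 - 2 = 1$ and thus is the unit ideal.
Next $\big(\tfrac{3-\sqrt{-23}}{2}\big)$ is contained in $\mathfrak{a}$ since $\tfrac{3-\sqrt{-23}}{2} = 2 - \tfrac{1+\sqrt{-23}}{2}$, and $\big(\tfrac{3-\sqrt{-23}}{2}\big)$ is not contained in $\mathfrak{a}'$ since it is not divisible by $\mathfrak{a}\mathfrak{a}'$. Since $\big(\tfrac{3-\sqrt{-23}}{2}\big)$ and $\mathfrak{a}^3$ both have norm 8, they must be equal.
This can also be proved by brute force: One shows that $\mathfrak{a}^2 = \big(4, \tfrac{3-\sqrt{-23}}{2}\big)$ and then $\mathfrak{a}^3 = \mathfrak{a}^2\mathfrak{a} = \big(\tfrac{3-\sqrt{-23}}{2}\big)$.
If $\mathfrak{a}^2$ is principal, then there must be an element with norm 4 in $O_k$, which does not exist. Alternatively, if $\mathfrak{a}^2$ and $\mathfrak{a}^3$ are principal, then so is $\mathfrak{a}$ since $\mathfrak{a}^3 = \mathfrak{a} \cdot \mathfrak{a}^2$, but $\mathfrak{a}$ is not principal because there is no element with norm 2 in $O_k$.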
6.14. See Exercise 4.40.
6.15. We have
$$(2, 1 + \sqrt{-3})(2, 1 + \sqrt{-3}) = (4,\ 2 + 2\sqrt{-3},\ 2 - 2\sqrt{-3},\ 4) = (2)(2, 1 + \sqrt{-3}).$$
On the other hand, the ideals $(2)$ and $(2, 1 + \sqrt{-3})$ are distinct since $1 + \sqrt{-3} \notin (2)$.
6.16. With $I = (2, 1 + \sqrt{m})$ we have $I^2 = (2)I$, yet clearly $I \ne (2)$.
6.17. With $\mathfrak{p} = (2, 1 + 3i)$ we easily check $I^2 = (2)$. The prime ideals $(q)$ are inert in $\mathbb{Z}[i]$ and thus also in $\mathbb{Z}[i]$. If $p \equiv 1 \bmod 4$, write $p = a^2 + b^2$; then $\mathfrak{p}_1 = (p, 3a + 3bi)$ and $\mathfrak{p}_2 = (p, 3a - 3bi)$ satisfy $\mathfrak{p}_1\mathfrak{p}_2 = (p)$.
We have $1 - 3i = 2(3 + 6i) - 5 - 15i \in (5, 3 + 6i)$ and $3 + 6i = 5 - 2(1 - 3i) \in (5, 1 - 3i)$.
Clearly $(3) \supset (3 + 6i)$. If there was an ideal $A$ in $\mathbb{Z}[3i]$ with $(3)A = (3 + 6i)$, then $3 + 6i = 3a$ for some $a \in A$; but $a = 1 + 2i$ is not even an element of $\mathbb{Z}[3i]$.
Finally we have
$$(45) = (3)^2(5, 3 + 6i)(5, 3 - 6i) = (3 + 6i)(3 - 6i),$$
and these ideals are irreducible.

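6.18. Write $A = \prod \mathfrak{p}^{a_\mathfrak{p}}$ and $B = \prod \mathfrak{p}^{b_\mathfrak{p}}$. Then $\gcd(A, B) = (1)$ means that $a_\mathfrak{p} > 0$ implies $b_\mathfrak{p} = 0$. Since $a_\mathfrak{p} + b_\mathfrak{p}$ is a multiple of $n$, both $a_\mathfrak{p}$ and $b_\mathfrak{p}$ must be multiples of $n$. But this means that both ideals are $n$-th powers.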
6.19. Let α ∈ a and β ∈ b; then αβ ∈ a and αβ ∈ b since a and b are ideals, hence
αβ ∈ a ∩ b, and we have proved the claimed inclusion.
Now assume that a and b are coprime and that α ∈ a ∩ b. This implies
(α) = ac = bd for ideals c and d. Since a and b are coprime, we must
have b | c, hence c ⊆ b and thus (α) ⊆ ab.
6.20. We check these claims one by one.
• a ∼ a is true since 1 · a = 1 · a.
• a ∼ b implies b ∼ a. In fact, a ∼ b implies αa = βb; reading this equation
from right to left proves the claim.
• a ∼ b and b ∼ c imply a ∼ c. In fact, we have αa = βb and γ b = δc. But
then αγ a = βγ b = βδc.
6.21. If $m \equiv 2 \bmod 4$, then
$$(2, \sqrt{m})^2 = (4,\ 2\sqrt{m},\ m) = (2)\big(2,\ \sqrt{m},\ \tfrac{m}{2}\big).$$
Since $\tfrac{m}{2}$ is odd, the second ideal contains 1 and therefore is the unit ideal. Thus $(2) = (2, \sqrt{m})^2$ in this case.
If $m \equiv 3 \bmod 4$, then
$$(2, 1 + \sqrt{m})^2 = (4,\ 2 + 2\sqrt{m},\ m + 1 + 2\sqrt{m}) = (4,\ 2 + 2\sqrt{m},\ m - 1) = (2)\big(2,\ 1 + \sqrt{m},\ \tfrac{m-1}{2}\big)$$
since $m + 1 + 2\sqrt{m} - (2 + 2\sqrt{m}) = m - 1$. The last ideal contains 2 and the odd integer $\tfrac{m-1}{2}$, hence is equal to $(1)$. Thus $(2, 1 + \sqrt{m})^2 = (2)$ in this case.
Now let $m \equiv 1 \bmod 8$; then
$$\Big(2, \tfrac{1+\sqrt{m}}{2}\Big)\Big(2, \tfrac{1-\sqrt{m}}{2}\Big) = (2)\Big(2,\ \tfrac{1+\sqrt{m}}{2},\ \tfrac{1-\sqrt{m}}{2},\ \tfrac{1-m}{4}\Big).$$
The last ideal contains $\tfrac{1+\sqrt{m}}{2} + \tfrac{1-\sqrt{m}}{2} = 1$, hence it is equal to $(1)$. Moreover, $\big(2, \tfrac{1+\sqrt{m}}{2}\big) \ne \big(2, \tfrac{1-\sqrt{m}}{2}\big)$ since otherwise these ideals would contain $\tfrac{1+\sqrt{m}}{2} + \tfrac{1-\sqrt{m}}{2} = 1$.
Finally consider the case $m \equiv 5 \bmod 8$. If there exists a prime ideal with norm 2, then it must have basis $\{2, a + \tfrac{1+\sqrt{m}}{2}\}$ with $a = 0$ or $a = 1$. Since 2 must divide the norm of $a + \tfrac{1+\sqrt{m}}{2} = \tfrac{2a+1+\sqrt{m}}{2}$, we find $(2a + 1)^2 \equiv m \bmod 8$, which implies that $m \equiv 1 \bmod 8$. Thus if $m \equiv 5 \bmod 8$, then $(2)$ is inert.
6.22. If $\Delta = -19, 21, 29, 37$, the Gauss bound says that each ideal class contains an ideal with norm $\le \sqrt{|\Delta|/3}$, and this bound is $< 3$ for these discriminants. Thus each ideal class contains an ideal with norm 1, and this implies the claim.
If we demand in addition that $\Delta \equiv 2 \bmod 3$, then we get class number 1 if $\sqrt{|\Delta|/3} < 5$, i.e., if $|\Delta| < 75$. This gives $\Delta = -43$ and $\Delta = -67$ if $\Delta < 0$; for positive $\Delta$, the Gauss bound $\sqrt{\Delta/5}$ implies that $h = 1$ for the discriminants $\Delta = 29, 53, 77$, and $101$.
6.23. We have $(2, 1 + \sqrt{-m})^2 = (2)$; if the ideal $(2, 1 + \sqrt{-m}) = (\alpha)$ is principal, then $N\alpha = 2$, i.e., $a^2 + mb^2 = 2$. But this is impossible for $m > 1$. Thus the ideal class of $(2, 1 + \sqrt{-m})$ has order 2, hence the class number of $\mathbb{Q}(\sqrt{-m})$ is even.
6.24. This expression is equal to the class number h of the complex quadratic
number field with discriminant Δ. If Δ = −23, for example, we have

2
h= 1 + 1 + 1 + 1 − 1 + 1 − 1 + 1 + 1 − 1 − 1) = 3.
23

6.25. In each case, the primes below the Gauss bound |Δ|/3 are inert.
6.26. If the prime ideals above $(2)$ are principal, then there must be elements with norm 2, i.e., the equation $x^2 + my^2 = 8$ must have integral solutions. For $m \equiv 7 \bmod 8$, this implies $m = 7$.
6.27. Consider the equation $y^2 = x^3 - d$ for $d = 3t^2 - 1$ with $t = 3c^3$, that is, $y^2 = x^3 - 27c^6 + 1$. Clearly this equation has the solutions $(3t^2, \pm 1)$ not listed in Theorem 6.20. This implies that if $d = 27c^6 - 1$ is squarefree and $\not\equiv 7 \bmod 8$ (that is, if $c$ is odd), then $\mathbb{Q}(\sqrt{-d})$ has class number divisible by 3. Computations suggest that this holds even in the case $d \equiv 7 \bmod 8$:

c   d           h(d)      c   d           h(d)
1   26          6         5   421,874     900
2   1,727       36        6   1,259,711   1608
3   19,682      108       7   3,176,522   1512
4   110,591     444       8   7,077,887   2088

6.28. We go through the statements one by one:


1. For each prime ideal p of norm p = 5 either p or pa is principal. In fact, if
p lies in the principal class, then it is principal; if it lies in the class of [a],
then p ∼ a, hence ap ∼ a2 ∼ [(1)] and ap is principal.
2. If $p$ is a prime with $(-5/p) = +1$, then $p$ splits: $(p) = \mathfrak{p}\mathfrak{p}'$. If $\mathfrak{p}$ is principal, then $p = x^2 + 5y^2$; if $\mathfrak{a}\mathfrak{p}$ is principal, then $2p = x^2 + 5y^2$.
3. If $p = x^2 + 5y^2$, then $x$ and $y$ have different parity; this implies $p = x^2 + 5y^2 \equiv x^2 + y^2 \equiv 1 \bmod 4$ and thus $p \equiv 1, 9 \bmod 20$.
If $2p = x^2 + 5y^2$, on the other hand, then $x$ and $y$ are both odd, hence $2p \equiv 1 + 5 \equiv 6 \bmod 8$ and therefore $p \equiv 3 \bmod 4$, which implies $p \equiv 3, 7 \bmod 20$.
4. It follows that primes $p \equiv 1, 9 \bmod 20$ are represented by the form $p = x^2 + 5y^2$, and primes $p \equiv 3, 7 \bmod 20$ by $2p = x^2 + 5y^2$.
5. Clearly $(a^2 + 5b^2)(c^2 + 5d^2) = (ac - 5bd)^2 + 5(ad + bc)^2$.
6. Assume that $2p = a^2 + 5b^2$; then $a$ and $b$ are both odd, and $4p^2 = (a^2 + 5b^2)^2 = (a^2 - 5b^2)^2 + 5(2ab)^2$; since $a^2 - 5b^2$ is divisible by 4, we can cancel 4 and obtain $p^2 = x^2 + 5y^2$.
7. If $2p = a^2 + 5b^2$ and $2q = c^2 + 5d^2$, then $a$, $b$, $c$ and $d$ are odd, hence the brackets in $4pq = (ac - 5bd)^2 + 5(ad + bc)^2$ are both even; canceling 4 then yields the claim that $pq = x^2 + 5y^2$.

6.29. The quadratic number field $K = \mathbb{Q}(\sqrt{-6})$ has class number 2; the nontrivial ideal class is generated by the ideal $\mathfrak{a} = (2, \sqrt{-6})$ above 2. This implies as above that primes $p$ that split in $K$ (those with $(\frac{-6}{p}) = +1$, i.e., with $p \equiv 1, 5, 7, 11 \bmod 24$) either are represented by the quadratic form $Q_0(x, y) = x^2 + 6y^2$, or $2p$ is represented by $Q_0$. In the latter case, $2p = X^2 + 6y^2$ implies that $X = 2x$ is even, hence $p = 2x^2 + 3y^2$.
Now $p = x^2 + 6y^2 \equiv 1, 7 \bmod 8$ if $p$ and therefore $x$ is odd, and $p = 2x^2 + 3y^2 \equiv 3, 5 \bmod 8$ if $p$ and therefore $y$ is odd.
Thus the primes $p \equiv 1, 7 \bmod 24$ are represented by $Q_0$, and the primes $p \equiv 5, 11 \bmod 24$ are represented by $Q_1(x, y) = 2x^2 + 3y^2$.
The field $\mathbb{Q}(\sqrt{-10})$ also has class number 2, and the nonprincipal ideal class is generated by the prime ideal $\mathfrak{a} = (2, \sqrt{-10})$ above 2. The primes $p \equiv 1, 7, 9, 11, 13, 19, 23, 37 \bmod 40$ split in $K$, and either $p = x^2 + 10y^2$ (if the prime ideals $\mathfrak{p}$ and $\mathfrak{p}'$ above $p$ are principal) or $p = 2x^2 + 5y^2$ (if $\mathfrak{p}$ and $\mathfrak{p}'$ lie in the same class as $\mathfrak{a}$). Since $x^2 + 10y^2 \equiv \pm 1 \bmod 8$, this form represents the primes $p \equiv 1, 7, 9, 23 \bmod 40$, and the form $2x^2 + 5y^2$ represents the primes $p \equiv 11, 13, 19, 37 \bmod 40$.
6.30. The smallest primes $p \ne 23$ for which $f(x) = x^3 - x + 1$ splits into three linear factors modulo $p$ are the following:

p      f(x) mod p                       (x, y)
59     (x + 4)(x + 13)(x + 42)          (5, 2)
101    (x + 20)(x + 89)(x + 93)         (1, 4)
167    (x + 73)(x + 127)(x + 134)       (11, 2)
173    (x + 97)(x + 110)(x + 139)       (7, 4)
211    (x + 97)(x + 120)(x + 205)       (−1, 6)
223    (x + 33)(x + 63)(x + 127)        (1, 6)

The last column contains the values of $x$ and $y$ for which $p = x^2 + xy + 6y^2$; observe that $4p = (2x + 1)^2 + 23y^2$. Since $x$ is odd and $y$ is even, each such prime is actually represented by the form $X^2 + 23Y^2$.
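The table in 6.30 can be reproduced by brute force. The following Python sketch is an added example, not code from the book; the function names are chosen here for illustration. It finds the primes below a bound for which $x^3 - x + 1$ has three distinct roots, lists the constants $c$ of the linear factors $(x + c)$, and searches for a representation $p = x^2 + xy + 6y^2$.

```python
from math import isqrt


def is_prime(n):
    """Trial division; sufficient for the small primes in the table."""
    if n < 2:
        return False
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def roots_mod_p(p):
    """All roots of f(x) = x^3 - x + 1 in Z/pZ, found by exhaustive search."""
    return [x for x in range(p) if (x * x * x - x + 1) % p == 0]


def factor_constants(p):
    """Constants c with f(x) = prod (x + c) mod p, i.e. c = -root mod p."""
    return sorted((-r) % p for r in roots_mod_p(p))


def splitting_primes(limit):
    """Primes p < limit for which f has three distinct roots mod p.

    The ramified prime 23 has a double root, so it is excluded automatically.
    """
    return [p for p in range(2, limit)
            if is_prime(p) and len(roots_mod_p(p)) == 3]


def represent(p):
    """Return (x, y) with y >= 0 minimal and p = x^2 + x*y + 6*y^2, or None.

    Since 4p = (2x + y)^2 + 23 y^2, we need 4p - 23 y^2 to be a square s^2,
    and then x = (s - y) / 2 (s and y automatically have the same parity).
    """
    for y in range(isqrt(4 * p // 23) + 1):
        d = 4 * p - 23 * y * y
        s = isqrt(d)
        if s * s == d:
            return ((s - y) // 2, y)
    return None


def table(limit=230):
    """Rows (p, factor constants, (x, y)) as in the table of 6.30."""
    return [(p, factor_constants(p), represent(p))
            for p in splitting_primes(limit)]


if __name__ == "__main__":
    for p, consts, xy in table():
        factors = "".join(f"(x + {c})" for c in consts)
        print(f"{p:4d}  {factors:32s} {xy}")
```

Primes such as 61, for which `represent` returns `None`, are exactly those for which $f$ does not split into three linear factors.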
6.31. The ideal $(2)$ is irreducible since $R/(2) \simeq (\mathbb{Z}/2\mathbb{Z})[x]$ is the polynomial ring over $\mathbb{Z}/2\mathbb{Z}$ and thus a domain.
6.32. This is a standard exercise in the construction of the reals from the rational numbers. The set of null sequences forms a subring of $C$ since sums, differences, and products of null sequences are null sequences (the verification is straightforward). The same holds for the other sets of sequences.
The subring $N$ is an ideal in $D$ since the product of a null sequence with a converging sequence is again a null sequence. In fact, $N$ is also an ideal in $C$ and $B$.
The subring $D$ of converging sequences is not an ideal in $C$ since the product of a sequence converging to a rational number and of a Cauchy sequence need not converge to a rational number.
Similarly the product of a Cauchy sequence not converging to 0 with the bounded sequence $a_n = (-1)^n$ is not Cauchy, so $C$ is not an ideal in $B$.
The sequences $(1, 0, \frac13, 0, \frac15, 0, \ldots)$ and $(0, \frac12, 0, \frac14, 0, \ldots)$ are nonzero sequences whose product is the zero sequence $(0, 0, 0, 0, \ldots)$. Thus each ring contains zero divisors.
Finally we claim that $N$ is a maximal ideal in $C$. Assume that $I$ is an ideal in $C$ with $N \subseteq I \subseteq C$. If the first inclusion is strict, then there is a Cauchy sequence $(a_n) \in I$ that is not a null sequence. Take an arbitrary Cauchy sequence $(b_n) \in C$. Then the sequence $(c_n)$ defined by $c_n = \frac{b_n}{a_n}$ if $a_n \ne 0$ and $c_n = 0$ if $a_n = 0$ is a Cauchy sequence, and the product $(a_n)(c_n) = (b_n)$ up to a null sequence, which implies that $C = I$. Thus $N$ is a maximal ideal in $C$.
6.33. If $y^2 = x^3 - 4f$ with $f \equiv 3 \bmod 8$ and if $x = 2x_1$ and $y = 2y_1$ are even, then $y_1^2 + f = 2x_1^3$. Since $f \equiv 3 \bmod 8$ the integer $y_1$ is odd; but then $y_1^2 + f \equiv 4 \bmod 8$ is divisible by 4, but not by 8.
Thus $x$ and $y$ are odd. We find $x^3 = y^2 + 4f = (y + 2\sqrt{-f})(y - 2\sqrt{-f})$. The gcd of the factors on the right must be an ideal with odd norm dividing $\sqrt{-f}$. Assume that $\mathfrak{p}$ is a prime ideal dividing both factors; since $\mathfrak{p}$ is ramified, we have $\mathfrak{p}^2 = (p)$ for some prime $p \mid f$; but $p \mid y$ and $p \mid x$ then imply $p^2 \mid 4f$, which contradicts our assumption that $f$ is squarefree.
By unique factorization into prime ideals we conclude that $(y + 2\sqrt{-f}) = \mathfrak{a}^3$. Since we have assumed that the class number of $\mathbb{Q}(\sqrt{-f})$ is not divisible by 3, the ideal $\mathfrak{a}$ must be principal, say $\mathfrak{a} = (\alpha)$.
Now write $\alpha = \frac{r + s\sqrt{-f}}{2}$; then, up to sign,
$$y + 2\sqrt{-f} = \alpha^3 = \frac{r^3 - 3frs^2 + s(3r^2 - fs^2)\sqrt{-f}}{8},$$
and comparing coefficients of $\sqrt{-f}$ we obtain
$$16 = s(3r^2 - fs^2).$$
Now there are the following cases:
• $s = 1$, $f = 3r^2 - 16$; this implies $y = \frac{r^3 - 3fr}{8} = r(r^2 - 6)$ and finally $x = r^2 - 4$.
• $s = -1$, $f = 3r^2 + 16$; this implies $y = \frac{r^3 - 3fr}{8} = r(r^2 + 6)$ and finally $x = r^2 + 4$.
• $s = 2$; then $r = 2t$ is even and we find $f = 3t^2 - 4$, but this contradicts $f \equiv 3 \bmod 8$.
• $s = 4$: Then $r = 2r_1$ is even, and we find $4f = 3r_1^2 - 1$, which is impossible in integers.
• $s = -4$: Then $r = 2r_1$ is even, and we find $4f = 3r_1^2 + 1$; setting $r_1 = 2t + 1$ we obtain $f = 3t^2 + 3t + 1$. In this case $x = 16t^2 + 16t + 5$ and $y = \frac{r^3 - 48fr}{8} = (2t + 1)(32t^2 + 32t + 11)$.
• $s = \pm 8$ or $s = \pm 16$ does not lead to any solutions.
The value of $f$ for which there are two essentially distinct solutions have the form $f = 3r^2 \pm 16$ and $f = 3t^2 + 3t + 1$. The equation $3r^2 + 16 = 3t^2 + 3t + 1$ leads to $r^2 = t^2 + t - 5$, which is easily seen to have the only integral solutions $(r, t) = (1, 2)$ and $(r, t) = (1, -3)$ leading to $f = 19$, and $(r, t) = (5, 5)$ leading to $f = 91$. Since the equation $3r^2 - 16 = 3t^2 + 3t + 1$ is not solvable in integers, only the equations $y^2 = x^3 - 4f$ with the values $f = 19$ and $f = 91$ possess a pair of integral solutions.

f     h    f                  integral points
11    1    3 · 3² − 16        (5, 9)
19    1    3 · 1² + 16        (5, 7), (101, 1015)
43    1    3 · 3² + 16        (13, 45)
59    3    3 · 5² − 16        (21, 95)
91    2    3 · 5² + 16        (29, 155), (485, 10681)
131   5    3 · 7² − 16        (45, 301)
163   1    3 · 7² − 16        (53, 385)

The equation $y^2 = x^3 - 339$ has two solutions $(13, 291)$ and $(61, 475)$ not predicted by this result. We conclude that the class number of $\mathbb{Q}(\sqrt{-339})$ must be divisible by 3. In fact, the class number is $h = 6$.

6.34. We claim that $\mathfrak{a}_1 = \big(\frac{11+\sqrt{85}}{2}\big)$. Since $\mathfrak{a}_1^2 = (2 + \sqrt{85})$ has norm 81, the ideal $\mathfrak{a}$ has norm 9. Moreover, $9 = \frac{11+\sqrt{85}}{2} \cdot \frac{11-\sqrt{85}}{2}$ and $2 + \sqrt{85} = 2 \cdot \frac{11+\sqrt{85}}{2} - 9$ are both contained in $\big(\frac{11+\sqrt{85}}{2}\big)$, hence $\mathfrak{a}$ divides this ideal, and since they have the same norm, they must be equal.
If the second ideal is principal, then there exists an element $\beta = \frac{x + y\sqrt{85}}{2}$ with norm $\pm 7$. But the equation $x^2 - 85y^2 = \pm 4 \cdot 7$ is not solvable modulo 5.
6.35. We have $m = 9^2 + 32^2 = 23^2 + 24^2 = 31^2 + 12^2 = 33^2 + 4^2$. Let $\mathfrak{a}_1 = (32 + \sqrt{m}, 9)$, $\mathfrak{a}_2 = (24 + \sqrt{m}, 23)$, $\mathfrak{a}_3 = (12 + \sqrt{m}, 31)$ and $\mathfrak{a}_4 = (4 + \sqrt{m}, 33)$.
Since $K$ has class group $\simeq (2, 2)$, each square of an ideal is principal. In particular, $\mathfrak{a}$ must be principal. The elements $\alpha = \frac{31+\sqrt{m}}{2}$ and $\beta = \frac{33+\sqrt{m}}{2}$ have norms $N\alpha = -36$ and $N\beta = -4$, hence $\gamma = -\frac{31+\sqrt{m}}{33-\sqrt{m}} = 133 + 4\sqrt{m}$ has norm $N\gamma = 9$.
$N(1795 + 54\sqrt{m}) = -5 \cdot 31$.
6.36. We first show that $x$ and $y$ must be odd. If both are even, set $x = 2X$ and $y = 2Y$; then $8X^3 + 4 = 4pY^2$, i.e., $2X^3 + 1 = pY^2$. Then $Y$ must be odd, hence $2X^3 + 1 \equiv p \equiv 5 \bmod 8$; but this implies $2X^3 \equiv 4 \bmod 8$, which is impossible.
Thus $x$ and $y$ are odd. Then
$$(-a)^3 = 4 - py^2 = (2 - y\sqrt{p})(2 + y\sqrt{p}).$$
Since the factors are coprime, we must have $(2 - y\sqrt{p}) = \mathfrak{a}^3$. Since 3 does not divide the class number $h$ of $K = \mathbb{Q}(\sqrt{p})$, $\mathfrak{a}$ must be principal, hence
$$2 - y\sqrt{p} = \eta\alpha^3$$
for some unit $\eta$ and an element $\alpha \in O_K$.


Subsuming cubes into α 3 we may assume that η = 1, η = ε or η = ε . Now
2 is inert in $K$, hence $\alpha^3 \equiv 1 \bmod 2$ by Fermat's Little Theorem (observe that $N\mathfrak{a}$ is odd); thus $\eta \equiv y\sqrt{p} \equiv 1 \bmod 2$ and $\eta \equiv 1 \bmod 2$. But the fundamental unit $\varepsilon \equiv \frac{\pm 1 \pm \sqrt{p}}{2} \bmod 2$, and this implies that $\eta = 1$. Thus
$$2 + y\sqrt{p} = \Big(\frac{c + d\sqrt{p}}{2}\Big)^3,$$
and this implies
$$16 = c(c^2 + 3pd^2) \quad\text{and}\quad b = \frac{d(3c^2 + pd^2)}{8}.$$
If $c = 1$, then $3pd^2 = 15$, hence $p = 5$ and $d = 1$. If $c$ is even, we get a contradiction.
Primes of the form $p = x^3 + 4$ have an obvious integral point $(x, 1)$, hence the class number of $\mathbb{Q}(\sqrt{p})$ must be divisible by 3 for these primes. Examples are $p = 9^3 + 4 = 733$ and $p = 25^3 + 4 = 15629$.
6.37. If $y$ is odd, then $x = 2x_1$ is even, and we have
$$2x_1^3 = \Big(\frac{y + \sqrt{k}}{2}\Big)\Big(\frac{y - \sqrt{k}}{2}\Big)$$
in $O_K$. If $q$ is a prime number dividing both factors on the right, then $q$ divides their sum $y$ and their difference $k$. But then $q \mid x$ and $q^2 \mid (x^3 - y^2) = k$, which contradicts the assumption that $k$ is squarefree.
Thus the factors on the right are coprime; we choose the sign of $y$ in such a way that $y \equiv 1 \bmod 4$. This implies
$$\Big(\frac{y + \sqrt{k}}{2}\Big) = \mathfrak{p}\mathfrak{a}^3 \quad\text{and}\quad \Big(\frac{y - \sqrt{k}}{2}\Big) = \mathfrak{q}\mathfrak{b}^3,$$
where $\mathfrak{p}\mathfrak{q} = (2)$ and $\mathfrak{a}\mathfrak{b} = (x_1)$. But then $[\mathfrak{p}]$ lies in the cube of an ideal class, which contradicts our assumption.
6.38. The prime ideal $\mathfrak{p} = \big(2, \frac{1+\sqrt{-31}}{2}\big)$ generates the class group of $\mathbb{Q}(\sqrt{-31})$, which has order 3. By the preceding exercise, the equation $y^2 = x^3 - 31$ does not have an integral solution with $y$ odd. By Exercise 1.23 there is no solution with $y$ even since $31 = 3^3 + 2^2$.

Chapter 7
√ √
7.1. Observe that α = η > 0. Since√Nα = αα < 0 we have η = −α and

therefore Tr α = α + α = η − η .
7.2. If $m = n^2$, then
$$1 = x^2 - my^2 = x^2 - n^2y^2 = (x - ny)(x + ny),$$
hence $x - ny = \pm 1$ and $x + ny = \pm 1$. Adding these equations yields $x = \pm 1$ and $y = 0$.
7.3. The real numbers $\{ax\} = ax - \lfloor ax \rfloor$ for $0 \le a \le q$ lie in the interval $[0, 1)$. By Dirichlet's pigeonhole principle there must be two such numbers $a$ and $b$ for which $\{ax\}$ and $\{bx\}$ differ at most by $\frac{1}{q}$. Since
$$\{ax\} - \{bx\} = ax - bx + \lfloor bx \rfloor - \lfloor ax \rfloor = \lfloor ax - bx \rfloor + \{ax - bx\} + \lfloor bx \rfloor - \lfloor ax \rfloor$$
we find with $q = a - b$ and $p = \lfloor ax - bx \rfloor + \lfloor bx \rfloor - \lfloor ax \rfloor$ that $-\frac{1}{q} < qx - p < \frac{1}{q}$; dividing through by $q$ proves the claim.

7.4. If $m = t^2 - 1$, then $t + \sqrt{m}$ is a unit, and the elements with smallest nontrivial norm are $N(t - 1 + \sqrt{m}) = -2t + 2$ and $N(t + 1 + \sqrt{m}) = 2t + 2$.
We will prove that the only√norms n with |n| − 2t + 2 are N(a) = a 2 for
integers a and N(t − 1 + m ) = −2t + 2 along the lines of the proof of
Prop. 7.9. √
Set ξ = x + y m; we will show that if | Nξ | = n is not a square, √ then
|n| ≥ 2t + 2. √ Assume therefore that |n| < 2t + 2; since ε = t + m > √1
is a unit in Z[ m ], we can find a power η of ε for which ξ η = a + b m
has coefficients
√ a and b that satisfy the bounds from Theorem 7.8. Because
of 2t < ε < 2 m we find

n √ 1
|b| ≤ √ ε+ √ < 2.
2 m ε

Thus $|b| \le 1$. If $b = 0$ then $|N\xi| = a^2$ is a square; thus $b = \pm 1$, and this shows that $\alpha = \xi\eta = a \pm \sqrt{m}$. Now $|N\xi| = |N\alpha| = |a^2 - m|$ is minimal for values of $a$ close to $\sqrt{m}$, and we find
$$|a^2 - m| = \begin{cases} -2t + 2 & \text{if } a = t - 1, \\ 1 & \text{if } a = t, \\ 2t + 2 & \text{if } a = t + 1. \end{cases}$$
If $t$ is composite and divisible by an odd prime number $q$, this prime splits in $\mathbb{Q}(\sqrt{m})$; since it cannot be a norm, the class number must be $> 1$. This also follows from the ambiguous class number formula (Chap. 9) and the observation that $m = t^2 - 1 = (t - 1)(t + 1)$ is composite and cannot be of the form $m = pq$ for primes $p \equiv q \equiv 3 \bmod 4$.
Now consider the case $m = t^2 + 4$ for odd values of $t$. Then $\varepsilon = \frac{t + \sqrt{m}}{2}$ is a unit with norm $-1$, and the elements $\alpha = \frac{t \pm 2 + \sqrt{m}}{2}$ have norms $N(\alpha) = \pm t$. We claim that all elements whose norms have absolute value $< t$ are integers.
For a proof, set $\xi = \frac{a + b\sqrt{m}}{2}$. We will show that if $|N\xi| = n$ is not a square, then $|n| \ge t$. Assume therefore that $|n| < t$; since $\varepsilon = \frac{t + \sqrt{m}}{4} > 1$ is a unit in $\mathbb{Z}[\sqrt{m}]$, we can find a power $\eta$ of $\varepsilon$ for which $\xi\eta = a + b\sqrt{m}$ has coefficients $a$ and $b$ that satisfy the bounds from Theorem 7.8. Because of $t < \varepsilon < \sqrt{m}$ we find

n √ 1
|b| ≤ √ ε+ √ < 1.
m ε

This implies that $b = 0$ (and then $\xi$ is an integer) or $b = \pm\frac{1}{2}$. In this case, the elements $\frac{t \pm 2 + \sqrt{m}}{2}$ with minimal norm are as claimed.
7.5. Let $\varepsilon = \frac{t + u\sqrt{m}}{2}$ be the fundamental unit of $\mathbb{Q}(\sqrt{m})$, and let $n$ denote the smallest natural number for which $x^2 - my^2 = \pm 4n$ is solvable in nonzero integers. Among all solutions, choose one for which $|y|$ is minimal. If we multiply $\alpha = \frac{x + y\sqrt{m}}{2}$ by $\varepsilon$ we get
$$\alpha\varepsilon = \frac{\frac{tx - muy}{2} + \frac{ux - ty}{2}\sqrt{m}}{2}.$$
Since $y$ was chosen minimal we must have
$$\Big|\frac{ux - ty}{2}\Big| \ge y.$$
Now there are two cases:
• ux ≥ (t + 2)y. Then the norm equation N(εα) = ±m implies
 t +2  
−m t +2
t 2 + 4t + 4 − mu2 if Nε = +1,
n≥ u
· y2 ≥ = v2
4 4u2 t
if Nε = −1.
v2

• ux ≤ (t − 2)y; then we get, similarly as above,


 t −2  
−m 2 t 2 − 4t + 4 − mu2 − tv−2 if Nε = +1,
−n ≤ u
·y ≤ 2
= 2
4 4u − vt2 if Nε = −1.

This proves the claim.


7.6. Let $t^2 - 2pu^2 = 1$ be the minimal positive solution of the Pell equation. Then $t$ is odd and $2pu^2 = (t - 1)(t + 1)$, hence we are in one of the following cases:

$t - 1 = 4a^2$, $t + 1 = 2pb^2$,
$t - 1 = 2a^2$, $t + 1 = 4pb^2$,
$t - 1 = 4pa^2$, $t + 1 = 2b^2$,
$t - 1 = 2pa^2$, $t + 1 = 4b^2$.

In each of these cases we obtain

$1 = pb^2 - 2a^2$; $1 = 2pb^2 - a^2$; $1 = b^2 - 2pa^2$; $1 = 2b^2 - pa^2$.

The first and the last equation are impossible modulo $p$, the third contradicts the minimality of $u$. Thus the second equation $a^2 - 2pb^2 = -1$ must be solvable in integers.
7.7. Assume that $t^2 - 2pu^2 = 1$ for minimal $u \ge 1$. Then $(t - 1)(t + 1) = 2pu^2$, and since the factors on the left have greatest common divisor 2 we have one of the following equations:

$t - 1 = 4a^2$, $t + 1 = 2pb^2$,
$t - 1 = 2a^2$, $t + 1 = 4pb^2$,
$t - 1 = 4pa^2$, $t + 1 = 2b^2$,
$t - 1 = 2pa^2$, $t + 1 = 4b^2$.

In each of these cases we obtain

$1 = pb^2 - 2a^2$; $1 = 2pb^2 - a^2$; $1 = b^2 - 2pa^2$; $1 = 2b^2 - pa^2$.

Since $p \equiv 3 \bmod 4$, the second equation is impossible, and the third contradicts the minimality of $u$. Thus $2a^2 - pb^2 = 1$ or $2b^2 - pb^2 = -1$. Multiplying these equations through by 2 proves the claims.
7.8. For $m = 3$ we have $\varepsilon = 2 + \sqrt{3}$ since this corresponds to the smallest positive solution of the Pell equation $t^2 - 3u^2 = 1$.
$m = 19$. The element $\alpha = 4 + \sqrt{19}$ generates a prime ideal with norm 3. Since $N(5 + \sqrt{19}) = 6$ we find that
$$\alpha = \frac{5 + \sqrt{19}}{4 - \sqrt{19}} = -(13 + 3\sqrt{19})$$
generates the prime ideal above 2, hence
$$\varepsilon = \tfrac{1}{2}\alpha^2 = 170 + 39\sqrt{19}$$
is a unit. Since the coefficient of $\sqrt{19}$ for squares is even, $\varepsilon$ cannot be a square. Since $(1 + \sqrt{19})^5 > \varepsilon$, the unit $\varepsilon$ is either fundamental or a cube. But $\varepsilon = \alpha^3$ is easily shown to be impossible.
$m = 43$: We set $\mathfrak{a} = (2, 1 + \sqrt{43})$, $\mathfrak{p} = (3, 1 + \sqrt{43})$ and $\mathfrak{q} = (7, 1 + \sqrt{43})$.

a    N(a + √43)    (a + √43)
5    −2 · 3²       ap²
6    −7            q
7    2 · 3         ap
8    3 · 7         pq

The ideal $\mathfrak{a}$ is generated by
$$\alpha = \frac{2(5 + \sqrt{43})}{(7 - \sqrt{43})^2} = 59 + 9\sqrt{43},$$
hence $\varepsilon = \frac{1}{2}\alpha^2 = 3482 + 531\sqrt{43}$ is a unit in $\mathbb{Z}[\sqrt{43}]$. Clearly $\varepsilon$ is not a square; since $\varepsilon \equiv 4 \bmod \mathfrak{p}$, it is not a cube. This implies that $\varepsilon$ is fundamental.
$m = 67$: We set $\mathfrak{a} = (2, 1 + \sqrt{67})$, $\mathfrak{p} = (3, 1 + \sqrt{67})$ and $\mathfrak{q} = (7, 2 + \sqrt{67})$. Here $\mathfrak{p} = (8 - \sqrt{67})$ and $(7 + \sqrt{67}) = \mathfrak{a}\mathfrak{p}^2$. Thus $\mathfrak{a} = (\alpha)$ for
$$\alpha = \frac{7 + \sqrt{67}}{(8 - \sqrt{67})^2} = 221 + 27\sqrt{67},$$
and $\varepsilon = \frac{1}{2}\alpha^2 = 48842 + 5967\sqrt{67}$ is a unit. We have to show that $\varepsilon$ is not a $k$-th power for $1 < k \le 5$. Clearly $\varepsilon$ is not a square; $\varepsilon \equiv 4 \bmod \mathfrak{p}$ shows that $\varepsilon$ is not a cube. Next $6 + \sqrt{67}$ generates a prime ideal $\mathfrak{r}$ of norm 31, and $\varepsilon \equiv 20 \bmod \mathfrak{r}$ shows that $\varepsilon$ is no fifth power.
$m = 131$: Here we need $\mathfrak{a} = (2, 1 + \sqrt{131})$ and $\mathfrak{p} = (5, 1 + \sqrt{131})$. Using $(11 + \sqrt{131}) = \mathfrak{a}\mathfrak{p}$ and $(16 + \sqrt{131}) = \mathfrak{p}^3$ we obtain the generator
$$\alpha = \frac{(11 + \sqrt{131})^3}{2(16 + \sqrt{131})} = 103 + 9\sqrt{131}$$
of $\mathfrak{a}$ and the unit $\varepsilon = \frac{1}{2}\alpha^2 = 10610 + 927\sqrt{131}$. Here it is sufficient to show that $\varepsilon$ is not a square (this is obvious) and not a cube. But $12 + \sqrt{131}$ generates a prime ideal $\mathfrak{r}$ of norm 13, and $\varepsilon \equiv 6 \bmod 13$ shows that $\varepsilon$ is not congruent to a cube modulo $\mathfrak{r}$.
$m = 159$: Here we need $\mathfrak{a} = (1, 1 + \sqrt{159})$, $\mathfrak{p} = (3, \sqrt{159})$, $\mathfrak{q} = (5, 2 + \sqrt{159})$. From $(12 + \sqrt{159}) = \mathfrak{p}\mathfrak{q}$ we obtain $\mathfrak{q}^2 = (101 + 8\sqrt{159})$. Next $(13 + \sqrt{159}) = \mathfrak{a}\mathfrak{p}$ then gives us $(\mathfrak{q}')^2 = (164 + 13\sqrt{159})$. Thus
$$\varepsilon = \frac{164 + 13\sqrt{159}}{101 - 8\sqrt{159}} = 1324 + 105\sqrt{159}$$
is a unit that is easily shown to be fundamental.
$m = 199$: Here $14 + \sqrt{199}$ generates a prime ideal $\mathfrak{p}$ of norm 3 and $19 + \sqrt{199}$ has norm $2 \cdot 3^4$. Thus
$$\alpha = \frac{19 + \sqrt{199}}{(14 - \sqrt{199})^4} = 127539 + 9041\sqrt{199}$$
generates the prime ideal above 2, and
$$\varepsilon = \tfrac{1}{2}\alpha^2 = 16266196520 + 1153080099\sqrt{199}$$
is a unit, which we can show to be fundamental by checking that $\varepsilon$ is not a $k$-th power for $k = 2, 3, 5$, and $7$.
7.9. From $\pm 4 = t^2 - mu^2 \equiv t^2 - u^2 \bmod 8$ we immediately deduce that $t \equiv u \equiv 0 \bmod 2$.
7.10. Clearly $N\varepsilon = n^2 - m = 1$, so $\varepsilon$ is a unit. Since $(1 + \sqrt{m})^2 = m + 1 + 2\sqrt{m} > \varepsilon$, the unit must be fundamental.
If $m = n^2 + 1$, the element $\varepsilon = n + \sqrt{m}$ is a unit with norm $-1$. If $m = n^2 \pm 4$ is squarefree, then $n$ is odd, and $\frac{n + \sqrt{m}}{2}$ is a unit.
7.11. We have $(2) = \mathfrak{a}^2$ for $\mathfrak{a} = (2, \sqrt{478})$, $(3) = \mathfrak{p}\mathfrak{p}'$ for $\mathfrak{p} = (3, 1 + \sqrt{478})$, and $(7) = \mathfrak{q}\mathfrak{q}'$ for $\mathfrak{q} = (7, 3 + \sqrt{478})$. We find

a     N(a + √478)    (a + √478)
10    2 · 3³ · 7     ap³q
17    3³ · 7         p³q
22    2 · 3          ap
24    2 · 7²         aq²
25    3 · 7²         pq²

Next $(10 + \sqrt{478})(17 + \sqrt{478}) = (27)\mathfrak{a}\mathfrak{q}$, hence $\mathfrak{a}\mathfrak{q}^2 = (24 + \sqrt{478})$, but we already knew that. But
$$\frac{2(10 + \sqrt{478})}{(22 + \sqrt{478})^3} = -4635 + 212\sqrt{478}$$
generates $\mathfrak{q}$, and therefore
$$\alpha = \frac{24 + \sqrt{478}}{(4635 - 212\sqrt{478})^2}$$
generates $\mathfrak{a}$. This implies that
$$\varepsilon = \tfrac{1}{2}\alpha^2 = 1617319577991743 + 73974475657896\sqrt{478}$$
is a unit, and in fact the fundamental unit. The last claim requires showing that $\varepsilon$ is no $p$-th power for all primes $p \le 11$.
Since $\mathfrak{a}$ is principal, so is $\mathfrak{p}$, and this implies that $\mathfrak{q}$ is principal. For the class number to be 1 we need to show that the prime ideals with norm less than the Minkowski bound (thus with norm $\le 19$) are principal. This is now a matter of a few simple calculations involving the elements $18 + \sqrt{478}$, $19 + \sqrt{478}$, $23 + \sqrt{478}$: It follows that the prime ideals above 11, 13, and 17 are also principal.
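The fundamental units obtained in 7.8 and 7.11 can be cross-checked numerically. The following Python sketch is an added example, not code from the book; the function names are chosen here. It computes the minimal solution of $t^2 - mu^2 = 1$ from the continued fraction of $\sqrt{m}$ and compares it with the values quoted above, and it checks that the generators $\alpha$ from 7.8 have norm $\pm 2$ and satisfy $\varepsilon = \frac12\alpha^2$. For the values of $m$ used here, $m \equiv 2, 3 \bmod 4$ and $m$ has a prime factor $\equiv 3 \bmod 4$, so there is no unit of norm $-1$ and the minimal Pell solution is the fundamental unit.

```python
from math import isqrt


def pell_fundamental(m):
    """Smallest (t, u) with t, u > 0 and t^2 - m*u^2 = 1.

    Walks through the convergents t/u of the continued fraction of sqrt(m);
    every solution of x^2 - m*y^2 = +-1 occurs among them in increasing order.
    """
    a0 = isqrt(m)
    if a0 * a0 == m:
        raise ValueError("m must not be a perfect square")
    P, Q, a = 0, 1, a0            # complete quotients (P + sqrt(m)) / Q
    t_prev, t = 1, a0             # numerators of the convergents
    u_prev, u = 0, 1              # denominators of the convergents
    while t * t - m * u * u != 1:
        P = a * Q - P
        Q = (m - P * P) // Q
        a = (a0 + P) // Q
        t_prev, t = t, a * t + t_prev
        u_prev, u = u, a * u + u_prev
    return t, u


def norm(x, y, m):
    """Norm of x + y*sqrt(m)."""
    return x * x - m * y * y


def half_square(x, y, m):
    """(t, u) with t + u*sqrt(m) = (x + y*sqrt(m))^2 / 2, for norm +-2."""
    if abs(norm(x, y, m)) != 2:
        raise ValueError("element must have norm +-2")
    return (x * x + m * y * y) // 2, x * y


# Values quoted in Solutions 7.8 and 7.11 (signs of alpha ignored).
ALPHA = {19: (13, 3), 43: (59, 9), 67: (221, 27),
         131: (103, 9), 199: (127539, 9041)}
EPSILON = {3: (2, 1), 19: (170, 39), 43: (3482, 531), 67: (48842, 5967),
           131: (10610, 927), 159: (1324, 105),
           199: (16266196520, 1153080099),
           478: (1617319577991743, 73974475657896)}


def verify_solutions():
    """Map each m to True if all quoted values agree with the computation."""
    result = {}
    for m, eps in EPSILON.items():
        ok = pell_fundamental(m) == eps and norm(*eps, m) == 1
        if m in ALPHA:
            ok = ok and half_square(*ALPHA[m], m) == eps
        result[m] = ok
    return result


if __name__ == "__main__":
    for m, ok in verify_solutions().items():
        print(m, pell_fundamental(m), "matches" if ok else "DIFFERS")
```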
7.12. The equation $2x^2 - 5y^2 = \pm 1$ is impossible in integers since it is not solvable modulo 5. Thus $|2x^2 - 5y^2| \le 1$ implies $2x^2 - 5y^2 = 0$, which is only possible for $x = y = 0$ since $\sqrt{10}$ is irrational.


7.13. Let x denote the continued fraction expansion

1
x= .
1
2+
1
1+
2 +...

1
Then x = yields, after simplifying the fraction, the quadratic
1
1+
1+x √
equation 2x 2 + 2x − 1 = 0, whose unique positive solution is x = 3 − 1.
The partial convergents in this case are

5 7 19 26
, , , ,....
3 4 11 15
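7.14. Euclidean division shows
$$\sqrt{m} = t + (\sqrt{m} - t),$$
$$\frac{1}{\sqrt{m} - t} = \frac{\sqrt{m} + t}{2} = t + \frac{\sqrt{m} - t}{2},$$
$$\frac{2}{\sqrt{m} - t} = \sqrt{m} + t = 2t + (\sqrt{m} - t).$$
This implies that
$$\sqrt{m} = t + \cfrac{1}{t + \cfrac{1}{2t + \sqrt{m} - t}},$$
which implies the claim.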


7.15. Clearly
 a − 1 3  a + 1 3 a 3 + 3a  x 2
+ = = .
2 2 4 2

For solving $y^2 = x^3 + 3x$ we observe that $x \ge 0$; excluding the point $(0, 0)$ we may assume that $x > 0$. Now there are two cases:
1. $x = a^2$, $x^2 + 3 = b^2$. Since the only squares differing by 3 are 1 and 4 we obtain $a = 1$, $b = 2$ and $x = 1$, $y = \pm 2$.
2. $x = 3a^2$, $x^2 + 3 = 3b^2$. Here $9a^4 + 3 = 3b^2$ yields $3a^4 + 1 = b^2$. If $b$ is odd, then we may assume that either
• $b + 1 = 8r^4$ and $b - 1 = 6s^4$; then $4r^4 - 3s^4 = 1$. In the equation $3s^4 = 4r^4 - 1 = (2r^2 - 1)(2r^2 + 1)$ we cannot have $3 \mid 2r^2 - 1$ since $(\frac{2}{3}) = -1$; thus $2r^2 + 1 = 3t^4$ and $2r^2 - 1 = u^4$, hence $3t^4 - u^4 = 2$. The unique integral solution $t^2 = u^2 = 1$ gives $b = 7$ and finally $x = 12$.
• $b + 1 = 2r^4$ and $b - 1 = 24s^4$. Then $r^4 - 12s^4 = 1$, hence $12s^4 = r^4 - 1 = (r^2 - 1)(r^2 + 1)$. Since $r^2 + 1 \equiv 2 \bmod 4$ we must have $r^2 + 1 = 2t^4$ and $r^2 - 1 = 6u^4$, which implies $t^4 - 3u^4 = 1$. This equation does not have an integral solution by Exercise 1.20.
If $b$ is even, then $b + 1 = \pm r^4$ and $b - 1 = \pm 3s^4$, hence $r^4 - 3s^4 = \pm 2$; clearly the minus sign must hold, hence $r^4 - 3s^4 = -2$. The only integral solutions are given by $r^2 = s^2 = 1$, hence $b = -2$ ($b = 2$ is impossible since $b + 1 = 3 = \pm r^4$) and $x = 3$.
7.16. Write $t^2 - 1 = pu^2$; if $t$ is odd, then $\gcd(t - 1, t + 1) = 2$, and there are two cases:
• $t - 1 = 2a^2$ and $t + 1 = 2pb^2$; then $a^2 - pb^2 = -1$, which contradicts the fact that $p \equiv 3 \bmod 4$.
• $t - 1 = 2pa^2$ and $t + 1 = 2b^2$; then $a^2 - pb^2 = +1$, and this contradicts the minimality of $t$ (recall that $t + u\sqrt{p}$ is fundamental).
Thus $t$ must be even. Clearly $t^2 - pu^2 = 1$ implies $t^2 = 1 + pu^2 \equiv 4 \bmod 8$ if $p \equiv 3 \bmod 8$, and $t^2 = 1 + pu^2 \equiv 0 \bmod 8$ if $p \equiv 7 \bmod 8$.
In fact we can show that $t$ is divisible by 8 in the latter case. Since $\gcd(t - 1, t + 1) = 1$ we have the two cases
• $t - 1 = a^2$, $t + 1 = pb^2$; then $a^2 - pb^2 = -2$, which contradicts the fact that $p \equiv 7 \bmod 8$.
• $t + 1 = a^2$, $t - 1 = pb^2$. Since $a$ is odd, the first equation implies $t \equiv 0 \bmod 8$.
7.17. It follows immediately from f (a, b) = f (a , b ) that (a −a )ξ1 +(b−b )ξ2 =
0. Thus ξ1 /ξ2 = a−a
b−b
∈ Q if a − a = 0. This contradiction shows that
a − a = 0 and therefore b − b = 0, hence (a, b) = (a , b ) and finally the
injectivity of f .
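7.18. Since $\varepsilon + \varepsilon' = 4$ and $\varepsilon\varepsilon' = 1$ we have
$$V_{n+1} = (\varepsilon^n + \varepsilon'^n)(\varepsilon + \varepsilon') - \varepsilon\varepsilon'^n - \varepsilon'\varepsilon^n = 4V_n - V_{n-1}.$$
Similarly,
$$V_{2n} = \varepsilon^{2n} + \varepsilon'^{2n} = (\varepsilon^n + \varepsilon'^n)^2 - 2 = V_n^2 - 2.$$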

Chapter 8

8.1. (See Mignotte [93]) We already know that in this case $y + 1 = qa^2$ and $\frac{y^q + 1}{y + 1} = qb^2$, where $ab = x$.
Assume that $q = 8k + r$ for $r = 5, 7$. Then $y = qa^2 - 1 \equiv a - 1 \bmod 8$. Moreover,
$$x^2 = y^q + 1 = (y^2 - 1 + 1)^{4k} y^a + 1 \equiv y^a + 1 \bmod (y^2 - 1).$$
Thus $y^a + 1$ is a quadratic residue modulo each prime divisor of $y^2 - 1$, and, in particular, we have
$$1 = \Big(\frac{y^a + 1}{y - 1}\Big) = \Big(\frac{2}{y - 1}\Big),$$
which contradicts the fact that $y - 1 \equiv a - 2 \equiv \pm 3 \bmod 8$.
Now assume that $q = 8k + 3 = 24h + a$ for $a \in \{11, 19\}$ (here we are using $q \ne 3$); then $y \equiv 2 \bmod 8$ and
$$x^2 = y^q + 1 = (y^3 - 1 + 1)^{8h} x^a + 1 \equiv x^a + 1 \bmod (x^3 - 1).$$
If $a = 11$, then $x^{11} - x^2 = x^2(x^9 - 1)$, hence
$$1 = \Big(\frac{x^{11} + 1}{x^3 - 1}\Big) = \Big(\frac{x^2 + 1}{x^3 - 1}\Big) = \Big(\frac{x^3 - 1}{x^2 + 1}\Big) = \Big(\frac{-x - 1}{x^2 + 1}\Big) = \Big(\frac{x^2 + 1}{x + 1}\Big) = \Big(\frac{2}{x + 1}\Big) = -1,$$
and this is a contradiction since $x + 1 \equiv 3 \bmod 8$.
If $a = 19$, then similarly
$$1 = \Big(\frac{x^{19} + 1}{x^3 - 1}\Big) = \Big(\frac{x + 1}{x^3 - 1}\Big) = \Big(\frac{x^3 - 1}{x + 1}\Big) = \Big(\frac{2}{x + 1}\Big) = -1.$$

8.2. The congruence
$$(-1)^m \equiv (1 + 2m - m^2)S_0 \bmod 3$$
implies
$$S_0 \equiv \frac{(-1)^m}{1 + 2m - m^2} \bmod 3.$$
The residue class modulo 3 of the numerator depends on $m \bmod 2$, that of the denominator on $m \bmod 3$. Thus the residue class of $S_0 \bmod 3$ only depends on $m \bmod 6$, and the claim follows by verifying it for all integers $m$ with $1 \le m \le 6$.
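8.3. We have
$$(1 + 1)^m = \binom{m}{0} + \binom{m}{1} + \binom{m}{2} + \binom{m}{3} + \ldots,$$
$$(1 - 1)^m = \binom{m}{0} - \binom{m}{1} + \binom{m}{2} - \binom{m}{3} + \ldots, \quad\text{hence}$$
$$2^m = 2\binom{m}{0} + 2\binom{m}{2} + 2\binom{m}{4} + \ldots = 2\binom{m}{1} + 2\binom{m}{3} + 2\binom{m}{5} + \ldots.$$
8.4. Let $\rho$ denote a primitive cube root of unity. Then for $k = 0, 1, 2$ we have
$$(1 + \rho^k)^m = \binom{m}{0} + \rho^k\binom{m}{1} + \rho^{2k}\binom{m}{2} + \binom{m}{3} + \rho^k\binom{m}{4} + \ldots.$$
Adding these equations for $k = 0, 1, 2$ yields, since $1 + \rho = -\rho^2$,
$$2^m + (-\rho^2)^m + (-\rho)^m = 3\Big(\binom{m}{0} + \binom{m}{3} + \binom{m}{6} + \ldots\Big).$$
• If $m \equiv 0 \bmod 3$, then
$$\binom{m}{0} + \binom{m}{3} + \binom{m}{6} + \ldots = \frac{2^m + 2(-1)^m}{3}.$$
• If $m \equiv 1, 2 \bmod 3$, then the left hand side becomes $2^m + (-1)^m(\rho + \rho^2) = 2^m - (-1)^m$, and the claim follows.
8.5. As above we find
$$(1 + i^k)^m = \binom{m}{0} + i^k\binom{m}{1} + (-1)^k\binom{m}{2} + i^{3k}\binom{m}{3} + \binom{m}{4} + \ldots$$
for $k = 0, 1, 2, 3$. Adding these equations yields
$$4\Big(\binom{m}{0} + \binom{m}{4} + \binom{m}{8} + \ldots\Big) = 2^m + (1 + i)^m + (1 - i)^m,$$
hence
$$\binom{m}{0} + \binom{m}{4} + \binom{m}{8} + \ldots = \begin{cases} 2^{m-2} + (-1)^{\frac{m}{4}}\, 2^{\frac{m-2}{2}} & \text{if } m \equiv 0 \bmod 4, \\ 2^{m-2} + (-1)^{\frac{m-1}{4}}\, 2^{\frac{m-3}{2}} & \text{if } m \equiv 1 \bmod 4, \\ 2^{m-2} & \text{if } m \equiv 2 \bmod 4, \\ 2^{m-2} + (-1)^{\frac{m+1}{4}}\, 2^{\frac{m-3}{2}} & \text{if } m \equiv 3 \bmod 4 \end{cases}$$
as claimed.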
8.6. If $y$ and $y + 1$ are $S$-smooth, then $2 \in S$ since either $y$ or $y + 1$ is even. Thus $4y(y + 1) = (2y + 1)^2 - 1$ is $S$-smooth. We claim that there are at most $3^n$ integers $a > 0$ for which $a^2 - 1$ is $S$-smooth.
Assume that $a^2 - 1 = p_1^{e_1} \cdots p_n^{e_n}$. Write $e_j = 2f_j + g_j$ with $g_j \in \{0, 1, 2\}$, where $g_j = 0$ if $e_j = 0$ and $g_j = 2$ otherwise, and set $d = \prod p_j^{g_j}$ and $b = \prod p_j^{f_j}$; then $a^2 - 1 = db^2$, or $a^2 - db^2 = 1$, and each prime dividing $b$ also divides $d$. Størmer's Theorem 8.4 then implies that, for a fixed value of $d$, the equation $a^2 - 1 = db^2$ has at most one positive solution with the property that primes dividing $b$ also divide $d$. Since $d = \prod p_j^{g_j}$ and $0 \le g_j \le 2$ there are at most $3^n$ choices for $d$, and this proves our claim.
For improvements of this procedure see [75].
8.7. Let $x$ and $y$ be natural numbers satisfying $x^2 + x + 1 = 3y^2$. Then $x \equiv 1 \bmod 3$, hence we can write $x = 3z + 1$ for some natural number $z$. Then $9z^2 + 3 = 12y^2$ implies $(2y)^2 - 3z^2 = 1$, hence $2y + z\sqrt{3}$ is a unit in $\mathbb{Z}[\sqrt{3}]$, and we can write $2y + z\sqrt{3} = (2 + \sqrt{3})^h$ for some exponent $h \ge 1$. If $h$ is even, then so is $z$, which is impossible since $(2y)^2 - 3z^2 = 1$; this shows that $h = 2n + 1$ must be odd. Thus
$$2y + z\sqrt{3} = (2 + \sqrt{3})^{2n+1} \quad\text{and}\quad 2y - z\sqrt{3} = (2 - \sqrt{3})^{2n+1}.$$
These equations quickly imply the claims since $x = 3z + 1$.

Chapter 9

9.1. The equality $[\mathfrak{a}] = [\mathfrak{b}]$ of ideal classes is by definition equivalent to the existence of an element $\alpha \in k^\times$ with $\mathfrak{a} = (\alpha)\mathfrak{b}$. Applying $\sigma$ to this equation shows that $\mathfrak{a}^\sigma = (\alpha^\sigma)\mathfrak{b}^\sigma$, which in turn implies that $[\mathfrak{a}^\sigma] = [\mathfrak{b}^\sigma]$. Since $\sigma^2 = \mathrm{id}$, applying $\sigma$ to the last equation now proves the converse.
9.2. The fundamental unit $\varepsilon = 3 + \sqrt{10}$ of $\mathbb{Q}(\sqrt{10})$ has norm $-1$, hence an ideal above a prime number $p$ is principal if and only if the equation $x^2 - 10y^2 = p$ has integral solutions. Clearly $x^2 - 10y^2 = 2$ and $x^2 - 10y^2 = 5$ are impossible modulo 5 and modulo 8, respectively. Moreover, $(2 - \sqrt{10}) = (2, \sqrt{10})(3, 1 + \sqrt{10})$, hence $(3, 1 + \sqrt{10})$ cannot be principal either.
The ideals $(2, \sqrt{10})$ and $(5, 1 + \sqrt{10})$ are generated by ramified prime ideals, hence are ambiguous, whereas $(3, 1 + \sqrt{10})$ is not ambiguous.
9.3. We know that the fundamental unit $\varepsilon$ has norm $-1$, so ideals above primes $q$ are principal if and only if $q = x^2 - 2py^2$ has integral solutions. The equation $2 = x^2 - 2py^2$ is not solvable modulo $p$ since 2 is a nonsquare modulo primes $p \equiv 5 \bmod 8$.
9.4. Assume that $(2, \sqrt{2p}) = (\alpha)$ is principal. Then $\varepsilon = \frac{1}{2}\alpha^2$ is a unit, and $\varepsilon$ cannot be a square since 2 is no square in $K$. But $N\varepsilon = \frac{1}{4}(N\alpha)^2 = +1$, hence the fundamental unit must have norm $+1$.
Conversely, assume that $N\varepsilon = +1$. By Hilbert's Theorem 90 there is an element $\alpha \in O_K$ with $\alpha^{1-\sigma} = \varepsilon$. Then $(\alpha)$ is ambiguous, and getting rid of rational prime we find that $(\alpha)$ is one of the ideals $(1)$, $(2, \sqrt{2p})$, $(p, \sqrt{2p})$ or $(\sqrt{2p})$.
If $(\alpha) = (1)$, then $\alpha = \eta$ for some unit $\eta$, but then $\varepsilon = \eta^{1-\sigma}$ cannot be fundamental.
Similarly, if $(\alpha) = (\sqrt{2p})$, then $\alpha = \eta\sqrt{2p}$ for some unit $\eta$, and again $\alpha^{1-\sigma} = -\eta^{1-\sigma}$ contradicts the fact that $\varepsilon$ is fundamental.
Thus $(\alpha)$ must be one of the ideals $(2, \sqrt{2p})$ or $(p, \sqrt{2p})$; since their product is $(\sqrt{2p})$, they must both be principal.
Finally assume that $2p = a^2 + b^2$ with $a > b > 0$ and set $\mathfrak{a} = (a, b + \sqrt{m})$. Clearly
$$\mathfrak{a}^2 = (a^2,\ a(b + \sqrt{2p}),\ (b + \sqrt{2p})^2) = (2p - b^2,\ a(b + \sqrt{2p}),\ (b + \sqrt{2p})^2) = (b + \sqrt{2p})(b - \sqrt{2p},\ a,\ b + \sqrt{2p}) = (b + \sqrt{2p}).$$
Note that $\mathfrak{a}\mathfrak{a}^\sigma = (a) \ne \mathfrak{a}^2$, so $\mathfrak{a}$ is not an ambiguous ideal. But $\mathfrak{a}\mathfrak{a}^\sigma \sim \mathfrak{a}^2$ clearly implies that $\mathfrak{a}^\sigma \sim \mathfrak{a}$, hence the ideal class of $\mathfrak{a}$ is ambiguous.
9.5. Let $c$ be the nontrivial ideal class. Since $c^\sigma$ must also be nontrivial, we have $c = c^\sigma$, and so the nontrivial ideal class is ambiguous.
9.6. Let $c$ be an ambiguous ideal class. Then $c = c^\sigma$, hence $c^2 = c \cdot c^\sigma = 1$ since the norm of an ideal is principal. Thus ambiguous ideal classes have order 1 or 2. Since the class group has odd order, every ambiguous ideal class must have order 1, and this shows that $\mathrm{Am}(k) = 1$.
9.7. Consider the natural map $\pi : A \to AB/B$ defined by sending an element $a \in A$ to the coset $aB + B$. Its kernel consists of all elements $a$ with $aB \in B$; this is equivalent to $a \in B$. Thus $\ker \pi = A \cap B$. On the other hand, $\pi$ is clearly onto, and this implies that $A/A \cap B = A/\ker \pi \simeq \operatorname{im} \pi = AB/B$.
9.8. Let $H$ denote the group of nonzero principal ideals, $H^G$ its subgroup fixed by the Galois group $G$, $A$ the group of nonzero ambiguous ideals and $P$ the group of all fractional ideals in $\mathbb{Q}^\times$. The kernel of the map $\iota : H^G/P \to A/P$ sending a coset $(\alpha)P$ with $(\alpha') = (\alpha)$ to the same coset in $A/P$ consists of all cosets $(\alpha)P$ satisfying $(\alpha) \in P$, hence of the coset $P$. Thus $\iota$ is injective.
The map $\pi : A/P \to \mathrm{Am}_{\mathrm{st}}(k)$, which sends a coset $\mathfrak{a}P$ with $\mathfrak{a}^\sigma = \mathfrak{a}$ to the ideal class $[\mathfrak{a}]$, is well defined since changing $\mathfrak{a}$ by a principal ideal does not change its ideal class. Since every strongly ambiguous ideal class is generated by an ambiguous ideal, the map $\pi$ is surjective.
For showing that $\ker \pi = \operatorname{im} \iota$ assume that $\pi(\mathfrak{a}P) = [(1)]$; then $\mathfrak{a} = (\alpha)$ is principal and therefore in the image of $\iota$. Since the image of $\iota$ is obviously contained in $\ker \pi$, we have proved the claim.
9.9. We have

$$\alpha = \frac{m + ni}{m - ni} = \frac{(m + ni)^2}{(m - ni)(m + ni)} = \frac{m^2 - n^2}{m^2 + n^2} + \frac{2mn}{m^2 + n^2} \cdot i.$$

Clearing denominators we find

$$x = m^2 - n^2, \quad y = 2mn \quad\text{and}\quad z = m^2 + n^2$$

as desired.

The generalization to arbitrary quadratic number fields is straightforward; elements of norm 1 in $\mathbb{Q}(\sqrt{m})$ have the form

$$\frac{a + b\sqrt{m}}{a - b\sqrt{m}} = \frac{(a + b\sqrt{m})^2}{(a + b\sqrt{m})(a - b\sqrt{m})} = \frac{a^2 + mb^2}{a^2 - mb^2} + \frac{2ab}{a^2 - mb^2} \cdot \sqrt{m},$$

which implies that

$$x = a^2 + mb^2, \quad y = 2ab, \quad\text{and}\quad z = a^2 - mb^2$$

is a solution of $x^2 - my^2 = z^2$.
9.10. An element $\alpha \in k^\times$ belongs to $H^G$ if and only if $(\alpha) = (\alpha^\sigma)$. This is equivalent to the existence of a unit $\varepsilon$ with $\alpha = \varepsilon\alpha^\sigma$, i.e., to $\varepsilon = \alpha^{1-\sigma}$. Clearly $\varepsilon \in E[N]$ since $N\varepsilon = 1$, and the kernel of the homomorphism $\lambda((\alpha)) = \varepsilon E^{1-\sigma}$ consists of all principal ideals $(\alpha)$ with $\alpha^{1-\sigma} = \eta^{1-\sigma}$ for some unit $\eta$. But then $\beta = \alpha/\eta$ has the property that $(\alpha) = (\beta)$ and $\beta^\sigma = \beta$, which shows that $\beta \in \mathbb{Q}^\times$. Thus $\ker \lambda = P$.
9.11. The ideal $(3, 1 + \sqrt{10})$ has norm 3 and is not principal, whereas $(1, 3 + \sqrt{10}) = (1)$ lies in the principal class.
9.12. If $\mathfrak{p} = (\pi)$, then $(p) = \mathfrak{p}^2 = (\pi^2)$. Thus $\pi^2 = \varepsilon p$ for some unit $\varepsilon$. If $\pm\varepsilon$ is a square, then so is $\pm p$, and we must have $m = \pm p$, which we have excluded.
This works more generally for products $n$ of disjoint ramified primes. If $m = 30$, the elements $\alpha = 6 + \sqrt{30}$ and $\beta = 5 + \sqrt{30}$ generate ramified ideals, and we have $\frac{\alpha^2}{6} = \frac{\beta^2}{5} = 11 + 2\sqrt{30}$.
9.13. If $\big(\frac{p}{q}\big) = +1$, then $\big(\frac{q^*}{p}\big) = +1$ for $q^* = \big(\frac{-1}{q}\big)q$. Thus $p$ splits in $k = \mathbb{Q}(\sqrt{q^*})$, and we have $\pm 4p^h = x^2 + q^* y^2$, where $h$ is the odd class number of $k$. Reduction modulo $q$ then implies $\big(\frac{p}{q}\big) = +1$.
9.14. If $p \equiv 3 \bmod 4$, then the equation $t^2 - pu^2 = -1$ is impossible modulo $p$ (as well as modulo 4). Assume therefore that $p \equiv 1 \bmod 4$ is prime, and let $(t, u)$ be the smallest positive solution of the Pell equation $t^2 - pu^2 = 1$. Then $t$ must be odd, and in $pu^2 = (t - 1)(t + 1)$ we have $\gcd(t + 1, t - 1) = 2$. Thus either $t - 1 = 2a^2$ and $t + 1 = 2pb^2$ or $t - 1 = 2pa^2$ and $t + 1 = 2b^2$. In the second case we obtain $b^2 - pa^2 = 1$ for a smaller pair $(a, b)$ contradicting our assumptions. Thus $pb^2 - a^2 = 1$ and therefore $a^2 - pb^2 = -1$, hence the fundamental unit of $\mathbb{Q}(\sqrt{p})$ has negative norm if $p \equiv 1 \bmod 4$ is prime.
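The descent in solution 9.14 can be carried out numerically. The following Python sketch is an added example, not code from the book; the function names `pell_fundamental` and `descent` are hypothetical, and the continued fraction method used to find the smallest Pell solution is a standard technique brought in here as an assumption.

```python
from math import isqrt


def pell_fundamental(d):
    """Smallest positive (t, u) with t^2 - d*u^2 = 1, found by walking the
    convergents of the continued fraction expansion of sqrt(d)."""
    a0 = isqrt(d)
    if a0 * a0 == d:
        raise ValueError("d must not be a perfect square")
    m, q, a = 0, 1, a0
    h_prev, h = 1, a0   # numerators of consecutive convergents
    k_prev, k = 0, 1    # denominators of consecutive convergents
    while h * h - d * k * k != 1:
        m = a * q - m
        q = (d - m * m) // q
        a = (a0 + m) // q
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
    return h, k


def descent(p):
    """Split the minimal solution of t^2 - p*u^2 = 1 as in solution 9.14.

    Returns (t, u, a, b) with t - 1 = 2*a^2 and t + 1 = 2*p*b^2, so that
    a^2 - p*b^2 = -1, or None when the minimal solution does not split
    in this way.
    """
    t, u = pell_fundamental(p)
    if t % 2 == 0:
        return None                      # t even: the argument does not start
    a = isqrt((t - 1) // 2)
    b_squared, remainder = divmod(t + 1, 2 * p)
    b = isqrt(b_squared)
    if remainder or 2 * a * a != t - 1 or b * b != b_squared:
        return None                      # first case of the solution fails
    return t, u, a, b


if __name__ == "__main__":
    # Constructed sample inputs: primes p = 1 mod 4, then a prime p = 3 mod 4
    # and the composite 21 = 1 mod 4, where the splitting is not available.
    for p in (5, 13, 17, 29, 37, 41, 53, 61, 7, 21):
        result = descent(p)
        if result is None:
            print(f"p = {p}: no splitting t - 1 = 2a^2, t + 1 = 2pb^2")
        else:
            t, u, a, b = result
            print(f"p = {p}: (t, u) = ({t}, {u}), a^2 - p*b^2 = {a*a - p*b*b}")
```

The composite value 21 shows why the argument needs $p$ to be prime: there the factor 21 can be shared between $t - 1$ and $t + 1$, and no solution of norm $-1$ results.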
9.15. Since $x^2 - qy^2$ is even, $x$ and $y$ must have the same parity. If $x$ and $y$ are odd, then $x^2 - qy^2 \equiv x^2 + y^2 \equiv 2 \bmod 4$, which contradicts the fact that $x^2 - qy^2$ is divisible by 4. Thus $x = 2X$ and $y = 2Y$ are even, and we find $\pm p^h = X^2 - qY^2$.
Again we have $X^2 - qY^2 \equiv X^2 + Y^2 \bmod 4$, and we find that $X$ and $Y$ must be odd and that $\pm p^h \equiv 1 \bmod 4$. Since $p \equiv 1 \bmod 4$, the plus sign must hold.
9.16. If $N\varepsilon_m = +1$, then $\varepsilon_m = \alpha^{\sigma - 1}$ by Hilbert's Theorem 90. Set $\mathfrak{a} = (\alpha)$; then $\mathfrak{a}^\sigma = (\alpha^\sigma) = (\alpha\varepsilon_m) = (\alpha)$, so $\mathfrak{a}$ is an ambiguous principal ideal. If $\mathfrak{a} = (1)$ then $\varepsilon_m = 1$, which is nonsense; similarly, $\mathfrak{a} = (\sqrt{m})$ leads to $\varepsilon_m = -1$.
9.17. Assume that $p \equiv 1 \bmod 4$ is a prime number, and let $\varepsilon$ denote the fundamental unit of $k = \mathbb{Q}(\sqrt{p})$. If $N\varepsilon = +1$, then there is an ambiguous principal ideal $(\alpha) \ne (1), (\sqrt{p})$. But ambiguous principal ideals are generated by ramified primes, and the only ramified prime in $\mathbb{Q}(\sqrt{p})$ is $p$ (here we have used $p \equiv 1 \bmod 4$, so the discriminant of $k$ is $\Delta = p$).
9.18. The fundamental unit $\varepsilon = 170 + 39\sqrt{19}$ of $\mathbb{Z}[\sqrt{19}]$ is $\equiv 1 \bmod 13$, so reduction modulo the prime ideals above 13 only yields the trivial residue classes $\pm 1$.
The fundamental unit $\varepsilon = \frac{1 + \sqrt{5}}{2}$, on the other hand, is a primitive root modulo the prime ideals above 11, so in this case the image of the reduction homomorphism is the whole coprime residue class group modulo $\pi = 4 + \sqrt{5}$.
9.19. It suffices to prove the result for coprime values of $x$ and $y$ since rational primes $p$ have the form $p = p + 0\sqrt{10}$. Now write the norm $n = x^2 - 10y^2$ of $\alpha = x + y\sqrt{10}$ as a product of primes $p$ satisfying $\big(\frac{2}{p}\big) = \big(\frac{5}{p}\big) = +1$ and primes $q$ satisfying $\big(\frac{2}{q}\big) = \big(\frac{5}{q}\big) = -1$. If $p \mid n$, then $p = \pi\pi'$, and either $\pi \mid \alpha$ or $\pi' \mid \alpha$. Thus it remains to prove the result for elements $\alpha$ whose norm is a product of primes $q$.
Let $(\alpha) = \mathfrak{q}_1 \cdots \mathfrak{q}_t$ denote its prime ideal factorization; observe that $t = 2s$ must be even since each ideal $\mathfrak{q}_j$ has order 2 in the class group. Now write $\mathfrak{q}_j (2, \sqrt{10}) = (2a_j + b_j\sqrt{10})$. Then $(2, \sqrt{10})^t (\alpha) = \prod (2a_j + b_j\sqrt{10})$, where $(2, \sqrt{10})^t = 2^s$. Dividing each factor on the right by $\sqrt{2}$ we obtain $(\alpha) = \prod (a_j\sqrt{2} + b_j\sqrt{5})$, and this implies our claim. Analogous results hold for other fields with class number 2.
9.20. By the ambiguous class number formula, the class number is odd since there are two ramified primes (2 and $q$) and since the fundamental unit has norm $+1$ since the equation $t^2 - 2pu^2 = -1$ does not have a solution modulo $p$ by the first supplementary law.
Since the prime ideal $\mathfrak{a} = (2, \sqrt{pq})$ satisfies $\mathfrak{a}^2 = (2)$, it must be principal (there is no class of even order since the class number is odd); thus there must be an element with norm $\pm 2$: $X^2 - 2py^2 = \pm 2$. Clearly $X = 2x$ must be even, and we deduce $2x^2 - py^2 = \pm 1$. The equation $2x^2 - qy^2 = 1$ is impossible modulo 8; thus $2x^2 - qy^2 = -1$ must be solvable. Reducing this equation modulo $q$ implies $2x^2 \equiv -1 \bmod q$, hence $\big(\frac{2}{q}\big) = \big(\frac{-1}{q}\big) = -1$.

Chapter 10

10.1. This is a purely formal exercise. If $1_A$ and $1_B$ denote the neutral elements of $A$ and $B$, then $(1_A, 1_B)$ is the neutral element of $A \oplus B$. The inverse element of $(a, b)$ is $(a^{-1}, b^{-1})$, and associativity is directly inherited from $A$ and $B$.
10.2. For a subgroup $U$ of $A \oplus B$ define the subgroup $A_1$ of $A$ as the set of all $a \in A$ for which there exists an element $(a, b) \in U$, and define $B_1$ similarly. Clearly $A_1 \oplus B_1$ is a subgroup of $U$. Conversely, given an element $(a, b) \in U$, we have $a \in A_1$ and $b \in B_1$ by definition, hence $(a, b) \in A_1 \oplus B_1$.
10.3. This is easy: Changing $a$ by a multiple of $N = N_1 N_2$ does not change the residue classes $a + N_1\mathbb{Z}$ and $a + N_2\mathbb{Z}$.
10.4. Let $d = \gcd(N_1, N_2)$ and write $d = mN_1 + nN_2$. Then

$$\chi(a + d + N\mathbb{Z}) = \chi(a + mN_1 + nN_2 + N\mathbb{Z})$$
$$= \chi(a + nN_2 + N\mathbb{Z}) \qquad (\chi \text{ defined modulo } N_1)$$
$$= \chi(a + N\mathbb{Z}) \qquad (\chi \text{ defined modulo } N_2).$$

This shows that $\chi$ is defined modulo $d$.
10.5. This is a special case of Lemma 10.1 since, by the Chinese Remainder Theorem, $(\mathbb{Z}/N\mathbb{Z})^\times \simeq (\mathbb{Z}/N_1)^\times \times (\mathbb{Z}/N_2)^\times$ because $N_1$ and $N_2$ are coprime.
10.6. Since 2 is a primitive root modulo 5, each residue class coprime to 5 can be represented in the form $a \equiv 2^j \bmod p$, and therefore $\chi(a) = \chi(2)^j$. Since $\chi(2) \in \{\pm 1, \pm i\}$ there exist exactly four nontrivial Dirichlet characters defined modulo 5.
10.7. The kernel of the projection map $\pi : (\mathbb{Z}/N\mathbb{Z})^\times \to (\mathbb{Z}/n\mathbb{Z})^\times$ consists of all residue classes $a \bmod N$ for which $a \equiv 1 \bmod n$. Clearly $\chi$ is trivial on this kernel if and only if $\chi$ is defined modulo $N/n$. This implies the claim.
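10.8. For $\Delta = -3, -4, 5$, and $8$, we have computed the Pell forms in Sect. 10.2. The only missing cases are the following:

$$\Delta = -7: \quad f(q) = \frac{q + q^2 - q^3 + q^4 - q^5 - q^6}{1 - q^7} = \frac{q + 2q^2 + q^3 + 2q^4 + q^5}{1 + q + q^2 + q^3 + q^4 + q^5 + q^6}$$
$$\Delta = -8: \quad f(q) = \frac{q + q^3 - q^5 - q^7}{1 - q^8} = -\frac{q + q^3}{1 + q^4}$$
$$\Delta = -11: \quad f(q) = \frac{q + q^3 + 2q^4 + 3q^5 + 2q^6 + q^7 + q^9}{1 + q + q^2 + \dots + q^{10}}$$
$$\Delta = 12: \quad f(q) = \frac{q - q^5 - q^7 + q^{11}}{1 - q^{12}} = \frac{q - q^3}{1 - q^2 + q^4}.$$

10.9. Since

$$f_\chi(q) = \frac{\mathrm{Fek}_\chi(q)}{1 - q^N}$$

we have

$$f_\chi\Big(\frac{1}{q}\Big) = \frac{\mathrm{Fek}_\chi(\frac{1}{q})}{1 - \frac{1}{q^N}} = -\frac{q^N\, \mathrm{Fek}_\chi(\frac{1}{q})}{1 - q^N}.$$

If $N = \Delta > 0$, then $\big(\frac{N}{N-1}\big) = +1$, hence $\big(\frac{N}{a}\big) = \big(\frac{N}{N-a}\big)$. This shows that

$$q^N\, \mathrm{Fek}_\chi\Big(\frac{1}{q}\Big) = q^N \Big[ \Big(\frac{N}{1}\Big) \frac{1}{q} + \Big(\frac{N}{2}\Big) \frac{1}{q^2} + \dots + \Big(\frac{N}{N-1}\Big) \frac{1}{q^{N-1}} \Big]$$
$$= \Big(\frac{N}{N-1}\Big) q^{N-1} + \Big(\frac{N}{N-2}\Big) q^{N-2} + \dots + \Big(\frac{N}{1}\Big) q$$
$$= \mathrm{Fek}_\chi(q).$$

If $N = \Delta > 0$, then $\big(\frac{N}{N-1}\big) = -1$, and the same calculation as above shows

$$q^N\, \mathrm{Fek}_\chi\Big(\frac{1}{q}\Big) = -\mathrm{Fek}_\chi(q).$$

This proves the functional equation.

10.10. From

$$f_\chi(q) = \frac{q}{1 + q^2} = \frac{A}{1 - qi} + \frac{B}{1 + qi}$$

we obtain

$$q = A(1 + qi) + B(1 - qi) = A + B + (A - B)qi.$$

This implies $A + B = 0$ and $A - B = i$, hence $A = \frac{1}{2i}$ and $B = -\frac{1}{2i}$.
10.11. Here we find

$$f_\chi(q) = \frac{q - q^3}{1 + q^4} = \frac{1}{2\sqrt{2}} \Big( \frac{1}{1 - \zeta q} - \frac{1}{1 - \zeta^3 q} - \frac{1}{1 - \zeta^5 q} + \frac{1}{1 - \zeta^7 q} \Big).$$

10.12. The partial fraction decomposition of

$$\frac{\mathrm{Fek}_\chi(q)}{1 - q^N} = \sum_{k=0}^{N-1} \frac{a_k}{q - \zeta^k}$$

is given by Euler's formulas:

$$a_k = \frac{\mathrm{Fek}_\chi(\zeta^k)}{-N\zeta^{k(N-1)}} = -\frac{\zeta^k\, \mathrm{Fek}_\chi(\zeta^k)}{N}.$$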
10.13. We begin by observing that $\big(\frac{n}{p}\big) \equiv n^m \bmod p$ implies

$$\mathrm{Fek}_p(x) = \sum_{n=1}^{p-1} \Big(\frac{n}{p}\Big) x^n \equiv \sum_{n=1}^{p-1} n^m x^n \bmod p.$$

Therefore $\mathrm{Fek}_p(1) \equiv \sum_{n=1}^{p-1} n^m \equiv 0 \bmod p$ by Gauss's congruence (3.12).
10.14. We form the derivatives of the polynomials in the preceding exercise:

$$\mathrm{Fek}_p'(x) \equiv \sum n^m \cdot n x^{n-1} \bmod p,$$
$$\mathrm{Fek}_p''(x) \equiv \sum n^m \cdot n(n-1) x^{n-2} \bmod p,$$
$$\cdots$$
$$\mathrm{Fek}_p^{(k)}(x) \equiv \sum n^m \cdot n(n-1) \cdots (n-k+1) x^{n-k} \bmod p.$$

After plugging in $x = 1$, the sum in $\mathrm{Fek}_p^{(k)}(1)$ is over polynomials in $n$ whose degree is equal to $m + k$. According to (3.12), we have $\mathrm{Fek}_p^{(k)}(1) \equiv 0 \bmod p$ for $0 \le k < m$. For $k = m$, on the other hand, we get $\mathrm{Fek}_p^{(m)}(1) \equiv -1 \bmod p$.
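The congruences of solutions 10.13 and 10.14 can be checked directly on the integer coefficients of the Fekete polynomial. This Python sketch is an added example, not code from the book; the function names are hypothetical, and it assumes $m = (p - 1)/2$, the exponent for which Euler's criterion gives $\big(\frac{n}{p}\big) \equiv n^m \bmod p$.

```python
def legendre(n, p):
    """Legendre symbol (n/p) for an odd prime p, via Euler's criterion."""
    r = pow(n, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def fekete_coefficients(p):
    """Coefficients c_0, ..., c_{p-1} of Fek_p(x) = sum_{n=1}^{p-1} (n/p) x^n."""
    return [0] + [legendre(n, p) for n in range(1, p)]


def derivative_at_one(coefficients, k):
    """Exact integer value of the k-th derivative at x = 1:
    sum over n of c_n * n(n-1)...(n-k+1)."""
    total = 0
    for n, c in enumerate(coefficients):
        falling = 1
        for i in range(k):
            falling *= n - i
        total += c * falling
    return total


def derivative_profile(p):
    """Residues modulo p of Fek_p^(k)(1) for k = 0, 1, ..., m, m = (p-1)/2."""
    m = (p - 1) // 2
    coefficients = fekete_coefficients(p)
    return [derivative_at_one(coefficients, k) % p for k in range(m + 1)]


def order_of_vanishing(p):
    """Smallest k with Fek_p^(k)(1) not divisible by p."""
    coefficients = fekete_coefficients(p)
    k = 0
    while derivative_at_one(coefficients, k) % p == 0:
        k += 1
    return k


if __name__ == "__main__":
    # Constructed sample inputs: a few small odd primes.
    for p in (3, 5, 7, 11, 13, 17, 19, 23):
        print(p, derivative_profile(p), order_of_vanishing(p))
```

For each prime the profile consists of $m$ zeros followed by $p - 1$, the residue of $-1$, so the first nonvanishing derivative at $x = 1$ is the $m$-th one.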
10.15. Since $\Phi_p(x) = \frac{x^p - 1}{x - 1}$ we have

$$\Phi_p(x + 1) = \frac{(x + 1)^p - 1}{x} = x^{p-1} + \binom{p}{1} x^{p-2} + \dots + \binom{p}{p-1}.$$

This polynomial is Eisenstein since $p \mid \binom{p}{k}$ for $1 \le k \le p - 1$ and since $p^2 \nmid \binom{p}{p-1} = p$. Therefore $\Phi_p(x + 1)$ is irreducible.
10.16. We find the following values for $N_p$:

p    5   7   11   13   17   19   23   29   31   37
N_p  5   3   11   15   17   27   23   29   27   27

Clearly $N_p = p$ for primes $p \equiv 2 \bmod 3$. If $p \equiv 1 \bmod 3$, write $p = a^2 + 3b^2$ with $a \equiv 1 \bmod 3$. Then $N_p = p + 2a$.

10.17. We have

$$\mathrm{Fek}_p(x)^n = \sum_{t_1, \dots, t_n} \Big(\frac{t_1}{p}\Big) \Big(\frac{t_2}{p}\Big) \cdots \Big(\frac{t_n}{p}\Big) x^{t_1 + t_2 + \dots + t_n}.$$

If $x$ is a $p$-th root of unity, then $x^m$ only depends on the residue class of $m \bmod p$. Thus if $t_1 + \dots + t_n \equiv a \bmod p$, then

$$\mathrm{Fek}_p(x)^n = \sum_{a=0}^{p-1} J_n(a) x^a$$

as claimed.
Bibliography

1. M. Aigner, Markov’s Theorem and 100 Years of the Uniqueness Conjecture (Springer, Cham,
2013)
2. N.C. Ankeny, S. Chowla, H. Hasse, On the class-number of the maximal real subfield of a
cyclotomic field. J. Reine Angew. Math. 217, 217–220 (1965)
3. G. Arendt, Éléments de la théorie des nombres complexes de la forme $a + b\sqrt{-1}$. Programme
Collège Royal Français, September 1863
4. A. Ash, R. Gross, Fearless Symmetry. Exposing the Hidden Patterns of Numbers (Princeton
University Press, Princeton, 2006)
5. A. Ash, R. Gross, Elliptic Tales: Curves, Counting, and Number Theory (Princeton University
Press, Princeton, 2012)
6. R. Ayoub, On L-functions. Monatsh. Math. 71, 193–202 (1967)
7. R. Ayoub, S. Chowla, On Euler’s polynomial. J. Numb. Theory 13, 443–445 (1981)
8. E.J. Barbeau, Pell’s Equation (Springer, New York, 2003)
9. E. Benjamin, C. Snyder, Elements of order four in the narrow class group of real quadratic
fields. J. Aust. Math. Soc. 100, 21–32 (2016)
10. C. Bergmann, Über Eulers Beweis des großen Fermatschen Satzes für den Exponenten 3.
Math. Ann. 164, 159–175 (1966)
11. D. Bernoulli, Observationes de seriebus quae formantur ex additione vel subtractione
quacuncque terminorum se mutuo consequentium. Commentarii Acad. Sci. Imp. Petropol.
III (1728), 85–100
12. Y.F. Bilu, Y. Bugeaud, M. Mignotte, The Problem of Catalan (Springer, New York, 2014)
13. J.H. Bruinier, G. van der Geer, G. Harder, D. Zagier, The 1-2-3 of Modular Forms (Springer,
New York, 2008)
14. J.W.S. Cassels, Lectures on Elliptic Curves (Cambridge University Press, Cambridge, 1991)
15. J.W.S. Cassels, Local Fields (Cambridge University Press, Cambridge, 1986)
16. W. Castryck, A shortened classical proof of the quadratic reciprocity law. Am. Math. Monthly
115, 550–551 (2008)
17. H.H. Chan, L. Long, Y. Yang, A cubic analogue of the Jacobsthal identity. Am. Math. Monthly
118, 316–326 (2011)
18. P. Chebyshev, Sur les formes quadratiques. J. Math. Pures Appl. 16, 257–282 (1851)
19. K. Chemla, S. Guo, Les neuf chapitres. Le Classique mathématique de la Chine ancienne et
ses commentaires (Dunod, Paris, 2004)
20. H. Cohen, A Course in Computational Algebraic Number Theory (Springer, Berlin, Heidelberg, 1993)

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 331
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6

21. J.H.E. Cohn, Eight Diophantine equations, Proc. Lond. Math. Soc. (3) 16, 153–166 (1966);
Corr. ibid. (3) 17, 381 (1967)
22. H. Cohn, Advanced Number Theory (Dover Publications, New York, 1980); Original: A
Second Course in Number Theory (Wiley, New York, 1962)
23. H. Cohn, A Classical Invitation to Algebraic Numbers and Class Fields, 2nd edn. Universitext
(Springer, New York, 1988)
24. J.B. Cosgrave, K. Dilcher, An Introduction to Gauss Factorials, Am. Math. Monthly 118,
812–829 (2011)
25. D. Cox, Primes of the Form $x^2 + ny^2$ (Wiley, New York, 1989)
26. D. Cox, Why Eisenstein proved the Eisenstein criterion and why Schönemann discovered it
first. Am. Math. Monthly 118, 3–21 (2011)
27. H. Davenport, The Higher Arithmetic, 8th edn. (Cambridge University Press, Cambridge,
2008)
28. R. Dedekind, Gesammelte mathematische Werke (Friedrich Vieweg & Sohn, Braunschweig,
1932)
29. P.G.L. Dirichlet, Mémoire sur l’impossibilité de quelques équations indéterminées du cinquième
degré. Acad. Sci. Royale France 1825; Werke I, 1–46
30. P.G.L. Dirichlet, Einige Resultate von Untersuchungen über eine Classe homogener Functionen
des dritten und der höheren Grade, Ber. Verh. Königl. Preuß. Akad. Wiss. 1841, 280–285
(1841); Werke I, 625–632
31. P.G.L. Dirichlet, Vorlesungen über Zahlentheorie, 2nd edn., ed. by R. Dedekind (Brunswick
1871); English translation Lectures on Number Theory (American Mathematical Society and
London Mathematical Society, London, 1999)
32. F.W. Dodd, Number theory in the integral domain $\mathbb{Z}[\frac{1}{2} + \frac{1}{2}\sqrt{5}]$, Dissertation Univ. Northern
Colorado, 1981; published as Number Theory in the Quadratic Field with Golden Section
Unit (Polygonal Publishing House, Passaic, NJ, 1983)
33. D.S.L. Eelkema, Integer factorisation using conics, Bachelor thesis, Groningen (2020)
34. R.B. Eggleton, C.B. Lacampagne, J.L. Selfridge, Euclidean quadratic fields. Am. Math.
Monthly 99, 829–837 (1992)
35. G. Eisenstein, Neuer und elementarer Beweis des Legendre’schen Reciprocitäts-Gesetzes. J.
Reine Angew. Math. 27, 322–329 (1844); Math. Werke I, 100–107
36. L. Euler, Theoremata circa divisores numerorum in hac forma paa ± qbb contentorum.
Commun. Acad. Sci. Petropol. 14, 151–158 (1751); Opera Omnia I - 2, 194–222
37. L. Euler, De numeris, qui sunt aggregata duorum quadratorum. Nova Comm. Acad. Sci.
Petropol. 4(1752/3), 1758, 3–40; Opera Omnia I - 2, 295–327
38. L. Euler, Vollständige Anleitung zur Algebra (Birkhäuser, Basel, 1770); Leipzig (1883)
39. L. Euler, Opera Postuma. Fragmenta arithmetica ex adversariis mathematicis deprompta,
vol. 1, (1862), pp. 231–232; S. 157
40. T. Evink, A. Helminck, Tribonacci numbers and primes of the form $p = x^2 + 11y^2$. Math.
Slovaca 69, 521–532 (2019)
41. F.G. Frobenius, Über das quadratische Reziprozitätsgesetz I, Sitzungsberichte Berliner Akad.
335–349 (1914). Ges. Abhandl. 628–642
42. F.G. Frobenius (unter Benutzung einer Mitteilung des Herrn Dr. R. Remak), Über quadratische
Formen, die viele Primzahlen darstellen. Sitz. Kön. Preuß. Akad. Wiss. Berlin (1912),
966–980; Ges. Abh. III, 573–587
43. C.F. Gauß, Disquisitiones Arithmeticae, 1801; deutsche Übersetzung Maser 1889; Neuauflage
(K. Reich, Hrsg.), Georg Olms Verlag 2015
44. C.F. Gauß, Theorematis fundamentalis in doctrina de residuis quadraticis demonstrationes et
amplicationes novae, 1818; Werke II, 47–64
45. C.F. Gauß, Theorie der biquadratischen Reste. Zweite Abhandlung (Göttingen, 1832);
deutsche Übersetzung Maser 1889
46. K. Girstmair, Kroneckers Lösung der Pellschen Gleichung auf dem Computer. Math.
Semesterber. 53, 45–64 (2006)
47. M. Hall, Some equations $y^2 = x^3 - k$ without integer solutions. J. Lond. Math. Soc. 28,
379–383 (1953)
48. F. Halter-Koch, Quadratische Ordnungen mit großer Klassenzahl. J. Numb. Theory 34, 82–94
(1990)
49. K. Halupczok, Euklidische Zahlkörper. Diplomarbeit (Hartung-Gorre Verlag, Konstanz,
1997)
50. S. Hambleton, Generalized Lucas-Lehmer tests using Pell conics. Proc. Am. Math. Soc. 140,
2653–2661 (2012)
51. S. Hambleton, F. Lemmermeyer, Arithmetic of Pell surfaces. Acta Arith. 146, 1–12 (2011)
52. S. Hambleton, V. Scharaschkin, Pell conics and quadratic reciprocity. Rocky Mt. J. Math. 42,
91–96 (2012)
53. G.H. Hardy, E.M. Wright, Einführung in die Zahlentheorie (R. Oldenbourg Verlag, München,
1958)
54. M. Harper, A proof that $\mathbb{Z}[\sqrt{14}]$ is Euclidean, Ph.D. thesis, McGill University, 2000
55. M. Harper, $\mathbb{Z}[\sqrt{14}]$ is Euclidean. Can. J. Math. 56, 55–70 (2004)
56. K. Hashimoto, L. Long, Y. Yang, Jacobsthal identity for $\mathbb{Q}(\sqrt{-2})$, Forum Math. 24, 1225–
1238 (2012)
57. H. Hasse, Über eindeutige Zerlegung in Primelemente oder in Primhauptideale in Integritätsbereichen.
J. Reine Angew. Math. 159, 3–12 (1928)
58. H. Hasse, Über mehrklassige, aber eingeschlechtige reellquadratische Zahlkörper. Elem.
Math. 20, 49–59 (1965)
59. T.L. Heath, Diophantus of Alexandria. A Study in the History of Greek Algebra (Cambridge
University Press, Cambridge, 1910)
60. E. Hecke, Lectures on the Theory of Algebraic Numbers (Springer, Berlin, 1981)
61. D. Hilbert, Die Theorie der Algebraischen Zahlkörper, Jahresber. DMV 4, 175–546 (1897);
Engl. Transl. I. Adamson, The Theory of Algebraic Number Fields (Springer, New York,
1998)
62. F. Hirzebruch, D. Zagier, The Atiyah-Singer Theorem and Elementary Number Theory
(Publish or Perish, Boston, 1974)
63. J. Høyrup, Algebra in Cuneiform (Max-Planck-Gesellschaft zur Förderung der Wissenschaften,
Berlin, 2017)
64. A. Hurwitz, Über eine Aufgabe der unbestimmten Analysis. Archiv. Math. Phys. 3, 185–196
(1907); Mathematische Werke 2, 410–421
65. K. Ireland, K. Rosen, A Classical Introduction to Modern Number Theory (Springer, New
York, 1990)
66. M. J. Jacobson, H. C. Williams, Solving the Pell Equation (CMS, New York, 2009)
67. E. Jacobsthal, Anwendungen einer Formel aus der Theorie der quadratischen Reste, Diss.,
Berlin, 1906
68. E. Jacobsthal, Über die Darstellung der Primzahlen der Form 4n + 1 als Summe zweier
Quadrate. J. Reine Angew. Math. 132, 238–246 (1907)
69. H.W.E. Jung, Einführung in die Theorie der quadratischen Zahlkörper (Jänicke, Leipzig,
1936)
70. L. Kronecker, Ueber die Potenzreste gewisser complexer Zahlen (Monatsber, Berlin, 1880),
pp. 404–407; Werke II, 95–101
71. E.E. Kummer, Zur Theorie der complexen Zahlen. J. Reine Angew. Math. 35, 319–326
(1847)
72. R.C. Laubenbacher, D. Pengelley, Eisenstein’s misunderstood geometric proof of the
quadratic reciprocity theorem. College Math. J. 25, 29–34 (1994)
73. V.A. Lebesgue, Recherches sur les nombres. J. Math. Pures Appl. 3, 113–144 (1838)
74. V.A. Lebesgue, Sur l’impossibilité, en nombres entiers, de l’équation $x^m = y^2 + 1$. Nouv.
Ann. Math. (1) 9, 178–181 (1850)
75. D.H. Lehmer, On a problem of Störmer. Illinois J. Math. 8, 57–79 (1964)
76. F. Lemmermeyer, The Euclidean algorithm in algebraic number fields. Expositiones Math.
13, 385–416 (1995)

77. F. Lemmermeyer, Reciprocity Laws (Springer, Berlin, 2000)


78. F. Lemmermeyer, Higher Descent on Pell Conics, I. From Legendre to Selmer,
arXiv:math/0311309; II. Two Centuries of Missed Opportunities, math/0311296; III. The
First 2-Descent, math/0311310 (2003)
79. F. Lemmermeyer, Zur Zahlentheorie der Griechen. I: Euklids Fundamentalsatz der Arithmetik.
Math. Semesterber. 55, 181–195 (2008)
80. F. Lemmermeyer, Zur Zahlentheorie der Griechen. II: Gaußsche Lemmas und Rieszsche
Ringe. Math. Sem.ber. 56, 39–51 (2009)
81. F. Lemmermeyer, Jacobi and Kummer’s ideal numbers. Abh. Math. Sem. Hamburg 79, 165–
187 (2009)
82. F. Lemmermeyer, Relations in the 2-class group of quadratic number fields, J. Austr. Math.
Soc. 93, 115–120 (2012)
83. F. Lemmermeyer, Parametrization of algebraic curves from a number theorist’s point of view.
Am. Math. Monthly 119, 573–583 (2012)
84. F. Lemmermeyer, Binomial squares in pure cubic number fields. J. Théor. Nombres Bordeaux
24, 691–704 (2012)
85. F. Lemmermeyer, Mathematik à la Carte. Elementargeometrie an Quadratwurzeln mit
einigen geschichtlichen Bemerkungen (Springer-Spektrum, 2015)
86. F. Lemmermeyer, Mathematik à la Carte. Quadratische Gleichungen mit Schnitten von
Kegeln (Springer-Spektrum, Berlin, 2016)
87. F. Lemmermeyer, Composite values of irreducible polynomials. Elemente d. Math. 74, 36–37
(2019)
88. F. Lemmermeyer, 4000 Jahre Zahlentheorie (Springer-Verlag, to appear)
89. F. Lemmermeyer, M. Mattmüller (Hrsg.), Leonhardi Euler Opera Omnia (IV) 4. Correspondence
of Leonhard Euler with Christian Goldbach (Birkhäuser, Basel, 2015)
90. F. Lemmermeyer, P. Roquette (Hrsg.), Helmut Hasse und Emmy Noether – Die Korrespondenz
1925 – 1935 (Univ.-Verlag, Göttingen, 2006)
91. H.W. Lenstra, Solving the Pell equation. Notices Am. Math. Soc. 49, 182–192 (2002)
92. W.J. Leveque, Topics in Number Theory, vol. II (Addison-Wesley, Reading, MA, 1961)
93. M. Mignotte, A new proof of Ko Chao’s Theorem, Math. Notes 76, 358–367 (2004)
94. P. Mihailescu, Primary cyclotomic units and a proof of Catalan’s conjecture. J. Reine Angew.
Math. 572, 167–195 (2004)
95. R. Mollin, On the divisor function and class numbers of real quadratic fields. I. Proc. Jpn.
Acad. 66, 109–111 (1990)
96. M.G. Monzingo, An elementary evaluation of the Jacobsthal sum. J. Number Theory 22, 21–
25 (1986)
97. L.J. Mordell, Diophantine Equations (Academic, London, 1969)
98. T. Motzkin, The Euclidean algorithm. Bull. Am. Math. Soc. 55, 1142–1146 (1949)
99. T. Nagell, Solution complète de quelques équations cubiques à deux indéterminées. J. Math.
Pures Appl. 4, 209–270 (1925)
100. M. Nyberg, Culminating and almost culminating continued fractions (Norwegian). Norsk
Mat. Tidskr. 31, 95–99 (1949)
101. A. Oppenheim, Quadratic fields with and without Euclid’s algorithm. Math. Ann. 109, 349–
352 (1934)
102. D. Pengelley, F. Richman, Did Euclid need the Euclidean algorithm to prove unique
factorization?. Am. Math. Monthly 113, 196–205 (2006)
103. J. Plemelj, Die Unlösbarkeit von $x^5 + y^5 + z^5 = 0$ im Körper $k\sqrt{5}$. Monatsh. Math. Phys.
23, 305–308 (1912)
104. K. Plofker, Mathematics in India (Princeton University Press, Princeton, 2009)
105. G. Rabinovitch, Eindeutigkeit der Zerlegung in Primzahlfaktoren im quadratischen Zahlkörper.
Proc. Int. Congr. Math. 1912, 418–421 (1912)
106. L. Rédei, Über die quadratischen Zahlkörper mit Primzerlegung. Acta Sci. Math. (Szeged)
21, 1–3 (1960)

107. L.W. Reid, The Elements of the Theory of Algebraic Numbers (The Macmillan Co., New York,
1910)
108. P. Ribenboim, Catalan’s Conjecture (are 8 and 9 the only Consecutive Primes? (Academic,
Boston, 1994)
109. P. Ribenboim, Meine Zahlen, meine Freunde. Glanzlichter der Zahlentheorie (Springer,
Berlin, 2009)
110. P. Roquette, The Riemann Hypothesis in Characteristic p in Historical Perspective (Springer,
Cham, 2018)
111. W. Scharlau, H. Opolka, Von Fermat bis Minkowski. Eine Vorlesung über Zahlentheorie und
ihre Entwicklung (Springer, Berlin, 1980)
112. A. Scholz, Einführung in die Zahlentheorie (de Gruyter, Berlin, 1939)
113. R. Schoof, Catalan’s Conjecture (Springer, London, 2008)
114. C.-O. Selenius, Rationale of the Chakravala Process of Jayadeva and Bhaskara II. Hist. Math.
2, 167–184 (1975)
115. D. Shanks, On Gauss’s class number problems. Math. Comp. 23, 151–163 (1969)
116. H. Siebeck, Die recurrenten Reihen, vom Standpuncte der Zahlentheorie aus betrachtet. J.
Reine Angew. Math. 33, 71–77 (1846)
117. J. Silverman, J. Tate, Rational Points on Elliptic Curves (Springer, New York, 1992)
118. J. Sommer, Vorlesungen über Zahlentheorie. Einführung in die Theorie der algebraischen
Zahlkörper (Teubner, Leipzig, 1907)
119. C. Størmer, Solution d’un problème curieux qu’on rencontre dans la théorie élémentaire des
logarithmes, Nyt tidsskrift for matematik 19, 1–7 (1908)
120. G. Szekeres, On the number of divisors of $x^2 + x + A$, J. Number Theory 6, 434–442 (1974)
121. G. Terjanian, Sur l’équation $x^{2p} + y^{2p} = z^{2p}$. C. R. Acad. Sci. Paris 285, 973–975 (1977)
122. A. Thue, Über Annäherungswerte algebraischer Zahlen. J. Reine Angew. Math. 135, 284–305
(1909)
123. E. Trost, Eine Bemerkung zur diophantischen Analysis. Elem. Math. 26, 60–61 (1971)
124. E. Trost, Solution of Problem E 2332. Am. Math. Monthly 87, p. 77 (1972)
125. L. Tschakaloff, Unmöglichkeitsbeweis der Gleichung $\alpha^5 + \beta^5 = \eta\gamma^5$ im quadratischen
Körper $K(\sqrt{5})$. Tôhoku Math. J. 27, 189–194 (1926)
126. K. Vogel, Vorgriechische Mathematik II. Die Mathematik der Babylonier (Schroedel, Hannover,
1959)
127. K. Vogel (Hrsg.), Neun Bücher arithmetischer Technik (Ostwalds Klassiker der exakten
Naturwissenschaften, Braunschweig, 1968)
128. F. von Schafgotsch, Abhandlung über einige Eigenschaften der Prim- und zusammengeses-
tzten Zahlen, Abhandlung der Böhmischen Gesellschaft der Wissenschaften in Prag (1786),
pp. 123–159
129. L. von Schrutka, Ein Beweis für die Zerlegbarkeit der Primzahlen von der Form 6n + 1 in ein
einfaches und ein dreifaches Quadrat. J. Reine Angew. Math. 140, 252–265 (1911)
130. S. Wagstaff, The Joy of Factoring (AMS, Providence, 2013)
131. A. Wakulicz, On the equation $x^3 + y^3 = 2z^3$. Colloq. Math. 5, 11–15 (1957)
132. A. Weil, Number Theory: An Approach Through History from Hammurapi to Legendre
(Birkhäuser, New York, 1984)
133. A. Widmer, Über die Anzahl der Lösungen gewisser Kongruenzen nach einem
Primzahlmodul, Diss. ETH Zurich, 1919
134. D. Zagier, Zetafunktionen und quadratische Körper (Springer, Berlin, Heidelberg, 1981)
135. Ch. Zeller, Beweis des Reciprocitätsgesetzes für die quadratischen Reste (Monatsber, Berlin,
1872), pp. 846–847
136. G. Zolotareff, Nouvelle démonstration de la loi de réciprocité de Legendre. Nouv. Ann. Math
(2) 11, 354–362 (1872)
Name Index

A Cohn, J.H.E., 187


Aigner, M., 47
Ankeny, N., 175 D
Arendt, G., 23 Davenport, H., 68, 127, 174
Ayoub, R., 231 Dedekind, R., 1, 18, 23, 25, 144
Delaunay, B.N., 205
B Descartes, R., 8
Bachet, C.G., 1, 8, 99 Diophantus, 1, 5, 6
Baker, A., 128, 161 Dirichlet, P.G.L., 23, 26,
Barning, F.J.M., 264 33, 100, 111, 122, 132, 168,
Beck, S., 45 174, 202, 231, 243
Berggren, B., 264 Dodd, F.W., 107
Bernoulli, D., 41
Bézout, É., 99 E
Bhaskara II, 93, 167 Eelkema, D.S.L., 51
Binet, J.P.M., 41 Eisenstein, G., 23, 78, 113, 231, 235
Brahmagupta, 5, 27, 93, 167 Euler, L., 1, 13, 64, 66, 107, 118,
Brouncker, W., 93, 167 167, 195, 248
Evink, T., 251
C
Carcavi, P., 11 F
Cassels, J.W.S., 118, 205, 206 Fermat, P., 1, 5, 10, 93, 116, 118,
Castryck, W., 78 185
Catalan, E., 193 Fibonacci, 41
Cauchy, A.-L., 231 Frénicle, B., 12
Chan, H.H., 72 Frobenius, G., 60, 62, 130
Chebyshev, P., 174
Chemla, K., 5 G
Chowla, S., 175 Gauss, C.F., 1, 22, 76, 77, 107,
Cohn, H., vi, 229 111, 116, 154, 209
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021 337
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate
Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6
338 Name Index

Girard, A., 14 M
Goldbach, Ch., 13 Mersenne, M., 118
Guo, S., 5 Mignotte, M., 319
Mihailescu, P., 193
H Mollin, R., 175
Hadamard, J., 174 Monsky, P., 116, 195
Halter-Koch, F., 175 Monzingo, M.G., 72
Hambleton, S., 51 Mordell, L.J., 205
Hardy, G.H., 107 Motzkin, Th., 126
Harper, M., 127
Hashimoto, K., 72 N
Hasse, H., 128, 175, 249 Nagell, T., 117, 201, 205
Hecke, E., 42 Narayana, 185
Heegner, K., 128, 161 Noether, E., 25, 128
Helminck, A., 251 Nyberg, M., 184
Hermite, 29
Heron, 6 O
Hilbert, D., 111, 112, 212, 246 Opolka, H., 243
Hurwitz, A., 144 Oppenheim, A., 126
Hypatia, 8
P
Pépin, Th., 51, 117
J
Platon, 41
Jacobi, C.G.J., 23, 231
Plemelj, J., 122
Jacobsthal, E., 72
Plofker, K., 93, 167
Jung, H., 26
Ptolemy, 6

K
R
Kronecker, L., 25, 243, 246, 248
Rabinowitsch, J., 130
Kummer, E.E., 1, 23, 26, 33, 221
Regiomontanus, J., 8
Ribenboim, P., 130, 207
L
Lagrange, J.-L., 14, 47, 93, 167
S
Lamé, G., 49
Schafgotsch, F., 186
Langlands, R., 251
Scharaschkin, V., 51
Lebesgue, V.A., 78, 193
Scharlau, W., 243
Legendre, A.-M., 66, 117
Schönemann, Th., 113, 235
Lehmer, D.H., 118, 321
Scholz, A., 68
Leibniz, G.W., 241
von Schrutka, L., 72
Leveque, W.J., 205
Shanks, D., 184
Liouville, J., 49
Shimura, G., 248
Long, L., 72
Siebeck, H., 134
Lucas, É., 118, 187
Name Index 339

Skolem, Th., 205 W


Sommer, J., 107 Wakulicz, A., 195
Stark, H., 128, 161 Wallis, J., 167
Stein, W., 258 Weber, H., 246
Steinitz, E., 32 Weil, A., 1
Stevin, S., 14, 100 Widmer, A., 72
Størmer, 197 Wiles, A., 248
Wolff, A., 21
T Wright, E.M., 107
Taniyama, Y., 248
Terjanian, G., 81 X
Theon of Alexandria, 8 Xylander, G., 8
Theon of Smyrna, 41
Thue, A., 158 Y
Trost, E., 27 Yang, Y., 72
Tschakaloff, L., 122
Z
V Zagier, D., 243
de la Vallée-Poussin, Ch.-J., 174 Zeller, Ch., 89
Vogel, K., 5 Zolotarev, Y.I., 60
Subject Index

A
Algebraic integer, 34
Associated, 93
Automorphism, 32

B
Bézout domain, 99
Bézout property, 100
Binet’s formula, 41, 223, 229, 232, 270

C
Cancellation law, 145
Catalan’s conjecture, 193
Character, 223
  group, 225
  primitive, 225, 226
  sum, 71
Class number, 150
Common divisor, 96
Conductor, 65, 105, 225, 245
Conjugate, 31
Coprime, 97

D
Dedekind domain, 160
Dedekind-Hasse criterion, 128
Degree, 33
Diophantine equation
  $x^2 + y^2 = 2z^2$, 49
  $x^2 + y^2 = z^2$, 1–3, 220
  $x^2 - 2y^2 = 1$, 39
  $x^2 - 3y^2 = 1$, 51
  $x^2 - 4xy + y^2 = 1$, 46
  $x^2 - my^2 = 1$, 167
  $x^2 - xy - y^2 = 1$, 44
  $x^3 + y^3 = z^3$, 116
  $x^3 - y^q = 1$, 206
  $x^4 + y^4 = z^2$, 12
  $x^4 - 2x^2 = 1$, 28
  $x^5 + y^5 = z^5$, 122
  $x^p - y^3 = 1$, 206
  $x^p - y^q = 1$, 193
  $x^{2p} + y^{2p} = z^{2p}$, 81
  $x_1^2 + x_2^2 + x_3^2 = 3x_1x_2x_3$, 46
  $y^2 + 1 = x^m$, 193
  $y^2 = 2x^3 - 1$, 133
  $y^2 = x^3 + 1$, 195
  $y^2 = x^3 + 17$, 28
  $y^2 = x^3 + 3x$, 192
  $y^2 = x^3 + 4$, 133
  $y^2 = x^3 + 7$, 28
  $y^2 = x^3 - 2$, 8, 11, 19
  $y^2 = x^3 - d$, 155, 161, 162
  $y^2 = x^3 - dx$, 28
Dirichlet character, 223

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
F. Lemmermeyer, Quadratic Number Fields, Springer Undergraduate Mathematics Series, https://doi.org/10.1007/978-3-030-78652-6
Dirichlet’s Lemma, 229
Discriminant, 31
  prime, 69, 228
  quadratic number field, 36
  trick, 28
Divisible, 91
Domain, 91
Duplication formula, 10

E
Elliptic curve, 8, 10
Euclidean domain, 97, 100, 126
Euclidean function, 100
Euler polynomial, 130
Euler’s criterion, 56, 110, 111
Euler’s formulas, 43
Exact sequence, 211

F
Fekete polynomial, 231, 235, 236, 243
Fermat equation
  $n = 2p$, 81
  $n = 3$, 116
  $n = 4$, 12
  $n = 4$ in $\mathbb{Z}[i]$, 112
  $n = 5$, 122
Fibonacci numbers, 41
Four Numbers Theorem, 102
Fundamental unit, 170

G
Galois group, 32
Gauss’s Lemma, 57
Gauss sum, 232
  quadratic, 232
G-module, 49
Greatest common divisor, 96

H
Half system, 57
Hilbert’s Theorem 90, 212

I
Ideal class
  ambiguous, 210
  strongly ambiguous, 210
Ideal class group, 148–150
Ideal number, 221
Ideals, 98
  ambiguous, 210
  conjugate, 138
  fractional, 145, 149
  irreducible, 146
  maximal, 146
  norm, 144
  prime, 146
  primitive, 150
  principal, 98, 137
  product, 138
Infinite descent, 13, 116
Integral basis, 35
  normal, 49
Irreducible, 93

J
Jacobi symbol, 59, 61
Jacobsthal sums, 72

K
Kronecker character, 229
Kronecker symbol, 148, 229

L
Legendre symbol, 56
Lemma
  Gauss, 62
  Zolotarev, 61
Lucas-Lehmer test, 121
Lucas numbers, 187

M
Markov’s equation, 47
Maximal order, 36
Mersenne number, 118
Modular form, 250
Modular polynomial, 244
Module, 140
  norm, 142
  rank, 140
  Z-basis, 141

N
Norm, 31
  algebraic number, 52
  of an ideal, 144
Number
  powerful, 52
Number field
  cyclotomic, 228, 235, 245
  modular, 246
  quadratic, 31

O
Order, 36

P
Pell equation, 93, 165
Pell form, 229, 246
  functional equation, 230, 240, 246, 252
Pigeonhole principle, 168, 169, 190
Plane numbers
  similar, 4
Plimpton 322, 1
Polynomial
  cyclotomic, 253
  modular, 244
Prime, 93
Prime discriminant, 70
Prime ideal factorization
  unique, 140
Prime number
  inert, 109, 148
  ramified, 148
  split, 148
Principal ideal, 98
Principal ideal domain, 97, 98, 137
Pythagorean triple, 2, 4, 6, 12, 26
  primitive, 4

Q
Quadratic nonresidue, 56
Quadratic number field, 31
Quadratic reciprocity law, 218
Quadratic residue, 56

R
Reciprocity law, 111
Ring of integers, 35
Root of unity
  primitive, 232

S
Sequence
  exact, 211, 212

T
Theorem
  Kronecker-Weber, 246
  unique factorization, 3, 20, 22, 26
Trace, 31
Tribonacci numbers, 251
Two-Squares Theorem, 14

U
Unique factorization domain, 96
Unit, 92
Unit group, 92

V
Vieta jumping, 45, 51, 278

W
Wieferich pair, 206

Z
Zolotarev symbol, 60
