The proof is based on the exposition in Davenport’s *Multiplicative Number Theory* and requires some understanding of complex analysis.

\(\newcommand{\re}{\operatorname{Re}}\newcommand{\im}{\operatorname{Im}}\)

Fix a finite field \(\mathbb F_q\) with \(q\) elements. Throughout we are only interested in monic polynomials in \(\mathbb F_q[x]\). For such a polynomial \(f\), we define its *norm* to be \(Nf=|\mathbb F_q[x]/(f)|=q^{\deg f}\). We define the *zeta function* for \(\re s>1\) by

\[\zeta_q(s)=\sum_f(Nf)^{-s}\]

(this and the following sums range over monic polynomials). Using multiplicativity of the norm and uniqueness of factorization in \(\mathbb F_q[x]\) we can establish an alternative expression for this zeta function, known as the *Euler product*:

\[\zeta_q(s)=\prod_{p\text{ prime}}(1-(Np)^{-s})^{-1}.\]

It’s easy to give an explicit formula for \(\zeta_q\) (unlike for the standard zeta function or many of its variants), but in order to show off analytic techniques, we will only use the following few facts:

- \(\zeta_q\) can be extended to a meromorphic function on the whole complex plane,
- \(\zeta_q\) is nonzero everywhere and has only simple poles at points \(1+2\pi in/\log q,n\in\mathbb Z\),
- \(\frac{\zeta_q'}{\zeta_q}\) has simple poles with residue \(-1\) at points \(1+2\pi in/\log q,n\in\mathbb Z\) and is holomorphic elsewhere (this follows from the previous two points),
- \(\left|\frac{\zeta_q'(s)}{\zeta_q(s)}\right|\) is bounded when \(|s-\rho|>\varepsilon\) for all poles \(\rho\) of \(\zeta_q\) and any fixed \(\varepsilon\).

For \(\re s>1\) we can find an expression for \(\frac{\zeta_q'}{\zeta_q}\) by taking the natural logarithm (denoted below by \(\log\)) of \(\zeta_q\) and differentiating (for this reason we call \(\frac{\zeta_q'}{\zeta_q}\) the *logarithmic derivative* of \(\zeta_q\)). Skipping the intermediate steps, we get

\[-\frac{\zeta_q'(s)}{\zeta_q(s)}=\sum_{p\text{ prime}}\log Np\cdot\sum_{k=1}^\infty (N(p^k))^{-s}.\]

If we introduce the von Mangoldt function for polynomials, defined by \(\Lambda_q(f)=\log Np\) if \(f=p^k\) for some irreducible \(p\) and \(k\geq 1\), and \(\Lambda_q(f)=0\) otherwise, then we find

\[-\frac{\zeta_q'(s)}{\zeta_q(s)}=\sum_f\Lambda_q(f)(Nf)^{-s}\qquad(*)\]

(note: in my blog post on the Riemann hypothesis I define \(\Lambda_q\) using the logarithm to the base \(q\). This only makes a difference of a factor \(\log q\), and the convention used here makes the formulas simpler. In the last section we’ll get rid of it, though). This formula is the starting point for the analytic arguments which will establish an explicit formula for the partial sums \(\psi_q(x)=\sum_{Nf\leq x}\Lambda_q(f)\), meaning the sum over all polynomials with norm at most \(x\). In fact, it will be more convenient to deal with the modified summatory function \(\widetilde\psi_q(x)=\sum_{Nf\leq x}'\Lambda_q(f)\), where \(\sum'\) indicates that if \(Nf=x\), then we count in only *half* of the \(\Lambda_q(f)\) term.

\(\newcommand{\Res}{\operatorname{Res}}\)

There is a rather simple heuristic argument which works for many Dirichlet series and which shows how the partial sums of an arithmetic function “should” behave asymptotically. We start off with the following integral: for \(c,y\) positive and real we have

\[\frac{1}{2\pi i}\int_{c-i\infty}^{c+i\infty}\frac{y^s}{s}\mathrm ds=\begin{cases}1 & \text{for }y>1,\\ \frac{1}{2} & \text{for }y=1,\\ 0 & \text{for }y<1,\end{cases}\]

where \(\int_{c-i\infty}^{c+i\infty}\) means the limit of line integrals \(\int_{c-iT}^{c+iT}\) as \(T\) goes to infinity. Therefore if we multiply \((*)\) by \(\frac{x^s}{s}\) and integrate from \(2-i\infty\) to \(2+i\infty\), we get (heuristically! we ignore issues with swapping the integral and the sum)

\[\frac{1}{2\pi i}\int_{2-i\infty}^{2+i\infty}-\frac{\zeta_q'(s)}{\zeta_q(s)}\frac{x^s}{s}\mathrm ds=\sum_f\Lambda_q(f)\frac{1}{2\pi i}\int_{2-i\infty}^{2+i\infty}\frac{(x/Nf)^s}{s}\mathrm ds=\widetilde\psi_q(x).\]

Now we move the integration contour — we continuously deform the line \((c-i\infty,c+i\infty)\) from \(c=2\) to \(-\infty\). Right now we use (heuristically) the residue theorem, which says that the only change in the value of the integral is due to the contour passing through a pole of the integrand. If the integral vanishes as \(c\rightarrow-\infty\), this will give us

\[\frac{1}{2\pi i}\int_{2-i\infty}^{2+i\infty}-\frac{\zeta_q'(s)}{\zeta_q(s)}\frac{x^s}{s}\mathrm ds=\sum_z\Res\left(-\frac{\zeta_q'}{\zeta_q}\frac{x^s}{s},z\right).\]

The poles of this function appear exactly at \(s=0\), where the residue is equal to \(-\frac{\zeta_q'(0)}{\zeta_q(0)}\), and at poles of \(\frac{\zeta_q'}{\zeta_q}\). The residue of \(-\frac{\zeta_q'}{\zeta_q}\) itself at each pole \(\rho\) is \(1\), but given that we multiply by \(\frac{x^s}{s}\), the residue is \(\frac{x^\rho}{\rho}\). In the end, taking into account the formula for the poles of \(\zeta_q\), we obtain

\[\widetilde\psi_q(x)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{k=-\infty}^\infty\frac{x^{1+2\pi ik/\log q}}{1+2\pi ik/\log q}.\]

While the argumentation above is not enough to call it a proof, this formula turns out to be fully correct. The following section contains a more formal argument.

Formally deriving the above formula is a bit more work, but still doesn’t require anything beyond basic complex analysis. If someone is satisfied with the above heuristic and is more interested in consequences of this explicit formula, I recommend checking out the next section and returning to this one later.

For any \(x,T\) real positive we consider the integral \(J(x,T)=\frac{1}{2\pi i}\int_{2-iT}^{2+iT}-\frac{\zeta_q'(s)}{\zeta_q(s)}\frac{x^s}{s}\mathrm ds\). If \(T\) doesn’t coincide with the imaginary part of a pole, for any \(U>0\) we can apply the residue theorem to the rectangular contour with vertices \(2-iT,2+iT,-U+iT,-U-iT\) to get that \(J(x,T)\) is equal to the sum of residues, \(-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{|\im\rho|\leq T}\frac{x^\rho}{\rho}\), \(\rho\) ranging over poles, plus the sum of three integrals along the line segments going through \(2-iT,-U-iT,-U+iT,2+iT\). Perturbing \(T\) by a bounded amount (which won’t affect the value as \(T\) goes to infinity, as the integrand goes to zero) we can make it so that the contour is not close to any of the poles (moving, for example, \(T\) to some \((2k+1)\pi/\log q\)). By one of the properties above, \(\left|\frac{\zeta_q'}{\zeta_q}\right|\) is bounded on that contour by some constant \(A\). For \(U\geq T\), we have \(|s|\geq T\) on this contour and \(|x^s|=x^{\re s}\). On the vertical line segment we have \(\re s=-U\), so the integral over this segment can be estimated by

\[\int_{-T}^T A\frac{x^{-U}}{T}\mathrm dt=2Ax^{-U},\]

which goes to zero as \(U\rightarrow\infty\) *provided \(x>1\)* (this is the first and last place where we need that assumption!) and on each of the horizontal segments the integral can be estimated by

\[\int_{-U}^2 A\frac{x^t}{T}\mathrm dt\leq\frac{A}{T}\int_{-\infty}^2x^t\mathrm dt=\frac{A}{T}\frac{x^2}{\log x}.\]

Hence we find \(J(x,T)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{|\im\rho|\leq T}\frac{x^\rho}{\rho}+O(T^{-1}x^2(\log x)^{-1})\) (the error term could be improved by a factor \(x\) if we took, say, \(1+(\log x)^{-1}\) in place of \(2\)).

Now let’s estimate the difference between \(J(x,T)\) and \(\widetilde\psi_q(x)\). For this, we again use the integral \(\frac{1}{2\pi i}\int_{c-i\infty}^{c+i\infty}\frac{y^s}{s}\mathrm ds\) used in the heuristic, but this time we need to know how quickly the integral converges in order to justify uniform convergence. Let

\[I(y,T)=\frac{1}{2\pi i}\int_{c-iT}^{c+iT}\frac{y^s}{s}\mathrm ds,\qquad\delta(y)=\begin{cases}1 &\text{for }y>1,\\ \frac{1}{2} &\text{for }y=1,\\ 0 &\text{for }y<1.\end{cases}\]

Then the following estimate holds, which is proven in Davenport’s book and which I don’t reprove here:

\[|I(y,T)-\delta(y)|<\begin{cases} y^c\min\{1,T^{-1}|\log y|^{-1}\} &\text{for }y\neq 1,\\ cT^{-1} &\text{for }y=1. \end{cases}\]

Note that we have \(\widetilde\psi_q(x)=\sum_f\Lambda_q(f)\delta\left(\frac{Nf}{x}\right)\) and, appealing to uniform convergence for \(\re s>1+\varepsilon\),

\[J(x,T)\stackrel{(*)}{=}\frac{1}{2\pi i}\int_{2-iT}^{2+iT}\left(\sum_f\Lambda_q(f)(Nf)^{-s}\right)\frac{x^s}{s}\mathrm ds=\sum_f\Lambda_q(f)I\left(\frac{Nf}{x},T\right),\]

therefore our goal is to estimate the difference

\[R(x,T)=J(x,T)-\widetilde\psi_q(x)=\sum_f\Lambda_q(f)\left(I\left(\frac{Nf}{x},T\right)-\delta\left(\frac{Nf}{x}\right)\right)\]

and show it goes to zero with \(T\) going to infinity. We have (since \(c=2\) here)

\[|R(x,T)|\leq\sum_{Nf\neq x}\Lambda_q(f)\left(\frac{x}{Nf}\right)^2\min\left\{1,T^{-1}\left|\log\frac{x}{Nf}\right|^{-1}\right\}+2T^{-1}\sum_{Nf=x}\Lambda_q(f).\]

In the last sum, note that \(\Lambda_q(f)\leq\log Nf=\log x\) and, if \(x=q^d\) (so that there even are nonzero terms), the number of terms is at most the number of monic polynomials of degree \(d\), which is \(q^d=Nf=x\); hence this last sum is \(O(T^{-1}x\log x)\).

For \(Nf\) smaller than \(\frac{3}{4}x\) or larger than \(\frac{5}{4}x\), \(\left|\log\frac{x}{Nf}\right|^{-1}=O(1)\), hence the sum over these terms is \(O\left(x^2T^{-1}\sum_f\Lambda_q(f)(Nf)^{-2}\right)=O(x^2T^{-1})\).

Let \(\langle x\rangle\) be the distance between \(x\) and the closest power of \(q\) (distinct from \(x\) if \(x\) happens to be one). Then for any \(f\) with \(Nf\neq x\) we have \(|Nf-x|\geq\langle x\rangle\). Hence we have

\[\left|\log\frac{x}{Nf}\right|=\left|\log\frac{Nf}{x}\right|\geq\left|\log\left(1\pm\frac{\langle x\rangle}{x}\right)\right|\geq\frac{\langle x\rangle}{x},\]

hence the contribution of any \(f\) with \(\frac{3}{4}x\leq Nf\leq\frac{5}{4}x\) to the first sum is, up to a constant, \(\Lambda_q(f)\frac{x}{T\langle x\rangle}=O\left(\frac{x\log x}{T\langle x\rangle}\right)\). There are \(O(x)\) polynomials of such norm, so they contribute \(O\left(\frac{x^2\log x}{T\langle x\rangle}\right)\). In the end, this gives

\[R(x,T)=O\left(\frac{x\log x}{T}\right)+O\left(\frac{x^2}{T}\right)+O\left(\frac{x^2\log x}{T\langle x\rangle}\right)=O\left(\frac{x^2}{T}\max\left\{1,\frac{\log x}{\langle x\rangle}\right\}\right).\]

Finally, we arrive at the equality

\[\widetilde\psi_q(x)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{|\im\rho|\leq T}\frac{x^\rho}{\rho}+O\left(\frac{x^2}{T}\max\left\{1,\frac{\log x}{\langle x\rangle}\right\}\right)\]

for \(x>1\), the sum being over the poles \(\rho\) of \(\zeta_q\). In particular, for a fixed \(x>1\), letting \(T\rightarrow\infty\) we get

\[\widetilde\psi_q(x)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{\rho}\frac{x^\rho}{\rho}=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{k=-\infty}^\infty\frac{x^{1+2\pi ik/\log q}}{1+2\pi ik/\log q}.\]

*phew.*

There are two main reasons why we can’t derive the prime number theorem for polynomials (which one perhaps should call the irreducible polynomial theorem, but it doesn’t have a ring to it) in a manner similar to how one derives the standard PNT from the standard explicit formula (or, more precisely, uniform bounds on its rate of convergence):

- The error bound is horrible, since now we need \(T\) to be noticeably larger than \(x\) to make the error term smaller than the main term, and for \(T\) so large it becomes difficult to estimate the main term. Also, the error term cannot be easily improved, because the terms cluster at norms equal to powers of \(q\).
- The poles lie on the line \(\re s=1\), so \(\left|\frac{x^\rho}{\rho}\right|=\frac{x^{\re\rho}}{|\rho|}=\frac{x}{|\rho|}\), which has the same order of magnitude as the “intended” main term \(x\).

In fact, there have to be some problems here. The reason is that *PNT doesn’t hold in the expected way* — we do *not* have \(\widetilde\psi_q(x)\sim x\). This comes from the fact that the only possible norms are powers of \(q\), so \(\widetilde\psi_q\) is constant between them and the gaps are quite large. However, we can still derive a form of PNT, when we restrict \(x\) to only have the form \(q^n\) for \(n>0\). Indeed, for these \(x\) we have, for a pole \(\rho=1+2\pi ik/\log q\),

\[x^\rho=(q^n)^{1+2\pi ik/\log q}=q^ne^{n\log q\cdot 2\pi ik/\log q}=q^ne^{2\pi ink}=q^n,\]

hence the explicit formula takes the form

\[\widetilde\psi_q(q^n)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+q^n\sum_{k=-\infty}^\infty\frac{1}{1+2\pi ik/\log q}.\]

We can find the sum of the inner series — first we note that, if we pair up terms for \(k\) and \(-k\), we get

\[\frac{1}{1+2\pi ik/\log q}+\frac{1}{1-2\pi ik/\log q}=\frac{2}{1+(2\pi k/\log q)^2},\]

hence this sum is equal to \(1+2\sum_{k=1}^\infty\frac{1}{1+(\pi k/z)^2}\) for \(z=\frac{\log q}{2}\). This series is (equivalent to) a well-known partial fraction formula for hyperbolic cotangent:

\[1+2\sum_{k=1}^\infty\frac{1}{1+(\pi k/z)^2}=z\coth z=z\frac{e^{2z}+1}{e^{2z}-1}=\frac{\log q}{2}\frac{q+1}{q-1}.\]

We can also find the value of the logarithmic derivative at \(0\), which is most easily done using the explicit form of \(\zeta_q\) — omitting the calculations, we find \(\frac{\zeta_q'(0)}{\zeta_q(0)}=\frac{q\log q}{q-1}\). The explicit formula now says

\[\widetilde\psi_q(q^n)=\left(-\frac{q}{q-1}+\frac{q^n}{2}\frac{q+1}{q-1}\right)\log q.\]

Now we translate this to knowledge about the unmodified \(\psi_q\), using the fact \(\widetilde\psi_q(q^n)=\frac{1}{2}(\psi_q(q^{n-1})+\psi_q(q^n))\) for \(n\geq 1\). Note that \(\psi_q(q^0)=\psi_q(1)=0\). For \(n=1\), the explicit formula gives \(\widetilde\psi_q(q)=\frac{q}{2}\log q\), so clearly \(\psi_q(q)=q\log q\). For \(n=2\), we find \(\widetilde\psi_q(q^2)=\left(q+\frac{q^2}{2}\right)\log q\), so \(\psi_q(q^2)=\left(q+q^2\right)\log q\). A pattern slowly emerges — we have, for \(n\geq 0\),

\[\psi_q(q^n)=\log q\sum_{i=1}^nq^i,\]

which is most easily seen by rewriting the explicit formula as

\[\widetilde\psi_q(q^n)=\left(-\frac{q}{q-1}+\frac{q^n}{2}\frac{q+1}{q-1}\right)\log q=\frac{\log q}{2}\left(\frac{q^{n+1}-q}{q-1}+\frac{q^n-q}{q-1}\right)=\frac{\log q}{2}\left(2q+2q^2+\dots+2q^{n-1}+q^n\right)=\frac{\log q}{2}\left(\sum_{i=1}^nq^i+\sum_{i=1}^{n-1}q^i\right)\]

and using induction. From there, it is clear that we have

\[\sum_{\deg f=n}\Lambda_q(f)=\sum_{Nf=q^n}\Lambda_q(f)=q^n\log q.\]

(If we were to use base \(q\) logarithm in the definition of \(\Lambda_q\), we could write this in a very PNT-esque way — for \(x\) a power of \(q\), we would have \(\sum_{Nf=x}\Lambda_q(f)=x\).)

Let’s quickly rethink what this sum really counts — for every irreducible polynomial power \(p^d\) of degree \(n\), i.e. for every irreducible polynomial \(p\) of degree \(\frac{n}{d}\), for any divisor \(d\) of \(n\), we have a term \(\Lambda_q(p^d)=\log Np=\log q^{\deg p}=\log q\deg p\). Putting this into the formula above and getting rid of the \(\log q\) factor, we find

\[\sum_{d\mid n}\sum_{p\text{ prime},\deg p=d}d=q^n.\]

Writing \(c(d)\) for the number of irreducible polynomials of degree \(d\), we get the formula

\[\sum_{d\mid n}dc(d)=q^n.\]

Using Möbius inversion we can get an explicit formula for \(c(n)\) and from there find

\[c(n)=\frac{q^n}{n}+O(q^{n/2}),\]

or, in a more PNT-esque way, when \(x\) is a power of \(q\),

\[\sum_{p\text{ prime},Np=x}1=\frac{x}{\log_qx}+O(\sqrt{x}).\]

Note that we have this nonzero error term, which one might find somewhat worrying, given that formulas up to now have been exact. This is because only counting irreducible polynomials is somewhat “wrong” — what one should do is count powers of these as well, properly weighted. More precisely, a power \(p^k\) should be counted as \(\frac{1}{k}\)-th of an irreducible polynomial. Then the “correct” prime-counting function would be

\[\sum_{k=1}^\infty\sum_{\deg p^k=n}\frac{1}{k}=\sum_{k=1}^\infty\frac{1}{k}c\left(\frac{n}{k}\right).\]

This turns out to be exactly equal to \(\frac{q^n}{n}\), and indeed is just the formula for \(\sum_{d\mid n}dc(d)\) divided by \(n\). Notably, this formula is an analogue of Riemann’s explicit formula. It is possible, but a bit more technically challenging, to derive Riemann’s formula directly, but in the polynomial setting we can derive it from the other explicit formula. To the best of my knowledge, this is not possible directly in the standard setting of natural numbers.
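As an added example (this is not code from the original post), the following Python script checks the identities above by brute force for \(q=p\) prime, so that \(\mathbb F_q=\mathbb Z/p\mathbb Z\): it enumerates monic polynomials, computes \(\Lambda_q\) in units of \(\log q\) (the base-\(q\) convention mentioned earlier), verifies \(\sum_{\deg f=n}\Lambda_q(f)=q^n\) and \(\psi_q(q^n)=\log q\sum_{i=1}^nq^i\), recovers \(c(n)\) by Möbius inversion of \(\sum_{d\mid n}dc(d)=q^n\), and confirms that the weighted count \(\sum_{k\mid n}\frac{1}{k}c(n/k)\) is exactly \(q^n/n\).

```python
from fractions import Fraction
from itertools import product

# Added example (not from the original post). Polynomials over F_p, p prime,
# are coefficient lists with the constant term first ([1, 0, 1] is x^2 + 1);
# Lambda_q is reported in units of log q, i.e. with the base-q convention.

def poly_trim(a):
    """Drop leading zero coefficients; the zero polynomial is [0]."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_divmod(a, b, p):
    """Long division of a by the monic polynomial b over F_p: (quotient, remainder)."""
    a = poly_trim([x % p for x in a])
    b = poly_trim([x % p for x in b])
    db = len(b) - 1
    if len(a) - 1 < db:
        return [0], a
    quot = [0] * (len(a) - db)
    rem = a[:]
    for i in range(len(a) - 1, db - 1, -1):
        coef = rem[i]
        if coef:
            quot[i - db] = coef
            for j in range(db + 1):
                rem[i - db + j] = (rem[i - db + j] - coef * b[j]) % p
    return poly_trim(quot), poly_trim(rem)

def monic_polys(n, p):
    """All monic polynomials of degree n over F_p (there are p^n of them)."""
    for low in product(range(p), repeat=n):
        yield list(low) + [1]

def is_irreducible(f, p):
    """Trial division by every monic polynomial of degree 1..deg(f)/2."""
    n = len(f) - 1
    for d in range(1, n // 2 + 1):
        for g in monic_polys(d, p):
            if poly_divmod(f, g, p)[1] == [0]:
                return False
    return True

def von_mangoldt(f, p):
    """Lambda_q(f)/log q: deg g if f = g^k with g irreducible, else 0."""
    n = len(f) - 1
    for d in range(1, n + 1):
        for g in monic_polys(d, p):
            quot, rem = poly_divmod(f, g, p)
            if rem == [0]:
                # g is the monic divisor of least degree, hence irreducible;
                # f is a prime power iff repeated division by g reaches 1
                while quot != [1]:
                    quot, rem = poly_divmod(quot, g, p)
                    if rem != [0]:
                        return 0
                return d
    return 0

def degree_sum(n, p):
    """sum over deg f = n of Lambda_q(f)/log q; the explicit formula says q^n."""
    return sum(von_mangoldt(f, p) for f in monic_polys(n, p))

def psi(n, p):
    """psi_q(q^n)/log q = sum over deg f <= n; should equal q + q^2 + ... + q^n."""
    return sum(degree_sum(m, p) for m in range(1, n + 1))

def count_irreducible(n, p):
    """c(n): number of monic irreducible polynomials of degree n, by brute force."""
    return sum(1 for f in monic_polys(n, p) if is_irreducible(f, p))

def mobius(n):
    """Moebius function mu(n), by trial division."""
    result, d = 1, 2
    while d * d <= n:
        if n % d == 0:
            n //= d
            if n % d == 0:
                return 0
            result = -result
        d += 1
    return -result if n > 1 else result

def count_irreducible_mobius(n, p):
    """c(n) = (1/n) sum_{d|n} mu(n/d) q^d, Moebius inversion of sum_{d|n} d c(d) = q^n."""
    total = sum(mobius(n // d) * p**d for d in range(1, n + 1) if n % d == 0)
    return total // n

def weighted_count(n, p):
    """The 'correct' count sum_{k|n} c(n/k)/k, which should be exactly q^n/n."""
    return sum(Fraction(count_irreducible(n // k, p), k)
               for k in range(1, n + 1) if n % k == 0)

if __name__ == "__main__":
    for n in range(1, 7):  # q = 2: sum of Lambda, c(n) two ways, weighted count, q^n/n
        print(n, degree_sum(n, 2), count_irreducible(n, 2),
              count_irreducible_mobius(n, 2), weighted_count(n, 2), Fraction(2**n, n))
```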

And we would have gotten away with it, too, if it wasn’t for you meddling nontrivial zeros!

**Proposition:** Let \(A\) be a finite set and let \(B\) be a subset of \(A\). Then \(B\) is finite.

**Proof:** Suppose otherwise, that \(B\) is an infinite subset of \(A\). This means precisely that \(B\) is not an element of the Fréchet filter \(\mathcal F\) in \(A\), hence \(\mathcal F\) is a proper filter on \(A\). Since it’s a proper filter, we can apply the ultrafilter lemma to show that it is contained in some ultrafilter \(\mathcal U\). A standard result states that any ultrafilter containing the Fréchet filter is nonprincipal. So \(\mathcal U\) is a nonprincipal ultrafilter on \(A\). This implies that the Stone-Čech compactification \(\beta A\) is a proper superset of \(A\) (under the standard identification of elements of \(A\) as principal ultrafilters in \(A\)). In particular, by the pigeonhole principle, \(\beta A\) and \(A\) are not bijective.

Now note that \(\beta A\), as a topological space, is the Stone-Čech compactification of \(A\) considered as a topological space with discrete topology. Since \(A,\beta A\) are not bijective, they are surely not homeomorphic as topological spaces. We will reach a contradiction as soon as we show that \(A\) is homeomorphic to its own Stone-Čech compactification.

To show that, we will use the characterization of Stone-Čech compactification as the unique, up to homeomorphism, compact Hausdorff topological space \(X\) containing \(A\) as a subspace and satisfying the universal property: any continuous function \(f:A\rightarrow Y\), where \(Y\) is some compact Hausdorff space, can be uniquely extended to a continuous function \(\widetilde f:X\rightarrow Y\) such that, for all \(a\in A,f(a)=\widetilde f(a)\). We need to verify all these properties.

Compactness: Let \(\displaystyle A\subseteq \bigcup_{i\in I}U_i\), where \(U_i\) are all open. Then for any \(a\in A\) there is an \(i_a\in I\) such that \(a\in U_{i_a}\). Since \(A\) is finite, this gives us a finite set of indices \(i_a,a\in A\) such that \(\displaystyle A\subseteq\bigcup_{a\in A} U_{i_a}\). This gives us a finite subcover of any open cover of \(A\). This means that \(A\) is compact.

Hausdorffness: Let \(a,b\in A\) be two distinct elements. Then \(\{a\},\{b\}\) are open, because we consider \(A\) with the discrete topology. Moreover, these two sets are disjoint, because every element in their intersection would be both \(a\) and \(b\), and these are different. This means precisely that \(A\) is Hausdorff.

Universal property: Let \(f:A\rightarrow Y\) be any continuous function, where \(Y\) is compact and Hausdorff. We define \(\widetilde f:A\rightarrow Y\) by \(\widetilde f(a)=f(a)\) for every \(a\in A\). Then for every \(a\in A\) we have \(f(a)=\widetilde f(a)\). Moreover, for any open set \(U\subseteq Y\) we have \(\widetilde f^{-1}(U)=f^{-1}(U)\), which is open, since \(f\) is continuous by assumption, so \(\widetilde f\) is continuous. We have shown existence, so we only need to confirm uniqueness. Suppose \(\widetilde{\widetilde f}\) is another such function. In particular, for all \(a\in A, \widetilde{\widetilde f}(a)=f(a)=\widetilde f(a)\). This means that \(\widetilde{\widetilde f}=\widetilde f\), as we wanted.

So we have a contradiction. Hence \(B\) is finite. \(\square\)

**Thue’s theorem:** Suppose \(f(x,y)=a_0x^n+a_1x^{n-1}y+\dots+a_ny^n\) is a binary form which has degree \(n\geq 3\), is irreducible (i.e. \(f(x,1)\) is an irreducible polynomial in \(x\)) and \(f(x,1)\) has at least one nonreal root in \(\mathbb C\). Then for any nonzero integer \(c\) the equation \(f(x,y)=c\) has only finitely many integral solutions.

**Proof:** Suppose otherwise…

First of all, we may suppose \(a_0=1\), for otherwise, we replace \(f(x,y)\) with \(a_0^{n-1}f(\frac{1}{a_0}x,y)\), which still has integer coefficients. Write

\(f(x,1)=(x+\theta_1)(x+\theta_2)\dots(x+\theta_n)\).

The numbers \(\theta_1,\dots,\theta_n\) are all conjugates of \(\theta=\theta_1\), since we assumed \(f(x,1)\) is irreducible. It’s then easy to see

\(f(x,y)=(x+y\theta_1)(x+y\theta_2)\dots(x+y\theta_n)=N(x+y\theta) \qquad (1)\)

where \(N\) is the norm of the field \(k=\mathbb Q(\theta)\). Also put \(K=\mathbb Q(\theta_1,\dots,\theta_n)\). Hence we are interested in the solutions of \(N(\alpha)=c\), where \(\alpha\) is in the module (i.e. the additive subgroup) \(M\) generated by \(1,\theta\). Extend this two-element set to a basis \(\mu_1=1,\mu_2=\theta,\mu_3,\dots,\mu_n\) of \(k\) and denote by \(\overline{M}\) the module generated by these. To recover the elements of \(M\) among these, we use the dual basis, i.e. elements \(\mu_1^*,\dots,\mu_n^*\) such that \(T(\mu_i\mu_j^*)=0\) for \(i\neq j\) and \(T(\mu_i\mu_i^*)=1\). The trace of \(\alpha\mu_i^*\) then recovers the coefficient of \(\mu_i\) in \(\alpha\), hence we want

\(T(\alpha\mu_i^*)=0\) for \(i=3,\dots,n\).

A general result (Theorem 1, Section 5.2, Chapter 2 in Borevich-Shafarevich, slightly rephrased) about elements of fixed norm in a module states the following.

**Theorem 1:** For a module \(\overline{M}\) of rank \(n\) in a field \(k\) of degree \(n\) there are elements \(\gamma_1,\dots,\gamma_k\in\overline{M}\) and \(\varepsilon_1,\dots,\varepsilon_r\in k\) such that every solution of \(N(\alpha)=c,\alpha\in\overline{M}\) can be uniquely written as

\(\alpha=\gamma_a\varepsilon_1^{u_1}\dots\varepsilon_r^{u_r}\).

Moreover, \(r=s+t-1\), where \(s\) is the number of real embeddings of \(k\) into \(\mathbb C\) and \(2t\) is the number of complex embeddings.

Therefore \(\alpha\) as above is in \(M\) if it satisfies the system of equations

\(T(\gamma_a\mu_i^*\varepsilon_1^{u_1}\dots\varepsilon_r^{u_r})=0\) for \(i=3,\dots,n\).

Since we assume there are infinitely many \(\alpha\) solving the above system, and \(\gamma_a\) ranges over a finite set, we can choose one of the \(\gamma\) such that infinitely many solutions of the above have \(\gamma_a=\gamma\). We can now write this system as

\(\displaystyle\sum_{j=1}^n\sigma_j(\gamma\mu_i^*)\sigma_j(\varepsilon_1)^{u_1}\dots\sigma_j(\varepsilon_r)^{u_r}=0\) for \(i=3,\dots,n\qquad (2)\),

where \(\sigma_j\) are embeddings of \(k\) into \(K\) ordered so that \(\sigma_j(\theta)=\theta_j\).

So now we want to derive a contradiction from the assumption that \((2)\) has infinitely many solutions in integers \(u_1,\dots,u_r\).

The idea now is to prove that \((2)\) not only has finitely many integral solutions, but it has finitely many solutions in \(\frak P\)-adic integers, where \(\frak P\) is some prime of \(K\). More precisely, we take any prime (= prime ideal in the ring of integers) \(\frak P\) and the corresponding valuation \(\nu=\nu_{\frak P}\). Then we construct the completion \(K_{\frak P}\) of \(K\) with respect to this valuation. By a “\(\frak P\)-adic number” we mean any element of \(K_{\frak P}\), and ones with nonnegative valuations are going to be called “\(\frak P\)-adic integers”.

We now want to make sense of the equations \((2)\) for \(u_i\) not necessarily integers, but also \(\frak P\)-adic integers. The problem reduces to making sense of \(a^b\) for \(a\) a fixed \(\frak P\)-adic number and \(b\) a \(\frak P\)-adic integer, which is meant to vary. For this, we employ the exponential and logarithmic functions: we will write \(a^b=\exp(b\log a)\). \(\exp\) and \(\log\) are defined using their power series:

\(\displaystyle\exp x=\sum_{n=0}^\infty\frac{x^n}{n!}\),

\(\displaystyle\log(1+x)=\sum_{n=1}^\infty(-1)^{n+1}\frac{x^n}{n}\).

These two functions are each other’s inverses, that is,

\(\exp\log(1+x)=1+x,\log\exp x=x\).

There are many ways to justify this, the most straightforward one being that we know these equalities hold for complex numbers, hence they are formal equalities of power series, hence they must also hold for \(\frak P\)-adic numbers. However, these functions are not defined everywhere. Nevertheless, they can be shown to have positive radius of convergence. More precisely:

**Lemma 1:** There is a rational integer \(\kappa\) such that both \(\exp x\) and \(\log(1+x)\) are defined for \(\nu(x)\geq\kappa\). Moreover, \(\nu(\log(1+x))\geq\kappa\), so \((1+x)^b=\exp(b\log(1+x))\) is defined for any \(\frak P\)-adic integer \(b\).

Unfortunately, there is no reason to expect the numbers \(\varepsilon_i\) to suit our purposes. However, we can change them so that this is the case. First of all, we may suppose that \(\frak P\) is such that all of \(\sigma_j(\varepsilon_i)\) have valuation zero (there are finitely many of these numbers, and they have nonzero valuation only with respect to finitely many prime ideals). Now we look at reduction modulo \(\frak P^\kappa\) (or, more precisely, modulo any element with valuation \(\kappa\)). The quotient ring is finite, say it’s of size \(d\). Then \(\varepsilon_i^d\) is always congruent to \(1\) modulo \(\frak P^\kappa\), i.e. \(\varepsilon_i^d=1+x\) for \(x\) of valuation at least \(\kappa\).

Moreover, we can replace the set of \(\gamma_i\) by products of \(\gamma_i\) and suitable powers of \(\varepsilon_i\); we only need to multiply by powers between \(0\) and \(d-1\). To avoid introducing more notation, we will just assume that \(\varepsilon_i\), and hence also \(\sigma_j(\varepsilon_i)\), are of the form which allows us to speak of their exponential functions.

The exponential function on \(\frak P\)-adic numbers satisfies all the familiar properties. Thanks to this, equations \((2)\) can be rewritten as

\(\displaystyle\sum_{j=1}^nA_{ij}\exp L_j(u_1,\dots,u_r)=0\) for \(i=3,\dots,n,\qquad (3)\)

where \(A_{ij}=\sigma_j(\gamma\mu_i^*)\) and \(L_j(u_1,\dots,u_r)=\displaystyle\sum_{k=1}^ru_k\log\sigma_j(\varepsilon_k)\). Note that the involved functions are all continuous functions of \(u_k\).

Now we use the fact that \(\frak P\)-adic integers are compact (under the topology induced by the valuation). Since we assumed \((3)\) has infinitely many (\(\frak P\)-adic) integral solutions, there must be a subsequence of these solutions which converges to some tuple \((u_1^*,\dots,u_r^*)\). By continuity, this tuple constitutes another solution to \((3)\). By a change of variables \(v_i=u_i-u_i^*\), we get a system of equations

\(\displaystyle\sum_{j=1}^nA_{ij}^*\exp L_j(v_1,\dots,v_r)=0\) for \(i=3,\dots,n,\qquad (4)\)

where \(A_{ij}^*=A_{ij}\exp L_j(u_1^*,\dots,u_r^*)\), which by the above has a sequence of solutions converging to the origin. We point out at this point that the equations in \((4)\) are linearly independent, i.e. the matrix \((A_{ij}^*)\) of coefficients has rank \(n-2\). This is because \(A_{ij}^*\) is the product of \(\exp L_j(u_1^*,\dots,u_r^*)\sigma_j(\gamma)\) and \(\sigma_j(\mu_i^*)\), and the matrix of all \(\sigma_j(\mu_i^*)\) is invertible, as the square of its determinant is the discriminant of a linearly independent tuple, hence is nonzero.

We consider the *local analytic manifold* \(V\) of \((4)\), i.e. the set of solutions of this system in some small neighbourhood of the origin. By the assumption on the sequence of solutions converging to the origin, this manifold consists of more than one point. Hence, by a general theorem, it must contain an *analytic curve* – there is a system of \(r\) (formal) power series \(\omega_1(t),\dots,\omega_r(t)\), not all identically zero and all with no constant term, which, plugged in for \(v_k\), satisfy \((4)\). Equivalently, if we put \(P_j(t)=L_j(\omega_1(t),\dots,\omega_r(t))\), we get

\(\displaystyle\sum_{j=1}^nA_{ij}^*\exp P_j(t)=0\) for \(i=3,\dots,n, \qquad (5)\)

where \(P_j(t)\) are power series with no constant terms.

We have the system \((5)\) of equations involving (exponentials of) \(P_j(t)\). However, \(P_j(t)\) are also linear combinations of \(r\) power series. Therefore, by linear algebra, we can find a system of \(n-r\) independent linear equations

\(\displaystyle\sum_{j=1}^nB_{ij}P_j(t)=0\) for \(i=1,\dots,n-r\qquad (6)\)

satisfied by these power series. We will now use the assumption we haven’t used yet: that \(f(x,1)\) has a complex root. Recall this implies the field \(k\) has at least one complex embedding, i.e. \(t\geq 1\) (see statement of theorem 1). Therefore \(n-r=s+2t-s-t+1=t+1\geq 2\). Using \((5)\) and \((6)\) we can therefore use the following lemma:

**Lemma 2:** Suppose formal power series (over some field of characteristic zero) \(P_1(t),\dots,P_n(t)\) with no constant term satisfy a system of \(n-2\) equations of the form

\(\displaystyle\sum_{j=1}^nA_{ij}^*\exp P_j(t)=0\)

and also a system of two equations of the form

\(\displaystyle\sum_{j=1}^nB_{ij}P_j(t)=0\).

Then \(P_j(t)=P_k(t)\) for some \(j\neq k\).

Before we provide a proof of this lemma, we will show why it helps us complete the proof. Recalling the definition of \(P_j(t)\), this implies that any analytic curve contained in the manifold \(V\) is also contained in the manifold \(W\) defined by the equation

\(\displaystyle\prod_{1\leq j<k\leq n}(L_j(v_1,\dots,v_r)-L_k(v_1,\dots,v_r))=0\).

It follows (though not immediately) that \(V\subseteq W\). We will obtain a contradiction as soon as we deduce that \(W\) contains only finitely many points \((v_1,\dots,v_r)\) corresponding to the solutions of \((3)\), since we assumed that \(V\) contains infinitely many such points. Equivalently, since the product in the definition of \(W\) consists of finitely many terms, we need to show only finitely many tuples can satisfy

\(L_j(v_1,\dots,v_r)=L_k(v_1,\dots,v_r)\)

for \(j\neq k\).

Let \((u_1,\dots,u_r)\) be a solution of \((3)\) coming from \(\alpha=x+y\theta,x,y\in\mathbb Q\), and \(u_i=u_i^*+v_i\). We have

\(\sigma_j(\alpha)=\sigma_j(\gamma)\sigma_j(\varepsilon_1)^{u_1}\dots\sigma_j(\varepsilon_r)^{u_r}=\sigma_j(\gamma)\sigma_j(\varepsilon_1)^{u_1^*}\dots\sigma_j(\varepsilon_r)^{u_r^*}\sigma_j(\varepsilon_1)^{v_1}\dots\sigma_j(\varepsilon_r)^{v_r}\)

\(=c_j\exp L_j(v_1,\dots,v_r)\)

where \(c_j\) is a constant independent of \(\alpha\). Similarly,

\(\sigma_k(\alpha)=c_k\exp L_k(v_1,\dots,v_r)\).

Assuming \(L_j(v_1,\dots,v_r)=L_k(v_1,\dots,v_r)\), this implies

\(\displaystyle\frac{\sigma_j(\alpha)}{c_j}=\frac{\sigma_k(\alpha)}{c_k},\frac{\sigma_j(\alpha)}{\sigma_k(\alpha)}=\frac{c_j}{c_k}\).

Taking \(\alpha’=x’+y’\theta\) to be a different such solution, this implies

\(\displaystyle\frac{\sigma_j(\alpha)}{\sigma_k(\alpha)}=\frac{\sigma_j(\alpha’)}{\sigma_k(\alpha’)},\frac{x+y\theta_j}{x+y\theta_k}=\frac{x’+y’\theta_j}{x’+y’\theta_k}\)

and hence \((xy’-x’y)(\theta_j-\theta_k)=0\) and \(xy’=x’y,\frac{x}{x’}=\frac{y}{y’}\) (\(x’,y’\) can’t be both zero, so neither can be). It follows that \(\alpha’\) is a rational multiple of \(\alpha\), say \(\alpha’=d\alpha\). But recall that \(\alpha,\alpha’\) have the same norm, so \(d\) has norm \(1\), hence it is \(\pm 1\). Therefore \(\alpha,\alpha’\) are equal or opposite. Hence there are only two possible values of \(\alpha\), which is certainly a finite amount! As explained above, this gives us a contradiction. \(\square\)

Since the \(n\) power series \(\exp P_j\) satisfy \(n-2\) independent linear equations, we can express all of them in terms of just two, say \(\exp P_{n-1}\) and \(\exp P_n\). Put

\(\exp P_i=a_i\exp P_{n-1}+b_i\exp P_n\qquad (7)\).

Suppose \(a_i=0\). Then \(\exp P_i\) and \(b_i\exp P_n\) are equal. They have constant terms equal to, respectively, \(1,b_i\) since \(P_i\) have no constant term, so \(\exp P_i=\exp P_n\) and we can deduce from this (computing coefficients one-by-one) that \(P_i=P_n\). Hence we may assume \(a_i\neq 0\) (as otherwise we are already done). Putting \(Q_i=P_i-P_n\) we then have

\(\exp Q_i=a_i\exp Q_{n-1}+b_i\)

and we may also assume \(Q_i\) are nonzero. Differentiation gives

\(Q_i’\exp Q_i=a_iQ_{n-1}’\exp Q_{n-1}\).

Previous two equations combined give

\(\displaystyle Q_i’=Q_{n-1}’\exp Q_{n-1}\frac{1}{c_i+\exp Q_{n-1}}\qquad (8)\)

with \(c_i=\frac{b_i}{a_i}\) for \(i=1,\dots,n-2\). We now use the other pair of assumed equations. By subtracting suitable multiples of \(P_n\) from them we find

\(\displaystyle\sum_{j=1}^{n-1} B_{ij}Q_j=k_iP_n\) for \(i=1,2\).

If either \(k_i\) is zero, this gives us a nontrivial linear relation between \(Q_j\). Otherwise, subtracting suitable multiples and using independence we again get a nontrivial linear relation. In either case, we get

\(\displaystyle\sum_{j=1}^{n-1}d_jQ_j=0\)

for \(d_i\) not all zero. Differentiation and \((8)\) give us

\(Q_{n-1}’\exp Q_{n-1}\left(\displaystyle\sum_{i=1}^{n-2}\frac{d_i}{c_i+\exp Q_{n-1}}+\frac{d_{n-1}}{\exp Q_{n-1}}\right)=Q_{n-1}’\exp Q_{n-1}\left(\sum_{i=1}^{n-1}\frac{d_i}{c_i+\exp Q_{n-1}}\right)=0\)

(setting \(c_{n-1}=0\)). As \(Q_{n-1}’,\exp Q_{n-1}\neq 0\) we deduce

\(\displaystyle\sum_{i=1}^{n-1}\frac{d_i}{c_i+\exp Q_{n-1}}=0\).

Hence we get that the rational function

\(\displaystyle\sum_{i=1}^{n-1}\frac{d_i}{c_i+z}\)

vanishes when we put \(z=\exp Q_{n-1}\). Unless this rational function vanishes identically, this would make \(\exp Q_{n-1}\) a root of a nonzero polynomial with constant coefficients, i.e. algebraic over its field of coefficients. But a power series over a field which is a root of such a polynomial must be constant (the ring of power series is an integral domain), which is impossible as \(Q_{n-1}\neq 0\). Thus this rational function is identically zero. This means that some two \(c_i\) are equal (otherwise the function would have a pole at \(z=-c_i\) for any \(c_i\) with \(d_i\neq 0\)). Therefore \(c_j=c_k\) for some \(j\neq k\).

Since \(\frac{b_j}{a_j}=c_j=c_k=\frac{b_k}{a_k}\), \((7)\) gives us

\(\frac{1}{a_j}\exp P_j=\frac{1}{a_k}\exp P_k\).

Comparing constant coefficients and then other coefficients, we get \(P_j=P_k\) with \(j\neq k\). \(\square\)

The proof goes roughly as follows:

- Suppose otherwise.
- Using (a variation of) Dirichlet’s unit theorem and general results on modules, reduce the problem to showing finiteness of certain exponential equation in many variables.
- Generalize the context of the question to \(\frak P\)-adic-analytic setting so that we can speak of exponentials of (some) non-rational-integers.
- Using some difficult words like “local analytic manifold” reduce (a big part of) the problem to (essentially) showing it cannot contain an analytic curve.
- Use a fancy lemma to deduce the manifold is too algebraically constrained to contain infinitely many integral points.
- Write an ultrabrief summary.

Clearly two of these steps are (arguably) the most ingenious and crucial ones: passing from a number field to its completion, and then reducing the problem to an analogous problem in the functional setting (i.e. statements of the form “there is no formal power series such that…”). Both complete fields (called more precisely *local fields*) and functional questions have many times in mathematics proven themselves to be much easier to work with than number fields. The former’s advantage is mainly the ability to use analytic tools (and difficult words), while in the functional setting we have an incredibly useful tool: differentiation.

You can see the simplicity of working in the functional setting e.g. in the proof of the Riemann hypothesis for function fields. In the future I will probably make more posts showcasing local methods like this one, possibly less difficult ones (or perhaps more).

Throughout, by a “ring” we will mean an integral domain, i.e. a commutative ring with unity without zero divisors.

Let \( R\) be an arbitrary ring. Recall that we call an element \( r\in R\) *irreducible* if \( r\) is not zero, not a unit and whenever we write \( r=ab\) with \( a,b\in R\), then one of \( a,b\) is a unit. We say that \( R\) *has unique factorization*, or that it is a *unique factorization domain* (UFD), if every nonzero element of \( R\) can be written as a product of a unit and some number of irreducible elements, and this expression is unique up to ordering and unit multiples, i.e. whenever we have \( u_1r_1\dots r_n = u_2q_1\dots q_m\) with \( u_1,u_2\) units and \( r_1,\dots,r_n,q_1,\dots,q_m\) irreducibles, then \( n=m\) and there is a bijection between the \( r_i\) and the \( q_j\) which maps each \( r_i\) to a unit multiple of it.

In general, there is little to no reason to expect \( R\) is a UFD. A famous example of a ring which doesn’t have unique factorization is \( \mathbb Z[\sqrt{-5}]\) – \( 2\cdot 3=(1+\sqrt{-5})(1-\sqrt{-5})\) can be verified to be an example of nonunique factorization as defined above.
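As an added worked check, not part of the original post, that this really is a nonunique factorization: the norm \( N(a+b\sqrt{-5})=a^2+5b^2\) is multiplicative, and

\[ N(2)=4,\qquad N(3)=9,\qquad N(1\pm\sqrt{-5})=6. \]

A proper (non-unit) factor of any of these four elements would have norm \( 2\) or \( 3\), but \( a^2+5b^2\in\{2,3\}\) has no integer solutions, so all four are irreducible. The units of \( \mathbb Z[\sqrt{-5}]\) are the elements of norm \( 1\), i.e. \( \pm 1\), so \( 2\) is not a unit multiple of \( 1\pm\sqrt{-5}\) (their norms differ); hence the two factorizations of \( 6\) are not related by reordering and unit multiples.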

Unique factorization is a very useful tool. For example, in a UFD, if a product \( ab\) of relatively prime elements is a perfect \( n\)th power, then, up to unit multiples, both \( a\) and \( b\) are \( n\)th powers as well. Hence we would like to have something in the spirit of unique factorization available in a greater range of rings. Is that possible?

An idea to salvage rings which are not UFDs is to somehow *embed* the elements of the ring in some larger structure in which unique factorization does hold. At the same time, it would be desirable for it to have as little redundancy as possible.

Because at this point we are interested only in unique factorization, which is a purely multiplicative property of a ring, we will only require this larger structure to have multiplication. Also, for convenience, we will ignore the zero element – its multiplicative behaviour is perfectly well understood anyway.

Our “dream structure” would then be a so called *commutative semigroup* (which differs from a (commutative) group in that we don’t require inverses) \( \mathcal R\), into which the semigroup \( R\setminus\{0\}\) would be mapped. There is an obvious way in which we can define divisibility in \( \mathcal R\), and we can speak of elements of \( \mathcal R\) dividing elements of \( R\). Because of that, the elements of \( \mathcal R\) are called *divisors* of \( R\). We will denote the divisor corresponding to \( a\in R\setminus\{0\}\) by \( (a)\) and we will call such divisors *principal*.

Here are two properties we will want this mapping to satisfy: first, we want multiplication to be preserved, i.e. \( (a)(b)=(ab)\) (that is, we require it to be a *homomorphism* of semigroups), and we will want divisibility (and indivisibility) to be preserved, i.e. \( a\) divides \( b\) in \( R\) iff \( (a)\) divides \( (b)\) in \( \mathcal R\). The first of these properties implies \( (1)\) is a multiplicative identity when it comes to multiplying by \( (a)\). We want it to be the multiplicative identity in the whole semigroup.

Any divisor \( \frak a\) of \( R\) induces a subset of \( R\setminus\{0\}\), namely the set of elements it divides, which we will denote by \( \overline{\frak a}\). In \( R\), if \( a\) and \( b\) are divisible by \( c\), then so are \( a+b\) and \( a-b\). With notation above, this can be phrased as: \( \overline{(c)}\) is closed under addition and subtraction. This property shall be required for all divisors: \( \overline{\frak a}\) is closed under addition and subtraction.

One more property is that we will want a divisor \( \frak a\) to be completely characterized by \( \overline{\frak a}\) (so that we don’t have any redundant divisors). That is, we want \( \frak a\neq\frak b\) to imply \( \overline{\frak a}\neq\overline{\frak b}\). This has one more effect – unit multiples in \( R\) are being ignored. Indeed, one can now verify that \( (a)=(b)\) iff \( a\) and \( b\) are unit multiples of each other. Thanks to this, it is particularly easy to state unique factorization, in a way akin to \( \mathbb Z\): first define a prime divisor to be a divisor \( \frak p\) such that, whenever represented as a product of two divisors, one of them is the unit \( (1)\). Then we can state unique factorization as: Every divisor \( \frak a\) can be represented as a product \( \frak p_1\dots\frak p_n\) in a unique way up to a permutation of factors. Using more difficult words, this means that \( \mathcal R\) is a free commutative semigroup generated by the prime divisors \( \frak p\).

To sum up, we will define a *theory of divisors* for a ring \( R\) to be a free commutative semigroup \( \mathcal R\) together with a semigroup homomorphism \( R\setminus\{0\}\rightarrow\mathcal R,a\mapsto (a)\) such that:

- for \( a,b\in R\setminus\{0\}\), \( a\) divides \( b\) in \( R\) iff \( (a)\) divides \( (b)\) in \( \mathcal R\),
- if \( a,b\in R\setminus\{0\}\) are divisible by a divisor \( \frak a\), then so are \( a+b,a-b\) (provided they are in \( R\setminus\{0\}\)), and
- if \( \overline{\frak a}=\overline{\frak b}\), then \( \frak a=\frak b\) for all divisors \( \frak a,\frak b\).

It is far from clear whether a theory of divisors exists for a given ring or not, and if so, whether it is (“essentially”) unique. The latter of these questions turns out to be relatively easy to answer – a theory of divisors, if it exists, is unique. More precisely, if we have two theories of divisors, \( \mathcal R_1\) together with a map \( a\mapsto (a)_1\) and \( \mathcal R_2\) together with a map \( a\mapsto (a)_2\), then there is an isomorphism of these two semigroups sending \( (a)_1\) to \( (a)_2\). We now sketch the proof of this fact.

Let \( \frak p\in\mathcal R_1\) be prime. We shall show there is a prime divisor \( \frak p’\in\mathcal R_2\) such that \( \overline{\frak p’}\subseteq\overline{\frak p}\) (here \( \overline{\frak p},\overline{\frak p’}\) are the sets of elements divisible by \( \frak p,\frak p’\) in the respective theories of divisors). Suppose that there is no such prime divisor. Choose any \( \beta\) divisible by \( \frak p\). Factor \( (\beta)_2\) as \( \frak p_1^{k_1}\dots\frak p_r^{k_r}\) in \( \mathcal R_2\). Choose \( \beta_i\in\overline{\frak p_i}\setminus\overline{\frak p}\). Then \( \beta_1^{k_1}\dots\beta_r^{k_r}\) is divisible by \( \beta\) (in \( R\), by property 1), but not by \( \frak p\) (as \( \frak p\) is prime and divides none of the \( \beta_i\)), which is a contradiction.

Similarly, there is a prime \( \frak q\in\mathcal R_1\) such that \( \overline{\frak q}\subset\overline{\frak p’}\subseteq\overline{\frak p}\). We now claim \( \overline{\frak q}=\overline{\frak p}\). Otherwise, choosing \( \alpha\) divisible by \( \frak q\) but not \( \frak{pq}\), we would have \( \alpha\in\overline{\frak q}\setminus\overline{\frak p}\). Hence \( \overline{\frak p}=\overline{\frak p’}\).

Matching \( \frak p\in\mathcal R_1\) with \( \frak p’\in\mathcal R_2\) such that \( \overline{\frak p}=\overline{\frak p’}\) gives a bijection between prime divisors in both theories, which we easily extend multiplicatively to an isomorphism. We just need to check it preserves principal divisors. To avoid technical details, we omit this part of the proof.

Unique factorization in \( \mathcal R\) can be also stated in the following way: for any divisor \( \frak a\) there are uniquely defined integers \( \nu_{\frak p}(\frak a)\) for each prime divisor \( \frak p\) such that

\( \displaystyle\frak a=\prod_{\frak p}\frak p^{\nu_{\frak p}(\frak a)}\).

We can also define functions \(\nu_{\frak p}\) on \( R\setminus\{0\}\) by \( \nu_{\frak p}(a)=\nu_{\frak p}((a))\). By defining \( \nu_{\frak p}(a/b)=\nu_{\frak p}(a)-\nu_{\frak p}(b)\) and checking this function is well-defined, we can extend it to the field of fractions \( K\) of \( R\) with zero excluded. This function now has the following properties:

- the image of \( K\setminus\{0\}\) under \( \nu_{\frak p}\) is \( \mathbb Z\)
- \( \nu_{\frak p}(ab)=\nu_{\frak p}(a)+\nu_{\frak p}(b)\), and
- \( \nu_{\frak p}(a+b)\geq\min\{\nu_{\frak p}(a),\nu_{\frak p}(b)\}\), with equality if \( \nu_{\frak p}(a)\neq\nu_{\frak p}(b)\).

For properties 2, 3 it is easy to verify them for \( R\setminus\{0\}\), and then extend them to \( K\setminus\{0\}\). A function with these three properties is called a *valuation*. It is customary to additionally define \( \nu_{\frak p}(0)=\infty\), so that these properties still hold on all of \( K\).

No two valuations \( \nu_{\frak p},\nu_{\frak q}\) are the same for distinct \( \frak p,\frak q\). Hence the prime divisors can be identified with a subset \( V\) of the set of valuations on \( K\). The set of valuations corresponding to these divisors further satisfies the following properties:

- for a fixed \( a\in K\setminus\{0\}\), \( \nu(a)=0\) for all but finitely many \( \nu\in V\),
- for \( a\in K\), \( a\in R\) iff \( \nu(a)\geq 0\) for all \( \nu\in V\), and
- for any \( \nu_1,\dots,\nu_m\in V\) and nonnegative integers \( k_1,\dots,k_m\) there is \( a\in R\) such that \( \nu_i(a)=k_i\).

Property 1 is clear. For property 2, write \( a=b/c, b,c\in R\setminus\{0\}\) and note that this property is then equivalent to \( \nu_{\frak p}(b)\geq\nu_{\frak p}(c)\) for all prime divisors \( \frak p\) iff \( c\mid b\), which is easy to see (recall property 1 in the definition of theory of divisors). For property 3, consider valuations corresponding to prime divisors \( \frak p_1,\dots,\frak p_m\). Consider \( a_i\in\overline{\frak p_1^{k_1+1}\dots\frak p_i^{k_i}\dots\frak p_m^{k_m+1}}\setminus\overline{\frak p_1^{k_1+1}\dots\frak p_i^{k_i+1}\dots\frak p_m^{k_m+1}}\). Then \( a=a_1+\dots+a_m\) has the desired properties.

It is not hard to show the converse: if the set \( V\) of valuations on a field \( K\) satisfies the mentioned three properties, then \( R\) has a theory of divisors which then gives rise to \( V\) when considering valuations corresponding to its prime divisors. For that reason, the search for theories of divisors is reduced to a search for certain sets of valuations. As it won’t cause confusion, we will call \( V\) a theory of divisors as well.

We give, somewhat belatedly, an example of theory of divisors. Suppose \( R\) is a UFD. Because of units, we can’t just take \( \mathcal R\) to be \( R\setminus\{0\}\). Instead, for \( a\in R\setminus\{0\}\), we define \( (a)\) to be the set of all its unit multiples, and take \( \mathcal R\) to be the set of all such sets. Already the notation suggests the mapping \( R\setminus\{0\}\rightarrow\mathcal R\). Since \( R\) is a UFD, it’s not difficult to see this gives us a theory of divisors.

We can also give an example of a ring which does *not* have a theory of divisors. This can be done because every ring with a theory of divisors must be *integrally closed* in its field of fractions \( K\), i.e. suppose \( a\in K\) is a root of a monic polynomial with coefficients in \( R\). Then \( a\in R\). To see why this is true, suppose

\( a^n+d_{n-1}a^{n-1}+\dots+d_1a+d_0=0\)

with \( d_i\in R\). If \( a\not\in R\), there is a valuation \( \nu\in V\) such that \( k=\nu(a)<0\). Then \( \nu(a^n)=kn\) and \( \nu(d_ia^i)\geq \nu(a^i)=ki>kn\). Then, by property 3 in the definition of valuation, it follows that

\( \nu(0)=\nu(a^n+d_{n-1}a^{n-1}+\dots+d_1a+d_0)=\min\{\nu(a^n),\nu(d_{n-1}a^{n-1}),\dots,\nu(d_1a),\nu(d_0)\}=kn\),

which is clearly wrong. This proves \( R\) is integrally closed.

An example of non-integrally closed ring is \( \mathbb Z[\sqrt{-3}]\), since \( \frac{1}{2}+\frac{1}{2}\sqrt{-3}\) is a root of \( x^2-x+1\).

One last useful fact is somewhat of a converse to the first example – we can show that if a ring has a theory of divisors, then it is a UFD, provided the theory of divisors has finitely many prime divisors \( \frak p_1,\dots,\frak p_m\). To see why, just note that there is an element \( \pi_i\in R\) which is divisible by \( \frak p_i\) but not any other \( \frak p_j\), essentially thanks to property 3 of valuations forming a theory of divisors. Using these elements we can replace a factorization into prime divisors by a factorization into \( \pi_i\).

In the next blog post we will establish a number of results regarding extending valuations and theories of divisors to finite field extensions. In particular, we will show any ring of algebraic integers in a number field has a theory of divisors.

The idea behind a language \( L\) lying in the IP complexity class is that we have two parties in a conversation: one of them, the *verifier*, has limited resources, and the other, the *prover*, is all-knowing and not constrained by the resources in any way. In their dialogue, the prover tries to convince the verifier that some string \( w\) lies in \( L\). Afterwards, the verifier declares whether they accept or reject the computation, which means that they did or didn’t get convinced that \( w\in L\).

The first idea for defining a complexity class out of this is as the class of languages such that some prover is able to convince the verifier iff the string truly is in the language, where we require the verifier to be a polynomial-time machine. However, if the verifier is deterministic, this gives us precisely the class NP: since the prover knows precisely what the verifier is going to do with their responses, they could just as well have given all their responses beforehand, from which we infer this class is contained in NP (and conversely, an NP certificate is a one-message proof).

Instead, we let the verifier be *probabilistic* – in the course of the proof, we allow them to get some perfectly random bits, and the course of the computation may proceed differently depending on what they are. Also, to account for the probabilistic nature, we will allow the verifier to make errors, but only with small probability. IP is defined as the class of languages \( L\) such that, for some (polynomial-time) verifier and any string \( w\):

- if \( w\in L\), then some prover makes the verifier accept with probability at least \( 2/3\), and
- if \( w\not\in L\), then there is no prover which makes the verifier accept with probability higher than \( 1/3\).

The exact value of the constants \( 2/3,1/3\) is not important here, as long as they are, respectively, larger than and smaller than \( 1/2\): repeating the calculation a number of times and accepting iff the original verifier would’ve accepted majority of times can put these probabilities at something of order \( 1-2^{-|w|},2^{-|w|}\) or better, which, in practice, would be negligible.

A famous example of a problem which is not known to be in NP, but is known to have an interactive proof protocol, is *graph nonisomorphism*: given two graphs \( G_1,G_2\), decide whether they are *not* isomorphic (note that the graph *isomorphism* problem is rather trivially in NP). One way to convince a verifier they are not isomorphic is as follows: first, we ask them to randomly (and secretly – the prover won’t know the result!) choose one of the graphs \( G_i\), randomly permute its vertices getting an isomorphic graph \( H\), and then present \( H\) to the prover to see whether they can figure out what \( i\) is. If \( G_1\) and \( G_2\) are not isomorphic, then \( H\) is isomorphic to only one of them, so the prover can easily tell which one it’s isomorphic to. On the other hand, if \( G_1\) *is* isomorphic to \( G_2\), the best the prover can do is guess which \( i\) the verifier chose, which will be right with only 50% probability, so repeating the procedure makes it very unlikely for the prover to be right every time.
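As an added example (not code from the original post), here is that protocol simulated in Python on constructed four-vertex graphs; the brute-force isomorphism search stands in for the computationally unbounded prover, and the verifier's coin and relabeling are kept secret from the prover simply by never being passed to it:

```python
"""Graph non-isomorphism interactive proof, simulated.

Added example, not code from the original post. The graphs below are
constructed for illustration; the exhaustive isomorphism test plays the
role of the computationally unbounded prover.
"""
import itertools
import random


def canonical(edges):
    """Undirected edge set as a frozenset of 2-element frozensets (simple graphs)."""
    return frozenset(frozenset(e) for e in edges)


def relabel(edges, perm):
    """Apply the vertex permutation perm (perm[old] = new) to an edge set."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in edges)


def isomorphic(g1, g2, n):
    """Exhaustive search over all n! relabelings; fine for the unbounded prover."""
    target = canonical(g2)
    return any(relabel(g1, perm) == target for perm in itertools.permutations(range(n)))


def prover_identify(h, g1, n):
    """Prover's answer: 1 if H is isomorphic to G_1, else 2.

    If G_1 and G_2 are isomorphic, H is isomorphic to both and this answer is
    right only when the verifier happened to pick i = 1: probability 1/2 per round.
    """
    return 1 if isomorphic(h, g1, n) else 2


def gni_protocol(g1, g2, n, rounds, seed=0):
    """Run the protocol; return how many rounds the prover identified i correctly.

    The verifier accepts 'G_1 and G_2 are non-isomorphic' iff every round is won.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(rounds):
        i = rng.choice((1, 2))            # verifier's secret coin: which graph
        perm = list(range(n))
        rng.shuffle(perm)                 # secret random relabeling
        h = relabel(canonical(g1 if i == 1 else g2), perm)
        if prover_identify(h, g1, n) == i:
            wins += 1
    return wins


# Constructed sample graphs on 4 vertices: a path, a star, and a relabeled path.
PATH = [(0, 1), (1, 2), (2, 3)]
STAR = [(0, 1), (0, 2), (0, 3)]
PATH2 = [(3, 2), (2, 0), (0, 1)]

if __name__ == "__main__":
    print("path vs star :", gni_protocol(PATH, STAR, 4, 16), "of 16 rounds won")
    print("path vs path2:", gni_protocol(PATH, PATH2, 4, 16), "of 16 rounds won")
```

With `PATH` against `STAR` the prover wins every round; with `PATH` against its relabeling `PATH2` it can only win the rounds in which the verifier happened to pick \( i=1\), so over 64 rounds it is caught with all but probability \( 2^{-64}\).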

The result which we are going to prove, that IP is the same as PSPACE, is surprising because it shows that in the context of interactive proofs, adding randomness significantly increases the capabilities of a system (since, at least conjecturally, PSPACE is much larger than NP). This is in contrast to the more standard complexity classes: the probabilistic analogue of P, called BPP, is conjectured to be equal to P.

We shall now begin the proof of Shamir’s theorem.

One of the most important decision problems in PSPACE is the following problem:

**TQBF:** Given a quantified Boolean formula

\( \displaystyle\forall x_1\exists x_2\dots\mathsf{Q} x_n:\varphi(x_1,\dots,x_n)\)

where \( \mathsf Q\) is \( \exists\) or \( \forall\) and \( \varphi\) is an unquantified Boolean formula, decide whether it’s true.

This is the most well-known example of a PSPACE-complete problem. Verifying that it is contained in PSPACE is routine, and amounts to checking that the obvious “brute-force” algorithm works in space polynomial in the size of the input. Its PSPACE-hardness proceeds by a standard argument, which we include for completeness (pun not intended).

Suppose M is a Turing machine which works in polynomial space, say in space bounded by \( p(n)\), where throughout \( n\) is the length of the input. Every configuration of the machine can be described using a sequence of bits of polynomial length, for example by using \( p(n)\) to store the contents of the tape, another \( p(n)\) to indicate which cell the machine is currently reading, and a constant number of bits to store which state machine is in. Until the end of this section, capital letters apart from M will denote configurations of M, and also strings of bits encoding them. This encoding shows that M has at most \( 2^{g(n)}\) configurations for \( g(n)\) polynomial.

We may redesign M slightly so that, once it accepts, it moves to a state we know in advance, e.g. it clears everything on the tape and enters a special state while sitting on the leftmost cell. From this and the above we see there are fixed configurations \( X,Y\) such that M accepts iff M gets from configuration \( X\) to \( Y\) in at most \( 2^{g(n)}\) steps. We shall recursively construct a quantified Boolean formula \( \varphi_i(A,B)\) which is equivalent to “M gets from configuration \( A\) to configuration \( B\) in at most \( 2^i\) steps”.

For \( i=0\), the formula states that \( A=B\) or \( B\) is one computation step ahead of \( A\). It is more tedious than enlightening to show that a formula stating this can be constructed in polynomial time, so we will skip that. For the recursion step, we note that we can reach configuration \( B\) from \( A\) in at most \( 2^{i+1}\) steps iff there is a midpoint configuration \( C\) such that we can get from \( A\) to \( C\) in at most \( 2^i\) steps, and likewise from \( C\) to \( B\). Hence a natural idea is to define

\( \displaystyle\varphi_{i+1}(A,B)=\exists C:\varphi_i(A,C)\land\varphi_i(C,B)\)

(recall \( C\) is treated as a sequence of \( g(n)\) bits, so \( \exists C\) is actually a sequence of \( g(n)\) quantifiers). However, with this idea the length of formulas grows exponentially fast with \( i\), which is bad for us. Instead, we use the following construction:

\( \displaystyle\varphi_{i+1}(A,B)=\exists C\forall P,Q:((P=A\land Q=C)\lor(P=C\land Q=B))\Rightarrow\varphi_i(P,Q)\).

It is straightforward that this construction can be done in polynomial time. Transforming the formula into PNF (prenex normal form, i.e. all quantifiers come before a quantifier-free formula) is routine. This establishes PSPACE-completeness.

This is the central idea of the proof. We transform the quantified Boolean formula into a polynomial which, on Boolean inputs (\( 0,1\)), gives its Boolean truth value. For the innermost, unquantified formula \( \varphi(x_1,\dots,x_n)\), we first apply de Morgan’s rules and other reductions repeatedly until we are left with a formula involving only \( \neg,\land\). Then we note that if formulas \( \varphi_1,\varphi_2\) give polynomials \( f,g\), then \( \varphi_1\land\varphi_2,\neg\varphi_1\) can be represented by \( fg,1-f\) respectively. Applying quantifiers is not difficult either: if \( f\) corresponds to \( \varphi(x_1,\dots,x_n)\), for \( \forall x_n:\varphi(x_1,\dots,x_n)\) we take \( f(x_1,\dots,x_{n-1},0)f(x_1,\dots,x_{n-1},1)\), and for \( \exists x_n:\varphi(x_1,\dots,x_n)\), using de Morgan’s laws, \( 1-(1-f(x_1,\dots,x_{n-1},0))(1-f(x_1,\dots,x_{n-1},1))\). This process is known as the *arithmetization* of the Boolean formula. After arithmetizing a formula with each variable quantified, we get a constant polynomial, and the formula is true iff this constant value is 1.

Unfortunately, because of the quantifiers, this construction leaves us with a polynomial of degree exponential in the length of the formula. To fix this, we *linearize* the polynomial. The idea is simple: the polynomials \( f(x_1,\dots,x_i,\dots,x_n)\) and \( (1-x_i)f(x_1,\dots,0,\dots,x_n)+x_if(x_1,\dots,1,\dots,x_n)\) take the same values on Boolean inputs, while the latter polynomial has degree in every variable at most that of the former, and additionally its degree in \( x_i\) is at most \( 1\). Thus linearizing in every variable brings all degrees down to at most \( 1\). We will denote the operator linearizing in variable \( x_i\) by \( L_i\). Denoting also by \( \forall_i,\exists_i\) the operators on polynomials corresponding to applying quantifiers, solving TQBF essentially amounts to finding the value of

\( \forall_1L_1\exists_2L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n)\),

where \( f(x_1,\dots,x_n)\) is a polynomial corresponding to the unquantified part of the formula. Importantly, as can be seen from the construction, it is very easy to find its values on integer inputs.

We define the following sequence of polynomials:

\( \displaystyle f_0()=\forall_1L_1\exists_2L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n),\\ f_1(x_1)=L_1\exists_2L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n),\\ f_2(x_1)=\exists_2L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n),\\ f_3(x_1,x_2)=L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n),\\ \dots\\ f_m(x_1,\dots,x_n)=f(x_1,\dots,x_n)\)

(the empty brackets by \( f_0\) emphasize that it’s a function of zero variables; each \( f_i\) is obtained from \( f_{i+1}\) by applying a single operator, so \( m=n+\frac{n(n+1)}{2}\) is the total number of operators). We want the prover to convince the verifier that \( f_0()=1\), and we can easily compute \( f_m\). Also, there is an easy polynomial upper bound \( d\) on the degree of each \( f_i\) in any single variable, namely \( d=\max\{\deg f_m,2\}\): linearization never raises a degree, and a quantifier at most doubles a degree which the preceding linearizations have already brought down to \( 1\) (so most of these polynomials have degree \( 1\) or \( 2\) in each variable).

We are now ready to describe the procedure the verifier and prover will execute during the interactive proof. First of all, *all the computations will take place modulo a prime* \( p\) . This will reduce the size of numbers involved in a computation. \( p\) will have length polynomial in the length of the input, and we will also require it to be sufficiently large (such primes will necessarily exist, e.g. by Bertrand’s postulate, but more elementary arguments can be given as well). The prover shall start by sending a prime \( p\), and they will either provide a primality certificate which the verifier can quickly check, or the verifier will have to check primality of \( p\) using a primality test.

Recall that the verifier wants to challenge prover’s claim that \( f_0()=1\). We will indicate these sort of claims by \( f_0^P()=1\) (the superscript indicates that this relation is what the prover *claims* is true). The remainder of the protocol proceeds as follows:

- The prover sends a polynomial \( f_1^P(x)\), which they claim to be equal to \( f_1(x_1)\).
- The verifier checks that the prover’s two claims are *consistent*: since \( f_0()=\forall_1 f_1(x_1)=f_1(0)f_1(1)\), the verifier ought to check that \( f_1^P(0)f_1^P(1)=f_0^P()\). If this is the case, they choose a random number \( r_1\) modulo \( p\) and send it to the prover. If the prover’s claim \( f_1^P(x)=f_1(x)\) was true, then in particular we must have \( f_1^P(r_1)=f_1(r_1)\). This is the new claim which the verifier is challenging.
- The prover now sends a polynomial \( f_2^P(x)\), which they claim to be \( f_2(x)\).
- The verifier again checks consistency: since \( f_1=L_1f_2\), we should have \( f_1^P(r_1)=(1-r_1)f_2^P(0)+r_1f_2^P(1)\). They choose a random \( r_2\), send it to the prover and challenge the equality \( f_2^P(r_2)=f_2(r_2)\) (so \( x_1\) is now fixed to \( r_2\) rather than \( r_1\): each linearization step draws a fresh random value for the variable it linearizes).
- This time the prover sends \( f_3^P(r_2,x)\), claiming it is \( f_3(r_2,x)\).
- They proceed in this manner a total of \( m\) times: depending on the operator at the front of the definition of \( f_i\), the prover sends a polynomial \( f_{i+1}^P\) with one free variable (the variable that operator acts on, all others fixed to the random values chosen so far). The verifier makes a consistency check, chooses a random number, substitutes it for the free variable, and challenges the prover with the value they get.
- After all these turns, the verifier is left with the prover’s claim that \( f_m^P(q_1,\dots,q_n)=f_m(q_1,\dots,q_n)\), where \( q_1,\dots,q_n\) are the most recently chosen random values. But at this point the verifier can check this claim themself: we have noted earlier that the values of \( f_m\) can be easily computed. This is one of the two final checks; the other is to check that all polynomials sent by the prover have degree at most \( d\).
- If all of the consistency checks were successful and the final claim was verified to be true, the verifier accepts. If at any point a check failed or the last claim turned out to be false, they reject.
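As an added example, not code from the original post, here is the whole protocol simulated in Python: the arithmetization and linearization operators of the previous section, the sequence \( f_0,\dots,f_m\), an honest prover that obtains each \( f_{i+1}^P\) by interpolation, and the verifier's consistency, degree and final checks, all modulo the fixed prime \( p=2^{61}-1\). The formula encoding, the variable numbering, the degree bound \( d=\max\{\deg f,2\}\) and the strategy of the included cheating prover (it patches the true polynomial at \( 0\) and \( 1\) so that every consistency check passes, and is then caught by the final check) are choices made here, not fixed by the text; the two sample instances are constructed.

```python
"""TQBF interactive proof from the text (arithmetization, linearization, rounds).
Added example, not code from the original post. Choices made here, not fixed by the
text: the tuple encoding of formulas, variables numbered 1..n, the degree bound
d = max(deg f, 2), and the cheating prover's strategy (patch the true polynomial at
0 and 1 so every consistency check passes; the final check then fails w.h.p.)."""
import random

def arith_eval(phi, a, p):
    """Arithmetized phi at assignment a (dict var -> field element), mod p."""
    # Encoding: ('var', i), ('not', f), ('and', f, g), ('or', f, g).
    op = phi[0]
    if op == 'var':
        return a[phi[1]] % p
    if op == 'not':
        return (1 - arith_eval(phi[1], a, p)) % p
    u, v = arith_eval(phi[1], a, p), arith_eval(phi[2], a, p)
    return u * v % p if op == 'and' else (1 - (1 - u) * (1 - v)) % p

def arith_degree(phi):
    """Bound on the degree of the arithmetized phi in any single variable."""
    if phi[0] == 'var':
        return 1
    return arith_degree(phi[1]) + (arith_degree(phi[2]) if phi[0] != 'not' else 0)

def operator_sequence(quantifiers):
    """Q_1 L_1 Q_2 L_1 L_2 ... Q_n L_1..L_n as a list, outermost operator first."""
    ops = []
    for k, q in enumerate(quantifiers, start=1):
        ops.append((q, k))
        ops.extend(('lin', j) for j in range(1, k + 1))
    return ops

def combine(q, v0, v1, r, p):
    """One operator applied to the restrictions x_k=0, x_k=1 (r = current x_k, 'lin' only)."""
    if q == 'forall':
        return v0 * v1 % p
    if q == 'exists':
        return (1 - (1 - v0) * (1 - v1)) % p
    return ((1 - r) * v0 + r * v1) % p

def f_eval(ops, i, phi, a, p):
    """f_i at assignment a, i.e. ops[i:] applied to phi (exponential time: the prover's job)."""
    if i == len(ops):
        return arith_eval(phi, a, p)
    q, k = ops[i]
    v0, v1 = (f_eval(ops, i + 1, phi, {**a, k: t}, p) for t in (0, 1))
    return combine(q, v0, v1, a.get(k), p)

def poly_eval(coeffs, x, p):
    """Horner evaluation; coeffs run from the constant term upwards."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def interpolate(points, p):
    """Lagrange interpolation mod p through (x, y) pairs with distinct x."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:  # multiply basis by (x - xj)
                basis = [(b - xj * c) % p for b, c in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p
        for t, b in enumerate(basis):
            coeffs[t] = (coeffs[t] + scale * b) % p
    return coeffs

def prover_message(ops, i, phi, a, p, d, claim, honest):
    """Round i message: univariate polynomial for f_{i+1} with x_k free, others as in a."""
    q, k = ops[i]
    g = interpolate([(t, f_eval(ops, i + 1, phi, {**a, k: t}, p))
                     for t in range(d + 1)], p)  # the true polynomial
    if honest:
        return g
    # Cheater: force g(0), g(1) to values satisfying the verifier's check for `claim`.
    want = {'forall': (1, claim), 'exists': (0, claim), 'lin': (claim, claim)}[q]
    d0, d1 = (want[0] - poly_eval(g, 0, p)) % p, (want[1] - poly_eval(g, 1, p)) % p
    g[0], g[1] = (g[0] + d0) % p, (g[1] + d1 - d0) % p  # add d0*(1-x) + d1*x
    return g

def verify(quantifiers, phi, p, seed=0, honest=True):
    """Run the protocol; True iff the verifier accepts the claim 'formula is true'."""
    rng = random.Random(seed)
    ops = operator_sequence(quantifiers)
    d = max(arith_degree(phi), 2)  # degree bound in any one variable
    a, claim = {}, 1  # the prover's initial claim: f_0() = 1
    for i, (q, k) in enumerate(ops):
        g = prover_message(ops, i, phi, a, p, d, claim, honest)
        if len(g) > d + 1:  # degree check
            return False
        if combine(q, poly_eval(g, 0, p), poly_eval(g, 1, p), a.get(k), p) != claim:
            return False  # consistency check failed
        r = rng.randrange(p)  # fresh random value for x_k
        a, claim = {**a, k: r}, poly_eval(g, r, p)
    return claim == arith_eval(phi, a, p)  # final check: evaluate f_m directly

P = 2**61 - 1  # a prime of length polynomial in the input
# Constructed instances: forall x1 exists x2 (x1 <-> x2) is true; forall x1 forall x2 (x1 or x2) is false.
TRUE_TQBF = (['forall', 'exists'], ('or', ('and', ('var', 1), ('var', 2)),
                                    ('and', ('not', ('var', 1)), ('not', ('var', 2)))))
FALSE_TQBF = (['forall', 'forall'], ('or', ('var', 1), ('var', 2)))
```

`verify(*TRUE_TQBF, P)` accepts (completeness is exact, as the text says), `verify(*FALSE_TQBF, P)` rejects at the very first consistency check because an honest prover cannot even start, and `verify(*FALSE_TQBF, P, honest=False)` rejects at the final check except with probability at most \( (m+1)d/p\), which for these instances (\( m=5\), \( d=2\)) is \( 12/(2^{61}-1)\).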

It is clear that if the formula is true, then the prover can convince the verifier of its truth using this protocol 100% of the time: if they send the true values of \( f_i\) as \( f_i^P\), the verifier will not find any inconsistencies, so will accept. This is referred to as *completeness* of the protocol – that in true cases the verifier can be convinced with high probability (in general not necessarily 100%, but here we can do that well). We must now verify its *soundness* – that it is not possible for a prover to fool the verifier into believing a false formula is true.

The fundamental fact of use here is the following property of polynomials over fields (the integers modulo a prime form a field, so it applies):

**Lagrange’s theorem:** If two polynomials \( f,g\) defined over a field have degree at most \( d\) and agree on more than \( d\) values, then they are equal.

We will upper bound the probability of fooling the verifier. If the deceitful prover wants to have at least some chance, they need to send \( p\) which is really a prime of desired size and all the polynomials on the way have to have the degree at most \( d\).

For the verifier to accept the final check, we need the two polynomials \( f_m,f_m^P\), seen as polynomials in one variable, to agree on the input \( x=q_n\) (recall that the prover sends the polynomials with all but one variable fixed). By Lagrange’s theorem, unless the polynomials are equal, this only can be for at most \( d\) values of \( x\). Since \( q_n\) was chosen randomly, if the polynomials are not equal, then the equality holds with probability smaller than \( \frac{d}{p}\).

If the formula is not true, then the prover must have lied in the first step – it cannot be that \( f_0^P=f_0\). We can now proceed inductively to see that most likely the prover will have to continue providing false claims – if they have falsely claimed that \( f_i^P=f_i\) (here evaluated at certain values of \( r_i\)), then they must provide a polynomial \( f_{i+1}^P(x)\) which isn’t equal to \( f_{i+1}(x)\) – after all, \( f_i^P\) and \( f_i\) involve their evaluations on certain values – so the claim \( f_{i+1}^P(r_{i+1})=f_{i+1}(r_{i+1})\) will be true only on places where the two distinct polynomials agree, which happens with probability at most \( \frac{d}{p}\).

Summing up these probabilities, we see that the probability of the prover getting away with their initial lie is at most \( \frac{(m+1)d}{p}\), where \( (m+1)d\) is polynomial in the length of the formula \( l\). If we now let \( p\) be between \( 2^l,2^{l+1}\) (invoking Bertrand’s postulate), then the probability of the verifier accepting a false formula will be made exponentially small. It’s easy to convince oneself with some technical calculations that this confirms soundness of the protocol.

Therefore, IP=PSPACE. \( \square\)

I hope to eventually make a blog post describing a proof of a similar, but perhaps even more surprising, result: that MIP, the class of problems with interactive proof protocols involving multiple provers, is equal to the class NEXP, which is *known* to be much larger than NP, thus showing that randomness can provably enlarge a complexity class.

However, even then a reader might want to refer to some external source in order to see how the exercise can be solved, because otherwise it might be difficult to proceed any further (I myself would appreciate such a source at times). And, as they say, if you want something done right, do it yourself.

I’ve been thinking about this project for a short while already, and recently I have finally decided to start working on it. At the time of publishing this post I have finished writing up solutions to the exercises from chapter 1. More info, including a link to the actual file, can be found here (a link to that page can also be found on the sidebar). Please put all feedback under that page. With each further chapter completed that page will be updated, and I don’t plan on making posts like this one until the project is completed.

Since the post title promised some info, I’d like to mention that for three reasons the amount of content appearing on the blog in the near future will not be as large as it was over the past two weeks (I am not putting this on hiatus though). The first is this project, since I want to have it done at some point in the future, which means I will have to invest some time into it. The second is a trip I am going on next week. I might or might not work on some post while I’m there, we will see. Third, university starts at the beginning of October, but I still should be able to work on the blog, at least during weekends, but most likely also during the week.

]]>Recall the definition of the inertia group of a prime \(\frak P\) in \(\mathcal O_L\) lying over a prime \(\frak p\) in \(\mathcal O_K\) (\(L/K\) is a Galois extension of number fields): it’s the set of all \(\sigma\in G=\mathrm{Gal}(L/K)\) such that, for all \(\alpha\in\mathcal O_L\), we have \(\sigma(\alpha)\equiv\alpha\pmod{\frak P}\). We now generalize this group.

**Definition:** In the setting above, we define the \(n\)*th ramification group* \(E_n\) to be the set of all \(\sigma\in G\) such that \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^{n+1}}\) for all \(\alpha\in\mathcal O_L\). The groups \(E_n\), \(n\geq 1\), are called the *higher ramification groups*.

It is straightforward to see that \(D\geq E=E_0\geq E_1\geq\dots\), that all these subgroups are normal in \(D\), and that their intersection is trivial. The structure of the groups \(E_n\) can be somewhat complicated, but the quotients \(E_{n-1}/E_n\) are particularly simple:

**Proposition 1:** \(E/E_1\) is isomorphic to a subgroup of \((\mathcal O_L/\frak P)^\times\).

**Proof:** Fix \(\pi\in\frak P\setminus\frak P^2\). We can then factor \((\pi)\) as \(\frak P I\) with \(\frak P,I\) relatively prime. Taking any \(\sigma\in E\) we can find, by Chinese remainder theorem, a solution to \(x\equiv\sigma(\pi)\pmod{\frak P^2},x\equiv 0\pmod I\). Because \(\sigma\in E,\sigma(\pi)\in\frak P\), so \(x\in\frak P I=\pi\mathcal O_L\), so \(x=\alpha_\sigma\pi\) for some \(\alpha_\sigma\in\mathcal O_L\). In particular, \(\sigma(\pi)\equiv\alpha_\sigma\pi\pmod{\frak P^2}\). Also, \(\alpha_\sigma\) is well-defined modulo \(\frak P\): If \(\alpha_\sigma\pi\equiv\sigma(\pi)\equiv \alpha’\pi\pmod{\frak P^2}\), then \(\frak P^2\mid (\alpha_\sigma-\alpha’)\pi\), so \(\alpha_\sigma\equiv\alpha’\pmod{\frak P}\).

Thus we have defined a mapping \(\sigma\mapsto\alpha_\sigma\), and clearly \(\alpha_{\sigma\tau}\equiv\alpha_\sigma\alpha_\tau\), \(\alpha_{\mathrm{id}}\equiv 1\pmod{\frak P}\); in particular this map is a homomorphism \(E\to(\mathcal O_L/\frak P)^\times\). To show that it induces the desired isomorphism we need to show that its kernel is \(E_1\), which will follow easily once we show that \(\sigma(\pi)\equiv\pi\pmod{\frak P^2}\) implies \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^2}\) for all \(\alpha\in\mathcal O_L\), i.e. \(\sigma\in E_1\). We will prove something more general:

**Lemma 1:** For \(\sigma\in E\) and \(\pi\in\frak P\setminus\frak P^2\), if \(\sigma(\pi)\equiv\pi\pmod{\frak P^{n+1}}\), then \(\sigma\in E_n\).

**Proof of the lemma:** We will proceed by induction on \(n\). This is immediate for \(n=0\). Suppose now \(\sigma(\pi)\equiv\pi\pmod{\frak P^{n+1}},n>0\). In particular, \(\sigma(\pi)\equiv\pi\pmod{\frak P^n}\), so \(\sigma\in E_{n-1}\). Therefore \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^n}\) for all \(\alpha\in\mathcal O_L\), so \(\sigma(\pi\alpha)\equiv\sigma(\pi)\sigma(\alpha)\equiv\pi\sigma(\alpha)\equiv\pi\alpha\pmod{\frak P^{n+1}}\) (for last congruence, recall \(\pi\in\frak P\)). So \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^{n+1}}\) for all \(\alpha\in(\pi)\).

Now we show the congruence for \(\alpha\in\frak P\). Let \((\pi)=\frak P I\) (as in the proof of the proposition). Choose \(\beta\equiv 1\pmod{\frak P}\), \(\beta\equiv 0\pmod I\). Then \(\alpha\beta\in(\pi)\), so \(\alpha\beta\equiv\sigma(\alpha\beta)\equiv\sigma(\alpha)\sigma(\beta)\equiv\sigma(\alpha)\beta\pmod{\frak P^{n+1}}\) by the above and since \(\sigma(\beta)\equiv\beta\pmod{\frak P^n}\) while \(\sigma(\alpha)\in\frak P\). But \(\beta\) is a unit modulo \(\frak P\), hence modulo \(\frak P^{n+1}\), so \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^{n+1}}\).

At the same time, every congruence class modulo \(\frak P\) has an element which is fixed by \(\sigma\), and indeed by every element of \(E\). By a result from my previous post, \(\mathcal O_L/\frak P\) is a trivial extension of \(\mathcal O_{L_E}/\frak P_E\), so every congruence class modulo \(\frak P\) has a representative in \(\mathcal O_{L_E}\), and by definition these are fixed by elements of \(E\). So every \(\alpha\in\mathcal O_L\) can be written as \(\beta+\gamma\) with \(\beta\in\mathcal O_{L_E}\), \(\gamma\in\frak P\), so that \(\sigma(\alpha)=\sigma(\beta)+\sigma(\gamma)=\beta+\sigma(\gamma)\equiv\beta+\gamma\equiv\alpha\pmod{\frak P^{n+1}}\). Therefore \(\sigma\in E_n\). \(\square\)

Hence, as we said, \(E_1\) is the kernel of constructed homomorphism, which therefore is an isomorphism of \(E/E_1\) onto its image, which is a subgroup of \((\mathcal O_L/\frak P)^\times\). \(\square\)

In a quite similar way we can prove the following result:

**Proposition 2:** \(E_{n-1}/E_n,n>1\) is isomorphic to a subgroup of the additive group \(\mathcal O_L/\frak P\).

**Proof:** Let, as before, \(\pi\in\frak P\setminus\frak P^2\). Take any \(\sigma\in E_{n-1}\), so that \(\sigma(\pi)-\pi\in\frak P^n\). Writing (again) \((\pi)=\frak P I\), choose by the Chinese remainder theorem \(x\equiv\sigma(\pi)-\pi\pmod{\frak P^{n+1}}\), \(x\equiv 0\pmod{I^n}\). Then \(x\in\frak P^n I^n=(\pi^n)\), so \(x=\alpha_\sigma\pi^n\) for some \(\alpha_\sigma\in\mathcal O_L\), and \(\sigma(\pi)\equiv\pi+\alpha_\sigma\pi^n\pmod{\frak P^{n+1}}\). As in the previous proposition, we easily see that \(\alpha_\sigma\) is uniquely determined modulo \(\frak P\) and that \(\alpha_{\sigma\tau}\equiv\alpha_\sigma+\alpha_\tau\pmod{\frak P}\) (use \(\sigma(\alpha_\tau)\equiv\alpha_\tau\pmod{\frak P}\) and \(\sigma(\pi)^n\equiv\pi^n\pmod{\frak P^{n+1}}\)). This gives a homomorphism \(E_{n-1}\to\mathcal O_L/\frak P\), and from the lemma we easily find that its kernel is \(E_n\), so that we get the desired isomorphism from \(E_{n-1}/E_n\) onto a subgroup of \(\mathcal O_L/\frak P\). \(\square\)

A quite immediate corollary is the following.

**Theorem 1:** Groups \(D,E,E_n\) are solvable.

**Proof:** We consider the chain of normal subgroups \(D\trianglerighteq E\trianglerighteq E_1\trianglerighteq\dots\). \(D/E\) is isomorphic to the Galois group of the residue field extension \((\mathcal O_L/\frak P)/(\mathcal O_K/\frak p)\), which is cyclic, \(E/E_1\) is isomorphic to a subgroup of the multiplicative group of the field \(\mathcal O_L/\frak P\) and \(E_{n-1}/E_n\) is isomorphic to a subgroup of its additive group. All of these are abelian, and the chain eventually terminates (eventually the \(E_n\) are trivial), so all the groups in the chain are solvable. \(\square\)

**Definition:** Suppose a prime \(\frak p\) in \(\mathcal O_K\) ramifies in \(\mathcal O_L\), let \(e=e(\frak P/\frak p)\), and let \(p\) be the prime in \(\mathbb Z\) lying under \(\frak p\). We say that \(\frak p\) *wildly ramifies* if \(p\mid e\), and we say that it *tamely ramifies* otherwise.

The terminology above might seem unmotivated, but hopefully it is at least in part clarified by the following theorem.

**Theorem 2:** If a prime is ramified, then it’s tamely ramified iff all the higher ramification groups are trivial. Moreover, \(E_1\) is a Sylow \(p\)-subgroup of \(E\).

**Proof:** Since \(E_1/E_2,E_2/E_3,\dots\) are isomorphic to subgroups of \(\mathcal O_L/\frak P\), which is a \(p\)-group, their sizes are powers of \(p\). Hence \(|E_1|=|E_1/E_2|\cdot|E_2/E_3|\cdot\dots\) is a power of \(p\), i.e. \(E_1\) is a \(p\)-group. On the other hand, \(|E/E_1|\mid|(\mathcal O_L/\frak P)^\times|\) is indivisible by \(p\), so \(E_1\) must be the Sylow \(p\)-subgroup of \(E\). In particular, it’s nontrivial iff \(p\mid |E|=e\). \(\square\)
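To make the definitions concrete, here is a small brute-force computation (an added example, not from the original post) of the groups \(E_n\) for \(L=\mathbb Q(i)\), \(K=\mathbb Q\), \(\frak P=(1+i)\) over \(p=2\), where \(e=2\), so the ramification is wild and Theorem 2 predicts \(E_1=E\neq 1\). It also reads off the label \(\alpha_\sigma\in\mathcal O_L/\frak P=\mathbb F_2\) from Proposition 2 for \(\sigma\) equal to complex conjugation and \(n=2\). Gaussian integers are represented as integer pairs, and the function names are mine.

```python
# Added example (not part of the original post): the ramification groups of
# Q(i)/Q at the prime P = (1+i) of Z[i] lying over 2, found by brute force from
# the definition sigma(alpha) = alpha (mod P^(n+1)). Gaussian integers are pairs
# (a, b) = a + b*i; the Galois group is {identity, complex conjugation}.

def gmul(x, y):
    a, b = x
    c, d = y
    return (a * c - b * d, a * d + b * c)

def gsub(x, y):
    return (x[0] - y[0], x[1] - y[1])

def divides(z, w):
    """True iff z | w in Z[i]: w/z = w * conj(z) / N(z) must have integer parts."""
    a, b = z
    norm = a * a + b * b
    num = gmul(w, (a, -b))
    return num[0] % norm == 0 and num[1] % norm == 0

PI = (1, 1)  # uniformiser: (1+i) generates P, and 2 = -i*(1+i)^2, so e(P/2) = 2

def pi_power(k):
    z = (1, 0)
    for _ in range(k):
        z = gmul(z, PI)
    return z

GALOIS = {"id": lambda z: z, "conj": lambda z: (z[0], -z[1])}

def in_ramification_group(sigma, n, box=3):
    """sigma in E_n iff sigma(alpha) - alpha lies in P^(n+1) for every alpha.
    alpha -> sigma(alpha) - alpha is additive and 1, i lie in the box, so
    checking all a + b*i with |a|, |b| <= box is exhaustive."""
    modulus = pi_power(n + 1)
    for a in range(-box, box + 1):
        for b in range(-box, box + 1):
            alpha = (a, b)
            if not divides(modulus, gsub(sigma(alpha), alpha)):
                return False
    return True

def ramification_groups(max_n):
    """[E_0, E_1, ..., E_max_n] as sorted lists of automorphism names."""
    return [sorted(name for name, s in GALOIS.items() if in_ramification_group(s, n))
            for n in range(max_n + 1)]

def additive_label(sigma, n):
    """For sigma in E_(n-1), the alpha_sigma of Proposition 2 as an element of
    O_L/P = F_2: sigma(pi) = pi + alpha_sigma * pi^n (mod P^(n+1))."""
    target = gsub(sigma(PI), PI)
    modulus = pi_power(n + 1)
    for alpha in (0, 1):  # representatives of O_L/P = F_2
        shifted = gsub(target, gmul((alpha, 0), pi_power(n)))
        if divides(modulus, shifted):
            return alpha
    raise ValueError("sigma is not in E_(n-1)")

def is_wildly_ramified(e, p):
    """Definition from the text: wild iff the residue characteristic divides e."""
    return e % p == 0

if __name__ == "__main__":
    for n, group in enumerate(ramification_groups(3)):
        print(f"E_{n} = {group}")
    print("alpha_conj in E_1/E_2 (as element of F_2):",
          additive_label(GALOIS["conj"], 2))
    print("wild:", is_wildly_ramified(2, 2))
```

The output \(E_0=E_1=\{\mathrm{id},\mathrm{conj}\}\), \(E_2=\{\mathrm{id}\}\) matches the hand computation \(\overline{\alpha}-\alpha=-2bi=-b(1+i)^2\): the difference always lies in \(\frak P^2\), but for \(b\) odd not in \(\frak P^3\). The label \(\alpha_\sigma=1\) comes from \(\overline{1+i}=(1+i)-(1+i)^2\).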

The next result will turn out to be rather useful later.

**Proposition 3:** Suppose \(D/E_1\) is abelian. Then the embedding from the proof of Proposition 1 actually sends \(E/E_1\) into \((\mathcal O_K/\frak p)^\times\).

**Proof:** Suppose \(\sigma\in E\) and \(\sigma(\pi)=\alpha_\sigma\pi\pmod{\frak P^2}\). First we note that this implies, in a way similar to the first two paragraphs of the proof of lemma 1, that \(\sigma(\beta)\equiv\alpha_\sigma\beta\pmod{\frak P^2}\) for all \(\beta\in\frak P\).

Abelianness of \(D/E_1\) implies that, for any \(\tau\in D\), \(\sigma^{-1}\tau\sigma\tau^{-1}\in E_1\), so \(\tau\sigma\tau^{-1}(\alpha)\equiv\sigma(\alpha)\pmod{\frak P^2}\) for all \(\alpha\in\mathcal O_L\). Taking \(\alpha=\pi\) and noting \(\tau^{-1}(\pi)\in\frak P\) (so the first paragraph applies to it), this gives \(\alpha_\sigma\pi\equiv\sigma(\pi)\equiv\tau\sigma(\tau^{-1}(\pi))\equiv\tau(\alpha_\sigma\tau^{-1}(\pi))\equiv\tau(\alpha_\sigma)\pi\pmod{\frak P^2}\), therefore \(\alpha_\sigma\equiv\tau(\alpha_\sigma)\pmod{\frak P}\). Since \(D\) maps surjectively onto the Galois group of \((\mathcal O_L/\frak P)/(\mathcal O_K/\frak p)\), this group acts trivially on \(\alpha_\sigma\bmod\frak P\), so \(\alpha_\sigma\bmod\frak P\) lies in \(\mathcal O_K/\frak p\). \(\square\)

Higher ramification groups, especially the last proposition, will turn out to be very useful in a proof of Kronecker-Weber theorem, which will be the subject of an upcoming blog post.

]]>Let \( K\) be a number field of degree \( n\) over \( \mathbb Q\). By standard results of field theory there are precisely \( n\) embeddings of \( K\) into \( \mathbb C\), call them \( \sigma_1,\dots,\sigma_n\). We recall a standard definition:

**Definition:** For any \( n\) elements \( \alpha_1,\dots,\alpha_n\in K\) we define the *discriminant* of these elements to be the square of the determinant of \( M=(\sigma_j(\alpha_i))_{i,j}\). We denote it by \( \mathrm{disc}(\alpha_1,\dots,\alpha_n)\).

It’s easy to see that \( \mathrm{disc}(\alpha_1,\dots,\alpha_n)\) depends neither on the order of the \( \alpha_i\) nor on the order of the \( \sigma_j\). Also, \( \det(M)^2=\det(MM^T)=\det((T(\alpha_i\alpha_j))_{i,j})\), where \( T\) denotes the trace. From there it’s straightforward that the discriminant lies in \( \mathbb Q\), and we can also deduce that \( \mathrm{disc}(\alpha_1,\dots,\alpha_n)\neq 0\) iff \( \alpha_1,\dots,\alpha_n\) are linearly independent over \( \mathbb Q\). Lastly, if \( \beta_1,\dots,\beta_n\) are \( \mathbb Q\)-linear combinations of the \( \alpha_i\) with coefficient matrix \( V\), then we easily see \( \mathrm{disc}(\beta_1,\dots,\beta_n)=(\det V)^2\mathrm{disc}(\alpha_1,\dots,\alpha_n)\). In particular, if \( \alpha_1,\dots,\alpha_n\) and \( \beta_1,\dots,\beta_n\) are two bases of the same additive group, then \( V\) is an integer matrix with integer inverse, so \( \det V=\pm 1\) and the two discriminants are equal. Therefore it makes sense to define the discriminant \( \mathrm{disc}(A)\) of such an additive subgroup \( A\) to be the discriminant of any of its bases.

The most important additive subgroup of a number field is its ring of integers \( \mathcal O_K\). The discriminant of this ring will also be sometimes called the discriminant of the field \( K\) and denoted by \( \mathrm{disc}(K)\).

Consider an additive subgroup \( A\) generated by a basis \( \alpha_1,\dots,\alpha_n\) of \( K\). Then the matrix \( (T(\alpha_i\alpha_j))_{i,j}\) is invertible (since its determinant is the discriminant, which is nonzero). Taking the columns of its inverse as coefficients of linear combinations of the \( \alpha_j\), the elements so constructed, call them \( \alpha_1^*,\dots,\alpha_n^*\), satisfy \( T(\alpha_i\alpha_j^*)=\begin{cases}1 & \text{if }i=j\\ 0 & \text{otherwise}\end{cases}\). Moreover, by uniqueness of the matrix inverse, these elements are uniquely determined. We verify that they are linearly independent, hence form a basis: if \( a_1\alpha_1^*+\dots+a_n\alpha_n^*=0\), then \( 0=T(0)=T(\alpha_j(a_1\alpha_1^*+\dots+a_n\alpha_n^*))=a_1T(\alpha_j\alpha_1^*)+\dots+a_nT(\alpha_j\alpha_n^*)=a_j\), so the linear combination is trivial.

**Definition:** Given a basis \( \alpha_1,\dots,\alpha_n\), we call the basis \( \alpha_1^*,\dots,\alpha_n^*\) its *dual basis*. We call the additive group generated by them the *dual group* and denote it by \( A^*\).

Note it’s not immediately clear that this definition is independent of the basis of \( A\) we choose. The first result which we properly state and prove will imply this.

**Proposition 1:** \( A^*\) is precisely the set of \( \alpha\in K\) such that \( T(\alpha A)\subseteq\mathbb Z\).

**Proof:** Let \( \alpha\in K\). Since dual basis is a basis, we can write \( \alpha=a_1\alpha_1^*+\dots+a_n\alpha_n^*\), and \( \alpha\in A^*\) iff \( a_1,\dots,a_n\in\mathbb Z\). At the same time, \( a_i=T(\alpha\alpha_i)\). It clearly follows that if \( T(\alpha A)\subseteq\mathbb Z\), then \( a_i\in\mathbb Z\). Conversely, if \( a_1,\dots,a_n\in\mathbb Z\), then for any \( \beta=b_1\alpha_1+\dots+b_n\alpha_n\in A,b_1,\dots,b_n\in\mathbb Z\) we have \( T(\alpha\beta)=a_1b_1+\dots+a_nb_n\in\mathbb Z\), so \( T(\alpha A)\subseteq\mathbb Z\). \(\square\)

It is possible to explicitly give the dual basis if the basis is of the form \( 1,\alpha,\dots,\alpha^{n-1}\) with \( \alpha\in\mathcal O_K\), i.e. its minimal polynomial over \( \mathbb Q\) has integer coefficients.

**Proposition 2:** Let \( f(x)=(x-\alpha)(c_{n-1}x^{n-1}+\dots+c_1x+c_0)\) be the minimal polynomial of \( \alpha\). Then \( \frac{c_0}{f'(\alpha)},\dots,\frac{c_{n-1}}{f'(\alpha)}\) is the dual basis of \( 1,\alpha,\dots,\alpha^{n-1}\). Moreover, \( (\mathbb Z[\alpha])^*=\frac{1}{f'(\alpha)}\mathbb Z[\alpha]\).

**Proof:** Let \( \alpha_1=\alpha,\alpha_2,\dots,\alpha_n\) be the conjugates of \( \alpha\) in \( \mathbb C\). It’s easy to see \( c_i=c_i(\alpha)\) is a monic polynomial in \( \alpha\) of degree \( i\), and if we divided \( f(x)\) by \( x-\alpha_j\), the coefficients would be \( c_i(\alpha_j)\). For \( k=0,\dots,n-1\) consider the polynomial

\( \displaystyle\sum_{i=1}^n\frac{\alpha_i^k}{f'(\alpha_i)}\frac{f(x)}{x-\alpha_i}\).

It’s easy to see that the \( i\)th term equals \( \alpha_i^k\) for \( x=\alpha_i\) and \( 0\) for \( x=\alpha_j\), \( j\neq i\). Hence this polynomial of degree smaller than \( n\) agrees with the polynomial \( x^k\) at \( n\) places, so the polynomials must be equal. Comparing the coefficients of \( x^j\) we get

\( \displaystyle\sum_{i=1}^n\frac{\alpha_i^k}{f'(\alpha_i)}c_j(\alpha_i)=\begin{cases}1 & \text{if }j=k\\ 0 & \text{otherwise}\end{cases}\),

but the left hand side is precisely \( T\left(\alpha^k\frac{c_j(\alpha)}{f'(\alpha)}\right)\), showing the first claim. To see the second claim, recall that the \( c_j\) are monic polynomials of degree \( j\), so we can show by induction on \( j\) that \( \frac{\alpha^j}{f'(\alpha)}\in(\mathbb Z[\alpha])^*\) and, conversely, that each \( \frac{c_j(\alpha)}{f'(\alpha)}\) is a \( \mathbb Z\)-combination of the \( \frac{\alpha^i}{f'(\alpha)}\). We omit the details. \(\square\)

The construction of dual additive group also preserves the property of being a fractional ideal. More precisely:

**Proposition 3:** Let \( \frak a\) be a fractional ideal. Then \( \frak a^*\) (the dual of \( \frak a\) considered as an additive group) is also a fractional ideal. Moreover, \( \frak a^*=\frak a^{-1}\mathcal O_K^*\). [Recall that \( \frak a^{-1}\) is defined as the set of those \( \alpha\in K\) for which \( \alpha\frak a\subseteq\mathcal O_K\); that \( \frak a\frak a^{-1}=\mathcal O_K\) was established in an earlier post.]

**Proof:** Fix any \( \beta\in\mathcal O_K\). For \( \alpha\in\frak a^*\) we have \( T(\alpha\frak a)\subseteq\mathbb Z\). But, since \( \frak a\) is a fractional ideal, \( \beta\frak a\subseteq\frak a\), so \( T(\beta\alpha\frak a)=T(\alpha(\beta\frak a))\subseteq T(\alpha\frak a)\subseteq\mathbb Z\), so \( \beta\alpha\in\frak a^*\). This shows \( \frak a^*\) is a fractional ideal.

For the second part, suppose first \( \alpha\in\frak a^*\). For any \( \beta\in\frak a\) we have \( \beta\mathcal O_K\subseteq\frak a\), so \( T(\alpha\beta\mathcal O_K)\subseteq T(\alpha\frak a)\subseteq\mathbb Z\), so \( \alpha\beta\in\mathcal O_K^*\). Hence \( \alpha\frak a\subseteq\mathcal O_K^*\), and therefore \( \alpha\in\alpha\frak a\frak a^{-1}\subseteq\frak a^{-1}\mathcal O_K^*\). For the converse, the same argument run in reverse works. \(\square\)

The previous proposition shows that duals behave a bit like inverses. Taking the inverse of the dual, we get another important ideal.

**Definition:** Let \( \frak a\) be a fractional ideal. We define the *different* of \( \frak a\) to be \( \mathrm{diff}\frak a=(\frak a^*)^{-1}\). In particular, we call the different of \( \mathcal O_K\) the *different of* \( K\) and denote it by \( \mathrm{diff} K\).

Note that \( \mathcal O_K\subseteq\mathcal O_K^*\), so \( \mathrm{diff} K\) is an ideal in \( \mathcal O_K\). From Proposition 3 we immediately have \( \mathrm{diff} \frak a=\frak a\,\mathrm{diff} K\), hence for the most part we only have to focus our attention on \( \mathrm{diff} K\). It takes a particularly simple form when \( \mathcal O_K=\mathbb Z[\alpha]\): by Proposition 2 we then have \( \mathrm{diff} K=(f'(\alpha))\), \( f\) being the minimal polynomial of \( \alpha\).

Recall the definition of the norm of an ideal: \( N(\frak a)=[\mathcal O_K:\frak a]=|\mathcal O_K/\frak a|\).

**Theorem 1:** \( N(\mathrm{diff} K)=|\mathrm{disc} K|\)

**Proof:** First we note that for fractional ideals \( \frak a\supseteq\frak b\) and \( \frak c\) we have an isomorphism of \( \mathcal O_K\)-modules \( \frak{ac}/\frak{bc} \cong \frak a/\frak b\) (this is quite straightforward to establish). In particular, taking \( \frak a=\mathcal O_K^*=(\mathrm{diff} K)^{-1}\), \( \frak b=\mathcal O_K\), \( \frak c=\mathrm{diff} K\) this gives \( \mathcal O_K/\mathrm{diff} K\cong\mathcal O_K^*/\mathcal O_K\). In particular, \( N(\mathrm{diff} K)=[\mathcal O_K:\mathrm{diff}K]=[\mathcal O_K^*:\mathcal O_K]\). It is well known that for two free abelian groups \( A\supseteq B\) of the same rank, \( [A:B]\) is the absolute value of the determinant of the transformation taking a basis of \( A\) to a basis of \( B\). In our case, take \( \alpha_1,\dots,\alpha_n\) an integral basis of \( \mathcal O_K\) and \( \alpha_1^*,\dots,\alpha_n^*\) its dual basis. We write \( \alpha_i=a_{i1}\alpha_1^*+\dots+a_{in}\alpha_n^*\). Then \( a_{ij}=T((a_{i1}\alpha_1^*+\dots+a_{in}\alpha_n^*)\alpha_j)=T(\alpha_i\alpha_j)\). In other words, the transformation matrix is precisely the matrix \( (T(\alpha_i\alpha_j))_{ij}\), whose determinant is \( \mathrm{disc} K\). This establishes the theorem. \(\square\)
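Here is Theorem 1 checked numerically for a few fields with \( \mathcal O_K=\mathbb Z[\alpha]\) (added example code, not from the original post): by Proposition 2, \( \mathrm{diff}K=(f'(\alpha))\), so \( N(\mathrm{diff}K)=|N_{K/\mathbb Q}(f'(\alpha))|\), while \( \mathrm{disc}K=\det(T(\alpha^{i+j}))_{i,j}\). Both sides are computed exactly from the companion matrix \( C\) of \( f\), using \( T(\alpha^k)=\operatorname{tr}(C^k)\) and \( N(g(\alpha))=\det g(C)\). The test fields \( \mathbb Q(i)\), \( \mathbb Q(\sqrt2)\), \( \mathbb Q(\sqrt[3]2)\) all have \( \mathbb Z[\alpha]\) as ring of integers. Function names are my own.

```python
# Added example (not the post's own code): a check of Theorem 1 in the case
# O_K = Z[alpha], where diff K = (f'(alpha)) by Proposition 2. Both sides are
# computed with exact integer arithmetic from the companion matrix C of the
# minimal polynomial f: T(alpha^k) = trace(C^k) and N(g(alpha)) = det(g(C)).
# Polynomials are coefficient lists, low degree first, monic (last entry 1).

def companion(f):
    """Matrix of multiplication by alpha on the basis 1, alpha, ..., alpha^(n-1)."""
    n = len(f) - 1
    C = [[0] * n for _ in range(n)]
    for i in range(1, n):
        C[i][i - 1] = 1          # alpha * alpha^(i-1) = alpha^i
    for i in range(n):
        C[i][n - 1] = -f[i]      # alpha * alpha^(n-1) = -(c_0 + ... + c_(n-1) alpha^(n-1))
    return C

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def trace(A):
    return sum(A[i][i] for i in range(len(A)))

def det(M):
    """Fraction-free (Bareiss) determinant of an integer matrix."""
    A = [row[:] for row in M]
    n = len(A)
    sign, prev = 1, 1
    for k in range(n - 1):
        if A[k][k] == 0:
            swap = next((i for i in range(k + 1, n) if A[i][k] != 0), None)
            if swap is None:
                return 0
            A[k], A[swap] = A[swap], A[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                A[i][j] = (A[i][j] * A[k][k] - A[i][k] * A[k][j]) // prev  # exact
            A[i][k] = 0
        prev = A[k][k]
    return sign * A[n - 1][n - 1]

def poly_of_matrix(g, C):
    """g(C) for a coefficient list g."""
    n = len(C)
    R = [[0] * n for _ in range(n)]
    P = identity(n)
    for coeff in g:
        R = [[R[i][j] + coeff * P[i][j] for j in range(n)] for i in range(n)]
        P = matmul(P, C)
    return R

def discriminant(f):
    """disc(1, alpha, ..., alpha^(n-1)) = det((T(alpha^(i+j)))_(i,j))."""
    C = companion(f)
    n = len(C)
    powers = [identity(n)]
    for _ in range(2 * n - 2):
        powers.append(matmul(powers[-1], C))
    T = [[trace(powers[i + j]) for j in range(n)] for i in range(n)]
    return det(T)

def norm(g, f):
    """N_(K/Q)(g(alpha)) = determinant of multiplication by g(alpha)."""
    return det(poly_of_matrix(g, companion(f)))

def derivative(f):
    return [i * f[i] for i in range(1, len(f))]

def different_norm(f):
    """N(diff K) = N((f'(alpha))) = |N(f'(alpha))| when O_K = Z[alpha]."""
    return abs(norm(derivative(f), f))

if __name__ == "__main__":
    for name, f in [("x^2+1", [1, 0, 1]), ("x^2-2", [-2, 0, 1]), ("x^3-2", [-2, 0, 0, 1])]:
        print(name, "disc =", discriminant(f), "N(diff) =", different_norm(f))
```

For \( x^3-2\) this gives \( \mathrm{disc}=-108\) and \( N(3\alpha^2)=27\cdot N(\alpha)^2=27\cdot 4=108\), as the theorem predicts; the sign of the discriminant is lost in the norm, which is why the theorem has an absolute value.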

The different is important when working with ramification of primes in a number field. As will be proven in a future post, the different ideal is divisible precisely by the prime ideals which are ramified in \( K\). In the next blog post we shall establish, among other things, this result for normal extensions, together with a precise formula for the exponent of such a prime.

As a closing remark, it is worth pointing out that the whole theory of discriminants and differents can be built for extensions \( L/K\) with \( K\) different from the field of rational numbers, although things get a lot more technical, since, for example, the discriminant has to be considered as an ideal and not a single element. I hope to one day cover the theory of general discriminants and different ideals in another blog post or two.

]]>Consider the following infinite series, which depends on the number \(s\), which, at first, we take to be real:

\(\displaystyle\sum_{n=1}^\infty\frac{1}{n^s}=\frac{1}{1^s}+\frac{1}{2^s}+\frac{1}{3^s}+\dots\).

After writing this down, the first question which should be asked is whether this makes sense, and the answer (rather clearly) depends on \(s\). It’s easy to see, thanks to the Cauchy condensation test, that this series converges precisely for \(s>1\). We denote the sum of this series by \(\zeta(s)\) and call it the *Riemann zeta function*.

Now let’s remove the constraint that \(s\) should be real. It’s not obvious what \(n^s\) should mean when \(s\) is a complex number, but there is a way to define it consistent with exponentiation of real numbers and satisfies desired properties. Writing \(s=x+iy,x,y\in\mathbb R\), it is then true that \(\left|\frac{1}{n^s}\right|=\frac{1}{n^x}\). Therefore, for \(x>1\), this series converges absolutely. Thus we can define \(\zeta(s)\) for all complex numbers \(s\) with real part above \(1\).

Just like it is possible to extend exponentiation, initially defined only for real numbers, to all complex numbers, it is reasonable to ask whether we can do the same for \(\zeta(s)\) – is there a “reasonable” way to extend it to whole complex plane? Unfortunately, \(\zeta(s)\) tends to infinity as \(s\) tends to \(1\), so we shouldn’t expect there to be a “nice” way to define \(\zeta(s)\). However, there *is* a way to define \(\zeta(s)\) for all complex numbers *other than* \(1\). This extension is uniquely characterized by being differentiable at every point where it’s defined, which, for complex numbers, turns out to be a very stringent property. This unique extension is called the *analytic continuation* of \(\zeta(s)\).

So defined \(\zeta(s)\) is a function which is very well-understood for all \(s\) with real part greater than \(1\) or smaller than \(0\). For example, it is true (and not hard to show with proper tools) that in these parts of the complex plane the only solutions of \(\zeta(s)=0\) are negative even integers. These zeros of \(\zeta(s)\) are called *trivial*, not because it’s obvious that they are there, but because it is very easy to work with them.

Behaviour for \(s\) with real part between \(0\) and \(1\) (the region called the *critical strip*) is much more complicated. It is known that there are infinitely many more zeros here, and all of these are called *nontrivial*. The first 10 trillion (!) nontrivial zeros are known to all have real part equal to \(\frac{1}{2}\) – they lie right in the middle of the critical strip, on the *critical line*. This overwhelming computational evidence suggests the following conjecture:

**Riemann hypothesis:** All nontrivial zeros of Riemann zeta function lie on the critical line.

Of course, this conjecture might seem like some random statement about some random function, so why all the fuss about it? It turns out that the Riemann zeta function is very closely connected to the multiplicative structure of the natural numbers, and its zeros “control”, in a very specific meaning of this word, the distribution of prime numbers. Even trying to explain *why* the Riemann zeta function should have anything to do with that distribution requires a large amount of complex analysis. Just to illustrate the importance of this conjecture, I will leave here an equivalent statement of the Riemann hypothesis.

**Riemann hypothesis:** Let \(\pi(x)\) denote the number of primes smaller than \(x\), and let \(\displaystyle\mathrm{Li}(x)=\int_2^x\frac{dt}{\ln t}\) (this function is approximately \(\frac{x}{\ln x}\)). Then, \(\pi(x)\) is very well-approximated by \(\mathrm{Li}(x)\). More precisely, for \(x\geq 2657\),

\(\displaystyle|\pi(x)-\mathrm{Li}(x)|<\frac{1}{8\pi}\sqrt{x}\ln x\)

The idea we want to pursue now is replacing the natural numbers with polynomials. This has turned out to be quite a fruitful idea in number theory, as polynomials over a finite field appear to have a structure similar to that of the integers. We will focus our attention on a single finite field, say with \(q\) elements. We will denote it by \(\mathbb F_q\).

The first thing to realize is that \(\mathbb F_q[x]\) is more analogous to \(\mathbb Z\) than to \(\mathbb N\). Hence we would like to pick out some elements of \(\mathbb F_q[x]\) to represent the “natural numbers”. The correct way of doing this is with the help of *units*, the elements which have multiplicative inverses. In the case of \(\mathbb Z\), the units are precisely \(\pm 1\) (note that, for example, \(\frac{1}{2}\not\in\mathbb Z\), so \(2\) is not a unit). We call a pair of elements which differ by a unit factor *associates*. So now we would like to somehow choose one element of each pair of associates \(\{n,-n\}\) for nonzero integers \(n\). There are two ways to proceed. The first is to make use of the fact that the integers possess an ordering, so that we can speak of positive elements, and from each pair we choose the positive one.

In the polynomials over a finite field the units are precisely the nonzero constant polynomials, and there are \(q-1\) of them. So now the associate classes have \(q-1\) elements each. There happens to be quite a natural choice of an element from each class – the monic polynomial, i.e. the polynomial with the coefficient of the highest power of \(x\) equal to \(1\). The monic polynomials are closed under multiplication, though not under addition, so they don’t share all properties of \(\mathbb N\), but we can’t do any better.

But even at this point we realize that polynomials over finite fields live in a world very different from the world of real numbers (they are somewhat “incompatible”, for example, adding an element to itself a number of times gives us zero in \(\mathbb F_q[x]\)), so it’s difficult to imagine a way to take such a polynomial to a real or, better yet, complex power. We will return to this problem in a minute.

I’ve promised a second way to “choose” an element out of a group of associates. Here comes the best part: we don’t have to choose at all! Instead, we note that in each pair of associate integers both elements have the same absolute value, so instead of summing over natural numbers *per se*, we can sum over all these pairs, taking the absolute values of their elements. In order to apply this to polynomials, we have to make up a notion of absolute value which agrees on all associates. A first guess is the degree \(\deg f\), but it lacks the multiplicative property we would desire (instead, \(\deg fg=\deg f+\deg g\)). A better idea is to take \(q^{\deg f}\), the so-called *norm* of the polynomial. This is now a multiplicative function, and it’s a natural choice for one more reason: it is the number of congruence classes modulo \(f\), which agrees with the fact that \(|n|\) is the number of congruence classes modulo \(n\neq 0\). This idea can be generalized in many directions, but we don’t pursue that here.

Our problem of having to exponentiate polynomials solves itself with the second approach – instead of exponentiating a polynomial itself, we exponentiate its norm, which is a natural number. We can now (finally!) define the polynomial zeta function (for simplicity, we index the sum with monic polynomials instead of associate classes as discussed before):

\(\displaystyle\zeta_q(s)=\sum_{f\text{ monic}}\frac{1}{(q^{\deg f})^s}\)

This series needn’t be convergent for all values of \(s\), so we have to hope that it can be analytically continued to all or almost all complex numbers \(s\) like it is possible with \(\zeta(s)\). As with \(\zeta(s)\), we know that this extension, if it exists, will be unique, so (although technically we don’t know if the statement makes real sense) we can state the conjecture:

**Polynomial Riemann hypothesis:** All nontrivial (i.e. lying in the critical strip) zeros of \(\zeta_q(s)\) lie on the critical line.

There is one more technical detail regarding the definition of \(\zeta_q(s)\) – we have not specified the order in which the terms are being summed, and for infinite series the order of terms might make the result vary. To deal with this, we group the terms coming out of polynomials of the same norm. To be precise, let \(a_n\) be the number of polynomials having the norm \(n\). Then we can precisely define the zeta function to be

\(\displaystyle\zeta_q(s)=\sum_{n=1}^\infty\frac{a_n}{n^s}\)

Of course \(a_n=0\) for \(n\) not a power of \(q\) (because of how the norm is defined), and \(a_{q^d}\) is the number of monic polynomials of degree \(d\). To see what this is equal to, write a generic monic polynomial of degree \(d\) as \(x^d+c_{d-1}x^{d-1}+\dots+c_1x+c_0\). We have precisely \(q\) choices for each of \(d\) coefficients \(c_i\), so we see that there are \(q^d\) such polynomials, that is, \(a_{q^d}=q^d\). Therefore we can write

\(\displaystyle\zeta_q(s)=\sum_{d=0}^\infty\frac{q^d}{(q^d)^s}=\sum_{d=0}^\infty (q^{1-s})^d\)

This is a geometric series, and we know that it converges precisely when \(|q^{1-s}|<1\). Writing \(s=x+iy,x,y\in\mathbb R\) as on the beginning, \(|q^{1-s}|=q^{1-x}\), which is less than \(1\) iff \(x>1\). So for \(s\) with real part above \(1\) this series converges, and from well-known formula for the sum of a geometric series, we have

\(\displaystyle\zeta_q(s)=\frac{1}{1-q^{1-s}}\)

But the formula on the right hand side makes sense for a greater range of values of \(s\). Indeed, it is defined for almost all complex numbers \(s\) (the only points where it’s not defined are those with \(q^{1-s}=1\); with complex exponentiation there are infinitely many such points, namely \(s=1+2\pi in/\log q\), but they are quite sparse), and it is differentiable at all other points, so we know that this is exactly the analytic continuation of \(\zeta_q(s)\)!

So now we simply want to study the zeros of this later function. But a reciprocal of a complex number \(1-q^{1-s}\) can never be zero! This means that the polynomial zeta function *has no zeros at all*. In particular, there are no zeros in the critical strip, so the polynomial Riemann hypothesis becomes vacuously true. \(\square\)

We see that the Riemann hypothesis for polynomials over a finite field is quite a trivial statement: we have spent more time defining it than proving it, and the proof pretty much amounted to working through the definitions. One might also question a number of choices we have made when defining this function. However, it can be shown that \(\zeta_q(s)\) is intimately connected to the multiplicative structure of \(\mathbb F_q[x]\), in particular to the distribution of irreducible polynomials. To give a sense of it, define the von Mangoldt function \(\Lambda(n)\), for a natural number \(n\), to be \(\ln p\) if \(n\) is a power of a prime \(p\) and \(\Lambda(n)=0\) otherwise. The idea behind this function is that it is a “weighted” indicator function of primes, taking into account the “average density” of primes of a given order of size (the reasons for also allowing prime powers are technical). Defining \(\displaystyle\psi(x)=\sum_{n\leq x}\Lambda(n)\) we then have \(\psi(x)\approx x\). The standard Riemann hypothesis, in particular the lack of zeros with real part above \(\frac{1}{2}\), gives an upper bound on the difference between the two sides similar to the bound stated in the equivalent version of the Riemann hypothesis above. We can try to do the same in \(\mathbb F_q[x]\). We define \(\Lambda_q(f)=\deg g\) for \(f\) a power of an irreducible polynomial \(g\), and \(\Lambda_q(f)=0\) otherwise (recall that we defined \(q^{\deg g}\) to be the “size” of \(g\), so \(\deg g\) is the logarithm of the size, up to the constant factor \(\ln q\)). Since \(\zeta_q(s)\) has no zeros at all, we expect it to give a very good bound on the difference between \(\displaystyle\psi_q(d)=\sum_{f\text{ monic},\,\deg f\leq d}\Lambda_q(f)\) and the number of monic polynomials of positive degree at most \(d\). Indeed, these two numbers are *equal* (both are \(q+q^2+\dots+q^d\)), and this fact can be deduced from \(\zeta_q(s)\) lacking zeros (though it can also be proven directly).
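As an added example (my own code, not from the post), here is a brute-force check of the counts used above for a small prime \(q\): that there are \(q^d\) monic polynomials of degree \(d\), that the series for \(\zeta_q(s)\) matches \(\frac{1}{1-q^{1-s}}\), and that \(\psi_q(d)\), computed directly from \(\Lambda_q\) by factoring every monic polynomial, equals \(q+q^2+\dots+q^d\). Irreducibility is tested by trial division, which is fine for the degrees involved; function names are mine.

```python
# Added example (not part of the original post): brute-force checks over F_q[x]
# for a prime q of the counts used in the text: q^d monic polynomials of degree
# d, the closed form 1/(1 - q^(1-s)) against the series, and psi_q(d) computed
# directly from Lambda_q. Polynomials are coefficient lists over F_q, low degree
# first; Lambda_q(f) = deg g when f = g^k with g irreducible, else 0.
from itertools import product

def monic_polys(q, d):
    """All monic polynomials of degree d over F_q (there are q^d of them)."""
    for low in product(range(q), repeat=d):
        yield list(low) + [1]

def is_zero(a):
    return all(c == 0 for c in a)

def poly_divmod(a, b, q):
    """Long division over F_q; b must have a nonzero leading coefficient."""
    a = a[:]
    db = len(b) - 1
    if len(a) - 1 < db:
        return [0], a
    inv = pow(b[-1], -1, q)
    quot = [0] * (len(a) - db)
    for i in range(len(a) - 1, db - 1, -1):
        coef = a[i] * inv % q
        quot[i - db] = coef
        if coef:
            for j in range(db + 1):
                a[i - db + j] = (a[i - db + j] - coef * b[j]) % q
    return quot, (a[:db] or [0])

def smallest_monic_divisor(f, q):
    """The monic divisor of f of smallest positive degree; it is irreducible."""
    for e in range(1, len(f)):
        for g in monic_polys(q, e):
            if is_zero(poly_divmod(f, g, q)[1]):
                return g
    raise ValueError("constant polynomial has no divisor of positive degree")

def is_irreducible(f, q):
    return len(f) > 1 and len(smallest_monic_divisor(f, q)) == len(f)

def von_mangoldt(f, q):
    """Lambda_q(f): deg g if f is a power of the irreducible g, otherwise 0."""
    if len(f) == 1:
        return 0
    g = smallest_monic_divisor(f, q)
    while True:
        quot, rem = poly_divmod(f, g, q)
        if not is_zero(rem):
            return 0             # another irreducible factor is present
        f = quot
        if len(f) == 1:          # f was a pure power of g
            return len(g) - 1

def count_irreducible(q, d):
    return sum(1 for f in monic_polys(q, d) if is_irreducible(f, q))

def psi(q, d):
    """psi_q(d) = sum of Lambda_q(f) over monic f with 1 <= deg f <= d."""
    return sum(von_mangoldt(f, q) for k in range(1, d + 1) for f in monic_polys(q, k))

def zeta_partial(q, s, terms):
    """Partial sum of sum_d q^d / (q^d)^s = sum_d (q^(1-s))^d; s may be complex."""
    return sum((q ** (1 - s)) ** d for d in range(terms))

def zeta_closed(q, s):
    return 1 / (1 - q ** (1 - s))

if __name__ == "__main__":
    q, d = 2, 4
    print("monic of degree", d, ":", sum(1 for _ in monic_polys(q, d)), "= q^d =", q ** d)
    print("irreducible by degree:", [count_irreducible(q, k) for k in range(1, d + 1)])
    print("psi_q(d) =", psi(q, d), " q + ... + q^d =", sum(q ** k for k in range(1, d + 1)))
    print("series vs closed form at s = 2:", zeta_partial(q, 2.0, 40), zeta_closed(q, 2.0))
```

The irreducible counts \(2,1,2,3\) for \(q=2\) are the familiar ones (for degree 4: \(x^4+x+1\), \(x^4+x^3+1\), \(x^4+x^3+x^2+x+1\)), and the identity \(\psi_q(d)=q+\dots+q^d\) is the polynomial analogue of \(\psi(x)\approx x\), here with no error term at all.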

I will also mention the generalizations of the Riemann hypothesis: there are two main extensions of the conjecture, called respectively the generalized and the extended Riemann hypothesis, which state that certain functions analogous to the Riemann zeta function, namely Dirichlet L-functions and Dedekind zeta functions (both discussed in another blog post of mine), have their nontrivial zeros on the critical line. These conjectures also have analogues for polynomials over finite fields which are known to be true, although they are quite a bit more difficult to establish.

There are many more similarities between the world of polynomials over finite fields and (at least under standard conjectures) the world of integers. Probably the most significant difference between the two is how much easier it is to work with the former, which hopefully this post illustrates.

\(x_1^2+\dots+x_q^2\equiv 0\pmod p\).

**A:** Congruences are always nicer with a prime modulus… can we assume that the number which we have conveniently happened to call \(p\) is a prime?

**B:** Sure, let’s even say it’s an odd prime. But still, how could we approach this?

**A:** Let’s try induction. Everything can be proven by induction, right?

**B:** We’ll see… Base case seems easy, so let’s get to the induction step right away.

**A:** Say I have chosen some number \(x_1\). The number of solutions with this \(x_1\) is the same as the number of solutions of

\(x_2^2+\dots+x_q^2\equiv -x_1^2\pmod p\),

but this congruence has something else on the right hand side than zero…

**B:** True. I’m afraid we will have to deal with a more general problem if we want induction to work. So I think we should consider the number of solutions to the congruence

\(x_1^2+\dots+x_q^2\equiv a\pmod p\).

**A:** Let’s give it a name, say we will call it \(N_q(a)\). But then even the case with one variable seems less trivial…

**B:** Yeah, there probably won’t be any simple expression which is \(1\) on zero, \(2\) on all other squares modulo \(p\) and \(0\) on nonsquares.

**A:** Wait, actually, if you were to subtract \(1\) from each of these numbers, we get expression which is \(0\) on zero, \(1\) on squares and \(-1\) on nonsquares. This is precisely the Legendre symbol!

**B:** Ah! So we can say that \(N_1(a)=1+\left(\dfrac{a}{p}\right)\).

**A:** This gave me an idea. To find \(N_q(a)\) we can consider all tuples satisfying \(t_1+\dots+t_q=a\), and then consider in how many ways these \(t_i\) can be replaced with squares.

**B:** If I understand correctly, what you are saying can be expressed as

\(N_q(a)=\displaystyle\sum_{t_1+\dots+t_q=a}N_1(t_1)\dots N_1(t_q)=\sum_{t_1+\dots+t_q=a}\left(1+\left(\dfrac{t_1}{p}\right)\right)\dots\left(1+\left(\dfrac{t_q}{p}\right)\right)\),

the \(t_i\) being taken modulo \(p\), of course.

**A:** This gives us some expression for this number, but I suppose we both want something more “closed form”. This mess would be horrible to compute. Just imagine expanding this product!

**B:** Yeah, it would probably… actually, wait a moment. There will be a lot of cancellation in that sum. For example, consider the term \(\left(\dfrac{t_1}{p}\right)\dots\left(\dfrac{t_{q-1}}{p}\right)\) in the expanded product. In the sum, we can choose \(t_1,\dots,t_{q-1}\) independently and then we have a unique choice of \(t_q\). So when summing, this term contributes

\(\displaystyle \sum_{t_1,\dots,t_{q-1}}\left(\dfrac{t_1}{p}\right)\dots\left(\dfrac{t_{q-1}}{p}\right)=\left(\sum_{t_1}\left(\dfrac{t_1}{p}\right)\right)\left(\sum_{t_2,\dots,t_{q-1}}\left(\dfrac{t_2}{p}\right)\dots\left(\dfrac{t_{q-1}}{p}\right)\right)=0\)

since there are as many quadratic residues as nonresidues modulo \(p\), so the first sum is zero. The same argument kills every term containing some but not all of the Legendre symbols: any variable whose symbol is missing can play the role of \(t_q\), and the remaining ones are summed freely.

**A:** That’s excellent! So we are only left with the sum over the \(1\)s and the sum over the product of all the Legendre symbols. The ones are easy to count, so we are left with

\(N_q(a)=p^{q-1}+\displaystyle\sum_{t_1+\dots+t_q=a}\left(\dfrac{t_1}{p}\right)\dots\left(\dfrac{t_q}{p}\right)=p^{q-1}+\sum_{t_1+\dots+t_q=a}\left(\dfrac{t_1\dots t_q}{p}\right)\).

**B:** Multiplicativity of Legendre’s symbol is very useful; at the very least it reduces the number of brackets. Do you think there will be such a cancellation in the last sum as well?

**A:** I guess so; the \(p^{q-1}\) term is probably dominating. We can try grouping the terms in which the \(t_i\) are the same, just permuted. For example if we group the \(q\) terms corresponding to a cyclic permutation of \(t_1,\dots,t_q\)…

**B:** Wait, there might be less than \(q\) of them if some of the \(t_i\) are equal.

**A:** Oops, true. But the number of such terms will certainly divide \(q\). So if \(q\) happened to be prime, then there would be either one such term, which means that all \(t_i\) are equal, or exactly \(q\) of them… if we were to look modulo \(q\), the latter terms would cancel out, so we can say

\(N_q(a)\equiv p^{q-1}+\displaystyle\sum_{qt\equiv a\pmod p}\left(\frac{t^q}{p}\right)\pmod q\).

If \(p,q\) are distinct odd primes, then \(qt\equiv a\pmod p\) has a unique solution modulo \(p\), so then

\(N_q(a)\displaystyle\equiv 1+\left(\frac{t^q}{p}\right)\equiv 1+\left(\frac{t^qq^{q+1}}{p}\right)\equiv 1+\left(\frac{a^qq}{p}\right)\equiv 1+\left(\frac{a}{p}\right)\left(\frac{q}{p}\right)\pmod q\).

Isn’t that cool?

**B:** I suppose it is, but we want to find the exact value of \(N_q(a)\), so working modulo \(q\) won’t help us, especially when \(q\) is not prime. Maybe we should try to go back to induction?

**A:** Alright. But I still think that it’s cool to consider the number of solutions of an equation modulo \(p\) modulo \(q\).

**B:** For \(q=1\) the number of solutions clearly depends only on whether \(a\) is zero, a quadratic residue or a nonresidue. I think the same should be true for larger \(q\): if we have two nonzero squares \(b^2,c^2\), then a solution

\(x_1^2+\dots+x_q^2\equiv b^2\pmod p\)

of one equation gives a solution

\(\displaystyle\left(\frac{x_1c}{b}\right)^2+\dots+\left(\frac{x_qc}{b}\right)^2\equiv c^2\pmod p\)

of the other equation.

**A:** This gives a bijection! So we can say that the numbers \(N_q(a)\) are the same for all nonzero squares! Also, a ratio of two nonresidues is a residue, so we can do pretty much the same thing for nonsquares!

**B:** So it might be useful to somewhat forget about the number \(a\) and just think about whether it is a square or not. So we can let \(\square\) be a placeholder for a nonzero square, so that \(N_q(\square)\) is a well-defined number…

**A:** …and we can also have \(N_q(\triangle)\) for nonsquares!

**B:** Wait, why a triangle?

**A:** Because it’s not a square.

**B:** …fair enough.

**A:** Oh! We can also have…

**B:** We are *not* using \(\bigcirc\) in place of \(0\).

**A:** …fine. Anyways, let’s try to find out something about \(N_{q+1}(0)\). First of all, \(x_1\) might be zero.

**B:** In this case, \(x_2^2+\dots+x_{q+1}^2\equiv 0\pmod p\). We know how many solutions this has – it’s \(N_q(0)\).

**A:** Good, now let’s see what happens if \(x_1\) is nonzero. For equality to hold, \(x_2^2+\dots+x_{q+1}^2\) must be \(-x_1^2\). Is this a quadratic residue or a nonresidue?

**B:** It depends on whether \(-1\) is a square or not. Thankfully we have Euler’s criterion, which tells us that it’s a square precisely when \(p\equiv 1\pmod 4\).

**A:** Oh god, we split into cases. Wonderful.

**B:** So if \(p\equiv 1\pmod 4\), then for any nonzero \(x_1\) we want \(x_2^2+\dots+x_{q+1}^2\equiv\square\pmod p\), so we get \(N_{q+1}(0)=N_q(0)+(p-1)N_q(\square)\).

**A:** For \(p\equiv 3\pmod 4\) we get \(N_{q+1}(0)=N_q(0)+(p-1)N_q(\triangle)\). So we are done with \(N_{q+1}(0)\) for now.

**B:** I think we are, though I have a feeling this was the easy part. So now let’s take a look at \(N_{q+1}(\square)\). If \(x_1=0\), then we easily see that there are \(N_q(\square)\) solutions, so let \(x_1\neq 0\).

**A:** Now we have \(x_1^2+(x_2^2+\dots+x_{q+1}^2)\equiv\square\pmod p\), so we want \(x_2^2+\dots+x_{q+1}^2\equiv\square-x_1^2\pmod p\). But we don’t know whether \(\square-x_1^2\) is a square or not!

**B:** It sometimes is and sometimes isn’t, I’m afraid, and sometimes it’s zero. We should figure out how many times \(\square-x_1^2\) is zero, square and nonsquare.

**A:** Clearly it’s zero for two values of \(x_1\). So now how often is a difference of squares a square or nonsquare… I think we might quickly get lost with all these squares; we should give some names to these numbers.

**B:** You have defined the last piece of notation, so now it’s my turn. Let’s say \(X_{1,1;a}\) is the number of solutions modulo \(p\) to \(b+c=a\) with \(b\) and \(c\) both quadratic residues, \(X_{1,-1;a}\) the number…

**A:** Why don’t you use squares and triangles?

**B:** Fine. \(X_{\square,\square;a}\) is what I’ve said, \(X_{\square,\triangle;a}\) is the same thing with \(b\) residue and \(c\) nonresidue and so on.

**A:** Now this is some notation I like!

**B:** *Anyways*, like we had with \(N_q(a)\), this quite clearly only depends on \(a\) being zero, a square or a nonsquare, so we can define \(X_{\square,\triangle;\square}\) and what not.

**A:** So now we have to figure out values of these numbers. Counting in \(X_{\square,\square;0}\) and others we have 12 unknowns. There are some obvious relations between these numbers, like

\(\displaystyle X_{\square,\triangle;a}=X_{\triangle,\square;a}\).

**B:** Ones with \(a=0\) should be easy to find. If we have \(b+c=0\), so \(b=-c\), we see that, depending on \(p\) modulo \(4\)…

**A:** Can we please focus on just one case modulo \(4\) for now? There are already enough numbers laying around.

**B:** Alright, for \(p\equiv 1\pmod 4\) we see that \(b\) is quadratic residue iff \(c\) is, so from that we get

\(\displaystyle X_{\square,\square;0}=X_{\triangle,\triangle;0}=\frac{p-1}{2},X_{\square,\triangle;0}=0\).

**A:** Also, if we consider all possible sums \(b+c\) with \(b\) a quadratic residue and \(c\) a nonresidue, and on the other hand we count \(X_{\square,\triangle;a}\) for all \(a\), we will find

\(\displaystyle\frac{p-1}{2}X_{\square,\triangle;\square}+\frac{p-1}{2}X_{\square,\triangle;\triangle}+X_{\square,\triangle;0}=\left(\frac{p-1}{2}\right)^2\),

so, as \(X_{\square,\triangle;0}=0\), dividing by \(\frac{p-1}{2}\) we get

\(\displaystyle X_{\square,\triangle;\square}+X_{\square,\triangle;\triangle}=\frac{p-1}{2}\).

**B:** Also, similarly,

\(\displaystyle X_{\square,\square;\square}+X_{\square,\square;\triangle}+1=\frac{p-1}{2}\).

This looks like we’re getting somewhere. Hmm, when we were multiplying solutions by a ratio of two squares or of two nonsquares, we could show that \(X_{\cdot,\cdot;a}\) is the same for all squares \(a\) or for all nonsquares \(a\). What if we tried to multiply by a ratio of a square and a nonsquare?

**A:** The result would be a nonsquare, so it’d flip the character of all terms… so this gives us another bijection! We have from this that swapping squares and triangles in all three positions gives the same number! So for example, \(X_{\square,\triangle;\triangle}=X_{\triangle,\square;\square}=X_{\square,\triangle;\square}\). But wait, plugging that into my last equation, we can see

\(\displaystyle X_{\square,\triangle;\square}=\frac{p-1}{4}\)!

**B:** Now this is real progress! So we can figure out all of \(X_{\square,\triangle;a}\). Now we have to relate these to other variables. Counting the solutions to equation \(a=b+c\) with constrained \(b,c\) worked before, so we can try restricting \(a\) to be a square as well. If we take, say, \(b\) to also be a residue and \(c\) to be a nonresidue, then we easily get \(\frac{p-1}{2}X_{\square,\triangle;\square}\).

**A:** Note that we can rewrite \(a=b+c\) as \(a+(-b)=c\). But \(-b\) is a quadratic residue whenever \(b\) is (we are still in the case \(p\equiv 1\pmod 4\)), so in essentially the same way we see that the number of solutions is \(\frac{p-1}{2}X_{\square,\square;\triangle}\). So we must have

\(\displaystyle X_{\square,\triangle;\square}=X_{\square,\square;\triangle}\).

**B:** This is just what we needed! We can now figure out all the variables:

\(\displaystyle X_{\square,\square;\square}=\frac{p-5}{4},X_{\square,\triangle;\square}=X_{\square,\square;\triangle}=\frac{p-1}{4},X_{\square,\triangle;0}=0;X_{\square,\square;0}=\frac{p-1}{2}\)

and the rest can be easily figured out by swapping squares and triangles.

**A:** We get quite similar results for \(p\equiv 3\pmod 4\):

\(\displaystyle X_{\square,\square;\square}=X_{\square,\triangle;\square}=\frac{p-3}{4},X_{\square,\square;\triangle}=\frac{p+1}{4},X_{\square,\triangle;0}=\frac{p-1}{2};X_{\square,\square;0}=0\).

**B:** You are incredibly fast at mental algebra I see.

**A:** Now that we have figured out these values, we can finally… what did we need these values for again?

**B:** We are given a square \(\square\) and we need to figure out for how many \(x_1\), in the equation \(x_1^2+(x_2^2+\dots+x_{q+1}^2)=\square\) the second summand is square or a nonsquare.

**A:** Ah, right. If \(p\equiv 1\pmod 4\), exactly for \(X_{\square,\square;\square}=\frac{p-5}{4}\) values of \(x_1^2\), so for \(\frac{p-5}{2}\) values of \(x_1\), that summand has to be a square, which it can be in \(N_q(\square)\) ways.

**B:** And for \(2X_{\square,\triangle;\square}=\frac{p-1}{2}\) values of \(x_1\) it has to be a nonsquare, which it can be in \(N_q(\triangle)\) ways. So this gives…

**A:** Remember that also \(x_1\) can be zero, and for two choices of \(x_1\) we need \(x_2^2+\dots+x_{q+1}^2\equiv 0\pmod p\)!

**B:** Good point. In total, we get

\(\displaystyle N_{q+1}(\square)=\frac{p-5}{2}N_q(\square)+\frac{p-1}{2}N_q(\triangle)+N_q(\square)+2N_q(0)=\frac{p-3}{2}N_q(\square)+\frac{p-1}{2}N_q(\triangle)+2N_q(0)\).

**A:** We can deal with \(N_{q+1}(\triangle)\) similarly, the only difference being that now \(x_1^2\) can’t be \(\triangle\), so we don’t get the \(N_q(0)\) term. All in all,

\(\displaystyle N_{q+1}(\triangle)=\frac{p-1}{2}N_q(\square)+\frac{p+1}{2}N_q(\triangle)\).

**B:** Also, to recap, in this case we have

\(\displaystyle N_{q+1}(0)=(p-1)N_q(\square)+N_q(0)\).

So we have a simultaneous recurrence involving three functions. How could we go about solving it?

**A:** Well, of course the hard part is actually figuring out what the answer could possibly be, since once we know the formula we will most likely be able to prove it inductively. One way to find the formula is to note that, if we denote by \(\mathbf x_q\) a column vector with entries \(N_q(\square),N_q(\triangle),N_q(0)\), then the above system of recurrences can be written as \(\mathbf x_{q+1}=M\mathbf x_q\) for a certain matrix \(M\), so that \(\mathbf x_q=M^{q-1}\mathbf x_1\). Hence we would like to find explicit formulas for the coefficients of the powers of the matrix \(M\). The standard method for doing that in linear algebra is diagonalization: we find an invertible matrix \(C\) and a diagonal matrix \(D\) such that \(M=C^{-1}DC\). This is not always possible, but using eigenvalues and eigenvectors we can rather straightforwardly check that it is possible for \(M\), and indeed we can explicitly find \(C,D\). The usefulness of this approach is that now \(M^{q-1}=(C^{-1}DC)^{q-1}=C^{-1}D^{q-1}C\), and taking powers of diagonal matrices is simple – you just take powers of the diagonal entries. This method is very effective in practice, and in general it can…

**B:** Alright, enough of that rambling, what is the formula?

**A:** …as I was about to say, it gives us, for odd \(q\),

\(N_q(\square)=p^{q-1}+p^{(q-1)/2},N_q(\triangle)=p^{q-1}-p^{(q-1)/2},N_q(0)=p^{q-1}\)

and for even \(q\) we have

\(N_q(\square)=p^{q-1}-p^{(q-2)/2},N_q(\triangle)=p^{q-1}-p^{(q-2)/2},N_q(0)=p^{q-1}+p^{q/2}-p^{(q-2)/2}\).

**B:** That’s great! I suppose at this point we have achieved what we tried to achieve.

**A:** Not quite yet – we still have \(p\equiv 3\pmod 4\) to work out. Thankfully, exactly the same method works here, except now the sign changes depending on \(q\) modulo \(4\). For \(q\) respectively \(0,1,2,3\pmod 4\) we have

\(N_q(\square)=p^{q-1}-p^{(q-2)/2},N_q(\triangle)=p^{q-1}-p^{(q-2)/2},N_q(0)=p^{q-1}+p^{q/2}-p^{(q-2)/2}\),

\(N_q(\square)=p^{q-1}+p^{(q-1)/2},N_q(\triangle)=p^{q-1}-p^{(q-1)/2},N_q(0)=p^{q-1}\),

\(N_q(\square)=p^{q-1}+p^{(q-2)/2},N_q(\triangle)=p^{q-1}+p^{(q-2)/2},N_q(0)=p^{q-1}-p^{q/2}+p^{(q-2)/2}\),

\(N_q(\square)=p^{q-1}-p^{(q-1)/2},N_q(\triangle)=p^{q-1}+p^{(q-1)/2},N_q(0)=p^{q-1}\).

**B:** I have no idea how you are doing these things in your head, but I’ll trust you it’s correct. This seems like a complete answer to our problem, at least modulo a prime.

**A:** You have reminded me – I’ve earlier found this one congruence for \(N_q(a)\). I wonder what this big formula looks like reduced modulo \(q\): since we only deal with odd \(q\), the formula will simplify a bit. Also, we can use the Legendre symbol here – we can write \(N_q(a)=p^{q-1}\pm\left(\frac{a}{p}\right)p^{(q-1)/2}\), with \(-\) sign iff \(p\equiv q\equiv 3\pmod 4\).

**B:** Reducing this modulo \(q\), using Euler’s criterion we have

\(N_q(a)\equiv 1\pm\left(\frac{a}{p}\right)\left(\frac{p}{q}\right)\pmod q\)

so, comparing with the earlier formula…

**A:** …we get

\(1+\left(\frac{a}{p}\right)\left(\frac{q}{p}\right)\equiv 1\pm\left(\frac{a}{p}\right)\left(\frac{p}{q}\right)\pmod q\),

so setting, for example, \(a=1\)…

**B:** …we find

\(\left(\frac{q}{p}\right)=\pm\left(\frac{p}{q}\right)\)

with \(-\) sign iff \(p\equiv q\equiv 3\pmod 4\).

**A:** …so, we have just proven quadratic reciprocity. By playing around with your dumb game.

**B:** Please, let that be at the very least a proof that this game is not dumb. Alright, if you really don’t want to deal with it anymore then we can go do some public key exchange. What do you think?

**A:** Sounds great. I’ll go grab Eve, she really likes listening to our encrypted messages for some reason.

**B:** Alright. Catch you later.

The above proof is due to V.A. Lebesgue. I follow the exposition in “The Quadratic Equation in Fp and the Quadratic Reciprocity Law” by R. Jakimczuk.

Originally I couldn’t make up my mind on whether I should follow this proof or the variation apparently due to W. Castryck (see his “A shortened classical proof of the quadratic reciprocity law”) which, instead of counting solutions to \(x_1^2+x_2^2+\dots+x_q^2\equiv a\pmod p\), counts solutions to the alternating sum equation \(x_1^2-x_2^2+\dots+x_q^2\equiv a\pmod p\) for odd \(q\). Castryck’s proof is in pretty much every aspect simpler than Lebesgue’s, but has one drawback which would definitely discourage Bob from presenting it to Alice – the corresponding game is nearly trivial. The game which Bob has designed is definitely much more interesting and I encourage everyone reading this article to do what Alice didn’t want to do, namely figure out the winning strategy, possibly with the winning condition replaced by “the sum of squares is \(a\pmod p\)” for some fixed \(a\), or even something more complex. Feel free to explore this game to your heart’s desire, generalizing to composite moduli, more complicated equations and what not. I don’t know if the gaming aspect of this theory has been explored before, but there is a beautiful and deep theory regarding the number of solutions of a given equation modulo various integers.
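To make the counting argument concrete, here is an added example that is not part of the original post; the function names and the sample primes are my own choices. It counts the solutions of \(x_1^2+\dots+x_q^2\equiv a\pmod p\) for small primes by iterating the convolution \(N_q(a)=\sum_{t_1+\dots+t_q=a}N_1(t_1)\dots N_1(t_q)\) from the dialogue, checks the resulting counts against the closed forms for \(N_q(\square),N_q(\triangle),N_q(0)\) for every residue \(a\) (including composite \(q\), for which the closed forms still hold), and recovers \(\left(\frac{q}{p}\right)\) from \(N_q(1)\bmod q\) exactly as the dialogue does.

```python
"""Brute-force check of the counting argument in the dialogue.

Constructed example, not code from the original post; every name below is my own.
For small odd primes p and any number of variables q it counts the solutions of
x_1^2 + ... + x_q^2 = a (mod p) directly, compares them with the closed forms for
N_q(square), N_q(nonsquare) and N_q(0), and recovers (q/p) from N_q(1) mod q.
"""


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, computed by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_solutions(q, p):
    """Return N with N[a] = number of solutions of x_1^2 + ... + x_q^2 = a (mod p).

    This is the convolution N_q = N_1 * ... * N_1 written out in the dialogue:
    start with the distribution of a single square, N_1(t) = 1 + (t/p), and fold
    it in q times.  Cost O(q p^2) instead of the p^q tuples of a naive search.
    """
    one = [0] * p
    for x in range(p):
        one[x * x % p] += 1
    dist = [1] + [0] * (p - 1)          # q = 0: only the empty sum, which is 0
    for _ in range(q):
        new = [0] * p
        for s, c in enumerate(dist):
            if c:
                for t, d in enumerate(one):
                    if d:
                        new[(s + t) % p] += c * d
        dist = new
    return dist


def closed_form(q, p):
    """The closed forms from the dialogue, as (N_q(square), N_q(nonsquare), N_q(0)).

    The sign flips exactly when p = 3 (mod 4) and q = 2 or 3 (mod 4).
    """
    if q % 2 == 1:
        sign = -1 if (p % 4 == 3 and q % 4 == 3) else 1
        h = p ** ((q - 1) // 2)
        return p ** (q - 1) + sign * h, p ** (q - 1) - sign * h, p ** (q - 1)
    sign = -1 if (p % 4 == 3 and q % 4 == 2) else 1
    h = p ** ((q - 2) // 2)
    return (p ** (q - 1) - sign * h,
            p ** (q - 1) - sign * h,
            p ** (q - 1) + sign * (p ** (q // 2) - h))


def check_closed_form(q, p):
    """True iff the brute-force counts match the closed form for every a mod p."""
    counts = count_solutions(q, p)
    square, nonsquare, zero = closed_form(q, p)
    expected = {1: square, -1: nonsquare, 0: zero}
    return all(counts[a] == expected[legendre(a, p)] for a in range(p))


def reciprocity_from_counts(q, p):
    """Recover (q/p) from N_q(1) mod q for distinct odd primes p, q.

    As in the dialogue, N_q(1) = 1 + (q/p) (mod q), so the residue is 2 when q is
    a square mod p and 0 when it is not.  Returns (recovered (q/p), the value
    predicted by quadratic reciprocity from (p/q)) so the two can be compared.
    """
    residue = count_solutions(q, p)[1] % q
    recovered = 1 if residue == 2 else -1
    sign = -1 if (p % 4 == 3 and q % 4 == 3) else 1
    return recovered, sign * legendre(p, q)


if __name__ == "__main__":
    primes = (3, 5, 7, 11, 13)
    for p in primes:
        for q in range(1, 7):
            assert check_closed_form(q, p), (q, p)
    for p in primes:
        for q in primes:
            if p != q:
                got, predicted = reciprocity_from_counts(q, p)
                assert got == legendre(q, p) == predicted, (q, p)
    print("closed forms and quadratic reciprocity verified for", primes)
```

Running the file checks the closed forms for \(p\in\{3,5,7,11,13\}\) and \(q\leq 6\), and the reciprocity relation for every pair of distinct primes among them. Because `count_solutions` folds in one variable at a time, its cost grows polynomially in \(p\), so larger primes are feasible where enumerating all \(p^q\) tuples would not be.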

Last note: I am aware of the fact that the title of this post might be considered somewhat false advertising, because throughout this article the only point at which we have used the game aspect is to motivate the question. I did try to find a proof of this theorem which would use the game structure in a more essential way, for example encoding the Legendre symbol as the winning player, unfortunately to no avail. If anyone has any ideas on how to make this proof, or possibly some other proof of QR (I was thinking of Zolotarev’s proof, neatly explained in this article), more game-y, I’d certainly love to hear about that!

Post-last note: the form of this post might or might not have been subconsciously inspired by this blog post by Adam P. Goucher, in which he explains Poncelet’s porism in the form of a Socratic dialogue.
