This is a topic I have been fascinated by for years now and I have been seeking an opportunity/excuse to read more into it. Around a year ago I have given a 30-minute talk on this topic during a student conference I was attending, but due to time constraints I couldn’t get far into the topic nor did I get deep into it myself. My talk during PROMYS Europe was different – I would like to thank all counsellors for having patience to sit through my 2.5 hour long (!) talk, despite my promises I will keep it reasonably short. I have greatly enjoyed reading up on the topic and then preparing to present it to others.

I must admit I am quite proud of the write-up for this talk, which is why I would like to share it with everyone. Except for some minor fixes, this is a version which ended up in our yearbook, but I hope some people find some benefit in this, perhaps even find this topic as interesting as I do!

]]>All background necessary for this post is some basic knowledge about ordinals, in particular cofinalities.

The question above can be asked for arbitrary partial order – what is the supremum of lengths of well-ordered chains in a given poset? Before we tackle \(\N^\N\), let’s look at a few simpler ones, the ideas from resolution of which will be useful later.

If we consider the set of rational numbers with their standard ordering, the resolution is not too difficult – clearly no uncountable ordinal can be embedded in this order, so we get an upper bound \(\omega_1\) (it’s a nice exercise to show the same is true for the set of real numbers). This turns out to be the right answer, and to see that we have to show that any countable ordinal can be embedded in \(\mathbb Q\).

We proceed by transfinite induction, and we prove the following statement: For any countable ordinal \(\alpha\) and rational numbers \(a<b\), there is a subset of an open interval \((a,b)\) of length \(\alpha\).

**Proof:** This is obvious for \(\alpha=0\). Given a successor ordinal \(\alpha=\beta+1\), take some \(c\in (a,b)\) and a subset \(A\subseteq(a,c)\) of length \(\beta\), then \(A\cup\left\{c\right\}\subseteq(a,b)\) has length \(\alpha\).

If \(\alpha\) is a limit ordinal, it can be written as a countable sum \(\alpha_0+\alpha_1+\alpha_2+\dots\). Pick a sequence of rationals \(a=a_0<a_1<a_2<\dots<b\) (for example by taking successive midpoints) and subsets \(A_i\subseteq (a_i,a_{i+1})\) of length \(\alpha_i\). The union of these sets will have length \(\alpha\). Hence such a subset exists for all countable ordinals. \(\square\)

Mentioning the intervals in the statement might look a bit artificial, but it helps in the last step when “gluing together” the subsets; note that if we talked about arbitrary subsets, it would not be so clear how to add them.

We now introduce the terminology properly. Consider two functions \(f,g:\N\to\N\). We say that \(f\) *eventually dominates* \(g\), denoted \(f>^*g\), if there is an \(n_0\) such that \(f(n)>g(n)\) for \(n\geq n_0\). This is a (strict) partial order on \(\N^\N\). In this poset we consider well-ordered chains, i.e. subsets of the form \(\{f_\beta:\beta<\alpha\}\) for some ordinal \(\alpha\) such that if \(\beta<\gamma\), then \(f_\beta<^*f_\gamma\). We call \(\alpha\) the *length* of this chain. The question is, what is the supremum of lengths of well-ordered chains?

The question which sparked these considerations dealt with *computable* functions, relating to the fast-growing hierarchy (FGH). Using FGH (or rather some variant which guarantees we get a chain) it’s not hard to show there are chains of length being any recursive ordinal, so the supremum is at least \(\omega_1^\mathrm{CK}\), the Church-Kleene ordinal. Given the context it’s a natural guess that this ordinal is the right answer, but it turns out that it’s not.

Indeed, the answer is the same as in the case of rationals, and for a good reason: we can find a subset of computable functions which is order-isomorphic to positive rationals. The embedding is simple: given a rational number \(q>0\), we take the function \(f_q(n)=\lfloor qn\rfloor\). Using the results of the previous section, we can find chains of any countable ordinal length. Since there are countably many computable functions, we can’t do any better, so \(\omega_1\) is the desired supremum.

Using above arguments we can show that there are chains of any countable ordinal length in \(\N^\N\). However, for the first time we are are not constrained by the cardinality issues. Indeed, it is possible to embed all of \(\omega_1\) into this poset, for example using the fast-growing hierarchy (note that we need to agree on fundamental sequences for all countable limit ordinals, which will require some amount of choice, which is unfortunately unavoidable).

It’s not clear, however, how to continue. In order to embed \(\omega_1+1\), we need to construct a hierarchy like above, but making sure that there is another function which will eventually dominate the whole hierarchy, i.e. we need to construct a *bounded* hierarchy (note: here and below we require all bounds to be strict). While I’m not sure if this can be done with FGH itself, using a similar, just more careful, diagonalization it can be achieved.

When we construct a chain, going from one function to its successor is most easily achieved by simply adding \(1\). We wouldn’t like the new function to exceed the bound we have put on our hierarchy. For this reason we introduce a stricter relation between functions: we say that \(f\) *properly dominates* \(g\), denoted \(f>^pg\), if \(f\) eventually dominates \(g+k\) for any \(k\in\N\) (equivalently, \(f-g\) tends to infinity). It’s easy show that \(f>^pg\) is a necessary condition for existence of an infinite chain between \(f\) and \(g\), and it turns out to be sufficient for existence of not only infinite, but even uncountable chains.

The following result is a key to constructing bounded hierarchies:

**Lemma:** Let \(f_1<^*f_2<^*\dots\) be a countable chain of functions, all properly dominated by some function \(F\). There is a function \(g\) eventually dominating every \(f_k\) and properly dominated by \(F\).

**Proof:** By assumption, we can take, for every \(k\), an integer \(n_k\) such that, for \(n\geq n_k\), \(f_k(n)>f_i(n)\) for all \(i\leq k\) and \(f_k(n)+k< F(n)\). We may take \(\dots\). Define
\[g(n)=\begin{cases}
0 & \text{for}\,n < n_1,\\
f_k(n) & \text{for}\,n_k\leq n<n_{k+1}.\end{cases}\]
Now, if \(n\geq n_k\), then \(n_l\leq n<n_{l+1}\) for some \(l\geq k\), so we have \(g(n)=f_l(n)>f_k(n)\), so \(g>^*f_k\), and \(g(n)=f_l(n)< F(n)-l\leq F(n)-k\), so \(g+k<^*F\), hence \(F>^pg\). Thus \(g\) is our desired function. \(\square\)

We can now show not only that there are bounded chains of length \(\omega_1\), but there are such chains below any (sensible) such bound:

**Proposition:** If \(F>^p0\), then there is a chain under eventual domination of length \(\omega_1\) bounded by \(F\). Indeed, we can take this chain to be a chain under proper domination.

**Proof:** We construct this chain by transfinite recursion on \(\alpha<\omega_1\). Take \(f_0=0\). Given \(\alpha=\beta+1\), if we already have \(f_\beta\), let \(f_\alpha=f_\beta+1\). For \(\alpha\) a limit ordinal, take a sequence \(\alpha_1<\alpha_2<\dots\) converging to \(\alpha\) and apply the previous lemma to the sequence \(f_{\alpha_1}<^*f_{\alpha_2}<^*\dots\). We let \(f_\alpha\) be the resulting function \(g\). It follows immediately that this gives a chain of length \(\omega_1\) under eventual domination properly dominated by \(F\).
For proper domination, take the above chain and consider \(f_{\omega\alpha},\alpha<\omega_1\). If \(\alpha>\beta\), then \(\alpha\geq \beta+1\), so \(\omega\alpha>\omega\beta+k\) for all \(k\in\N\), hence \(f_{\omega\alpha}>^*f_{\omega\beta+k}=f_{\omega\beta}+k\). This means \(f_{\omega\alpha}>^pf_{\omega\beta}\), so we get a chain under proper domination. \(\square\)
Given \(f>^pg\), applying the proposition to the function \(f-g\) (let's say we take it equal to zero if the result would've been negative, which happens only finitely many times anyways), or just using a similar argument, we get:
**Corollary:** If \(f>^pg\), there is a chain of length \(\omega_1\) under proper domination bounded between \(f\) and \(g\).

In this section we give the proof of the main result. The method bears a lot of resemblance to the construction of chains in the rationals.

**Proposition:** For any functions \(f<^pg\) and an ordinal \(\alpha<\omega_2\) there is a chain under eventual domination of length \(\alpha\) bounded between \(f\) and \(g\).

**Proof:** As usual, we proceed by induction on \(\alpha\). We note that every ordinal below \(\omega_2\) is either \(0\), a successor, or is limit of cofinality at most \(\omega_1\). The case \(\alpha=0\) is trivial. If \(\alpha=\beta+1\), then take a function \(h\) such that \(f<^ph<^pg\) (for example, \(h=\left\lfloor\frac{f+g}{2}\right\rfloor\)). There is a chain between \(f\) and \(h\) of length \(\beta\), and taking its union with \(\{h\}\) gives a desired chain of length \(\alpha\).

If \(\alpha\) is a limit ordinal, it can be written as a sum of \(\omega_1\) summands smaller than \(\alpha\) (we allow them to be zero, to account for cofinality \(\omega\)), say \(\alpha=\sum_{\gamma<\omega_1}\alpha_\gamma\). Using previous proposition, there is a chain \(\{f_\gamma:\gamma<\omega_1\}\) under proper domination bounded between \(f\) and \(g\). There is a chain \(A_\gamma\) of length \(\alpha_\gamma\) bounded between \(f_\gamma\) and \(f_{\gamma+1}\). Their union, \(A=\bigcup_{\gamma<\omega_1}A_\gamma\), is a chain bounded between \(f\) and \(g\) of length \(\alpha\). \(\square\)

Hence the supremum of lengths of well-ordered chains of functions is at least \(\omega_2\).

\(\omega_2\) shown above is only a lower bound for this supremum, I do not claim it’s the precise value. However, we can say with certainty that it sometimes is tight – namely, when the continuum hypothesis holds. For under CH there clearly can’t be a chain of length \(\omega_2\) or longer, so the supremum must be exactly \(\omega_2\).

On the flipside, there are instances where this bound is *not* tight, for example if the bounding number is sufficiently large. Indeed, if \(\frak b>\aleph_2\) (which is consistent with ZFC, as \(\frak b\) can be any uncountable, regular cardinal), then any chain of length smaller than \(\omega_3\) can be extended.

The same argument shows that we can always find a chain of length \(\frak b\). This bound, however, is quite trivial. A friend of mine has suggested that it might be possible to reach \(\frak b^+\) (the next initial ordinal), i.e. every ordinal of cardinality \(\frak b\) is a length of a chain in \(\N^\N\). While we did not succeed at proving that (it’s not even clear how to reach \(\frak{b}+1\)!), I propose the following conjecture, which implies the supremum is at least \(\frak b^+\) by the reasoning similar to what I’ve described in this post:

**Conjecture:** If \(f>^p0\), then there is a chain bounded by \(f\) of length \(\frak b\).

Regarding upper bounds, the only one I know is a trivial one, namely \(\frak c^+\) (by cardinality reasons), and to the best of my knowledge this could always be the right answer. With this in mind, let me end the blog post with a

**Question:** Is it consistent that the supremum of well-ordered chains is *smaller* than \(\frak c^+\)?

Levi van de Pol has recently contacted me claiming to have solved the above conjecture. While I haven’t yet verified all the details, it does seem that the proof he has shared with me is correct. The idea is as follows:

We say that \(f\) *increasingly dominates* \(g\) if the difference \(f-g\) is eventually nondecreasing and tends to infinity, denoted \(f\succ g\). If \(f\succ 0\), we can define \(f^{-1}(m)\) to be the least \(n\) such that \(f(n)\geq m\) (so it’s sort of an approximate inverse of \(f\)).

Given a family \(\mathcal F\) of functions increasingly dominated by some \(F\) of size below \(\frak b\), we consider the family of functions \(\{(F-f)^{-1}:f\in\mathcal F\}\). There must be a function \(g\) dominating all of them, and then \(F-g^{-1}\) then dominates all elements of \(\mathcal F\) and is increasingly dominated by \(F\).

The whole idea revolves around the mapping \(f\mapsto(F-f)^{-1}\) and its inverse, which serve, very roughly, the role of an order-preserving bijection between \(\N^\N\) and its elements bounded by \(F\). This also lets us answer some other questions, for example the analogue of the bounding number for functions bounded by \(F\) is equal to \(\frak b\), at least provided \(F>_p 0\).

I am satisfied by this lower bound, though there might still be some room for improvement. The last question, however, stays unanswered, and we do believe it to be much harder, likely requiring set-theoretic methods like forcing.

]]>The proof is based on the exposition in Davenport’s *Multiplicative Number Theory* and requires some understanding of complex analysis.

\(\newcommand{\re}{\operatorname{Re}}\newcommand{\im}{\operatorname{Im}}\)

Fix a finite field \(\mathbb F_q\) with \(q\) elements. Throughout we are only interested in monic polynomials in \(\mathbb F_q[x]\). For such a polynomial \(f\), we define its *norm* to be \(Nf=|\mathbb F_q[x]/(f)|=q^{\deg f}\). We define the *zeta function* for \(\re s>1\) by

\[\zeta_q(s)=\sum_f(Nf)^{-s}\]

(this and the following sums range over monic polynomials). Using multiplicativity of the norm and uniqueness of factorization in \(\mathbb F_q[x]\) we can establish and alternative expression for this zeta, known as the *Euler product*:

\[\zeta_q(s)=\prod_{p\text{ prime}}(1-(Np)^{-s})^{-1}.\]

It’s easy to give an explicit formula for \(\zeta_q\) (unlike for standard zeta function or many of its variants), but in order to show off analytic techniques, we will only use the following few facts:

- \(\zeta_q\) can be extended to a meromorphic function on the whole complex plane,
- \(\zeta_q\) is nonzero everywhere and has only simple poles at points \(1+2\pi in/\log q,n\in\mathbb Z\),
- \(\frac{\zeta_q’}{\zeta_q}\) has simple poles with residue \(-1\) at points \(1+2\pi in/\log q,n\in\mathbb Z\) and is holomorphic elsewhere (this follows from the previous two points),
- \(\left|\frac{\zeta_q'(s)}{\zeta_q(s)}\right|\) is bounded when \(|s-\rho|>\varepsilon\) for all poles \(\rho\) of \(\zeta_q\) and any fixed \(\varepsilon\).

For \(\re s>1\) we have can find the expression for \(\frac{\zeta_q’}{\zeta_q}\) by taking natural logarithm (denoted below by \(\log\)) of \(\zeta_q\) and differentiating (for this reason we call \(\frac{\zeta_q’}{\zeta_q}\) the *logarithmic derivative* of \(\zeta_q\)). Skipping the intermediate steps, we get

\[-\frac{\zeta_q'(s)}{\zeta_q(s)}=\sum_{p\text{ prime}}\log Np\cdot\sum_{k=1}^\infty (N(p^k))^{-s}.\]

If we introduce the von Mangoldt functions for polynomials, which is defined by \(\Lambda_q(f)=\log Np\) if \(f=p^k\) for some irreducible \(p\) and \(k\geq 1\), and \(\Lambda_q(f)=0\) otherwise, then we find

\[-\frac{\zeta_q'(s)}{\zeta_q(s)}=\sum_f\Lambda_q(f)(Nf)^{-1}\qquad(*)\]

(note: in my blog post on the Riemann hypothesis I define \(\Lambda_q\) using logarithm to the base \(q\). This only makes a difference of a factor \(\log q\) and the convention used here makes formulas simpler. In the last section we d get rid of it, though). This formula is the starting point for the analytic arguments which will establish an explicit formula for the partial sums \(\psi_q(x)=\sum_{Nf\leq x}\Lambda_q(f)\), meaning the sum over all polynomials with norm at most \(x\). In fact, it will be more convenient to deal with the modified summatory function \(\widetilde\psi_q(x)=\sum_{Nf\leq x}’\Lambda_q(f)\), where \(\sum’\) indicates that if \(Nf=x\), then we count in only *half* of the \(\Lambda_q(f)\) term.

\(\newcommand{\Res}{\operatorname{Res}}\)

There is a rather simple heuristic argument which works for many Dirichlet series and which shows how the partial sums of an arithmetic function “should” behave asymptotically. We start of with the following integral: for \(c,y\) positive and real we have

\[\frac{1}{2\pi i}\int_{c-i\infty}^{c+i\infty}\frac{y^s}{s}\mathrm ds=\begin{cases}

1 & \text{for }y>1,\\

\frac{1}{2} & \text{for }y=1,\\

0 & \text{for }y<1,

\end{cases}\]

where \(\int_{c-i\infty}^{c+i\infty}\) means the limit of line integrals \(\int_{c-iT}^{c+iT}\) as \(T\) goes to infinity. Therefore if we multiply \((*)\) by \(\frac{x^s}{s}\) and integrate from \(2-i\infty\) to \(2+i\infty\), we get (heuristically! we ignore issues with swapping the integral and the sum)

\[\frac{1}{2\pi i}\int_{2-i\infty}^{2+i\infty}-\frac{\zeta_q'(s)}{\zeta_q(s)}\frac{x^s}{s}\mathrm ds=\sum_f\Lambda_q(f)\frac{1}{2\pi i}\int_{2-i\infty}^{2+i\infty}\frac{(x/Nf)^s}{s}\mathrm ds=\widetilde\psi_q(x).\]

Now we move the integration contour — we continuously deform the line \((c-i\infty,c+i\infty)\) from \(c=2\) to \(-\infty\). Right now we use (heuristically) the residue theorem, which says that the only change in the value of the integral is due to the contour passing through a pole of the integrand. If the integral vanishes as \(c\rightarrow-\infty\), this will give us

\[\frac{1}{2\pi i}\int_{2-i\infty}^{2+i\infty}-\frac{\zeta_q'(s)}{\zeta_q(s)}\frac{x^s}{s}\mathrm ds=\sum_z\Res\left(-\frac{\zeta_q’}{\zeta_q}\frac{x^s}{s},z\right).\]

The poles of this function appear exactly at \(s=0\), where the residue is equal to \(-\frac{\zeta_q'(0)}{\zeta_q(0)}\), and at poles of \(\frac{\zeta_q’}{\zeta_q}\). The residue of \(-\frac{\zeta_q’}{\zeta_q}\) itself at each pole \(\rho\) is \(1\), but given that we multiply by \(\frac{x^s}{s}\), the residue is \(\frac{x^\rho}{\rho}\). In the end, taking into account the formula for poles of \(\zeta_q\), we obtain

\[\widetilde\psi_q(x)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{k=-\infty}^\infty\frac{x^{1+2\pi ik/\log q}}{1+2\pi ik/\log q}.\]

While the argumentation above is not enough to call it a proof, this formula turns out to be fully correct. The following section contains a more formal argument.

Formally deriving the above formula is a bit more work, but still doesn’t require anything beyond basic complex analysis. If someone is satisfied with the above heuristic and is more interested in consequences of this explicit formula, I recommend checking out the next section and returning to this one later.

For any \(x,T\) real positive we consider the integral \(J(x,T)=\frac{1}{2\pi i}\int_{2-iT}^{2+iT}-\frac{\zeta_q'(s)}{\zeta_q(s)}\frac{x^s}{s}\mathrm ds\). If \(T\) doesn’t coincide with an imaginary part of a pole, for any \(U>0\) we can apply the residue theorem to the rectangular contour with vertices \(2-iT,2+iT,-U+iT,-U-iT\) to get that \(J(x,T)\) is equal to the sum of residues, \(-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{|\im\rho|\leq T}\frac{x^\rho}{\rho}\), \(\rho\) ranging over poles, plus the sum of three integrals along line segments going through \(2-iT,-U-iT,-U+iT,2+iT\). Perturbing \(T\) by a bounded amount (which won’t affect the value as \(T\) goes to infinity, as the integrand goes to zero) we can make it so that the contour is not close to any of the poles (moving, for example, \(T\) to some \((2k+1)\pi/\log q\)). By one of the properties above, \(\left|\frac{\zeta_q’}{\zeta_q}\right|\) is bounded on that contour by some constant \(A\). For \(U\geq T\), we have \(|s|\geq T\) on this contour and \(|x^s|=x^{\re s}\). On the vertical line segment we have \(\re s=-U\), so the integral over this segment can be estimated by

\[\int_{-T}^T A\frac{x^{-U}}{T}\mathrm dt=2Ax^{-U},\]

which goes to zero as \(U\rightarrow\infty\) *provided \(x>1\)* (this is the first and last place where we need that assumption!) and on each of the horizontal segments the integral can be estimated by

\[\int_{-U}^2 A\frac{x^t}{T}\mathrm dt\leq\frac{A}{T}\int_{-\infty}^2x^t\mathrm dt=\frac{A}{T}\frac{x^2}{\log x}.\]

Hence we find \(J(x,T)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{|\im\rho|\leq T}\frac{x^\rho}{\rho}+O(T^{-1}x^2(\log x)^{-1})\) (the error term could be improved by a factor \(x\) if we took, say, \(1+(\log x)^{-1}\) in place of \(2\)).

Now let’s estimate the difference between \(J(x,T)\) and \(\widetilde\psi_q(x)\). For this, we again use the integral \(\frac{1}{2\pi i}\int_{c-i\infty}^{c+i\infty}\frac{y^s}{s}\mathrm ds\) used in the heuristic, but this time we need to know how quickly the integral converges in order to justify uniform convergence. Let

\[I(y,T)=\frac{1}{2\pi i}\int_{c-iT}^{c+iT}\frac{y^s}{s}\mathrm ds\\

\delta(y)=\begin{cases}

1 &\text{for }y>1,\\

\frac{1}{2} &\text{for }y=1,\\

0 &\text{for }y<1.

\end{cases}\]

Then the following estimate holds, which is proven in Davenport’s book and which I don’t reprove here:

\[|I(y,T)-\delta(y)|<\begin{cases} y^c\min\{1,T^{-1}|\log y|^{-1}\} &\text{for }y\neq 1,\\ cT^{-1} &\text{for }y=1. \end{cases}\] Note that we have \(\widetilde\psi_q(x)=\sum_f\Lambda_q(f)\delta\left(\frac{Nf}{x}\right)\) and, appealing to uniform convergence for \(\re s>1+\varepsilon\),

\[J(x,T)\stackrel{(*)}{=}\frac{1}{2\pi i}\int_{2-iT}^{2+iT}\left(\sum_f\Lambda_q(f)(Nf)^{-s}\right)\frac{x^s}{s}\mathrm ds=\sum_f\Lambda_q(f)I\left(\frac{Nf}{x},T\right),\]

therefore our goal is to estimate the difference

\[R(x,T)=J(x,T)-\widetilde\psi_q(x)=\sum_f\Lambda_q(f)\left(I\left(\frac{Nf}{x},T\right)-\delta\left(\frac{Nf}{x}\right)\right)\]

and show it goes to zero with \(T\) going to infinity. We have (since \(c=2\) here)

\[|R(x,T)|\leq\sum_{Nf\neq x}\Lambda_q(f)\left(\frac{x}{Nf}\right)^2\min\left\{1,T^{-1}\left|\log\frac{x}{Nf}\right|^{-1}\right\}+2T^{-1}\sum_{Nf=x}\Lambda_q(f).\]

In the last sum, note that \(\Lambda_q(f)\leq\log Nf=\log x\) and, if \(x=q^d\) (so that there even are nonzero terms), the number of terms is at most the number of degree \(d\) polynomials, \(q^d=Nf=x\), hence this last sum is \(O(T^{-1}x\log x)\).

For \(Nf\) smaller than \(\frac{3}{4}x\) or larger than \(\frac{5}{4}x\), \(\left|\log\frac{x}{Nf}\right|^{-1}=O(1)\), hence the sum over these terms is \(O\left(x^2T^{-1}\sum_f\Lambda_q(f)(Nf)^{-2}\right)=O(x^2T^{-1})\).

Let \(\langle x\rangle\) be the distance between \(x\) and the closest power of \(q\) (distinct from \(x\) if \(x\) happens to be one). Then for any \(f\) with \(Nf\neq x\) we have \(|Nf-x|\geq\langle x\rangle\). Hence we have

\[\left|\log\frac{x}{Nf}\right|=\left|\log\frac{Nf}{x}\right|\geq\left|\log\left(1\pm\frac{\langle x\rangle}{x}\right)\right|\geq\frac{\langle x\rangle}{x},\]

hence the contribution of any \(f\) with \(\frac{3}{4}x\leq Nf\leq\frac{5}{4}x\) into the first sum is, up to a constant, \(\Lambda_q(f)\frac{x}{T\langle x\rangle}=O\left(\frac{x\log x}{T\langle x\rangle}\right)\). There are \(O(x)\) polynomials of such norm, so they contribute \(O\left(\frac{x^2\log x}{T\langle x\rangle}\right)\). In the end, this gives

\[R(x,T)=O\left(\frac{x\log x}{T}\right)+O\left(\frac{x^2}{T}\right)+O\left(\frac{x^2\log x}{T\langle x\rangle}\right)=O\left(\frac{x^2}{T}\max\left\{1,\frac{\log x}{\langle x\rangle}\right\}\right).\]

Finally, we arrive at the equality

\[\widetilde\psi_q(x)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{|\im\rho|\leq T}\frac{x^\rho}{\rho}+O\left(\frac{x^2}{T}\max\left\{1,\frac{\log x}{\langle x\rangle}\right\}\right)\]

for \(x>1\), the sum being over the poles \(\rho\) of \(\zeta_q\). In particular, for a fixed \(x>1\), letting \(T\rightarrow\infty\) we get

\[\widetilde\psi_q(x)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{\rho}\frac{x^\rho}{\rho}=-\frac{\zeta_q'(0)}{\zeta_q(0)}+\sum_{k=-\infty}^\infty\frac{x^{1+2\pi ik/\log q}}{1+2\pi ik/\log q}.\]

*phew.*

There are two main reasons why we can’t derive the prime number theorem for polynomials (which one perhaps should call the irreducible polynomial theorem, but it doesn’t have a ring to it) in a manner similar to how one derives the standard PNT from the standard explicit formula (or, more precisely, uniform bounds on its rate of convergence):

- The error bound is horrible, since now we need \(T\) to be noticeably larger than \(x\) to make the error term smaller than the main term, and for \(T\) so large it’s becomes difficult to estimate the main term. Also, the error term cannot be easily improved, because the terms clutter at norms equal to powers of \(q\).
- The poles lie on the line \(\re s=1\), so \(\left|\frac{x^\rho}{\rho}\right|=\frac{x^{\re\rho}}{|\rho|}=\frac{x}{|\rho|}\), which has the same order of magnitude as the “intended” main term \(x\).

In fact, there have to be some problems here. The reason is that *PNT doesn’t hold in the expected way* — we do *not* have \(\widetilde\psi_q(x)\sim x\). This comes from the fact that the only possible norms are powers of \(q\), so \(\widetilde\psi_q\) is constant between them and the gaps are quite large. However, we can still derive a form of PNT, when we restrict \(x\) to only have the form \(q^n\) for \(n>0\). Indeed, for these \(x\) we have, for a pole \(\rho=1+2\pi ik/\log q\),\[x^\rho=(q^n)^{1+2\pi ik/\log q}=q^ne^{n\log q\cdot 2\pi ik/\log q}=q^ne^{2\pi ink}=q^n,\]

hence the explicit formula takes the form

\[\widetilde\psi_q(q^n)=-\frac{\zeta_q'(0)}{\zeta_q(0)}+q^n\sum_{k=-\infty}^\infty\frac{1}{1+2\pi ik/\log q}.\]

We can find the sum of the inner series — first we note that, if we pair up terms for \(k\) and \(-k\), we get

\[\frac{1}{1+2\pi ik/\log q}+\frac{1}{1-2\pi ik/\log q}=\frac{2}{1+(2\pi k/\log q)^2},\]

hence this sum is equal to \(1+2\sum_{k=1}^\infty\frac{1}{1+(\pi k/z)^2}\) for \(z=\frac{\log q}{2}\). This series is (equivalent to) a well-known partial fraction formula for hyperbolic cotangent:

\[1+2\sum_{k=1}^\infty\frac{1}{1+(\pi k/z)^2}=z\coth z=z\frac{e^{2z}+1}{e^{2z}-1}=\frac{\log q}{2}\frac{q+1}{q-1}.\]

We can also find the value of the logarithmic derivative at \(0\), which is most easily done using the explicit form of \(\zeta_q\) — omitting the calculations, we find \(\frac{\zeta_q'(0)}{\zeta_q(0)}=\frac{q\log q}{q-1}\). The explicit formula now says

\[\widetilde\psi_q(q^n)=\left(-\frac{q}{q-1}+\frac{q^n}{2}\frac{q+1}{q-1}\right)\log q.\]

Now we translate this to knowledge about the unmodified \(\psi_q\), using the fact \(\widetilde\psi_q(q^n)=\frac{1}{2}(\psi_q(q^{n-1})+\psi_q(q^n))\) for \(n\geq 1\). Note that \(\psi_q(q^0)=\psi_q(1)=0\). For \(n=1\), the explicit formula gives \(\widetilde\psi_q(q)=\frac{q}{2}\log q\), so clearly \(\psi_q(q)=q\log q\). For \(n=2\), we find \(\widetilde\psi_q(q^2)=\left(q+\frac{q^2}{2}\right)\log q\), so \(\psi_q(q^2)=\left(q+q^2\right)\log q\). A pattern slowly emerges — we have, for \(n\geq 0\),

\[\psi_q(q^n)=\log q\sum_{i=1}^nq^i,\]

which is most easily seen by rewriting the explicit formula as

\[\widetilde\psi_q(q^n)=\left(-\frac{q}{q-1}+\frac{q^n}{2}\frac{q+1}{q-1}\right)\log q=\frac{\log q}{2}\left(\frac{q^{n+1}-q}{q-1}+\frac{q^n-q}{q-1}\right)\\

=\frac{\log q}{2}(2q+2q^2+\dots+2q^{n-1}+q^n=\frac{\log q}{2}\left(\sum_{i=1}^nq^i+\sum_{i=1}^{n-1}q^i\right)\]

and using induction. From there, it is clear that we have

\[\sum_{\deg f=n}\Lambda_q(f)=\sum_{Nf=q^n}\Lambda_q(f)=q^n\log q.\]

(If we were to use base \(q\) logarithm in the definition of \(\Lambda_q\), we could write this in a very PNT-esque way — for \(x\) a power of \(q\), we would have \(\sum_{Nf=x}\Lambda_q(f)=x\).)

Let’s quickly rethink what this sum really counts — for every irreducible polynomial power \(p^d\) of degree \(n\), i.e. for every irreducible polynomial \(p\) of degree \(\frac{n}{d}\), for any divisor \(d\) of \(n\), we have a term \(\Lambda_q(p^d)=\log Np=\log q^{\deg p}=\log q\deg p\). Putting this into the formula above and getting rid of the \(\log q\) factor, we find

\[\sum_{d\mid n}\sum_{p\text{ prime},\deg p=d}d=q^n.\]

Writing \(c(d)\) for the number of irreducible polynomials of degree \(d\), we get the formula

\[\sum_{d\mid n}dc(d)=q^n.\]

Using Möbius inversion we can get an explicit formula for \(c(n)\) and from there find

\[c(n)=\frac{q^n}{n}+O(q^{n/2}),\]

or, in more PNT-esque way, when \(x\) is a power of \(q\),

\[\sum_{p\text{ prime},Np=x}1=\frac{x}{\log_qx}+O(\sqrt{x}).\]

Note that we have this nonzero error term, which one might find somewhat worrying, given that formulas up to now have been exact. This is because only counting irreducible polynomials is somewhat “wrong” — what one should do is count powers of these as well, properly weighted. More precisely, a power \(p^k\) should be counted as \(\frac{1}{k}\)-th of an irreducible polynomial. Then the “correct” prime-counting function would be

\[\sum_{k=1}^\infty\sum_{\deg p^k=n}\frac{1}{k}=\sum_{k=1}^\infty\frac{1}{k}c\left(\frac{n}{k}\right).\]

This turns out to be exactly equal to \(\frac{q^n}{n}\), and indeed is just the formula for \(\sum_{d\mid n}dc(d)\) divided by \(n\). Noteworthily, this formula is an analogue of Riemann’s explicit formula. It is possible, but is a bit more technically challenging, to derive Riemann’s formula directly, but in the polynomial setting we can derive it from the other explicit formula. To the best of my knowledge, it is not possible directly in the standard setting of natural numbers.

And we would have gotten away with it, too, if it wasn’t for you meddling nontrivial zeros!

]]>**Proposition:** Let \(A\) be a finite set and let \(B\) be a subset of \(A\). Then \(B\) is finite.

**Proof:** Suppose otherwise, that \(B\) is an infinite subset of \(A\). This means precisely that the complement of \(B\) is not an element of the Fréchet filter \(\mathcal F\) in \(A\), hence \(\mathcal F\) is a proper filter on \(A\). Since it’s a proper filter, we can apply the ultrafilter lemma to show that it is contained in some ultrafilter \(\mathcal U\). A standard result states that any ultrafilter containing Fréchet filter is nonprincipal. So \(U\) is a nonprincipal ultrafilter on \(A\). This implies that the Stone-Čech compactification \(\beta A\) is a proper superset of \(A\) (under the standard identification of elements of \(A\) as principal ultrafilters in \(A\)). In particular, by pigeonhole principle, \(\beta A\) and \(A\) are not bijective.

Now note that \(\beta A\), as a topological space, is the Stone-Čech compactification of \(A\) considered as a topological space with discrete topology. Since \(A,\beta A\) are not bijective, they are surely not homeomorphic as topological spaces. We will reach a contradiction as soon as we show that \(A\) is homeomorphic to its own Stone-Čech compactification.

To show that, we will use the characterization of Stone-Čech compactification as the unique, up to homeomorphism, compact Hausdorff topological space \(X\) containing \(A\) as a subspace and satisfying the universal property: any continuous function \(f:A\rightarrow Y\), where \(Y\) is some compact Hausdorff space, can be uniquely extended to a continuous function \(\widetilde f:X\rightarrow Y\) such that, for all \(a\in A,f(a)=\widetilde f(a)\). We need to verify all these properties.

Compactness: Let \(\displaystyle A\subseteq \bigcup_{i\in I}U_i\), where \(U_i\) are all open. Then for any \(a\in A\) there is an \(i_a\in I\) such that \(a\in U_{i_a}\). Since \(A\) is finite, this gives us a finite set of indices \(i_a,a\in A\) such that \(\displaystyle A\subseteq\bigcup_{a\in A} U_{i_a}\). This gives us a finite subcover of any open cover of \(A\). This means that \(A\) is compact.

Hausdorffness: Let \(a,b\in A\) be two distinct elements. Then \(\{a\},\{b\}\) are open, because we consider \(A\) with the discrete topology. Moreover, these two sets are disjoint, because every element in their intersection would be both \(a\) and \(b\), and these are different. This means precisely that \(A\) is Hausdorff.

Universal property: Let \(f:A\rightarrow Y\) be any continuous function, where \(Y\) is compact and Hausdorff. We define \(\widetilde f:A\rightarrow Y\) by \(\widetilde f(a)=f(a)\) for every \(a\in A\). Then for every \(a\in A\) we have \(f(a)=\widetilde f(a)\). Moreover, for any open set \(U\subseteq Y\) we have \(\widetilde f^{-1}(U)=f^{-1}(U)\), which is open, since \(f\) is continuous by assumption, so \(\widetilde f\) is continuous. We have shown existence, so we only need to confirm uniqueness. Suppose \(\widetilde{\widetilde f}\) is another such function. In particular, for all \(a\in A, \widetilde{\widetilde f}(a)=f(a)=\widetilde f(a)\). This means that \(\widetilde{\widetilde f}=\widetilde f\), as we wanted.

So we have a contradiction. Hence \(B\) is finite. \(\square\)

]]>**Thue’s theorem:** Suppose \(f(x,y)=a_0x^n+a_1x^{n-1}y+\dots+a_ny^n\) is a binary form which has degree \(n\geq 3\), is irreducible (i.e. \(f(x,1)\) is an irreducible polynomial in \(x\)) and \(f(x,1)\) has at least one nonreal root in \(\mathbb C\). Then for any nonzero integer \(c\) the equation \(f(x,y)=c\) has only finitely many integral solutions.

**Proof:** Suppose otherwise…

First of all, we may suppose \(a_0=1\), for otherwise, we replace \(f(x,y)\) with \(a_0^{n-1}f(\frac{1}{a_0}x,y)\), which still has integer coefficients. Write

\(f(x,1)=(x+\theta_1)(x+\theta_2)\dots(x+\theta_n)\).

The numbers \(\theta_1,\dots,\theta_n\) are all conjugates of \(\theta=\theta_1\), since we assumed \(f(x,1)\) is irreducible. It’s then easy to see

\(f(x,y)=(x+y\theta_1)(x+y\theta_2)\dots(x+y\theta_n)=N(x+y\theta) \qquad (1)\)

where \(N\) is the norm of the field \(k=\mathbb Q(\theta)\). Also put \(K=\mathbb Q(\theta_1,\dots,\theta_n)\). Hence we are interested in the solutions of \(N(\alpha)=c\), where \(\alpha\) is in the module (i.e. the additive subgroup) \(M\) generated by \(1,\theta\). Extend this two-element set to a basis of \(k\) \(\mu_1=1,\mu_2=\theta,\mu_3,\dots,\mu_n\) and denote by \(\overline{M}\) the module generated by these. To recover elements of \(M\) among these, we use the dual basis, i.e. elements \(\mu_1^*,\dots,\mu_n^*\) such that \(T(\mu_i\mu_j^*)=0\) for \(i\neq j\) and \(T(\mu_i\mu_i^*)=1\). Trace of \(\alpha\mu_i^*\) recovers then the coefficient of \(\mu_i\) in \(\alpha\), hence we want

\(T(\alpha\mu_i^*)=0\) for \(i=3,\dots,n\).

A general result (Theorem 1, Section 5.2, Chapter 2 in Borevich-Shafarevich, slightly rephrased) about elements of fixed norm in a module states the following.

**Theorem 1:** For a module \(\overline{M}\) of rank \(n\) in a field \(k\) of degree \(n\) there are elements \(\gamma_1,\dots,\gamma_k\in\overline{M}\) and \(\varepsilon_1,\dots,\varepsilon_r\in k\) such that every solution of \(N(\alpha)=c,\alpha\in\overline{M}\) can be uniquely written as

\(\alpha=\gamma_b\varepsilon_1^{u_1}\dots\varepsilon_r^{u_r}\).

Moreover, \(r=s+t-1\), where \(s\) is the number of real embeddings of \(k\) into \(\mathbb C\) and \(2t\) is the number of complex embeddings.

Therefore \(\alpha\) as above is in \(M\) if it satisfies the system of equations

\(T(\gamma_a\mu_i^*\varepsilon_1^{u_1}\dots\varepsilon_r^{u_r})=0\) for \(i=3,\dots,n\).

Since we assume there are infinitely many \(\alpha\) solving the above system, and \(\gamma_a\) ranges over a finite set, we can choose one of the \(\gamma\) such that infinitely many solutions of the above have \(\gamma_a=\gamma\). We can now write this system as

\(\displaystyle\sum_{j=1}^n\sigma_j(\gamma\mu_i^*)\sigma_j(\varepsilon_1)^{u_1}\dots\sigma_j(\varepsilon_r)^{u_r}=0\) for \(i=3,\dots,n\qquad (2)\),

where \(\sigma_j\) are embeddings of \(k\) into \(K\) ordered so that \(\sigma_j(\theta)=\theta_j\).

So now we want to derieve a contradiction from the assumption that \((2)\) has infinitely many solutions in integers \(a_1,\dots, a_r\).

The idea now is to prove that \((2)\) not only has finitely many integral solutions, but it has finitely many solutions in \(\frak P\)-adic integers, where \(\frak P\) is some prime of \(K\). More precisely, we take any prime (= prime ideal in the ring of integers) \(\frak P\) and the corresponding valuation \(\nu=\nu_{\frak P}\). Then we construct the completion \(K_{\frak P}\) of \(K\) with respect to this valuation. By a “\(\frak P\)-adic number” we mean any element of \(K_{\frak P}\), and ones with nonnegative valuations are going to be called “\(\frak P\)-adic integers”.

We now want to make sense of equations \((2)\) for \(a_i\) not necessarily integers, but also \(\frak P\)-adic integers. The problem reduces to making sense of \(a^b\) for \(a\) a fixed \(\frak P\)-adic number and \(b\) a \(\frak P\)-adic integer, which is meant to vary. For this, we employ exponential and logarithmic functions: we will write \(a^b=\exp(b\log a)\). \(\exp\) and \(\log\) are defined using their power series:

\(\displaystyle\exp x=\sum_{n=0}^\infty\frac{x^n}{n!}\),

\(\displaystyle\log(1+x)=\sum_{n=1}^\infty(-1)^{n+1}\frac{x^n}{n}\).

These two functions are each other’s inverses, that is,

\(\exp\log(1+x)=1+x,\log\exp x=x\).

There are many ways to justify this, the most straightforward one being that we know these equalities hold for complex numbers, hence they are formal equalities of power series, hence they must also hold for \(\frak P\)-adic numbers. However, these functions are not defined everywhere. Nevertheless, they can be shown to have positive radius of convergence. More precisely:

**Lemma 1:** There is a rational integer \(\kappa\) such that both \(\exp x\) and \(\log(1+x)\) are defined for \(\nu(x)\geq\kappa\). Moreover, \(\nu(\log(1+x))\geq\kappa\), so \((1+x)^b=\exp(b\log(1+x))\) is defined for any \(\frak P\)-adic integer \(b\).

Unfortunately, there is no reason to expect numbers \(\varepsilon_i\) suit our purposes. However, we can change them so that this is the case. First of all, we may suppose that \(\frak P\) is such that all of \(\sigma_j(\varepsilon_i)\) have valuation zero (there are finitely many of these numbers, and they have nonzero valuation only with respect to finitely many prime ideals). Now we look at reduction modulo \(\frak P^\kappa\) (or, more precisely, modulo any element with valuation \(\kappa\)). The quotient ring is finite, say it’s of size \(d\). Then \(\varepsilon_i^d\) always is congruent to \(1\) modulo \(\frak P^\kappa\), i.e. \(\varepsilon_i=1+x\) for \(x\) of valuation at least \(\kappa\).

Moreover, we can replace the set of \(\gamma_i\) by products of \(\gamma_i\) and suitable powers of \(\varepsilon_i\). we only need to multiply by powers between \(0\) and \(d-1\). To avoid introducing more notation, we will just assume that \(\varepsilon_i\), and hence also \(\sigma_j(\varepsilon_i)\), are of the form which allows us to speak of their exponential functions.

The exponential function on \(\frak P\)-adic numbers satisfies all the familiar properties. Thanks to this, equations \((2)\) can be rewritten as

\(\displaystyle\sum_{j=1}^nA_{ij}\exp L_j(u_1,\dots,u_r)=0\) for \(i=3,\dots,n,\qquad (3)\)

where \(A_{ij}=\sigma_j(\gamma\mu_i^*)\) and \(L_j(u_1,\dots,u_r)=\displaystyle\sum_{k=1}^ru_k\log\sigma_j(\varepsilon_k)\). Note that the involved functions are all continuous functions of \(u_k\).

Now we use the fact that \(\frak P\)-adic integers are compact (under the topology induced by the valuation). Since we assumed \((3)\) has infinitely many (\(\frak P\)-adic) integral solutions, there must be a subsequence of these solutions which converges to some tuple \((u_1^*,\dots,u_r^*)\). By continuity, this tuple constitutes another solution to \((3)\). By a change of variables \(v_i=u_i-u_i^*\), we get a system of equations

\(\displaystyle\sum_{j=1}^nA_{ij}^*\exp L_j(v_1,\dots,v_r)=0\) for \(i=3,\dots,n,\qquad (4)\)

where \(A_{ij}^*=A_{ij}\exp L_j(u_1^*,\dots,u_r^*)\), which by above has a sequence of solutions converging to the origin. We point out at this point that the equations in \((4)\) are linearly independent, i.e. the matrix \((A_{ij}^*)\) of coefficients has rank \(n-2\). This is because \(A_{ij}\) is the product of \(\exp L_j(u_1^*,\dots,u_r^*)\sigma_j(\gamma)\) and \(\sigma_j(\mu_i^*)\), and the matrix of all \(\sigma_j(\mu_i^*)\) is invertible, as square of its determinant is discriminant of linearly independent tuple, hence is nonzero.

We consider the *local analytic manifold* \(V\) of \((4)\), i.e. the set of solutions of this system in some small neighbourhood of the origin. By assumption on the sequence of solutions converging to the origin, this manifold consists of more than one point. Hence, by a general theorem, it must contain an *analytic curve* – there is a system of \(r\) (formal) power series \(\omega_1(t),\dots,\omega_r(t)\), not all identically zero and all with no constant term, which plugged in for \(v_k\) in \((4)\). Equivalently, if we put \(P_j(t)=L_j(\omega_1(t),\dots,\omega_r(t))\), we get

\(\displaystyle\sum_{j=1}^nA_{ij}^*P_j(t)=0\) for \(i=3,\dots,n. \qquad (5)\)

where \(P_j(t)\) are power series with no constant terms.

We have the system \((5)\) of equations involving (exponentials of) \(P_j(t)\). However, \(P_j(t)\) are also linear combinations of \(r\) power series. Therefore, by linear algebra, we can find a system of \(n-r\) independent linear equations

\(\displaystyle\sum_{j=1}^nP_j(t)=0\) for \(i=1,\dots,n-r\qquad (6)\)

satisfied by these power series. We will now use the assumption we haven’t used yet: that \(f(x,1)\) has a complex root. Recall this implies the field \(k\) has at least one complex embedding, i.e. \(t\geq 1\) (see statement of theorem 1). Therefore \(n-r=s+2t-s-t+1=t+1\geq 2\). Using \((5)\) and \((6)\) we can therefore use the following lemma:

**Lemma 2:** Suppose formal power series (over some field of characteristic zero) \(P_1(t),\dots,P_n(t)\) with no constant term satisfy a system of \(n-2\) equations of the form

\(\displaystyle\sum_{j=1}^nA_{ij}^*\exp P_j(t)=0\)

and also a system of two equations of the form

\(\displaystyle\sum_{j=1}^nB_{ij}P_j(t)=0\).

Then \(P_j(t)=P_k(t)\) for some \(j\neq k\).

Before we provide a proof of this lemma, we will show why it helps us complete the proof. Recalling the definition of \(P_j(t)\), this implies that any analytic curve contained in the manifold \(V\) is also contained in the manifold \(W\) defined by the equation

\(\displaystyle\prod_{1\leq j<k\leq n}(L_j(v_1,\dots,v_r)-L_k(v_1,\dots,v_r))\).

It follows (though not immediately) that \(V\subseteq W\). We will obtain a contradiction as soon as we deduce \(W\) contains only finitely many points \((v_1,\dots,v_r)\) corresponding to the solutions of \((3)\), since we assumed that \(V\) contains infinitely many such points. Equivalently, since product in the definition of \(W\) consists of finitely many terms, we need to show only finitely many tuples can satisfy

\(L_j(v_1,\dots,v_r)=L_k(v_1,\dots,v_r)\)

for \(j\neq k\).

Let \((u_1,\dots,u_r)\) be a solution of \((3)\) coming from \(\alpha=x+y\theta,x,y\in\mathbb Q\), and \(u_i=u_i^*+v_i\). We have

\(\sigma_j(\alpha)=\sigma_j(\gamma)\sigma_j(\varepsilon_1)^{u_1}\dots\sigma_j(\varepsilon_r)^{u_r}=\sigma_j(\gamma)\sigma_j(\varepsilon_1)^{u_1*}\dots\sigma_j(\varepsilon_r)^{u_r*}\sigma_j(\varepsilon_1)^{v_1}\dots\sigma_j(\varepsilon_r)^{v_r}\)

\(=c_j\exp L_j(v_1,\dots,v_r)\)

where \(c_j\) is a constant independent of \(\alpha\). Similarly,

\(\sigma_k(\alpha)=c_k\exp L_k(v_1,\dots,v_r)\).

Assuming \(L_j(v_1,\dots,v_r)=L_k(v_1,\dots,v_r)\), this implies

\(\displaystyle\frac{\sigma_j(\alpha)}{c_j}=\frac{\sigma_k(\alpha)}{c_k},\frac{\sigma_j(\alpha)}{\sigma_k(\alpha)}=\frac{c_j}{c_k}\).

Taking \(\alpha’=x’+y’\theta\) to be a different such solution, this implies

\(\displaystyle\frac{\sigma_j(\alpha)}{\sigma_k(\alpha)}=\frac{\sigma_j(\alpha’)}{\sigma_k(\alpha’)},\frac{x+y\theta_j}{x+y\theta_k}=\frac{x’+y’\theta_j}{x’+y’\theta_k}\)

and hence \((xy’-x’y)(\theta_j-\theta_k)=0\) and \(xy’=x’y,\frac{x}{x’}=\frac{y}{y’}\) (\(x’,y’\) can’t be both zero, so neither can be). It follows that \(\alpha’\) is a rational multiple of \(\alpha\), say \(\alpha’=d\alpha\). But recall that \(\alpha,\alpha’\) have the same norm, so \(d\) has norm \(1\), hence it is \(\pm 1\). Therefore \(\alpha,\alpha’\) are equal or opposite. Hence there are only two possible values of \(\alpha\), which is certainly a finite amount! As explained above, this gives us a contradiction. \(\square\)

Since \(n\) power series \(\exp P_j\) satisfy \(n-2\) independent linear equations, we can express all of them in terms of just two, say \(\exp P_{n-1}\) and \(P_n\). Put

\(\exp P_i=a_i\exp P_{n-1}+b_i\exp P_n\qquad (7)\).

Suppose \(a_i=0\). Then \(\exp P_i\) and \(b_i\exp P_n\) are equal. They have constant terms equal to, respectively, \(1,b_i\) since \(P_i\) have no constant term, so \(\exp P_i=\exp P_n\) and we can deduce from this (computing coefficients one-by-one) that \(P_i=P_n\). Hence we may assume \(a_i\neq 0\) (as otherwise we are already done). Putting \(Q_i=P_i-P_n\) we then have

\(\exp Q_i=a_i\exp Q_{n-1}+b_i\)

and we may also assume \(Q_i\) are nonzero. Differentiation gives

\(Q_i’\exp Q_i=a_iQ_{n-1}’\exp Q_{n-1}\).

Previous two equations combined give

\(\displaystyle Q_i’=Q_{n-1}’\exp Q_{n-1}\frac{1}{c_i+\exp Q_{n-1}}\qquad (8)\)

with \(c_i=\frac{b_i}{a_i}\) for \(i=1,\dots,n-2\). We now use the other pair of assumed equations. By subtracting suitable multiples of \(P_n\) from them we find

\(\displaystyle\sum_{j=1}^{n-1} B_{ij}Q_j=k_iP_n\) dla \(i=1,2\).

If either \(k_i\) is zero, this gives us a nontrivial linear relation between \(Q_j\). Otherwise, subtracting suitable multiples and using independence we again get a nontrivial linear relation. In either case, we get

\(\displaystyle\sum_{j=1}^{n-1}d_jQ_j=0\)

for \(d_i\) not all zero. Differentiation and \((8)\) give us

\(Q_{n-1}’\exp Q_{n-1}\left(\displaystyle\sum_{i=1}^{n-2}\frac{d_i}{c_i+\exp Q_{n-1}}+\frac{d_i}{\exp Q_{n-1}}\right)=Q_{n-1}’\exp Q_{n-1}\left(\sum_{i=1}^{n-1}\frac{d_i}{c_i+\exp Q_{n-1}}\right)=0\)

(setting \(c_{n-1}=0\)). As \(Q_{n-1}’,\exp Q_{n-1}\neq 0\) we deduce

\(\displaystyle\sum_{i=1}^{n-1}\frac{d_i}{c_i+\exp Q_{n-1}}=0\).

Hence we get that the rational function

\(\displaystyle\sum_{i=1}^{n-1}\frac{d_i}{c_i+z}\)

vanishes when we put \(z=\exp Q_{n-1}\). But unless this function vanishes identically, this would imply \(\exp Q_{n-1}\) is algebraic overits field of coefficients. But no nonconstant power series over a field is algebraic, so this can’t be as \(Q_{n-1}\neq 0\). Thus this rational function is identically zero. This means that some two \(c_i\) are equal (otherwise this function would have a pole as \(z\rightarrow -c_i\) for any \(c_i\) with \(d_i\neq 0\). Therefore \(c_j=c_k\) for some \(j\neq k\).

Since \(\frac{b_j}{a_j}=c_j=c_k=\frac{b_k}{a_k}\), \((7)\) gives us

\(\frac{1}{a_k}\exp P_j=\frac{1}{a_k}\exp P_k\).

Comparing constant coefficients and then other coefficients, we get \(P_j=P_k\) with \(j\neq k\). \(\square\)

The proof goes roughly as follows:

- Suppose otherwise.
- Using (a variation of) Dirichlet’s unit theorem and general results on modules, reduce the problem to showing finiteness of certain exponential equation in many variables.
- Generalize the context of the question to \(\frak P\)-adic-analytic setting so that we can speak of exponentials of (some) non-rational-integers.
- Using some difficult words like “local analytic manifold” reduce (a big part of) the problem to (essentially) showing it cannot contain an analytic curve.
- Use a fancy lemma to deduce the manifold is too algebraically constrained to contain infinitely many integral points.
- Write an ultrabrief summary.

Clearly two of these steps are (arguably) the most ingenious and crucial ones: passing from a number field to its completion and then reducing the problem to analoguous problem in functional setting (i.e. there is no formal power series blah blah). Both the complete fields (called more precisely *local fields*) and functional questions have many times in mathematics proven themselves to be much easier to work with than in number fields. The former’s advantage is mainly ability for us to use analytic tools (and difficult words), while in functional setting we have an incredibely useful tool – differentiation.

You can see simplicity of working in functional setting e.g. in the proof of Riemann hypothesis. In the future I will probably make more posts showcasing the local methods like this one, possibly less difficult ones (or perhaps more).

]]>Throughout, by a “ring” we will mean an integral domain, i.e. commutative ring with unity without zero divisors

Let \( R\) be an arbitrary ring. Recall that we call an element \( r\in R\) *irreducible* if \( r\) is not zero, not a unit and whenever we write \( r=ab\) with \( a,b\in R\), then one of \( a,b\) is a unit. We say that \( R\) *has unique factorization*, or that it is a *unique factorization domain* (UFD) if every nonzero element of \( R\) can be written as a product of a unit and some number of irreducible elements, and this expression is unique up to ordering and unit multiples, i.e. whenever we have \( u_1r_1\dots r_n = u_2q_1\dots q_m\) with \( u_1,u_2\) units and \( r_1,\dots,r_n,q_1,\dots,q_m\) irreducibles, then \( n=m\) and there is a bijection between \( r_i\) and \( q_j\) which maps \( r_i\) to some its unit multiple.

In general, there is little to no reason to expect \( R\) is a UFD. A famous example of a ring which doesn’t have unique factorization is \( \mathbb Z[\sqrt{-5}]\) – \( 2\cdot 3=(1+\sqrt{-5})(1-\sqrt{-5})\) can be verified to be an example of nonunique factorization as defined above.

The unique factorization is a very useful tool. For example, in a UFD, if a product \( ab\) of relatively prime elements is a perfect \( n\)th power, then, up to unit multiples, both \( a\) and \( b\) are \( m\)th powers as well. Hence we would like to have something in the spirit of unique factorization available in a greater range of rings. Is that possible?

An idea to salvage rings which are not UFDs is to somehow *embed* the elements of the ring in some larger structure in which unique factorization does hold. At the same, it would be desirable for it to have as little redundancy as possible.

Because at this point we are interested only in unique factorization, which is purely multiplicative property of a ring, we will only require this larger structure to have multiplication. Also, for convenience purposes, we will ignore the zero element – its multiplicative behaviour is prefectly well understood anyways.

Our “dream structure” would then be a so called *commutative s**emigroup* (which differs from a (commutative) group in that we don’t require inverses) \( \mathcal R\), into which the semigroup \( R\setminus\{0\}\) would be mapped. There is an obvious way in which we can define divisibility in \( \mathcal R\), and we can speak of elements of \( \mathcal R\) dividing elements of \( R\). Because of that, the elements of \( \mathcal R\) are called *divisors* of \( R\). We will denote the divisor corresponding to \( a\in R\setminus\{0\}\) by \( (a)\) and we will call such divisors *principal*.

There come two properties we will want this mapping to satisfy: first, we want multiplication to be preserved, i.e. \( (a)(b)=(ab)\) (that is, we require it to be a *homomorphism* of semigroups), and we will want the divisibility (and indivisibility) to be preserved, i.e. \( a\) divides \( b\) in \( R\) iff \( (a)\) divides \( (b)\) in \( \mathcal R\). The first of these properties implies \( (1)\) is a multiplicative identity when it comes to multiplying by \( (a)\). We want it to be multiplicative identity in the whole semigroup.

Any divisor \( \frak a\) of \( R\) induces a subset of \( R\setminus\{0\}\), namely the set of elements it divides, which we will denote by \( \overline{\frak a}\). In \( R\), if \( a\) and \( b\) are divisible by \( c\), then so are \( a+b\) and \( a-b\). With notation above, this can be phrased as: \( \overline{(c)}\) is closed under addition and subtraction. This property shall be required for all divisors: \( \overline{\frak a}\) is closed under addition and subtraction.

One more property is that we will want a divisor \( \frak a\) to be completely characterized by \( \overline{\frak a}\) (so that we don’t have any redundant divisors). That is, we want \( \frak a\neq\frak b\) to imply \( \overline{\frak a}\neq\overline{\frak b}\). This has one more effect – unit multiples in \( R\) are being ignored. Indeed, one can now verify that \( (a)=(b)\) iff \( a\) and \( b\) are unit multiples of each other. Thanks to this, it is particularly easy to state unique factorization, in a way akin to \( \mathbb Z\): first define a prime divisor to be a divisor \( \frak p\) such that, whenever represented as a product of two divisors, one of them is the unit \( (1)\). Then we can state unique factorization as: Every divisor \( \frak a\) can be represented as a product \( \frak p_1\dots\frak p_n\) in a unique way up to a permutation of factors. Using more difficult words, this means that \( \mathcal R\) is a free commutative semigroup generated by the prime divisors \( \frak p\).

To sum up, we will define a *theory of divisors* for a ring \( R\) to be a free commutative semigroup \( \mathcal R\) together with a semigroup homomorphism \( R\setminus\{0\}\rightarrow\mathcal R,a\mapsto (a)\) such that:

- for \( a,b\in R\setminus\{0\}\), \( a\) divides \( b\) in \( R\) iff \( (a)\) divides \( (b)\) in \( \mathcal R\),
- for \( a,b\in R\setminus\{0\}\) are divisible by divisor \( \frak a\), then so are \( a+b,a-b\) (provided they are in \( R\setminus\{0\}\)), and
- if \( \overline{\frak a}=\overline{\frak b}\), then \( \frak a=\frak b\) for all divisors \( \frak a,\frak b\).

It is far from clear whether a theory of divisors exists for a given ring or not, and if so, whether it is (“essentially”) unique. The latter of these questions turns out to be relatively easy to answer – a theory of divisors, if exists, is unique. More precisely, if we have two theories of divisors, \( \mathcal R_1\) together with a map \( a\mapsto (a)_1\) and \( \mathcal R_2\) together with a map \( a\mapsto (a)_2\), then there is an isomorphisms of these two semigroups sending \( (a)_1\) to \( (a)_2\). We now sketch the proof of this fact.

Let \( \frak p\in\mathcal R_1\) be prime. We shall show there is a prime divisor \( p’\in\mathcal R_2\) such that \( \overline{\frak p’}\subseteq\overline{\frak p}\) (the \( \overline{\frak p},\overline{\frak p’}\) are the sets of elements divisible by \( \frak p,\frak p’\) in respective theories of divisors). Suppose that there is no such prime divisor. Choose any \( \beta\) divisible by \( \frak p\). Factor \( \beta(=(\beta)_2)\) as \( \frak p_1^{k_1}\dots\frak p_r^{k_r}\) in \( \mathcal R_2\). Choose \( \beta_i\in\overline{\frak p_i}\setminus\overline{\frak p}\). Then \( \beta_1^{k_1}\dots\beta_r^{k_r}\) is divisible by \( \beta\), but not \( \frak p\), which is a contradiction.

Similarly, there is a prime \( \frak q\in\mathcal R_1\) such that \( \overline{\frak q}\subset\overline{\frak p’}\subseteq\overline{\frak p}\). We now claim \( \overline{\frak q}=\overline{\frak p}\). Otherwise, choosing \( \alpha\) divisible by \( \frak q\) but not \( \frak{pq}\), we would have \( \alpha\in\overline{\frak q}\setminus\overline{\frak p}\). Hence \( \overline{\frak p}=\overline{\frak p’}\).

Matching \( \frak p\in\mathcal R_1\) with \( \frak p’\in\mathcal R_2\) such that \( \overline{\frak p}=\overline{\frak p’}\) gives a bijection between prime divisors in both theories, which we easily extend multiplicatively to an isomorphism. We just need to check it preserves principal divisors. To avoid technical details, we omit this part of the proof.

Unique factorization in \( \mathcal R\) can be also stated in the following way: for any divisor \( \frak a\) there are uniquely defined integers \( \nu_{\frak p}(\frak a)\) for each prime divisor \( \frak p\) such that

\( \displaystyle\frak a=\prod_{\frak p}\frak p^{\nu_{\frak p}(\frak a)}\).

We can also define functions \(\nu_{\frak p}\) on \( R\setminus\{0\}\) by \( \nu_{\frak p}(a)=\nu_{\frak p}((a))\). By defining \( \nu_{\frak p}(a/b)=\nu_{\frak p}(a)-\nu_{\frak p}(b)\) and checking this function is well-defined, we can extend it to the field of fractions \( K\) of \( R\) with zero excluded. This function now has the following properties:

- the image of \( K\setminus\{0\}\) under \( \nu_{\frak p}\) is \( \mathbb Z\)
- \( \nu_{\frak p}(ab)=\nu_{\frak p}(a)+\nu_{\frak p}(b)\), and
- \( \nu_{\frak p}(a+b)\geq\min\{\nu_{\frak p}(a),\nu_{\frak p}(b)\}\) with equality if \( \nu_{\frak p}(a)=\nu_{\frak p}(b)\).

For properties 2, 3 it is easy to verify them for \( R\setminus\{0\}\), and then extend them to \( K\setminus\{0\}\). A function with these three properties is called a *valuation*. It is customary to additionally define \( \nu_{\frak p}(0)=\infty\), so that these properties still hold on all of \( K\).

No two valuations \( \nu_{\frak p},\nu_{\frak q}\) are the same for distinct \( \frak p,\frak q\). Hence the prime divisors can be identified with a subset \( V\) of the set of valuations on \( K\). The set of valuations corresponding to these divisors further satisfies the following properties:

- for a fixed \( a\in K\setminus\{0\}\), \( \nu(a)=0\) for all but finitely \( \nu\in V\),
- for \( a\in K\), \( a\in R\) iff \( \nu(a)\geq 0\) for all \( \nu\in V\), and
- for any \( \nu_1,\dots,\nu_m\in V\) and nonnegative integers \( k_1,\dots,k_m\) there is \( a\in R\) such that \( \nu_i(a)=k_i\).

Property 1 is clear. For property 2, write \( a=b/c, b,c\in R\setminus\{0\}\) and note that this property is then equivalent to \( \nu_{\frak p}(b)\geq\nu_{\frak p}(c)\) for all prime divisors \( \frak p\) iff \( c\mid b\), which is easy to see (recall property 1 in the definition of theory of divisors). For property 3, consider valuations corresponding to prime divisors \( \frak p_1,\dots,\frak p_m\). Consider \( a_i\in\overline{\frak p_1^{k_1+1}\dots\frak p_i^{k_i}\dots\frak p_m^{k_m+1}}\setminus\overline{\frak p_1^{k_1+1}\dots\frak p_i^{k_i+1}\dots\frak p_m^{k_m+1}}\). Then \( a=a_1+\dots+a_m\) has the desired properties.

It is not hard to show the converse: if the set \( V\) of valuations on a field \( K\) satisfies the mentioned three properties, then \( R\) has a theory of divisors which then gives rise to \( V\) when considering valuations corresponding to its prime divisors. For that reason, the search for theories of divisors is reduced to a search for certain sets of valuations. As it won’t cause confusion, we will call \( V\) a theory of divisors as well.

We give, somewhat belatedly, an example of theory of divisors. Suppose \( R\) is a UFD. Because of units, we can’t just take \( \mathcal R\) to be \( R\setminus\{0\}\). Instead, for \( a\in R\setminus\{0\}\), we define \( (a)\) to be the set of all its unit multiples, and take \( \mathcal R\) to be the set of all such sets. Already the notation suggests the mapping \( R\setminus\{0\}\rightarrow\mathcal R\). Since \( R\) is a UFD, it’s not difficult to see this gives us a theory of divisors.

We can also give an example of a ring which does *not* have a theory of divisors. This can be done because every ring with a theory of divisors must be *integrally closed* in its field of fractions \( K\), i.e. suppose \( a\in K\) is a root of a monic polynomial with coefficients in \( R\). Then \( a\in R\). To see why this is true, suppose

\( a^n+d_{n-1}a^{n-1}+\dots+d_1a+d_0=0\)

with \( d_i\in R\). If \( a\not\in R\), there is a valuation \( \nu\in V\) such that \( k=\nu(a)<0\). Then \( \nu(a^n)=kn\) and \( \nu(d_ia^i)\geq \nu(a^i)=ki>kn\). Then, by property 3 in the definition of valuation, it follows that

\( \nu(0)=\nu(a^n+d_{n-1}a^{n-1}+\dots+d_1a+d_0)=\min\{\nu(a^n),\nu(d_{n-1}a^{n-1}),\dots,\nu(d_1a),\nu(d_0)\}=kn\),

which is clearly wrong. This proves \( R\) is integrally closed.

An example of non-integrally closed ring is \( \mathbb Z[\sqrt{-3}]\), since \( \frac{1}{2}+\frac{1}{2}\sqrt{-3}\) is a root of \( x^2-x+1\).

One last useful fact is somewhat of a converse to the first example – we can show that if a ring has a theory of divisors, then it is a UFD, provided the theory of divisors has finitely many prime divisors \( \frak p_1,\dots,\frak p_m\). To see why, just note that there is an element \( \pi_i\in R\) which is divisible by \( \frak p_i\) but not any other \( \frak p_j\), essentially thanks to property 3 of valuations forming a theory of divisors. Using these elements we can replace a factorization into prime divisors by a factorization into \( \pi_i\).

In the next blog post we will establish a number of results regarding extending valuations and theories of divisors to finite field extensions. In particular, we will show any ring of algebraic integers in a number field has a theory of divisors.

]]>The idea behind a language \( L\) lying in the IP complexity class is that if we have two parties in a conversation: one of them, the *verifier*, has limited resources, and the other, the *prover*, is all-knowing and not contrained by the resources in any way. In their dialogue, the prover tries to convince the verifier that some string \( w\) lies in \( L\). Afterwards, the verifier declares whether they accept or reject the computation, which means that they did or didn’t get convinced that \( w\in L\).

The first idea to define a complexity class out of it is as the class of languages such that some prover is able to convince the verifier iff the string truly is in the language, where we require the verifier to be a polynomial-time machine. However, if the verifier is deterministic, this gives us precisely the class NP: since the prover knows precisely what the verifier is going to do with their responses, they could’ve just as well gave all their responses beforehand, from which we infer this class is contained in NP.

Instead, we let the verifier to be *probabilistic* – in the course of the proof, we allow them to get some perfectly random bits and the course of computation may proceed differently depending on what they are. Also, to account from probabilistic nature, we will allow the verifier to make to make errors, but with small probability. IP is defined as the class of the languages \( L\) such that, for some (polynomial-time) verifier and any string \( w\):

- if \( w\in L\), then some prover makes the verifier accept with probability at least \( 2/3\), and
- if \( w\not\in L\), then there is no prover which makes the verifier accept with probability higher than \( 1/3\).

The exact value of the constants \( 2/3,1/3\) is not important here, as long as they are, respectively, larger than and smaller than \( 1/2\): repeating the calculation a number of times and accepting iff the original verifier would’ve accepted majority of times can put these probabilities at something of order \( 1-2^{-|w|},2^{-|w|}\) or better, which, in practice, would be negligible.

A famous example of a problem which is not known to be in NP, but known to have an interactive proof protocol, is the *graph nonisomorphism*: given two graphs \( G_1,G_2\), decide whether they are *not* isomorphic (note that graph *isomorphism* problem is rather trivially in NP). One way to convince a verifier they are not isomorphic is as follows: first, we ask them to randomly (and secretly – the prover won’t know the result!) choose one of the graphs \( G_i\), randomly permute its vertices getting an isomorphic graph \( H\), and then present \( H\) to the prover to see whether they can figure out what the \( i\) is. If \( G_1\) and \( G_2\) are not isomorphic, then \( H\) is isomorphic to only one of them, so the prover can easily tell which one it’s isomorphic to. On the other hand, if \( G_1\) *is* isomorphic to \( G_2\), the best the prover can do is guess whether \( H\) is a permutation of what \( i\) the verifier chose, which will be right with only 50% probability, so repeating will make it really unlikely for the prover to be right all the time.

The result which we are going to prove, that IP is the same as PSPACE, is surprising because it shows that in the context of interactive proofs, adding randomness significantly increases the capabilities of a system (since, at least conjecturally, PSPACE is much larger than NP). This is in contrary to the more standard complexity classes, since probabilistic analogue of P, called BPP, is conjectured to be equal to P.

We shall now begin the proof of Shamir’s theorem.

One of the most important decision problems in PSPACE is the following problem:

**TQBF:** Given a quantified Boolean formula

\( \displaystyle\forall x_1\exists x_2\dots\mathsf{Q} x_n:\varphi(x_1,\dots,x_n)\)

where \( \mathsf Q\) is \( \exists\) or \( \forall\) and \( \varphi\) is an unquantified Boolean formula, decide whether it’s true.

This is the most well-known example of a PSPACE-complete problem. Verifying that it is contained in PSPACE is routine, and amounts to checking that the obvious “brute-force” algorithm works in space polynomial in the size of the input. Its PSPACE-hardness procees by a standard argument, which we include for completeness (pun not intended).

Suppose M is a Turing machine which works in polynomial space, say in space bounded by \( p(n)\), where throughout \( n\) is the length of the input. Every configuration of the machine can be described using a sequence of bits of polynomial length, for example by using \( p(n)\) to store the contents of the tape, another \( p(n)\) to indicate which cell the machine is currently reading, and a constant number of bits to store which state machine is in. Until the end of this section, capital letters apart from M will denote configurations of M, and also strings of bits encoding them. This encoding shows that M has at most \( 2^{g(n)}\) configurations for \( g(n)\) polynomial.

We may redesign M slightly so that, once it accepts, it moves to a state we know in advance, e.g. it clears everything on the tape and enters special state while sitting on the leftmost cell. From this and the above we see there are fixed configurations \( X,Y\) such that M accepts iff M gets from configuration \( X\) to \( Y\) in at mosy \( 2^{g(n)}\) steps. We shall recursively construct a quantified Boolean formula \( \varphi_i(A,B)\) which is equivalent to “M gets from configuration \( A\) to configuration \( B\) in at most \( 2^i\) steps”.

For \( i=0\), the formula states that \( A=B\) or \( B\) is one computation step ahead of \( A\). It is more tedious than enlightening to show that formula stating that can be constructed in polynomial time, so we will skip that. For the recursion step, we note that if we can reach configuration \( B\) from \( A\) in at most \( 2^{i+1}\) steps iff we can find a midpoint configuration \( C\) such that we can get from \( A\) to \( C\) in \( 2^i\) steps, and the same for \( C\) and \( B\). Hence a natural idea is to define

\( \displaystyle\varphi_{i+1}(A,B)=\exists C:\varphi_i(A,C)\land\varphi(C,B)\)

(recall \( C\) is treated as a sequence of \( g(n)\) bits, so \( \exists C\) is actually a sequence of \( g(n)\) quantifiers). However, with this idea the length of formulas grows exponentially fast with \( i\), which is bad for us. Instead, we use the following construction:

\( \displaystyle\varphi_{i+1}(A,B)=\exists C\forall P,Q:((P=A\land Q=C)\lor(P=C\land Q=B))\Rightarrow\varphi_i(P,Q)\).

It is straightforward this construction can be done in polynomial time. Transforming the formula into PNF (prenex normal form, i.e. all quantifiers come before a formula) is routine. This establishishes PSPACE-completeness.

This is the central idea of the proof. We transform the quantified Boolean formula to a polynomial function, which on Boolean inputs (\( 0,1\)) gives us its Boolean truth value. For the innermost, unquantified formula \( \varphi(x_1,\dots,x_n)\), we first use repeatedly de Morgan rules and other reduction rules, we are left with a formula involving only \( \neg,\land\). Then we note that if formulas \( \varphi_1,\varphi_2\) give polynomials \( f,g\), then \( \varphi_1\land\varphi_2,\neg\varphi_2\) can be represnted by \( fg,1-f\) respectively. Applying quantifiers is not difficult either: if \( f\) corresponds to \( \varphi(x_1,\dots,x_n)\), for \( \forall x_n:\varphi(x_1,\dots,x_n)\) we take \( f(x_1,\dots,x_{n-1},0)f(x_1,\dots,x_{n-1},1)\), and for \( \exists x_n:\varphi(x_1,\dots,x_n)\), using de Morgan laws, \( 1-(1-f(x_1,\dots,x_{n-1},0))(1-f(x_1,\dots,x_{n-1},1))\). This process is known as the *arithmetization* of the Boolean formula. After arithmetizing a formula with each variable quantified, we get a constant polynomial, and the formula is true iff this constant value is 1.

Unfortunately, because of the quantifiers, this construction leaves us with a polynomial with degree exponential in length of the formula. To fix this, we can *linearize* the polynomial. The idea is simple: polynomials \( f(x_1,\dots,x_i,\dots,x_n)\) and \( (1-x_i)f(x_1,\dots,0,\dots,x_n)+x_if(x_1,\dots,1,\dots,x_n)\) takes the same values on Boolean inputs, while the latter polynomial has the degree in every variable at most the same as in the former, and additionaly the degree in \( x_i\) is equal to \( 1\). Thus linearizing in every variable will get all degrees to be \( 1\). We will denote the operator linearizing in variable \( x_i\) by \( L_i\). Denoting also by \( \forall_i,\exists_i\) the operators on polynomials corresponding to applying quantifiers, solving TQBF essentially amounts to finding the value of

\( \forall_1L_1\exists_2L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n)\),

where \( f(x_1,\dots,x_n)\) is a polynomial corresponding to the unquantified part of the formula. Importantly, as can be seen from the construction, it is very easy to find its values on integer inputs.

We define the following sequence of polynomials:

\( \displaystyle f_0()=\forall_1L_1\exists_2L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n)\\

f_1(x_1)=L_1\exists_2L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n)\\

f_2(x_1)=\exists_2L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n)\\

f_3(x_1,x_2)=L_1L_2\dots \mathsf{Q}_nL_1\dots L_n f(x_1,\dots,x_n)\\

\dots\\

f_m(x_1,\dots,x_n)=f(x_1,\dots,x_n)\)

(the empty brackets by \( f_0\) emphasize that it’s a function of zero variables). We want a prover to convince the verifier that \( f_0()=1\), and we can easily compute \( f_m\). Also, note that there is an easy polynomial upper bound on the total degrees of all polynomials, namely the degree \( d\) of \( f_m\) (note that most of them will have degree \( 1\) or \( 2\) in each variable).

We are now ready to describe the procedure the verifier and prover will execute during the interactive proof. First of all, *all the computations will take place modulo a prime* \( p\) . This will reduce the size of numbers involved in a computation. \( p\) will have length polynomial in the length of the input, and we will also require it to be sufficiently large (such primes will necessarily exist, e.g. by Bertrand’s postulate, but more elementary arguments can be given as well). The prover shall start by sending a prime \( p\), and they will either provide a primality certificate which the verifier can quickly check, or the verifier will have to check primality of \( p\) using a primality test.

Recall that the verifier wants to challenge prover’s claim that \( f_0()=1\). We will indicate these sort of claims by \( f_0^P()=1\) (the superscript indicates that this relation is what the prover *claims* is true). The remainder of the protocol proceeds as follows:

- The prover sends a polynomial \( f_1^P(x)\), which they claim to be equal to \( f_1(x_1)\).
- The verifier checks that provers two claims are
*consistent*: in this case, since \( f_0()=\forall_1 f_1(x)=f_1(0)f_1(1)\), the verifier ought to check that \( f_1^P(0)f_1^P(1)=f_0^P()\). If this is the case, then they choose a random number \( r_1\) modulo \( p\) and sends it to the prover. If prover’s claim that \( f_1^P(x)=f_1(x)\) was true, then in particular we must have \( f_1^P(r_1)=f_1(r_1)\). This is a new claim which the verifier is challenging. - The prover now sends a polynomial \( f_2^P(x)\), which they claim to be \( f_2(x)\).
- The verifier again checks consistency: we should have \( f_1^P(r_1)=(1-r_1)f_2(0)+r_1f_2(1)\). They choose a random \( r_2\), send it to the prover and challenge the equality \( f_2^P(r_2)=f_2(r_2)\).
- This time the prover sends \( f_3^P(r_2,x)\), claiming it’s \( f_3(r_2,x)\).
- They proceed in this manner total of \( m\) times: depending on the operator at the end of definition of \( f_i\), the prover sends a polynomial \( f_{i+1}^P\) with one free variable. The verifier makes a consistency check, chooses a random number and sets this as the free variable in the polynomial, and challenges the prover with the value they get.
- After all these turns, the verifier is now left with prover’s claim that \( f_m^P(q_1,\dots,q_n)=f_m(q_1,\dots,q_n)\). But at this point the verifier can check this claim by themself: we have earlier noted that the values of \( f_m\) can be easily computed. This is one of the two final checks; the other one will be to check that all polynomials given by the prover have degree \( d\).
- If all of the consistency checks were successful and the final claim was verified to be true, the verifier accepts. If at any point the check failed or the last claim turned out to be false, they reject.

It is clear that if the formula is true, then the prover can convince the verifier of its truth using this protocol 100% of the time: if they send the true values of \( f_i\) as \( f_i^P\), the verifier will not find any inconsistencies, so will accept. This is refered to as *completeness* of the protocol – that in true cases verifier can be convinced with high probability (in general, not necessarily 100%, but in this case we can do that good). We now must verify its *soundness* – that it is not possible for a prover to fool the verifier into believing a false formula is true.

The fundamental fact of use here is the following fundamental fact about polynomials over fields (integers modulo a prime form a field, so it is applicable):

**Lagrange’s theorem:** If two polynomials \( f,g\) defined over a field have degree at most \( d\) and agree on more than \( d\) values, then they are equal.

We will upper bound the probability of fooling the verifier. If the deceitful prover wants to have at least some chance, they need to send \( p\) which is really a prime of desired size and all the polynomials on the way have to have the degree at most \( d\).

For the verifier to accept the final check, we need the two polynomials \( f_m,f_m^P\), seen as polynomials in one variable, to agree on the input \( x=q_n\) (recall that the prover sends the polynomials with all but one variable fixed). By Lagrange’s theorem, unless the polynomials are equal, this only can be for at most \( d\) values of \( x\). Since \( q_n\) was chosen randomly, if the polynomials are not equal, then the equality holds with probability smaller than \( \frac{d}{p}\).

If the formula is not true, then the prover must have lied in the first step – it cannot be that \( f_0^P=f_0\). We can now proceed inductively to see that most likely the prover will have to continue providing false claims – if they have falsely claimed that \( f_i^P=f_i\) (here evaluated at certain values of \( r_i\)), then they must provide a polynomial \( f_{i+1}^P(x)\) which isn’t equal to \( f_{i+1}(x)\) – after all, \( f_i^P\) and \( f_i\) involve their evaluations on certain values – so the claim \( f_{i+1}^P(r_{i+1})=f_{i+1}(r_{i+1})\) will be true only on places where the two distinct polynomials agree, which happens with probability at most \( \frac{d}{p}\).

Summing up these probabilities, we see that the probability of the prover getting away with their initial lie is at most \( \frac{(m+1)d}{p}\), where \( (m+1)d\) is polynomial in the length of the formula \( l\). If we now let \( p\) be between \( 2^l,2^{l+1}\) (invoking Bertrand’s postulate), then the probability of the verifier accepting a false formula will be made exponentially small. It’s easy to convince oneself with some technical calculations that this confirms soundness of the protocol.

Therefore, IP=PSPACE. \( \square\)

I hope to eventually make a blog post describing a proof of a similat, but perhaps even more surprising, result, what MIP, the class of problems with interactive proof protocols involving multiple provers, is equal to the class NEXP, which is *known* to be much larger than NP, thus showing that probability can provably enlarge a complexity class.

However, even then a reader might want to refer some external source in order to see how the exercise can be solved, because otherwise it might be difficult to proceed any further (I myself would appreciate such a source at times). And, as they say, if you want something done right, do that yourself.

I’ve been thinking about this project for a short while already, and recently I have finally decided to start working on it. At the time of publishing this post I have finished writing up solutions to exercises from chapter 1. More info, including a link to the actual file, can be found here (a link to that page can be also found on the sidebar). Please put all feedback under that page. With each further chapter completed that page will be completed, and I don’t plan on making posts like this one until the project is completed.

Since the post title promised some info, I’d like to mention that for three reasons the amount of content appearing on the blog in the near future will not be as large as it was over past two weeks (I am not putting this on hiatus though). First is this project, since I want to have it done at some point in the future, which means I will have to invest some time into it. Second is a trip I am going to next week. I might or might not work on some post while I’m there, we will see. Third, university starts at the beginning of October, but I still should be able to work on the blog, at least during weekends, but most likely also during the week.

]]>Recall the definition of the intertia group of a prime \(\frak P\) in \(\mathcal O_L\) lying over a prime \(\frak p\) in \(\mathcal O_K\) (\(L/K\) is a Galois extension of number fields) – it’s the set of all \(\sigma\in G=\mathrm{Gal}(L/K)\) such that, for all \(\alpha\in L\), we have \(\sigma(\alpha)\equiv\alpha\pmod{\frak P}\). We now generalize this group.

**Definition:** In setting as above, we define the \(n\)*th ramification group* \(E_n\) to be the set of all \(\sigma\in G\) such that \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^{n+1}}\). The groups \(E_n,n>1\) are called the *higher ramification groups*.

It is straightforward to see that \(D\geq E=E_0\geq E_1\geq\dots\), all the subgroups are normal in \(D\) and their intersection is trivial. The structure of groups \(E_n\) can be somewhat complicated, but the groups \(E_{n-1}/E_n\) are particularly simple:

**Proposition 1:** \(E/E_1\) is isomorphic to a subgroup of \((\mathcal O_L/\frak P)^\times\).

**Proof:** Fix \(\pi\in\frak P\setminus\frak P^2\). We can then factor \((\pi)\) as \(\frak P I\) with \(\frak P,I\) relatively prime. Taking any \(\sigma\in E\) we can find, by Chinese remainder theorem, a solution to \(x\equiv\sigma(\pi)\pmod{\frak P^2},x\equiv 0\pmod I\). Because \(\sigma\in E,\sigma(\pi)\in\frak P\), so \(x\in\frak P I=\pi\mathcal O_L\), so \(x=\alpha_\sigma\pi\) for some \(\alpha_\sigma\in\mathcal O_L\). In particular, \(\sigma(\pi)\equiv\alpha_\sigma\pi\pmod{\frak P^2}\). Also, \(\alpha_\sigma\) is well-defined modulo \(\frak P\): If \(\alpha_\sigma\pi\equiv\sigma(\pi)\equiv \alpha’\pi\pmod{\frak P^2}\), then \(\frak P^2\mid (\alpha_\sigma-\alpha’)\pi\), so \(\alpha_\sigma\equiv\alpha’\pmod{\frak P}\).

Thus we have defined a mapping \(\sigma\mapsto\alpha_\sigma\), and clearly \(\alpha_{\sigma\tau}\equiv\alpha_\sigma\alpha_\tau,\alpha_{\mathrm{id}}\equiv 1\pmod{\frak P}\), in particular – this map is a homomorphism into \(\alpha_\sigma\in(\mathcal O_L/\frak P)^\times\). To show that this it induces the desired isomorphism we need to show that its kernel is \(E_1\), which will easily follow if we show that if \(\sigma(\pi)\equiv \pi\pmod{\frak P^2}\), then \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^2}\), i.e. \(\sigma\in E_1\). We will prove something more general:

**Lemma 1:** For \(\sigma\in E\) and \(\pi\in\frak P\setminus\frak P^2\), if \(\sigma(\pi)\equiv\pi\pmod{\frak P^{n+1}}\), then \(\sigma\in E_n\).

**Proof of the lemma:** We will proceed by induction on \(n\). This is immediate for \(n=0\). Suppose now \(\sigma(\pi)\equiv\pi\pmod{\frak P^{n+1}},n>0\). In particular, \(\sigma(\pi)\equiv\pi\pmod{\frak P^n}\), so \(\sigma\in E_{n-1}\). Therefore \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^n}\) for all \(\alpha\in\mathcal O_L\), so \(\sigma(\pi\alpha)\equiv\sigma(\pi)\sigma(\alpha)\equiv\pi\sigma(\alpha)\equiv\pi\alpha\pmod{\frak P^{n+1}}\) (for last congruence, recall \(\pi\in\frak P\)). So \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^{n+1}}\) for all \(\alpha\in(\pi)\).

Now we show the congruence for \(\alpha\in\frak P\). Let \((\pi)=\frak P I\) (as in the proof of the proposition). Choose \(\beta\equiv 1\pmod P,\beta\equiv 0\pmod I\). Then \(\alpha\beta\in(\pi)\), so \(\alpha\beta\equiv\sigma(\alpha\beta)\equiv\sigma(\alpha)\sigma(\beta)\equiv\sigma(\alpha)\beta\pmod{\frak P^{n+1}}\) by above and since \(\sigma(\beta)\equiv\beta\pmod{\frak P^n}\). But \(\beta\) is a unit modulo \(\frak P\), hence modulo \(\frak P^{n+1}\), so \(\sigma(\alpha)\equiv\alpha\pmod{\frak P^{n+1}}\).

At the same time, every conguence class modulo \(\frak P\) has an element which is fixed by \(\sigma\), and indeed, by every element of \(E\). By result from my previous post, \(\mathcal O_L/\frak P\) is a trivial extension of \(\mathcal O_{L_E}/\frak P_E\), so every congruence class modulo \(\frak P\) has a representative in \(\mathcal O_{L_E}\), and by definition these are fixed by elements of \(E\). So every \(\alpha\in\mathcal O_L\) can be written as \(\beta+\gamma,\beta\in L_E,\gamma\in\frak P\), so that \(\sigma(\alpha)=\sigma(\beta)+\sigma(\gamma)=\beta+\sigma(\gamma)\equiv\beta+\gamma\equiv\alpha\pmod{\frak P^{n+1}}\). Therefore \(\sigma\in E_n\). \(\square\)

Hence, as we said, \(E_1\) is the kernel of constructed homomorphism, which therefore is an isomorphism of \(E/E_1\) onto its image, which is a subgroup of \((\mathcal O_L/\frak P)^\times\). \(\square\)

In a quite similar way we can prove the following result:

**Proposition 2:** \(E_{n-1}/E_n,n>1\) is isomorphic to a subgroup of the additive group \(\mathcal O_L/\frak P\).

**Proof:** Let, as before, \(\pi\in\frak P\setminus\frak P^2\). Take any \(\sigma\in E_{n-1}\). Writing (again) \((\pi)=\frak P I\), choose \(x\equiv\pi\equiv\sigma(\pi)\pmod{\frak P^n}, x\equiv\pi\pmod{I^n}\). Then \(x-\pi\in \frak P^n I^n=(\pi^n)\), so \(\sigma(\pi)\equiv\pi+x\equiv\pi+\alpha_\sigma\pi^n\pmod{\frak P^{n+1}}\) for some \(\alpha_\sigma\in\mathcal O_L\). Like in the previous proposition, we easily see that \(\alpha_\sigma\) is uniquely defined modulo \(\frak P\) and \(\alpha_{\sigma\tau}\equiv\alpha_\sigma+\alpha_\tau\pmod{\frak P}\). This gives us a homomorphism, and from the lemma we easily find that its homomorphism is \(E_n\), so that we get the desired isomorphism from \(E_{n-1}/E_n\) to a subgroup of \(\mathcal O_L/\frak P\). \(\square\)

A quite immediate corollary is the following.

**Theorem 1:** Groups \(D,E,E_n\) are solvable.

**Proof:** We consider the chain of normal subgroups \(D\trianglerighteq E\trianglerighteq E_1\trianglerighteq\dots\). \(D/E\) is isomorphic to the Galois group of the finite field \((\mathcal O_L/\frak P)^\times\), \(E/E_1\) is isomorphic to a subgroup of the multiplicative group of this field and \(E_{n-1}/E_n\) is isomorphic to a subgroup of its additive group. All of these are abelian, and the chain eventually terminates (eventually \(E_n\) are trivial), so all the groups in the chain are solvable. \(\square\)

**Definition:** Suppose a prime \(\frak p\) in \(\mathcal O_K\) ramifies in \(\mathcal O_L\) and let \(e=e(\frak P/\frak p)\) and \(p\) be a prime in \(\mathbb Z\) lying under \(\frak p\). We say that \(\frak p\) *wildly ramifies* if \(p\mid e\), and we say that it *tamely rafimites* otherwise.

The terminology above might seem unmotivated, but hopefully it is at least in part clarified by the following theorem.

**Theorem 2:** If a prime is ramified, then it’s tamely ramified iff all the higher ramification groups are trivial. Moreover, \(E_1\) is a Sylow \(p\)-subgroup of \(E\).

**Proof:** Since \(E_1/E_2,E_2/E_3,\dots\) are isomorphic to subgroups of \(\mathcal O_L/\frak P\), which is a \(p\)-group, their sizes are powers of \(p\). Hence \(|E_1|=|E_1/E_2|\cdot|E_2/E_3|\cdot\dots\) is a power of \(p\), i.e. \(E_1\) is a \(p\)-group. On the other hand, \(|E/E_1|\mid|(\mathcal O_L/\frak P)^\times|\) is indivisible by \(p\), so \(E_1\) must be the Sylow \(p\)-subgroup of \(E\). In particular, it’s nontrivial iff \(p\mid |E|=e\). \(\square\)

The next result will turn out to be rather useful later.

**Proposition 3:** Suppose \(D/E_1\) is abelian. The embedding from the proof of proposition 1 actually sends \(E/E_1\) into \(\mathcal O_K/\frak p\).

**Proof:** Suppose \(\sigma\in E\) and \(\sigma(\pi)=\alpha_\sigma\pi\pmod{\frak P^2}\). First we note that this implies, in a way similar to the first two paragraphs of the proof of lemma 1, that \(\sigma(\beta)\equiv\alpha_\sigma\beta\pmod{\frak P^2}\) for all \(\beta\in\frak P\).

Abelianness of \(D/E_1\) implies that, for any other \(\tau\in D\), \(\sigma^{-1}\tau\sigma\tau^{-1}\in E_1\), so \(\tau\sigma\tau^{-1}(\alpha)\equiv\sigma(\alpha)\pmod{\frak P^2}\) for all \(\alpha\in\mathcal O_L\). Taking \(\alpha=\pi\) and noting \(\tau^{-1}(\pi)\in\frak P\) this gives \(\alpha_\sigma\pi\equiv\sigma(\pi)\equiv\tau\sigma(\tau^{-1}(\pi))\equiv\tau(\alpha_\sigma\tau^{-1}(\pi))\equiv\tau(\alpha_\sigma)\pi\pmod{\frak P^2}\), therefore \(\alpha_\sigma\equiv\tau(\alpha_\sigma)\pmod{\frak P}\). Since \(D\) maps surjectively onto Galois group of \((\mathcal O_L/\frak P)/(\mathcal O_K/\frak p)\), this group acts trivially on \(\alpha\pmod{\frak P}\), so \(\alpha\in\mathcal O_K \frak p\). \(\square\).

Higher ramification groups, especially the last proposition, will turn out to be very useful in a proof of Kronecker-Weber theorem, which will be the subject of an upcoming blog post.

]]>Let \( K\) be a number field of degree \( n\) over \( \mathbb Q\). By standard results of field theory there are precisely \( n\) embeddings of \( K\) into \( \mathbb C\), call them \( \sigma_1,\dots,\sigma_n\). We recall a standard definition:

**Definition:** For any \( n\) elements \( \alpha_1,\dots,\alpha_n\in K\) we define the *discriminant* of these elements to be the square of the determinant of \( M=(\sigma_j(\alpha_i))_{i,j}\). We denote it by \( \mathrm{disc}(\alpha_1,\dots,\alpha_n)\).

It’s easy to see \( \mathrm{disc}(\alpha_1,\dots,\alpha_n)\) doesn’t depend on the order of \( \alpha_i\) nor the order of \( \sigma_j\). Also, \( \det(M)^2=\det(MM^T)=\det((T(\alpha_i\alpha_j)_{i,j})\), where \( T\) denotes the trace. From there it’s straightforward that the discriminant lies in \( \mathbb Q\) , and we can also deduce that \( \mathrm{disc}(\alpha_1,\dots,\alpha_n)\neq 0\) iff \( \alpha_1,\dots,\alpha_n\) are linearly independent over \( K\). Lastly, if \( \beta_1,\dots,\beta_n\) are elements which are \( K\)-linear combinations of \( \alpha_i\) represented by a matrix \( V\), then we easily see \( \mathrm{disc}(\beta_1,\dots,\beta_n)=(\det V)^2\mathrm{disc}(\alpha_1,\dots,\alpha_n)\). In particular, if \( \alpha_1,\dots,\alpha_n\) and \( \beta_1,\dots,\beta_n\) are two bases of the same additive group, then they have the same discriminant. Therefore, it makes sense to speak of the discriminant of an additive subgroup \( \mathrm{disc}(A)\) to be the discriminant of any of its bases.

The most important additive subgroup of a number field is its ring of integers \( \mathcal O_K\). The discriminant of this ring will also be sometimes called the discriminant of the field \( K\) and denoted by \( \mathrm{disc}(K)\).

Consider an additive subgroup \( A\) generated by a basis \( \alpha_1,\dots,\alpha_n\) of \( K\). Then the matrix \( (T(\alpha_i\alpha_j))_{i,j}\) is invertible (since its determinant is nonzero discriminant). Considering the columns of its inverse as coefficients of a linear combination of \( \alpha_j\), so constructed elements, call them \( \alpha_1^*,\dots,\alpha_n^*\), satisfy \( T(\alpha_i\alpha_j^*)=\begin{cases}

1 & \text{if }i=j\\

0 & \text{otherwise}

\end{cases}\). Moreover, by uniqueness of matrix inverse, these elements are defined uniquely. We verify that the are linearly independent, hence form a basis: if \( a_1\alpha_1^*+\dots+a_n\alpha_n^*=0\), then \( 0=T(0)=T(\alpha_j*(a_1\alpha_1^*+\dots+a_n\alpha_n^*))=a_1T(\alpha_j^*\alpha_1)+\dots+a_nT(\alpha_j^*\alpha_n)=a_j\), so the linear combination is trivial.

**Definition:** Given a basis \( \alpha_1,\dots,\alpha_n\), we call the basis \( \alpha_1^*,\dots,\alpha_n^*\) its *dual basis*. We call the additive group generated by them the *dual group* and is denoted by \( A^*\).

Note it’s not immediately clear that this definition is independent of the basis of \( A\) we choose. The first result which we properly state and prove will imply this.

**Proposition 1:** \( A^*\) is precisely the set of \( \alpha\in K\) such that \( T(\alpha A)\subseteq\mathbb Z\).

**Proof:** Let \( \alpha\in K\). Since dual basis is a basis, we can write \( \alpha=a_1\alpha_1^*+\dots+a_n\alpha_n^*\), and \( \alpha\in A^*\) iff \( a_1,\dots,a_n\in\mathbb Z\). At the same time, \( a_i=T(\alpha\alpha_i)\). It clearly follows that if \( T(\alpha A)\subseteq\mathbb Z\), then \( a_i\in\mathbb Z\). Conversely, if \( a_1,\dots,a_n\in\mathbb Z\), then for any \( \beta=b_1\alpha_1+\dots+b_n\alpha_n\in A,b_1,\dots,b_n\in\mathbb Z\) we have \( T(\alpha\beta)=a_1b_1+\dots+a_nb_n\in\mathbb Z\), so \( T(\alpha A)\subseteq\mathbb Z\). \(\square\)

It is possible to explicitly give the dual basis if the basis is of the form \( 1,\alpha,\dots,\alpha^{n-1}\) with \( \alpha\in\mathcal O_K\), i.e. its minimal polynomial over \( \mathbb Q\) has integer coefficients.

**Proposition 2:** Let \( f(x)=(x-\alpha)(c_{n-1}x^{n-1}+\dots+c_1x+c_0)\) be the minimal polynomial of \( \alpha\). Then \( \frac{c_0}{f'(\alpha)},\dots,\frac{c_{n-1}}{f'(\alpha)}\) is the dual basis of \( 1,\alpha,\dots,\alpha^{n-1}\). Moreover, \( (\mathbb Z[\alpha])^*=\frac{1}{f'(\alpha)}\mathbb Z[\alpha]\).

**Proof:** Let \( \alpha_1=\alpha,\alpha_2,\dots,\alpha_n\) be the conjugates of \( \alpha\) in \( \mathbb C\). It’s easy to see \( c_i=c_i(\alpha)\) is a monic polynomial in \( \alpha\) of degree \( i\), and if we divided \( f(x)\) by \( x-\alpha_j\), the coefficients would be \( c_i(\alpha_j)\). For \( k=0,\dots,n-1\) consider the polynomial

\( \displaystyle\sum_{i=1}^n\frac{\alpha_i^k}{f'(\alpha_i)}\frac{f(x)}{x-\alpha_i}\).

It’s easy to see that each term is \( 1\) for \( x=\alpha_i^k\) and \( 0\) for \( x=\alpha_j,j\neq i\). Hence this polynomial of degree smaller than \( n\) agrees with polynomial \( x^k\) at \( n\) places, so the polynomials must be equal. Comparing coefficient of \( x^j\) we get

\( \displaystyle\sum_{i=1}^n\frac{\alpha_i^k}{f'(\alpha_i)}c_j(\alpha_i)=\begin{cases}

1 & \text{if }j=k\\

0 & \text{otherwise}

\end{cases}\),

but the left hand side is precisely \( T\alpha_k\frac{c_j(\alpha)}{f'(\alpha)})\), showing the first claim. To see the second claim, recall that \( c_j\) are monic polynomials of degree \( j\), so we can show by induction that \( \frac{\alpha^j}{f'(\alpha)}\in(\mathbb Z[\alpha])^*\). We omit the details. \(\square\)

The construction of dual additive group also preserves the property of being a fractional ideal. More precisely:

**Proposition 3:** Let \( \frak a\) be a fractional ideal. Then \( \frak a^*\) (considered as the dual of the additive group) is also a fractional ideal. Moreover, \( \frak a^*=\frak a^{-1}\mathcal O_K^*\). [recall that \( \frak a^{-1}\) is defined as the set of these \( \alpha\in K\) for which \( \alpha\frak a\subseteq\mathcal O_K\). In this post we establish that \( \frak a\frak a^{-1}=\mathcal O_K\)]

**Proof:** Fix any any \( \beta\mathcal O_K\). For \( \alpha\in\frak a^*\) we have \( T(\alpha\frak a)\subseteq\mathbb Z\). But, since \( \frak a\) is a fractional ideal, \( \beta\frak a\subseteq\frak a\), so \( T(\beta\alpha\frak a)=T(\alpha(\beta\frak a))\subseteq T(\alpha\frak a)\subseteq\mathbb Z\), so \( \beta\alpha\in\frak a^*\). This shows \( \frak a^*\) is a fractiona ideal.

For the second part, suppose first \( \alpha\in\frak a^*\). For any \( \beta\in\frak a\) we have \( \beta\mathcal O_K\subseteq\frak a\), so \( T(\alpha\beta\mathcal O_K)\subseteq T(\alpha\frak a)\subseteq\mathbb Z\), so \( \alpha\beta\in\mathcal O_K^*\). Hence, \( \alpha\frak a\subseteq\mathcal O_K^*\). Hence \( \alpha\in\alpha\frak a\frak a^{-1}\subseteq\frak a^{-1}\mathcal O_K^*\). For the converse, pretty much this argument in reverse works. \(\square\)

Previous proposition shows that duals work a bit like inverses. By taking duals inverse, we get another important ideal.

**Definition:** Let \( \frak a\) be a fractional ideal. We define the *different* of \( \frak a\) to be \( \mathrm{diff}\frak a=(\frak a^*)^{-1}\). In particular, we call the different of \( \mathcal O_K\) the *different of *\( K\) \( \mathrm{diff} K\).

Note that \( \mathcal O_K\subseteq\mathcal O_K^*\), so \( \mathrm{diff} K\) is an ideal in \( \mathcal O_K\). From proposition 3 we immediately have \( \mathrm{diff} \frak a=\frak a\mathrm{diff} K\), hence for the most part we only have to focus our attention of \( \mathrm{diff} K\). It takes particularly simple form when \( \mathcal O_K=\mathbb Z[\alpha]\) – by proposition 2 we then have \( \mathrm{diff} K=(f'(\alpha))\), \( f\) being the minimal polynomial of \( \alpha\).

Recall the definition of the norm of an ideal: \( N(\frak a)=[\mathcal O_K:\frak a]=|\mathcal O_K/\frak a|\).

**Theorem 1:** \( N(\mathrm{diff} K)=|\mathrm{disc} K|\)

**Proof:** First we note that for fractional ideals \( \frak a\supseteq\frak b\) and \( \frak c\) we have an isomorphism of rings \( \frak{ac}/\frac{bc} \cong \frak a/\frak b\) (this is quite straightforward to establish). In particular, taking \( \frak a=\mathcal O_K^*=(\mathrm{diff} K)^{-1},\frak b=\mathcal O_K,\frak c=\mathrm{diff} K\) this gives \( \mathcal O_K/\mathrm{diff} K\cong\mathcal O_K^*/\mathcal O_K\). In particular, \( N(\mathrm{diff} K)=[\mathcal O_K:\mathrm{diff}K]=[\mathcal O_K^*:\mathcal O_K]\). It is well-known that for two free abelian groups \( A\supseteq B\) of the same rank, \( [A:B]\) is the absolute value of the determinant of a transformation taking basis of \( A\) to the basis of \( B\). In our case, take \( \alpha_1,\dots,\alpha_n\) an integral basis of \( \mathcal O_K\) and \( \alpha_1^*,\dots,\alpha_n^*\) its dual basis. We write \( \alpha_i=a_{i1}\alpha_1^*+\dots+a_{in}\alpha_n^*\). Then \( a_{ij}=T((a_{i1}\alpha_1^*+\dots+a_{in}\alpha_n^*)\alpha_j)=T(\alpha_i\alpha_j)\). In other words, the transformation matrix is precisely the matrix \( (T(\alpha_i\alpha_j)_{ij}\), whose determinant is \( \mathrm{disc} K\). This establishes the theorem. \(\square\)

The different is important when working with ramification of primes in a number field. As will be proven in the future post, different ideal is divisible precisely by prime ideals which which are ramified in \( K\). In the next blog post we shall establish, among other things, this result in normal extensions, together with precise formula for the exponent of this prime.

As a closing remark, it is worth poining out that the whole theory of discriminants and differents can be built in extensions \( L/K\) for \( K\) different from the field of rational numbers, although things get a lot more technical, since, for example, discriminant has to be considered as an ideal and not a single element. I hope to one day cover the theory of general discriminants and different ideals in another blog post or two.

]]>