For (2), suppose \(a\) is irreducible and \(\langle a \rangle \subseteq \langle b \rangle\) for some non-zero \(b \in R\). Then \(b \mid a\), so \(a = bc\) for some \(c \in R\). Since \(a\) is irreducible, either \(b\) or \(c\) is a unit. If \(b\) is a unit, then \(\langle b \rangle = R\). If \(c\) is a unit, then \(a \sim b\) and \(\langle a \rangle = \langle b \rangle\). Conversely, if \(\langle a \rangle\) is maximal among non-zero principal ideals and \(a = bc\), then \(\langle a \rangle \subseteq \langle b \rangle\), so either \(\langle a \rangle = \langle b \rangle\) (meaning \(b \sim a\), so \(c\) is a unit) or \(\langle b \rangle = R\) (meaning \(b\) is a unit). ∎

Conversely, suppose \(R/P\) is an integral domain. Since \(1 + P \neq 0 + P\), we have \(1 \notin P\), so \(P \neq R\). Let \(a, b \in R\) with \(ab \in P\). Then \((a+P)(b+P) = ab + P = 0 + P\). Since \(R/P\) has no zero divisors, \(a + P = 0 + P\) or \(b + P = 0 + P\), so \(a \in P\) or \(b \in P\). ∎

Conversely, suppose \(R/M\) is a field. Since \(1 + M \neq 0 + M\), we have \(M \neq R\). Let \(I\) be an ideal with \(M \subseteq I \subseteq R\) and \(I \neq M\). Choose \(a \in I\) with \(a \notin M\). Then \(a + M \neq 0 + M\) in \(R/M\), so \(a + M\) has an inverse: \((a+M)(b+M) = 1 + M\) for some \(b\). Then \(1 - ab \in M \subseteq I\), and since \(a \in I\) we have \(ab \in I\), so \(1 \in I\), giving \(I = R\). ∎

Existence of an irreducible factor. If \(a\) is irreducible, we are done. Otherwise, \(a = a_1 b_1\) where \(a_1, b_1\) are non-units, and \(\langle a \rangle \subsetneq \langle a_1 \rangle\). If \(a_1\) is irreducible, we are done. Otherwise, \(a_1 = a_2 b_2\) with \(a_2, b_2\) non-units, and \(\langle a \rangle \subsetneq \langle a_1 \rangle \subsetneq \langle a_2 \rangle\). Continuing, this process must terminate since \(R\) is Noetherian (Theorem 1.16), yielding an irreducible factor \(a_n\) of \(a\).

Existence of a complete factorization. If \(a\) is irreducible, we are done. Otherwise, let \(a_1\) be an irreducible factor of \(a\), say \(a = a_1 b_1\). Then \(b_1\) is not a unit (since \(a\) is reducible while \(a_1\) is irreducible). If \(b_1\) is irreducible, we are done. Otherwise, let \(a_2\) be an irreducible factor of \(b_1\), say \(b_1 = a_2 b_2\). Continuing, we obtain \(\langle a \rangle \subsetneq \langle b_1 \rangle \subsetneq \langle b_2 \rangle \subsetneq \cdots\). By the Noetherian property, this chain must stabilize, so eventually some \(b_n\) is irreducible and \(a = a_1 a_2 \cdots a_n b_n\).

Uniqueness. Suppose \(a = a_1 a_2 \cdots a_\ell = b_1 b_2 \cdots b_m\) where each \(a_i\) and \(b_j\) is irreducible. Since \(a_1 \mid b_1 b_2 \cdots b_m\), and since \(a_1\) is irreducible in a PID, the ideal \(\langle a_1 \rangle\) is maximal among nonzero principal ideals (Theorem 1.7), hence is a nonzero maximal ideal (in a PID, maximal among principal ideals means maximal), hence prime (Corollary 1.10), so \(a_1\) is prime. Thus \(a_1 \mid b_k\) for some \(k\). After reindexing, we may assume \(a_1 \mid b_1\). Since \(b_1\) is irreducible and \(a_1\) is not a unit, \(a_1 \sim b_1\), say \(b_1 = a_1 u\) for some unit \(u\). Then \(a_1 a_2 \cdots a_\ell = a_1 u b_2 \cdots b_m\), and by cancellation \(a_2 \cdots a_\ell = u b_2 \cdots b_m\). By induction, \(\ell = m\) and \(a_i \sim b_i\) after a suitable permutation of \(b_2, \ldots, b_m\). ∎

Let \(\pi\) be a prime in \(\mathbb{Z}[i]\). Then \(\pi \mid \pi\bar{\pi} = N(\pi) \in \mathbb{Z}^+\), so \(\pi\) divides some rational prime \(p\). Write \(p = \pi \alpha\) in \(\mathbb{Z}[i]\), so \(p^2 = N(p) = N(\pi)N(\alpha)\). Since \(\pi\) is not a unit, \(N(\pi) > 1\), so \(N(\pi) = p\) or \(N(\pi) = p^2\).

Case 1: \(N(\pi) = p\). Then \(p = a^2 + b^2\) where \(\pi = a + bi\). This requires \(p = 2\) (giving \(\pi \sim 1+i\)) or \(p \equiv 1 \pmod{4}\) (by Fermat’s theorem on sums of two squares).

Case 2: \(N(\pi) = p^2\). Then \(N(\alpha) = 1\), so \(\alpha\) is a unit and \(\pi \sim p\). Taking norms, \(p^2 = N(\pi)\), so \(p\) is irreducible in \(\mathbb{Z}[i]\). If \(p \equiv 1 \pmod{4}\), then \(p = a^2 + b^2\) for some integers \(a, b\), giving \(p = (a+bi)(a-bi)\) with both factors non-units, contradicting irreducibility. If \(p = 2\), then \(2 = -i(1+i)^2\) is not irreducible. Thus \(p \equiv 3 \pmod{4}\).

Conversely, one verifies that each element listed is indeed prime. ∎

Uniqueness. Suppose \(f = qg + r = pg + s\) with \(\deg(r), \deg(s) < \deg(g)\). Then \((q-p)g = s - r\). Since the leading coefficient of \(g\) is a unit (hence not a zero divisor), \(\deg((q-p)g) = \deg(q-p) + \deg(g)\). If \(q - p \neq 0\), then \(\deg((q-p)g) \geq \deg(g)\), contradicting \(\deg(s-r) < \deg(g)\). Thus \(q = p\) and \(r = s\). ∎

Write \(h(x) = \sum_{i=0}^n a_i x^i\) and \(k(x) = \sum_{i=0}^m b_i x^i\). Suppose for contradiction that some prime \(p\) divides \(c(hk)\). Since \(c(h) = 1\), choose the smallest index \(r\) with \(p \nmid a_r\). Since \(c(k) = 1\), choose the smallest index \(s\) with \(p \nmid b_s\). The coefficient of \(x^{r+s}\) in \(hk\) is

Since \(p \mid c_{r+s}\) and \(p \mid a_i\) for \(i < r\) and \(p \mid b_j\) for \(j < s\), it follows that \(p \mid a_r b_s\). Since \(p\) is prime, \(p \mid a_r\) or \(p \mid b_s\), contradicting our choices.

Part (2). Let \(g(x) = \frac{1}{c(f)} f(x)\) so \(c(g) = 1\).

Suppose \(g\) is reducible in \(\mathbb{Z}[x]\), say \(g = hk\) with \(h, k\) non-units in \(\mathbb{Z}[x]\). Since \(c(h)c(k) = c(g) = 1\), both \(h\) and \(k\) are primitive, hence nonconstant. Then \(f = c(f)g = c(f) \cdot h \cdot k\), and since \(c(f)h\) and \(k\) are nonconstant in \(\mathbb{Q}[x]\), \(f\) is reducible in \(\mathbb{Q}[x]\).

Conversely, suppose \(f\) is reducible in \(\mathbb{Q}[x]\), say \(f = h \cdot k\) with \(h, k\) nonconstant in \(\mathbb{Q}[x]\). Clearing denominators and dividing out content, write \(h = \frac{c(ah)}{a} p\) and \(k = \frac{c(bk)}{b} q\) where \(p, q \in \mathbb{Z}[x]\) are primitive and nonconstant. Then \(f = c(ah)c(bk) \cdot pq / (ab)\), and comparing content yields \(g = pq\), a product of nonconstant polynomials in \(\mathbb{Z}[x]\). ∎

Thus \(r \mid c_0 s^n\). Since \(\gcd(r, s) = 1\), we have \(\gcd(r, s^n) = 1\), so \(r \mid c_0\). Similarly, \(s \mid c_n r^n\) and \(\gcd(s, r^n) = 1\) give \(s \mid c_n\). ∎

Since \(p \mid c_1 = a_0 b_1 + a_1 b_0\) and \(p \mid a_0\), we get \(p \mid a_1 b_0\), and since \(p \nmid b_0\), we get \(p \mid a_1\). Continuing inductively, \(p \mid c_j\) for \(j < n\) and \(p \mid a_i\) for \(i < j\) together imply \(p \mid a_j b_0\), hence \(p \mid a_j\). In particular, \(p \mid a_k\). But then \(p \mid a_k b_\ell = c_n\), contradicting \(p \nmid c_n\). ∎

Spanning. Let \(a \in L\). Since \(V\) spans \(L/K\), write \(a = \sum_j s_j v_j\) with \(s_j \in K\). Since \(U\) spans \(K/F\), write each \(s_j = \sum_i r_{ij} u_i\) with \(r_{ij} \in F\). Then \(a = \sum_{i,j} r_{ij} u_i v_j\), so \(W\) spans \(L/F\).

Linear independence. Suppose \(\sum_{i,j} r_{ij} u_i v_j = 0\) with \(r_{ij} \in F\). Then \(\sum_j \left(\sum_i r_{ij} u_i\right) v_j = 0\). Since each \(\sum_i r_{ij} u_i \in K\) and \(V\) is linearly independent over \(K\), we get \(\sum_i r_{ij} u_i = 0\) for each \(j\). Since \(U\) is linearly independent over \(F\), we get \(r_{ij} = 0\) for all \(i, j\). ∎

(1) If \(a\) is transcendental, then \(\ker(\phi) = \{0\}\), so \(\phi\) is injective and \(F[a] \cong F[x]\). Since \(F[x]\) is an integral domain, \(F(a)\) is its field of fractions, isomorphic to \(F(x)\).

(2) If \(a\) is algebraic, then \(\ker(\phi) \neq \{0\}\). Since \(F[x]\) is a PID, \(\ker(\phi) = \langle f \rangle\) for some monic polynomial \(f\). We claim \(f\) is irreducible. If \(f = gh\) with \(g, h\) nonconstant, then \(0 = f(a) = g(a)h(a)\). Since \(K\) is a field (hence an integral domain), \(g(a) = 0\) or \(h(a) = 0\), contradicting the minimality of \(\deg(f)\) among nonzero elements of \(\ker(\phi)\). By the first isomorphism theorem, \(F[a] \cong F[x]/\langle f \rangle\). Since \(f\) is irreducible in the PID \(F[x]\), \(\langle f \rangle\) is maximal, so \(F[x]/\langle f \rangle\) is a field, giving \(F[a] = F(a)\). The images of \(1, x, \ldots, x^{n-1}\) form a basis for \(F[x]/\langle f \rangle\), so \(\{1, a, \ldots, a^{n-1}\}\) is a basis for \(F(a)/F\). ∎

Each \(c_i\) is algebraic over \(F\), so each step \(F(c_0, \ldots, c_{i-1}) \subseteq F(c_0, \ldots, c_i)\) has finite degree. The final step also has finite degree since \(a\) is a root of \(f(x) \in F(c_0, \ldots, c_{n-1})[x]\). By the tower law, \([F(c_0, \ldots, c_{n-1}, a) : F]\) is finite, so \(a\) is algebraic over \(F\). ∎

Let \(\psi : K(a) \to \mathbb{C}\) be any embedding extending \(\phi\). Since \(\psi(c_i) = \phi(c_i)\), applying \(\psi\) to \(f(a) = 0\) gives \(g(\psi(a)) = 0\). Thus \(\psi(a)\) must be one of \(b_1, \ldots, b_n\).

Conversely, for each root \(b_k\), the formula

defines an embedding \(\psi_k : K(a) \to \mathbb{C}\) extending \(\phi\) with \(\psi_k(a) = b_k\). This is well-defined since \(\{1, a, \ldots, a^{n-1}\}\) is a basis for \(K(a)/K\), and one verifies it is an injective ring homomorphism. Thus there are exactly \(n\) extensions. ∎

Let \(u, v \in L\). Let \(f(x) \in K[x]\) be the minimal polynomial of \(u\) over \(K\) with roots \(a_1 = u, a_2, \ldots, a_k\) in \(\mathbb{C}\), and let \(g(x) \in K[x]\) be the minimal polynomial of \(v\) over \(K\) with roots \(b_1 = v, b_2, \ldots, b_\ell\) in \(\mathbb{C}\). Choose \(t \in K\) such that \(t \neq -\frac{u - a_i}{v - b_j}\) for any pair of indices \((i, j)\) with \((i,j) \neq (1,1)\). Such a choice is possible since \(K\) is infinite (as it contains \(\mathbb{Q}\)). Let \(w = u + tv\).

Clearly \(w \in K(u, v)\), so \(K(w) \subseteq K(u, v)\). We claim \(K(u, v) \subseteq K(w)\). Consider the polynomial \(h(x) = f(w - tx) \in K(w)[x]\). Note that \(h(v) = f(w - tv) = f(u) = 0\) and \(g(v) = 0\). If \(x \in \mathbb{C}\) is a common root of \(g\) and \(h\), then \(g(x) = 0\) implies \(x = b_j\) for some \(j\), and \(h(x) = 0\) implies \(f(w - tx) = 0\), so \(w - tb_j = a_i\) for some \(i\), giving \(t = \frac{w - a_i}{b_j} = \frac{u + tv - a_i}{b_j}\). If \(b_j \neq v\), then \(t = -\frac{u - a_i}{v - b_j}\) for some \((i, j) \neq (1,1)\), contradicting our choice of \(t\). Thus \(v\) is the only common root of \(g\) and \(h\).

Let \(d(x) = \gcd(g(x), h(x))\) in \(K(w)[x]\). Since \(v\) is the only common root and all roots are simple (by separability), \(d(x) = (x - v)\). Since \(d(x) \in K(w)[x]\), it follows that \(v \in K(w)\). Then \(u = w - tv \in K(w)\), so \(K(u, v) \subseteq K(w)\). ∎

(2) \(\Rightarrow\) (3): Suppose \(\operatorname{Hom}_K(L, \mathbb{C}) = \operatorname{Aut}_K(L)\). Let \(a \in L\) and let \(f(x) \in K[x]\) be the minimal polynomial of \(a\) over \(K\), with roots \(a_1 = a, a_2, \ldots, a_m\) in \(\mathbb{C}\). The identity embedding \(\operatorname{id} : K \hookrightarrow \mathbb{C}\) extends to \(m\) embeddings \(\phi_j : K(a) \to \mathbb{C}\) with \(\phi_j(a) = a_j\). Each \(\phi_j\) extends to at least one embedding \(\psi_j : L \to \mathbb{C}\). Since \(\psi_j\) fixes \(K\), we have \(\psi_j \in \operatorname{Hom}_K(L, \mathbb{C}) = \operatorname{Aut}_K(L)\). Therefore \(a_j = \psi_j(a) \in L\) for all \(j\), so \(f\) splits in \(L\).

(3) \(\Rightarrow\) (4): By the Primitive Element Theorem, choose \(a \in L\) with \(L = K(a)\). Let \(f(x)\) be the minimal polynomial of \(a\) with roots \(a_1, \ldots, a_n\). By hypothesis, each \(a_i \in L\), so \(L = K(a) = K(a_1, \ldots, a_n)\) is the splitting field of \(f\).

(4) \(\Rightarrow\) (1): Let \(L\) be the splitting field of \(f(x) \in K[x]\) with roots \(a_1, \ldots, a_n \in L\). We use an inductive construction. If \(f\) splits completely in \(K\), then \(L = K\) and \(|\operatorname{Aut}_K(L)| = 1 = [L:K]\). Otherwise, let \(g_1(x) \in K[x]\) be a nonlinear irreducible factor of \(f\) with roots \(a_{1,1}, \ldots, a_{1,\ell_1}\). The identity extends to \(\ell_1\) embeddings \(\phi_{j_1} : K(a_{1,1}) \to \mathbb{C}\) with \(\phi_{j_1}(a_{1,1}) = a_{1,j_1}\). Since all roots lie in \(L\), the image lands in \(L\). Continuing inductively through a tower \(K \subset K(a_{1,1}) \subset K(a_{1,1}, a_{2,1}) \subset \cdots = L\), we obtain \(\ell_1 \ell_2 \cdots \ell_m = [L:K]\) embeddings, each of which maps \(L\) into \(L\) (since images of roots of \(f\) are roots of \(f\), hence in \(L\)). By Proposition 2.12, these are all automorphisms, giving \(|\operatorname{Aut}_K(L)| = [L:K]\). ∎

so \([L^G : K] = 1\) and \(L^G = K\).

(2) Suppose \(L^H = K\). Write \(L = K(\alpha)\) by the Primitive Element Theorem and consider the polynomial

The coefficients of \(f\) are elementary symmetric polynomials in the \(\sigma(\alpha)\), and for any \(\tau \in H\), the map \(\sigma \mapsto \tau\sigma\) permutes \(H\), so \(\tau\) permutes the roots \(\{\sigma(\alpha)\}\) and fixes each coefficient. Thus the coefficients lie in \(L^H = K\), so \(f(x) \in K[x]\). Since \(\operatorname{id} \in H\), \(f(\alpha) = 0\), and \(\deg(f) = |H|\). The minimal polynomial of \(\alpha\) over \(K\) has degree at most \(|H|\), so

Therefore \(|H| = |G|\), and since \(H \leq G\), we conclude \(H = G\). ∎

(ii) Let \(H' = \operatorname{Gal}(L/L^H)\). By definition, \(H\) fixes \(L^H\), so \(H \leq H'\). Since \(L/L^H\) is normal (as it is a sub-extension of the normal extension \(L/K\)), and \(H \leq \operatorname{Gal}(L/L^H)\) has \(L^H\) as its fixed field, Theorem 2.25(2) gives \(H = H'\).

(iii) Let \(H = \operatorname{Gal}(L/F)\). For \(\sigma \in G\), the map \(\sigma|_F : F \to \sigma(F)\) is an isomorphism, and one computes \(\sigma H \sigma^{-1} = \operatorname{Gal}(L/\sigma(F))\). Therefore:

The condition \(\sigma(F) = F\) for all \(\sigma \in G\) means exactly that every \(K\)-fixing automorphism of \(L\) maps \(F\) into itself, which (since each such restriction \(\sigma|_F : F \to F\) is an automorphism) is equivalent to \(F/K\) being normal.

When \(H \trianglelefteq G\), the restriction map \(\operatorname{Gal}(L/K) \to \operatorname{Gal}(F/K)\) given by \(\sigma \mapsto \sigma|_F\) is a well-defined group homomorphism (since \(\sigma(F) = F\)). Its kernel is \(\{\sigma \in G : \sigma|_F = \operatorname{id}_F\} = \operatorname{Gal}(L/F) = H\). By the first isomorphism theorem, \(\operatorname{Gal}(F/K) \cong G/H\). ∎

so \(\alpha^n\) lies in the \(R\)-module \(M\) generated by \(\{1, \alpha, \alpha^2, \ldots, \alpha^{n-1}\}\). Multiplying by \(\alpha\) shows that \(\alpha^{n+1} \in M\) as well, and by induction every power of \(\alpha\) lies in \(M\). Therefore \(R[\alpha] = M\) is finitely generated.

(ii) \(\Rightarrow\) (iii): Take \(T = R[\alpha]\).

(iii) \(\Rightarrow\) (i): Let \(T\) be finitely generated as an \(R\)-module with generators \(t_1, \ldots, t_n\). Since \(\alpha \in T\) and \(T\) is a ring, we have \(\alpha t_i \in T\) for each \(i\), so we may write

for some \(a_{ij} \in R\). In matrix form, \((\alpha I_n - A)\mathbf{t} = 0\), where \(A = (a_{ij})\) and \(\mathbf{t} = (t_1, \ldots, t_n)^T\). Multiplying on the left by the adjugate matrix gives \(\det(\alpha I_n - A) \cdot t_i = 0\) for each \(i\). Since \(1 \in T\) is an \(R\)-linear combination of the \(t_i\), we obtain \(\det(\alpha I_n - A) = 0\). Expanding the determinant gives a monic polynomial in \(\alpha\) with coefficients in \(R\). ∎

Now \(\mathbb{Z}[\alpha + \beta]\), \(\mathbb{Z}[\alpha - \beta]\), and \(\mathbb{Z}[\alpha\beta]\) are all subrings of \(\mathbb{Z}[\alpha, \beta]\). Since \(\mathbb{Z}\) is a Noetherian ring, every submodule of a finitely generated \(\mathbb{Z}\)-module is itself finitely generated. Thus \(\alpha \pm \beta\) and \(\alpha\beta\) are each contained in a finitely generated \(\mathbb{Z}\)-module, hence are integral over \(\mathbb{Z}\) by condition (iii) of Theorem 3.4. ∎

Each \(c_i\) is integral over \(R\) since \(S\) is integral over \(R\), so by Theorem 3.4, each ring \(R[c_0, \ldots, c_k]\) is finitely generated as a module over \(R[c_0, \ldots, c_{k-1}]\). The element \(\alpha\) is integral over \(R[c_0, \ldots, c_{n-1}]\), so \(R[c_0, \ldots, c_{n-1}, \alpha]\) is finitely generated over \(R[c_0, \ldots, c_{n-1}]\). By iterating the module generation (if \(M\) is finitely generated over \(N\) and \(N\) is finitely generated over \(P\), then \(M\) is finitely generated over \(P\)), we conclude that \(R[c_0, \ldots, c_{n-1}, \alpha]\) is finitely generated as an \(R\)-module. Since \(\alpha\) lies in this ring, it is integral over \(R\) by Theorem 3.4(iii). ∎

This shows that \(a_n \alpha\) is a root of a monic polynomial in \(\mathbb{Z}[x]\), so \(a_n \alpha \in \mathcal{O}_K\). ∎

By Theorem 3.2, the element \(\alpha\) is an algebraic integer if and only if both \(2a \in \mathbb{Z}\) and \(a^2 - db^2 \in \mathbb{Z}\).

Write \(a = m/2\) and \(b = n/2\) with \(m, n \in \mathbb{Z}\) (taking \(2a \in \mathbb{Z}\) already forces \(a\) to be a half-integer, and a similar analysis of \(a^2 - db^2 \in \mathbb{Z}\) forces \(b\) to be a half-integer as well). Then the integrality condition \(a^2 - db^2 \in \mathbb{Z}\) becomes \(m^2 - dn^2 \equiv 0 \pmod{4}\).

Case 1: \(d \not\equiv 1 \pmod{4}\). Since \(d\) is squarefree, we have \(d \equiv 2\) or \(3 \pmod{4}\). A case analysis shows \(m^2 - dn^2 \equiv 0 \pmod{4}\) forces both \(m\) and \(n\) to be even. So \(a, b \in \mathbb{Z}\), and \(\mathcal{O}_K = \mathbb{Z}[\sqrt{d}]\).

Case 2: \(d \equiv 1 \pmod{4}\). Then \(m^2 - dn^2 \equiv m^2 - n^2 \equiv 0 \pmod{4}\), which holds if and only if \(m \equiv n \pmod{2}\). The algebraic integers are therefore elements of the form \(\frac{m + n\sqrt{d}}{2}\) with \(m \equiv n \pmod{2}\). This is precisely \(\mathbb{Z}\left[\frac{1+\sqrt{d}}{2}\right]\), since every such element can be written as \(a + b \cdot \frac{1+\sqrt{d}}{2}\) with \(a, b \in \mathbb{Z}\). ∎

To verify this equals the characteristic polynomial of \(M_\alpha\), choose a basis \(\{u_1, \ldots, u_m\}\) for \(K\) over \(\mathbb{Q}(\alpha)\) and use the basis \(\{u_j \alpha^{k-1} : 1 \le j \le m, \, 0 \le k \le \ell-1\}\) for \(K\) over \(\mathbb{Q}\). Relative to this basis, \(M_\alpha\) decomposes into \(m\) blocks, each being the companion matrix of \(p(x)\), giving \(f_\alpha(x) = p(x)^m\). ∎

The argument for the norm is identical, with products replacing sums. ∎

Conversely, suppose \(N_{K/\mathbb{Q}}(\alpha) = \pm 1\). Then \(\alpha \prod_{i=2}^{n} \sigma_i(\alpha) = \pm 1\), so \(\alpha^{-1} = \pm \prod_{i=2}^{n} \sigma_i(\alpha)\). Each \(\sigma_i(\alpha)\) is an algebraic integer, so their product is an algebraic integer. Since \(\alpha^{-1} \in K\) and is an algebraic integer, \(\alpha^{-1} \in \mathcal{O}_K\). ∎

∎

∎

Choose a basis \(\{\omega_1, \ldots, \omega_n\} \subset \mathcal{O}_K\) minimizing \(|\operatorname{disc}(\omega_1, \ldots, \omega_n)|\). We claim this is an integral basis. If not, there exists \(\gamma \in \mathcal{O}_K\) with \(\gamma = a_1\omega_1 + \cdots + a_n\omega_n\) where some \(a_j \notin \mathbb{Z}\). Say \(a_1 \notin \mathbb{Z}\), and write \(a_1 = a + r\) with \(a \in \mathbb{Z}\) and \(0 < r < 1\). Replace \(\omega_1\) by \(\omega_1' = \gamma - a\omega_1 = r\omega_1 + a_2\omega_2 + \cdots + a_n\omega_n\). Then \(\{\omega_1', \omega_2, \ldots, \omega_n\}\) is a basis of algebraic integers, and the change of basis has determinant \(r\), so

contradicting minimality. ∎

Taking the product over all \(k\):

Now \(\prod_{k} \prod_{i \ne k}(\theta_k - \theta_i) = \prod_{i < j}(\theta_i - \theta_j)(\theta_j - \theta_i) = (-1)^{n(n-1)/2}\prod_{i < j}(\theta_i - \theta_j)^2\). ∎

Case 2: \(d \equiv 1 \pmod{4}\). An integral basis is \(\bigl\{1, \frac{1+\sqrt{d}}{2}\bigr\}\), and

∎

which equals \(\delta\). Each summand is an algebraic integer. Now consider the partition of \(S_n\) into even and odd permutations: \(\delta = A - B\) where \(A\) is the sum over even permutations and \(B\) is the sum over odd permutations. Then \(A + B = \sum_{\pi} |\operatorname{sgn}(\pi)| \prod \sigma_i(\omega_{\pi(i)})\) and

Both \(A + B\) and \(AB\) are symmetric functions of the \(\sigma_i(\omega_k)\), hence lie in \(\mathbb{Q}\). Since they are also algebraic integers, they lie in \(\mathbb{Z}\). Therefore \(\operatorname{disc}(K) = (A+B)^2 - 4AB \equiv (A+B)^2 \pmod{4}\), and a perfect square modulo 4 is either 0 or 1. ∎

If \(r_2\) is even, then \(\overline{\delta} = \delta\), so \(\delta \in \mathbb{R}\) and \(\delta^2 > 0\). If \(r_2\) is odd, then \(\overline{\delta} = -\delta\), so \(\delta\) is purely imaginary and \(\delta^2 < 0\). In both cases, the sign of \(\operatorname{disc}(K) = \delta^2\) is \((-1)^{r_2}\). ∎

(ii) By induction on \(n\). We have \(\Phi_1(x) = x - 1 \in \mathbb{Z}[x]\). For \(n > 1\), write \(x^n - 1 = \Phi_n(x) g(x)\) where \(g(x) = \prod_{d \mid n, d \ne n} \Phi_d(x) \in \mathbb{Z}[x]\) by the induction hypothesis. Since \(g\) is monic, long division of \(x^n - 1\) by \(g(x)\) in \(\mathbb{Z}[x]\) yields a quotient \(\Phi_n(x) \in \mathbb{Z}[x]\).

(iii) By induction. \(\Phi_1(0) = -1\). For \(n \ge 2\), evaluating \(x^n - 1 = \Phi_n(x) \Phi_1(x) h(x)\) at \(x = 0\) gives \(-1 = \Phi_n(0)(-1)(1) = -\Phi_n(0)\), so \(\Phi_n(0) = 1\). (Here \(h(x) = \prod_{d \mid n, d \ne 1, d \ne n} \Phi_d(x)\), which satisfies \(h(0) = 1\) by induction.)

(iv) From part (i), \(x^p - 1 = \Phi_p(x) \Phi_1(x) = \Phi_p(x)(x-1)\), so \(\Phi_p(x) = \frac{x^p - 1}{x - 1} = x^{p-1} + \cdots + x + 1\). Similarly, \(x^{p^k} - 1 = \Phi_{p^k}(x) \cdot (x^{p^{k-1}} - 1)\), giving \(\Phi_{p^k}(x) = \frac{x^{p^k} - 1}{x^{p^{k-1}} - 1} = \Phi_p(x^{p^{k-1}})\). Evaluating at \(x = 1\): \(\Phi_{p^k}(1) = \Phi_p(1) = p\). ∎

We will show that if \(\theta\) is any root of \(f\) and \(p\) is any prime with \(\gcd(p, n) = 1\), then \(\theta^p\) is also a root of \(f\). Since every \(k\) with \(\gcd(k, n) = 1\) can be written as a product of primes coprime to \(n\), iterating this step shows that \(\zeta^k\) is a root of \(f\) for every such \(k\), giving \(\Phi_n \mid f\) and hence \(f = \Phi_n\).

Suppose, for contradiction, that \(f(\theta^p) \ne 0\) for some root \(\theta\) of \(f\) and some prime \(p\) with \(p \nmid n\). Then \(\theta^p\) is a root of \(x^n - 1\) but not of \(f\), so \(g(\theta^p) = 0\). Thus \(\theta\) is a root of \(h(x) = g(x^p) \in \mathbb{Z}[x]\). Since \(f\) is the minimal polynomial of \(\theta\), we have \(f \mid h\) in \(\mathbb{Q}[x]\), and since both are in \(\mathbb{Z}[x]\) with \(f\) monic, \(h = fk\) for some \(k \in \mathbb{Z}[x]\).

Reduce modulo \(p\): \(\overline{h}(x) = \overline{g}(x^p) = \overline{g}(x)^p\) by Lemma 5.4. So \(\overline{f}\,\overline{k} = \overline{g}^{\,p}\). Let \(s(x)\) be an irreducible factor of \(\overline{f}\) in \(\mathbb{F}_p[x]\). Then \(s \mid \overline{g}^{\,p}\), hence \(s \mid \overline{g}\). Since \(x^n - 1 = f(x)g(x)\), reducing modulo \(p\) gives \(x^n - 1 = \overline{f}\,\overline{g}\). Since \(s \mid \overline{f}\) and \(s \mid \overline{g}\), we have \(s^2 \mid x^n - 1\) in \(\mathbb{F}_p[x]\).

But the derivative of \(x^n - 1\) is \(nx^{n-1}\), and since \(p \nmid n\), the constant \(n\) is invertible in \(\mathbb{F}_p\). Therefore \(\gcd(x^n - 1, nx^{n-1}) = 1\) in \(\mathbb{F}_p[x]\), which means \(x^n - 1\) has no repeated factors—a contradiction. ∎

Any automorphism \(\sigma \in \operatorname{Gal}(\mathbb{Q}(\zeta_n)/\mathbb{Q})\) must send \(\zeta_n\) to another root of \(\Phi_n\), which is \(\zeta_n^k\) for some \(k\) with \(\gcd(k, n) = 1\). Define \(\psi : \operatorname{Gal}(\mathbb{Q}(\zeta_n)/\mathbb{Q}) \to (\mathbb{Z}/n\mathbb{Z})^\times\) by \(\psi(\sigma_k) = k\). This is a homomorphism:

so \(\psi(\sigma_k \circ \sigma_\ell) = k\ell = \psi(\sigma_k)\psi(\sigma_\ell)\). Since an automorphism of \(\mathbb{Q}(\zeta_n)\) is determined by its action on \(\zeta_n\), the map \(\psi\) is injective. Both groups have order \(\varphi(n)\), so \(\psi\) is an isomorphism. ∎

and the fact that each factor \(1 - \zeta^j\) is an associate of \(1 - \zeta\) (since \(\frac{1 - \zeta^j}{1 - \zeta}\) is a unit for \(\gcd(j,p) = 1\)), we obtain \(p = (1 - \zeta)^s \lambda\) for some unit \(\lambda \in \mathcal{O}_K^\times\).

Now the set \(\{1, (1-\zeta), (1-\zeta)^2, \ldots, (1-\zeta)^{s-1}\}\) is a \(\mathbb{Q}\)-basis for \(K\), and \(\operatorname{disc}(1 - \zeta) = \operatorname{disc}(\zeta)\), which is a power of \(p\) by Theorem 5.9 below.

By Theorem 4.18, any \(\alpha \in \mathcal{O}_K\) can be written as

where \(d = \operatorname{disc}(\zeta)\) is a power of \(p\) and \(\ell_1, \ldots, \ell_s \in \mathbb{Z}\).

Suppose \(\mathcal{O}_K \ne \mathbb{Z}[\zeta]\). Then there exists \(\alpha \in \mathcal{O}_K \setminus \mathbb{Z}[\zeta]\) of the above form where not all \(\ell_i\) are divisible by \(p\). Let \(i\) be the smallest index with \(p \nmid \ell_i\). Then

Since \(p = (1-\zeta)^s \lambda\), multiplying by \((1-\zeta)^{s-i}\lambda\) and simplifying shows that \(\theta = \frac{\ell_i}{1-\zeta} \in \mathcal{O}_K\). Taking norms: \(N(1-\zeta) \cdot N(\theta) = N(\ell_i)\), giving \(p \cdot N(\theta) = \ell_i^s\). Since \(N(\theta) \in \mathbb{Z}\), this forces \(p \mid \ell_i^s\), hence \(p \mid \ell_i\), contradicting our choice. ∎

For the inductive step, write \(n = p_1^{a_1} \cdots p_k^{a_k}\) and set \(m = p_1^{a_1} \cdots p_{k-1}^{a_{k-1}}\) and \(q = p_k^{a_k}\). By induction, \(\mathcal{O}_{\mathbb{Q}(\zeta_m)} = \mathbb{Z}[\zeta_m]\) and \(\mathcal{O}_{\mathbb{Q}(\zeta_q)} = \mathbb{Z}[\zeta_q]\).

The compositum of \(\mathbb{Q}(\zeta_m)\) and \(\mathbb{Q}(\zeta_q)\) is \(\mathbb{Q}(\zeta_n)\), since by the Euclidean algorithm there exist integers \(g, h\) with \(\zeta_n = \zeta_m^g \zeta_q^h\). Moreover, \([\mathbb{Q}(\zeta_n) : \mathbb{Q}] = \varphi(n) = \varphi(m)\varphi(q)\), so the extensions have maximal compositum degree. Since \(\operatorname{disc}(\mathbb{Q}(\zeta_m))\) is supported only on primes dividing \(m\) and \(\operatorname{disc}(\mathbb{Q}(\zeta_q))\) is a power of \(p_k\), we have \(\gcd(\operatorname{disc}(\mathbb{Q}(\zeta_m)), \operatorname{disc}(\mathbb{Q}(\zeta_q))) = 1\).

By Theorem 4.21,

∎

Now \(\varphi(n)\) is a power of 2 if and only if \(n = 2^k p_1 \cdots p_\ell\) where each \(p_i\) is a distinct Fermat prime. Indeed, for an odd prime \(p\), \(\varphi(p^r) = p^{r-1}(p-1)\) is a power of 2 only if \(r = 1\) and \(p - 1\) is a power of 2, i.e., \(p\) is a Fermat prime. ∎

Taking norms over \(\mathbb{Q}(\zeta_n)/\mathbb{Q}\):

Since \(\zeta_n\) is a unit in \(\mathcal{O}_{\mathbb{Q}(\zeta_n)}\), \(N(\zeta_n^{n-1}) = \pm 1\). By Theorem 4.16, \(N(\Phi_n'(\zeta_n)) = (-1)^{\varphi(n)(\varphi(n)-1)/2} \operatorname{disc}(\zeta_n) = \pm \operatorname{disc}(\mathbb{Q}(\zeta_n))\). Since \(g(\zeta_n) \in \mathcal{O}_{\mathbb{Q}(\zeta_n)}\), \(N(g(\zeta_n)) \in \mathbb{Z}\). Therefore \(\operatorname{disc}(\mathbb{Q}(\zeta_n))\) divides \(n^{\varphi(n)}\).

For \(p\) an odd prime, \(\Phi_p(x) = \frac{x^p - 1}{x - 1}\) and \(g(x) = x - 1\). Differentiating \(x^p - 1 = \Phi_p(x)(x-1)\) and substituting \(x = \zeta_p\):

Taking norms: \(p^{p-1} = N(\Phi_p'(\zeta_p)) \cdot N(\zeta_p - 1)\). Now \(N(\zeta_p - 1) = \prod_{j=1}^{p-1}(\zeta_p^j - 1) = (-1)^{p-1}\Phi_p(1) = p\) and \(N(\zeta_p^{p-1}) = 1\) since \(p-1\) is even. Also, \(N(\Phi_p'(\zeta_p)) = (-1)^{(p-1)(p-2)/2} \operatorname{disc}(\zeta_p)\). Therefore

giving \(\operatorname{disc}(\mathbb{Q}(\zeta_p)) = (-1)^{(p-1)/2} p^{p-2}\). (Here we use that \((-1)^{(p-1)(p-2)/2} = (-1)^{(p-1)/2}\) since \(p\) is odd.) ∎

(ii) \(\Rightarrow\) (i): If \(h(x)f(x) = k(x)g(x)\) with \(\deg h \le m-1\) and \(\deg k \le n-1\), then comparing degrees, the roots of \(k\) cannot account for all roots of \(f\), so some root of \(f\) must also be a root of \(g\).

(ii) \(\Leftrightarrow\) (iii): Write \(h(x) = c_{m-1}x^{m-1} + \cdots + c_0\) and \(k(x) = d_{n-1}x^{n-1} + \cdots + d_0\). Comparing coefficients of \(x^{n+m-1}, x^{n+m-2}, \ldots, x^0\) in the equation \(hf = kg\) gives a system of \(n+m\) linear equations in the \(n+m\) unknowns \(c_0, \ldots, c_{m-1}, -d_0, \ldots, -d_{n-1}\). This system has a nontrivial solution if and only if the coefficient matrix has zero determinant, and this determinant is precisely the transpose of the Sylvester matrix. Since \(\det(A) = \det(A^T)\), condition (ii) holds if and only if \(R(f,g) = 0\). ∎

We regard the \(x_i\) and \(y_j\) as indeterminates and work in the polynomial ring \(\mathbb{C}[x_1, \ldots, x_n, y_1, \ldots, y_m]\). By Proposition 6.2, whenever \(x_i = y_j\) we have \(R(f,g) = 0\), so \((x_i - y_j)\) divides \(R(f,g)\). Since these are distinct irreducible elements in a UFD, the full product \(\prod_{i,j}(x_i - y_j)\) divides \(R(f,g)\).

Now \(S\) is homogeneous of degree \(m\) in the \(a_i\) (via the symmetric functions of the \(x_i\)) and of degree \(n\) in the \(b_j\) (via the symmetric functions of the \(y_j\)), matching the degrees of \(R(f,g)\). Since \(S\) divides \(R\) and both have the same degree, we have \(R = cS\) for some constant \(c \in \mathbb{C}\).

Comparing leading terms: the coefficient of \(a_n^m b_m^n\) in \(R(f,g)\) is \(1\) (from the Sylvester determinant), and the same coefficient in \(S\) is \(1\). Therefore \(c = 1\), and \(R(f,g) = S\).

The alternative forms follow because \(g(x) = b_m \prod_{j=1}^m (x - y_j)\), so \(a_n^m \prod_{i=1}^n g(x_i) = S\), and similarly for \(f(y_j)\). ∎

Now \(f(x) = \prod_{k=1}^n (x - \alpha_k)\), so

Therefore

The sign arises because the ordered product over all \(i \ne j\) pairs differs from the product over \(i < j\) by a factor of \((-1)^{n(n-1)/2}\). ∎

(ii) If \([KL : \mathbb{Q}] = mn\), then \(KL\) has exactly \(mn\) embeddings into \(\mathbb{C}\). Each embedding \(\varepsilon : KL \hookrightarrow \mathbb{C}\) is determined by \(\varepsilon|_K\) and \(\varepsilon|_L\) (since products of elements of \(K\) and \(L\) generate \(KL\)). There are \(m\) choices for \(\varepsilon|_K\) and \(n\) choices for \(\varepsilon|_L\), giving \(mn\) pairs, and since there are exactly \(mn\) embeddings, each pair \((\sigma, \tau)\) corresponds to a unique embedding. The converse is similar. ∎

where \(a_{ij}, r \in \mathbb{Z}\) with \(\gcd(a_{11}, \ldots, a_{mn}, r) = 1\). If \(\gamma \in \mathcal{O}_{KL}\), we must show that \(r \mid d\).

By symmetry, it suffices to show \(r \mid \operatorname{disc}(K)\). Since \([KL : \mathbb{Q}] = mn\), for each embedding \(\sigma_i : K \hookrightarrow \mathbb{C}\), there exists an extension \(\sigma_i' : KL \hookrightarrow \mathbb{C}\) that fixes \(L\) pointwise (by Lemma 6.6). Set \(x_i = \sum_{j=1}^n \frac{a_{ij}}{r} \beta_j \in L\) for each \(i\), so that

By Cramer’s rule, \(x_k = \gamma_k / \delta\), where \(\delta = \det(\sigma_i(\alpha_j))\) satisfies \(\delta^2 = \operatorname{disc}(K)\), and each \(\gamma_k\) is an algebraic integer. Then \(\operatorname{disc}(K) \cdot x_k = \delta \gamma_k \in \mathcal{O}_K\), and since \(x_k \in L\), we have \(\operatorname{disc}(K) \cdot x_k \in \mathcal{O}_L\). In particular,

for all \(i, j\). Since \(\gcd(a_{11}, \ldots, a_{mn}, r) = 1\), it follows that \(r \mid \operatorname{disc}(K)\). By the same argument applied to \(L\), we get \(r \mid \operatorname{disc}(L)\), so \(r \mid d\). ∎

For the inductive step, write \(n = p_1^{e_1} \cdots p_k^{e_k}\), and set \(m = p_1^{e_1} \cdots p_{k-1}^{e_{k-1}}\). Let \(K = \mathbb{Q}(\zeta_m)\) and \(L = \mathbb{Q}(\zeta_{p_k^{e_k}})\). By induction, \(\mathcal{O}_K = \mathbb{Z}[\zeta_m]\) and \(\mathcal{O}_L = \mathbb{Z}[\zeta_{p_k^{e_k}}]\).

First, \(KL = \mathbb{Q}(\zeta_n)\): since \(\gcd(m, p_k^{e_k}) = 1\), there exist integers \(x, y\) with \(xm + yp_k^{e_k} = 1\), so \(\zeta_n = \zeta_m^y \cdot \zeta_{p_k^{e_k}}^x \in KL\). Moreover,

so \([KL : \mathbb{Q}] = [K : \mathbb{Q}][L : \mathbb{Q}]\). Since \(\operatorname{disc}(K)\) is a power of \(p_1 \cdots p_{k-1}\) and \(\operatorname{disc}(L)\) is a power of \(p_k\), we have \(\gcd(\operatorname{disc}(K), \operatorname{disc}(L)) = 1\). By Theorem 6.7,

so \(\mathcal{O}_{\mathbb{Q}(\zeta_n)} = \mathbb{Z}[\zeta_n]\). ∎

Now suppose \(\lambda \in \mathcal{O}_K\) with \(\{1, \lambda, \lambda^2\}\) an integral basis. Write \(\lambda = a + b\theta + c\omega\) for \(a, b, c \in \mathbb{Z}\). A computation shows that \(\lambda^2 = A_1 + A_2 \theta + A_3 \omega\) where

By the change-of-basis formula,

But \(2b^3 - bc^2 + b^2c + 2c^3 \equiv bc(b - c) \pmod{2}\), which is always even. Therefore \(4 \mid \operatorname{disc}(\lambda)\), so \(\operatorname{disc}(\lambda) \ne -503 = \operatorname{disc}(K)\), and \(\{1, \lambda, \lambda^2\}\) can never be an integral basis. ∎

(i) \(\Rightarrow\) (ii): If a nonempty collection \(\mathcal{S}\) had no maximal element, we could build a strictly ascending chain \(I_1 \subsetneq I_2 \subsetneq \cdots\) in \(\mathcal{S}\), contradicting (i).

(ii) \(\Rightarrow\) (iii): Let \(I\) be an ideal. Consider the collection \(\mathcal{S}\) of finitely generated ideals contained in \(I\). By (ii), \(\mathcal{S}\) has a maximal element \(M = (a_1, \ldots, a_r)\). If \(M \ne I\), choose \(b \in I \setminus M\); then \((a_1, \ldots, a_r, b) \in \mathcal{S}\) strictly contains \(M\), contradicting maximality. So \(M = I\) is finitely generated. ∎

(1) \(\mathcal{O}_K\) is Noetherian. Every nonzero ideal \(I \subseteq \mathcal{O}_K\) has an integral basis \(\{\alpha_1, \ldots, \alpha_n\}\) (Theorem 8.4 of the previous chapter), so \(I = (\alpha_1, \ldots, \alpha_n)\) is finitely generated.

(2) Every nonzero prime ideal is maximal. Let \(P \subseteq \mathcal{O}_K\) be a nonzero prime ideal. It suffices to show \(\mathcal{O}_K / P\) is a field. Since \(P\) is nonzero, it contains a nonzero integer \(a \in P \cap \mathbb{Z}_{>0}\) (take the norm of any nonzero element). If \(\{\omega_1, \ldots, \omega_n\}\) is an integral basis for \(\mathcal{O}_K\), then every element of \(\mathcal{O}_K/P\) is represented by an integer linear combination of \(\omega_1, \ldots, \omega_n\) with coefficients in \(\{0, 1, \ldots, a-1\}\). Hence \(|\mathcal{O}_K/P| \le a^n < \infty\). Since every finite integral domain is a field, \(P\) is maximal.

(3) \(\mathcal{O}_K\) is integrally closed. Suppose \(\gamma \in K\) satisfies \(\gamma^m + c_{m-1}\gamma^{m-1} + \cdots + c_0 = 0\) with \(c_i \in \mathcal{O}_K\). Then \(\gamma\) lies in the ring \(A = \mathbb{Z}[c_0, \ldots, c_{m-1}, \gamma]\). Since each \(c_i\) is an algebraic integer of degree at most \([K : \mathbb{Q}]\), and \(\gamma^m\) can be expressed in terms of lower powers using the relation, the ring \(A\) is finitely generated as an abelian group. Hence \(\gamma\) is an algebraic integer, so \(\gamma \in \mathcal{O}_K\). ∎

The ideal \(M\) is not prime (since any prime ideal contains itself, a product of one prime). So there exist \(r, s \in R \setminus M\) with \(rs \in M\). Set \(M_1 = M + (r)\) and \(M_2 = M + (s)\). Both \(M_1\) and \(M_2\) strictly contain \(M\), so neither is in \(\mathcal{S}\). Hence each contains a product of prime ideals: say \(P_1 \cdots P_\ell \subseteq M_1\) and \(Q_1 \cdots Q_k \subseteq M_2\). But then

contradicting \(M \in \mathcal{S}\). ∎

If \(r = 1\), then \(P_1 \subseteq (a) \subseteq I\), so \(P_1 = (a) = I\) (since \(P_1\) is maximal). Take \(\gamma = 1/a \in K \setminus R\); then \(\gamma I = R\).

If \(r > 1\), by minimality of \(r\), \(P_2 \cdots P_r \not\subseteq (a)\). Choose \(b \in P_2 \cdots P_r \setminus (a)\) and set \(\gamma = b/a\). Then \(\gamma \notin R\) (since \(b \notin (a)\)), but \(\gamma I \subseteq \gamma P_1 \subseteq \frac{b}{a} P_1 = \frac{1}{a} P_1 P_2 \cdots P_r \subseteq \frac{1}{a}(a) = R\). ∎

Let \(B = \frac{1}{\alpha} IJ\), an ideal of \(R\). We want \(B = R\). Suppose not: by Lemma 7.8, there exists \(\gamma \in K \setminus R\) with \(\gamma B \subseteq R\). Since \(\alpha \in I\), we have \(J \subseteq B\), so \(\gamma J \subseteq \gamma B \subseteq R\). Then \(\frac{\gamma}{\alpha} IJ = \gamma B \subseteq R\), meaning \((\gamma J) I \subseteq (\alpha)\), so \(\gamma J \subseteq J\) by definition of \(J\).

But \(J\) has an integral basis (being a nonzero ideal of a ring of integers), hence is a finitely generated abelian group. The inclusion \(\gamma J \subseteq J\) with \(J\) finitely generated implies \(\gamma\) is integral over \(R\). Since \(R\) is integrally closed, \(\gamma \in R\), contradicting \(\gamma \notin R\). ∎

Since \(M \subsetneq P\) and \(M = PC\), we have \(C \ne R\). If \(C\) were a product of primes, then \(M = PC\) would be too, contradicting \(M \in \mathcal{S}\). So \(C \in \mathcal{S}\). But \(C \supseteq M\) (since \(M = PC \subseteq C\)) and \(C \ne M\) (otherwise \(M = PM\) and cancellation gives \(P = R\), a contradiction). This contradicts the maximality of \(M\) in \(\mathcal{S}\). Hence \(\mathcal{S} = \emptyset\).

Uniqueness: Suppose \(P_1 \cdots P_r = Q_1 \cdots Q_s\) with all \(P_i, Q_j\) prime. Then \(P_1 \supseteq Q_1 \cdots Q_s\). Since \(P_1\) is prime, \(P_1 \supseteq Q_j\) for some \(j\). Since nonzero primes are maximal, \(P_1 = Q_j\). Cancelling (by Corollary 7.10) gives \(P_2 \cdots P_r = Q_1 \cdots \hat{Q}_j \cdots Q_s\). By induction, the factorizations agree up to reordering.

(No proper nonempty product of prime ideals can equal \(R\), since each \(P_i \subsetneq R\), so the base case of the induction is immediate.) ∎

The prime ideals of \(\mathbb{Z}[\alpha]\) containing \(p\) correspond to the prime ideals of this product, which are exactly the ideals \((p, g_i(\alpha))\) corresponding to the irreducible factors \(\overline{g}_i\). Tracing the isomorphisms gives the stated factorization. Since \(p \nmid [\mathcal{O}_K : \mathbb{Z}[\alpha]]\), the factorization in \(\mathbb{Z}[\alpha]\) lifts to the same factorization in \(\mathcal{O}_K\). ∎

so \(p \mid \operatorname{Tr}((\alpha\beta)^p)\). Moreover,

for some algebraic integer \(\gamma\), so \(p \mid (\operatorname{Tr}(\alpha\beta))^p\) and hence \(p \mid \operatorname{Tr}(\alpha\beta)\).

Write \(\alpha = a_1\omega_1 + \cdots + a_n\omega_n\) with \(a_i \in \mathbb{Z}\) and \(\{\omega_1, \ldots, \omega_n\}\) an integral basis. Since \(\alpha \notin (p)\), some \(a_i\) (say \(a_1\)) is not divisible by \(p\). Since \(p \mid \operatorname{Tr}(\alpha\omega_i)\) for all \(i\), the first row of the matrix \(\bigl(\operatorname{Tr}(\omega_i \omega_j)\bigr)\) — after replacing row 1 by \(\sum a_k \operatorname{Tr}(\omega_k \omega_j)\) — shows that \(p \mid a_1 D\). Since \(p \nmid a_1\), we conclude \(p \mid D\).

(\(\Leftarrow\)): If \(p \mid D\), the trace form on \(\mathcal{O}_K/(p)\) is degenerate: there exists \(x \in \mathcal{O}_K/(p)\), \(x \ne 0\), with \(\operatorname{Tr}(xy) = 0\) for all \(y \in \mathcal{O}_K/(p)\). A nondegenerate trace form characterizes products of separable field extensions, hence \(\mathcal{O}_K/(p)\) is not a product of fields, meaning the factorization of \((p)\) has a repeated factor. ∎

It therefore suffices to show \(N(I) = a_{11} \cdots a_{nn}\).

Every element of \(\mathcal{O}_K\) is congruent modulo \(I\) to a unique element of the form \(r_1\omega_1 + \cdots + r_n\omega_n\) with \(0 \le r_i < a_{ii}\). The existence follows by successively reducing: given \(\gamma = b_1\omega_1 + \cdots + b_n\omega_n\), divide \(b_n\) by \(a_{nn}\), subtract the appropriate multiple of \(\alpha_n\), and repeat. The uniqueness follows because if two such representatives were congruent mod \(I\), their difference would be an element of \(I\) with each coordinate strictly less than \(a_{ii}\) in absolute value, which forces all coordinates to be zero (by the minimality conditions defining the \(a_{ii}\)). Hence \(N(I) = \prod_{i=1}^n a_{ii}\). ∎

so

By Theorem 8.2, \(N(I) = |N_{K/\mathbb{Q}}(\alpha)|\). ∎

For any fixed \(m\), all \(\alpha_i\) with \(i \ne m\) lie in \(BP_m\), so if \(\alpha \in BP_m\) then \(\alpha_m \in BP_m\), contradicting the choice of \(\alpha_m\). Hence \(\alpha \notin BP_m\) for any \(m\), which means \(P_m \nmid \frac{(\alpha)}{B}\) for any \(m\), giving \(\gcd\!\left(\frac{(\alpha)}{B}, C\right) = \mathcal{O}_K\). ∎

Claim: The elements \(\beta_i + \alpha\gamma_j\), for \(1 \le i \le N(B)\) and \(1 \le j \le N(C)\), represent the distinct cosets of \(\mathcal{O}_K / BC\).

Distinctness: Suppose \(\beta_i + \alpha\gamma_j \equiv \beta_k + \alpha\gamma_\ell \pmod{BC}\). Since \(BC \subseteq B\), reducing mod \(B\) gives \(\beta_i \equiv \beta_k \pmod{B}\), so \(i = k\). Then \(\alpha(\gamma_\ell - \gamma_j) \equiv 0 \pmod{BC}\), meaning \(BC \mid (\alpha)(\gamma_\ell - \gamma_j)\). Since \(\gcd\!\left(\frac{(\alpha)}{B}, C\right) = \mathcal{O}_K\), we conclude \(C \mid (\gamma_\ell - \gamma_j)\), so \(j = \ell\).

Completeness: Given \(\omega \in \mathcal{O}_K\), choose \(i\) with \(\omega \equiv \beta_i \pmod{B}\). Then \(\omega - \beta_i \in B\), and since \(B = \gcd((\alpha), BC)\) (because \(\gcd\!\left(\frac{(\alpha)}{B}, C\right) = \mathcal{O}_K\) implies \((\alpha) + BC = B\)), write \(\omega - \beta_i = \alpha a + b\) with \(a \in \mathcal{O}_K\) and \(b \in BC\). Choose \(j\) with \(a \equiv \gamma_j \pmod{C}\). Then \(\omega = \beta_i + \alpha\gamma_j + \alpha(a - \gamma_j) + b\), and \(\alpha(a - \gamma_j) + b \in BC\), so \(\omega \equiv \beta_i + \alpha\gamma_j \pmod{BC}\).

Therefore \(N(BC) = N(B) \cdot N(C)\). ∎

∎

Step 1: Every ideal class has a small representative. Let \([I]\) be an ideal class, and choose an integral representative. Consider the inverse \(I^{-1}\). We seek \(\alpha \in I^{-1}\) (nonzero) such that \(J = \alpha I\) is an integral ideal of norm at most \(M_K\). Since \(N(\alpha I) = |N_{K/\mathbb{Q}}(\alpha)| \cdot N(I)\) (by multiplicativity), we need \(|N_{K/\mathbb{Q}}(\alpha)| \le M_K / N(I) = M_K \cdot N(I^{-1})\).

Embed \(I^{-1}\) as a lattice in Minkowski space \(V_K \cong \mathbb{R}^n\), and apply Minkowski’s Lattice Theorem: if \(S \subseteq \mathbb{R}^n\) is a convex, symmetric set with \(\operatorname{vol}(S) > 2^n \cdot |\det(I^{-1})|\), then \(S\) contains a nonzero lattice point.

Take \(S = \{(v_1, \ldots, v_n) \in V_K : \sum |v_i| \le t\}\). This set is convex and symmetric, with volume \(\operatorname{vol}(S) = 2^r \pi^s t^n / n!\). The lattice determinant is \(|\det(I^{-1})| = N(I^{-1})\sqrt{|\operatorname{disc}(K)|}\).

By the AM–GM inequality, any vector in \(S\) satisfies \(\prod |v_i| \le (t/n)^n\). So we need \((t/n)^n \le M_K N(I^{-1})\) (to ensure \(S \subseteq \Lambda\), the locus of vectors of sufficiently small norm) and \(\operatorname{vol}(S) > 2^n |\det(I^{-1})|\) (to apply Minkowski).

Combining these two conditions and optimizing \(t\) shows that for every \(B > M_K N(I^{-1})\), there exists a nonzero \(\alpha \in I^{-1}\) with \(|N(\alpha)| < B\). Since the norm of an ideal is a positive integer, this gives an ideal \(J = \alpha I\) with \(N(J) \le M_K\) in the class \([I]^{-1}\) — hence also a representative of norm at most \(M_K\) in the class \([I]\).

Step 2: Finitely many ideals of bounded norm. If \(N(I) \le M_K\), then \(N(I) \in I\) (Proposition 8.5), so \((N(I)) \subseteq I\), hence \(I \mid (N(I))\). The ideal \((N(I))\) has only finitely many divisors (by unique factorization), and \(N(I)\) ranges over finitely many integers at most \(M_K\). Thus there are only finitely many ideal classes. ∎

be the fundamental parallelepiped. Every point \(x \in \mathbb{R}^n\) has a unique representation \(x = \lambda + \gamma\) with \(\lambda \in \Lambda\) and \(\gamma \in \mathcal{P}\), and \(\mu(\mathcal{P}) = d(\Lambda)\).

For each \(\lambda \in \Lambda\), define

The sets \(R(\lambda)\) are pairwise disjoint subsets of \(\mathcal{P}\) (after translating each piece of \(S\) back into \(\mathcal{P}\)), and

Case 1: Suppose \(\mu(S) > m \cdot d(\Lambda) = m \cdot \mu(\mathcal{P})\). Since the sum of the measures \(\mu(R(\lambda))\) exceeds \(m \cdot \mu(\mathcal{P})\), there must exist a point \(\nu_0 \in \mathcal{P}\) that belongs to at least \(m+1\) of the sets \(R(\lambda)\). (If every point belonged to at most \(m\) sets, the sum of measures could not exceed \(m \cdot \mu(\mathcal{P})\).) Thus there exist distinct \(\lambda_1, \ldots, \lambda_{m+1} \in \Lambda\) such that \(\nu_0 + \lambda_i \in S\) for each \(i\). Setting \(x_i = \lambda_i + \nu_0\), we have \(x_i - x_j = \lambda_i - \lambda_j \in \Lambda\).

Case 2: Suppose \(\mu(S) = m \cdot d(\Lambda)\) and \(S\) is compact. For each \(r \ge 1\), let \(S_r = (1 + \epsilon_r) S\) where \(\epsilon_r \to 0^+\). Then \(\mu(S_r) = (1+\epsilon_r)^n \mu(S) > m \cdot d(\Lambda)\), so by Case 1, there exist distinct points \(x_{1,r}, \ldots, x_{m+1,r} \in S_r\) with differences in \(\Lambda\). Since \(S\) is compact (hence bounded), the sequences \(x_{j,r}\) have convergent subsequences with limits \(x_j^0 \in S\) (since \(S\) is closed). Because \(\Lambda\) is discrete, the differences \(x_{j,r} - x_{i,r} \in \Lambda\) must eventually stabilize, so \(x_j^0 - x_i^0 \in \Lambda\) as required. ∎

Order the \(x_i\) so that \(x_1 > x_2 > \cdots > x_{m+1}\), where we say \(x_i > x_j\) if the first nonzero coordinate of \(x_i - x_j\) is positive. Define

for \(j = 1, \ldots, m\). By the ordering, the \(m\) pairs \(\pm \lambda_1, \ldots, \pm \lambda_m\) are all distinct.

Since \(S\) is symmetric, \(-\frac{1}{2}x_{m+1} = \frac{1}{2}(-x_{m+1}) \in \frac{1}{2}S\). Since \(S\) is convex, \(\frac{1}{2}S\) is convex, so

Wait – we need to be slightly more careful. We have \(\frac{1}{2}x_j \in \frac{1}{2}S\) and \(-\frac{1}{2}x_{m+1} \in \frac{1}{2}S\). Since \(S\) is convex and symmetric, \(\lambda_j = \frac{1}{2}x_j + (-\frac{1}{2}x_{m+1})\). In fact, since \(\frac{1}{2}x_j \in \frac{1}{2}S\) and \(-\frac{1}{2}x_{m+1} \in \frac{1}{2}S\), convexity of \(S\) gives

because \(x_j, -x_{m+1} \in S\) and \(S\) is convex. Thus each \(\lambda_j\) is a nonzero lattice point in \(S\), and by symmetry \(-\lambda_j \in S\) as well. ∎

Form the \(n \times n\) matrix \(B\) whose \((i,j)\)-entry is \(\sigma_i(\omega_j)\) (using all \(n\) embeddings, including conjugate pairs). The columns of \(B\) are the vectors \(\sigma(\omega_j)\) (before identifying \(\mathbb{C}\) with \(\mathbb{R}^2\)). If there were a linear dependence among the columns, then there would exist complex numbers \(a_1, \ldots, a_n\) (not all zero) such that \(\sum_j a_j \sigma_i(\omega_j) = 0\) for all \(i\). By linearity of the \(\sigma_i\), this would give \(\sigma_i(\sum_j a_j \omega_j) = 0\) for each \(i\), making the embeddings \(\sigma_1, \ldots, \sigma_n\) linearly dependent as functions from \(K\) to \(\mathbb{C}\).

But by the theorem on linear independence of characters (distinct homomorphisms from a group to a field are linearly independent), the embeddings \(\sigma_1, \ldots, \sigma_n\) are linearly independent over \(\mathbb{C}\). This contradiction shows that the columns of \(B\) are linearly independent over \(\mathbb{C}\), hence over \(\mathbb{R}\). ∎

since \(\operatorname{Re}(z) = \frac{z + \bar{z}}{2}\) and \(\operatorname{Im}(z) = \frac{z - \bar{z}}{2i}\). By the discriminant formula, \(|\det(\sigma_j(\alpha_i))| = \sqrt{|\operatorname{disc}(K)|} \cdot N(A)\). Therefore

and since \(D_0 \neq 0\), the image \(\sigma(A)\) is indeed a lattice. ∎

This set is convex and symmetric about the origin. Its measure is

We choose \(t\) so that \(\mu(S_t) = 2^n \cdot d(\Lambda)\), where \(\Lambda = \sigma(A)\) has \(d(\Lambda) = 2^{-r_2} \sqrt{|\operatorname{disc}(K)|} \cdot N(A)\). This gives

so

Since \(S_t\) is compact, Minkowski’s theorem (Theorem 9.4 with \(m = 1\)) yields a nonzero lattice point \(\sigma(\alpha) \in S_t\) for some \(\alpha \in A\), \(\alpha \neq 0\). Then

For the second statement, let \([I]\) be any ideal class, and let \(A\) be an ideal with \(IA \sim (1)\). By the above, there exists \(\alpha \in A\), \(\alpha \neq 0\), with \(|N(\alpha)| \le C_K \cdot N(A)\). Since \(\alpha \in A\), there is an ideal \(B\) with \(AB = (\alpha)\), so \(B \sim I\). Since \(N(A) \cdot N(B) = N(\alpha) \le C_K \cdot N(A)\), we get \(N(B) \le C_K\). ∎

(ii) \(\Rightarrow\) (iii) via Minkowski: Since \(\left(\frac{-1}{p}\right) = 1\), there exists \(\ell \in \mathbb{Z}\) with \(\ell^2 \equiv -1 \pmod{p}\). Consider the lattice \(\Lambda \subseteq \mathbb{R}^2\) with \(\mathbb{Z}\)-basis \(\{(1, \ell), (0, p)\}\), so that \(d(\Lambda) = p\). Let \(S\) be the open disc of radius \(r = \sqrt{2p/\pi}\) centered at the origin. Then \(\mu(S) = \pi r^2 = 2p > 2^2 \cdot p = 4p\)… let us recalculate: we need \(\mu(S) > 4 d(\Lambda) = 4p\), so set \(r^2 = 4p/\pi\), giving \(\mu(S) = 4p\). Since the closed disc is compact, Minkowski’s theorem gives a nonzero lattice point \((m, m\ell + np) \in S\). Then

Working modulo \(p\), we have \(m^2 + (m\ell + np)^2 \equiv m^2 + m^2\ell^2 = m^2(1 + \ell^2) \equiv 0 \pmod{p}\). Since the quantity is strictly between \(0\) and \(2p\) and divisible by \(p\), it must equal \(p\). Thus \(p = m^2 + (m\ell + np)^2\).

(iii) \(\Rightarrow\) (ii): Since the squares modulo 4 are \(\{0, 1\}\), and \(p\) is odd, we need \(x^2 + y^2 \equiv 1 \pmod{4}\) (as \(p\) is odd, not both \(x, y\) are even), which forces \(p \equiv 1 \pmod{4}\). ∎

Claim: For any prime \(p\), there exist \(a, b \in \mathbb{Z}\) such that \(a^2 + b^2 \equiv -1 \pmod{p}\).

If \(p \equiv 1 \pmod{4}\), then \(-1\) is a square mod \(p\) and we may take \(b = 0\). If \(p \equiv 3 \pmod{4}\), the set \(\{y^2 + 1 \mid y \in \mathbb{F}_p\}\) has \(\frac{p+1}{2}\) elements (counting \(0^2 + 1 = 1\) and the \(\frac{p-1}{2}\) distinct nonzero squares, each giving a distinct value after adding 1). Since there are only \(\frac{p-1}{2}\) nonzero squares in \(\mathbb{F}_p\), some value \(y_0^2 + 1\) must be a non-square. Then \(-(y_0^2+1)\) is a square, so there exists \(x_0\) with \(x_0^2 \equiv -(y_0^2+1) \pmod{p}\). (For \(p = 2\) the result is trivial: \(2 = 1^2 + 1^2 + 0^2 + 0^2\).)

Now consider the lattice \(\Lambda \subseteq \mathbb{R}^4\) with basis

Then \(d(\Lambda) = p^2\). Let \(S\) be a closed ball of radius \(r\) with \(\mu(S) = \frac{\pi^2 r^4}{2}\). Choose \(r^2 = \frac{4p}{\pi\sqrt{2}}\) so that \(\mu(S) = 2^4 p^2\); since the ball is compact, Minkowski’s theorem yields a nonzero lattice point \((x, y, z, w) \in S\).

Writing \((x,y,z,w) = \alpha v_1 + \beta v_2 + \gamma v_3 + \delta v_4\), we have \(x = \alpha\), \(y = \beta\), \(z = a\alpha + b\beta + p\gamma\), \(w = b\alpha - a\beta + p\delta\). Working modulo \(p\):

since \(a^2 + b^2 \equiv -1\). Also \(0 < x^2 + y^2 + z^2 + w^2 \le r^2 < 2p\). Since the sum is positive, divisible by \(p\), and less than \(2p\), it must equal \(p\). ∎

Conversely, if \(N(\alpha) = \pm 1\), then \(\prod_{i=1}^n \sigma_i(\alpha) = \pm 1\). The element \(\alpha^{-1} = \pm \prod_{i \neq 1} \sigma_i(\alpha)\) is a product of algebraic integers (the conjugates of \(\alpha\)), hence an algebraic integer. Since \(\alpha^{-1} \in K\), we have \(\alpha^{-1} \in \mathcal{O}_K\), so \(\alpha\) is a unit. ∎

Conversely, suppose \(\alpha \in \mathcal{O}_K\) with \(|\sigma_i(\alpha)| \le 1\) for all \(i\). The set of such elements is a bounded subset of the lattice \(\sigma(\mathcal{O}_K)\), hence finite. Now if \(\alpha \in \mathcal{O}_K^*\) lies in the kernel, then every power \(\alpha^k\) also satisfies \(|\sigma_i(\alpha^k)| = 1\) for all \(i\), so the powers \(\alpha^k\) lie in a finite set. Therefore \(\alpha^j = \alpha^k\) for some \(j \neq k\), giving \(\alpha^{j-k} = 1\), so \(\alpha\) is a root of unity. ∎

Step 1: \(L(U)\) is a discrete subgroup of \(H\).

Let \(B = \{(y_1, \ldots, y_{r_1+r_2}) \in \mathbb{R}^{r_1+r_2} \mid |y_i| \le b\}\) be an arbitrary hypercube. If \(L(\sigma(\alpha)) \in B\), then \(|\sigma_i(\alpha)| \le e^b\) for real embeddings and \(|\sigma_j(\alpha)| \le e^{b/2}\) for complex embeddings. Then the minimal polynomial \(\prod_\sigma (t - \sigma(\alpha)) \in \mathbb{Z}[t]\) has coefficients bounded in terms of \(b\) alone. There are only finitely many such integer polynomials, hence only finitely many such \(\alpha\). Therefore \(L(U) \cap B\) is finite for every bounded \(B\), so \(L(U)\) is discrete.

Since \(L(U)\) is a discrete subgroup of the \((r_1+r_2-1)\)-dimensional space \(H\), it is a free abelian group of rank \(r \le r_1 + r_2 - 1\).

Step 2: \(G/U\) is compact, where \(G = \{v \in V_K^* \mid |N(v)| = 1\}\).

Consider \(G = \{v \in V_K^* \mid |N(v)| = 1\}\), which is a closed subgroup of \(V_K^*\). For any \(v \in G\), multiplication by \(v\) preserves the Lebesgue measure of regions in \(V_K\) (since \(|N(v)| = 1\) and \(v\) acts as a linear map with determinant \(\pm N(v)\)).

Let \(C \subseteq G\) be any compact, symmetric, convex region with \(\mu(C) \ge 2^n \cdot d(\sigma(\mathcal{O}_K))\). For any \(g \in G\), the translated region \(g^{-1}C\) has the same measure and is still symmetric, compact, and convex. By Minkowski’s theorem, there exists \(0 \neq \alpha \in \mathcal{O}_K\) with \(\sigma(\alpha) \in g^{-1}C\).

Since \(C\) is compact, \(|N(C)|\) is bounded, so there are only finitely many possible values of \(|N(\alpha)|\) arising this way. Let \(\alpha_1, \ldots, \alpha_m \in \mathcal{O}_K\) represent all possible absolute norms. For any \(g \in G\), we have \(\sigma(\alpha) \in g^{-1}C\) for some \(\alpha\) with \(|N(\alpha)| = |N(\alpha_i)|\), so \(\alpha = \alpha_i u\) for some unit \(u\), and hence \(gU \cap \sigma(\alpha_i^{-1})C \neq \emptyset\).

Therefore the coset space \(G/U\) is covered by the finite union \(\bigcup_{i=1}^m G \cap \sigma(\alpha_i^{-1})C\), which is compact. Since \(G/U\) is a closed subset of a compact set, it is compact.

Step 3: \(L(U)\) has rank \(r_1 + r_2 - 1\).

The map \(L : G \to H \cong \mathbb{R}^{r_1+r_2-1}\) is continuous and surjective. Since \(G/U\) is compact, its image \(L(G)/L(U) = H/L(U)\) is compact. Now \(L(U) \cong \mathbb{Z}^r\) for some \(r \le r_1+r_2-1\), and \(H/L(U) \cong (S^1)^r \times \mathbb{R}^{r_1+r_2-1-r}\). For this to be compact, we need \(r_1+r_2-1-r = 0\), i.e., \(r = r_1+r_2-1\).

Conclusion: The kernel of \(L \circ \sigma\) restricted to \(\mathcal{O}_K^*\) is \(\mu_K\) (Theorem 10.5), and the image \(L(U)\) is a free abelian group of rank \(r_1+r_2-1\). By the first isomorphism theorem,

Since \(\mu_K\) is finite, the sequence \(1 \to \mu_K \to \mathcal{O}_K^* \to \mathbb{Z}^{r_1+r_2-1} \to 0\) splits (as \(\mathbb{Z}^{r_1+r_2-1}\) is free), giving \(\mathcal{O}_K^* \cong \mu_K \times \mathbb{Z}^{r_1+r_2-1}\). ∎

By the theory of splitting in quadratic fields, the prime \(q\) splits in \(\mathbb{Q}(\sqrt{p^*})\) if and only if \(p^*\) is a square modulo \(q\), i.e., \(\left(\frac{p^*}{q}\right) = 1\). Therefore

Rearranging gives the classical form of quadratic reciprocity. ∎

(ii) We have \(1 + \zeta = \frac{1 - \zeta^2}{1 - \zeta}\), and by part (i), both \(1 - \zeta^2\) and \(1 - \zeta\) are associates, so their ratio is a unit.

(iii) The cyclotomic polynomial gives

Setting \(x = 1\):

where \(u = \prod_{j=1}^{p-1} \frac{1-\zeta^j}{1-\zeta} \in \mathbb{Z}[\zeta]^*\) by part (i). ∎

for every embedding \(\sigma\). An algebraic integer all of whose conjugates have absolute value 1 must be a root of unity. ∎

Step 1: The ideals \((x + \zeta^j y)\) are pairwise coprime.

Suppose \(\mathfrak{p}\) is a common prime factor of \((x + \zeta^j y)\) and \((x + \zeta^{j'} y)\) for \(j \neq j'\). Then \(\mathfrak{p}\) divides

By Lemma 12.2(i), \(\zeta^{j-j'} - 1\) is an associate of \(1 - \zeta\), so \(\mathfrak{p}\) divides \(y(1-\zeta)\). Since \((1-\zeta)\) is the unique prime above \(p\), either \(\mathfrak{p} = (1-\zeta)\) or \(\mathfrak{p}\) divides \((y)\).

If \(\mathfrak{p} = (1-\zeta)\), then \(\mathfrak{p}\) divides \(x + \zeta^j y \equiv x + y \pmod{(1-\zeta)}\), so \(p \mid (x+y)\). Similarly \(\mathfrak{p} \mid z^p\), so \(p \mid z\). But then \(x^p + y^p = z^p \equiv 0 \pmod{p}\), giving \(x + y \equiv 0 \pmod{p}\), so \(x^p + y^p = (x+y)(\cdots) \equiv 0 \pmod{p^2}\) (by the binomial theorem), forcing \(p^2 \mid z^p\), hence \(p \mid z\). But we assumed \(p \nmid z\), a contradiction. Similarly, \(\mathfrak{p}\) cannot divide \((y)\) without contradicting \(p \nmid y\).

Step 2: Each \((x + \zeta^j y)\) is a \(p\)-th power of an ideal.

Since the ideals \((x + \zeta^j y)\) are pairwise coprime and their product \((z^p) = (z)^p\) is a \(p\)-th power, unique factorization of ideals forces each \((x + \zeta^j y) = I_j^p\) for some ideal \(I_j\).

Step 3: Each \(I_j\) is principal (by regularity).

Since \(p\) is regular, \(p \nmid h_p\). The class \([I_j]\) satisfies \([I_j]^p = 1\) in the class group. Since \(\gcd(p, h_p) = 1\), the only element of order dividing \(p\) in the class group (which has order \(h_p\)) is the identity. So \([I_j] = 1\), meaning \(I_j\) is principal.

Step 4: Derive a contradiction.

Taking \(j = 1\), we have \((x + \zeta y) = (t)^p\) for some \(t \in \mathbb{Z}[\zeta]\), so \(x + \zeta y = ut^p\) for some unit \(u\).

Write \(t = b_0 + b_1\zeta + \cdots + b_{p-2}\zeta^{p-2}\). Working modulo the ideal \((p) = (1-\zeta)^{p-1}\), the Frobenius-type relation gives

since \(\zeta^k \equiv 1 \pmod{(1-\zeta)}\). Similarly \(\bar{t}^p \equiv (b_0 + \cdots + b_{p-2})^p \pmod{p}\), so \(t^p \equiv \bar{t}^p \pmod{p}\).

By Lemma 12.3, \(u/\bar{u} = \pm \zeta^j\) for some \(j\). Consider the case \(u/\bar{u} = \zeta^j\). Then

This gives

Since \(1, \zeta, \zeta^2, \ldots, \zeta^{p-2}\) form a basis for \(\mathbb{Z}[\zeta]\) over \(\mathbb{Z}\), and modulo \(p\) the ring \(\mathbb{Z}[\zeta]/(p) \cong \mathbb{F}_p[x]/(x-1)^{p-1}\), this linear combination being zero modulo \(p\) with the terms \(1, \zeta, \zeta^{j-1}, \zeta^j\) forces \(j \in \{0, 1, 2, p-1\}\) (otherwise we would have a nontrivial relation among fewer than \(p-1\) distinct basis elements). Each possibility leads to \(p \mid x\), \(p \mid y\), or \(p \mid z\), contradicting our assumption \(p \nmid xyz\). ∎

with \(0 = r_n < r_{n-1} < \cdots < r_1 < b\). Then

∎

For the inductive step, suppose the formula holds for continued fractions of length \(k\). Then

By the inductive hypothesis (applied with \(a_k' = a_k + 1/a_{k+1}\) in the last position, noting that \(p_i' = p_i\) and \(q_i' = q_i\) for \(i < k\)):

Multiplying numerator and denominator by \(a_{k+1}\):

∎

By induction, \(p_k q_{k-1} - q_k p_{k-1} = (-1)^{k-1}\), so \(p_{k+1} q_k - q_{k+1} p_k = (-1)^k\).

(ii) From (i), \(p_{k+1} q_k - q_{k+1} p_k = (-1)^k\), so \(\gcd(p_k, q_k) \mid (-1)^k\), giving \(\gcd(p_k, q_k) = 1\).

(iii) Using (i):

(iv) and (v): From (iii) and the fact that \(q_k \ge 1\) is strictly increasing for \(k \ge 1\), the differences \(c_{k+1} - c_k\) alternate in sign and decrease in absolute value. By the alternating series test, the series \(c_0 + \sum_{k=0}^\infty (c_{k+1} - c_k)\) converges, and the even convergents \(c_0 < c_2 < c_4 < \cdots\) increase to the limit while the odd convergents \(c_1 > c_3 > c_5 > \cdots\) decrease to it. ∎

This gives \(s > q_k\) for all \(k\), contradicting \(q_k \to \infty\).

Uniqueness of partial quotients: If \(x = [a_0, a_1, a_2, \ldots]\), then \(a_0 < x < a_0 + 1\) (by Theorem A.5(v) with the fact that \([a_1, a_2, \ldots] > a_1 \ge 1\)), so \(a_0 = \lfloor x \rfloor = \lfloor x_0 \rfloor\). Then \(x_1 = 1/(x - a_0) = [a_1, a_2, \ldots]\), and by induction \(a_n = \lfloor x_n \rfloor\) and \(x_n = [a_n, a_{n+1}, \ldots]\).

Every irrational has a continued fraction expansion: Given \(x \in \mathbb{R} \setminus \mathbb{Q}\), define \(x_0 = x\), \(a_k = \lfloor x_k \rfloor\), and \(x_{k+1} = 1/(x_k - a_k)\). Since \(x_0\) is irrational, \(x_k - a_k\) is never zero, and each \(x_k\) is irrational with \(a_k \ge 1\) for \(k \ge 1\). One verifies that \(x = [a_0, a_1, \ldots, a_n, x_{n+1}]\) for all \(n\), so

giving \(x = \lim c_n = [a_0, a_1, a_2, \ldots]\). ∎

One finds \(u, v \in \mathbb{Z}\) with \(u \neq 0\) (since \(v = 0\) would give \(s = uq_k\) and \(|sx - r| \ge |q_k x - p_k|\)) and \(v \neq 0\) (since \(u = 0\) would give \(s = vq_{k+1} \ge q_{k+1}\)). Moreover, \(u\) and \(v\) have opposite signs (since \(s = uq_k + vq_{k+1} > 0\) and \(s < q_{k+1}\)).

Since \(x\) lies between \(c_k\) and \(c_{k+1}\), the quantities \(q_k x - p_k\) and \(q_{k+1}x - p_{k+1}\) have opposite signs. Combined with \(u\) and \(v\) having opposite signs, the products \(u(q_k x - p_k)\) and \(v(q_{k+1}x - p_{k+1})\) have the same sign, so

contradicting our assumption.

(ii) If \(|x - r/s| < |x - p_k/q_k|\) and \(s \le q_k\), then \(|sx - r| = s|x - r/s| < s|x - p_k/q_k| \le q_k|x - p_k/q_k| = |q_k x - p_k|\), contradicting (i) (which gives \(s \ge q_{k+1} > q_k\)).

(iii) Given \(|x - r/s| < 1/(2s^2)\), choose \(k\) with \(q_k \le s < q_{k+1}\). If \(r/s \neq p_k/q_k\), then \(|r/s - p_k/q_k| \ge 1/(sq_k)\) (since \(rq_k - sp_k\) is a nonzero integer). The triangle inequality gives

where the last inequality uses (i) applied to \(p_k/q_k\). Subtracting \(1/(2sq_k)\) gives \(1/(2sq_k) < 1/(2s^2)\), so \(s < q_k\), contradicting \(q_k \le s\). ∎

Conversely, if \(x\) is irrational and satisfies \(ax^2 + bx + c = 0\) with \(a, b, c \in \mathbb{Z}\), \(a \neq 0\), then \(x = \frac{-b \pm \sqrt{b^2 - 4ac}}{2a}\). Setting \(d = b^2 - 4ac\) (which must be positive and non-square since \(x\) is real and irrational), we get the desired form. ∎

Case 1: \(0 < r^2 - ds^2 \le \sqrt{d}\). Then \(r > s\sqrt{d}\), and

By Theorem A.7(iii), \(r/s\) is a convergent of \(\sqrt{d}\).

Case 2: \(-\sqrt{d} < r^2 - ds^2 < 0\). Then \(r < s\sqrt{d}\), so \(r/\sqrt{d} < s\), and

By Theorem A.7(iii), \(s/r\) is a convergent of \(1/\sqrt{d}\). Since the convergents of \(1/\sqrt{d}\) are the reciprocals of the convergents of \(\sqrt{d}\) (by the observation that if \(x > 1\) then \(1/x = [0, a_0, a_1, \ldots]\) and \(d_n = 1/c_{n-1}\)), it follows that \(r/s\) is a convergent of \(\sqrt{d}\). ∎