Sets, Logic and Algebra


Arjeh M. Cohen, Hans Cuypers, and Hans Sterk


Copyright © Eindhoven University of Technology, 2012-2017

Contents

1 Sets, p. 1
1.1 Sets and Subsets, p. 1
1.2 How to describe a set?, p. 3
1.3 Operations on Sets, p. 4
1.4 Cartesian products, p. 9
1.5 Partitions, p. 9
1.6 Exercises, p. 10

2 Logic, p. 12
2.1 Logical operators, p. 12
2.2 Proposition Calculus, p. 14
2.3 Quantifiers, p. 16
2.4 Exercises, p. 18

3 Relations, p. 20
3.1 Binary relations, p. 20
3.2 Equivalence relations, p. 22
3.3 Relations and Directed Graphs, p. 24
3.4 Composition of Relations, p. 25
3.5 Transitive Closure, p. 27
3.6 Exercises, p. 28

4 Maps, p. 30
4.1 Definition, p. 30
4.2 Special Maps, p. 32
4.3 Exercises, p. 35

5 Orders, p. 37
5.1 Orders and Posets, p. 37
5.2 Maximal and Minimal Elements, p. 40
5.3 Exercises, p. 42

6 Recursion and Induction, p. 44
6.1 Recursion, p. 44
6.2 Natural Induction, p. 48
6.3 Strong Induction and Minimal Counter Examples, p. 50
6.4 Structural Induction, p. 52
6.5 Exercises, p. 53

7 Cardinalities, p. 56
7.1 Cardinality, p. 56
7.2 Countable sets, p. 57
7.3 Some uncountable sets, p. 59
7.4 Exercises, p. 61

8 Permutations, p. 62
8.1 Symmetric Groups, p. 62
8.2 Cycles, p. 65
8.3 Alternating groups, p. 70
8.4 Exercises, p. 74

9 Arithmetic, p. 77
9.1 Divisors and Multiples, p. 77
9.2 Euclid’s algorithm, p. 84
9.3 Linear Diophantine equations, p. 91
9.4 Prime numbers, p. 94
9.5 Factorization, p. 101
9.6 The b-ary number system, p. 105
9.7 Exercises, p. 107

10 Modular arithmetic, p. 112
10.1 Arithmetic modulo n, p. 112
10.2 Linear congruences, p. 124
10.3 The Theorems of Fermat and Euler, p. 128
10.4 The RSA cryptosystem, p. 135
10.5 Exercises, p. 136

11 Polynomials, p. 140
11.1 The notion of a polynomial, p. 140
11.2 Division of polynomials, p. 142
11.3 Polynomial functions, p. 151
11.4 Factorization, p. 154
11.5 Exercises, p. 157

12 Arithmetic modulo polynomials, p. 160
12.1 Congruence modulo a polynomial, p. 160
12.2 The residue class ring, p. 163
12.3 Two special cases, p. 168
12.4 Inverses and fields, p. 170
12.5 Finite fields, p. 172
12.6 Error correcting codes, p. 175
12.7 Exercises, p. 180

13 Monoids and groups, p. 185
13.1 Binary operations, p. 185
13.2 Monoids and semigroups, p. 192
13.3 Invertibility in monoids, p. 201
13.4 Groups, p. 203
13.5 Cyclic groups, p. 208
13.6 Cosets, p. 212
13.7 Exercises, p. 217

14 Rings and fields, p. 222
14.1 Rings, p. 222
14.2 Constructions with rings, p. 229
14.3 Domains and fields, p. 234
14.4 Fields, p. 241
14.5 Ideals, p. 251
14.6 Residue class rings, p. 259
14.7 Finite fields, p. 263
14.8 Exercises, p. 273

15 Groups, p. 277
15.1 Permutation groups, p. 277
15.2 Orbits, p. 284
15.3 Permutation group algorithms, p. 290
15.4 Automorphisms, p. 296
15.5 Quotient groups, p. 300
15.6 Structure theorems, p. 303
15.7 Exercises, p. 312

List of Tables

2.1 Logical operators, p. 12
9.1 The primes less than or equal to 1013, p. 95
9.2 Eratosthenes’ sieve, p. 97
9.3 Prime factorizations, p. 103
10.1 Addition table for Z/17Z, p. 116
10.2 Multiplication table for Z/17Z, p. 117
10.3 The multiplication table modulo 24, p. 121
10.4 Multiplication table for Z/17Z, p. 123
10.5 Multiplication table modulo 6, p. 124
10.6 Euler totient function, p. 130
12.1 The multiplication table of a quotient ring, p. 172
13.1 Multiplication in monoids, p. 191
15.1 Groups of order at most 11, p. 310



Chapter 1

Sets

1.1 Sets and Subsets

A set is any collection of “things” or “objects”. Your immediate family is a set. A shopping list is a set of items that you wish to buy when you go to the store. The cars in the dealership parking lot form a set. The only thing that matters to a set is what is in it. There is no notion of order or of how many copies of a particular item there are. A thing that is in a set is called an element or member of the set. A set is uniquely defined by its elements.
In set theory the notions of set, element and is an element of are basic. We assume these notions to be known.
Mathematical examples of sets are N, the set of natural numbers; Z, the set of integers; Q, the set of all rational numbers (i.e., fractions); and R, the set of all real numbers.
We use the following notation: if V is a set, then by v ∈ V we mean that v is an element of the set V. We also say “v is in V”, or “v belongs to V”. By v ∉ V we denote that the element v is not in V.
A common way to describe a set is by enumerating its elements and writing them between curly brackets. The elements are separated by commas. The order in which elements are given is irrelevant. Also the multiplicity with which elements occur does not matter. For example

{1, 2, 3}, {2, 1, 3}, and {1, 1, 1, 1, 2, 2, 3}

denote the same set.


Definition 1.1.1. Suppose A and B are sets. Then A is called a subset of B, if for every element
a ∈ A we also have that a ∈ B.
If A is a subset of B, then we write A ⊂ B or A ⊆ B. We also say that B contains A.
By B ⊃ A or B ⊇ A we mean A ⊂ B or A ⊆ B.

For each set B we find B to be a subset of itself. So B ⊆ B. Moreover, the empty set ∅, that is, the set with no elements, is a subset of B. A subset A of a set B which is neither the empty set nor the full set B is called a proper subset of B. To indicate that a subset A of B is not the full set B we also write A ⊊ B.
If B is a set, then by P(B) we denote the set of all subsets A of B. The set P(B) is called the power set of B.
Notice that the power set of a set is never empty. Indeed, it always contains the empty set ∅ as an element.

Proposition 1.1.2. Suppose A, B and C are sets. Then the following hold:

(a) If A ⊆ B and B ⊆ C then A ⊆ C.


(b) If A ⊆ B and B ⊆ A then A = B.

Proof. We prove the first statement. Suppose that A ⊆ B and B ⊆ C. Let a ∈ A. Since A ⊆ B, we find a ∈ B. Now, since we also have B ⊆ C, the element a is also in C. This shows that for every element a ∈ A, we also have a ∈ C. Hence A ⊆ C.
As for the second statement: every element of A is in B and every element of B is in A. But as a set is uniquely determined by its elements, we find A = B.

[Portrait: John Venn (1834-1923)]

Many statements and assertions on sets are illustrated by so-called Venn diagrams. The philosopher and mathematician John Venn (1834-1923) introduced the Venn diagram in 1881.

[Venn diagram: If A ⊆ B and B ⊆ C, then A ⊆ C.]

The second statement “If A ⊆ B and B ⊆ A, then A = B” may seem to be a trivial observation,
but it will prove to be very useful. It provides a way to show that two sets are equal!
Indeed, to prove that two sets A and B are equal, we first show that A ⊆ B by proving that
each element a ∈ A is also an element from B and then that B ⊆ A by proving that each b ∈ B
is also in A.
Example 1.1.3. It is true that 1 ∈ {1, 2, 3} and {1} ⊆ {1, 2, 3}, but not that 1 ⊆ {1, 2, 3} or {1} ∈ {1, 2, 3}.

Example 1.1.4. Notice that ∅ ∈ {∅} and ∅ ⊆ {∅}.

Example 1.1.5. Suppose A = {x, y, z}, then P(A) consists of the following 8 subsets of A:

∅, {x}, {y}, {z}, {x, y}, {x, z}, {y, z}, {x, y, z}.

Example 1.1.6. The following inclusions are proper:

N ⊂ Z ⊂ Q ⊂ R.

1.2 How to describe a set?

If V is a set, then we can describe V by enumerating all its elements and putting them between curly brackets. This, however, is a nontrivial task if V is large, and impossible if V has infinitely many elements.
In this section we offer some other ways to describe a set. Think, for example, of the following description of a set: Let X be the set of all real numbers x satisfying 0 ≤ x and x ≤ 1.
To describe this set we make use of a known set, the set of real numbers (the reference set),
and a predicate, in this case “0 ≤ x and x ≤ 1”. For every value of the variable x the predicate
provides an assertion (also called statement or proposition), that is a declarative sentence
which is either true or false.
An element x from the real numbers is in the set if and only if the predicate yields a true
assertion for that particular x.
In general a predicate P is a statement in which a variable occurs. For each value of the
variable the statement becomes an assertion about that particular value of the variable that
can be true or false.
Example 1.2.1. Some assertions are: 7 is a prime; 2π is a zero of the function sin; I have a
brother; Paris is the capital of France; Eindhoven is the capital of the Netherlands.
Some predicates on real numbers: x is positive; sin(x) < 1/2; x is a zero of the function cos.
Some more examples but now on positive integers: n is a prime; or n is even.

The way to use these predicates to define and describe sets is the following.

Definition 1.2.2. Let P be a predicate with reference set X, then

{x ∈ X | P(x)}
denotes the subset of X consisting of all elements x ∈ X for which the assertion P(x) is true.

Other ways to denote this set are

{x ∈ X : P(x)} and {x ∈ X; P(x)}.

The name of the variable, in our example x, is of no importance outside the definition of the set. So

{x ∈ X | P(x)} = {y ∈ X | P(y)}.

We say that the variable is bound to the definition of the set.


Example 1.2.3. The set {x ∈ R | x > 0} consists of the positive real numbers.
The set {z ∈ Z | z is divisible by 2} is the set of all even integers.

Besides enumeration of all elements and the use of predicates, there are still other ways
of describing sets. Examples are: the set of even integers; the set of points on a line; the
citizens of New York. Here a set is given by its objects. But we will also encounter notions
like {1, 3, 5, 7, 9, 11, . . . } to denote the set of odd natural numbers, or {. . . , −2, 0, 2, 4, . . . } to
denote the set of all even integers.

1.3 Operations on Sets

Definition 1.3.1. Let A and B be sets.


The intersection of A and B, notation A ∩ B, is the set of all elements contained in both A and
B.
The union of A and B, notation A ∪ B, is the set of elements that are in at least one of A or B.

Below you see a Venn diagram for the intersection and union of two sets.

[Venn diagram: The intersection A ∩ B and union A ∪ B of the two sets A and B in red.]

Proposition 1.3.2. Let A, B and C be sets. Then the following hold:

(a) A ∪ B = B ∪ A;
(b) A ∪ ∅ = A;
(c) A ⊆ A ∪ B;
(d) If A ⊆ B, then A ∪ B = B;
(e) (A ∪ B) ∪ C = A ∪ (B ∪ C);
(f) A ∩ B = B ∩ A;
(g) A ∩ ∅ = ∅;
(h) A ∩ B ⊆ A;
(i) If A ⊆ B, then A ∩ B = A;
(j) (A ∩ B) ∩ C = A ∩ (B ∩ C).

Proof. We prove (e).


First we show that (A ∪ B) ∪ C ⊆ A ∪ (B ∪ C). Therefore, let x ∈ (A ∪ B) ∪ C. Then, by definition of the union, x ∈ A ∪ B or x ∈ C. If x ∈ C, then, again by definition of the union, x ∈ B ∪ C and thus also in A ∪ (B ∪ C). If x ∈ A ∪ B, then x ∈ A and hence in A ∪ (B ∪ C), or x ∈ B and then also in B ∪ C and in A ∪ (B ∪ C). Thus, if x ∈ (A ∪ B) ∪ C, then x ∈ A ∪ (B ∪ C). We have shown that (A ∪ B) ∪ C ⊆ A ∪ (B ∪ C).
Similarly we find that x ∈ A ∪ (B ∪ C) implies x ∈ (A ∪ B) ∪ C, from which we deduce (A ∪ B) ∪ C ⊇ A ∪ (B ∪ C).

Combining the above, we find (A ∪ B) ∪ C = A ∪ (B ∪ C).

Due to properties (a) and (f) we call the operators ∩ and ∪ commutative. This is in analogy with the commutative law for addition or multiplication of real numbers or integers.
Properties (e) and (j) are the associative laws for the union and intersection. Due to these properties we do not have to put brackets in expressions like A ∩ B ∩ C or A ∪ B ∪ C. We can simply define the union A1 ∪ · · · ∪ Ak of a finite number of sets A1, . . . , Ak to be (. . . (A1 ∪ A2) · · · ∪ Ak−1) ∪ Ak. Similarly, the intersection A1 ∩ · · · ∩ Ak is well defined; it equals (. . . (A1 ∩ A2) · · · ∩ Ak−1) ∩ Ak. But these unions and intersections can also be taken over an infinite index set:

[Venn diagram: A ∩ B ∩ C]
Definition 1.3.3. Suppose I is a set and for each element i ∈ I there is a set Ai, then

⋃_{i∈I} Ai := {x | there is an i ∈ I with x ∈ Ai}

and

⋂_{i∈I} Ai := {x | for all i ∈ I we have x ∈ Ai}.

(The set I is called the index set.)
If C is a set (also called collection) of sets, then we can define

⋃_{A∈C} A := {x | there is an A ∈ C with x ∈ A}

and

⋂_{A∈C} A := {x | for all A ∈ C we have x ∈ A}.

Example 1.3.4. Suppose for each i ∈ N the set Ai is defined as {x ∈ R | 0 ≤ x ≤ i}. Then

⋂_{i∈N} Ai = {0}

(here we assume 0 ∈ N) and

⋃_{i∈N} Ai = R≥0 = {x ∈ R | x ≥ 0}.

Definition 1.3.5. Let A and B be sets. The difference of A and B, notation A \ B, is the set of all elements from A that are not in B.
The symmetric difference of A and B, notation A△B, is the set consisting of all elements that are in exactly one of A or B.

[Venn diagrams: The difference A \ B and symmetric difference A△B of the sets A and B.]

Proposition 1.3.6. Let A, B and C be sets. Then the following hold:

(a) A \ B ⊆ A;
(b) If A ⊆ B, then A \ B = ∅;
(c) A = (A \ B) ∪ (A ∩ B);
(d) A△B = (A \ B) ∪ (B \ A);
(e) A△B = B△A;
(f) If A ⊆ B, then A△B = B \ A;
(g) A△(B△C) = (A△B)△C.

Below you find some statements involving more than one of the operators ∩, ∪, \ or 4.

Proposition 1.3.7. Let A, B and C be sets. Then the following hold:

(a) (A ∪ B) ∩ C = (A ∩ C) ∪ (B ∩ C);
(b) (A ∩ B) ∪ C = (A ∪ C) ∩ (B ∪ C);
(c) A \ (B ∪ C) = (A \ B) ∩ (A \ C);
(d) A \ (B ∩ C) = (A \ B) ∪ (A \ C).

Definition 1.3.8. If one is working inside a fixed set U and only considering subsets of U,
then the difference U \ A is also called the complement of A in U. We write A∗ or Ac for the
complement of A in U. In this case the set U is also called the universe.

[Venn diagram: The complement A∗ of a set A in the universe U.]

Proposition 1.3.9. For subsets A, B and C of the universe U we have:

(a) A ∪ A∗ = U;
(b) B \ C = B ∩ C∗;
(c) (A∗)∗ = A;
(d) If A ⊆ B then B∗ ⊆ A∗;
(e) (A ∪ B)∗ = A∗ ∩ B∗;
(f) (A ∩ B)∗ = A∗ ∪ B∗.
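The identities of Propositions 1.3.2, 1.3.6, 1.3.7 and 1.3.9 hold for arbitrary sets, so a quick sanity check is to try every triple of subsets of a small universe; the same search finds the counterexamples that Exercise 1.6.7 asks for. This Python example is added here and is not part of the textbook; the universe U = {0, 1, 2} and all names in it are constructed for the example.

```python
from itertools import combinations

# Constructed universe (assumption of this example). An exhaustive check over
# P(U) is a test, not a proof: it cannot replace the element-chasing argument
# of Section 1.3, but it catches a wrongly remembered identity immediately.
U = frozenset(range(3))


def power_set(s):
    """P(s): every subset of s as a frozenset, smallest subsets first."""
    items = sorted(s)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def sym_diff(a, b):
    """A△B by Definition 1.3.5: the elements in exactly one of A or B."""
    return frozenset(x for x in a | b if (x in a) != (x in b))


def complement(a, universe=U):
    """A* by Definition 1.3.8: U \\ A."""
    return universe - a


# Each entry returns True exactly when the identity holds for the given A, B, C.
# (frozenset: | is union, & is intersection, - is difference, <= is subset.)
IDENTITIES = {
    "1.3.2(e) (A∪B)∪C = A∪(B∪C)":
        lambda a, b, c: (a | b) | c == a | (b | c),
    "1.3.2(i) A ⊆ B ⇒ A∩B = A":
        lambda a, b, c: (not a <= b) or a & b == a,
    "1.3.6(c) A = (A\\B) ∪ (A∩B)":
        lambda a, b, c: a == (a - b) | (a & b),
    "1.3.6(d) A△B = (A\\B) ∪ (B\\A)":
        lambda a, b, c: sym_diff(a, b) == (a - b) | (b - a),
    "1.3.6(g) A△(B△C) = (A△B)△C":
        lambda a, b, c: sym_diff(a, sym_diff(b, c)) == sym_diff(sym_diff(a, b), c),
    "1.3.7(a) (A∪B)∩C = (A∩C)∪(B∩C)":
        lambda a, b, c: (a | b) & c == (a & c) | (b & c),
    "1.3.7(d) A\\(B∩C) = (A\\B)∪(A\\C)":
        lambda a, b, c: a - (b & c) == (a - b) | (a - c),
    "1.3.9(b) B\\C = B ∩ C*":
        lambda a, b, c: b - c == b & complement(c),
    "1.3.9(d) A ⊆ B ⇒ B* ⊆ A*":
        lambda a, b, c: (not a <= b) or complement(b) <= complement(a),
    "1.3.9(f) (A∩B)* = A* ∪ B*":
        lambda a, b, c: complement(a & b) == complement(a) | complement(b),
}


def find_counterexample(claim, universe=U):
    """First triple (A, B, C) of subsets of universe with claim(A, B, C) False,
    or None when the claim survives every triple."""
    subsets = power_set(universe)
    for a in subsets:
        for b in subsets:
            for c in subsets:
                if not claim(a, b, c):
                    return (a, b, c)
    return None


def check_identities(universe=U):
    """Map each identity name to True (no counterexample) or False."""
    return {name: find_counterexample(f, universe) is None
            for name, f in IDENTITIES.items()}


# The three claims of Exercise 1.6.7, for which the reader must decide
# between a proof and a counterexample.
EXERCISE_1_6_7 = {
    "(a) A ⊆ (A∩B)∪C":
        lambda a, b, c: a <= (a & b) | c,
    "(b) (A∪B)∩C = (A∩B)∪C":
        lambda a, b, c: (a | b) & c == (a & b) | c,
    "(c) (A\\B)∩C = (A∩C)\\(B∩C)":
        lambda a, b, c: (a - b) & c == (a & c) - (b & c),
}


if __name__ == "__main__":
    for name, ok in check_identities().items():
        print("holds" if ok else "FAILS", name)
    for name, claim in EXERCISE_1_6_7.items():
        found = find_counterexample(claim)
        print(name, "->", "counterexample (A, B, C) =", found if found else "none over U")
```

A claim that survives every triple of subsets of U is not thereby proved, but one that fails has been refuted with an explicit (A, B, C), which is exactly what a counterexample in the exercise requires.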

1.4 Cartesian products

Suppose a1, a2, . . . , ak are elements from some set, then the ordered k-tuple of a1, a2, . . . , ak is denoted by (a1, a2, . . . , ak).
Definition 1.4.1. The Cartesian product A1 × · · · × Ak of sets A1, . . . , Ak is the set of all ordered k-tuples (a1, a2, . . . , ak) where ai ∈ Ai for 1 ≤ i ≤ k.
In particular, if A and B are sets, then

A × B = {(a, b) | a ∈ A and b ∈ B}.

Notice that taking the Cartesian product is not associative. The sets A × (B × C), (A × B) × C and A × B × C are all different. However, there is a canonical way of identifying all three sets. Indeed, leave out all brackets except for the outer ones.
If for all 1 ≤ i ≤ k we have Ai = A, then A1 × · · · × Ak is also denoted by Aᵏ. In this way we also encounter R² as the coordinate system for the real plane.

[Portrait: René Descartes (1596-1650)]

Cartesian means relating to the French mathematician and philosopher René Descartes (Latin: Cartesius), who, among other things, worked to merge algebra and Euclidean geometry. His work was influential in the development of analytic geometry, calculus, and cartography.
The idea of a Cartesian product was developed in 1637 in two writings by Descartes. In part two of his Discours de la Méthode, Descartes introduces the new idea of specifying the position of a point or object on a surface, using two intersecting axes as measuring guides. This is exactly the way one nowadays uses R² as a coordinate system for the real plane. In La Géométrie, he further explores the above-mentioned concepts.

1.5 Partitions

Definition 1.5.1. Let S be a nonempty set. A collection Π of subsets of S is called a partition if and only if

(a) ∅ ∉ Π;
(b) ⋃_{X∈Π} X = S;
(c) for all X ≠ Y ∈ Π we have X ∩ Y = ∅.

Example 1.5.2. The set {1, 2, . . . , 10} can be partitioned into the sets {1, 2, 3}, {4, 5} and {6, 7, 8, 9, 10}.

Example 1.5.3. Suppose L is the set of all lines in R2 parallel to a fixed line `. Then L
partitions R2 .

1.6 Exercises

Exercise 1.6.1. Which of the following sets are equal to each other: ∅, {∅}, {0}?

Exercise 1.6.2. What are the sets that have no proper subset?

Exercise 1.6.3. How many elements does the set {∅, {∅}, ∅} have?

Exercise 1.6.4. Suppose A = {{1}, {2, 3}}. Which of the following is true: {1} ⊆ A, {2, 3} ⊆
A, {{2, 3}} ⊆ A?

Exercise 1.6.5. Suppose A = {0, {1, 2}}. Give all subsets of P(A).

Exercise 1.6.6. Suppose a set A contains n elements. How many elements does P(A) have?

Exercise 1.6.7. Which of the following statements is true for all sets A, B and C? Give a proof
or a counter example.

(a) A ⊆ ((A ∩ B) ∪C).

(b) (A ∪ B) ∩C = (A ∩ B) ∪C.
(c) (A \ B) ∩C = (A ∩C) \ (B ∩C).

Exercise 1.6.8. Let A, B and C be sets. Prove the following.

(a) If A ⊆ B, then (A ∪C) ⊆ (B ∪C).


(b) If A ⊆ C and B ⊆ C, then (A ∪ B) ⊆ C.
(c) If A ∪ B = A ∩ B, then A = B.

Exercise 1.6.9. Suppose A and B are sets. Show the following.

(a) A \ (B \ A) = A.
(b) A ∪ B = (A \ B) ∪ (A ∩ B) ∪ (B \ A)

(c) If A△B = A, then B = ∅.

Exercise 1.6.10. Suppose T is a set of sets with the property that for all A, B ∈ T also (A\B) ∈
T . Prove that for A, B ∈ T also A ∩ B ∈ T .

Exercise 1.6.11. Which of the following sets is empty?

(a) {x ∈ R | x² = 9 and 2x = 4}.
(b) {x ∈ R | x ≠ x}.
(c) {x ∈ R | x + 8 = 8}.
(d) {x ∈ R | x² = 3 or x² = 1}.
(e) {x ∈ R | x² ≥ −1}.

Exercise 1.6.12. Give a description of the form {x ∈ X | P(x)} for each of the following sets.

(a) the even integers.


(b) the circles in R2 with radius 2.
(c) the lines in R2 parallel to the y-axis.

Chapter 2

Logic

As we have seen in the previous chapter, we can describe sets using predicates and assertions. In this chapter we will learn how to work with and manipulate assertions and predicates.

2.1 Logical operators


Definition 2.1.1. Let a and b be assertions.
The assertion a and b (notation a ∧ b) is true, if and only if both a and b are true.
The assertion a or b (notation a ∨ b) is true, if and only if at least one of a and b is true.
The negation of a is denoted by ¬a. This negation is true if and only if a is false.

The above definition can be summarized in the following table:

a b a∧b a∨b ¬a
true true true true false
true false false true false
false true false true true
false false false false true

Table 2.1: Logical operators

The symbols ∧, ∨ and ¬ can be used to form new assertions or predicates out of old ones and
hence to describe sets. E.g.,

{x ∈ R | (0 ≤ x) ∧ (x ≤ 5)}
is the set of all reals x with 0 ≤ x ≤ 5.

Example 2.1.2. If A and B are subsets of the universe U, then

A ∩ B = {x ∈ U | x ∈ A ∧ x ∈ B},

A ∪ B = {x ∈ U | x ∈ A ∨ x ∈ B}
and
A∗ = {x ∈ U | ¬(x ∈ A)}.

Definition 2.1.3. If a and b are assertions, then the assertion if a then b (notation a ⇒ b) is
true if and only if one of the following occurs:

(a) a is true and b is true;


(b) a is false and b is true;
(c) a is false and b is false.

Example 2.1.4. Notice that the definitions of “. . . or . . . ” and of “if . . . then . . . ” are a bit
different from what we are used to in common language.
In common language the “or” is usually an exclusive “or”. If we say “would you like to have
a cup of coffee or tea”, we do not expect the answer yes, but a choice.
Also statements involving “if . . . then . . . ” are often used in a different way than in logic.
Indeed, a statement like “if London is the capital of Germany, then Paris is the capital of
France” is not always considered to be true. In logic, however, it is a true statement.

Definition 2.1.5. Suppose a and b are assertions.


By a ⇐ b we denote if b then a and by a ⇔ b we denote (a ⇐ b) ∧ (a ⇒ b). This is expressed
as a if and only if b. This leads to the following table.

a b a⇒b a⇐b a⇔b


true true true true true
true false false true false
false true true false false
false false true true true

Of course we can apply the above operators not only to assertions but also to predicates.
Example 2.1.6. Consider the set

{n ∈ Z | (2 divides n) ∧ (3 divides n)}.

The set consists of the common multiples of 2 and 3, i.e., the multiples of 6.
The set

{n ∈ Z | (2 divides n) ⇒ (3 divides n)}

consists of all odd integers and the multiples of 6. Indeed, if n is odd, the implication holds because its premise is false; if n is even, the implication holds only when n is also a multiple of 3, and hence of 6.
Up till now we have seen only examples in which there is only one variable involved in a
predicate. Here you see an example with more than one variable:

{n ∈ Z | there is an m ∈ Z with n = m2 }.

This is the set of integers that are a square.

2.1.7. Suppose p and q are two assertions, and we want to prove that p ⇒ q is true, then it
suffices to prove that in case p is true, the statement q is also true. For, in case p is false, the
implication p ⇒ q is always true.

Example 2.1.8. For sets A, B and C we have the following:

((A ⊆ B) ∧ (B ⊆ C)) ⇒ (A ⊆ C)

In the proof of this statement as given in 1.1.2 we start with the assumption that (A ⊆ B)∧(B ⊆
C) is true, and then deduce that A ⊆ C. By the above this suffices to prove the statement.

2.2 Proposition Calculus

In proposition calculus we study the various expressions obtained by using the operators
∧, ∨, ¬ and ⇒.
We use these operators and assertions p1 , . . . , pk to form new assertions, and analyze them. A
very helpful tool is then a truth table.
Example 2.2.1. Let p, q and r be assertions and consider the assertion

((p ∨ q) ∧ r) ⇔ ((p ∧ r) ∨ (q ∧ r)).

We claim this assertion to be true. We can check that using the following truth table, where
L = (p ∨ q) ∧ r and M = (p ∧ r) ∨ (q ∧ r).

p q r p∨q L p∧r q∧r M L⇔M


true true true true true true true true true
true true false true false false false false true
true false true true true true false true true
true false false true false false false false true
false true true true true false true true true
false true false true false false false false true
false false true false false false false false true
false false false false false false false false true

Proposition 2.2.2. Suppose p, q and r are assertions. Then the following assertions are true:

(a) p ∨ ¬p;
(b) p ⇔ ¬(¬p);
(c) ¬(p ∧ ¬p);
(d) (p ⇒ q) ⇔ ((¬p) ∨ q);
(e) (¬(p ∨ q)) ⇔ ((¬p) ∧ (¬q));
(f) (¬(p ∧ q)) ⇔ ((¬p) ∨ (¬q));
(g) (p ⇒ q) ⇔ ((¬q) ⇒ (¬p));
(h) ((p ∨ q) ∧ r) ⇔ ((p ∧ r) ∨ (q ∧ r));
(i) ((p ∧ q) ∨ r) ⇔ ((p ∨ r) ∧ (q ∨ r)).

Proof. A proof of each of the above statements can be given by the use of a truth table. In
particular, (h) has been proved in Example 2.2.1.
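Example 2.2.1 checks one equivalence by hand with a truth table. The following Python example, added here and not from the textbook, builds the truth table of any formula over ∧, ∨, ¬, ⇒ and ⇔ with the operators defined exactly as in Definitions 2.1.1, 2.1.3 and 2.1.5, and uses it to confirm all nine statements of Proposition 2.2.2. The tuple encoding of formulas and every name used are assumptions of the example.

```python
from itertools import product

# Formula encoding (an assumption of this example, not the book's notation):
# a variable is a string such as "p"; a compound formula is a tuple whose
# first entry names the operator, e.g. ("imp", "p", ("not", "q")) is p ⇒ ¬q.


def implies(a, b):
    """a ⇒ b per Definition 2.1.3: false only when a is true and b is false."""
    return (not a) or b


OPERATORS = {
    "not": lambda a: not a,                              # ¬a   (Def. 2.1.1)
    "and": lambda a, b: a and b,                         # a ∧ b
    "or":  lambda a, b: a or b,                          # a ∨ b
    "imp": implies,                                      # a ⇒ b (Def. 2.1.3)
    "iff": lambda a, b: implies(a, b) and implies(b, a),  # a ⇔ b (Def. 2.1.5)
}


def evaluate(formula, assignment):
    """Truth value of formula under a dict mapping variable names to bools."""
    if isinstance(formula, str):
        return assignment[formula]
    op, *args = formula
    return OPERATORS[op](*(evaluate(arg, assignment) for arg in args))


def variables(formula):
    """The set of variable names occurring in formula."""
    if isinstance(formula, str):
        return {formula}
    return set().union(*(variables(arg) for arg in formula[1:]))


def truth_table(formula):
    """Rows (assignment, value), one per combination of truth values, in the
    same true-before-false order as the tables of Section 2.2."""
    names = sorted(variables(formula))
    rows = []
    for values in product([True, False], repeat=len(names)):
        assignment = dict(zip(names, values))
        rows.append((assignment, evaluate(formula, assignment)))
    return rows


def is_tautology(formula):
    """True when every row of the truth table is true."""
    return all(value for _, value in truth_table(formula))


def counterexample(formula):
    """First assignment that makes formula false, or None for a tautology."""
    for assignment, value in truth_table(formula):
        if not value:
            return assignment
    return None


# The nine statements of Proposition 2.2.2, encoded as formulas.
P, Q, R = "p", "q", "r"
PROPOSITION_2_2_2 = {
    "(a)": ("or", P, ("not", P)),
    "(b)": ("iff", P, ("not", ("not", P))),
    "(c)": ("not", ("and", P, ("not", P))),
    "(d)": ("iff", ("imp", P, Q), ("or", ("not", P), Q)),
    "(e)": ("iff", ("not", ("or", P, Q)), ("and", ("not", P), ("not", Q))),
    "(f)": ("iff", ("not", ("and", P, Q)), ("or", ("not", P), ("not", Q))),
    "(g)": ("iff", ("imp", P, Q), ("imp", ("not", Q), ("not", P))),
    "(h)": ("iff", ("and", ("or", P, Q), R), ("or", ("and", P, R), ("and", Q, R))),
    "(i)": ("iff", ("or", ("and", P, Q), R), ("and", ("or", P, R), ("or", Q, R))),
}


def print_table(formula):
    """Print a truth table in the layout of Example 2.2.1."""
    names = sorted(variables(formula))
    print(" ".join(f"{n:>5}" for n in names), " formula")
    for assignment, value in truth_table(formula):
        print(" ".join(f"{str(assignment[n]).lower():>5}" for n in names),
              f" {str(value).lower()}")


if __name__ == "__main__":
    for name, formula in PROPOSITION_2_2_2.items():
        verdict = "tautology" if is_tautology(formula) else f"fails at {counterexample(formula)}"
        print(name, verdict)
    print_table(PROPOSITION_2_2_2["(h)"])   # the table of Example 2.2.1
```

Feeding a non-tautology such as (p ∨ q) ⇒ (p ∧ q) to counterexample returns the first failing row, which is the same evidence a truth table gives when an equivalence does not hold.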
Definition 2.2.3. Suppose p and q are assertions or predicates.
We say p implies q if p ⇒ q is true. We call p and q equivalent, if p implies q and q implies
p.

2.2.4. Let p and q be assertions. Notice that p ⇒ q is true if and only if ¬q ⇒ ¬p is true. In other words, p ⇒ q and ¬q ⇒ ¬p are equivalent statements.
Thus to prove p ⇒ q it suffices to prove ¬q ⇒ ¬p.
Another way of using the equivalence of p ⇒ q and ¬q ⇒ ¬p is the so-called Proof by Contradiction.
Suppose one wants to prove an assertion p. Then a way to do that is to assume that p is not true and deduce a contradiction with some obviously true statement q.
Thus, one proves ¬p ⇒ ¬q, and by the above equivalence q ⇒ p. But then the truth of q implies that p is true.

Here are some examples:


Example 2.2.5. Consider the following statement: If an integer n is equal to 3m + 2 for some
m ∈ Z, then n is not a square. This statement is equivalent to the following statement:
If an integer n is a square, then it is not of the form 3m + 2 for some m ∈ Z.
We prove the latter statement and thus also the first.

Suppose n = k² for some k ∈ Z. Then k is of the form 3l + i for some l ∈ Z and i ∈ {0, 1, 2}. Hence n = k² = (3l + i)² = 9l² + 6li + i². If i = 0, we find n = 3(3l²) to be a multiple of 3, and hence not of the form 3m + 2 for some m ∈ Z. If i = 1, then n = 3(3l² + 2l) + 1 and again not of the form 3m + 2 for some m ∈ Z. And finally, if i = 2, then n = 9l² + 12l + 4 = 3(3l² + 4l + 1) + 1, which again is not of the form 3m + 2 for some m ∈ Z.

Example 2.2.6 (Proof by Contradiction). Assertion p: there are no positive integers x, y with x² − y² = 1.
We will prove the assertion p to be true by contradiction.
Suppose p is not true. We will show that this implies that x or y is not positive, a clear contradiction with the statement q telling us that an integer can not be both positive and not positive.
Assume that there exist positive integers x and y with x² − y² = 1. Since x² − y² = (x − y) · (x + y) it follows that either x − y = 1 and x + y = 1 or x − y = −1 and x + y = −1. In the first case we can add the two equations to get x = 1 and y = 0, contradicting our assumption that x and y are positive. The second case is similar, getting x = −1 and y = 0, again contradicting our assumption.

2.3 Quantifiers

In many statements and assertions we find phrases like “For all x we have . . . ” or “There
exists an x with . . . ”. This kind of phrases can be expressed using quantifiers.
Definition 2.3.1. Let P be a predicate on a reference set X. Then by

∀x∈X [P(x)]

we denote the assertion “For all x ∈ X the assertion P(x) is true”.


∀ is called the for all-quantifier or universal quantifier.
By
∃x∈X [P(x)]
we denote the assertion “ There exists an x ∈ X with P(x) true”. ∃ is called the existential
quantifier.

Sometimes we might also encounter the quantifier ∃!, which represents “there is a unique”.
Example 2.3.2. The following statements are true:

∀x∈R [x ≥ 0 ⇒ |x| = x],

∃x∈R [|x| = x],


∀x∈Q [−1 < sin(x) < 1].

Here a few statements that are false:

∀x∈R [|x| = x],

∀x∈R [−1 < sin(x) < 1].

2.3.3. We can make combinations of quantifiers to create various assertions. For example

∀x∈Z ∃y∈Z [x + y = 0]

which reads as: for all x ∈ Z there exists a y ∈ Z such that x + y = 0. Clearly this statement is true, since for each x ∈ Z we can take y to be equal to −x.

Proposition 2.3.4 (DeMorgan’s rule). The statement

¬(∀x∈X [P(x)])

is equivalent with the statement

∃x∈X [¬(P(x))].

The statement
¬(∃x∈X [P(x)])
is equivalent with the statement

∀x∈X [¬(P(x))].

Example 2.3.5. Let X = {1, 2, . . . , 9} and consider the following statements.

P = ∀x∈X ∃y∈X [x + y = 10]
and
Q = ∃x∈X ∀y∈X [x + y = 10].

The assertion P is true. Indeed, for x = 1 we can choose y = 9, for x = 2 we choose y = 8 and so on. In general, for x ∈ X we can choose y to be equal to 10 − x.
The assertion Q is false. We prove ¬Q. By DeMorgan’s rule (2.3.4) the assertion ¬Q is equivalent with
R = ∀x∈X ∃y∈X [x + y ≠ 10].
So it suffices to prove the latter assertion. Let x ∈ X and choose y = 1 if x ≠ 9 and y = 2 otherwise. Then x + y ≠ 10. This proves R and hence ¬Q.

2.4 Exercises

Exercise 2.4.1. Express the following sets using the symbols A, B, C and operators ∩, ∪, ∗ and \.

(a) {x | ((x ∈ A) ∧ (x ∈ B)) ∨ (x ∈ C)};
(b) {x | (x ∈ A) ∨ ((x ∈ B) ∧ (x ∈ C))};
(c) {x | ((x ∉ A) ∧ (x ∉ B)) ∨ (x ∉ C)}.

Exercise 2.4.2. Describe the following sets using assertions involving x ∈ A, x ∈ B, x ∈ C and the symbols ¬, ∧ and ∨.

(a) (A \ B) ∩ C;
(b) (A ∪ B) ∩ C∗;
(c) (A \ C) ∪ (B ∩ C).

Exercise 2.4.3. Suppose p is true and q is false. What about

(a) p ⇒ (p ⇒ q);
(b) p ⇒ (q ⇒ p);

(c) q ⇒ (p ⇒ q);
(d) q ⇒ (q ⇒ p).

Exercise 2.4.4. For assertions p, q and r we have

((p ∧ q) ∨ r) ⇔ ((p ∨ r) ∧ (q ∨ r))

and
((p ∨ q) ∧ r) ⇔ ((p ∧ r) ∨ (q ∧ r)).

Prove these two statements with and without the use of a truth table.

Exercise 2.4.5. Which of the following is true?

(a) ∀x∈R ∃y∈R [x² ≥ y];
(b) ∃x∈R ∀y∈R [x² ≥ y];
(c) ∀y∈R ∃x∈R [x² ≥ y];
(d) ∃y∈R ∀x∈R [x² ≥ y].

Exercise 2.4.6. (a) Give an infinite sequence a₁, a₂, . . . such that

∀m∈N ∃k∈R ∀n≥m [aₙ ≥ k].

Also provide a sequence for which the above statement is false.

(b) Same question for the statement

∃m∈N ∀k∈R ∃n≥m [aₙ ≥ k].

(c) Same questions for

¬(∃m∈N ∀k∈R ∃n≥m [aₙ ≥ k]).

Exercise 2.4.7. Provide a finite set V ⊆ N for which

∀z∈N ∃x∈V ∀y∈V [x + y ≠ z].

Also provide a finite set V ⊆ N for which

¬(∀z∈N ∃x∈V ∀y∈V [x + y ≠ z]).



Chapter 3

Relations

3.1 Binary relations

Definition 3.1.1. A (binary) relation R between the sets S and T is a subset of the Cartesian
product S × T .
If (a, b) ∈ R, we say a is in relation R to b. We denote this by aRb. The set S is called the
domain of the relation and the set T the codomain. If S = T we say R is a relation on S.

Example 3.1.2. We give some examples:

(a) “Is the mother of” is a relation between the set of all females and the set of all people. It consists of all the pairs (person 1, person 2) where person 1 is the mother of person 2.
(b) “There is a train connection between” is a relation between the cities of the Netherlands.
(c) The identity relation “=” is a relation on a set S. This relation is often denoted by I. So,

I = {(s, s) | s ∈ S}.

(d) We say an integer n divides an integer m, notation n | m, if there is an element q ∈ Z such that qn = m. Divides | is a relation on Z consisting of all the pairs (n, m) ∈ Z × Z with n | m.
(e) “Greater than” > or “less than” < are relations on R.
(f) R = {(0, 0), (1, 0), (2, 1)} is a relation between the sets S = {0, 1, 2} and T = {0, 1}.
(g) R = {(x, y) ∈ R² | y = x²} is a relation on R.



(h) Let Ω be a set, then “is a subset of” ⊆ is a relation on the set S of all subsets of Ω.

Besides binary relations one can also consider n-ary relations with n ≥ 0. An n-ary relation R on the sets S1, . . . , Sn is a subset of the Cartesian product S1 × · · · × Sn. In these notes we will restrict our attention to binary relations. Unless stated otherwise, a relation will be assumed to be binary.
Let R be a relation from a set S to a set T. Then for each element a ∈ S we define [a]R to be the set

[a]R := {b ∈ T | aRb}.

(Sometimes this set is also denoted by R(a).) This set is called the (R-)image of a. For b ∈ T the set

R[b] := {a ∈ S | aRb}

is called the (R-)pre-image of b or R-fiber of b.


Definition 3.1.3. If S = {s1, . . . , sn} and T = {t1, . . . , tm} are finite sets and R ⊆ S × T is a binary relation, then the adjacency matrix AR of the relation R is the n × m matrix whose rows are indexed by S and columns by T, defined by

A_{s,t} = 1 if (s, t) ∈ R, and A_{s,t} = 0 otherwise.

Notice that a presentation of the adjacency matrix of a relation is defined up to permutations of the rows and columns of the matrix. If the sets S and T are equal, then it is customary to put the rows in the same order as the columns.
If s ∈ S, then [s]R consists of those t ∈ T such that the entry t of the row s in AR equals 1. For t ∈ T the set R[t] consists of the elements s ∈ S for which the entry s in the column of t is nonzero.
Example 3.1.4. (a) The adjacency matrix of the relation R = {(0, 0), (1, 0), (2, 1)} between the sets S = {0, 1, 2} and T = {0, 1} equals

$$\begin{pmatrix} 1 & 0 \\ 1 & 0 \\ 0 & 1 \end{pmatrix}.$$

(We number rows from top to bottom and columns from left to right.)
(b) The adjacency matrix of the identity relation on a set S of size n is the n × n identity matrix

$$I_n = \begin{pmatrix} 1 & 0 & \cdots & 0 & 0 \\ 0 & 1 & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & 1 & 0 \\ 0 & 0 & \cdots & 0 & 1 \end{pmatrix}.$$

(c) The adjacency matrix of the relation ≤ on the set {1, 2, 3, 4, 5} is the upper triangular matrix

$$\begin{pmatrix} 1 & 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 & 1 \\ 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 0 & 1 \end{pmatrix}.$$

Some relations have special properties:


Definition 3.1.5. Let R be a relation on a set S. Then R is called

• Reflexive if for all x ∈ S we have (x, x) ∈ R;
• Irreflexive if for all x ∈ S we have (x, x) ∉ R;
• Symmetric if for all x, y ∈ S we have xRy implies yRx;
• Antisymmetric if for all x, y ∈ S we have that xRy and yRx implies x = y;
• Transitive if for all x, y, z ∈ S we have that xRy and yRz implies xRz.

Example 3.1.6. We consider some of the examples given above:

(a) “Is the mother of” is a relation on the set of all people. This relation is irreflexive, antisymmetric and not transitive.
(b) “There is a train connection between” is a symmetric and transitive relation.
(c) “=” is a reflexive, symmetric and transitive relation on a set S.
(d) Divides | is a reflexive, antisymmetric and transitive relation on N.
(e) “Greater than” > or “less than” < on R are irreflexive, antisymmetric and transitive.
(f) The relation R = {(x, y) ∈ R² | y = x²} is neither reflexive nor irreflexive.

If R is a relation on a finite set S, then special properties like reflexivity, symmetry and transitivity can be read off from the adjacency matrix A. For example, the relation R on a set S is reflexive if and only if the main diagonal of A only contains 1’s, i.e., A_{s,s} = 1 for all s ∈ S. The relation R is symmetric if and only if the transposed matrix Aᵀ of A equals A. (The transposed matrix Mᵀ of an n × m matrix M is the m × n matrix with entry (i, j) equal to M_{j,i}.)

3.2 Equivalence relations

As we noticed in the above example, “being equal” is a reflexive, symmetric and transitive
relation on any set S. Relations having these three properties deserve some special attention.

Definition 3.2.1. A relation R on a set S is called an equivalence relation on S if and only if it is reflexive, symmetric and transitive.

Example 3.2.2. Consider the plane R2 and in it the set S of straight lines. We call two lines
parallel in S if and only if they are equal or do not intersect. Notice that two lines in S are
parallel if and only if their slope is equal. Being parallel defines an equivalence relation on
the set S.

Example 3.2.3. Fix n ∈ Z, n ≠ 0, and consider the relation R on Z given by aRb if and only if a − b is divisible by n. We also write a = b mod n.
The relation R is an equivalence relation. Indeed, suppose a, b, c ∈ Z. Then

(a) aRa as a − a = 0 is divisible by n.
(b) If aRb, then a − b is divisible by n and hence also b − a. Thus bRa.
(c) If aRb and bRc, then n divides both a − b and b − c and then also (a − b) + (b − c) = a − c. So aRc.

Example 3.2.4. Let Π be a partition of the set S, i.e., Π is a set of nonempty subsets of S such
that each element of S is in a unique member of Π. In particular, the union of all members of
Π yields the whole set S and any two members of Π have empty intersection.
We define the relation RΠ as follows: a, b ∈ S are in relation RΠ if and only if there is a subset
X of S in Π containing both a and b. We check that the relation RΠ is an equivalence relation
on S.

• Reflexivity. Let a ∈ S. Then there is an X ∈ Π containing a. Hence a, a ∈ X and aRΠa.
• Symmetry. Let aRΠb. Then there is an X ∈ Π with a, b ∈ X. But then also b, a ∈ X and bRΠa.
• Transitivity. If a, b, c ∈ S with aRΠb and bRΠc, then there are X, Y ∈ Π with a, b ∈ X and b, c ∈ Y. However, then b is in both X and Y. But then, as Π partitions S, we have X = Y. So a, c ∈ X and aRΠc.

The following theorem implies that every equivalence relation on a set S can be obtained from
a partition of the set S. But first a lemma:

Lemma 3.2.5. Let R be an equivalence relation on a set S. If b ∈ [a]R , then [b]R = [a]R .

Proof. Suppose b ∈ [a]R . Thus aRb. If c ∈ [b]R , then bRc and, as aRb, we have by transitivity
aRc. In particular, [b]R ⊆ [a]R .
Since, by symmetry of R, aRb implies bRa and hence a ∈ [b]R , we similarly get [a]R ⊆ [b]R .

Theorem 3.2.6. Let R be an equivalence relation on a set S. Then the set of R-equivalence classes partitions the set S.

Proof. Let ΠR be the set of R-equivalence classes. Then by reflexivity of R we find that each element a ∈ S is inside the class [a]R of ΠR.
If an element a ∈ S is in the classes [b]R and [c]R of ΠR, then by the previous lemma we find [b]R = [a]R and [a]R = [c]R. In particular [b]R equals [c]R. Thus each element a ∈ S is inside a unique member of ΠR, which therefore is a partition of S.

3.3 Relations and Directed Graphs

A directed edge of a set V is an element of V × V. If e = (v, w) is a directed edge of V, then v is called its tail and w its head. Both v and w are called end points of the edge e. The reverse of the edge e is the edge (w, v).
A directed graph (also called digraph) Γ = (V, E) consists of a set V of vertices and a subset E
of V ×V of (directed) edges. The elements of V are called the vertices of Γ and the elements
of E the edges of Γ. Clearly, the edge set of a directed graph is a relation on the set of vertices.
Conversely, if R is a binary relation on a set S, then R defines a directed graph (S, R) on the
set S, which we denote by ΓR . Hence there is a one-to-one correspondence between directed
graphs and relations. It is often convenient to switch from a relation to the corresponding
digraph or back.
In this subsection we introduce some graph theoretical language and notation to be used in
the sequel.
Suppose Γ = (V, E) is a digraph. A path from v to w, where v, w ∈ V, is a sequence v₀, v₁, . . . , vₖ of vertices with v₀ = v, vₖ = w and (vᵢ, vᵢ₊₁) ∈ E for all 0 ≤ i < k. The length of the path is k. A path is called simple if all the vertices v₀ up to vₖ₋₁ are distinct. A cycle is a path from v to v and is called simple if the path is simple.
If v, w ∈ V are vertices of the digraph Γ, then the distance from v to w is the minimum of the
lengths of the paths from v to w. (The distance is set to ∞ if there is no path from v to w.)
The digraph is called weakly connected if for any two vertices v and w there is a path from v
to w or from w to v. It is called strongly connected if there exist paths in both directions.
If W is a subset of V , then the induced subgraph of Γ on W is the digraph (W, E ∩ (W ×W )).
A (weakly) connected component C of Γ is a maximal subset of V such that the induced
subgraph is (weakly) connected. This means that the induced subgraph is connected and
there is no path between a vertex inside and one outside C.
A strongly connected component is a maximal subset of V such that the induced subgraph is
strongly connected. This means that the induced subgraph is strongly connected and there
are no vertices v ∈ C and w 6∈ C such that there are paths in both directions between v and w.

Notice that connected components do not necessarily exist. Indeed, if R = {(1, 2), (1, 3)}, then we do not have a connected component. However, strongly connected components do exist. To prove this, suppose Γ is a digraph and v a vertex. Let C be the set of all vertices w such that there is a path from v to w and a path from w to v.
Now suppose w, w′ ∈ C. Then there is a path from w to v and a path from v to w′. Notice that all points in these paths are in C. Combining these paths, we find a path from w to w′. In the same way we find a path from w′ to w inside C. So C is strongly connected.
Now take a vertex u outside C. If there are paths from u to some point w in C and back from w to u, then, combining them with the paths between w and v, there are also paths from u to v and back. This contradicts the definition of C. Thus there are no paths in both directions between u and a vertex in C, and C is a strongly connected component.

3.4 Composition of Relations

If R1 and R2 are two relations between a set S and a set T , then we can form new relations
between S and T by taking the intersection R1 ∩R2 or the union R1 ∪R2 . Also the complement
of R2 in R1, R1 \ R2, is a new relation. Furthermore we can consider a relation Rᵀ (sometimes also denoted by R⁻¹, R∼ or R∨) from T to S as the relation {(t, s) ∈ T × S | (s, t) ∈ R}.
Another way of making new relations out of old ones is the following. If R1 is a relation
between S and T and R2 is a relation between T and U then the composition or product
R = R1 ; R2 (sometimes denoted by R2 ◦ R1 or R1 ∗ R2 ) is the relation between S and U defined
by sRu if and only if there is a t ∈ T with sR1t and tR2 u.

[Figure: Product of two relations]


Example 3.4.1. Suppose R1 is the relation {(1, 2), (2, 3), (3, 3), (2, 4)} from {1, 2, 3} to {1, 2, 3, 4} and R2 the relation {(1, a), (2, b), (3, c), (4, d)} from {1, 2, 3, 4} to {a, b, c, d}. Then R1; R2 is the relation {(1, b), (2, c), (3, c), (2, d)} from {1, 2, 3} to {a, b, c, d}.

Suppose R1 is a relation from S to T and R2 a relation from T to U with adjacency matrices A1 and A2, respectively. Consider the matrix product M = A1A2. An entry M_{s,u} is obtained by multiplying row s of A1 with column u of A2 and equals the number of t ∈ T with (s, t) ∈ R1 and (t, u) ∈ R2.
Notice that if R1 = R2 = R, then the entry (s, t) of M equals the number of paths of length 2 in ΓR starting in s and ending in t.

The adjacency matrix A of R1 ; R2 can be obtained from M by replacing every nonzero entry
by a 1.
Example 3.4.2. Suppose R1 = {(1, 2), (2, 3), (3, 3), (2, 4), (3, 1)} from {1, 2, 3} to {1, 2, 3, 4} and R2 = {(1, 1), (2, 3), (3, 1), (3, 3), (4, 2)} from {1, 2, 3, 4} to {1, 2, 3}. Then the adjacency matrices A1 and A2 for R1 and R2 are

$$A_1 = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 \end{pmatrix}, \qquad A_2 = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 0 & 1 \\ 1 & 0 & 1 \\ 0 & 1 & 0 \end{pmatrix}.$$

The product of these matrices equals

$$M = \begin{pmatrix} 0 & 0 & 1 \\ 1 & 1 & 1 \\ 2 & 0 & 1 \end{pmatrix}.$$

So, the adjacency matrix of R1; R2 is

$$\begin{pmatrix} 0 & 0 & 1 \\ 1 & 1 & 1 \\ 1 & 0 & 1 \end{pmatrix}.$$

Proposition 3.4.3. Suppose R1 is a relation from S to T, R2 a relation from T to U and R3 a relation from U to V. Then R1; (R2; R3) = (R1; R2); R3.

Proof. Suppose s ∈ S and v ∈ V with sR1 ; (R2 ; R3 )v. Then we can find a t ∈ T with sR1t and
t(R2 ; R3 )v. But then there is also a u ∈ U with tR2 u and uR3 v. For this u we have sR1 ; R2 u
and uR3 v and hence s(R1 ; R2 ); R3 v.
Similarly, if s ∈ S and v ∈ V with s(R1 ; R2 ); R3 v, then we can find a u ∈ U with s(R1 ; R2 )u and
uR3 v. But then there is also a t ∈ T with sR1t and tR2 u. For this t we have tR2 ; R3 u and sR1t
and hence sR1 ; (R2 ; R3 )v.

Let R be a relation on a set S and denote by I the identity relation on S, i.e., I = {(a, b) ∈ S × S | a = b}. Then we easily check that I; R = R; I = R.
Let R be a relation on a set S and consider the directed graph ΓR with vertex set S and edge set R. Then two vertices a and b are in relation R² = R; R if and only if there is a c ∈ S such that both (a, c) and (c, b) ∈ R. Thus aR²b if and only if there is a path of length 2 from a to b.
For n ∈ N, the n-th power Rⁿ of the relation R is recursively defined by R⁰ = I and Rⁿ⁺¹ = R; Rⁿ. Two vertices a and b are in relation Rⁿ if and only if, inside ΓR, there is a path from a to b of length n.
We notice that whenever R is reflexive, we have R ⊆ R² and thus also R ⊆ Rⁿ for all n ∈ N with n ≥ 1. Actually, a and b are then in relation Rⁿ if and only if they are at distance ≤ n in the graph ΓR.

3.5 Transitive Closure

Lemma 3.5.1. Let C be a collection of relations R on a set S. If all relations R in C are transitive (symmetric or reflexive), then the relation ⋂_{R∈C} R is also transitive (symmetric or reflexive, respectively).

Proof. Let R̂ = ⋂_{R∈C} R. Suppose all members of C are transitive. Then for all a, b, c ∈ S with aR̂b and bR̂c we have aRb and bRc for all R ∈ C. Thus by transitivity of each R ∈ C we also have aRc for each R ∈ C. Thus we find aR̂c. Hence R̂ is also transitive.
The proof for symmetric or reflexive relations is left to the reader.

The above lemma makes it possible to define the reflexive, symmetric or transitive closure of a relation R on a set S. It is the smallest reflexive, symmetric or transitive relation containing R. By Lemma 3.5.1 this is the intersection ⋂_{R′∈C} R′, where C is the collection of all reflexive, symmetric or transitive relations containing R. Indeed, the lemma implies that ⋂_{R′∈C} R′ is itself transitive (symmetric or reflexive) if we take for C the set of all transitive (symmetric or reflexive) relations containing R, and as an intersection it is contained in every member of C, so it is the smallest such relation.
Example 3.5.2. Suppose
R = {(1, 2), (2, 2), (2, 3), (5, 4)}
is a relation on S = {1, 2, 3, 4, 5}.
The reflexive closure of R is then the relation

{(1, 1), (1, 2), (2, 2), (2, 3), (3, 3), (4, 4), (5, 5), (5, 4)}.

The symmetric closure equals

{(1, 2), (2, 1), (2, 2), (2, 3), (3, 2), (5, 4), (4, 5)}.

And, finally, the transitive closure of R equals

{(1, 2), (2, 2), (2, 3), (1, 3), (5, 4)}.

One easily checks that the reflexive closure of a relation R equals the relation I ∪ R and the symmetric closure equals R ∪ Rᵀ. The transitive closure is a bit more complicated. It contains R, R², . . . . In particular, it contains ⋃_{n>0} Rⁿ, and, as we will show below, is equal to it.

Proposition 3.5.3. ⋃_{n>0} Rⁿ is the transitive closure of the relation R.

Proof. Define R̄ = ⋃_{n>0} Rⁿ. We prove transitivity of R̄. Let aR̄b and bR̄c. Then there are sequences a₁ = a, . . . , aₖ = b and b₁ = b, . . . , bₗ = c with aᵢRaᵢ₊₁ and bᵢRbᵢ₊₁. But then the sequence c₁ = a₁ = a, . . . , cₖ = aₖ = b₁, . . . , c_{k+l−1} = bₗ = c is a sequence from a to c with cᵢRcᵢ₊₁. Hence a R^{k+l−2} c and aR̄c.
So, as the transitive closure of R contains R̄ and the latter is transitive, they are equal.

The transitive, symmetric and reflexive closure of a relation R is an equivalence relation. In terms of the graph ΓR, the equivalence classes are the strongly connected components of ΓR.
Example 3.5.4. If we consider the whole World Wide Web as a set of documents, then we may consider two documents to be in a (symmetric) relation R if there is a hyperlink from one document to the other.
The reflexive and transitive closure of the relation R defines a partition of the web into independent subwebs.

Example 3.5.5. Let S be the set of railway stations in the Netherlands. Two stations a and b
are in relation R if there is a train running directly from a to b.
If R̄ denotes the transitive closure of R, then the railway stations in [a]R̄ are exactly those
stations you can reach by train when starting in a.
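To make the constructions of Sections 3.1, 3.4 and 3.5 concrete, here is an added Python example (not from the text): it stores a finite relation as a set of pairs and re-checks Examples 3.4.2 and 3.5.2 by computing adjacency matrices, the product R1; R2, powers Rⁿ and the three closures. Function names are my own.

```python
"""Finite binary relations as sets of pairs (added example, not from the text).

Covers adjacency matrices (Definition 3.1.3), the properties of Definition 3.1.5,
composition R1 ; R2 with its matrix product (Section 3.4), powers R^n, and the
reflexive, symmetric and transitive closures (Section 3.5). The sample data are
R1, R2 from Example 3.4.2 and R from Example 3.5.2, re-entered by hand.
"""

# Example 3.4.2: R1 from {1,2,3} to {1,2,3,4}, R2 from {1,2,3,4} to {1,2,3}
R1 = {(1, 2), (2, 3), (3, 3), (2, 4), (3, 1)}
R2 = {(1, 1), (2, 3), (3, 1), (3, 3), (4, 2)}
# Example 3.5.2: R on S = {1,...,5}
S = {1, 2, 3, 4, 5}
R = {(1, 2), (2, 2), (2, 3), (5, 4)}


def adjacency(rel, domain, codomain):
    """A_R: rows indexed by the domain, columns by the codomain (both sorted);
    entry 1 exactly when (s, t) is in the relation."""
    return [[1 if (s, t) in rel else 0 for t in sorted(codomain)]
            for s in sorted(domain)]


def matmul(a, b):
    """Ordinary matrix product; entry (s, u) counts the t with sR1t and tR2u."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def boolean(m):
    """Replace every nonzero entry by 1: turns A1*A2 into the matrix of R1 ; R2."""
    return [[1 if x else 0 for x in row] for row in m]


def compose(r1, r2):
    """R1 ; R2 = {(s, u) | there is a t with sR1t and tR2u}."""
    return {(s, u) for (s, t) in r1 for (t2, u) in r2 if t == t2}


def transpose(rel):
    """R^T: swap every pair."""
    return {(t, s) for (s, t) in rel}


def identity(s):
    return {(x, x) for x in s}


def power(rel, n, s):
    """R^n via the recursion R^0 = I and R^(n+1) = R ; R^n."""
    result = identity(s)
    for _ in range(n):
        result = compose(rel, result)
    return result


def properties(rel, s):
    """The five properties of Definition 3.1.5, each as a set identity."""
    ident = identity(s)
    return {
        "reflexive": ident <= rel,
        "irreflexive": not (ident & rel),
        "symmetric": transpose(rel) == rel,
        "antisymmetric": (rel & transpose(rel)) <= ident,
        "transitive": compose(rel, rel) <= rel,
    }


def reflexive_closure(rel, s):
    return rel | identity(s)      # I ∪ R


def symmetric_closure(rel):
    return rel | transpose(rel)   # R ∪ R^T


def transitive_closure(rel, s):
    """Union of R^1, R^2, ... (Proposition 3.5.3). A path in Gamma_R longer than
    |S| repeats a vertex, so the powers up to R^|S| already give every pair."""
    closure, current = set(), set(rel)
    for _ in range(len(s)):
        closure |= current
        current = compose(rel, current)   # next power of R
    return closure


def image(rel, a):
    """[a]_R = {b | aRb}, the R-image of a."""
    return {b for (x, b) in rel if x == a}


def equivalence_classes(rel, s):
    """Classes of an equivalence relation on S; they partition S (Theorem 3.2.6)."""
    return {frozenset(image(rel, a)) for a in s}


if __name__ == "__main__":
    A1 = adjacency(R1, {1, 2, 3}, {1, 2, 3, 4})
    A2 = adjacency(R2, {1, 2, 3, 4}, {1, 2, 3})
    M = matmul(A1, A2)
    print("A1*A2 =", M)                       # [[0,0,1],[1,1,1],[2,0,1]]
    print("adjacency of R1;R2 =", boolean(M))
    assert boolean(M) == adjacency(compose(R1, R2), {1, 2, 3}, {1, 2, 3})
    print("properties of R:", properties(R, S))
    print("transitive closure:", sorted(transitive_closure(R, S)))
    # Reflexive, symmetric and transitive closure: an equivalence relation whose
    # classes are the connected pieces of Gamma_R (cf. Example 3.5.4).
    E = transitive_closure(symmetric_closure(reflexive_closure(R, S)), S)
    print("classes:", [sorted(c) for c in equivalence_classes(E, S)])
```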

3.6 Exercises

Exercise 3.6.1. Which of the following relations on the set S = {1, 2, 3, 4} is reflexive, irreflexive, symmetric, antisymmetric or transitive?

(a) {(1, 3), (2, 4), (3, 1), (4, 2)};
(b) {(1, 3), (2, 4)};
(c) {(1, 1), (2, 2), (3, 3), (4, 4), (1, 3), (2, 4), (3, 1), (4, 2)};
(d) {(1, 1), (2, 2), (3, 3), (4, 4)};
(e) {(1, 1), (2, 2), (3, 3), (4, 4), (1, 2), (2, 3), (3, 4), (4, 3), (3, 2), (2, 1)}.

Exercise 3.6.2. Let A = {1, 2, 3, 4} and R1 = {(1, 2), (1, 3), (2, 4), (2, 2), (3, 4), (4, 3)} and
R2 = {(1, 1), (1, 2), (3, 1), (4, 3), (4, 4)}. Compute R1 ; R2 and R2 ; R1 . Is the composition of
relations commutative?

Exercise 3.6.3. Compute for each of the relations R in Exercise 3.6.1 the adjacency matrix
and draw the digraph ΓR .

Exercise 3.6.4. Compute for each of the relations R in Exercise 3.6.1 the adjacency matrix of
R2 .

Exercise 3.6.5. Compute for each of the relations in Exercise 3.6.1 the reflexive closure, the
symmetric closure and the transitive closure.

Exercise 3.6.6. Suppose R is a reflexive and transitive relation on S. Show that R2 = R.

Exercise 3.6.7. Suppose R1 and R2 are two relations from the finite set S to the finite set T with adjacency matrices A1 and A2, respectively.
What is the adjacency matrix of the relation R1 ∩ R2, R1 ∪ R2, or R1ᵀ?

Exercise 3.6.8. Suppose R1 and R2 are two relations on a set S. Let R be the product R1; R2. Prove or disprove the following statements:

(a) If R1 and R2 are reflexive, then so is R.
(b) If R1 and R2 are irreflexive, then so is R.
(c) If R1 and R2 are symmetric, then so is R.
(d) If R1 and R2 are antisymmetric, then so is R.
(e) If R1 and R2 are transitive, then so is R.

Chapter 4

Maps

4.1 Definition

Examples of maps are the well known functions f : R → R given by f(x) = x², f(x) = sin x, or f(x) = 1/(x² + 1). We can view these maps as relations on R. Indeed, the function f : R → R can be viewed as the relation {(x, y) | y = f(x)}. Actually, maps are special relations:
Definition 4.1.1. A relation F from a set A to a set B is called a map or function from A to B if for each a ∈ A there is one and only one b ∈ B with aFb.
If F is a map from A to B, we write this as F : A → B. Moreover, if a ∈ A and b ∈ B is the unique element with aFb, then we write b = F(a).
The set of all maps from A to B is denoted by B^A.
A partial map F from a set A to a set B is a relation with the property that for each a ∈ A there is at most one b with aFb. In other words, it is a map from a subset A′ of A to B, where A′ consists of those elements a ∈ A for which there is a b ∈ B with aFb.

Example 4.1.2. We have encountered numerous examples of maps. Below you will find some familiar ones.

(a) polynomial functions like f : R → R, with f(x) = x³ for all x.
(b) functions like cos, sin and tan.
(c) √ : R⁺ → R, taking square roots.
(d) ln : R⁺ → R, the natural logarithm.

If f : A → B and g : B → C, then we can consider the product f; g as a relation from A to C. We also use the notation g ∘ f and call it the composition of f and g. We prefer the latter notation for the composition of functions, as for all a ∈ A we have

(g ∘ f)(a) = g(f(a)).

Proposition 4.1.3. Let f : A → B and g : B → C be maps, then the composition g ∘ f is a map from A to C.

Proof. Let a ∈ A, then g(f(a)) is an element in C in relation f; g with a. If c ∈ C is an element in C that is in relation f; g with a, then there is a b ∈ B with a f b and b g c. But then, as f is a map, b = f(a) and, as g is a map, c = g(b). Hence c = g(b) = g(f(a)).

Let A and B be two sets and f : A → B a map from A to B. The set A is called the domain of f, the set B the codomain. If a ∈ A, then the element b = f(a) is called the image of a under f. The subset of B consisting of the images of the elements of A under f is called the image or range of f and is denoted by Im(f). So

Im(f) = {b ∈ B | there is an a ∈ A with b = f(a)}.

If A′ is a subset of A, then the image of A′ under f is the set f(A′) = {f(a) | a ∈ A′}. So, Im(f) = f(A).
If a ∈ A and b = f(a), then the element a is called a pre-image of b. Notice that b can have more than one pre-image. Indeed, if f : R → R is given by f(x) = x² for all x ∈ R, then both −2 and 2 are pre-images of 4. The set of all pre-images of b is denoted by f⁻¹(b). So,

f⁻¹(b) = {a ∈ A | f(a) = b}.

If B′ is a subset of B, then the pre-image of B′, denoted by f⁻¹(B′), is the set of elements a from A that are mapped to an element b of B′. In particular,

f⁻¹(B′) = {a ∈ A | f(a) ∈ B′}.

Example 4.1.4. (a) Let f : R → R with f (x) = x2 for all x ∈ R. Then f −1 ([0, 4]) = [−2, 2].
(b) Consider the map mod 8 from Z to Z. The inverse image of 3 is the set {. . . , −5, 3, 11, . . . }.

Theorem 4.1.5. Let f : A → B be a map.

• If A′ ⊆ A, then f⁻¹(f(A′)) ⊇ A′.
• If B′ ⊆ B, then f(f⁻¹(B′)) ⊆ B′.

Proof. Let a′ ∈ A′, then f(a′) ∈ f(A′) and hence a′ ∈ f⁻¹(f(A′)). Thus A′ ⊆ f⁻¹(f(A′)).
Let a ∈ f⁻¹(B′), then f(a) ∈ B′. Thus f(f⁻¹(B′)) ⊆ B′.

Example 4.1.6. Let f : R → R be defined by f(x) = x² for all x ∈ R. Then f⁻¹(f([0, 1])) equals [−1, 1] and thus properly contains [0, 1]. Moreover, f(f⁻¹([−4, 4])) = [0, 4], which is properly contained in [−4, 4]. This shows that we can have strict inclusions in the above theorem.

Theorem 4.1.7. Let f : A → B and g : B → C be maps. Then Im(g ∘ f) = g(f(A)) ⊆ Im(g).

4.2 Special Maps

Definition 4.2.1. A map f : A → B is called surjective if for every b ∈ B there is an a ∈ A with b = f(a). In other words, if Im(f) = B.
The map f is called injective if for each b ∈ B there is at most one a with f(a) = b. So the pre-image of b is either empty or consists of a unique element. In other words, f is injective if for any elements a and a′ from A we find that f(a) = f(a′) implies a = a′.
The map f is bijective if it is both injective and surjective. So, if for each b ∈ B there is a unique a ∈ A with f(a) = b.

[Figure: Surjective, injective and bijective map]

Example 4.2.2. (a) The map sin : R → R is not surjective nor injective.
(b) The map sin : [−π/2, π/2] → R is injective but not surjective.
(c) The map sin : R → [−1, 1] is a surjective map. It is not injective.
(d) The map sin : [−π/2, π/2] → [−1, 1] is a bijective map.

Theorem 4.2.3 (Pigeonhole Principle). Let f : A → B be a map between two sets of size n ∈ N. Then f is injective if and only if it is surjective.

Remark 4.2.4. The above result is called the pigeonhole principle because of the following.
If one has n pigeons (the set A) and the same number of holes (the set B), then one pigeonhole
is empty if and only if one of the other holes contains at least two pigeons.

Example 4.2.5. Suppose p and q are two distinct prime numbers. We consider the map φ : {0, 1, . . . , p − 1} → {0, 1, . . . , p − 1} defined by φ(x) = y, where y is the unique element in {0, 1, . . . , p − 1} with y = q · x mod p. See Example 3.2.3.
We claim that the map φ is a bijection. By the pigeonhole principle it suffices to show that φ is injective.
So, let x, x′ be two elements with φ(x) = φ(x′). Then q · x mod p = q · x′ mod p, from which we deduce that q · (x − x′) = 0 mod p. Since p is a prime distinct from q, we find p | x − x′. But then x = x′. Hence φ is injective and thus also bijective.

If f : A → B is a bijection, i.e., a bijective map, then for each b ∈ B we can find a unique a ∈ A with f(a) = b. So, also the relation fᵀ = {(b, a) ∈ B × A | (a, b) ∈ f} is a map. This map is called the inverse map of f and denoted by f⁻¹.

Proposition 4.2.6. Let f : A → B be a bijection. Then for all a ∈ A and b ∈ B we have f⁻¹(f(a)) = a and f(f⁻¹(b)) = b. In particular, f is the inverse of f⁻¹.

Proof. Let a ∈ A. Then f⁻¹(f(a)) = a by definition of f⁻¹. If b ∈ B, then, by surjectivity of f, there is an a ∈ A with b = f(a). So, by the above, f(f⁻¹(b)) = f(f⁻¹(f(a))) = f(a) = b.

Theorem 4.2.7. Let f : A → B and g : B → C be two maps.

(a) If f and g are surjective, then so is g ∘ f;
(b) If f and g are injective, then so is g ∘ f;
(c) If f and g are bijective, then so is g ∘ f.

Proof. (a) Let c ∈ C. By surjectivity of g there is a b ∈ B with g(b) = c. Moreover, since f is surjective, there is also an a ∈ A with f(a) = b. In particular, g ∘ f(a) = g(f(a)) = g(b) = c. This proves g ∘ f to be surjective.
(b) Let a, a′ ∈ A with g ∘ f(a) = g ∘ f(a′). Then g(f(a)) = g(f(a′)) and by injectivity of g we find f(a) = f(a′). Injectivity of f implies a = a′. This shows that g ∘ f is injective.
(c) (a) and (b) together imply (c).



Proposition 4.2.8. Let f : A → B and g : B → A be maps with f ∘ g = I_B and g ∘ f = I_A, where I_A and I_B denote the identity maps on A and B, respectively. Then f and g are bijections. Moreover, f⁻¹ = g and g⁻¹ = f.

Proof. Let b ∈ B, then f(g(b)) = b. Thus the map f is surjective. If a, a′ ∈ A with f(a) = f(a′), then a = g(f(a)) = g(f(a′)) = a′. Hence f is also injective. In particular, f is bijective. By symmetry we also find g to be bijective, and it follows that f⁻¹ = g and g⁻¹ = f.

Lemma 4.2.9. Suppose f : A → B and g : B → C are bijective maps. Then the inverse of the map g ∘ f equals f⁻¹ ∘ g⁻¹.

Proof. For every a ∈ A we have (f⁻¹ ∘ g⁻¹)(g ∘ f)(a) = f⁻¹(g⁻¹(g(f(a)))) = f⁻¹(f(a)) = a.
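As an added Python example (not from the text), the following code treats a map as a relation in the sense of Definition 4.1.1 and checks the claims of this section on finite sets: it re-does Example 4.2.5 with p = 7, q = 5, builds the inverse as the transposed relation fᵀ, verifies Lemma 4.2.9, and, going one step beyond the text, shows that x ↦ q · x mod n is a bijection exactly when gcd(q, n) = 1. Function names are my own.

```python
"""Maps as special relations (added example, not from the text).

A map is stored as a set of pairs, exactly as Definition 4.1.1 describes it, so
injectivity, surjectivity, composition and the inverse map f^T reduce to
operations on pairs. phi_mod re-creates Example 4.2.5; bijective_iff_coprime
goes beyond the text: multiplication by q modulo n permutes {0,...,n-1} iff
gcd(q, n) = 1, which is why Example 4.2.5 needs p prime and q != p.
"""
from math import gcd


def is_map(rel, domain):
    """Definition 4.1.1: every a in A has one and only one b with aFb."""
    return all(sum(1 for (x, _) in rel if x == a) == 1 for a in domain)


def apply(f, a):
    """F(a), the unique b with aFb (f must be a map)."""
    (b,) = [y for (x, y) in f if x == a]
    return b


def image(f):
    """Im(f) = {b | there is an a with b = f(a)}."""
    return {b for (_, b) in f}


def preimage(f, b):
    """f^{-1}(b) = {a | f(a) = b}; may be empty or contain several elements."""
    return {a for (a, y) in f if y == b}


def is_surjective(f, codomain):
    return image(f) == set(codomain)


def is_injective(f, codomain):
    """Each b has at most one pre-image (Definition 4.2.1)."""
    return all(len(preimage(f, b)) <= 1 for b in codomain)


def is_bijective(f, codomain):
    return is_injective(f, codomain) and is_surjective(f, codomain)


def compose(f, g):
    """g o f, i.e. the relation f ; g: pairs (a, c) with a f b and b g c for some b."""
    return {(a, c) for (a, b) in f for (b2, c) in g if b == b2}


def transpose(f):
    """f^T; by Proposition 4.2.6 this is the inverse map f^{-1} when f is a bijection."""
    return {(b, a) for (a, b) in f}


def phi_mod(q, n):
    """phi(x) = q*x mod n on {0, ..., n-1}, as in Example 4.2.5 (there n = p is prime)."""
    return {(x, (q * x) % n) for x in range(n)}


def pigeonhole_agrees(f, domain, codomain):
    """Theorem 4.2.3: on two sets of the same finite size, injective <=> surjective."""
    assert len(set(domain)) == len(set(codomain))
    return is_injective(f, codomain) == is_surjective(f, codomain)


def bijective_iff_coprime(max_n):
    """Brute-force check for 2 <= n < max_n, 0 <= q < n: phi_mod(q, n) is a
    bijection exactly when gcd(q, n) = 1 (generalises Example 4.2.5)."""
    return all(is_bijective(phi_mod(q, n), range(n)) == (gcd(q, n) == 1)
               for n in range(2, max_n) for q in range(n))


if __name__ == "__main__":
    Z7 = range(7)
    phi = phi_mod(5, 7)                    # p = 7, q = 5: distinct primes
    print("phi is a map:", is_map(phi, Z7), "bijective:", is_bijective(phi, Z7))
    print("phi^-1 o phi is the identity:",
          compose(phi, transpose(phi)) == {(x, x) for x in Z7})
    # Composite modulus: x -> 2x mod 6 is neither injective nor surjective.
    psi = phi_mod(2, 6)
    print("pre-image of 0 under psi:", preimage(psi, 0))   # {0, 3}
    print("Im(psi):", sorted(image(psi)))                   # [0, 2, 4]
    print("bijective iff gcd(q, n) = 1 for n < 20:", bijective_iff_coprime(20))
```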

4.3 Exercises

Exercise 4.3.1. Which of the following relations are maps from A = {1, 2, 3, 4} to A?

(a) {(1, 3), (2, 4), (3, 1), (4, 2)};
(b) {(1, 3), (2, 4)};
(c) {(1, 1), (2, 2), (3, 3), (4, 4), (1, 3), (2, 4), (3, 1), (4, 2)};
(d) {(1, 1), (2, 2), (3, 3), (4, 4)}.

Exercise 4.3.2. Suppose f and g are maps from R to R defined by f (x) = x2 and g(x) = x + 1
for all x ∈ R. What is g ◦ f and what is f ◦ g?

Exercise 4.3.3. Which of the following maps is injective, surjective or bijective?

(a) f : R → R, f (x) = x2 for all x ∈ R.


(b) f : R → R≥0 , f (x) = x2 for all x ∈ R.
(c) f : R≥0 → R≥0 , f (x) = x2 for all x ∈ R.

Exercise 4.3.4. Suppose R1 and R2 are relations on a set S with R1; R2 = I and R2; R1 = I. Prove that both R1 and R2 are bijective maps.

Exercise 4.3.5. Let R be a relation from a finite set S to a finite set T with adjacency matrix A. Prove the following statements:

(a) If every row of A contains exactly one nonzero entry, then R is a map.
(b) If moreover every column contains at most one nonzero entry, then the map R is injective.
(c) If every row and column contain only one 1, then R is a bijection. What is the adjacency matrix of the inverse map?

Exercise 4.3.6. Let S and T be two sets. If R is a relation between S and T, i.e., a subset of S × T, then for each t ∈ T we have the pre-image

R[t] = {s ∈ S | sRt},

which is a subset of S.
Prove that the relation {(t, R[t]) | t ∈ T} is a map from T to the power set P(S) of S.
Moreover, show that, if f : T → P(S) is a map, then R_f = {(s, t) | s ∈ f(t)} is a relation between S and T whose pre-images satisfy R_f[t] = f(t).

Chapter 5

Orders

5.1 Orders and Posets


Definition 5.1.1. A relation ⊑ on a set P is called an order if it is reflexive, antisymmetric and transitive. That means that for all x, y and z in P we have:

• x ⊑ x;
• if x ⊑ y and y ⊑ x, then x = y;
• if x ⊑ y and y ⊑ z, then x ⊑ z.

The pair (P, ⊑) is called a partially ordered set, or for short, a poset.
Two elements x and y in a poset (P, ⊑) are called comparable if x ⊑ y or y ⊑ x. The elements are called incomparable if x ⋢ y and y ⋢ x.
If any two elements x, y ∈ P are comparable, so we have x ⊑ y or y ⊑ x, then the relation is called a linear order.

Example 5.1.2. • The identity relation I on a set P is an order.
• On the set of real numbers R the relation ≤ is an order relation. For any two numbers x, y ∈ R we have x ≤ y or y ≤ x. This makes ≤ into a linear order. Restriction of ≤ to any subset of R is again a linear order.
• Let P be the power set P(X) of a set X, i.e., the set of all subsets of X. Inclusion ⊆ defines a partial order on P. This poset contains a smallest element ∅ and a largest element X. Clearly, ⊆ defines a partial order on any subset of P.
• The relation “Is a divisor of” | defines an order on the set of natural numbers N. We can associate this example to the previous one in the following way. For each a ∈ N denote by D(a) the set of all divisors of a. Then we have

a | b ⇔ D(a) ⊆ D(b).
38. Sets, Logic and Algebra

• On the set P of partitions of a set X we define the relation “refines” by the following. The
partition Π1 refines Π2 if and only if each π1 ∈ Π1 is contained in some π2 ∈ Π2 . The
relation “refines” is a partial order on P.
Notice, for the corresponding equivalence relations RΠ1 and RΠ2 we have Π1 refines Π2 if
and only if RΠ1 ⊆ RΠ2 .

• If v is an order on a set P, then w also defines an order on P. Here x w y if and only if


y v x. The order w is called the dual order of v.

Definition 5.1.3. If ⊑ is an order on the set P, then the corresponding directed graph with
vertex set P and edges (x, y), where x ⊑ y, is acyclic (i.e., contains no cycles of length > 1).

If we want to draw a picture of the poset, we usually do not draw the whole digraph. Instead
we only draw an edge from x to y, for distinct x, y ∈ P with x ⊑ y, if there is no z, distinct from both x and
y, for which we have x ⊑ z and z ⊑ y. This digraph is called the Hasse diagram for (P, ⊑),
named after the German mathematician Helmut Hasse (1898-1979).
Usually pictures of Hasse diagrams are drawn in such a way that two vertices x and y with
x ⊑ y are connected by an edge going upwards. For example, the Hasse diagram for the poset
(P({1, 2, 3}), ⊆) is drawn as below. (In computer science one usually draws the diagram upside
down.)

                  {1, 2, 3}
        {2, 3}     {1, 3}     {1, 2}
         {1}        {2}        {3}
                      ∅

Hasse diagram of (P({1, 2, 3}), ⊆): every set is joined upwards to the sets containing exactly one more element.
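As an added illustration (this code is not part of the original text), the following Python checks the three defining properties of an order on a finite set and computes the edges of a Hasse diagram exactly as defined above: the pairs (x, y) with x ⊑ y, x ≠ y, for which no third element sits strictly between them. The sample posets are constructed here: (P({1, 2, 3}), ⊆) as drawn above, the divisors of 12 under "is a divisor of", and a small relation that fails antisymmetry so the check has something to reject.

```python
from itertools import product


def is_order(elements, leq):
    """Check that leq is reflexive, antisymmetric and transitive on the finite
    set `elements`, i.e. that (elements, leq) is a poset (Definition 5.1.1)."""
    for x in elements:
        if not leq(x, x):                              # reflexivity fails
            return False
    for x, y in product(elements, repeat=2):
        if x != y and leq(x, y) and leq(y, x):         # antisymmetry fails
            return False
    for x, y, z in product(elements, repeat=3):
        if leq(x, y) and leq(y, z) and not leq(x, z):  # transitivity fails
            return False
    return True


def is_linear(elements, leq):
    """A linear order: any two elements are comparable."""
    return all(leq(x, y) or leq(y, x) for x, y in product(elements, repeat=2))


def hasse_edges(elements, leq):
    """Edges of the Hasse diagram: pairs (x, y) with x ⊑ y, x ≠ y, and no z
    distinct from x and y with x ⊑ z and z ⊑ y (the 'covering' pairs)."""
    edges = set()
    for x, y in product(elements, repeat=2):
        if x == y or not leq(x, y):
            continue
        if any(z != x and z != y and leq(x, z) and leq(z, y) for z in elements):
            continue
        edges.add((x, y))
    return edges


# Constructed sample posets.
# 1. (P({1, 2, 3}), ⊆): frozensets compare with <= as subset inclusion.
POWER_SET_123 = [frozenset(s) for s in
                 [(), (1,), (2,), (3,), (1, 2), (1, 3), (2, 3), (1, 2, 3)]]
subset = lambda a, b: a <= b

# 2. (D(12), |): the divisors of 12 ordered by "is a divisor of".
DIVISORS_12 = [1, 2, 3, 4, 6, 12]
divides = lambda a, b: b % a == 0

# 3. A relation on {1, 2, 3} that is NOT an order: 1 ~ 2 and 2 ~ 1 with 1 ≠ 2
#    breaks antisymmetry.
NOT_ANTISYMMETRIC = {(1, 1), (2, 2), (3, 3), (1, 2), (2, 1)}
related = lambda a, b: (a, b) in NOT_ANTISYMMETRIC


def demo():
    """Summary of the checks; the edge count 12 is what the diagram above shows."""
    return {
        "powerset_is_order": is_order(POWER_SET_123, subset),
        "powerset_is_linear": is_linear(POWER_SET_123, subset),
        "powerset_hasse_edge_count": len(hasse_edges(POWER_SET_123, subset)),
        "divisors_hasse_edges": sorted(hasse_edges(DIVISORS_12, divides)),
        "bad_relation_is_order": is_order([1, 2, 3], related),
        "integers_sample_is_linear": is_linear(range(-3, 4), lambda a, b: a <= b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The three loops in `is_order` are cubic in the size of the set, which is fine for the small posets of this chapter; `hasse_edges` drops exactly the edges of the full digraph that transitivity would let us reconstruct, which is why the diagram of P({1, 2, 3}) has 12 edges rather than the 19 non-loop pairs x ⊊ y.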
5.1.4. [New posets from old ones] There are various ways of constructing new posets out of
old ones. We will discuss some of them. In the sequel both P and Q are posets with respect
to some order, which we usually denote by ⊑, or, if confusion can arise, by ⊑_P and ⊑_Q.

• If P′ is a subset of P, then P′ is also a poset with order ⊑ restricted to P′. This order is
called the induced order on P′.
• ⊒ induces the dual order on P.
• Let S be some set. On the set of maps from S to P we can define an ordering as follows.
Let f : S → P and g : S → P, then we define f ⊑ g if and only if f(s) ⊑ g(s) for all s ∈ S.
• On the Cartesian product P × Q we can define an order as follows. For (p1, q1), (p2, q2) ∈
P × Q we define (p1, q1) ⊑ (p2, q2) if and only if p1 ⊑ p2 and q1 ⊑ q2. This order is called
the product order.
• A second ordering on P × Q can be obtained by the following rule. For (p1, q1), (p2, q2) ∈
P × Q we define (p1, q1) ⊑ (p2, q2) if and only if p1 ⊑ p2 and p1 ≠ p2, or p1 = p2 and
q1 ⊑ q2. This order is called the lexicographic order on P × Q.
Of course we can extend this to direct products of more than two sets.

5.2 Maximal and Minimal Elements

Definition 5.2.1. Let (P, ⊑) be a partially ordered set and A ⊆ P a subset of P. An element a ∈ A
is called the largest element or maximum of A, if for all a′ ∈ A we have a′ ⊑ a. Notice that a
maximum is unique, see Lemma 5.2.2 below.
An element a ∈ A is called maximal if for all a′ ∈ A we have that either a′ ⊑ a or a and a′ are
incomparable.
Similarly we can define the notion of smallest element or minimum and minimal element.
If the poset (P, ⊑) has a maximum, then this is often denoted as ⊤ (top). A smallest element
is denoted by ⊥ (bottom).
If a poset (P, ⊑) has a minimum ⊥, then the minimal elements of P \ {⊥} are called the atoms
of P.

Lemma 5.2.2. Let (P, ⊑) be a partially ordered set. Then P contains at most one maximum
and at most one minimum.

Proof. Suppose p, q ∈ P are maxima. Then p ⊑ q as q is a maximum. Similarly q ⊑ p as p
is a maximum. But then by antisymmetry of ⊑ we have p = q.

Example 5.2.3.
• If we consider the poset of all subsets of a set S, then the empty set ∅ is the
minimum of the poset, whereas the whole set S is the maximum. The atoms are the subsets
of S containing just a single element.
• If we consider | as an order on N, then 1 is the minimum and 0 the maximum.
The atoms are those natural numbers > 1 that are only divisible by 1 and themselves, i.e., the
prime numbers.

Lemma 5.2.4. Let (P, ⊑) be a finite nonempty poset. Then P contains a minimal and a maximal
element.

Proof. Consider the directed graph associated to (P, ⊑) and pick a vertex in this graph. If this
vertex is not maximal, then there is an edge leaving it to a different vertex. Move along this edge to that neighbor.
Repeat this as long as no maximal element is found. Since the graph contains no cycles (of length > 1), we
will never meet a vertex twice. Hence, as P is finite, the procedure has to stop. This implies
we have found a maximal element.
A minimal element of (P, ⊑) is a maximal element of (P, ⊒) and thus exists as well.

Example 5.2.5. Notice that minimal elements and maximal elements are not necessarily
unique. In fact, they do not even have to exist. In (R, ≤), for example, there is neither a maximal
nor a minimal element.

Algorithm 5.2.6. [Topological sorting] Given a finite poset (P, ⊑), we want to sort the elements
of P in such a way that an element x comes before an element y if x ⊑ y. This is called
topological sorting. In other words, topological sorting is finding a map ord : P → {1, . . . , n},
where n = |P|, such that for distinct x and y we have that x ⊑ y implies ord(x) < ord(y). We
present an algorithm for topological sorting.
Suppose we are given a finite poset (P, ⊑), then for each element p in P we determine the
indegree, i.e., the number of elements q ≠ p with q ⊑ p (p itself is not counted, since p ⊑ p always holds
by reflexivity). While there are vertices in P with
indegree 0, pick one of them, say q, and set ord(q) to be the smallest value in {1, . . . , n}
which is not yet an image of some point. Now remove q from P and lower all the indegrees
of the neighbors of q by 1.
Notice that, by Lemma 5.2.4 (existence of minimal and maximal elements), we will always find
elements in P with indegree 0, unless P is empty.
Example 5.2.7. Topological sort has various applications. For example, consider a spreadsheet.
In a spreadsheet various tasks depend on each other. In particular, some of the computations
need input from other computations and therefore they can only be carried out after
completion of the other computations. If there are no cycles in these computations, this puts
a partial order on the set of tasks within a spreadsheet. By topological sort the task list can be
linearized and the computations can be done in a linear order.
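The algorithm above, with the spreadsheet of Example 5.2.7 as input, as an added Python example (not code from the original text). The dependency table `CELLS` and the circular table `CIRCULAR` are constructed for the demonstration; "x ⊑ y" is taken to mean that cell y reads x, directly or through other cells. The circular table is the case the text excludes: there the loop runs out of elements of indegree 0 while cells remain, which is exactly how a spreadsheet engine notices a circular reference.

```python
def topological_sort(elements, leq):
    """Topological sorting of a finite poset (P, ⊑) following Algorithm 5.2.6.

    Returns a dict ord with values {1, ..., n} such that x ⊑ y and x ≠ y imply
    ord[x] < ord[y].  Raises ValueError when no element of indegree 0 is left
    while P is non-empty, which can only happen if the relation has a cycle
    (so it is not an order at all)."""
    remaining = list(elements)
    n = len(remaining)
    # indegree of p: number of elements q ≠ p with q ⊑ p (p ⊑ p always holds by
    # reflexivity, so p itself is not counted; indegree 0 means 'minimal').
    indeg = {p: sum(1 for q in remaining if q != p and leq(q, p)) for p in remaining}
    ord_ = {}
    used = set()
    while remaining:
        zero = [p for p in remaining if indeg[p] == 0]
        if not zero:
            raise ValueError("no element of indegree 0 left: the relation contains a cycle")
        q = zero[0]                              # any minimal element will do
        # smallest value of {1, ..., n} that is not yet an image of some point
        value = next(v for v in range(1, n + 1) if v not in used)
        ord_[q] = value
        used.add(value)
        remaining.remove(q)
        for p in remaining:                      # lower the indegrees of q's neighbours
            if leq(q, p):
                indeg[p] -= 1
    return ord_


def is_topological(elements, leq, ord_):
    """Check the defining property of a topological sort."""
    return all(ord_[x] < ord_[y]
               for x in elements for y in elements
               if x != y and leq(x, y))


def dependency_order(deps):
    """Build the 'must be computed before' relation from a spreadsheet-like
    dependency table deps: cell -> list of cells its formula reads.
    x ⊑ y holds iff x == y or y (transitively) depends on x."""
    def leq(x, y):
        if x == y:
            return True
        stack, seen = list(deps[y]), set()
        while stack:
            d = stack.pop()
            if d == x:
                return True
            if d not in seen:
                seen.add(d)
                stack.extend(deps[d])
        return False
    return leq


# Constructed sample spreadsheet: B1 sums A1 and A2, B2 doubles B1, C1 reads B2 and A1.
CELLS = {"A1": [], "A2": [], "B1": ["A1", "A2"], "B2": ["B1"], "C1": ["B2", "A1"]}

# Constructed circular spreadsheet: X reads Y and Y reads X, so no order exists.
CIRCULAR = {"X": ["Y"], "Y": ["X"]}


def evaluation_order(deps):
    """The cells listed in an order in which their formulas can be evaluated."""
    ord_ = topological_sort(list(deps), dependency_order(deps))
    return sorted(deps, key=ord_.get)


if __name__ == "__main__":
    print(evaluation_order(CELLS))
    try:
        evaluation_order(CIRCULAR)
    except ValueError as e:
        print("circular reference detected:", e)
```

Note that several orderings are valid (A1 and A2 may be swapped in the output); `is_topological` checks the property the algorithm guarantees rather than one particular sequence.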

Definition 5.2.8. If (P, ⊑) is a poset and A ⊆ P, then an upper bound for A is an element u ∈ P
with a ⊑ u for all a ∈ A.
A lower bound for A is an element l ∈ P with l ⊑ a for all a ∈ A.
If the set of all upper bounds of A has a smallest element, then this element is called the least
upper bound or supremum of A. Such an element, if it exists, is denoted by sup A. If the
set of all lower bounds of A has a largest element, then this element is called the greatest
lower bound or infimum of A. If it exists, the infimum of A is denoted by inf A.

Example 5.2.9. Let S be a set. In (P(S), ⊆) any set A of subsets of S has a supremum and
an infimum. Indeed,
$$\sup A = \bigcup_{X \in A} X \quad\text{and}\quad \inf A = \bigcap_{X \in A} X.$$

Example 5.2.10. If we consider the poset (R, ≤), then not every subset A of R has a supremum
or infimum. Indeed, Z ⊆ R has no supremum and no infimum.

Example 5.2.11. In (N, |) the supremum of two elements a and b is the least common multiple
of a and b. Their infimum is the greatest common divisor.
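Suprema and infima in a finite poset can be found by brute force straight from Definition 5.2.8: collect the upper (lower) bounds and look for the smallest (largest) one, which by Lemma 5.2.2 is unique if it exists. The following Python is an added example, not code from the original text; the posets are constructed here: the divisors of 30 under |, where sup and inf come out as lcm and gcd as Example 5.2.11 states, the power set of {a, b, c}, where they are union and intersection as in Example 5.2.9, and the sub-poset {1, 2, 3, 12, 18} of (N, |), in which {2, 3} has two upper bounds but no least one.

```python
from math import gcd


def upper_bounds(elements, leq, A):
    """All u ∈ P with a ⊑ u for every a ∈ A (Definition 5.2.8)."""
    return [u for u in elements if all(leq(a, u) for a in A)]


def lower_bounds(elements, leq, A):
    """All l ∈ P with l ⊑ a for every a ∈ A."""
    return [l for l in elements if all(leq(l, a) for a in A)]


def minimum(S, leq):
    """The smallest element of S (below every element of S), or None if S has
    none.  By Lemma 5.2.2 there is at most one."""
    for m in S:
        if all(leq(m, s) for s in S):
            return m
    return None


def maximum(S, leq):
    """The largest element of S, or None if S has none."""
    for m in S:
        if all(leq(s, m) for s in S):
            return m
    return None


def supremum(elements, leq, A):
    """sup A: the least upper bound, i.e. the minimum of the set of upper bounds."""
    return minimum(upper_bounds(elements, leq, A), leq)


def infimum(elements, leq, A):
    """inf A: the greatest lower bound, i.e. the maximum of the set of lower bounds."""
    return maximum(lower_bounds(elements, leq, A), leq)


# Constructed sample posets.
divides = lambda a, b: b % a == 0
DIVISORS_30 = [1, 2, 3, 5, 6, 10, 15, 30]          # (D(30), |)
NO_SUP = [1, 2, 3, 12, 18]                         # sub-poset of (N, |): {2, 3} has
                                                   # upper bounds 12 and 18, but
                                                   # neither divides the other
subset = lambda a, b: a <= b
POWER_SET_ABC = [frozenset(s) for s in
                 [(), ("a",), ("b",), ("c",), ("a", "b"), ("a", "c"), ("b", "c"),
                  ("a", "b", "c")]]


def lcm(a, b):
    return a * b // gcd(a, b)


def demo():
    """sup and inf in (D(30), |) are lcm and gcd; in the power set they are
    union and intersection; in NO_SUP the supremum of {2, 3} does not exist."""
    return {
        "sup_6_10": supremum(DIVISORS_30, divides, [6, 10]),        # 30 = lcm(6, 10)
        "inf_6_10": infimum(DIVISORS_30, divides, [6, 10]),         # 2 = gcd(6, 10)
        "upper_bounds_2_3": upper_bounds(NO_SUP, divides, [2, 3]),  # [12, 18]
        "sup_2_3_missing": supremum(NO_SUP, divides, [2, 3]),       # None
        "sup_a_b": supremum(POWER_SET_ABC, subset,
                            [frozenset("a"), frozenset("b")]),     # {'a', 'b'}
        "inf_ab_bc": infimum(POWER_SET_ABC, subset,
                             [frozenset("ab"), frozenset("bc")]),   # {'b'}
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```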

If (P, ⊑) is a finite poset, then, as we have seen above, we can order the elements from P as
p1, p2, . . . , pn such that pi ⊑ pj with i ≠ j implies i < j. This implies that the adjacency matrix of ⊑ is
upper triangular, which means that it has nonzero entries only on or above the main diagonal.

Definition 5.2.12. An ascending chain in a poset (P, ⊑) is a (finite or infinite) sequence p0 ⊑
p1 ⊑ . . . of elements pi in P. A descending chain in (P, ⊑) is a (finite or infinite) sequence
p0 ⊒ p1 ⊒ . . . of elements pi in P.
The poset (P, ⊑) is called well founded if any descending chain is finite.

Example 5.2.13. The natural numbers N with the ordinary ordering ≤ form a well founded poset. Also
the ordering | on N is well founded.
However, on Z the order ≤ is not well founded.

5.3 Exercises

Exercise 5.3.1. Let | denote the relation “is a divisor of” defined on Z. Even if we let 0 be a
divisor of 0, this does not define an order on Z. Prove this.

Exercise 5.3.2. Let | denote the relation “is a divisor of”. This relation defines an order on
the set D = {1, 2, 3, 5, 6, 10, 15, 30} of divisors of 30. Draw the Hasse diagram.
Draw also the Hasse diagram of the poset of all subsets of {2, 3, 5}. Compare the two diagrams.
What do you notice?

Exercise 5.3.3. Let ⊑ denote an order relation on a finite set P. By H we denote the relation
defining adjacency in the Hasse diagram of ⊑. Prove that ⊑ is the transitive reflexive closure
of H.

Exercise 5.3.4. Let m, n ∈ N. By Πm we denote the partition of Z into equivalence classes
modulo m. What is a necessary and sufficient condition on n and m for Πm to be a refinement
of Πn?

Exercise 5.3.5. Show that the relations as defined in 5.1.4 are indeed orders.

Exercise 5.3.6. In the figure below you see three diagrams. Which of these diagrams are
Hasse diagrams?

Exercise 5.3.7. Suppose (A, ⊑A) and (B, ⊑B) are posets. If A and B are disjoint, then we
define the relation ⊑ on A ∪ B as follows:
x ⊑ y if x, y ∈ A and x ⊑A y;
or x, y ∈ B and x ⊑B y;
or x ∈ A and y ∈ B.

(a) Prove that ⊑ is an order on A ∪ B.
(b) Give necessary and sufficient conditions such that ⊑ is a linear order on A ∪ B.

Exercise 5.3.8. On Z we define ⊑ by x ⊑ y if and only if x − y is odd and x is even, or x − y
is even and x ≤ y.
Show that ⊑ is an order on Z. Is this order linear?

Exercise 5.3.9. Find a well founded linear order on N × N.


Chapter 6

Recursion and Induction

6.1 Recursion

A recursive definition tells us how to build objects by using ones we have already built. Let
us start with some examples of some common functions from N to N which can be defined
recursively:
Example 6.1.1. The function f (n) = n! can be defined recursively:

f (0) := 1;
for n > 0: f (n) := n · f (n − 1).

Example 6.1.2. The sum 1 + 2 + · · · + n can also be written as $\sum_{i=1}^{n} i$. Here we make use of
the summation symbol ∑, which, for any map f with domain N, we recursively define by:

$\sum_{i=1}^{1} f(i) := f(1)$;
for n > 1: $\sum_{i=1}^{n} f(i) := \Bigl[\sum_{i=1}^{n-1} f(i)\Bigr] + f(n)$.

Similarly, n! is often expressed as $\prod_{i=1}^{n} i$. Here we use the product symbol ∏ which is
recursively defined by:

$\prod_{i=1}^{1} f(i) := f(1)$;
for n > 1: $\prod_{i=1}^{n} f(i) := \Bigl[\prod_{i=1}^{n-1} f(i)\Bigr] \cdot f(n)$.

Example 6.1.3 (Fibonacci sequence). The Italian mathematician Fibonacci (1170-1250) studied
the population growth of rabbits. He considered the following model of growth.
Start with one pair of rabbits, one male and one female rabbit.
As soon as a pair of rabbits, male and female, is one month old, it starts producing new
rabbits. It takes another month before the young rabbits, again a pair consisting of a male
and a female rabbit, are born. Let F(n) denote the number of pairs in month n. We have the
following recursive definition for F. Here n ∈ N:

F(1) := 1;
F(2) := 1;
F(n + 2) := F(n + 1) + F(n).

Indeed, in month n + 2 we still have the pairs of one month earlier, i.e., F(n + 1), but also the
young pairs of those pairs which are at least one month old in month n + 1, i.e., the number
of pairs in month n.

In the examples above we see that for a recursively defined function f we need two ingredi-
ents:

• a base part, where we define the function value f (n) for some small values of n like 0 or 1.
• a recursive part in which we explain how to compute the function in n with the help of the
values for integers smaller than n.

Of course, we do not have to restrict our attention to functions with domain N. Recursion can
be used at several places.
Example 6.1.4. Let S be the subset of Z defined by:

3 ∈ S;
if x, y ∈ S then also −x and x + y ∈ S.

Then S consists of all the multiples of 3. Indeed, if n = 3m for some m ∈ N, then
n = (· · · ((3 + 3) + 3) + · · · ) + 3 (a sum of m copies of 3), and hence n is in S. But then also −3m ∈ S. Thus S contains all
multiples of 3.
On the other hand, if S contains only multiples of 3, then in the next step of the recursion, only
multiples of 3 are added to S. So, since initially S contains only 3, S contains only multiples
of 3.

Example 6.1.5. Suppose R is a relation on a set S. We define R̄ ⊆ S × S recursively by

R ⊆ R̄;
if (a, b) and (b, c) are in R̄, then also (a, c) ∈ R̄.

Then R̄ is the transitive closure of R. Indeed, R̄ contains R and is transitive. Hence it contains
the transitive closure of R. We only have to show that R̄ is contained in the transitive closure
of R. This will be shown in Example 6.4.2.
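Both Example 6.1.4 and Example 6.1.5 define a set as the least set containing some base elements and closed under a rule, and the same small loop computes such a set: start from the base part and apply the recursive part until nothing new is produced. The Python below is an added example, not code from the original text. The sample relation is constructed here; `multiples_of_three` keeps only elements with |x| ≤ `bound`, a truncation added so that the infinite set of Example 6.1.4 can be generated, and `transitive_closure` is Example 6.1.5 run to its fixed point.

```python
def recursive_set(base, step):
    """Least set that contains `base` and is closed under `step`.

    `step(S)` returns the elements the recursive part produces from S.  The loop
    applies the recursive part until nothing new appears, so the result is the
    smallest set satisfying both parts of the definition."""
    S = set(base)
    while True:
        new = step(S) - S
        if not new:
            return S
        S |= new


def multiples_of_three(bound):
    """Example 6.1.4: 3 ∈ S; if x, y ∈ S then -x ∈ S and x + y ∈ S.
    The set is infinite, so we only keep elements with |x| <= bound (a
    truncation for the demonstration, not part of the definition)."""
    def step(S):
        produced = {-x for x in S} | {x + y for x in S for y in S}
        return {x for x in produced if abs(x) <= bound}
    return recursive_set({3}, step)


def transitive_closure(R):
    """Example 6.1.5: R ⊆ R̄; if (a, b), (b, c) ∈ R̄ then (a, c) ∈ R̄."""
    def step(S):
        return {(a, c) for (a, b) in S for (b2, c) in S if b == b2}
    return recursive_set(R, step)


def is_transitive(R):
    """Check the transitivity of a relation given as a set of pairs."""
    return all((a, c) in R for (a, b) in R for (b2, c) in R if b == b2)


# Constructed sample relation on {1, 2, 3, 4, 5}: a chain 1→2→3→4→5 plus the
# back edge 5→4, so the closure also contains the loops (4, 4) and (5, 5).
SAMPLE_R = {(1, 2), (2, 3), (3, 4), (4, 5), (5, 4)}

if __name__ == "__main__":
    print(sorted(multiples_of_three(15)))
    print(sorted(transitive_closure(SAMPLE_R)))
```

On a finite relation the loop terminates because every round adds at least one of finitely many pairs; for the multiples of 3 only the bound makes it terminate, which is the reason the text treats the infinite case by the argument in words rather than by running the definition.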

Example 6.1.6. Suppose Σ is a set of symbols. By Σ∗ we denote the set of all strings over Σ.
The set Σ∗ can be defined by the following:

λ (the empty string) is in Σ∗;
if w ∈ Σ∗ and s ∈ Σ, then w.s is in Σ∗.

Here . stands for concatenation of the strings. So, if Σ = {a, b, c}, then

Σ∗ = {λ, a, b, c, aa, ab, ac, ba, bb, bc, ca, cb, cc, aaa, . . . }.

Example 6.1.7. A (finite, directed) tree is a (finite) digraph Γ such that:

• Γ contains no cycles;
• there is a unique vertex, called the root of the tree, with indegree 0; all other vertices have
indegree 1;
• for any vertex v there is a path from the root to v.

A tree is called binary if every vertex has outdegree 0 or 2. Notice that the graph consisting
of a single vertex is a binary tree.
Moreover, if T1 = (V1, E1) and T2 = (V2, E2) are binary trees with disjoint vertex sets, then we can make a new binary
tree Tree(T1, T2) in the following way. As vertex set we take the vertices of T1 and T2 and add
a new vertex r. This vertex r is the root of the new tree and is the tail of two new edges with
heads r1 and r2, the roots of T1 and T2, respectively. All other edges come from T1 and T2. So
Tree(T1, T2) = (V1 ∪ V2 ∪ {r}, E1 ∪ E2 ∪ {(r, r1), (r, r2)}).

A tree composed out of two subtrees.

We can also give a recursive definition of the set of finite binary trees in the following way.
The set T of finite binary trees is defined by:

• the binary tree on a single vertex is in T;
• if T1 and T2 are in T, then Tree(T1, T2) is in T.

Notice that a recursive definition of some operation or structure consists of:

• a definition of the basic structures or operations;
• a procedure to construct new structures or operations out of already constructed ones.

These two ingredients do not guarantee that a recursion is well defined. To avoid contradicting
rules, we assume that if an object x is used (at some stage) in the construction of an object y,
then y is not used in the construction of x.
This leads to an ordering ⊑ on the objects constructed. The basic objects are the minimal
elements of the order; if x1, . . . , xn are objects used to create y, then we say xi < y. The
transitive and reflexive closure ⊑ of this relation is an order.
Indeed, if x ⊑ y, then x is used in the construction of y but, unless x = y, the object y is not
used for constructing x. As each object is constructed in finitely many steps, the order ⊑ only
has descending chains of finite length. It is well founded.
Example 6.1.8. Consider the set T of finite directed binary trees as defined in Example 6.1.7.
If Ti = (Vi, Ei), i = 1, 2, are trees in T, then we say T1 ⊑ T2 if and only if V1 ⊆ V2 and E1 is
the set of all edges in E2 with tail in V1.

The red tree T1 is part of the tree T, so T1 ⊑ T.

This relation is a well founded order on T. (Prove this!) It is the reflexive transitive closure of the
relation < defined in the above example.

6.2 Natural Induction

6.2.1. Principle of Natural Induction. Suppose P(n) is a predicate for n ∈ Z. Let b ∈ Z. If
the following holds:

• P(b) is true;
• for all k ∈ Z, k ≥ b we have that P(k) implies P(k + 1),

then P(n) is true for all n ≥ b.

We give some examples:

Example 6.2.2. We claim that for all n ∈ N we have
$$\sum_{i=1}^{n} i = \tfrac{1}{2}\, n(n + 1).$$
We first check the claim for n = 1:
$$\sum_{i=1}^{1} i = 1 = \tfrac{1}{2} \cdot 1 \cdot (1 + 1).$$
Now suppose that for some k ∈ N we do have
$$\sum_{i=1}^{k} i = \tfrac{1}{2}\, k(k + 1).$$
Then
$$\sum_{i=1}^{k+1} i = \Bigl(\sum_{i=1}^{k} i\Bigr) + (k + 1) = \tfrac{1}{2}\, k(k + 1) + (k + 1) = \tfrac{1}{2}\, (k + 1)(k + 2).$$
Hence if the claim holds for some k in N, then it also holds for k + 1.
The Principle of Natural Induction implies now that for all n ∈ N we have
$$\sum_{i=1}^{n} i = \tfrac{1}{2}\, n(n + 1).$$

Example 6.2.3. For all n ∈ N and x ∈ R, x ≠ 1, we have
$$\sum_{i=1}^{n} x^i = \frac{x^{n+1} - x}{x - 1}.$$

Here is a proof of this statement using natural induction. First consider the case n = 1. Then
the left hand side of the above equation equals x. The right hand side equals $\frac{x^2 - x}{x - 1} = x$. So, for
n = 1, equality holds.
Now assume that $\sum_{i=1}^{k} x^i = \frac{x^{k+1} - x}{x - 1}$ for some k ∈ N. Then $\sum_{i=1}^{k+1} x^i = \Bigl[\sum_{i=1}^{k} x^i\Bigr] + x^{k+1}$. By
assumption this equals $\frac{x^{k+1} - x}{x - 1} + x^{k+1} = \frac{x^{k+2} - x}{x - 1}$.
The Principle of Natural Induction implies now that for all n ∈ N we have
$$\sum_{i=1}^{n} x^i = \frac{x^{n+1} - x}{x - 1}.$$

Example 6.2.4. Let a, b, c ∈ R. A linear recurrence is a recurrence relation of the form

$a_0 := a$;
$a_{n+1} := b \cdot a_n + c$.

This is a generalization of the recurrence relation as given in Example 6.2.3. For linear
recurrence relations we can find a closed formula. Indeed (for b ≠ 1),
$$a_n = b^n \cdot a + b^{n-1} \cdot c + b^{n-2} \cdot c + \cdots + b \cdot c + c = b^n \cdot a + \left(\frac{b^n - 1}{b - 1}\right) \cdot c.$$
We give a proof by induction.
For n = 1 we indeed have $a_1 = b \cdot a + c = b^1 \cdot a + \left(\frac{b^1 - 1}{b - 1}\right) \cdot c$.
Suppose that for some k ∈ N we do have the equality
$$a_k = b^k \cdot a + \left(\frac{b^k - 1}{b - 1}\right) \cdot c.$$
Then
$$\begin{aligned}
a_{k+1} &= b \cdot a_k + c \\
 &= b \cdot \Bigl(b^k \cdot a + \frac{b^k - 1}{b - 1} \cdot c\Bigr) + c \\
 &= b^{k+1} \cdot a + \frac{b^{k+1} - b}{b - 1} \cdot c + c \\
 &= b^{k+1} \cdot a + \frac{b^{k+1} - b + (b - 1)}{b - 1} \cdot c \\
 &= b^{k+1} \cdot a + \frac{b^{k+1} - 1}{b - 1} \cdot c.
\end{aligned}$$
By the principle of natural induction we now have proved that
$$a_n = b^n \cdot a + \left(\frac{b^n - 1}{b - 1}\right) \cdot c$$
for all n ∈ N with n > 0.

Example 6.2.5. Let S be a set with n elements. Then P(S), the set of all subsets of S, has size
2ⁿ. We give a proof by induction.
For n = 0, the set S is the empty set and S itself is the only subset of S. So indeed, in this case
P(S) has size 2⁰ = 1.
Suppose for some k ∈ N all sets of size k have exactly 2ᵏ distinct subsets. Then consider a
set S of size k + 1. Fix an element s ∈ S. Then all subsets of S not containing s are precisely
the subsets of S \ {s}. Hence, there are 2ᵏ such subsets of S. For each such subset T there is
a unique subset T ∪ {s} of S containing s. As every subset T′ of S containing s is obtained as
(T′ \ {s}) ∪ {s}, there are also 2ᵏ subsets containing s.
We conclude that P(S) contains 2ᵏ + 2ᵏ = 2ᵏ⁺¹ elements.
Now the principle of natural induction implies that every set S of n elements admits exactly
2ⁿ subsets.

As we have seen in the above examples, a proof by natural induction consists of 4 steps:

• A statement P(n) for all n ∈ N.
• A base b, for which P(b) is true.
• A proof that for all k ∈ N (or k ≥ b) we have: P(k) implies P(k + 1).
• The conclusion that for all n ≥ b we have P(n) is true.

6.3 Strong Induction and Minimal Counter Examples

In this section we discuss two variations on Natural Induction. The first is strong induction.
6.3.1. Principle of Strong Induction. Suppose P(n) is a predicate for n ∈ Z. Let b ∈ Z. If
the following holds:

• P(b) is true;
• for all k ∈ Z, k ≥ b we have that P(b), P(b + 1), . . . , P(k − 1) and P(k) together imply P(k + 1),

then P(n) is true for all n ≥ b.

(Of course strong induction is just a variation of natural induction. Indeed, just replace the
predicate P(n) by the predicate Q(n) := P(b) ∧ P(b + 1) ∧ · · · ∧ P(n).)
We give some examples.

Example 6.3.2. Consider the game of Nimm. In this game for two players a (positive) number
of matches is placed on the table. The two players take turns removing one, two or
three matches from the table. The player to remove the last match from the table loses.

The first player has a winning strategy if and only if the number of matches, n say, is not of
the form 4m + 1, with m ∈ N. Otherwise, the second player has a winning strategy.
We prove this statement with strong induction.
If n = 1, then the first player has to take the match from the table and loses.
Now suppose that the statement is correct for all values of n with 1 ≤ n ≤ k for some k ∈ N.
We will prove it to be true for n = k + 1.
We divide the proof in two parts:

• k + 1 = 4m + 1 > 1 for some m ∈ N.
Since the first player can remove 1, 2 or 3 matches, the second player is faced with k, k − 1
or k − 2 matches. Since these numbers are not of the form 4l + 1, l ∈ N, our induction
hypothesis implies that there is a winning strategy for the second player.
• k + 1 = 4m + i for some m ∈ N and i = 2, 3 or 4.
The first player removes i − 1 matches. Then the second player is facing 4m + 1
matches. By our induction hypothesis, there is a winning strategy for the first player.
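The strong induction above can be run as a computation: fill a table of winning positions in increasing order of n, where the entry for k + 1 is decided from the entries for k, k − 1 and k − 2, exactly the positions the induction hypothesis covers. The Python below is an added example, not code from the original text; it computes the table, compares it with the claimed pattern 4m + 1, and returns the move the proof's second case prescribes.

```python
def winning_positions(limit):
    """win[n] == True iff the player to move with n matches has a winning
    strategy (moves: take 1, 2 or 3; whoever takes the last match loses).

    The table is filled in the order of the strong induction in Example 6.3.2:
    win[1] is the base case, and win[k + 1] is computed from win[k], win[k - 1]
    and win[k - 2], which are already known."""
    win = {1: False}                     # base case: forced to take the last match
    for n in range(2, limit + 1):
        # n is a winning position iff some move leaves the opponent a losing one
        win[n] = any(not win[n - take] for take in (1, 2, 3) if n - take >= 1)
    return win


def winning_move(n):
    """The move (1, 2 or 3) that leaves 4m + 1 matches, or None if n = 4m + 1
    (then every move hands the opponent a winning position)."""
    take = (n - 1) % 4
    return take if take in (1, 2, 3) else None


def matches_claim(limit):
    """Compare the computed table with the claim: the first player wins iff
    n is not of the form 4m + 1."""
    win = winning_positions(limit)
    return all(win[n] == (n % 4 != 1) for n in range(1, limit + 1))


if __name__ == "__main__":
    table = winning_positions(12)
    print({n: ("first player wins" if w else "second player wins") for n, w in table.items()})
    print("claim holds up to 200:", matches_claim(200))
```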

Example 6.3.3. Suppose you have to divide an n × m chocolate bar into nm pieces. Then you
will need to break it at least nm − 1 times. This we can prove by strong induction on the size
nm.

If nm = 1, then we are dealing with a single piece of chocolate, and we don’t have to do
anything. So indeed, we need zero breaks.
Suppose nm > 1 and for all n′ × m′ bars with n′m′ < nm, we need at least n′m′ − 1 breaks to
divide them into n′m′ pieces. Then consider an n × m bar. Break it once. Then one obtains two bars
B0 and B1 of size n0 × m0 and n1 × m1, respectively, with n0 m0 + n1 m1 = nm. By our induction
hypothesis, one has to break bar B0 at least n0 m0 − 1 times and bar B1 at least n1 m1 − 1 times.
Hence in total we have to break the bar at least 1 + (n0 m0 − 1) + (n1 m1 − 1) = nm − 1 times.

By the principle of strong induction we have shown that indeed one has to break an n × m
chocolate bar at least nm − 1 times to get nm pieces.

The second variation of natural induction that we discuss is the (non-)existence of a minimal
counter example.
6.3.4. Minimal Counter Example. Let P(n) be a predicate for all n ∈ Z. Let b ∈ Z. If the
statement that P(n) is true for all n ∈ Z, n ≥ b, is not true, then there is a minimal counter
example. That means, there is an m ∈ Z, m ≥ b with

P(m) false and
P(n) true for all n ∈ Z with b ≤ n < m.

Example 6.3.5. A prime is a natural number p > 1 such that each divisor of p equals 1 or
p. Every element n ∈ N with n > 1 is divisible by a prime.
Suppose m is a minimal counter example to this statement. Then, as m | m, we find that m
cannot be prime. Hence, it admits a divisor m1 with 1 < m1 < m. As m is a minimal counter example
to the statement, m1 is divisible by some prime p. But by transitivity of the relation “divides”,
p also divides m. This contradicts m being the minimal counter example. Hence we have
proved the statement.

6.4 Structural Induction

In this final section we discuss another variation of induction, the so-called structural
induction. If a structure of data types is defined recursively, then we can use this recursive
definition to derive properties by induction.
In particular,

• if all basic elements of a recursively defined structure satisfy some property P,
• and if newly constructed elements satisfy P, assuming the elements used in the construction
already satisfy P,

then all elements in the structure satisfy P.

We give some examples.
Example 6.4.1. In Example 6.1.7 we have given a recursive definition of the set T of finite
binary trees.

(∗) In every binary tree T the number of edges is one less than the number of vertices.

We prove this by induction:

The tree consisting of a single vertex has 1 vertex and 0 edges. Hence for this tree the
statement is correct.
Now suppose a tree T = (V, E) is obtained as Tree(T1, T2) where T1 = (V1, E1) and
T2 = (V2, E2) are two binary trees satisfying (∗). Then the number of vertices in T equals
1 + |V1| + |V2|, and the number of edges equals 2 + |E1| + |E2|. Since |Vi| = |Ei| + 1 we find
that |V| = |V1| + |V2| + 1 = (|E1| + 1) + (|E2| + 1) + 1 = |E| + 1. Hence T also satisfies (∗).
This proves that all finite binary trees satisfy (∗).
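The recursive definition of Example 6.1.7 and the invariant (∗) of Example 6.4.1 can be made concrete together: build trees only through the two constructors of T (the single vertex and Tree(T1, T2)) and check (∗) on every tree obtained, which is the structural induction in executable form. The Python below is an added example, not code from the original text. Trees are represented here as a triple (root, vertex set, edge set) with directed edges (tail, head), and vertex names are drawn from a counter so that the two subtrees handed to `tree` have disjoint vertex sets; `leaf_formula_holds` additionally checks the statement of Exercise 6.5.11.

```python
from itertools import count

_fresh = count(1)   # supply of new vertex names (a convention of this example)


def single_vertex():
    """The binary tree on a single vertex: the base case of T.
    A tree is (root, vertex set, edge set) with directed edges (tail, head)."""
    r = next(_fresh)
    return (r, frozenset([r]), frozenset())


def tree(T1, T2):
    """Tree(T1, T2) from Example 6.1.7: a new root r with edges (r, r1), (r, r2)."""
    r1, V1, E1 = T1
    r2, V2, E2 = T2
    if V1 & V2:
        raise ValueError("the two subtrees must have disjoint vertex sets")
    r = next(_fresh)
    return (r, V1 | V2 | {r}, E1 | E2 | {(r, r1), (r, r2)})


def leaves(T):
    """Vertices of outdegree 0."""
    _, V, E = T
    tails = {t for (t, _h) in E}
    return {v for v in V if v not in tails}


def satisfies_star(T):
    """(∗): the number of edges is one less than the number of vertices."""
    _, V, E = T
    return len(E) == len(V) - 1


def leaf_formula_holds(T):
    """Exercise 6.5.11: l = (v + 1) / 2 for a binary tree in T."""
    _, V, _ = T
    return 2 * len(leaves(T)) == len(V) + 1


def full_tree(depth):
    """The complete binary tree of the given depth, built purely through the
    recursive definition (depth 0 is the single vertex)."""
    if depth == 0:
        return single_vertex()
    return tree(full_tree(depth - 1), full_tree(depth - 1))


def check_up_to(depth):
    """Mirror the structural induction: (∗) and the leaf formula hold on the
    base case and on every Tree(T1, T2) built, for all depths up to `depth`."""
    return all(satisfies_star(full_tree(d)) and leaf_formula_holds(full_tree(d))
               for d in range(depth + 1))


if __name__ == "__main__":
    T = tree(tree(single_vertex(), single_vertex()), single_vertex())
    print("vertices:", len(T[1]), "edges:", len(T[2]), "leaves:", len(leaves(T)))
    print("(*) and leaf formula hold up to depth 6:", check_up_to(6))
```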

Example 6.4.2. Let R be a relation on a set S. In Example 6.1.5 we defined the relation R̄. We will use
structural induction to show that R̄ is the transitive closure of R.
We already showed that R̄ contains the transitive closure. So it remains to prove that R̄ is
contained in the closure.
Denote the transitive closure of R by TR. Our first step in the proof is to show that R is
contained in TR. But this holds by definition of TR. Next suppose (a, b), (b, c) ∈ R̄ are also
in TR; then the element (a, c) of R̄ is also in TR, as TR is transitive. Hence by structural
induction, we have R̄ ⊆ TR and hence we may conclude that R̄ = TR.

Although we will not go into the details, we want to mention that natural, strong and structural
induction are actually particular cases of induction on a well founded order:
6.4.3. The Principle of Induction on a well founded order. Let (P, ⊑) be a well founded
order. Suppose Q(x) is a predicate for all x ∈ P satisfying:

• Q(b) is true for all minimal elements b ∈ P.
• If x ∈ P and Q(y) is true for all y ∈ P with y ⊑ x but y ≠ x, then Q(x) holds.

Then Q(x) holds for all x ∈ P.

6.5 Exercises

Exercise 6.5.1. John wants to buy a new house. Therefore he needs $200,000 from the bank.
He can pay off this mortgage in 20 years, $10,000 a year. Besides these $10,000, John also
has to pay 8% interest a year over the amount he still has to pay to the bank.
What is the total amount John has to pay to the bank for this mortgage of $200,000?

Exercise 6.5.2. Suppose f(n) is the number of strings of length n with symbols from the
alphabet {a, b, c, d} with an even number of a’s.

(a) What is f(0)? And what is f(1)?
(b) Show that f satisfies the recurrence

f(n + 1) = 2 · f(n) + 4ⁿ.

Exercise 6.5.3. Suppose f satisfies the recurrence relation

f (n + 2) := 2 f (n + 1) − 4 f (n).

Show that for all n ∈ N we have f (n + 3) = −8 f (n).

Exercise 6.5.4. Let F be the Fibonacci sequence.

(a) Show that for all n > 2 we have
$$F(n + 2) = 1 + \sum_{i=1}^{n} F(i).$$
(b) Show that for all n > 2 we have
$$F(2n + 1) = 1 + \sum_{i=1}^{n} F(2i).$$

Exercise 6.5.5. Suppose f is defined on N by

f(0) := 1,
$f(n) := \frac{2n}{n + 1}\, f(n - 1)$ for all n > 0.

Compute f(1), f(2), . . . , f(5). Can you find a closed formula for f(n)? Prove that your
formula is correct for all n ∈ N.

Exercise 6.5.6. Suppose f is defined on N by
$$f(n) = \sum_{i=1}^{n} \frac{2i - 1}{i^4 - 2i^3 + 3i^2 - 2i + 2}.$$
Compute f(1), f(2), . . . , f(5). Can you find a closed formula for f(n)? Prove that your
formula is correct for all n ∈ N.

Exercise 6.5.7. Suppose f is defined on N by
$$f(n) = \sum_{i=1}^{n} \frac{3i^2 - 3i + 1}{(i^3 + 1)(i^3 - 3i^2 + 3i)}.$$
Compute f(1), f(2), . . . , f(5). Can you find a closed formula for f(n)? Prove that your
formula is correct for all n ∈ N.

Exercise 6.5.8. In a triangle in the plane, the sum of all the three angles equals 180°. In a 4-gon,
the sum of all the four angles equals 360°. How about the sum of the angles in a convex
n-gon with n ≥ 5? (An n-gon is called convex if any straight line between two vertices of the
n-gon does not leave the interior of the n-gon.)

Exercise 6.5.9. Suppose you have an infinite collection of coins of 2 and 5 Euro cents.
Prove, using strong induction, that you can pay any amount of n Euro cents, where n ∈ N, n ≥
4.
Give also a proof by assuming the existence of a minimal counter example and reaching a
contradiction.

Exercise 6.5.10. Give a recursive definition of the set of all finite directed trees.
Use structural induction to prove that in all finite directed trees the number of edges is one
less than the number of vertices.

Exercise 6.5.11. Consider the set T of binary trees as recursively defined in Example 6.1.7.
A leaf of a tree is a vertex with outdegree 0. Denote by l the number of leaves in a tree T ∈ T .
Then l = (v + 1)/2 where v is the number of vertices. Prove this using structural induction.

Exercise 6.5.12. Let S be the subset of Z defined by

−12, 20 ∈ S;

if x, y ∈ S, then x + y ∈ S.

We use structural induction to show that S = {4k | k ∈ Z}. The proof is divided into three
parts.

a) Show that 4 and −4 are in S.


b) Prove, by structural induction, that S ⊆ {4k | k ∈ Z}.

c) Use a) and structural induction to prove that S ⊇ {4k | k ∈ Z}.



Chapter 7

Cardinalities

Let S be a set. To measure the size of a set, we can try to count the number of elements it
contains. If S contains only finitely many elements, then that is easy. But also in case that S
contains infinitely many elements, we can still measure its size.

7.1 Cardinality

Definition 7.1.1. Two sets A and B have the same cardinality if there exists a bijection from
A to B.

Example 7.1.2. Two finite sets have the same cardinality if and only if they have the same
number of elements.

Example 7.1.3. The sets N and Z have the same cardinality. Indeed, consider the map f :
N → Z defined by f(2n) = n and f(2n + 1) = −n where n ∈ N. This map is clearly a bijection.

Theorem 7.1.4. Having the same cardinality is an equivalence relation.

Proof. We have to check that having the same cardinality is reflexive, symmetric and transitive.
Reflexivity. Let A be a set. Then the identity map a ∈ A ↦ a is a bijection from A to itself.
So A has the same cardinality as A.
Symmetry. Suppose A has the same cardinality as B. Then there is a bijection f : A → B.
Now f has an inverse f⁻¹, which is a bijection from B to A. So B has the same cardinality as
A.
Transitivity. Suppose A has the same cardinality as B and B the same cardinality as C. So,
there exist bijections f : A → B and g : B → C. But then g ∘ f : A → C is a bijection from A to
C. So A has the same cardinality as C.

7.2 Countable sets

Definition 7.2.1. A set is called finite if it is empty or has the same cardinality as the set
Nn := {1, 2, . . . , n} and infinite otherwise.

Definition 7.2.2. A set is called countable if it is finite or has the same cardinality as the set
N.
An infinite set that is not countable is called uncountable.

Theorem 7.2.3. Every infinite set contains an infinite countable subset.

Proof. Suppose A is an infinite set. Since A is infinite, we can start enumerating elements
a1, a2, . . . of A such that all the elements are distinct. This yields a sequence of elements in A.
The set of all the elements in this sequence forms an infinite countable subset of A.

Theorem 7.2.4. Let A be a set. If there is a surjective map from N to A, then A is
countable.

Proof. Let f : N → A be a surjection. Then consider the sequence f(1), f(2), . . . . Remove
from this sequence (going from left to right) each element that you have seen before. The
result is either a finite sequence, or an infinite sequence f(n1), f(n2), . . . of which all elements
are distinct. In the latter case, consider the map g : N → A with g(i) = f(ni). This map is a
bijection, which proves A to be countable.

Corollary 7.2.5. Let A be countable and f : A → B surjective, then B is countable.

Proof. If A is finite, then so is B. Thus assume that A has infinitely many elements. Since A
is countable, there is a bijection g : N → A. But then f ◦ g is a surjection from N to B. Hence
we can apply the previous result.

Theorem 7.2.6. Any subset of a countable set is countable.

Proof. Let A be a subset of a countable set B. If A is finite there is nothing to prove, so suppose
A is infinite. Then B is infinite as well, so there is a bijection f : N → B. Fix an element a ∈ A
and consider the map g : N → A defined by g(x) = f (x) if f (x) ∈ A and g(x) = a if f (x) ∈ B \ A.
Then g is surjective, as f is surjective. Now Theorem 7.2.4 implies A to be countable.

Proposition 7.2.7. N × N is countable.

Proof. Let n ∈ N. Let m ≥ 0 be maximal with $\sum_{i=0}^{m} i < n$, and let $k = n - \sum_{i=0}^{m} i$.
By the maximality of m we have $n \le \sum_{i=0}^{m+1} i = \sum_{i=0}^{m} i + (m+1)$, so $1 \le k \le m+1$.
We define f : N → N × N in the following way:

$f(n) = (k,\; m + 2 - k).$

So, in a table this looks as follows (the n-th pair lies on the diagonal k + l = m + 2, and the
diagonals are filled one after another, each from top to bottom):

f(1) = (1, 1)    f(2) = (1, 2)    f(4) = (1, 3)    f(7) = (1, 4)    ...
f(3) = (2, 1)    f(5) = (2, 2)    f(8) = (2, 3)    ...
f(6) = (3, 1)    f(9) = (3, 2)    ...
f(10) = (4, 1)   ...

The map f is a bijection. By construction, f is injective: m and k are uniquely determined by n,
and n is recovered from f (n) = (k, m + 2 − k) as $n = \sum_{i=0}^{m} i + k$.
So it only remains to prove surjectivity. Let (k, l) ∈ N × N. Set m = k + l − 2. Then
(k, l) = (k, m + 2 − k) and $1 \le k \le m+1$. For $n = \sum_{i=0}^{m} i + k$ we have
$\sum_{i=0}^{m} i < n \le \sum_{i=0}^{m+1} i$, so m is the maximal index belonging to this n, and
hence f (n) = (k, l).

Theorem 7.2.8. Let A and B be countable sets. Then A × B is countable.

Proof. If A or B is empty, then A × B is empty and hence countable. Otherwise there are
surjections f : N → A and g : N → B (for an infinite countable set take a bijection from N; for a
finite nonempty set enumerate its elements and send all remaining natural numbers to the first
one). The map h : N × N → A × B defined by h((i, j)) = ( f (i), g( j)) is surjective. So, since N × N
is countable, Corollary 7.2.5 shows that A × B is countable as well.

Proposition 7.2.9. The sets Z and Q are countable.

Proof. The map g : {−1, 0, 1} × N → Z given by g(x, y) = xy is surjective (note that 0 = g(0, 1);
the factor 0 is needed because 0 is not of the form ±y with y ∈ N). By Theorem 7.2.8 we find
{−1, 0, 1} × N to be countable, and hence by Corollary 7.2.5 also Z.
Now let f : Z × N → Q be defined by f (i, j) = i/j for (i, j) ∈ Z × N. This is clearly a surjective
map, as every rational number can be written as a fraction with a positive denominator.
By the previous result and Theorem 7.2.8 we find Z × N to be countable and hence also Q.
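The enumerations in the proofs of Proposition 7.2.7 and Proposition 7.2.9 can be carried out explicitly. The following Python code is an added example, not part of the original text: it implements the bijection f : N → N × N of Proposition 7.2.7 together with its inverse, and composes it with the surjections {−1, 0, 1} × N → Z and Z × N → Q of Proposition 7.2.9 into an explicit surjection N → Q, so that for any given rational number a position at which it occurs can be computed. The function names pair, unpair, integer, rational, first_index and pairs_on_first_diagonals are my own choices, not notation from the text.

```python
from fractions import Fraction


def pair(n):
    """The bijection f: N -> N x N of Proposition 7.2.7 (here N = {1, 2, ...}).
    m is maximal with 0 + 1 + ... + m < n, k = n - (0 + 1 + ... + m), f(n) = (k, m + 2 - k)."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    m = 0
    # 0 + 1 + ... + (m + 1) equals (m + 1)(m + 2)/2; advance m while that sum is still < n.
    while (m + 1) * (m + 2) // 2 < n:
        m += 1
    k = n - m * (m + 1) // 2
    return (k, m + 2 - k)


def unpair(k, l):
    """Inverse of pair, from the surjectivity part of the proof: m = k + l - 2, n = (0 + ... + m) + k."""
    m = k + l - 2
    return m * (m + 1) // 2 + k


def integer(n):
    """A surjection N -> Z: N -> N x N -> {-1, 0, 1} x N -> Z, the last step being (x, y) -> x*y."""
    k, l = pair(n)
    x = k % 3 - 1          # a surjection N -> {-1, 0, 1}
    return x * l


def rational(n):
    """A surjection N -> Q: N -> N x N -> Z x N -> Q, the last step being (i, j) -> i/j."""
    a, b = pair(n)
    return Fraction(integer(a), b)


def first_index(numerator, denominator, limit=100_000):
    """Smallest n <= limit with rational(n) == numerator/denominator, or None if not found.
    Every rational occurs eventually because rational is surjective; the bound only keeps
    the search finite."""
    target = Fraction(numerator, denominator)
    for n in range(1, limit + 1):
        if rational(n) == target:
            return n
    return None


def pairs_on_first_diagonals(count):
    """The set {pair(1), ..., pair(count)}. For count = 1 + 2 + ... + d this is exactly the set
    of pairs (k, l) with k + l <= d + 1, i.e. the first d diagonals of the table in the proof."""
    return {pair(n) for n in range(1, count + 1)}


if __name__ == "__main__":
    print([pair(n) for n in range(1, 11)])      # (1,1), (1,2), (2,1), (1,3), ... as in the table
    n = first_index(-2, 3)
    print(n, rational(n))                         # the position at which -2/3 first appears
```

The pairs returned by pair(1), pair(2), ... walk the table of the proof diagonal by diagonal, and unpair(k, l) is the formula from the surjectivity argument; checking unpair(pair(n)) == n for a range of n is the computational form of the bijectivity claim.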

Theorem 7.2.10. Let C be a countable collection of countable sets. Then $\bigcup_{A \in C} A$ is
countable.

Proof. Removing the empty set from C does not change the union, and if C is empty or contains
only the empty set, the union is empty and hence countable. So assume that C is nonempty and
that every A ∈ C is nonempty. For each A ∈ C there exists a surjection fA : N → A (a bijection if
A is infinite, see the proof of Theorem 7.2.8 for the finite case). Moreover, as C is countable
and nonempty, there also exists a surjection g : N → C. We write Ai = g(i).
Now consider the map $f : \mathbb N \times \mathbb N \to \bigcup_{A \in C} A$ defined by $f(i, j) = f_{A_i}(j)$.
This is a surjection: an element a of the union lies in some A = Ai = g(i), and then a = fAi ( j) for
some j ∈ N. Thus, by Proposition 7.2.7 and Corollary 7.2.5, $\bigcup_{A \in C} A$ is countable.

Example 7.2.11. Let S be the set of all finite subsets of N. Then $S = \bigcup_{i \in \mathbb N} S_i$, where Si is
the set of subsets of size at most i of N.
Now, by repeated application of Theorem 7.2.8, $\mathbb N^i$ is countable. But the map
$(a_1, \ldots, a_i) \in \mathbb N^i \mapsto \{a_1, \ldots, a_i\} \in S_i$ is clearly surjective onto Si \ {∅}, since a
nonempty set with at most i elements can be listed as a1 , . . . , ai (with repetitions if it has fewer
than i elements). Thus Si \ {∅} is countable by Corollary 7.2.5, and so is Si , as adding the single
element ∅ does not affect countability. Now Theorem 7.2.10 implies S to be countable.

7.3 Some uncountable sets

We have encountered various sets that are countable. In this section we concentrate on sets
that are uncountable and derive a way to prove this.

Proposition 7.3.1. The set {0, 1}N is uncountable.

Proof. Let F : N → {0, 1}N be any map. By fi we denote the function F(i) from N to {0, 1}.
We will show that F is not surjective by constructing a function f ∈ {0, 1}N which is different
from all the functions fi with i ∈ N. For each i ∈ N let

$f(i) = \begin{cases} 0 & \text{if } f_i(i) = 1, \\ 1 & \text{if } f_i(i) = 0, \end{cases}$

that is, $f(i) = 1 - f_i(i)$. Clearly, for all i ∈ N we have f (i) ≠ fi (i) and hence f ≠ fi . So, F is
not surjective. This shows that there is no surjection from N to {0, 1}N . Since {0, 1}N is infinite
(it contains, for every n ∈ N, the function that takes the value 1 at n only, and these functions
are pairwise distinct), it is not countable.

If A is a set, then for each subset B of A we define the characteristic function χB : A → {0, 1}
to be the function that takes the value 1 on all elements of B and the value 0 on all elements of
A \ B.
Clearly, every element f ∈ {0, 1}A is the characteristic function of the set {a ∈ A | f (a) = 1},
and this is the only subset of A with characteristic function f . So the map B ∈ P(A) 7→ χB is a
bijection from P(A) to {0, 1}A .

Corollary 7.3.2. P(N) is uncountable.

7.3.3. The main argument in the above proof is called Cantor’s diagonal argument. Consider
the following table, whose i-th row lists the values of fi :

$\begin{array}{cccc} f_1(1) & f_1(2) & f_1(3) & \cdots \\ f_2(1) & f_2(2) & f_2(3) & \cdots \\ f_3(1) & f_3(2) & f_3(3) & \cdots \\ \vdots & \vdots & \vdots & \ddots \end{array}$

We create a new function f which differs from all the fi at the diagonal of this table, i.e. f
differs from fi at position i.

Corollary 7.3.4. R is uncountable.

Proof. Consider the map $f \in \{0,1\}^{\mathbb N} \mapsto \sum_{i=1}^{\infty} f(i)/10^i \in \mathbb R$, which sends f to the real
number with decimal expansion 0. f (1) f (2) f (3) . . . . This map is injective: the only real numbers
with two different decimal expansions are those with an expansion ending in repeated 9s, so an
expansion using only the digits 0 and 1 is the unique expansion of the number it represents, and
two different functions yield two different reals. So, if R were countable, then the image of this
map would be countable by Theorem 7.2.6, and since the map is a bijection onto its image, so
would {0, 1}N be, which contradicts Proposition 7.3.1.
This proves R to be uncountable.

Theorem 7.3.5. If A and B are sets with the same cardinality, then also P(A) and P(B) have
the same cardinality.

Proof. Suppose A and B have the same cardinality. Let f : A → B be a bijection.
Consider the map fˆ : P(A) → P(B) given by fˆ(S) = { f (s) | s ∈ S}. This map is a bijection: its
inverse is the map T 7→ { f −1 (t) | t ∈ T } induced by f −1 .

Corollary 7.3.6. If A is an infinite set, then P(A) is uncountable.

Proof. If A is uncountable, then clearly P(A) is uncountable, as it contains the subset {{a} |
a ∈ A} of the same cardinality as A.
If A is countable, then P(A) is uncountable, as follows from 7.3.5 and 7.3.2.

7.4 Exercises

Exercise 7.4.1. Prove that the following sets are countable.

(a) {x ∈ R | x2 ∈ Q}.
(b) {x ∈ R | sin(x) ∈ Q}.

Exercise 7.4.2. Prove that the subset

S = { f ∈ {0, 1}N | ∃m∈N ∀n≥m [ f (n) = 0]}

of {0, 1}N is countable.

Exercise 7.4.3. If A is an uncountable set and B is a countable subset of A, then A \ B is
uncountable. Give a proof.

Exercise 7.4.4. Let S be the set of all finite subsets of N. Prove that S is countable.

Exercise 7.4.5. Prove that the set of all infinite sequences (ai )i∈N with ai ∈ N for all i is
uncountable.

Chapter 8

Permutations

8.1 Symmetric Groups

In this section we are mainly concerned with bijections of a finite set X to itself. Often we
work with the set X of integers from 1 to n, thus X = {1, . . . , n}. There is no loss of generality,
since we will see soon that there is no essential difference in the naming of the elements.
The advantage of the natural numbers as names of the elements of X is twofold:

• they have a natural ordering (this is convenient since we often intend to write the elements
in a row);
• there is an infinite number of them (in contrast with, for example, the letters of the alpha-
bet).

We will use no arithmetic properties of the natural numbers (as names of elements of X) apart
from the ordering.

We introduce permutations and describe multiplication of permutations as composition of
maps.

Definition 8.1.1. Let X be a set.

• A bijection of X to itself is also called a permutation of X. The set of all permutations of X
is denoted by Sym(X). It is called the symmetric group on X.
• The product g · h of two permutations g, h in Sym(X) is defined as the composition g ◦ h of
g and h. Thus, for all x ∈ X, we have g·h(x) = g(h(x)).
• If X = {1, . . . , n}, we also write Symn instead of Sym(X). Furthermore, a permutation f of
X is often given by the list [ f (1), f (2), . . . , f (n)].

The product of two permutations in Symn is again a permutation and hence an element of
Symn . (Prove this!)
As also happens when taking the product of two reals, we often write gh instead of g · h for
the product of the permutations g and h.

The identity map id : X→X plays a special role: g=g·id and g=id·g, for all g in Sym(X).
The inverse of g∈Sym(X), denoted by g−1 , is again a permutation and satisfies g−1 ·g=id
and g·g−1 =id. We call id the identity element for the product on Sym(X). We often use e to
denote the identity element. For every positive integer m, we denote by gm the product of m
factors g. Instead of (g−1 )m we also write g−m .
We call Sym(X) the symmetric group on X and Symn the symmetric group of degree n.
Example 8.1.2. Let g and h be the permutations of {1, . . . , 4} with g(1)=2, g(2)=3, g(3)=1,
g(4)=4, and h(1)=1, h(2)=3, h(3)=4, h(4)=2. So g=[2, 3, 1, 4] and h=[1, 3, 4, 2]. Then
g·h is the permutation with g·h(1) = g(1) = 2, g·h(2) = g(3) = 1, g·h(3) = g(4) = 4, and
g·h(4) = g(2) = 3, so g·h=[2, 1, 4, 3].
Similarly, h·g is the permutation with h·g(1) = h(2) = 3, h·g(2) = h(3) = 4, h·g(3) = h(1) =
1, and h·g(4) = h(4) = 2, so h·g=[3, 4, 1, 2].
In particular, g·h and h·g are not the same. The official terminology is that g and h do not
commute.
The inverse of g is the map that sends 1 to 3, 2 to 1, 3 to 2, and 4 to 4, so g−1 =[3, 1, 2, 4].
We will shortly describe notations for permutations that are more convenient for our purposes
than the lists we have seen so far: matrices and disjoint cycles.

Remark 8.1.3. Sometimes the product g·h is defined the other way around: as h ◦ g.
In other words, the product is then the right composition of functions instead of the left
composition used in this text. Right composition is convenient when mappings are written at
the right-hand side of their arguments: for x ∈ X, the image of x under g·h is then the image
under h of the image under g of x. In formula: g·h(x) = h(g(x)).
Right composition is standard in the computer algebra packages GAP and Magma. One
should be aware of this fact when comparing the output of such a package with the formulas
in this text!

A permutation can be described in matrix notation by a 2 by n matrix with the numbers
1, . . . , n in the first row and the images of 1, 2, . . . , n (in that order) in the second row. Since
there are n! possibilities to fill the second row, the following theorem holds.

Theorem 8.1.4. Symn has exactly n! elements.



The first row of the 2 by n matrix describing a permutation in Symn is always 1, 2, . . . , n and
hence yields no essential information. Therefore, we often omit the first row; the permutation
is then given in list notation. For example, $\begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}$ becomes [3, 1, 2] in list notation.
Nevertheless, the matrix notation is useful for calculating products and inverses.

• Product: To calculate g·h for two permutations g, h in Symn , we first look up, for each
i ∈ {1, . . . , n}, the value h(i), then we look for this value in the first row of the g matrix;
below this entry you find g·h(i).
Indeed, if $g = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}$ and $h = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix}$, then $gh = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 2 & 1 \end{pmatrix}$.
• Inverse: If g is written as the 2 by n matrix M, then the inverse of g is described by the
matrix obtained from M by interchanging the two rows and sorting the columns in such a
way that the first row is again 1, 2, . . . , n.
Indeed, if $g = \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}$, then interchanging the rows gives $g^{-1} = \begin{pmatrix} 2 & 3 & 1 \\ 1 & 2 & 3 \end{pmatrix}$, and sorting the columns gives $g^{-1} = \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}$.

Example 8.1.5. Sym3 has the following 6 elements:

$\begin{pmatrix} 1 & 2 & 3 \\ 1 & 2 & 3 \end{pmatrix}, \begin{pmatrix} 1 & 2 & 3 \\ 1 & 3 & 2 \end{pmatrix}, \begin{pmatrix} 1 & 2 & 3 \\ 2 & 1 & 3 \end{pmatrix}, \begin{pmatrix} 1 & 2 & 3 \\ 2 & 3 & 1 \end{pmatrix}, \begin{pmatrix} 1 & 2 & 3 \\ 3 & 1 & 2 \end{pmatrix}, \begin{pmatrix} 1 & 2 & 3 \\ 3 & 2 & 1 \end{pmatrix}.$

Instead of the conventional matrix notation, we also write permutations as lists. In the so-
called list notation we leave out the first row, since that row is always the same. Here are the
6 permutations again in list notation:

[1, 2, 3], [1, 3, 2], [2, 1, 3], [2, 3, 1], [3, 1, 2], [3, 2, 1].

Definition 8.1.6. The order of a permutation g is the smallest positive integer m such that
gm =e.

Example 8.1.7. • The order of the identity is 1.

• The order of the permutation [2, 1, 3] (in list notation) in Sym3 is 2.

• The order of the permutation g=[2, 3, 4, 1] (in list notation) in Sym4 is 4 :

g2 =[3, 4, 1, 2], g3 =[4, 1, 2, 3], g4 =e.

Remark 8.1.8. Of course we must justify that the notion order makes sense. If g is a per-
mutation in Symn , then the permutations g, g2 , g3 , . . . can not all be distinct, because there
are only finitely many permutations in Symn (n! to be precise). So there must exist positive
numbers r < s such that gr =gs . Since g is a bijection, we find gs−r =e. So there exist positive
numbers m with gm =e, and in particular a smallest such number. Therefore each permutation
g has a well-defined order.

8.2 Cycles
Let g be a permutation of Sym(X). We distinguish between the points which are moved and
the points which are fixed by g.
Definition 8.2.1. The fixed points of g in X are the elements x of X for which g(x) = x holds.
The set of all fixed points is fix(g) = {x ∈ X | g(x) = x}.

The support of g is the complement in X of fix(g). It is denoted by support(g).

Example 8.2.2. Consider the permutation g = [1, 3, 2, 5, 4, 6] ∈ Sym6 . The fixed points of
g are 1 and 6. So fix(g) = {1, 6}. Thus the points moved by g form the set support(g) =
{2, 3, 4, 5}.

Cycles are elements in Symn of special importance.

Definition 8.2.3. Let g ∈ Symn be a permutation with support(g) = {a1 , . . . , am }, where the ai
are pairwise distinct. We say g is an m-cycle if g(ai ) = ai+1 for all i ∈ {1, . . . , m − 1} and
g(am ) = a1 . For such a cycle g we also use the cycle notation (a1 , . . . , am ).
2-cycles are called transpositions.

Example 8.2.4. • In Sym3 all elements are cycles. The identity element e is a 0 - or 1-cycle,
the other elements are 2 - or 3-cycles: (1, 2), (1, 3), (2, 3), (1, 2, 3) and (1, 3, 2). No two of
these 5 cycles are disjoint.
• In Sym4 , the element (in list notation) [2, 1, 4, 3] is not a cycle, but it is the product (1, 2)·(3, 4)
of the transpositions (1, 2) and (3, 4).

Remark 8.2.5. • The cycle notation of a permutation g does not tell us in which Symn we
are working. This is in contrast to the matrix notation. So (1, 2) might belong to Sym2
just as well as to Sym3 . This yields no real confusion because of the natural identification
of Symn−1 with the part of Symn consisting of all permutations fixing n:
Symn−1 = {g ∈ Symn | g(n) = n}.

• The composition of permutations in Symn (where n > 2) is not commutative. This means
that the products g·h and h·g are not always the same. If g·h = h·g, then we say that g and
h commute. Two cycles c and c′ are called disjoint if the intersection of their supports is
empty. Two disjoint cycles always commute. (Prove this!) A cycle (a1 , a2 , . . . , an ) also
commutes with its inverse (an , . . . , a2 , a1 ).

Every element in Symn is a product of cycles. Even more is true:

Theorem 8.2.6. Every permutation in Symn is a product of disjoint cycles. This product is
unique up to rearrangement of the factors.

Proof. First we show that every g in Symn can be written as a product of disjoint cycles (the
existence). Then we prove the uniqueness of this product. Both parts are proved by induction.

Assertion. Every permutation is a product of disjoint cycles.

We use induction with respect to the number of elements in the support of the permutation
g. If the support of g is empty, then g is e, the identity element, a 0-cycle. We regard
this as an empty product of cycles. Now assume that for some number k > 0 any element
g with |support(g)| < k can be written as a product of disjoint cycles. Let g be an element
with k elements in its support. Fix an element x in support(g). We try to ‘split off’ a cycle
containing x. We set a0 = x and ai = g(ai−1 ) for i > 0. Let m denote the smallest positive
integer for which am = x (such an m exists because X is finite and g is injective) and consider
the cycle c = (a1 , a2 , . . . , am ). Its support is a subset of support(g). So the permutation h = g·c−1
fixes all points of fix(g) as well as the points ai with 1 ≤ i ≤ m. Indeed, for 1 ≤ i ≤ m we have
h(ai ) = g·c−1 (ai ) = g(ai−1 ) = ai , where c−1 (a1 ) = am = a0 . This implies that the support of h
is contained in support(g) \ {a1 , a2 , . . . , am }. By the induction assumption we may write h as a
product of disjoint cycles c1 , c2 , . . . , cr . The support of these cycles is contained in support(h)
and therefore disjoint from {a1 , a2 , . . . , am }. But then g = h·c = c1 ·c2 · · · cr ·c is a product of
disjoint cycles. By induction we have finished the first part of the proof.

Assertion. The disjoint product decomposition is unique up to permutation of the cycles.

Assume that g is the product of the disjoint cycles c1 , c2 , . . . , ck and at the same time of the
disjoint cycles d1 , d2 , . . . , dl , all of length at least 2. We prove the uniqueness by induction on
k. The case k = 0 is trivial. So assume that k > 0. Then support(g) is not empty and we can
find an element x in support(g). As x is not fixed by g, there exist cycles ci and d j which do
not fix x. Without loss of generality we may suppose that x ∈ support(c1 ) and x ∈ support(d1 ).
Since the cycles are disjoint, the factors other than c1 fix x and all points gm (x), and likewise for
the factors other than d1 , so for every m ∈ N we have (c1 )m (x) = gm (x) = (d1 )m (x). As the supports
of c1 and d1 are exactly the sets {(c1 )m (x) | m ∈ N} and {(d1 )m (x) | m ∈ N}, this gives c1 = d1 .
But then also c2 · · · ck = (c1 )−1 ·g = (d1 )−1 ·g = d2 · · · dl . The induction hypothesis yields that
k − 1 = l − 1 and, possibly after renumbering of the indices, ci = di for all i from 1 to k. This
proves the theorem.

If a permutation is written as a product of disjoint cycles, we say that it is given in disjoint
cycles form or disjoint cycles notation. The 1-cycles are usually left out in this notation.
Example 8.2.7. The above proof actually shows how to find the disjoint cycles decomposition
of a permutation. Consider the permutation (in list notation)
g=[8, 4, 1, 6, 7, 2, 5, 3]
in Sym8 . The following steps lead to the disjoint cycles decomposition.

• Choose an element in the support of g, for example 1. Now construct the cycle
(1, g·1, g2 ·1, . . .).

In this case this cycle is (1, 8, 3). On {1, 3, 8} the permutation g and the cycle (1, 8, 3)
coincide.
• Next, choose an element in the support of g, but outside {1, 3, 8}, for example 2. Construct
the cycle
(2, g·2, g2 ·2, . . .).
In the case at hand, this cycle is (2, 4, 6). Then g and (1, 8, 3)·(2, 4, 6) coincide on the set
{1, 2, 3, 4, 6, 8}.

• Choose an element in the support of g but outside {1, 2, 3, 4, 6, 8}, say 5. Construct the
cycle
(5, g·5, g2 ·5, . . .),
i.e., (5, 7). Then g and (1, 8, 3)·(2, 4, 6)·(5, 7) coincide on {1, 2, 3, 4, 5, 6, 7, 8} and we are
done.

Note that the three cycles (1, 8, 3), (2, 4, 6), (5, 7) commute, so that g can also be written as
(5, 7)·(1, 8, 3)·(2, 4, 6) or as (2, 4, 6)·(5, 7)·(1, 8, 3), etc.

The above theorem justifies the following definition:

Definition 8.2.8. The cycle structure of a permutation g is the (unordered) sequence of the
cycle lengths in an expression of g as a product of disjoint cycles.

So, rephrasing the above theorem, we can say that every permutation has a unique cycle
structure.

The choice X={1, . . ., n} fixes the set X under consideration. Suppose someone chooses a
different numbering of the elements in X. How do we compare two permutations of X with
respect to these two numberings?
There is a permutation h of X, which changes our numbering in the new one; so h can be used
as a change of names. We describe a given permutation g with respect to the new numbering
as follows. First, we apply the ‘back-transformation‘ h−1 to our own numbering, then we
apply g, and, finally, we use h again to translate back to the other numbering.

(Diagram: a commutative square. The top row is the original numbering, X → X under g; the
bottom row is the new numbering, X → X under f . The vertical arrow on the left is h−1 , from
the new numbering to the original one, and the vertical arrow on the right is h, from the original
numbering to the new one, so that f = h·g·h−1 .)

As a formula, with respect to the new numbering, the transformation g ‘reads’ h·g·h−1 . The
map g 7→ h·g·h−1 is called conjugation with h. The cycle decomposition of g yields a nice
way to calculate the effect of conjugation with a permutation h:

Lemma 8.2.9. Let h be a permutation in Symn .

• For every cycle (a1 , . . . , am ) in Symn we have

h·(a1 , . . . , am )·h−1 = (h(a1 ), . . . , h(am )).

• If g1 , . . . , gk are in Symn , then h·g1 · · · gk ·h−1 = hg1 h−1 · · · hgk h−1 . In particular,
if g1 , . . . , gk are (disjoint) cycles, then h·g1 · · · gk ·h−1 is the product of the (disjoint)
cycles h·g1 ·h−1 , . . . , h·gk ·h−1 .

Proof. The proofs of both items in the lemma are easy verifications if you take the following
approach.

Part 1: Conjugation of a cycle.

Write c = (a1 , . . . , am ). We compute h·c·h−1 (x) by distinguishing two cases.

• If x = h(ai ) for some 1 ≤ i ≤ m: h·c·h−1 (x) = h(c(h−1 (h(ai )))) = h(c(ai )) = h(ai+1 ) (with the
convention that am+1 = a1 ).
• If x is not equal to h(ai ) for all 1 ≤ i ≤ m, then h−1 (x) is not in {a1 , . . . , am }, so that
c·h−1 (x) = h−1 (x) and consequently h·c·h−1 (x) = h(h−1 (x)) = x.

We conclude that h·(a1 , . . . , am )·h−1 = (h(a1 ), . . . , h(am )).

Part 2: Conjugation of a product of permutations.


The second item of the lemma follows once you realize that in the product hg1 h−1 · · ·hgk h−1
the pairs h−1 h cancel, so that hg1 · · ·gk h−1 is what remains. In particular, for cycles gi , the
first item of the lemma then shows that the product hg1 h−1 · · ·hgk h−1 is the product of the
cycles hgi h−1 .
If cycles have disjoint supports, then their conjugates also have disjoint supports: The support
of hch−1 , where c is a cycle, is h(support(c)) (see the first item of the lemma), so that the
supports of hg1 h−1 , . . ., hgk h−1 are the sets h(support(g1 )), . . . , h(support(gk )). Since h is a
bijection, these sets are disjoint if the sets support(g1 ) ,. . . , support(gk ) are disjoint.

Example 8.2.10. Let ABC be an equilateral triangle with vertices A, B, and C. The reflection in
the line L through B and the midpoint of the edge AC induces a permutation of the three vertices:
A 7→ C, B 7→ B, C 7→ A.

(Figure: the triangle with vertices A, B, C and the reflection line L through B.)

We can describe the reflection by the permutation (A, C).

If we name the three vertices 1, 2, 3 for A, B, C, respectively, then we can describe the reflec-
tion by the permutation (1, 3). A rotation through +120◦ is also a permutation of the three
vertices. This rotation is described by the permutation (1, 3, 2).
If we choose other names for the vertices, for example 1, 3, 2 for A, B, C, then the descriptions
of the reflection and the rotation change. The reflection is then described by (1, 2) and the
rotation by (1, 2, 3). This renumbering may be achieved by the permutation k = (2, 3). Indeed,
by Lemma 8.2.9 we see that k·(1, 3)·k−1 = (k(1), k(3)) = (1, 2) and k·(1, 3, 2)·k−1 =
(k(1), k(3), k(2)) = (1, 2, 3).
Conjugation is similar to basis transformation in linear algebra.
Conjugation is similar to basis transformation in linear algebra.

It follows that any two conjugate permutations (one permutation can be obtained from the
other by conjugation) have the same cycle structure. The converse also holds.

Theorem 8.2.11. Two elements g and h in Symn have the same cycle structure if and only
if there exists a permutation k in Symn with g = k·h·k−1 .

Proof. The ‘if’ part follows from the conjugation formulas of Lemma 8.2.9: conjugation by k
maps each cycle of length m in the disjoint cycle decomposition of h to a cycle of length m, and
disjoint cycles stay disjoint.
For the ‘only if’ part, write both g and h as a product of disjoint cycles si and t j , respectively, all
of length at least 2. Since g and h have the same cycle structure, we can write g = s1 ·s2 · · · sk and
h = t1 ·t2 · · · tk in such a way that si and ti have the same length ki for all i. Suppose
si = (si,1 , si,2 , . . . , si,ki ) and ti = (ti,1 , ti,2 , . . . , ti,ki ). Denote by u a permutation with u(si, j ) = ti, j
for all i from 1 to k and j from 1 to ki , extended to a bijection of {1, . . . , n} in an arbitrary way on
the remaining points. This is possible since the supports of the si are disjoint, as are the supports
of the ti , and both supports have the same number of elements. (Notice that there may be more
than one permutation u satisfying these requirements.) The conjugation formulas yield that
ugu−1 = h.

Example 8.2.12. In Sym4 the permutations (in list notation) g=[2, 1, 4, 3] and h=[3, 4, 1, 2]
are conjugate, since both have the cycle structure 2, 2 : g=(1, 2)·(3, 4) and h=(1, 3)·(2, 4). A
permutation k such that k·g·k−1 =h is k=[1, 3, 2, 4]. In disjoint cycles notation this is (2, 3).
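The constructions of this section (products and inverses in list notation, the order of a permutation, the disjoint cycle decomposition of Example 8.2.7, conjugation as in Lemma 8.2.9, and the construction of a conjugating permutation in the proof of Theorem 8.2.11 and Example 8.2.12) can all be turned into short programs. The Python code below is an added example and not part of the original text. Permutations are represented as tuples in list notation with 1-based entries, and compose(g, h) is the left composition g ◦ h used in this text, so results differ from GAP or Magma, which use right composition (Remark 8.1.3). All function names are my own.

```python
def compose(g, h):
    """Product g·h in list notation: (g·h)(x) = g(h(x)); h is applied first (Definition 8.1.1)."""
    return tuple(g[h[x - 1] - 1] for x in range(1, len(g) + 1))


def inverse(g):
    """g^{-1}: if g(x) = y then g^{-1}(y) = x (the 'interchange the rows' rule of Section 8.1)."""
    inv = [0] * len(g)
    for x, y in enumerate(g, start=1):
        inv[y - 1] = x
    return tuple(inv)


def identity(n):
    return tuple(range(1, n + 1))


def order(g):
    """Smallest m >= 1 with g^m = e (Definition 8.1.6); the loop terminates by Remark 8.1.8."""
    power, m = g, 1
    while power != identity(len(g)):
        power = compose(g, power)
        m += 1
    return m


def cycles(g, keep_fixed=False):
    """Disjoint cycle decomposition by the procedure of Example 8.2.7: take the smallest point
    not yet visited and follow x, g(x), g(g(x)), ... until it returns to x. Each cycle is a
    tuple starting at its smallest point; 1-cycles are omitted unless keep_fixed is set."""
    seen, result = set(), []
    for start in range(1, len(g) + 1):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = g[x - 1]
        if len(cyc) > 1 or keep_fixed:
            result.append(tuple(cyc))
    return result


def from_cycles(n, *cycs):
    """The permutation in Sym_n with the given pairwise disjoint cycles; other points are fixed."""
    g = list(range(1, n + 1))
    for cyc in cycs:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            g[a - 1] = b
    return tuple(g)


def conjugate(h, g):
    """h·g·h^{-1}; by Lemma 8.2.9 this relabels every cycle (a1,...,am) of g as (h(a1),...,h(am))."""
    return compose(compose(h, g), inverse(h))


def conjugator(g, h):
    """A permutation k with k·g·k^{-1} = h, built as in the proof of Theorem 8.2.11: the cycles
    of g and h (fixed points included as 1-cycles) are matched by length, and the points of
    each cycle of g are sent to the points of the matching cycle of h. Returns None when the
    cycle structures differ, i.e. when g and h are not conjugate."""
    cg = sorted(cycles(g, keep_fixed=True), key=len)
    ch = sorted(cycles(h, keep_fixed=True), key=len)
    if [len(c) for c in cg] != [len(c) for c in ch]:
        return None
    k = [0] * len(g)
    for c, d in zip(cg, ch):
        for a, b in zip(c, d):
            k[a - 1] = b
    return tuple(k)


if __name__ == "__main__":
    g, h = (2, 3, 1, 4), (1, 3, 4, 2)                  # Example 8.1.2
    print(compose(g, h), compose(h, g), inverse(g))   # (2,1,4,3) (3,4,1,2) (3,1,2,4)
    print(cycles((8, 4, 1, 6, 7, 2, 5, 3)))           # Example 8.2.7: (1,8,3), (2,4,6), (5,7)
    print(conjugator((2, 1, 4, 3), (3, 4, 1, 2)))     # Example 8.2.12: (2,3), i.e. (1,3,2,4)
```

Because fixed points are matched as 1-cycles, conjugator always returns a full bijection of {1, . . . , n}; as the proof of Theorem 8.2.11 notes, other choices of k exist, and the one returned depends only on the order in which the cycles are listed.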

Transpositions play an important role among permutations.

Theorem 8.2.13. Let n≥2. Every element of Symn is the product of (not necessarily
disjoint) transpositions.

Proof. Since every permutation in Symn can be written as a product of disjoint cycles , it
suffices to show that every cycle is a product of 2-cycles.
Now every m-cycle (a1 , . . ., am ), is equal to the product

(a1 , a2 )(a2 , a3 ) · · · (am−1 , am ),


and the proof is complete.

Example 8.2.14. Let a = [a1 , . . . , an ] be a list of n integers. The algorithm ‘Bubble sort’ ranks
the elements of a with respect to increasing value. The algorithm works as follows. Take an
element ai of the list, compare it with its predecessor ai−1 , and switch both elements if ai is
less than ai−1 . First, i decreases from n to 2. Then the least element is in the first position
of the list. Now one repeats the procedure, but only with i decreasing from n to 3. By this
time the second least element is in the second position. And so forth. Finally, the algorithm
yields a sorted list. The switch of two elements of the list is the transposition (i − 1, i) applied
to the positions i − 1 and i: if the list is the list notation of a permutation g, then the switched
list is the list notation of g·(i − 1, i). If a is filled with the numbers from 1 to n, so that a is a
permutation in Symn , then applying all the switches t1 , t2 , . . . , tr (in this order) yields the sorted
list [1, 2, . . . , n], i.e., a·t1 ·t2 · · · tr = e. Hence a = tr · · · t2 ·t1 , since every transposition is its own
inverse. So we may write each permutation as a product of transpositions, in particular even of
transpositions of the form (i − 1, i). This yields again a proof of the theorem.

8.3 Alternating groups

From the theory in Section 8.2, every permutation can be written as a product of transpo-
sitions. To be able to distinguish between products of even and odd length, we need the
following result.

Theorem 8.3.1. If a permutation is written in two ways as a product of transpositions, then
both products have even length or both products have odd length.

Proof. Suppose that the permutation g can be written both as the product of transpositions
c1 · · · ck with k even, and as the product of transpositions d1 · · · dm with m odd. Then, since
every transposition is its own inverse,

e = g·g−1 = c1 · · · ck ·dm · · · d1

expresses the identity as the product of an odd number k + m of transpositions. We will show
that this is impossible.
So assume that the identity element e is a product of an odd number of transpositions. We
choose such a product e = t1 · · · tm with m minimal subject to being odd. It is obvious that
m > 0 (and, since a single transposition is not the identity, even m ≥ 3).

Assertion. We may assume that t1 = (1, 2).

If t1 = (i, j), choose a permutation k with k(i) = 1 and k( j) = 2 and conjugate both sides by k.
By Lemma 8.2.9 this turns e = t1 · · · tm into e = (k t1 k−1 ) · · · (k tm k−1 ), a product of the same
number m of transpositions, the first of which is (1, 2).

Assertion. We may assume that there is some l > 0 with t1 up to tl all moving 1, that is,
ti =(1, ai ) for all i≤l, and that tl+1 up to tm all fix 1.

Applying the formulas (a, b)·(1, c)=(1, c)·(a, b) and (a, b)·(1, b)=(1, a)·(a, b), where 1, a, b
and c are different numbers in {1, . . ., n}, we can shift all transpositions which contain 1 to
the front without violating the minimality of m.

Assertion. There is an index i with i ∈ {2, . . . , l} such that ti = t1 .

Since tl+1 , . . . , tm all fix 1, we must have t1 ·t2 · · · tl (1) = e(1) = 1, so t2 · · · tl (1) = t1 (1) = 2.
Therefore 2 lies in the support of t2 · · · tl , and at least one of the ai with 2 ≤ i ≤ l is equal to 2,
i.e., ti = (1, 2) = t1 .

Final contradiction.

We have ti = t1 = t1−1 , and, because of the minimality of m, also t2 ≠ t1 (otherwise t1 ·t2 = e
and e = t3 · · · tm would be a product of m − 2 transpositions). Hence

e = t1 · · · tm = t1 ·(t2 · · · ti−1 )·t1−1 ·ti+1 · · · tm = s2 · · · si−1 ·ti+1 · · · tm ,

where s j = t1 ·t j ·t1−1 for j ∈ {2, . . . , i − 1} is also a transposition by Lemma 8.2.9. We have
written e as a product of m − 2 transpositions. This contradicts the minimality of m.

In other words, no permutation can be written both as a product of transpositions of even
length and as such a product of odd length. So if one product involves an even (odd) number
of factors, then all products involve an even (odd) number of factors.

This justifies the following definition.



Definition 8.3.2. Let g be an element of Symn . The sign (signum) of g, denoted by sign(g), is
defined as

• 1 if g can be written as a product of an even number of 2-cycles, and
• −1 if g can be written as a product of an odd number of 2-cycles.

By Theorem 8.2.13 at least one of the two cases applies, and by Theorem 8.3.1 at most one.
We say that g is even if sign(g) = 1 and odd if sign(g) = −1.

The sign is multiplicative.

Theorem 8.3.3. For all permutations g, h in Symn , we have

sign(g·h)=sign(g)·sign(h).

Proof. Let g and h be elements of Symn . Write g as a product of p transpositions and h as a
product of q transpositions; then g·h is a product of p + q transpositions.
If one of the permutations is even and the other is odd, then p + q is odd, so g·h is odd.
If g and h are both even or both odd, then p + q is even, so g·h is even.

We also say that sign is a multiplicative map from Symn to {1, −1}. (The notion morphism
explores this view further in a general context.)
Remark 8.3.4. • The sign of a permutation and its inverse are the same. There are vari-
ous ways to see this, one of which is based on the multiplicative property of the sign.
Since g·g−1 =e, we find sign(g) · sign(g−1 ) = sign(gg−1 ) = sign(e) = 1, so that sign(g)
and sign(g−1 ) must both be 1 or both be −1.

• Every m-cycle (a1 , . . ., am ) can be written as the product of m − 1 transpositions:

(a1 , . . ., am )=(a1 , a2 )·(a2 , a3 )·. . .·(am−1 , am ).

Since transpositions are odd, the multiplicativity of the sign implies that the sign of an m -
cycle is (−1)m−1 , i.e., a cycle of even length is odd and a cycle of odd length is even.

The previous theorem implies the following way of determining the sign.

Corollary 8.3.5. If a permutation g is written as a product of cycles, then sign(g) = (−1)w ,
where w is the number of cycles of even length.

Proof. Since sign is a multiplicative mapping, the sign of g is the product of the signs of the
factors. By Remark 8.3.4 a cycle of odd length has sign 1 and a cycle of even length has sign
−1, so we only need to count the number of cycles of even length.

Application 8.3.6. Permutations and the sign of permutations occur in the explicit expression
for determinants. If A is an n by n matrix with entries $A_{ij}$ then the determinant det(A) is the
sum over all n! permutations g in Symn of the products $\mathrm{sign}(g) \cdot A_{1g(1)} \cdot A_{2g(2)} \cdots A_{ng(n)}$, i.e.,

$\det(A) = \sum_{g \in \mathrm{Sym}_n} \mathrm{sign}(g) \cdot A_{1g(1)} \cdot A_{2g(2)} \cdots A_{ng(n)}.$

In the case of a 2 by 2 matrix A we find two terms: $A_{11} \cdot A_{22}$ corresponding to the identity
permutation, which has sign 1, and $-A_{12} \cdot A_{21}$ corresponding to the permutation (1, 2), which
has sign −1.
Summing yields the familiar formula

$\det(A) = A_{11} \cdot A_{22} - A_{12} \cdot A_{21}.$

It is still easy to write down the explicit 6 term formula for a 3 by 3 determinant, but since n!
grows so rapidly, the formula becomes quite impractical for computations if n gets large. For
computations of determinants more practical methods are available derived from the above
formula. Such methods are discussed in courses on linear algebra.

The fact that sign is multiplicative implies that products and inverses of even permutations
are even. This gives rise to the following definition.
Definition 8.3.7. By Altn we denote the set of even permutations in Symn . We call Altn the
alternating group on n letters.
The alternating group is closed with respect to taking products and inverse elements.

Example 8.3.8. For n = 3, the even permutations are (in cycle notation): e, (1, 2, 3) and (1, 3, 2).

There are just as many even as odd permutations in Symn .


Theorem 8.3.9. For n > 1, the alternating group Altn contains precisely n!/2 elements.

Proof. An element g of Symn is even (respectively, odd), if and only if the product g·(1, 2) is
odd (respectively, even). Hence the map g7→g·(1, 2) defines a bijection between the even and
the odd elements of Symn . But then precisely half of the n! elements of Symn are even.

3-cycles are the smallest nontrivial even cycles. They are the building blocks for even per-
mutations:

Theorem 8.3.10. Every even permutation is a product of 3-cycles.

Proof. Every element of Altn is a product of an even number of transpositions. Hence it
suffices to prove that each product of two transpositions, different from the identity element,
can be written as a product of 3-cycles.
Let (a, b) and (c, d) be two different transpositions.
If a, b, c and d are pairwise distinct, then

(a, b) · (c, d)=(a, b) · (b, c) · (b, c) · (c, d)=(a, b, c) · (b, c, d).

Without loss of generality we are left with the case where a, b, d are pairwise distinct and
b=c. But then (a, b) · (b, d)=(a, b, d).
This proves the theorem.
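The bubble sort argument of Example 8.2.14, the sign of Definition 8.3.2, the determinant formula of Application 8.3.6 and the 3-cycle decomposition of Theorem 8.3.10 can all be checked mechanically. The Python code below is an added example and not part of the original text; as before, permutations are tuples in list notation with 1-based entries and the product is left composition. The sign is computed by counting the swaps made by bubble sort, which by Example 8.2.14 expresses g as a product of adjacent transpositions, and the 3-cycle decomposition rewrites consecutive pairs of those transpositions exactly as in the proof of Theorem 8.3.10. All function names are my own.

```python
from itertools import permutations


def bubble_sort_transpositions(g):
    """Run the bubble sort of Example 8.2.14 on the list notation of g. Each swap of the entries
    at positions i-1 and i is recorded as the adjacent transposition (i-1, i); the swap turns
    the list of the current permutation p into the list of p·(i-1, i)."""
    a, n, swaps = list(g), len(g), []
    for p in range(1, n):                  # after pass p the p smallest entries are in place
        for i in range(n, p, -1):          # i runs from n down to p + 1 (1-based positions)
            if a[i - 1] < a[i - 2]:
                a[i - 2], a[i - 1] = a[i - 1], a[i - 2]
                swaps.append((i - 1, i))
    return swaps


def as_transpositions(g):
    """g as a product of adjacent transpositions: bubble sort gives g·t1·t2···tr = e, hence
    g = tr···t2·t1 since each transposition is its own inverse. Rightmost factor applies first."""
    return list(reversed(bubble_sort_transpositions(g)))


def sign(g):
    """sign(g) = (-1)^r with r the number of transpositions in any expression of g as such a
    product (well defined by Theorem 8.3.1)."""
    return -1 if len(bubble_sort_transpositions(g)) % 2 else 1


def compose(g, h):
    """Product g·h in list notation: (g·h)(x) = g(h(x))."""
    return tuple(g[h[x - 1] - 1] for x in range(1, len(g) + 1))


def cycle(n, cyc):
    """The single cycle cyc = (a1, ..., am) as an element of Sym_n."""
    g = list(range(1, n + 1))
    for a, b in zip(cyc, cyc[1:] + cyc[:1]):
        g[a - 1] = b
    return tuple(g)


def product_of_cycles(n, cycs):
    """c1·c2···ck in Sym_n for a list of (not necessarily disjoint) cycles, rightmost applied first."""
    g = tuple(range(1, n + 1))
    for c in cycs:
        g = compose(g, cycle(n, c))
    return g


def as_three_cycles(g):
    """An even permutation as a product of 3-cycles, following the proof of Theorem 8.3.10:
    pair up consecutive transpositions p·q of as_transpositions(g) and rewrite each pair as
    (a,b)(c,d) = (a,b,c)(b,c,d) when disjoint and (a,s)(s,d) = (a,s,d) when they share s."""
    ts = as_transpositions(g)
    if len(ts) % 2:
        raise ValueError("an odd permutation is not a product of 3-cycles")
    result = []
    for p, q in zip(ts[0::2], ts[1::2]):
        shared = set(p) & set(q)
        if len(shared) == 2:               # p·q = e contributes nothing
            continue
        if len(shared) == 1:
            s = shared.pop()
            a = (set(p) - {s}).pop()
            d = (set(q) - {s}).pop()
            result.append((a, s, d))
        else:
            (a, b), (c, d) = p, q
            result.extend([(a, b, c), (b, c, d)])
    return result


def determinant(A):
    """det(A) by the formula of Application 8.3.6: the sum over all g in Sym_n of
    sign(g)·A[1][g(1)]···A[n][g(n)]; n! terms, so only practical for small n."""
    n = len(A)
    total = 0
    for g in permutations(range(1, n + 1)):
        term = sign(g)
        for i in range(1, n + 1):
            term *= A[i - 1][g[i - 1] - 1]
        total += term
    return total


def sign_is_multiplicative(n):
    """Checks Theorem 8.3.3 on all pairs in Sym_n."""
    sym = list(permutations(range(1, n + 1)))
    return all(sign(compose(g, h)) == sign(g) * sign(h) for g in sym for h in sym)


def even_permutations(n):
    """Alt_n as a list (Definition 8.3.7); by Theorem 8.3.9 it has n!/2 elements."""
    return [g for g in permutations(range(1, n + 1)) if sign(g) == 1]


def three_cycle_decomposition_is_correct(n):
    """Checks Theorem 8.3.10 on all of Alt_n by multiplying the 3-cycles back together."""
    return all(product_of_cycles(n, as_three_cycles(g)) == g for g in even_permutations(n))
```

Counting bubble sort swaps is the same as counting inversions of the list, which is the usual way to compute the sign in practice; the determinant function is deliberately the n!-term formula of the text rather than the row reduction one would use for real work.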

8.4 Exercises

Exercise 8.4.1. In Sym6 we choose the permutations a=(1, 2, 3) , b=(2, 3, 4, 5, 6) and c=(1, 4, 6, 3).

(a) Calculate a−1 , a·b·c, a·b·c2 , c−1 ·b and (a·c·b)−1 .

(b) Calculate the sign of each of the above permutations.



Exercise 8.4.2. Let g be a permutation in Symn . Show that if i∈support(g), then g(i)∈support(g).

Exercise 8.4.3. How many elements of Sym5 have the cycle structure 2, 3?

Exercise 8.4.4. Let g be the permutation

(1, 2, 3)·(2, 3, 4)·(3, 4, 5)·(4, 5, 6)·(5, 6, 7)·(6, 7, 8)·(7, 8, 9)

in Sym9 .

(a) Write g as a product of disjoint cycles.


(b) Calculate the fixed points of g.
(c) Write g−1 as a product of disjoint cycles.
(d) Is g even?

Exercise 8.4.5. (a) If the permutations g and h in Symn have disjoint supports, then g and
h commute, i.e., g·h=h·g. Prove this.
(b) Suppose that the permutations g and h in Symn commute. Prove that (g·h)m =gm ·hm
for all positive numbers m.
(c) Suppose that the permutations g and h in Symn have disjoint supports. Prove that
(g·h)m =1 for some positive number m implies that gm =1 and hm =1.
(d) If the permutation has order t and if gm = id for some positive number m, show that t
divides m. In particular, if c is a t-cycle and cm = id for some positive number m, then
m is divisible by t.

Exercise 8.4.6. (a) Prove that for n > 4 every permutation in Symn can be written as a
product of 4-cycles.
(b) Prove that for n > 5 every even permutation can be written as a product of 5-cycles.

Exercise 8.4.7. Let a=(1, 2, 3)(4, 7, 9)(5, 6). Determine an element b in Sym9 such that
b·a·b−1 =(9, 8, 7)(6, 5, 4)(3, 2).

Exercise 8.4.8. Let g be an element of Symn with n > 2.

(a) If g commutes with the transposition (i, j), where i ≠ j, then g(i)∈{i, j}. Prove this.
(b) Show that g·i=i, whenever g commutes with the transpositions (i, j) and (i, k), where
i, j, k are mutually distinct.
(c) Prove that the identity map is the only permutation in Symn that commutes with all
elements of Symn .

Exercise 8.4.9. Write all elements of Alt4 as products of disjoint cycles.

Exercise 8.4.10. Let a=(1, 2) and b=(2, . . ., n).



(a) Calculate b·a·b−1 .
(b) Calculate bk ·a·b−k , for k∈N.
(c) Prove that every element of Symn can be written as a product of elements from {a, b, b−1 }.

Exercise 8.4.11. Label the vertices of a quadrangle with the numbers 1 to 4.

(a) Which permutation of the four vertices describes the rotation through + 90 ° whose
center is the middle point of the quadrangle? And which one describes the reflection in
the diagonal through the vertices 1 and 3 ?
(b) Determine the permutations g of Sym4 satisfying: If {i, j} is an edge of the quadrangle,
then so is {g(i), g( j)}.
(c) Describe each of the permutations of the above part in geometric terms as a reflection
or a rotation. Which of these permutations are even?
 
Exercise 8.4.12. Put the numbers 1, 2, 3, 4 into a 2 by 2 matrix as follows:
  1 2
  3 4

(a) Suppose you are allowed to interchange two columns or two rows. Which permutations
of Sym4 can you get using these moves repeatedly? What if you allow as extra type of
move a reflection in the diagonal of the matrix?
(b) Suppose you are allowed to do the following types of moves: Choose a column or row
and interchange the two entries. What permutations do you get this way?
 
(c) Now consider the 3 by 3 matrix
  1 2 3
  4 5 6
  7 8 9
Individual moves are: Choose two rows (or two columns) and interchange them. Show that
you can label each resulting permutation with a pair of permutations from Sym3 ×Sym3.
Conclude that you get 36 permutations.

Exercise 8.4.13. Label the vertices of a regular tetrahedron with the integers 1, 2, 3, 4 (see
figure). Consider the following moves: For each face of the tetrahedron the corresponding
move consists of turning the face 120 degrees clockwise or counter clockwise and moving the
labels accordingly (so the vertex opposite the face remains fixed). After applying a number
of moves, we read off the resulting permutation g in the obvious way: g(i) is the new label of
vertex i.

(a) List the 8 moves as permutations.


(b) Suppose, after a number of moves, we have obtained the permutation g. Show that
applying a move h leads to the permutation g·h−1 .
(c) Which permutations of 1, 2, 3, 4 can you get by using these moves?

Chapter 9

Arithmetic

In this chapter we study properties of the set Z of integers. We mainly deal with its multiplicative
structure and discuss notions such as the greatest common divisor (gcd) and the
least common multiple (lcm) of two (or more) integers.

9.1 Divisors and Multiples

Let Z denote the set of integers. We know how to add integers, how to subtract them and how
to multiply them. Division is a bit harder.
A schematic representation of all positive divisors of 30.
Definition 9.1.1. Let a ∈ Z and b ∈ Z.

• We call b a divisor of a, if there is an integer q such that a = q· b.
• If b is a nonzero divisor of a then the (unique) integer q with a = q· b is called the quotient
of a by b and denoted by a/b (the fraction a over b) or quot(a, b).

If b is a divisor of a, we also say that b divides a, or a is a multiple of b, or a is divisible by
b. We write this as b|a.

Example 9.1.2. If a = 13 and b = 5 then b does not divide a. Indeed, if there were an integer
q such that a = q· b, then q should be between 2 and 3, so q = 2 or q = 3. But neither value
of q works. For instance, the former choice gives remainder 3 as a = 2· b + 3.
However, if a = 15 and b = 5 then b does divide a, as a = 3· b. So, in the latter case, the
quotient of a by b equals 3.

Example 9.1.3. For all integers n we find n − 1 to be a divisor of n² − 1.
Indeed, n² − 1 = (n + 1) · (n − 1).
More generally, for all m > 2 we have n^m − 1 = (n − 1) · (n^(m−1) + n^(m−2) + · · · + 1). So, n − 1
divides n^m − 1.

Example 9.1.4. The even integers are simply the integers divisible by 2, such as 2, 6, and
−10. Any even integer can be written in the form 2· m for some integer m.
The integers which are not divisible by 2, like 1 and −7, are usually called odd.

The following observations are straightforward, but very useful.

Lemma 9.1.5. Suppose that a, b and c are integers.

(a) If a divides b, and b divides c, then a divides c.
(b) If a divides b and c, then a divides x· b + y· c for all integers x and y.
(c) If b is nonzero and if a divides b, then |a| ≤ |b|.

Proof.
Assertion. Part (a).
Suppose a divides b, and b divides c. Then there exist integers u and v such that b = u· a and
c = v· b. Consequently, c = v· (u· a). Hence, c = (v· u)· a, and so a divides c.
Assertion. Part (b).
Suppose that a divides b and c. Then there exist integers u and v such that b = u· a and c = v· a.
So, for all integers x and y, we have x· b + y· c = x· u· a + y· v· a. But this equals (x· u + y· v) · a.
Hence, x· b + y· c is a multiple of a for all integers x and y.
Assertion. Part (c).
Since a divides b, there exists an integer q such that q· a = b. As b is nonzero, q must be
nonzero. From this equality we get |q| · |a| = |b|. Since |q| ≥ 1, we conclude that |a| ≤ |b|.

Clearly, division is not always possible within the integers. Indeed, suppose you need to fit
rods of length b = 4 one after the other in a box of length a = 23. Then you can fit 5 rods
in the box, and there will be an open space of length 3. This is an example of division with
remainder.
Here is a precise statement about division with remainder.

A division with remainder.

Theorem 9.1.6 (Division with Remainder). If a ∈ Z and b ∈ Z \ {0}, then there are
unique integers q and r such that a = q· b + r, |r| < |b|, and a· r ≥ 0.

Proof. In the case where both a and b are positive, the proof is roughly as follows. Find the
greatest multiple q· b of b that is less than or equal to a; this can be accomplished by starting
with q = 0 and increasing q by 1 until a − (q + 1) · b < 0. Then r = a − q· b.
A proof follows that proceeds by induction on |a|.
Assertion. The theorem holds if |a| = 0.

Suppose |a| = 0. Then a = 0. Clearly, q = 0 and r = 0 is a solution. To show that this solution
is unique, suppose that q and r represent a solution. Then r = (−q) · b. If q ≠ 0, then |q| ≥ 1,
so |r| ≥ |b|, which contradicts the requirement |r| < |b|. Hence q = 0. It immediately follows
that also r = 0. This establishes uniqueness of the solution.
Assertion. Existence of q and r for nonnegative a and b.
Suppose that a and b are nonnegative. If a < b, then we set q = 0 and r = a. If a ≥ b,
then |a − b| < |a|, so the induction hypothesis implies that there exist integers q′ and r′ (with
0 ≤ r′ < b) such that a − b = q′· b + r′. This rewrites to a = (q′ + 1) · b + r′. Now q = q′ + 1
and r = r′ satisfy the requirements of the theorem.
Assertion. Existence of q and r for negative a and positive b.
If a < 0, then −a > 0, so by the above assertion there are q′ and r′ with −a = q′· b + r′ with r′
non-negative and |r′| < |b|. But then a = (−q′) · b + (−r′) with |−r′| < |b| and a· (−r′) ≥ 0.
So q = −q′ and r = −r′ satisfy the requirements of the theorem.
Assertion. Existence of q and r for negative b.
If b is negative, then applying one of the two previous assertions to −a and −b yields q′ and r′
with −a = q′· (−b) + r′, where r′ satisfies |r′| < −b and (−a) · r′ ≥ 0. If we take q = −q′ and
r = −r′ then a = q· b + r and |r| < |b| and a· r ≥ 0 as required. We have shown the existence
of both q and r.

Assertion. Uniqueness of q and r for nonzero a.
Suppose that a = q· b + r and a = q′· b + r′ with both |r| and |r′| less than |b| and satisfying
a· r ≥ 0 and a· r′ ≥ 0.
Suppose moreover that r ≥ r′. This restriction is not essential as the roles of r and r′ can be
interchanged. By subtracting the two equalities we find r − r′ = (q′ − q) · b. Now, since a is
nonzero, r and r′ have the same sign. But then, as both r and r′ are in absolute value less
than |b|, we find that r − r′ < |b|. It follows that the integral multiple (q′ − q) · b of b satisfies
(q′ − q) · b ∈ [0, |b|). This can only happen if q′ − q = 0. In other words, q = q′. It also follows
that r = r′.

Example 9.1.7. If a = 23 and b = 7, then division of a by b yields 23 = 3· 7 + 2. So, the
quotient of a = 23 by b = 7 equals 3 and the remainder is 2.
If a = −23 and b = 7, the quotient and remainder are q = −3 and r = −2, respectively.
Finally, if a = −23 and b = −7, the quotient and remainder are q = 3 and r = −2, respectively.

Example 9.1.8. For all integers n greater than 2 the remainder of n² + 1 divided by n + 1 is 2.
This follows immediately from the equality n² + 1 = (n + 1) · (n − 1) + 2.
What is the remainder when n is less than or equal to 2?

Example 9.1.9. An odd integer leaves remainder 1 or −1 upon division by 2, since these
are the only two nonzero integers whose absolute value is less than 2. Any odd integer can
therefore be written in the form 2· m + 1 or 2· m − 1 for some integer m. In particular, adding
or subtracting 1 from an odd integer gives an even integer. Likewise, adding or subtracting 1
from an even integer produces an odd integer.

Remark 9.1.10. The definitions of quotient and remainder as given here are used in many
programming languages and computer algebra packages, see for example Java or GAP. However,
sometimes slightly different definitions are used. For example, in Mathematica the
remainder r of a divided by b is defined by the property that a = q· b + r for some integer q
where |r| < |b| and b· r ≥ 0.

The integer q of the theorem is called the quotient of a divided by b. It is denoted by
quot(a, b). The integer r is called the remainder of a divided by b and will be denoted by
rem(a, b).
The Division with Remainder Theorem (9.1.6) states that there exist a quotient q and a remainder
r, but it does not tell you how to find those two integers. A standard and well-known
algorithm is of course long division. We describe (a variation of) this algorithm for finding q
and r.
Algorithm 9.1.11 (Division and Remainder). • Input: an integer a and a nonzero integer b.
• Output: the quotient q and remainder r of a upon division by b as a list [q, r].

DivisionRemainder := procedure(a, b)
  local variables q := 0 , r, x
  while (q + 1) · |b| ≤ |a| do
    x := q , q := x + 1
  r := |a| − q· |b|
  if (a ≥ 0) ∧ (b > 0) then return [q, r]
  else if (a ≥ 0) ∧ (b < 0) then return [−q, r]
  else if (a < 0) ∧ (b > 0) then return [−q, −r]
  else return [q, −r]

Proof.
Assertion. Correctness.
By construction we have a = q· b + r. Moreover, as |q| · |b| ≤ |a| < (|q| + 1) · |b| we find
|r| < |b|. This proves correctness.
Assertion. Termination.

Since b is nonzero, the while loop will end. Thus the algorithm terminates.
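Algorithm 9.1.11 and the sign convention of Remark 9.1.10 can be compared directly in code. The Python below is an added example, not code from the book: division_remainder follows the DivisionRemainder procedure step by step, satisfies_theorem checks the three requirements of Theorem 9.1.6, and divisor_sign_convention uses Python's built-in divmod, whose remainder carries the sign of the divisor, which is exactly the property b·r ≥ 0 mentioned for Mathematica. The function names are this example's own.

```python
"""Division with remainder under the convention of Theorem 9.1.6
(a = q·b + r, |r| < |b|, a·r ≥ 0), following Algorithm 9.1.11, beside the
other convention of Remark 9.1.10 (b·r ≥ 0), which Python's divmod uses."""


def division_remainder(a, b):
    """Return [q, r] exactly as the DivisionRemainder procedure of the text."""
    if b == 0:
        raise ZeroDivisionError("b must be nonzero")
    q = 0
    while (q + 1) * abs(b) <= abs(a):      # greatest q with q·|b| ≤ |a|
        q += 1
    r = abs(a) - q * abs(b)                # 0 ≤ r < |b|
    if a >= 0 and b > 0:
        return [q, r]
    if a >= 0 and b < 0:
        return [-q, r]
    if a < 0 and b > 0:
        return [-q, -r]
    return [q, -r]


def satisfies_theorem(a, b, q, r):
    """The three requirements of Theorem 9.1.6 on a quotient q and remainder r."""
    return a == q * b + r and abs(r) < abs(b) and a * r >= 0


def divisor_sign_convention(a, b):
    """Quotient and remainder with b·r ≥ 0 (the Mathematica convention of
    Remark 9.1.10).  Python's divmod gives the remainder the sign of the
    divisor, so it satisfies this property; the assertion checks it."""
    q, r = divmod(a, b)
    assert a == q * b + r and abs(r) < abs(b) and b * r >= 0
    return [q, r]
```

On the inputs of Example 9.1.7 the two conventions differ for negative a: division_remainder(-23, 7) returns [-3, -2], while divisor_sign_convention(-23, 7) returns [-4, 5]. Code that ports a remainder computation between languages has to know which of the two it is getting.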

For a better understanding of the relations between two or more integers, it is useful to consider
the divisors and multiples they have in common.

Positive common divisors of 18 and 24.


Definition 9.1.12. Let a and b be integers.

• An integer d is a common divisor of a and b if d|a and d|b.
• If a and b are not both zero, the largest common divisor of a and b exists (see below) and
is called the greatest common divisor of a and b.
We denote the greatest common divisor (gcd) of a and b by gcd (a, b).
• If the greatest common divisor of a and b equals 1, then a and b are called relatively prime.

Example 9.1.13. The positive divisors of a = 24 are 1, 2, 3, 4, 6, 8, 12, and 24. Those of
b = 15 are 1, 3, 5, and 15. Hence, the common divisors of a and b are 1 and 3 and their
negatives. So the greatest common divisor equals 3.

Example 9.1.14. The positive common divisors of a = 24 and b = 16 are 1, 2, 3, 4, and 8.
Hence, the greatest common divisor of a and b equals 8.

Example 9.1.15. Suppose that n > 1 is an integer. Then any common divisor of n + 1 and
n − 1 is also a divisor of n + 1 − (n − 1) = 2. Hence gcd (n + 1, n − 1) = 2 if n is odd, and
gcd (n + 1, n − 1) = 1 if n is even.

Remark 9.1.16. If b divides a, then so does −b. For, if a = q· b, then a = (−q) · (−b). In
particular, any nonzero integer has positive divisors, so gcd (a, b) > 0 if a or b is nonzero.
Since the divisors of a coincide with those of |a|, we have gcd (a, b) = gcd (|a| , |b|).

If a and b are not both 0, their greatest common divisor exists. To see this, first note that the
set of common divisors of a and b is certainly bounded above by the largest of |a| and |b| by
Properties of Divisors (9.1.5). Since the set is nonempty (1 is in it), it must have a largest
element.
For the sake of completeness, we define the greatest common divisor of 0 and 0 to be 0.
The greatest common divisor of more than two integers is defined analogously.
Just like studying common divisors of two integers, we can also consider common multiples
of two (or more) integers.

Some positive common multiples of 2 and 7.


Definition 9.1.17. Let a and b be nonzero integers.

• The integer c is a common multiple of a and b if c is a multiple of a and of b (that is, a|c
and b|c).

• The smallest positive common multiple of a and b is called the least common multiple of a
and b.

We denote the least common multiple (lcm) of a and b by lcm (a, b).

Example 9.1.18. The first 5 positive multiples of a = 13 are 13, 26, 39, 52, and 65.
The first 13 multiples of b = 5 are 5, 10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 60, and 65.
So, the only positive common multiple of a = 13 and b = 5 less than or equal to a· b is 65.
In particular, lcm (13, 5) = 65.

For any two nonzero integers a and b there exists a positive common multiple, namely |a· b|.
As a consequence, the least common multiple of a and b is well defined.
Of course, the least common multiple of more than two integers can be defined in a similar
way.
The least common multiple and the greatest common divisor of two integers are closely
related.

Theorem 9.1.19 (Relation between gcd and lcm). Let a and b be positive integers.
Then a· b = gcd (a, b) · lcm (a, b).

Proof. Our strategy is to apply division with remainder to a· b and lcm (a, b), and relate the
quotient to gcd (a, b). Let q be the quotient and let r be the remainder of this division.
First we investigate the remainder r. We rewrite a· b = q· lcm (a, b)+r as r = a· b−q· lcm (a, b).
Since both a· b and lcm (a, b) are divisible by a and b, we infer that the remainder r is also
divisible by a and b. In other words, r is a common multiple of a and b. But r < lcm (a, b) by
the Division with Remainder Theorem (9.1.6), so r = 0. Consequently, a· b = q· lcm (a, b).
Next, we claim that q divides a and b. To see this, first let u be such that lcm (a, b) = u· b.
Multiplying both sides by q gives a· b = q· u· b. As b is nonzero, this equality can be simplified
to a = q· u, which proves the claim that q divides a. The proof that q divides b is entirely
similar.
So q is a common divisor of a and b. In particular, q is less than or equal to gcd (a, b).
Finally, we show that q is also greater than or equal to gcd (a, b).
Since gcd (a, b) divides both a and b, (a· b)/gcd (a, b) is also a common multiple of a and b.
As (a· b)/q is the least common multiple of a and b, we conclude that q is greater than or
equal to gcd (a, b). Hence q equals gcd (a, b), which proves the theorem as a· b = q· lcm (a, b).

The above theorem enables us to compute the lcm of two integers from the gcd and vice
versa.
Example 9.1.20. For a = 24 and b = 15, we find gcd (a, b) = 3, lcm (a, b) = 120 and a· b =
360. We see that 3· 120 = 360.

Example 9.1.21. Suppose that n > 1 is an integer. Then, as we have seen in Example 9.1.15,
gcd (n + 1, n − 1) = 2 if n is odd, and gcd (n + 1, n − 1) = 1 if n is even. So, lcm (n + 1, n − 1) =
(n + 1) · (n − 1)/2 if n is odd, and lcm (n + 1, n − 1) = (n + 1) · (n − 1) if n is even.

9.2 Euclid’s algorithm


The greatest common divisor of two integers a and b can be determined by Euclid’s Algorithm,
one of the most important algorithms we will encounter. It is based on the observation
that, if a = q· b + r, then gcd (a, b) is equal to gcd (b, r), see Properties of Divisors (9.1.5),
where q = quot(a, b) and r = rem(a, b).
For simplicity, we will assume the arguments of gcd to be positive. This does not really
restrict us when we bear in mind that the arguments of gcd can be replaced by their absolutes
in view of .

Euclid of Alexandria (about 325 BC-265 BC).


Algorithm 9.2.1 (Euclid’s Algorithm). • Input: two positive integers a and b.
• Output: the gcd of a and b.
GCD := procedure(a, b)
  local variables c
  while b > 0 do
    c := a , a := b , b := rem(c, b)
  return a

Proof. We use three properties of the greatest common divisor of nonnegative integers that
follow from Properties of Divisors (9.1.5):

gcd (a, b) = gcd (b, a) (9.1)

gcd (a, b) = gcd (a, b − k· a) (9.2)

(for every integer k), and

gcd (a, 0) = a (9.3)



Assertion. Correctness.

If a′ and b′ denote the values of a and b, respectively, at the end of the body of the while loop,
then a′ = b and b′ = a − q· b, where q is the quotient of division with remainder of a by b.
By the first two of the three properties, the greatest common divisor is an invariant, that is,
gcd (a′, b′) = gcd (a, b). As a consequence, the value of gcd (a, b) remains unaffected upon
changing the arguments. At the end of the while loop, b′ = 0, so the third property gives that
the output a′ = gcd (a′, 0) = gcd (a′, b′) is equal to the initial value of gcd (a, b).
Assertion. Termination.

The variable b decreases with each step. (By a step we mean one pass through the full body
of the while loop.) After at most b steps we arrive at the point where b equals 0. Then the
algorithm ends.

Remark 9.2.2. The while loop in Euclid’s Algorithm can be described rather conveniently in
matrix form. Let q be the quotient of division of a by b. Then the vector (a, b)^T is replaced
by (b, a − q· b)^T. We can also write this as the product of the matrix M and the vector (a, b)^T,
where M is the 2 by 2 matrix with rows (0, 1) and (1, −q).

Example 9.2.3. Euclid’s Algorithm computes the greatest common divisor of two positive
integers. In this example, you can see all the steps of the algorithm.
We compute the greatest common divisor of a = 123 and b = 13.
In each step of the algorithm we replace (simultaneously) a by b, and b by the remainder of
a divided by b.
The algorithm starts with a = 123 and b = 13.
Each row of the following table represents a step in the algorithm.

Step n a b
0 123 13
1 13 6
2 6 1
3 1 0

Since the value of the second parameter has become 0, the algorithm stops.
We conclude that the greatest common divisor of a = 123 and b = 13 equals 1.

Example 9.2.4. In this example, we compute the greatest common divisor of a = 56 and
b = 36.
In the following table you find the values of a and b in each step of Euclid’s Algorithm.

Step n a b
0 56 36
1 36 20
2 20 16
3 16 4
4 4 0

Since the value of the second parameter has become 0, the algorithm stops.
We conclude that the greatest common divisor of a = 56 and b = 36 equals 4.

There is also an extended version of Euclid’s Algorithm (9.2.1), which determines, apart
from gcd (a, b), integers x and y such that a· x + b· y = gcd (a, b). We say that gcd (a, b) can be
expressed as an integral linear combination of a and b. To find such an integral linear combination
for gcd (a, b), we record at each step of Euclid’s Algorithm (9.2.1) how to express the
intermediate results in the input integers.

One step in the Extended Euclidean Algorithm applied to 67 and 24. Using the expressions
for the intermediate results 19 and 5, the next occurring integer, 4, can also be expressed in
the input values.
Algorithm 9.2.5 (Extended Euclidean Algorithm). • Input: positive integers a and b.
• Output: list of integers [g, x, y] with g = gcd (a, b), and g = x· a + y· b.
ExtendedGCD := procedure(a, b)
  local variables a1 , b1 , u1 , v1 , x1 , y1
  u := 0 , v := 1 , x := 1 , y := 0
  while b > 0 do
    a1 := a , b1 := b
    u1 := u , v1 := v , x1 := x , y1 := y
    a := b1 , b := rem(a1 , b1 )
    x := u1 , y := v1
    u := x1 − quot(a1 , b1 )· u1 , v := y1 − quot(a1 , b1 )· v1
  return [a, x, y]

Proof.
Assertion. Correctness.
Find the gcd of a and b using Euclid’s Algorithm (9.2.1). In each step of the while-loop of the
algorithm the two input values are changed into two new values. These values can be defined
recursively by a0 = a and b0 = b and for n ≥ 1 by an+1 = bn and bn+1 = an − quot(an , bn )· bn .
We prove by induction on n that every an and bn can be written as a linear combination of a
and b with integer coefficients.
For n = 0 this is trivial.
Suppose for some n we have an = x· a + y· b and bn = u· a + v· b for certain integers x, y, u,
and v. Then after the next step we obtain an+1 = bn which equals u· a + v· b. Thus also an+1
is a linear combination of a and b with integer coefficients.
Furthermore we have bn+1 = an −q· bn . So, bn+1 = x· a+y· b−q· (u· a + v· b) = (x − q· u) · a+
(y − q· v) · b, where q = quot(an , bn ). In particular, also bn+1 is a linear combination of a and
b with integer coefficients.
By induction we have proven for all n that an and bn can be written as a linear combination
of a and b with integer coefficients.
Since Euclid’s algorithm will eventually return the gcd of a and b as an for some n, the
extended Euclidean algorithm will output integers x and y with gcd (a, b) = x· a + y· b.
Assertion. Termination.

As Euclid’s Algorithm (9.2.1) terminates, so does the extended Euclidean algorithm.

Remark 9.2.6. Integers x and y satisfying x· a + y· b = gcd (a, b) are not unique, since, for any
integer t, we have (x + t· b) · a + (y − t· a) · b = gcd (a, b).

Remark 9.2.7. In terms of matrices, the algorithm can be written somewhat more succinctly.
The idea is that in each step the values of the variables are such that the matrix M with rows
(x, y) and (u, v), applied to the column vector (a, b)^T (the input values), gives the updated
values of a and b.
At the end, we obtain (gcd (a, b), 0)^T = M· (a, b)^T, with the appropriate matrix M. Comparing
the first and second entries on both sides of this equality gives gcd (a, b) = x· a + y· b and
0 = u· a + v· b, where x, y, u, and v are the suitably updated entries of the matrix M.

Example 9.2.8. The extended Euclidean algorithm computes the greatest common divisor of
two positive integers and expresses it as an integral linear combination of the input. In this
example, you can see all the steps of the algorithm.
We compute the greatest common divisor of a = 123 and b = 13 following the extended
Euclidean algorithm.
Each row of the following table represents a step in the algorithm.

Step n a b x y u v
0 123 13 1 0 0 1
1 13 6 0 1 1 −9
2 6 1 1 −9 −2 19
3 1 0 −2 19 13 −123

We conclude that the greatest common divisor of a = 123 and b = 13 equals 1. From the
same table we infer that 1 can be written as 1 = (−2) · 123 + 19· 13.

The Extended Euclidean Algorithm (9.2.5) provides us with the following characterization of
the gcd.

Theorem 9.2.9 (Characterization of the gcd). The following three statements concerning
the positive integers a, b, and d are equivalent.

(a) gcd (a, b) = d.
(b) The integer d is a positive common divisor of a and b such that any common
divisor of a and b is a divisor of d.
(c) d is the least positive integer that can be expressed as x· a + y· b with integers x
and y.

Proof.
Assertion. The second statement is equivalent to the first.
To show that the first assertion implies the second, let d = gcd (a, b). Then d is a common
divisor of a and b. By the Extended Euclidean Algorithm (9.2.5) we have d = x· a + y· b for
some integers x and y. If c is any common divisor of a and b, then it also divides x· a+y· b = d,
see Properties of Divisors (9.1.5). This proves that the first assertion implies the second.
As for the other way around, suppose that d is as in the second statement. Since gcd (a, b)
is a common divisor of a and b it must divide d. On the other hand d cannot be greater
than gcd (a, b). Hence d and gcd (a, b) must be equal. This proves that the second statement
implies the first.
Assertion. The third statement is equivalent to the first.

Let d = gcd (a, b) and let e be the least positive integer that can be expressed as x· a + y· b
with integers x and y. We show that d = e. Since d is a common divisor of a and b the
equality e = x· a + y· b implies that d divides e (see Properties of Divisors (9.1.5)). So d ≤ e.
Moreover, as a result of the Extended Euclidean Algorithm (9.2.5), d itself can also be written
as an integral linear combination of a and b. So d ≥ e by the defining property of e. Hence e
must be equal to d. This proves the equivalence.
Assertion. Conclusion.

Since both the second and the third statement of the theorem are equivalent to the first, all
three statements are equivalent. This finishes the proof of the theorem.

These different characterizations of the gcd, in particular the possibility to express the gcd
of two integers a and b as an integral linear combination of a and b, will turn out to be very
useful in various applications.
The following corollary to the Characterization of the gcd (9.2.9) deserves to be stated
separately.

Corollary 9.2.10 (Characterization of Relatively Prime Numbers). Integers a and b
are relatively prime if and only if there exist integers x and y such that x· a + y· b = 1.

Proof. Apply the previous Characterization of the gcd (9.2.9) with d = 1.

Example 9.2.11. For all natural numbers m, n, and k with m < n, the integers k^m and k^n − 1
are relatively prime. For, k^(n−m) · k^m − 1· (k^n − 1) = 1.

Example 9.2.12. Suppose that n is a positive integer. Then the greatest common divisor of
n² + n + 1 and n² equals 1. Indeed, this follows from the equality n· n² − (n − 1) · (n² + n + 1) = 1.

A first application of the Characterization of the gcd (9.2.9) is the following useful result for
deducing divisibility of one integer by another.

Proposition 9.2.13. Let a, b, and c be integers. If a and b are relatively prime, then
a|b· c implies a|c.

Proof. Since the gcd of a and b equals 1, Characterization of Relatively Prime Numbers
(9.2.10) implies that there exist integers x and y such that x· a + y· b = 1. Multiplying both
sides of this equation by c yields that x· a· c + y· b· c = c. Since a|x· a· c and a|b· c (and hence
also a|y· b· c) we conclude that a | (x· a· c + y· b· c) = c, which proves the proposition.

Example 9.2.14. The above proposition is a generalization of the following well-known statement:
The product of two integers is even if and only if at least one of the two integers is even.

9.3 Linear Diophantine equations

Let a, b, and c be integers. A linear equation in the unknowns x and y is an equation of the
form x· a + y· b = c. If the unknowns x and y are integers, such equations are known as linear
Diophantine equations.
We will use the Extended Euclidean Algorithm (9.2.5) to derive an algorithm for finding all
integer pairs x, y that satisfy the linear Diophantine equation x· a + y· b = c, for given integers
a, b, and c.
If we interpret the equation over Q or R and if we assume that b is not equal to 0, then the
solutions are all of the form (x, y) = (x, (c − x· a) /b). However, not all of these solutions are
integral, and we have to find out which ones are.

Diophantus’ book on Arithmetic. Diophantus’ work inspired Fermat to write in the margin
of this book his famous last theorem: for n > 2 there are no nonzero integers x, y and z, such
that x^n + y^n = z^n.
We first discuss a special case, the homogeneous equation, i.e., the case where c equals 0.

Lemma 9.3.1. If x· a + y· b = 0 and gcd (a, b) = 1, then there exists an integer n such
that x = −n· b and y = n· a.

Proof. Suppose that x· a + y· b = 0 and that gcd (a, b) = 1. From x· a = −b· y it follows that
a|b· y. Since gcd (a, b) = 1, we find a|y, see Result on the divisor of a product (9.2.13). This
means that there exists an integer n such that a· n = y. Substitution of y in the original equation
gives x = −n· b. This proves the lemma.

From Lemma on Diophantine Equation Solving (9.3.1) we conclude the following.

Lemma 9.3.2 (Homogeneous Diophantine Equation Solving). Suppose that a and b
are integers which are not both equal to 0. Then the integer solutions to the equation
x· a + y· b = 0 are given by x = −n·b/d and y = n·a/d, where d = gcd (a, b) and n ∈ Z.

Proof. First we note that the integers a/d and b/d are relatively prime: Use the Extended
Euclidean Algorithm (9.2.5) to find a relation of the form u· a + v· b = d, divide both sides by d,
and, finally, apply the Characterization of Relatively Prime Numbers (9.2.10).
Next, we turn to the equation x· a + y· b = 0. After dividing both sides of the equation x· a +
y· b = 0 by d, we arrive at the setting of Lemma on Diophantine Equation Solving (9.3.1). Our
equation then reads x· (a/d) + y· (b/d) = 0, where gcd (a/d, b/d) = 1. Lemma on Diophantine Equation
Solving (9.3.1) now shows that there exists an integer n such that x = −n· (b/d) and y = n· (a/d), as
required.

Example 9.3.3. To find the integral solutions to the equation 24· x + 15· y = 0 we first compute
the gcd of 24 and 15. Using for example Euclid’s Algorithm (9.2.1) as in Example 9.2.3,
we find gcd (24, 15) = 3. By Homogeneous Diophantine Equation Solving (9.3.2), x = 15·n/3 =
5· n and y = −(24·n/3) = (−8) · n with n ∈ Z.

We are now ready to solve general linear Diophantine equations of the form x· a + y· b = c.
We do this in the form of an algorithm.

Algorithm 9.3.4 (Linear Diophantine Equation Solving Algorithm). • Input: integers a, b,
and c, with a and b not both equal to 0.
• Output: set of all integer solutions (x, y) to the Diophantine equation x· a + y· b = c.

SolveDiophantine := procedure(a, b, c)
  local variables
    e := extended-gcd (a, b)
    g := e[1]
    x0 := e[2]
    y0 := e[3]
  if g|c
  then return { ((x0·c − n·b)/g , (y0·c + n·a)/g) | n ∈ Z }
  else return ∅
Proof.
Assertion. Termination.
As there are no loops in the algorithm, this is obvious, provided we interpret the returned
output set as finite data (instead of returning elements of the set one by one).
Assertion. Correctness.

By definition of the extended gcd algorithm, the value of the variable g is equal to gcd (a, b).
If there are solutions to the equation x· a + y· b = c, then g divides c. Indeed, for all integer
solutions x and y, the integer g divides x· a + y· b, which is equal to c.
So, suppose that g divides c. If x0 · a + y0 · b = g, then gc · x0 · a + gc · y0 · b = c. So x1 = gc · x0 and
y1 = gc · y0 form a solution to the equation.
If (x2 , y2 ) is another solution to the equation a· x + y· b = c, then the differences x2 − x1 and
y2 − y1 form a solution to the so-called homogeneous equation a· x + y· b = 0. Hence all
solutions of a· x + y· b = c, if there are any, are of the form (x1 , y1 ) plus a single solution to
the homogeneous equation a· x + y· b = 0.
From Homogeneous Diophantine Equation Solving (9.3.2) we conclude that every solution
is of the form x = x0 ·c−n·b
g and y = y0 ·c−n·a
g , which proves correctedness of the algorithm.

Example 9.3.5. Let a, b, and c be integers. We determine the integral solutions to the equation 24· x + 15· y = 63.
Following the Linear Diophantine Equation Solving Algorithm (9.3.4), we use the Extended Euclidean Algorithm (9.2.5) to compute the gcd of 24 and 15 and express it as a linear combination of these numbers. We find gcd (24, 15) = 3 = 2· 24 − 3· 15. As 3 divides 63, there are solutions.
By the Linear Diophantine Equation Solving Algorithm (9.3.4) the general solution to the equation 24· x + 15· y = 63 is now x = (2· 63 − n· 15)/3 and y = ((−3)· 63 + n· 24)/3, where n runs through Z.

This solution simplifies to x = 42 − 5· n and y = −63 + 8· n, with n running through Z, the sum of a particular solution and any solution of the homogeneous equation.
Of course, the particular solution x = 42 and y = −63 could have been found by multiplying both sides of the equation 3 = 2· 24 − 3· 15 by 21.

Note the structure of the solutions in the Linear Diophantine Equation Solving Algorithm (9.3.4): (x0 · c/gcd (a, b), y0 · c/gcd (a, b)) is one particular solution to the equation x· a + y· b = c, and all other solutions are obtained by adding all solutions (x′, y′) of the homogeneous equation x′· a + y′· b = 0 to it.
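Algorithm 9.3.4 carried out in Python, as an added example rather than code from the book: `extended_gcd` is the iterative form of the Extended Euclidean Algorithm (9.2.5), `solve_diophantine` returns the particular solution (x0· c/g, y0· c/g) together with the step (−b/g, a/g) of the homogeneous solutions (the finite description of the infinite solution set that the termination argument asks for), and `list_solutions` writes out the members for chosen values of n. All function names are mine.

```python
# Added example, not from the book: Algorithm 9.3.4 in Python.


def extended_gcd(a, b):
    """Return (g, x0, y0) with g = gcd(a, b) >= 0 and x0*a + y0*b = g
    (the Extended Euclidean Algorithm, 9.2.5, in iterative form)."""
    old_r, r = a, b          # remainders; invariant: old_r = old_x*a + old_y*b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    if old_r < 0:            # make the gcd non-negative (possible for negative input)
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y


def solve_diophantine(a, b, c):
    """All integer solutions of x*a + y*b = c, with a and b not both 0.

    Returns None when gcd(a, b) does not divide c (no solutions); otherwise a
    tuple (x1, y1, dx, dy) meaning (x, y) = (x1 + n*dx, y1 + n*dy) for n in Z.
    (x1, y1) is the particular solution (x0*c/g, y0*c/g) of the algorithm and
    (dx, dy) = (-b/g, a/g) generates the homogeneous solutions (9.3.2).
    """
    if a == 0 and b == 0:
        raise ValueError("a and b must not both be 0")
    g, x0, y0 = extended_gcd(a, b)
    if c % g != 0:
        return None
    k = c // g
    return x0 * k, y0 * k, -b // g, a // g


def list_solutions(a, b, c, n_values):
    """Members of the solution set for the given values of n: a finite sample of
    the infinite set; every returned pair satisfies x*a + y*b = c."""
    sol = solve_diophantine(a, b, c)
    if sol is None:
        return []
    x1, y1, dx, dy = sol
    return [(x1 + n * dx, y1 + n * dy) for n in n_values]


if __name__ == "__main__":
    # Example 9.3.5: 24x + 15y = 63 gives x = 42 - 5n and y = -63 + 8n.
    print(solve_diophantine(24, 15, 63))            # (42, -63, -5, 8)
    print(list_solutions(24, 15, 63, range(-2, 3)))
    print(solve_diophantine(4, 6, 7))               # None: gcd(4, 6) = 2 does not divide 7
```

The return value of `solve_diophantine` is exactly the data the algorithm's output set is built from: the particular solution and one generator of the homogeneous solutions. Note that `-b // g` and `a // g` are exact divisions because g divides both a and b, so no rounding enters.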

9.4 Prime numbers

In this section we discuss prime numbers, the building blocks for the multiplicative structure
of the integers. We start with a definition of primes.

A prime has only ‘trivial’ divisors.


Definition 9.4.1. A prime is an integer p greater than 1 that has no positive divisors other
than 1 and p itself.

Example 9.4.2. The integer 17 is prime.


The integer 51 is not prime, since it is divisible by 3.

Example 9.4.3. Suppose that n is a positive integer such that 2^n − 1 is prime. Then n itself is prime.
Indeed, if n is the product of two integers a and b (both at least 2), then 2^n − 1 = (2^a)^b − 1, which is divisible by 2^a − 1.

The smallest prime number is 2 (and not 1). The first five primes are 2, 3, 5, 7, and 11, but
there are many more.

Theorem 9.4.4 (Euclid’s Theorem). There are infinitely many primes.



Proof. Suppose that there are only finitely many primes, say p_1, ..., p_n, and no others. We will derive a contradiction by showing that there must exist at least one other prime, distinct from all the p_i.
Consider the integer $m = 1 + \prod_{i=1}^{n} p_i$. Then m > 1. Moreover, for each i ∈ {1, ..., n}, the integer m is clearly not divisible by p_i. Hence, the smallest divisor p of m greater than 1 is distinct from p_1, ..., p_n.
We claim that p is prime. Indeed, any positive divisor d of p is also a divisor of m. So, since p is the smallest divisor of m greater than 1, we find d to be equal to either 1 or p, which proves our claim. So, we have found a prime p distinct from all the primes p_1, ..., p_n. This contradicts the assumption that p_1, ..., p_n are the only primes.

Example 9.4.5. The primes less than or equal to 1013 are

2 3 5 7 11 13 17 19 23 29
31 37 41 43 47 53 59 61 67 71
73 79 83 89 97 101 103 107 109 113
127 131 137 139 149 151 157 163 167 173
179 181 191 193 197 199 211 223 227 229
233 239 241 251 257 263 269 271 277 281
283 293 307 311 313 317 331 337 347 349
353 359 367 373 379 383 389 397 401 409
419 421 431 433 439 443 449 457 461 463
467 479 487 491 499 503 509 521 523 541
547 557 563 569 571 577 587 593 599 601
607 613 617 619 631 641 643 647 653 659
661 673 677 683 691 701 709 719 727 733
739 743 751 757 761 769 773 787 797 809
811 821 823 827 829 839 853 857 859 863
877 881 883 887 907 911 919 929 937 941
947 953 967 971 977 983 991 997 1009 1013

Table 9.1: The primes less than or equal to 1013.

Example 9.4.6. Although there are infinitely many prime numbers, see Euclid’s Theorem
(9.4.4), the gaps between two consecutive prime numbers can be arbitrarily large.
For example, none of the hundred consecutive integers between 101! + 2 and 101! + 101 is
prime. A nontrivial divisor (i.e., a divisor greater than 1 and less than the number itself) of
101! + n, where n ∈ {2, ..., 101}, is n.

Example 9.4.7. Suppose that L is a finite list of primes, for example [2, 3, 5, 7, 11, 13, 17]. Put $m = 1 + \prod_{i \in L} i$. According to the proof of the theorem, a new prime occurs among the divisors of m, which equals 510511.
The smallest nontrivial positive divisor of 510511 equals 19, a prime not in L.

Remark 9.4.8. Although there are infinitely many prime numbers, we actually know only a finite number of them. The largest known prime, as of December 2005, is 2^30402457 − 1. In its decimal representation this number is 9,152,052 digits long. It was found on December 15, 2005, by Curtis Cooper and Steven Boone, two members of a collaborative effort to find primes known as GIMPS. Before finding the prime, Cooper and Boone ran the GIMPS program for 9 years. The GIMPS program searches for so-called Mersenne primes.
Mersenne primes are primes of the form 2^n − 1. The prime number 2^30402457 − 1 is the 43rd known Mersenne prime.
Prime numbers of the form 2^n − 1 are called Mersenne primes, since they were studied first by Marin Mersenne (1588-1648).

Marin Mersenne (1588-1648).


By Example 9.4.3, the integer 2^n − 1 can be prime only when n itself is a prime.
A few examples of Mersenne primes are 3 = 2^2 − 1, 7 = 2^3 − 1, 31 = 2^5 − 1 and 127 = 2^7 − 1.
Mersenne found that 2^11 − 1 is not a prime. Can you find its prime divisors?

Eratosthenes’ sieve is an algorithm for making the list of all primes less than or equal to some
integer n.

Eratosthenes (about 276 BC-194 BC).


If M is a list of integers and m is an integer, we shall write M ∪ [m] for the list obtained by
appending m to M.
Algorithm 9.4.9 (Eratosthenes’ Sieve).
• Input: a positive integer n.
• Output: the list of primes less than or equal to n.

Sieve := procedure(n)
  local variables
    L := {2, ..., n}
    M := list2.nil   (the empty list)
    m
  while L ≠ list2.nil do
    m := L[1]
    L := L \ m· {1, ..., n}
    M := M ∪ [m]
  return M

Proof.
Assertion. Termination.
At each step (that is, each pass through the body of the while loop), the length of the list L strictly decreases, so the algorithm will stop after running the while loop at most the length of L times.
Assertion. Correctness.

By construction, the output list M consists of all numbers in {2, ..., n} that are no multiple of
a strictly smaller number. These are precisely the primes less than or equal to n.

Example 9.4.10. We will make a list of all the primes in the interval from 2 to n = 20. We
use Eratosthenes’ Sieve (9.4.9). We start with the complete list of integers from 2 to n = 20.
See the first row of the table below. Next, in each consecutive row, we remove the proper
multiples of the first element for which this has not yet been done.

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
2 3 5 7 9 11 13 15 17 19
2 3 5 7 11 13 17 19
2 3 5 7 11 13 17 19

Table 9.2: Eratosthenes’ sieve

We have removed multiples of 2, 3 and 5, respectively.


The numbers in the last row of the table are all prime. They form the set of all primes less
than or equal to 20.

Remark 9.4.11. The number of runs of the while loop in Eratosthenes’ Sieve (9.4.9) equals the number of primes in the interval {1, ..., n}. In each run, one has to check less than n integers. So the algorithm takes certainly less than n^2 operations. However, the memory use for the algorithm is quite big, as the whole range of numbers from 2 to n has to be in memory at the start of the algorithm.

Remark 9.4.12. Eratosthenes’ Sieve (9.4.9) can also be used as a prime test. However, to avoid problems of big memory use as indicated in Remark on the Running time of Eratosthenes’ sieve (9.4.11), one can apply the following straightforward algorithm for verifying if the integer n is prime. Let an integer variable m run from 2 up to √n and check whether n is divisible by m. If for some m we find that it divides n, then we stop and decide that n is composite, otherwise we decide that n is prime.
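The sieve and the trial-division test of Remark 9.4.12 in Python, as an added example (not the book's code). `sieve` keeps one flag per integer and strikes out multiples in place instead of shrinking a list, which is how the sieve is usually implemented; `strike_out_rows` reproduces the rows of Table 9.2; `is_prime` is the test of Remark 9.4.12; and `smallest_divisor` is the divisor used in the proof of Euclid's Theorem (9.4.4) and in Example 9.4.7. Function names are mine.

```python
# Added example, not the book's code: Eratosthenes' Sieve (9.4.9), the strike-out
# rounds of Table 9.2, the trial-division prime test of Remark 9.4.12, and the
# smallest-divisor argument of Euclid's Theorem (9.4.4) / Example 9.4.7.
from math import isqrt


def sieve(n):
    """Primes <= n. One flag per integer; multiples are struck out in place."""
    if n < 2:
        return []
    is_candidate = [True] * (n + 1)
    is_candidate[0] = is_candidate[1] = False
    for m in range(2, isqrt(n) + 1):
        if is_candidate[m]:
            # Every composite k <= n has a prime divisor <= sqrt(n) (Remark 9.4.12),
            # so striking multiples of m from m*m onwards already removes all of them.
            for k in range(m * m, n + 1, m):
                is_candidate[k] = False
    return [k for k in range(2, n + 1) if is_candidate[k]]


def strike_out_rows(n, firsts):
    """Snapshots of the list [2..n] after removing the proper multiples of each
    m in `firsts` in turn; strike_out_rows(20, [2, 3, 5]) reproduces Table 9.2."""
    current = list(range(2, n + 1))
    rows = [current[:]]
    for m in firsts:
        current = [k for k in current if k == m or k % m != 0]
        rows.append(current)
    return rows


def is_prime(n):
    """Trial division by m = 2, ..., floor(sqrt(n)) (Remark 9.4.12): no table of
    size n is needed, only about sqrt(n) divisions."""
    if n < 2:
        return False
    for m in range(2, isqrt(n) + 1):
        if n % m == 0:
            return False
    return True


def smallest_divisor(m):
    """Smallest divisor of m >= 2 that exceeds 1; it is prime (proof of 9.4.4)."""
    if m < 2:
        raise ValueError("m must be at least 2")
    for d in range(2, isqrt(m) + 1):
        if m % d == 0:
            return d
    return m                       # no divisor up to sqrt(m): m itself is prime


if __name__ == "__main__":
    print(sieve(20))                               # [2, 3, 5, 7, 11, 13, 17, 19]
    for row in strike_out_rows(20, [2, 3, 5]):     # the four rows of Table 9.2
        print(row)
    print(len(sieve(1013)))                        # 170, the entries of Table 9.1
    m = 1 + 2 * 3 * 5 * 7 * 11 * 13 * 17            # Example 9.4.7
    print(m, smallest_divisor(m), is_prime(m))     # 510511 19 False
```

`sieve` needs n flags in memory (the point of Remark 9.4.11), whereas `is_prime` needs none, which is why the latter is the tool for testing a single large candidate and the former for listing all primes up to a bound.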

Using Eratosthenes’ sieve we can find all the primes in the interval {1, ..., n}. The number of
such primes can be approximated as follows.

Theorem 9.4.13 (Prime Number Theorem). Let primes(n) be the number of primes in the interval {1, ..., n}. Then we have
$$\lim_{n \to \infty} \frac{\mathrm{primes}(n)}{n / \ln(n)} = 1.$$

The Prime Number Theorem is often stated as primes(n) ≈ n/ln(n) when n tends to infinity. The Prime Number Theorem was proved by Hadamard and de la Vallée Poussin in 1896.

Jacques Hadamard (1865-1963).


Example 9.4.14. To find a large prime, for example a 100-digit number, we can use a random technique. Indeed, if we pick a 100-digit number at random, then by the Prime Number Theorem (9.4.13), the probability of having picked a prime is roughly 1/ln(10^100). Hence we expect to find a prime after at most ln(10^100) < 300 picks.

Using a fast prime test (which does exist!), this can be easily done by a computer.

Example 9.4.15 (Secure internet traffic). The software company ‘Frames’ has finally pro-
duced a good operating system. The company wants to produce DVDs with this operating
system at plants in the US, Europe, and Australia. All plants have a master copy of the op-
erating system, but before starting the production, they first want to make sure that all these
copies are the same.
For security reasons, the company does not want to compare the systems bit by bit over the
internet. Indeed, competing companies could get secret information or hackers could corrupt
it. So, the president of ‘Frames’ has asked the mathematics department to come up with a
quick and very secure way of checking. The mathematicians’ response is the following.

The procedure. All plants have high quality equipment at their disposal. First a random prime number p is chosen in the interval between 1 and some integer a which can be represented in the binary system with n bits. So a is approximately equal to 2^n. Next, each plant transforms the bit-string of the operating system, which has approximately length b say, into a number x, and then computes the remainder r = rem(x, p). Finally the three plants compare the remainders thus obtained. This can be done easily, as these remainders are just numbers between 0 and p. If they all find the same remainder, they decide that their copies are the same.
The security. Why does this test yield a secure way of checking whether all three copies of the operating system are the same? Suppose that one plant’s system is a bit-string representing the number x, while another plant’s system represents the number y. If the bit-strings have length (approximately) b, then these numbers x and y have size at most 2^b. Of course, x = y implies rem(x, p) = rem(y, p). This means that the conclusion x ≠ y is justified if rem(x, p) ≠ rem(y, p). So suppose that rem(x, p) = rem(y, p). How large is the probability of an error? How large is the probability that x ≠ y?
In this case x − y must be a nonzero multiple of p. So the probability P of a wrong conclusion is at most the quotient of the number of prime divisors of x − y by the number of primes less than 2^n.
First we analyze the numerator of this quotient. If k is the number of primes that divide the number z = x − y, then z ≥ 2^k. But that implies that k is at most b.
Now the denominator. According to the Prime Number Theorem the number of primes less than 2^n is approximately 2^n / ln(2^n). So, a good estimate for the denominator is 2^n / n.
Combining the above, we find that P, the probability of declaring x and y to be the same while they are not, is at most b· n / 2^n.
A concrete example. Suppose that the operating system fits on a single DVD of 5 Gigabyte. Then the number b of bits on the DVD equals 5· 2^10 · 2^10 · 2^10 · 2^3. So, if we pick the prime p at random between 1 and 2^200, then the probability of declaring x and y to be the same while they are not, is less than 5· 2^33 · 200 / 2^200, which is less than 2^−153.
In a similar way one can analyze the probability of declaring x and y to be not the same, while they are equal.
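The procedure of Example 9.4.15 in Python, as an added example that is not the book's code. The copies are constructed sample data, the prime is drawn from the operating system's random source after the copies exist, and `error_bound` computes the bound b· n / 2^n from the text. The trial-division `random_prime` is only meant for the prime sizes used here; with 200-bit primes as in the concrete example one would use a fast primality test, which the text mentions but does not give. Function names are mine.

```python
# Added example, not the book's code: the fingerprint comparison of Example 9.4.15.
# Each plant reduces its copy, read as one big integer x, modulo a prime p that was
# drawn at random after the copies were fixed; only the remainders are exchanged.
import random
from math import isqrt


def is_prime(n):
    """Trial division (Remark 9.4.12); adequate for the prime sizes used below."""
    if n < 2:
        return False
    return all(n % m != 0 for m in range(2, isqrt(n) + 1))


def random_prime(bits, rng=None):
    """A prime drawn uniformly from the primes below 2**bits. The default source is
    the OS randomness; pass a seeded random.Random for a reproducible run."""
    rng = rng if rng is not None else random.SystemRandom()
    while True:
        candidate = rng.randrange(2, 1 << bits)
        if is_prime(candidate):
            return candidate


def fingerprint(data, p):
    """rem(x, p), where x is the integer whose binary digits are the bytes of data."""
    x = int.from_bytes(data, "big")
    return x % p


def copies_agree(copies, p):
    """What the plants decide: True iff all remainders coincide."""
    return len({fingerprint(c, p) for c in copies}) == 1


def error_bound(bit_length, prime_bits):
    """The bound b*n/2**n from the text on the probability that two *different*
    copies of b bits share a remainder modulo a random prime below 2**n."""
    return bit_length * prime_bits / 2.0 ** prime_bits


if __name__ == "__main__":
    # Constructed sample data standing in for the plants' master copies.
    master = b"Frames OS master image, build 1\n" * 64
    corrupted = bytearray(master)
    corrupted[100] ^= 0x01                      # one flipped bit in one plant's copy
    p = random_prime(31)                        # a 31-bit prime: quick by trial division
    print(p, copies_agree([master, master, master], p))           # True
    print(p, copies_agree([master, bytes(corrupted), master], p))  # False with prob. >= 1 - bound
    print(error_bound(len(master) * 8, 31))     # bound for these copies and this prime size
    print(error_bound(5 * 2 ** 33, 200) < 2.0 ** -153)            # the DVD estimate: True
```

Two things the bound depends on are worth making explicit when such a check is deployed. It assumes the prime is chosen after both copies are fixed and independently of them: a party who can still change a copy after learning p can make x − y a multiple of p, so p has to stay unpredictable and be drawn fresh for each comparison. It also assumes the remainders reach the other plants unaltered; otherwise whoever corrupted a copy can report a matching remainder as well, since the procedure compares the copies against each other, not against a trusted reference.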

The next theorem gives a characterization of primes.

Theorem 9.4.16 (Prime Characterization). Let p > 1. Then p is a prime if and only
if, for all integers b and c, the condition p|b· c implies that p|b or p|c.

Proof.
Assertion. If.

Proof. Suppose that p is prime. Assume that p|b· c for some integers b and c. If p|b we are
done. If p is not a divisor of b, then p and b have no common divisors greater than 1 and we
can apply Result on the divisor of a product (9.2.13) to find that p divides c.

Assertion. Only if.

Proof. If p is not prime, then p = b· c for two integers b and c that are greater than 1 and
smaller than p. Then p divides the product b· c, but divides neither b nor c (as b and c are
smaller than p). We conclude that if, for all integers b and c the condition p|b· c implies that
p|b or p|c, then p is a prime.

Example 9.4.17. Suppose a = b· c, where b and c are integers. The following fact is well
known. If a is even, then so is at least one of b or c. It is one implication in the special case
p = 2 of the theorem.

Prime Characterization (9.4.16) has the following useful corollary.

Corollary 9.4.18. If p is a prime and b_1, ..., b_s are integers such that $p \mid \prod_{i=1}^{s} b_i$, then there is an index i ∈ {1, ..., s} such that p | b_i.

Proof. Let p be a prime and b_1, ..., b_s integers providing a counterexample to the corollary with s minimal. Hence $p \mid \prod_{i=1}^{s} b_i$, but p does not divide b_i for each index i.
Since p does not divide b_s, the Prime Characterization (9.4.16) implies that p divides $\prod_{i=1}^{s-1} b_i$.
By the minimality of s, the integers b_1, ..., b_{s−1} do not provide a counterexample to the statement of the corollary. Thus, there is an index i less than s such that p divides b_i. This contradicts our assumptions. Hence, no counterexamples exist and we have proven the corollary.

Example 9.4.19. Let p be a prime, then p does not divide a product of integers, none of which is divisible by p. For example, if i is a positive integer less than p, then p does not divide (p − i)!· i!.

9.5 Factorization

The prime numbers are the building blocks for the multiplicative decomposition of integers.
We will now see how integers are built up out of primes.

Building integers from primes.

Theorem 9.5.1 (Unique Factorization). Every positive integer a > 1 can be written as the product of finitely many primes: $a = \prod_{i=1}^{s} p_i$ where s is a positive integer and each p_i is a prime. Up to the order of the factors, this factorization is unique.

Proof. The proof is divided into two steps. Each step is proved by induction on a.
Assertion. Every integer a is a product of primes.

The case a = 2 is trivial. So suppose that a is at least 3 and that all positive integers less than a can be expressed as a product of primes. If a itself is a prime, then we are done. If a is not a prime, then it has a divisor b such that 1 < b and b < a. According to the induction hypothesis, both b and a/b can be written as a product of primes. Explicitly, $b = \prod_{i=1}^{t} p_i$ and $a/b = \prod_{i=1}^{r} q_i$ where t and r are positive integers and all p_i and q_i are primes. But then,

as a = b· (a/b), we can write a as the product $a = \prod_{i=1}^{t} p_i \cdot \prod_{i=1}^{r} q_i$. Hence, a is a product of primes.
Assertion. The factorization of an integer a is unique (up to order).

Again the case a = 2 is easy. Suppose that a > 2, and also suppose that uniqueness of the factorization into primes has been proven for the integers less than a.
If $a = \prod_{i=1}^{t} p_i$ and $a = \prod_{i=1}^{r} q_i$ are two ways of expressing a as a product of primes, then it follows that p_1 divides a. But then p_1 also divides $\prod_{i=1}^{r} q_i$.
Using (9.4.18) we conclude that there exists an index i in the set {1, ..., r} such that p_1 | q_i. But then, as p_1 and q_i are prime, we have p_1 = q_i. Without loss of generality we can assume i to be 1, so p_1 = q_1.
Now apply the induction hypothesis to the integer a/p_1 with the two expressions as products of primes $a/p_1 = \prod_{i=2}^{t} p_i$ and $a/p_1 = \prod_{i=2}^{r} q_i$.
These factorizations of a/p_1 are the same (up to the order of the factors) and therefore the two factorizations of a are also the same.

Example 9.5.2. Factoring a number into its prime factors is hard! Up to now (2006), the best
factorization algorithms can factor numbers consisting of about 100 digits. Factorization of
much larger numbers is exceptional. For example, there are numbers with more than 200
digits that have been factorized. One of the more famous examples is the number called
RSA-129. In a newspaper article of April, 1994, the following factorization record by A.K.
Lenstra, et al. was announced. RSA-129:

1143816257578888676692357799761466120102182967212423625625618429
35706935245733897830597123563958705058989075147599290026879543541
=
3490529510847650949147849619903898133417764638493387843990820577
×
32769132993266709549961988190834461413177642967992942539798288533

It is not difficult to check that the product of these two factors is indeed the large number:
any computer system that can work with these large numbers will confirm it. But it is very
hard (indeed many thought it to be unfeasible) to find the factors given the product.
As an indication of how difficult this is, you should try to calculate how many years it would
cost to find the above factorization using the obvious algorithm of trying all integers less than
the number to be factored. You may assume that the multiplication of two numbers of 130
digits takes about 1/100000-th of a second. There remains the problem of checking that these
two numbers are prime. By means of Eratosthenes’ Sieve (9.4.9), this would take a very long
time. However there exist primality tests that can check if a 130 digit number is prime in a
reasonable amount of time. In 2002, Agrawal, Kayal, and Saxena came up with an algorithm
that, for input a prime number p, gives a proof of primality in time a polynomial function of
the input length, the logarithm of p.

Example 9.5.3. The prime factorizations of the integers between 2 and 20 are

2 = 2^1
3 = 3^1
4 = 2^2
5 = 5^1
6 = 2^1 · 3^1
7 = 7^1
8 = 2^3
9 = 3^2
10 = 2^1 · 5^1
11 = 11^1
12 = 2^2 · 3^1
13 = 13^1
14 = 2^1 · 7^1
15 = 3^1 · 5^1
16 = 2^4
17 = 17^1
18 = 2^1 · 3^2
19 = 19^1
20 = 2^2 · 5^1

Table 9.3: Prime factorizations

Remark 9.5.4. If a is a square, then ord_p(a) is even for each prime p. Using this observation it is not difficult to prove that the square root of 2 is not rational, i.e., it is not in Q. This means that there are no integers a and b with b ≠ 0 such that (a/b)^2 = 2. For, if such a and b exist, then 2· b^2 = a^2 and so ord_2(2· b^2) = ord_2(a^2). But ord_2(2· b^2) is odd and ord_2(a^2) is even, a contradiction. Therefore, the assumption that a and b with (a/b)^2 = 2 exist is false.
The same method implies that any n-th root of a prime number is not rational. Indeed, suppose q is a prime and n is at least 2. If a and b are two integers with a/b = q^{1/n}, then (a/b)^n = q. So q· b^n = a^n and hence ord_q(q· b^n) = ord_q(a^n). But ord_q(q· b^n) equals 1 + n· ord_q(b), a multiple of n plus 1, while ord_q(a^n) equals n· ord_q(a), a multiple of n. This is a contradiction.

Remark 9.5.5. There also exist arithmetic systems in which uniqueness of factorizations is not guaranteed. For example, in the system R of numbers of the form a + b· √−5 with a, b ∈ Z we can express 6 in two essentially different ways: 6 = 3· 2 = (1 + √−5)· (1 − √−5). The system R is an example of a ring, an algebraic structure with properties similar to those of Z, Q, or R.

For a non-zero integer a, we denote the number of times that the prime p occurs in its factorization by ord_p(a). So ord_p(a) is the maximum of all integers n for which a is divisible by p^n.

The factorization into primes of a can be written as
$$a = \prod_{p \in P} p^{\mathrm{ord}_p(a)} \qquad (9.4)$$

Here the product is taken over the set P of all primes. Note however, that only a finite number of factors is distinct from 1.
By definition, a product that has the empty set as index set (the empty product) is 1. With this convention the equality also holds for a = 1.
Here is an explicit description of the gcd and lcm of two integers in terms of their prime
factorizations.

Theorem 9.5.6. If a and b are positive integers, then
$$\gcd(a, b) = \prod_{p \in P} p^{\min(\mathrm{ord}_p(a),\, \mathrm{ord}_p(b))} \qquad (9.5)$$
and
$$\mathrm{lcm}(a, b) = \prod_{p \in P} p^{\max(\mathrm{ord}_p(a),\, \mathrm{ord}_p(b))} \qquad (9.6)$$
In particular we have
$$a \cdot b = \gcd(a, b) \cdot \mathrm{lcm}(a, b) \qquad (9.7)$$

Proof. We prove the first equality. For each prime p we certainly have min(ord_p(a), ord_p(b)) ≤ ord_p(a) and min(ord_p(a), ord_p(b)) ≤ ord_p(b). Hence the right-hand side of the equality $\gcd(a, b) = \prod_{p \in P} p^{\min(\mathrm{ord}_p(a),\, \mathrm{ord}_p(b))}$ is a common divisor of a and b. In particular, by the Characterization of the gcd (9.2.9), we find that the right-hand side divides gcd (a, b).
On the other hand, if for some prime p we have ord_p(gcd (a, b)) = m, then p^m divides both a and b. Therefore, m ≤ ord_p(a) and m ≤ ord_p(b). Hence the left-hand side of the equation $\gcd(a, b) = \prod_{p \in P} p^{\min(\mathrm{ord}_p(a),\, \mathrm{ord}_p(b))}$ is a divisor of the right-hand side.
Combining the above, the equality follows.
The proof of the second equality is left to the reader.
The third statement is a direct consequence of the first two, when you take into account that, for any two integers, their sum is equal to the sum of their maximum and their minimum. In Relation between gcd and lcm (9.1.19) another proof of this statement is given.

Example 9.5.7. Suppose that a is a positive integer and that p^n divides a for some prime number p and positive integer n. Choose n maximal with this property, so n = ord_p(a). Then the binomial coefficient $\binom{a}{p^n}$ is not divisible by p.
Indeed, the binomial coefficient $\binom{a}{p^n}$ can be written as the quotient of $\prod_{i=0}^{p^n - 1} (a - i)$ by $(p^n)!$.
Now for all positive integers b with b ≤ p^n we find that ord_p(b) equals ord_p(a − b). So every factor p in the numerator is canceled by a factor p in the denominator.

Example 9.5.8. Given the integers a and b we can express them as a product of primes. Indeed, we can factor a = 345 and b = 246 as a = 3· 5· 23 and b = 2· 3· 41.
Moreover, gcd (a, b) = 3 and lcm (a, b) = 2· 3· 5· 23· 41.
Each of the factors in the above products is prime. You can check this with the Prime test of Eratosthenes (9.4.12).
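Factorization and the formulas (9.5) to (9.7) in Python, as an added example (not the book's code). `factorize` is trial division, so it only finishes for numbers whose second-largest prime factor is small enough to reach; `ord_p` follows the definition of ord_p(a) given above; and the gcd/lcm functions evaluate (9.5) and (9.6) directly. The last function multiplies the two RSA-129 factors of Example 9.5.2 back together, the easy direction the text describes. Function names are mine.

```python
# Added example, not the book's code: factorization by trial division, ord_p, the
# gcd/lcm formulas (9.5)-(9.7) of Theorem 9.5.6, and the RSA-129 product check.
from collections import Counter
from math import prod


def factorize(a):
    """{p: ord_p(a)} for a positive integer a; a = 1 gives {} (the empty product)."""
    if a < 1:
        raise ValueError("a must be a positive integer")
    exponents = Counter()
    p = 2
    while p * p <= a:
        while a % p == 0:            # divide out p as often as possible
            exponents[p] += 1
            a //= p
        p += 1
    if a > 1:                        # the remaining cofactor is itself prime
        exponents[a] += 1
    return dict(exponents)


def ord_p(p, a):
    """The largest n with p**n dividing a (a != 0)."""
    if a == 0:
        raise ValueError("ord_p(0) is undefined")
    n = 0
    while a % p == 0:
        a //= p
        n += 1
    return n


def gcd_by_factorization(a, b):
    """Formula (9.5): the product over p of p ** min(ord_p(a), ord_p(b))."""
    fa, fb = factorize(a), factorize(b)
    return prod(p ** min(fa.get(p, 0), fb.get(p, 0)) for p in set(fa) | set(fb))


def lcm_by_factorization(a, b):
    """Formula (9.6): the product over p of p ** max(ord_p(a), ord_p(b))."""
    fa, fb = factorize(a), factorize(b)
    return prod(p ** max(fa.get(p, 0), fb.get(p, 0)) for p in set(fa) | set(fb))


def is_square(a):
    """Remark 9.5.4: a positive integer is a square iff every ord_p(a) is even."""
    return all(e % 2 == 0 for e in factorize(a).values())


# The RSA-129 number and its two prime factors, as printed in Example 9.5.2.
RSA129 = int("1143816257578888676692357799761466120102182967212423625625618429"
             "35706935245733897830597123563958705058989075147599290026879543541")
RSA129_FACTORS = (
    int("3490529510847650949147849619903898133417764638493387843990820577"),
    int("32769132993266709549961988190834461413177642967992942539798288533"),
)


def rsa129_product_checks():
    """Multiplying the factors is instant; factorize(RSA129) would never finish."""
    return RSA129_FACTORS[0] * RSA129_FACTORS[1] == RSA129


if __name__ == "__main__":
    print(factorize(345), factorize(246))      # {3: 1, 5: 1, 23: 1} {2: 1, 3: 1, 41: 1}
    print(gcd_by_factorization(345, 246), lcm_by_factorization(345, 246))   # 3 28290
    print(rsa129_product_checks())             # True
```

The product check is the asymmetry the text points at: verifying a claimed factorization costs one multiplication, while recovering it by `factorize` would require trial division up to a 64-digit prime.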

The prime factorization is very well suited for studying the multiplicative structure of the
integers. However, it is not so convenient to study the additive structure.

9.6 The b-ary number system

We commonly represent integers in the decimal system. But there are also other systems, like
the binary system which is heavily used in computer science. The decimal and binary system
are two examples in a series.
Definition 9.6.1 (b-ary representation). Let b > 1 be an integer. A b-ary representation, or representation with respect to base b, of an integer a ≥ 0 is a sequence of numbers a_0, ..., a_k with 0 ≤ a_i < b (the digits), such that $a = \sum_{i=0}^{k} a_i \cdot b^i$.
We write a = [a_k, ..., a_0]_b. We speak of the b-ary number system.

Remark 9.6.2. Besides the binary system, the octal (base 8) and hexadecimal (base 16) sys-
tems are often used in computer science.
In base 8 we use the digits 0 to 7, but in base 16 we need more digits. Apart from the digits
0 to 9, it is customary to use the symbols A, B, C, D, E, F to represent the decimal numbers
10, 11, 12, 13, 14, and 15, respectively.
Thus, the integer 123 is represented as [7B]16 .

In the b-ary number system, every positive number can be written in precisely one way.

Theorem 9.6.3. Let b > 1 be an integer. Every integer a ≥ 0 has a b-ary representation. Furthermore, this representation is unique if a > 0 and if we require that a_k ≠ 0 for the ‘most significant’ (i.e., left most) digit in a = [a_k, ..., a_0]_b.

Proof. The proof consists of two parts. In both we proceed by induction on a.


Assertion. Existence: the number a has a b-ary representation.

For a = 0, a b-ary representation is [0]_b. Now suppose that a > 0 and that the existence assertion is true for all non-negative integers less than a. Let r be the remainder of division of a by b. Then 0 ≤ r and r < b. Moreover, b | a − r. Since (a − r)/b < a, we can apply the induction hypothesis. We find that there are digits a_0, ..., a_k satisfying $(a - r)/b = \sum_{i=0}^{k} a_i \cdot b^i$. Rewriting this expression as $a = r + \sum_{i=0}^{k} a_i \cdot b^{i+1}$ we find that a = [a_k, ..., a_0, r]_b.
Assertion. Uniqueness of the representation.

Suppose that a = [a_k, ..., a_0]_b and also a = [c_l, ..., c_0]_b are both b-ary representations of a. By the assumption on the most significant digit we have a_k ≠ 0 and c_l ≠ 0. According to the first representation, the remainder when a is divided by b is equal to a_0 and, according to the second, it equals c_0. Hence a_0 = c_0. If a < b, then a = a_0 and we are finished. Otherwise, we apply the induction hypothesis to the number (a − a_0)/b, which is smaller than a. It has representations [c_l, ..., c_1]_b and [a_k, ..., a_1]_b in the b-ary number system. So, by the induction hypothesis, k = l and a_i = c_i for all i ∈ {1, ..., k}. As we already proved a_0 = c_0, this establishes that the two representations are the same.

Example 9.6.4. The proof of Theorem on b-ary Representation (9.6.3) provides an algorithm
for computing the b-ary representation of the integer a (which is given in the decimal system).
Suppose a = 1238 and b = 7. The last symbol in the string representing a equals rem(a, b),
while the string before the last symbol is the representation of quot(a, b).
We begin with the empty string. At each step of the algorithm we insert the remainder
rem(a, b) at the beginning of the string and replace a by quot(a, b).
The algorithm starts with a = 1238 and stops when a is equal to 0.
Each row of the following table represents a step in the algorithm.

n   a_n = quot(a_{n−1}, b)   rem(a_{n−1}, b)
1   176                      6
2   25                       1
3   3                        4
4   0                        3

The algorithm has finished! The b-ary representation, where b = 7, of a = 1238 equals
[3416]7 .
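The conversion of Example 9.6.4 in Python, added here and not code from the book: `to_base` is the repeated quot/rem procedure (each remainder is inserted at the front), `conversion_steps` reproduces the rows of the table above, `from_base` evaluates the sum in Definition 9.6.1, and `format_base`/`parse_base` use the digit symbols of Remark 9.6.2. Names are mine.

```python
# Added example, not the book's code: the b-ary representation of Definition 9.6.1.
DIGIT_SYMBOLS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # 0-9, then A, B, ... (Remark 9.6.2)


def to_base(a, b):
    """Digits [a_k, ..., a_0] of a >= 0 with respect to base b > 1, most significant
    first; for a > 0 the leading digit is non-zero, as required in Theorem 9.6.3."""
    if b < 2 or a < 0:
        raise ValueError("need b > 1 and a >= 0")
    if a == 0:
        return [0]
    digits = []
    while a > 0:
        a, r = divmod(a, b)      # a := quot(a, b), r = rem(a, b)
        digits.insert(0, r)      # the remainder goes to the front, as in Example 9.6.4
    return digits


def conversion_steps(a, b):
    """Rows (n, a_n, rem(a_{n-1}, b)) of the table in Example 9.6.4, with a_0 = a."""
    rows = []
    n = 0
    while a > 0:
        n += 1
        a, r = divmod(a, b)
        rows.append((n, a, r))
    return rows


def from_base(digits, b):
    """The integer sum of a_i * b**i for digits [a_k, ..., a_0]; Horner's rule, so
    no explicit powers of b are formed."""
    value = 0
    for d in digits:
        if not 0 <= d < b:
            raise ValueError(f"digit {d} is not in the range 0..{b - 1}")
        value = value * b + d
    return value


def format_base(a, b):
    """String with the symbols of Remark 9.6.2, e.g. format_base(123, 16) == '7B'."""
    if b > len(DIGIT_SYMBOLS):
        raise ValueError("no digit symbols for bases above 36")
    return "".join(DIGIT_SYMBOLS[d] for d in to_base(a, b))


def parse_base(text, b):
    """Inverse of format_base; rejects symbols that are not digits of base b."""
    return from_base([DIGIT_SYMBOLS.index(ch) for ch in text.upper()], b)


if __name__ == "__main__":
    print(to_base(1238, 7), conversion_steps(1238, 7))   # [3, 4, 1, 6] and the table rows
    print(format_base(123, 16), parse_base("7B", 16))     # 7B 123
```

`to_base` terminates because `a` strictly decreases at every step (quot(a, b) < a for a > 0 and b > 1), which is the same induction that proves existence in Theorem 9.6.3.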

9.7 Exercises

Exercise 9.7.1. Determine the remainder of a divided by b for each of the following pairs a, b.

(a) 480, 175;
(b) 5621, 192;
(c) 983675, 105120.

Exercise 9.7.2. Suppose that a and b are nonzero integers. Prove that if a divides b and b
divides a, then a = b or a = −b.

Exercise 9.7.3. Show that if a divides b and c divides d, then a· c divides b· d.

Exercise 9.7.4. Use induction to prove that 10 divides 3^{4· n} − 1 for all positive integers n.

Exercise 9.7.5. Use induction to prove that, if a and b are integers, a − b divides a^n − b^n for every positive integer n.

Exercise 9.7.6. Determine the gcd and lcm of a and b for each of the following pairs a, b.

(a) 48, 15;
(b) 21, 19;
(c) 75, 105.

Exercise 9.7.7. Suppose that a and b are nonzero relatively prime integers and suppose that c
is a divisor of a. Prove that c and b are relatively prime.

Exercise 9.7.8. Show that the following three properties hold for the greatest common divisor. Here, a, b and k are integers.

(a) gcd (a, b) = gcd (b, a)
(b) gcd (a, b) = gcd (a, b − k· a)
(c) gcd (a, 0) = |a|

Exercise 9.7.9. For any positive integer n divide 10^{3· n} by 10^n − 1 and find the remainder.

Exercise 9.7.10. If n is a positive integer, determine the possibilities for the greatest common divisor of n and n^2 + 3, and also provide examples.

Exercise 9.7.11. Three cogwheels with 24, 15, and 16 cogs, respectively, touch as shown.
What is the smallest positive number of times you have to turn the left-hand cogwheel (with
24 cogs) before the right-hand cogwheel (with 16 cogs) is back in its original position? What
is the smallest positive number of times you have to turn the left-hand cogwheel before all
three wheels are back in their original position?

Three cogs
Exercise 9.7.12. Prove that the square of an odd integer is again odd, where ‘odd’ means
‘not divisible by 2’ or, equivalently, ‘having remainder 1 upon division by 2’. Show that the
remainder of division by 4 of the square of an odd integer is 1. Does the last statement hold
if we replace 4 by 8? And by 16?

Exercise 9.7.13. Suppose that a, b, and c are integers. If c divides a and b, it also divides
rem(a, b). Prove this.

Exercise 9.7.14. If c is a common multiple of the integers a and b, then c is a multiple of lcm (a, b). Prove this.

Exercise 9.7.15. Determine the gcd of each of the following pairs of numbers, and write this gcd as a linear combination of the given numbers:

(a) 480, 175;
(b) 5621, 192;
(c) 983675, 105120.

Exercise 9.7.16. Show that, for all positive integers x and y, and nonnegative z, we have
gcd (z· x, z· y) = z· gcd (x, y)

Exercise 9.7.17. Suppose that d is the nonzero gcd of a and b. Prove that a/d and b/d are
relatively prime.

Exercise 9.7.18. Let a, b, and c be integers. Show that gcd (a, b, c) = gcd (gcd (a, b) , c)

Exercise 9.7.19. Let a, b and c be integers. Prove that there are integers x, y, and z such that
gcd (a, b, c) = x· a + y· b + z· c

Exercise 9.7.20. Let a be a rational number such that both 18· a and 25· a are integers. Show
that a itself is an integer.

Exercise 9.7.21. Let a, b, and c be nonzero integers. Determine the set of all integers that can be expressed in the form x· a + y· b + z· c with x, y, and z integers.

Exercise 9.7.22. Determine the gcd of each of the following pairs of numbers, and write each gcd as a linear combination of the given numbers:

(a) 5672, 234;
(b) 5311, 121;
(c) 32125, 1012.

Exercise 9.7.23. Suppose a is a rational number such that 45· a and 36· a are integers. Is a
necessarily an integer? And what if 20· a is also known to be an integer?

Exercise 9.7.24. Find all integer solutions x and y to the following Diophantine equations.

(a) 22· x + 32· y = 12
(b) 12· x + 25· y = 11
(c) 24· x + 36· y = 18

Exercise 9.7.25. In how many ways can you pay 50 eurocents using only 5 eurocent and 20
eurocent coins? Can you do it with exactly 7 coins?

Exercise 9.7.26. Find all integers x, y, and z that satisfy the two equations x + y + 3· z = 19
and x + 2· y + 5· z = 29 simultaneously. Also, determine all solutions with x, y, and z positive.

Exercise 9.7.27. Determine all primes of the form n2 − 4, where n is an integer.

Exercise 9.7.28. Determine all primes p and q satisfying p· q = 4· p + 7· q.

Exercise 9.7.29. Prove that there exist infinitely many primes of the form 4· n + 3, where n is
a positive integer.

Exercise 9.7.30. Let p > 1 be an integer. Prove that p is a prime if and only if for every
integer a either gcd (p, a) = 1 or gcd (p, a) = p.

Exercise 9.7.31. Let p be a prime and let a be a positive multiple of p. Show that there exists
a positive integer n such that a/pn is an integer and gcd (p, a/pn ) = 1.

Exercise 9.7.32. Determine all primes less than 100.

Exercise 9.7.33. Determine all primes of the form n^3 + 1, with n an integer.



Exercise 9.7.34. Which of the following integers is prime: 187, 287, 387, 487, or 587?

Exercise 9.7.35. Let n be an integer greater than 1, and let p be the smallest divisor of n
greater than 1. Prove that p is prime.

Exercise 9.7.36. Determine the prime factorization of the integers 111, 143, 724, and 1011.

Exercise 9.7.37. Prove that the cube root of 17 is not rational.

Exercise 9.7.38. Prove that 5 is the only prime p such that 3· p + 1 is a square.

Exercise 9.7.39. The musical pitch of each note corresponds to its frequency, which is ex-
pressed in Hertz. If you double the frequency, you find a note an octave higher. If you change
the frequency by a factor 3/2, you obtain a note which is a so-called fifth higher. Starting
from a given note, you can construct notes which are one, two, etc., octaves higher. Similarly,
you can construct notes which are one, two, etc., fifths higher. Show that these two series of
notes have no note in common, except the note you started with.

Exercise 9.7.40. Suppose that a and b are coprime positive integers and that the positive
integer n is a multiple of both a and b. Show that n is a multiple of a· b.

Exercise 9.7.41. Determine $\gcd(2^3 \cdot 3^5 \cdot 7^2,\ 2^4 \cdot 5 \cdot 5 \cdot 11)$ and $\mathrm{lcm}(2^3 \cdot 3^5 \cdot 7^2,\ 2^4 \cdot 5 \cdot 5 \cdot 11)$.

Exercise 9.7.42. Determine $\gcd(4^3 \cdot 6^5 \cdot 7^2,\ 8^4 \cdot 10^5 \cdot 11)$.

Exercise 9.7.43. Determine $\gcd(2^4 \cdot 3^2 \cdot 5 \cdot 7^6 \cdot 11,\ 2^2 \cdot 3^2 \cdot 5^3 \cdot 11)$.
Exercise 9.7.44. How many different positive divisors does 1000 have? And how many does 10,000,000 have?

Exercise 9.7.45. What are the gcd and lcm of the following integers:

(a) $2^3 \cdot 5^7 \cdot 11$ and $2^2 \cdot 3^4 \cdot 5^2 \cdot 11^4$;
(b) $2^1 \cdot 3^3 \cdot 5^2$ and $2^2 \cdot 3^4 \cdot 5 \cdot 11$;
(c) $3^2 \cdot 4^5 \cdot 7^2$ and $2^3 \cdot 3^2 \cdot 6^5 \cdot 7^2$.

Exercise 9.7.46. Prove the following identity: $\gcd(a^2, b^2) = (\gcd(a, b))^2$.


Exercise 9.7.47. Compute the 7-ary representation of the following integers given in their
decimal representation: 12373, 32147, and 7231.

Exercise 9.7.48. Write an algorithm that converts numbers given in the decimal system to the
binary system and vice versa.

Exercise 9.7.49. Compute the 3-ary representation of the following integers given in their
decimal representation: 12373, 32147, and 7231.

Exercise 9.7.50. Which b-ary system would you use to weigh all possible weights between 1 and 40 with just four standard weights on a balance?

Exercise 9.7.51. The decimal representation of an integer n is $[abcabc]_{10}$, where a, b and c are elements from {0, ..., 9}. Prove that 7, 11, and 13 are divisors of n.

Exercise 9.7.52. The integers 1222, 124211, 2113 and 4121 are given in their decimal representation. Give their representations in base 2, 4, and 8, respectively.

Chapter 10

Modular arithmetic

It frequently happens that we prefer to ignore multiples of a given number when we do cal-
culations. Just think of the days in the week or the hours in a day; in the first case we ignore
multiples of seven, in the second case multiples of 12 or 24. In this chapter we will describe
this ‘arithmetic modulo n’. As an application we will describe the RSA cryptosystem.

10.1 Arithmetic modulo n


Clock arithmetic is an example of arithmetic modulo an integer, which is 24 in this case.
Suppose that the time is 15:00 hours. If 20 hours pass by, then it will be 11:00 hours. In
terms of modular arithmetic, we say that 15 + 20 equals 11 modulo 24. Here, modulo means
‘up to a multiple of’. On the other hand, if 83 hours elapse, then it will be 2 o’clock in the
morning. In modular arithmetic, 15 + 83 equals 2 modulo 24. We look at the time of day as
a quantity determined up to a multiple of 24.

[Figure: Clock arithmetic]

We will analyze arithmetic modulo an integer.


Definition 10.1.1. Let n be an integer. On the set Z of integers we define the relation congru-
ence modulo n as follows: a and b are congruent modulo n if and only if n|a − b.
We write a ≡ b (mod n) to denote that a and b are congruent modulo n. If a and b are
congruent modulo n, we also say that a is congruent to b modulo n, or that a is equal to b
modulo n.

Example 10.1.2. If a = 342, b = 241, and n = 17, then a is not congruent to b modulo n.
Indeed a − b = 101 is not divisible by n = 17.
However, if a = 342, b = 240, and n = 17, then a is congruent to b modulo n. Indeed,
a − b = 102 is divisible by n = 17.

Proposition 10.1.3. Let n be an integer. The relation congruence modulo n is reflexive, symmetric, and transitive; in particular, it is an equivalence relation.
For nonzero n, there are exactly |n| distinct equivalence classes; for n > 0 they are

n·Z, 1 + n·Z, ..., (n − 1) + n·Z    (10.1)

The set of equivalence classes of Z modulo n is denoted by Z/nZ.

Proof. We need to verify that the relation is reflexive, symmetric, and transitive. This implies
congruence modulo n to be an equivalence relation. The other statements of the proposition
follow easily.
Assertion. The relation is reflexive.

Let a be an integer. Then a ≡ a (mod n) as n divides a − a = 0.


Assertion. The relation is symmetric.

Suppose that a and b are integers with a ≡ b (mod n). Then n divides a − b, and hence also
b − a. Thus b ≡ a (mod n).
Assertion. The relation is transitive.

If a, b, and c are integers with a ≡ b (mod n) and b ≡ c (mod n), then n divides both a − b
and b − c. But then n is also a divisor of a − b + b − c = a − c and so a ≡ c (mod n).

Example 10.1.4. As congruence modulo n is an equivalence relation, its equivalence classes


partition the set Z of all integers.
For example, the relation modulo 2 partitions the integers into two classes, the even numbers
and the odd numbers.

Remark 10.1.5. In the Definition of quot and rem (9.1) [80], the notation rem(a, n) for the
remainder r of the division of a by n is introduced. Observe that r is congruent to a modulo
n. The remainder r is a natural representative of the set of all elements congruent to a modulo
n.
If n equals 0, then a is only congruent to itself modulo n.
Congruence modulo n is the same relation as congruence modulo −n. So, when studying
congruence modulo n, we may take n to be non-negative without loss of generality.

The set k + n· Z consists of all integers of the form k + n· m where m is an integer. It is the
equivalence class of congruence modulo n containing the integer k and will also be denoted
by k(mod n).
The integer k is a representative of this equivalence class. If no confusion arises, we will also
denote the class k(mod n) by k itself.

Congruence modulo 3 splits the integers in three disjoint subsets. These subsets are
represented by columns. Integers in the same subset differ by a multiple of 3.
Let n be an integer. Consider Z/nZ, the set of equivalence classes of Z modulo n. Addition
and multiplication with these classes can be defined in the following way.

Addition of congruence classes is defined in terms of representatives. For instance, to add


the two congruence classes modulo 5 above take any representatives in each of these classes,
say 6 in the first and 3 in the second. Then their sum, 9, is a representative of the sum of the
two classes.

Theorem 10.1.6 (Addition and Multiplication). On Z/nZ we define two so-called


binary operations, an addition and a multiplication, by:

• Addition: a(mod n) + b(mod n) = a + b(mod n).


• Multiplication: a(mod n)· b(mod n) = a· b(mod n).

Both operations are well defined.

Proof. We have to verify that the definitions of addition and multiplication are consistent. That is, if x ≡ x′ (mod n) and y ≡ y′ (mod n), then x + y ≡ x′ + y′ (mod n) and x·y ≡ x′·y′ (mod n). For then, the outcome of an addition or multiplication is independent of the chosen representatives. Well, x ≡ x′ (mod n) means that there exists an integer a such that x − x′ = n·a. Similarly, y ≡ y′ (mod n) means that there exists an integer b such that y − y′ = n·b.

Assertion. Addition.

The above implies (x + y) − (x′ + y′) = (x − x′) + (y − y′) = n·a + n·b = n·(a + b). Hence x + y ≡ x′ + y′ (mod n).

Assertion. Multiplication.

By the above we find x·y − x′·y′ = x·(y − y′) + (x − x′)·y′ = n·b·x + n·a·y′ = n·(b·x + a·y′). Hence x·y ≡ x′·y′ (mod n).

Example 10.1.7 (Tables for modular addition and multiplication). Here is the addition table
for Z/17Z.

+ 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 0
2 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 0 1
3 3 4 5 6 7 8 9 10 11 12 13 14 15 16 0 1 2
4 4 5 6 7 8 9 10 11 12 13 14 15 16 0 1 2 3
5 5 6 7 8 9 10 11 12 13 14 15 16 0 1 2 3 4
6 6 7 8 9 10 11 12 13 14 15 16 0 1 2 3 4 5
7 7 8 9 10 11 12 13 14 15 16 0 1 2 3 4 5 6
8 8 9 10 11 12 13 14 15 16 0 1 2 3 4 5 6 7
9 9 10 11 12 13 14 15 16 0 1 2 3 4 5 6 7 8
10 10 11 12 13 14 15 16 0 1 2 3 4 5 6 7 8 9
11 11 12 13 14 15 16 0 1 2 3 4 5 6 7 8 9 10
12 12 13 14 15 16 0 1 2 3 4 5 6 7 8 9 10 11
13 13 14 15 16 0 1 2 3 4 5 6 7 8 9 10 11 12
14 14 15 16 0 1 2 3 4 5 6 7 8 9 10 11 12 13
15 15 16 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
16 16 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Table 10.1: Addition table for Z/17Z.

Below is the multiplication table for Z/17Z.

In computations modulo n the following properties of the two operations addition and mul-
tiplication are often tacitly used. They look quite straightforward and are easy to use in
practice. But since we have constructed a new arithmetical structure, they actually do require
proofs. Here is a list of the properties we mean.

· 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
2 0 2 4 6 8 10 12 14 16 1 3 5 7 9 11 13 15
3 0 3 6 9 12 15 1 4 7 10 13 16 2 5 8 11 14
4 0 4 8 12 16 3 7 11 15 2 6 10 14 1 5 9 13
5 0 5 10 15 3 8 13 1 6 11 16 4 9 14 2 7 12
6 0 6 12 1 7 13 2 8 14 3 9 15 4 10 16 5 11
7 0 7 14 4 11 1 8 15 5 12 2 9 16 6 13 3 10
8 0 8 16 7 15 6 14 5 13 4 12 3 11 2 10 1 9
9 0 9 1 10 2 11 3 12 4 13 5 14 6 15 7 16 8
10 0 10 3 13 6 16 9 2 12 5 15 8 1 11 4 14 7
11 0 11 5 16 10 4 15 9 3 14 8 2 13 7 1 12 6
12 0 12 7 2 14 9 4 16 11 6 1 13 8 3 15 10 5
13 0 13 9 5 1 14 10 6 2 15 11 7 3 16 12 8 4
14 0 14 11 8 5 2 16 13 10 7 4 1 15 12 9 6 3
15 0 15 13 11 9 7 5 3 1 16 14 12 10 8 6 4 2
16 0 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

Table 10.2: Multiplication table for Z/17Z.

Proposition 10.1.8 (Properties of Modular Arithmetic). Let n be an integer bigger than 1. For all integers a, b, and c, we have the following equalities.

• Commutativity of addition: a(mod n) + b(mod n) = b(mod n) + a(mod n)
• Commutativity of multiplication: a(mod n)·b(mod n) = b(mod n)·a(mod n)
• Associativity of addition: (a(mod n) + b(mod n)) + c(mod n) = a(mod n) + (b(mod n) + c(mod n))
• Associativity of multiplication: (a(mod n)·b(mod n))·c(mod n) = a(mod n)·(b(mod n)·c(mod n))
• Distributivity of multiplication over addition: a(mod n)·(b(mod n) + c(mod n)) = a(mod n)·b(mod n) + a(mod n)·c(mod n)

Proof. The laws hold for integers. For instance, in the case of commutativity, we have a+b =
b + a. Now apply the Modular Addition and Multiplication Theorem (10.1.6) to both sides.
The commutativity for Z/nZ follows. The proofs of the other equalities are similar.

Example 10.1.9 (Solving equations). Calculations modulo an integer can sometimes be used
to show that an equation has no integer solutions. By working in Z/4Z, for example, we can show that 1203 cannot be written as a sum of two (integer) squares. For, in Z/4Z, the set of squares is {0, 1}. This is easily verified by squaring each of the four elements of Z/4Z. Indeed, $(0 \bmod 4)^2 = 0 \bmod 4$, $(1 \bmod 4)^2 = 1 \bmod 4$, $(2 \bmod 4)^2 = 0 \bmod 4$ and $(3 \bmod 4)^2 = 1 \bmod 4$.
Now if m and n are integers, then $(m^2 + n^2) \bmod 4 = m^2 \bmod 4 + n^2 \bmod 4$, and, by the above, this sum can only take the values 0(mod 4), 1(mod 4), or 2(mod 4). So $m^2 + n^2$ is not equal to 3 plus a multiple of 4. In particular, 1203 = 4·300 + 3 cannot be written as the sum of two squares.

Example 10.1.10 (The nine test). Suppose that $a = [a_k, ..., a_0]_{10}$ is the usual decimal representation of a. The well-known nine test

$(9 \mid a) \Leftrightarrow (9 \mid (a_k + \cdots + a_0))$    (10.2)

is based on modular arithmetic. In order to see this, we work modulo 9.
Since 10 ≡ 1 (mod 9), we find $10^n \equiv 1 \pmod 9$ for all nonnegative integers n. As $[a_k, ..., a_0]_{10} = a_k \cdot 10^k + \cdots + a_0 \cdot 10^0$, reduction modulo 9 gives $a \equiv a_k + \cdots + a_0 \pmod 9$. Thus 9 | a if and only if $9 \mid (a_k + \cdots + a_0)$.

Example 10.1.11 (Trigonometric arguments). When playing with a calculator, you may have noticed that $\sin(10^a)$ gives the same value for all values of a bigger than 2, at least when the argument expresses the number of degrees of an angle. The explanation is that $10^a$ is the same number modulo 360 for each of these values of a. Check this!

Example 10.1.12 (Calculating with powers). Modular arithmetic can greatly reduce the amount of work when computing divisibility properties of expressions involving powers. By way of example, we show that $10^9 + 1$ is divisible by 19. Working modulo 19 we start with $10^2 \equiv 5 \pmod{19}$. Squaring this congruence, we find $10^4 \equiv 6 \pmod{19}$. Similarly we get $10^8 \equiv -2 \pmod{19}$ and $10^9 \equiv -1 \pmod{19}$. But then we deduce that $10^9 + 1 \equiv 0 \pmod{19}$, which implies that $19 \mid (10^9 + 1)$.
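The repeated squaring used in the example above is the general algorithm for computing powers modulo n, usually called square-and-multiply. The following Python code is an added illustration and is not part of the textbook; the function names modpow, squaring_chain and divides_power_plus_one are our own. Every intermediate product is reduced modulo n, so the numbers never grow beyond $n^2$ no matter how large the exponent is.

```python
"""Added example (not the textbook's code): modular exponentiation by
repeated squaring, the technique of Example 10.1.12."""


def modpow(base: int, exponent: int, modulus: int) -> int:
    """Return base**exponent mod modulus using square-and-multiply.

    The exponent is scanned from its least significant binary digit
    upwards; `square` runs through base, base^2, base^4, ... (mod modulus)
    and is multiplied into the result exactly for the digits that are 1.
    """
    if modulus < 1:
        raise ValueError("modulus must be positive")
    if exponent < 0:
        raise ValueError("negative exponents need a modular inverse")
    result = 1 % modulus          # 1 % 1 == 0, so modulus == 1 is handled too
    square = base % modulus       # base^(2^i) mod modulus for i = 0, 1, 2, ...
    while exponent:
        if exponent & 1:          # current binary digit of the exponent is 1
            result = (result * square) % modulus
        square = (square * square) % modulus
        exponent >>= 1
    return result


def squaring_chain(base: int, steps: int, modulus: int) -> list:
    """Return [base, base^2, base^4, ..., base^(2^steps)] reduced mod modulus.

    For base=10, steps=3, modulus=19 this is the chain 10, 5, 6, 17 (that is,
    10^2, 10^4, 10^8 modulo 19, with 17 ≡ -2) written out in the example.
    """
    chain = [base % modulus]
    for _ in range(steps):
        chain.append((chain[-1] * chain[-1]) % modulus)
    return chain


def divides_power_plus_one(m: int, base: int, exponent: int) -> bool:
    """Decide whether m divides base**exponent + 1 without forming the power."""
    return (modpow(base, exponent, m) + 1) % m == 0
```

divides_power_plus_one(19, 10, 9) reproduces the claim of the example; the same call with an exponent of a few hundred digits is still instantaneous, which is what makes this loop the workhorse of RSA encryption and decryption discussed later in the chapter.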

A neutral element for the addition is 0(mod n). Indeed, a(mod n) + 0 = a(mod n) and
0 + a(mod n) = a(mod n). The opposite of a(mod n) ∈ Z/nZ is −a(mod n), the unique
element b such that a(mod n) + b(mod n) = 0.
A neutral element for the multiplication is 1(mod n), as a(mod n)· 1(mod n) = a(mod n)
and 1(mod n)· a(mod n) = a(mod n).
The set Z/nZ together with addition and multiplication is an example of a quotient ring, an
algebraic structure to be discussed in the theory of rings and fields.
In Z/nZ we can add, multiply, and subtract. But how about division? Does every nonzero
element have an inverse?
Definition 10.1.13. An element a ∈ Z/nZ is called invertible if there is an element b, called
inverse of a, such that a· b = 1.

If a is invertible, its inverse (which is unique, as follows from Uniqueness of the Inverse (10.1.15)) will be denoted by $a^{-1}$.
The set of all invertible elements in Z/nZ will be denoted by (Z/nZ)^×. This set is also called the multiplicative group of Z/nZ.

Example 10.1.14. In Z/18Z the element 5(mod 18) is invertible. Indeed, since 2· 18 − 7· 5 =
1, the inverse of 5(mod 18) is −7(mod 18). The element 6(mod 18) is not invertible, since
any multiple of 6 is either congruent to 0, 6, or 12 modulo 18.

Remark 10.1.15 (Uniqueness of the Inverse). Multiplicative inverses are unique, i.e., every
invertible element has exactly one inverse. For, if

a(mod n)· b(mod n) = a(mod n)· c(mod n) = 1 (10.3)


then

b(mod n) = b(mod n)· a(mod n)· c(mod n) = a(mod n)· b(mod n)· c(mod n) = c(mod n)
(10.4)

An integer a will be called invertible modulo n if its class a(mod n) is invertible.


In Z/nZ division is not always possible. Some nonzero elements do have an inverse, others don't. The following theorem tells us precisely which elements of Z/nZ have an inverse.

Theorem 10.1.16 (Characterization of Modular Invertibility). Let n > 1 and a ∈ Z.

(a) The class a(mod n) in Z/nZ has a multiplicative inverse if and only if gcd(a, n) = 1.
(b) If a and n are relatively prime, then the inverse of a(mod n) is the class extended-gcd(a, n)_2 (mod n). Here extended-gcd(a, n)_2 denotes the second component of the output of the Extended Euclidean Algorithm (9.2.5), i.e., the coefficient x in a·x + n·y = 1.
(c) In Z/nZ, every class distinct from 0 has an inverse if and only if n is prime.

Proof. The second and third statement of the theorem are straightforward consequences of
the first and its proof. So, we only prove the first. There are two parts to the proof.
Assertion. If.

If gcd (a, n) = 1, then, from the Extended Euclidean Algorithm (9.2.5), it follows that there are
integers x and y such that a· x+n· y = 1. In Z/nZ this translates to a(mod n)· x(mod n)+0 = 1.
In particular, x(mod n) is the inverse of a(mod n).
Notice that x indeed coincides modulo n with extended-gcd(a, n)_2, which proves the second statement.

Assertion. Only if.

If a(mod n) has an inverse b(mod n) in Z/nZ, then there exists an integer x with a· b+x· n = 1.
So, by the Characterization of the gcd (9.2.9), we find gcd (a, n) = 1.

Example 10.1.17. The invertible elements in $\mathbb{Z}/2^n\mathbb{Z}$ are the classes $x \pmod{2^n}$ for which x is an odd integer.
Indeed, the gcd of x and $2^n$ equals 1 if and only if x is odd.

An arithmetical system such as Z/pZ with p prime, in which every element not equal to 0
has a multiplicative inverse, is called a field, just like Q, R, and C.
Suppose that n and a are integers with n > 1 and gcd (a, n) = 1. The Characterization of
Modular Invertibility (10.1.16) not only gives the existence of the inverse of a(mod n) in
Z/nZ, but also a way to compute this inverse.
Algorithm 10.1.18 (Modular Inverse).
• Input: integers n > 1 and a.
• Output: the inverse of the class a(mod n) of a in Z/nZ if it exists, and 0 otherwise.

Inverse := procedure(a, n)
    local variables
        E := extended-gcd(a, n)
    if E_1 = 1
    then return E_2 (mod n)
    else return 0

Proof.
Assertion. Termination.
By the absence of loops this is obvious.
Assertion. Correctness.

Obvious by part (b) of the Characterization of Modular Invertibility (10.1.16).

Example 10.1.19. Consider a = 24 and n = 35. Then a and n are relatively prime. So a(mod n)
has an inverse. To find the inverse of a(mod n), we apply the Extended Euclidean Algorithm.
This gives the following expression of 1 as a linear combination of a and n:

1 = 35· 11 − 24· 16 (10.5)

We deduce that the inverse of a(mod n) equals −16(mod n).



Besides invertible elements in Z/nZ, which can be viewed as divisors of 1, see Definition of
inverse (10.1.13), one can also consider the divisors of 0.
Definition 10.1.20. An element a ∈ Z/nZ not equal to 0 is called a zero divisor if there is a
nonzero element b such that a· b = 0.

Example 10.1.21. The zero divisors in Z/24Z are those elements for which one finds a 0 in the corresponding row (or column) of the multiplication table. These are the classes of the integers in {1, ..., 23} that share a factor with 24, namely 2(mod 24), 3(mod 24), 4(mod 24), 6(mod 24), 8(mod 24), 9(mod 24), 10(mod 24), 12(mod 24), 14(mod 24), 15(mod 24), 16(mod 24), 18(mod 24), 20(mod 24), 21(mod 24), and 22(mod 24).
The multiplication table modulo 24

· 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
2 2 4 6 8 10 12 14 16 18 20 22 0 2 4 6 8 10 12 14 16 18 20 22
3 3 6 9 12 15 18 21 0 3 6 9 12 15 18 21 0 3 6 9 12 15 18 21
4 4 8 12 16 20 0 4 8 12 16 20 0 4 8 12 16 20 0 4 8 12 16 20
5 5 10 15 20 1 6 11 16 21 2 7 12 17 22 3 8 13 18 23 4 9 14 19
6 6 12 18 0 6 12 18 0 6 12 18 0 6 12 18 0 6 12 18 0 6 12 18
7 7 14 21 4 11 18 1 8 15 22 5 12 19 2 9 16 23 6 13 20 3 10 17
8 8 16 0 8 16 0 8 16 0 8 16 0 8 16 0 8 16 0 8 16 0 8 16
9 9 18 3 12 21 6 15 0 9 18 3 12 21 6 15 0 9 18 3 12 21 6 15
10 10 20 6 16 2 12 22 8 18 4 14 0 10 20 6 16 2 12 22 8 18 4 14
11 11 22 9 20 7 18 5 16 3 14 1 12 23 10 21 8 19 6 17 4 15 2 13
12 12 0 12 0 12 0 12 0 12 0 12 0 12 0 12 0 12 0 12 0 12 0 12
13 13 2 15 4 17 6 19 8 21 10 23 12 1 14 3 16 5 18 7 20 9 22 11
14 14 4 18 8 22 12 2 16 6 20 10 0 14 4 18 8 22 12 2 16 6 20 10
15 15 6 21 12 3 18 9 0 15 6 21 12 3 18 9 0 15 6 21 12 3 18 9
16 16 8 0 16 8 0 16 8 0 16 8 0 16 8 0 16 8 0 16 8 0 16 8
17 17 10 3 20 13 6 23 16 9 2 19 12 5 22 15 8 1 18 11 4 21 14 7
18 18 12 6 0 18 12 6 0 18 12 6 0 18 12 6 0 18 12 6 0 18 12 6
19 19 14 9 4 23 18 13 8 3 22 17 12 7 2 21 16 11 6 1 20 15 10 5
20 20 16 12 8 4 0 20 16 12 8 4 0 20 16 12 8 4 0 20 16 12 8 4
21 21 18 15 12 9 6 3 0 21 18 15 12 9 6 3 0 21 18 15 12 9 6 3
22 22 20 18 16 14 12 10 8 6 4 2 0 22 20 18 16 14 12 10 8 6 4 2
23 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

Table 10.3: The multiplication table modulo 24

The following theorem tells us which elements of Z/nZ are zero divisors. They turn out to be
those nonzero elements which are not invertible. Hence a nonzero element in Z/nZ is either
invertible or a zero divisor.

Theorem 10.1.22 (Zero Divisor Characterization). Let n > 1 and a ∈ Z.

(a) The class a(mod n) in Z/nZ is a zero divisor if and only if gcd (a, n) > 1 and
a(mod n) is nonzero.
(b) The residue ring Z/nZ has no zero divisors if and only if n is prime.

Proof. The second statement of the theorem is a straightforward consequence of the first. So,
we only prove the first. There are two parts to the proof.
Assertion. If.

Suppose that gcd (a, n) > 1, and set b = n/gcd (a, n). Then the class b(mod n) of b is nonzero,
but a· b is a multiple of n and so a· b(mod n) = 0. This translates to a(mod n)· b(mod n) = 0
in Z/nZ. In particular, a(mod n) is a zero divisor.
Assertion. Only if.

If a(mod n) is a zero divisor, then it is nonzero and there is a nonzero element b(mod n) in Z/nZ with a(mod n)·b(mod n) = 0. Replacing a by a representative of its class, we may assume that a lies in {1, ..., n − 1}; let b′ be the representative of b(mod n) in {1, ..., n − 1}. Then a·b′ is a positive common multiple of a and n, so lcm(a, n) ≤ a·b′ < a·n. Now the Relation between gcd and lcm (9.1.19), gcd(a, n)·lcm(a, n) = a·n, implies that gcd(a, n) > 1.

Example 10.1.23. Below you find the multiplication table of Z/17Z \ {0}. As you can see,
it contains no entry with a 0, which implies that Z/17Z has no zero divisors. Moreover, as
each row and column contains a 1, each nonzero element of Z/17Z is invertible.

Since an element a(mod n) of Z/nZ is either 0, a zero divisor, or invertible, the Modular
Inverse Algorithm (10.1.18) for computing inverses in Z/nZ also provides us with a way to
check whether an arbitrary element of Z/nZ is a zero divisor.
Let n be an integer. Inside Z/nZ, we can distinguish the set of invertible elements and the set
of zero divisors. The set of invertible elements is closed under multiplication, the set of zero
divisors together with 0 is even closed under multiplication by arbitrary elements.
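The Modular Inverse Algorithm (10.1.18) and the split of Z/nZ into 0, invertible elements and zero divisors (Theorems 10.1.16 and 10.1.22) can be carried out in a few lines of Python. The code below is an added illustration, not the textbook's own code; the names extended_gcd, inverse, classify, zero_divisors, units and units_closed_under_product are ours. extended_gcd(a, b) returns (g, x, y) with a·x + b·y = g, in the same order as extended-gcd in the text, so the inverse is the second component reduced modulo n.

```python
"""Added example (not the textbook's code): the Modular Inverse algorithm
via the extended Euclidean algorithm, and the classification of each class
of Z/nZ as zero, invertible, or a zero divisor."""

from math import gcd


def extended_gcd(a: int, b: int) -> tuple:
    """Return (g, x, y) with g = gcd(a, b) >= 0 and a*x + b*y == g.

    Iterative Extended Euclidean Algorithm: (old_x, x) and (old_y, y) track
    how the two current remainders are written as combinations of a and b.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    if old_r < 0:              # normalise so that the gcd is non-negative
        old_r, old_x, old_y = -old_r, -old_x, -old_y
    return old_r, old_x, old_y


def inverse(a: int, n: int) -> int:
    """Inverse of a (mod n) as an integer in {1, ..., n-1}, or 0 if none exists.

    Mirrors Algorithm 10.1.18: when gcd(a, n) == 1 the coefficient x in
    a*x + n*y = 1 is the inverse, reduced modulo n.
    """
    if n <= 1:
        raise ValueError("n must be greater than 1")
    g, x, _ = extended_gcd(a, n)
    return x % n if g == 1 else 0


def classify(a: int, n: int) -> str:
    """Return 'zero', 'unit' or 'zero divisor' for the class a (mod n).

    By Theorems 10.1.16 and 10.1.22 a nonzero class is a unit exactly when
    gcd(a, n) == 1 and a zero divisor otherwise.
    """
    if n <= 1:
        raise ValueError("n must be greater than 1")
    if a % n == 0:
        return "zero"
    return "unit" if gcd(a, n) == 1 else "zero divisor"


def zero_divisors(n: int) -> list:
    """All zero divisors of Z/nZ, as representatives in {1, ..., n-1}."""
    return [a for a in range(1, n) if classify(a, n) == "zero divisor"]


def units(n: int) -> list:
    """All invertible classes, i.e. (Z/nZ)^x, as representatives in {1, ..., n-1}."""
    return [a for a in range(1, n) if classify(a, n) == "unit"]


def units_closed_under_product(n: int) -> bool:
    """Brute-force check of Lemma 10.1.24(a): a product of two units is a unit."""
    u = set(units(n))
    return all((a * b) % n in u for a in u for b in u)
```

inverse(24, 35) returns 19, the class of −16 from Example 10.1.19, and zero_divisors(24) lists the classes of Example 10.1.21. For a prime modulus such as 17, zero_divisors is empty and units has all 16 nonzero classes, in line with part (c) of Theorem 10.1.16.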

· 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
2 2 4 6 8 10 12 14 16 1 3 5 7 9 11 13 15
3 3 6 9 12 15 1 4 7 10 13 16 2 5 8 11 14
4 4 8 12 16 3 7 11 15 2 6 10 14 1 5 9 13
5 5 10 15 3 8 13 1 6 11 16 4 9 14 2 7 12
6 6 12 1 7 13 2 8 14 3 9 15 4 10 16 5 11
7 7 14 4 11 1 8 15 5 12 2 9 16 6 13 3 10
8 8 16 7 15 6 14 5 13 4 12 3 11 2 10 1 9
9 9 1 10 2 11 3 12 4 13 5 14 6 15 7 16 8
10 10 3 13 6 16 9 2 12 5 15 8 1 11 4 14 7
11 11 5 16 10 4 15 9 3 14 8 2 13 7 1 12 6
12 12 7 2 14 9 4 16 11 6 1 13 8 3 15 10 5
13 13 9 5 1 14 10 6 2 15 11 7 3 16 12 8 4
14 14 11 8 5 2 16 13 10 7 4 1 15 12 9 6 3
15 15 13 11 9 7 5 3 1 16 14 12 10 8 6 4 2
16 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

Table 10.4: Multiplication table for Z/17Z.

Lemma 10.1.24. Let n be an integer with n > 1.

(a) If a and b are elements in (Z/nZ)^×, then their product a·b is invertible and therefore also in (Z/nZ)^×. The inverse of a·b is given by $b^{-1} \cdot a^{-1}$.
(b) If a is a zero divisor in Z/nZ and b an arbitrary element, then a·b is either 0 or a zero divisor.

Proof. Assume that a and b are elements in Z/nZ× . As (a· b)· (b−1 · a−1 ) = a· a−1 = 1 the
inverse of a· b is b−1 · a−1 . This establishes the first assertion.
If a is a zero divisor in Z/nZ, then there is a nonzero element c with a· c equal to 0. But then
a· b· c is also equal to 0. So a· b is 0 or a zero divisor.

Example 10.1.25. The zero divisors in Z/6Z are those elements for which 0 occurs in the corresponding row (or column) of the multiplication table. The invertible elements are the elements for which 1 occurs in the corresponding row (or column).
So, the zero divisors are the classes of 2, 3, and 4, while the invertible elements are the classes of 1 and 5.
Notice that $5^2 \pmod 6 = 1 \pmod 6$. So indeed, the set of invertible elements is closed under multiplication.

· 1 2 3 4 5
1 1 2 3 4 5
2 2 4 0 2 4
3 3 0 3 0 3
4 4 2 0 4 2
5 5 4 3 2 1

Table 10.5: Multiplication table modulo 6.

10.2 Linear congruences

In addition to the linear equation

a·x = b    (10.6)

with integer coefficients a and b in the single unknown x, we study, for positive integers n, the related equation

a·x ≡ b (mod n)    (10.7)

in the unknown x. Such an equation is called a linear congruence. It is closely related to the equation

a·x = b    (10.8)

where a and b are elements of Z/nZ and the unknown x is also in Z/nZ.
Solving such a linear congruence or the related equation in Z/nZ is based on solving

a·x + n·y = b    (10.9)

in the unknowns x and y; see Linear Diophantine Equation Solving Algorithm (9.3.4). The results of that algorithm can easily be translated to the present situation. As a result we obtain the following algorithm for solving linear congruences.
Algorithm 10.2.1 (Linear Congruence).
• Input: integers a, b, and a positive integer n
• Output: the set of all classes x modulo n satisfying the equation a·x ≡ b (mod n)

SolveLinCong := procedure(a, b, n)
    local variables
        E := extended-gcd(a, n)
        g := E_1
        z := E_2
    if g | b
    then return { z·(b/g) + k·(n/g) (mod n) | k ∈ Z/nZ }
    else return ∅
Proof.
Assertion. Termination.
Obvious in the absence of loops.
Assertion. Correctness.

For each integer solution x to the linear congruence a·x ≡ b (mod n), there is an integer y such that the pair x, y is a solution to the linear Diophantine equation a·x + n·y = b, and vice versa. So, the correctness of the algorithm follows from the correctness of Linear Diophantine Equation Solving Algorithm (9.3.4) for solving linear Diophantine equations.

Remark 10.2.2. In the terminology of the Linear Congruence Algorithm (10.2.1), the solutions of the related equation a·x = b over Z/nZ are the elements of the set

{ z·(b/g) + k·(n/g) (mod n) | k ∈ Z/nZ }    (10.10)

Observe that there are exactly g distinct solutions; they are obtained for k = 0, 1, ..., g − 1.

Example 10.2.3. In order to find all solutions to the congruence 24· x ≡ 12 (mod 15) we first
compute the gcd of 24 and 15. Using the Extended Euclidean Algorithm (9.2.5) we find

gcd (24, 15) = 3 = 2· 24 − 3· 15 (10.11)

Now 3 divides 12, so the solution set is

{(2· 12 + k· 15)/3 | k ∈ Z} (10.12)

Instead of using the algorithm, we can also use the expression of the gcd as a linear combina-
tion of 24 and 15 to argue what the solution is. To this end, multiply both sides of the equality
3 = 2· 24 − 3· 15 by 4. This gives 12 = 8· 24 − 12· 15.

So, a solution of the congruence is x = 8(mod 15). Other solutions can be found by adding
multiples of 15/3(mod 15) to this particular solution.
So, the complete set of solutions for x consists of the classes 3(mod 15), 8(mod 15), and
13(mod 15).

We extend the study of a single congruence to a method for solving special systems of con-
gruences.

Theorem 10.2.4 (Chinese Remainder Theorem). Suppose that $n_1, ..., n_k$ are pairwise coprime integers. Then for all integers $a_1, ..., a_k$ the system of linear congruences

$x \equiv a_i \pmod{n_i}$    (10.13)

with i ∈ {1, ..., k} has a solution. Indeed, with $n = \prod_{i=1}^{k} n_i$, the integer

$x = \sum_{i=1}^{k} a_i \cdot y_i \cdot \frac{n}{n_i}$    (10.14)

where for each i we have

$y_i = \text{extended-gcd}\left(n_i, \frac{n}{n_i}\right)_3$    (10.15)

(the coefficient of $n/n_i$ in the identity $x_i \cdot n_i + y_i \cdot (n/n_i) = 1$ produced by the Extended Euclidean Algorithm), satisfies all congruences.
Any two solutions to the system of congruences are congruent modulo the product $\prod_{i=1}^{k} n_i$.

Proof. The proof consists of two parts.


Assertion. Existence of a solution.

Let n be equal to $\prod_{i=1}^{k} n_i$. Then, by the assumption that the $n_i$ are pairwise coprime, we find that for each i the greatest common divisor of $n_i$ and $n/n_i$ equals 1. Thus by the Extended Euclidean Algorithm (9.2.5) we can find $x_i$ and $y_i$ with $x_i \cdot n_i + y_i \cdot (n/n_i) = 1$. Since $x_i \cdot n_i + y_i \cdot (n/n_i) = 1$, we find that $a_i \cdot y_i \cdot (n/n_i)$ is equal to $a_i$ if we compute modulo $n_i$, and equal to 0 if we compute modulo $n_j$ for $j \neq i$ (as $n_j$ divides $n/n_i$). This clearly implies that $x = \sum_{i=1}^{k} a_i \cdot y_i \cdot (n/n_i)$ satisfies $x \equiv a_i \pmod{n_i}$ for all i. So we have found that x is a solution. This solution is not unique. Indeed, for any integer a, the integer x + a·n is also a solution.
Assertion. Uniqueness modulo n.

Suppose that, besides x, also y is a solution to the system of congruences. Then for each i we
find that the integer ni divides the difference x − y. By the observation that, if two coprime
integers divide an integer, then so does their product, this implies that x − y is a common
multiple of all the ni , and thus a multiple of the least common multiple of the ni , which
equals n. This proves that up to multiples of n there is only one solution.

Example 10.2.5. Suppose that a, b, m, and n are integers. We indicate how to find the com-
mon integral solutions x to the linear congruences x ≡ a (mod m) and x ≡ b (mod n).
Consider the case where a = 13, b = 5, m = 14, and n = 17.
Of course, adding multiples of m· n = 238 to any solution will provide other solutions. There-
fore we can restrict our attention to solutions in the interval {0, ..., 237}.
The integers x in {0, ..., 237} satisfying x ≡ 13 (mod 14) are

13, 27, 41, 55, 69, 83, 97, 111, 125, 139, 153, 167, 181, 195, 209, 223, 237 (10.16)

The positive integers x in {0, ..., 237} satisfying x ≡ 5 (mod 17) are

5, 22, 39, 56, 73, 90, 107, 124, 141, 158, 175, 192, 209, 226 (10.17)

So, modulo 238, the unique common solution to both congruences is 209.

Here is another way of making the last statement of Chinese Remainder Theorem (10.2.4): If x is a solution, then the set of all solutions is the class $x \pmod{\prod_{i=1}^{k} n_i}$.
The Chinese Remainder Theorem (10.2.4) can be turned into an algorithm to solve systems
of linear congruences.
Algorithm 10.2.6 (Chinese Remainder Algorithm).
• Input: distinct and pairwise coprime integers $n_1, ..., n_k$, as well as integers $a_1, ..., a_k$.
• Output: a common solution x to the congruences $x \equiv a_i \pmod{n_i}$.

ChineseRemainder := procedure(n_1, ..., n_k, a_1, ..., a_k)
    local variables
        i
        y_1, ..., y_k
        n := ∏_{i=1}^{k} n_i
    for i := 1 while i ≤ k with step i := i + 1 do
        y_i := extended-gcd(n_i, n/n_i)_3
    return ∑_{i=1}^{k} a_i·y_i·(n/n_i)

Proof.
Assertion. Termination.
Obvious.

Assertion. Correctness.

This follows immediately from the Chinese Remainder Theorem (10.2.4).
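The Linear Congruence Algorithm (10.2.1) and the Chinese Remainder Algorithm (10.2.6) in Python, as an added illustration that is not part of the textbook; the function names solve_linear_congruence, chinese_remainder and check_solution are ours. Instead of a hand-written extended-gcd the code uses Python's built-in pow(a, -1, m) (available from Python 3.8), which returns the inverse of a modulo m and raises ValueError precisely when gcd(a, m) ≠ 1, i.e. under the condition of Theorem 10.1.16.

```python
"""Added example (not the textbook's code): solving a single linear
congruence a*x ≡ b (mod n) and a system x ≡ a_i (mod n_i) with pairwise
coprime moduli (Chinese Remainder Theorem)."""

from math import gcd, prod


def solve_linear_congruence(a: int, b: int, n: int) -> list:
    """All classes x (mod n) with a*x ≡ b (mod n), as sorted representatives.

    With g = gcd(a, n) the congruence is solvable iff g divides b.  Dividing
    through by g gives (a/g)*x ≡ b/g (mod n/g), where a/g is now invertible,
    so there is one class x0 modulo n/g and exactly g classes modulo n:
    x0, x0 + n/g, ..., x0 + (g-1)*n/g   (Remark 10.2.2).
    """
    if n <= 0:
        raise ValueError("modulus must be positive")
    g = gcd(a, n)
    if b % g != 0:
        return []                       # no solution at all
    m = n // g
    if m == 1:                          # a ≡ 0 and b ≡ 0 (mod n): every class works
        return list(range(n))
    x0 = (pow(a // g, -1, m) * (b // g)) % m
    return sorted((x0 + k * m) % n for k in range(g))


def chinese_remainder(moduli: list, residues: list) -> int:
    """Smallest non-negative x with x ≡ residues[i] (mod moduli[i]) for all i.

    Requires pairwise coprime moduli (checked up front).  Follows formula
    (10.14): x = sum a_i * y_i * (n/n_i), where y_i inverts n/n_i modulo n_i.
    """
    if len(moduli) != len(residues):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    n = prod(moduli)
    x = 0
    for n_i, a_i in zip(moduli, residues):
        m_i = n // n_i
        y_i = pow(m_i, -1, n_i) if n_i > 1 else 0   # modulus 1 imposes no condition
        x += a_i * y_i * m_i
    return x % n


def check_solution(x: int, moduli: list, residues: list) -> bool:
    """Verify every congruence x ≡ a_i (mod n_i) directly, as a sanity check."""
    return all((x - a_i) % n_i == 0 for n_i, a_i in zip(moduli, residues))
```

solve_linear_congruence(24, 12, 15) returns [3, 8, 13], the three classes found in Example 10.2.3, and chinese_remainder([14, 17], [13, 5]) returns 209 as in Example 10.2.5, without enumerating the two arithmetic progressions. The coprimality check matters in practice: dropping it turns a ValueError into a silently wrong answer whenever two moduli share a factor.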

10.3 The Theorems of Fermat and Euler

Let p be a prime. Consider Z/pZ, the set of equivalence classes of Z modulo p. In Z/pZ we
can add, subtract, multiply, and divide by elements which are not 0. Moreover, it contains no
zero divisors. So Z/pZ has very nice properties. These are used in the proof of the following
important result.

[Figure: Pierre de Fermat (1601-1665)]

Theorem 10.3.1 (Fermat's Little Theorem). Let p be a prime. For every integer a we have

$a^p \equiv a \pmod p$    (10.18)

In particular, if a is not in 0(mod p), then

$a^{p-1} \equiv 1 \pmod p$    (10.19)

Equivalently, for all elements a in Z/pZ we have

$a^p = a$    (10.20)

For nonzero elements a we have

$a^{p-1} = 1$    (10.21)

Proof. Although the statements on integers and on classes are easily seen to be equivalent,
we present a proof for each of these. Let p be a prime.
Assertion. For every integer a we have a p ≡ a (mod p).

For nonnegative a we give a proof by induction on a.
For a equal to 0 the statement is trivial. Now assume that, for some a ≥ 0, we have $a^p \equiv a \pmod p$. By Newton's Binomium, we find that $(a+1)^p$ equals $\sum_{i=0}^{p} \binom{p}{i} a^i$. Recall that the binomial coefficient is determined by $\binom{p}{i} = \frac{p!}{(p-i)!\, i!}$. Thus, for i not equal to 0 or p, the numerator of this fraction is divisible by the prime p, whereas the denominator is not. We conclude that, for i not equal to 0 or p, the binomial coefficient $\binom{p}{i}$ is divisible by p. As a result we find that $(a+1)^p \equiv a^p + 1 \pmod p$. Now, from the hypothesis $a^p \equiv a \pmod p$ we conclude that

$(a+1)^p \equiv a + 1 \pmod p$    (10.22)

This proves the theorem for all nonnegative a.
If a is negative, then, by the above, $(-a)^p \equiv -a \pmod p$. If p is odd, we immediately deduce $a^p \equiv a \pmod p$. If p is even, then it is 2 and the above implies that $a^p \equiv -a \pmod p$. But as −a ≡ a (mod 2), we again find that $a^p \equiv a \pmod p$. This proves the assertion for all integers a.
Assertion. For all elements a in Z/pZ we have a p = a.

For a equal to 0 the statements are trivial. Thus assume that a is nonzero. Consider the set
Z/pZ× of nonzero (and hence invertible) elements of Z/pZ.
Consider the map

M_a : Z/pZ× → Z/pZ×, b ↦ a·b (10.23)

that is, multiplication by a. As Z/pZ contains no zero divisors, see Characterization of
Modular Invertibility (10.1.16), the map is well defined. Moreover, this map is bijective.
Indeed, its inverse is M_{a^{−1}}, multiplication by a^{−1}. As a result we see that the product of
all elements in Z/pZ× is not only equal to ∏_{z∈Z/pZ×} z, but also to ∏_{z∈Z/pZ×} M_a(z). The
products are taken over the same set. The order in which the elements are multiplied might
differ, but that does not affect the result. The latter product equals

∏_{z∈Z/pZ×} (a·z) = a^{p−1} · ∏_{z∈Z/pZ×} z (10.24)

By Characterization of Modular Invertibility (10.1.16) the product ∏_{z∈Z/pZ×} z is nonzero and
hence invertible, see Invertibility of Products (10.1.24). Therefore, a^{p−1} = 1. Multiplying
both sides of the equation by a proves the assertion.
The other statements in Fermat’s Little Theorem (10.3.1) follow easily from the above
assertions.

Example 10.3.2. As 7 is prime, Fermat’s Little Theorem (10.3.1) implies that 2^6 ≡ 1 (mod 7).
Indeed, 2^6 = 64 = 9·7 + 1.

Example 10.3.3. The integer 1234^{1234} − 2 is divisible by 7.

Indeed, if we compute modulo 7, then we find 1234 ≡ 2 (mod 7). Moreover, by Fermat’s
Little Theorem (10.3.1) we have 2^6 ≡ 1 (mod 7), so

1234^{1234} ≡ 2^{1234} ≡ 2^{6·205+4} ≡ 2^4 ≡ 2 (mod 7).
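The exponent reduction carried out by hand in Example 10.3.3 can be mechanized. The following Python code is an added illustration and not part of the book: `pow_mod_prime` assumes, as the theorem does, that its modulus p is prime, reduces the exponent modulo p − 1 as permitted by (10.19) for a ≢ 0 (mod p), and then exponentiates by repeated squaring; the class a ≡ 0 (mod p) is handled separately, because only (10.18) applies to it. `fermat_holds` checks (10.18) for every residue class and fails for a composite modulus, which is why the shortcut is only valid for primes.

```python
# Added example: Fermat's Little Theorem (10.3.1) used to shrink exponents, as in Example 10.3.3.

def pow_mod_prime(a, k, p):
    """Compute a^k mod p for a prime p (assumed, as in the theorem).

    For a ≢ 0 (mod p), (10.19) gives a^(p-1) ≡ 1, hence a^k ≡ a^(k mod (p-1)) (mod p),
    which is exactly the step taken in Example 10.3.3.  For a ≡ 0 (mod p) only (10.18)
    applies, so that case is handled directly.
    """
    a %= p
    if a == 0:
        return 0 if k > 0 else 1          # 0^0 is taken to be 1, matching pow(0, 0, p)
    r = k % (p - 1)                       # the reduced exponent
    result, base = 1, a
    while r:                              # square-and-multiply on the reduced exponent
        if r & 1:
            result = result * base % p
        base = base * base % p
        r >>= 1
    return result


def fermat_holds(p):
    """Check a^p ≡ a (mod p) for every residue class a, as (10.18) asserts for prime p.

    For a composite modulus the congruence fails for some a (e.g. 2^4 ≡ 0 ≢ 2 (mod 4)),
    so the exponent shortcut above must never be used with a composite modulus.
    """
    return all(pow(a, p, p) == a % p for a in range(p))
```

For the worked case of Example 10.3.3, `pow_mod_prime(1234, 1234, 7)` returns 2, and `fermat_holds(7)` is true while `fermat_holds(4)` is false.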

Remark 10.3.4. Pierre de Fermat (1601-1665) was a French magistrate who was very inter-
ested in mathematics. He is especially known for the statement that there are no nonzero
integers x, y, z with x^n + y^n = z^n when n is an integer greater than 2. For n = 2 there are lots
of solutions.
Fermat wrote this statement in the margin of a book and claimed to have proved it; see also
Diophantus’ book on Arithmetic (9.3). Although many mathematicians have tried to prove this
statement, it took more than 300 years before a rigorous proof was found. In 1994, Andrew
Wiles finally came up with a proof that uses very deep and advanced mathematics. Whether
Fermat really proved the statement remains unclear.

Fermat’s Little Theorem (10.3.1) states that the multiplicative group Z/pZ× , where p is a
prime, contains precisely p − 1 elements. For arbitrary positive n, the number of elements in
the multiplicative group Z/nZ× is given by the so-called Euler totient function.

Definition 10.3.5 (Euler totient function). The Euler totient function Φ : N → N is defined by
Φ(n) = |Z/nZ×| for all n ∈ N with n > 1, and by Φ(1) = 1.

Example 10.3.6. Below the values of the Euler totient function are listed for all positive
integers up to 20.

n      1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20
Φ(n)   1  1  2  2  4  2  6  4  6  4 10  3 12  6  8  8 16  6 18  8

Table 10.6: Euler totient function

Theorem 10.3.7 (Euler Totient). The Euler totient function (10.3.5) satisfies the fol-
lowing properties.

(a) Suppose that n and m are positive integers. If gcd (n, m) = 1, then

Φ(n· m) = Φ(n)· Φ(m) (10.25)

(b) If p is a prime and n a positive integer, then

Φ(p^n) = p^n − p^{n−1} (10.26)

(c) If a is a positive integer with distinct prime divisors p_1, ..., p_s and prime factor-
ization a = ∏_{i=1}^{s} p_i^{n_i}, then

Φ(a) = ∏_{i=1}^{s} (p_i^{n_i} − p_i^{n_i − 1}) (10.27)

(d) The Euler Totient function satisfies the following recursion:

Φ(1) = 1 (10.28)

and

Φ(n) = n − ∑_{1≤d<n, d|n} Φ(d) (10.29)

Proof.
Assertion. Part (a).
Suppose that n and m are two positive integers which are coprime. If a and b are two integers
congruent modulo n· m, then they are also congruent modulo n and modulo m.
Moreover, if an integer a is relatively prime to n· m, then clearly a is also relatively prime
to both n and m. Consequently, the map F : Z/n· mZ× → Z/nZ× × Z/mZ× defined by
F (a(mod n· m)) = (a(mod n), a(mod m)) is well defined.
The Chinese Remainder Theorem (10.2.4) implies that for each pair (b(mod n), c(mod m)) in
Z/nZ× × Z/mZ× there is one and only one class a(mod n· m) of Z/n· mZ× which is mapped
onto the pair (b(mod n), c(mod m)) by F. This proves that F is a bijection. So Z/n· mZ×
and Z/nZ× × Z/mZ× have the same number of elements. This proves that Φ(n· m) =
Φ(n)· Φ(m).
Assertion. Part (b).
Suppose that p is a prime and n a positive integer. The integers a which are not relatively
prime to p^n are exactly the multiples of p. As there are p^{n−1} multiples of p in {1, ..., p^n}, we
find Φ(p^n) = p^n − p^{n−1}.
Assertion. Part (c).

Part (c) is a direct consequence of the two other statements.


Assertion. Part (d).

The first part is obvious, so we concentrate on proving the second part.

The set {1, ..., n} is the disjoint union of the sets V(n, d) = {m ∈ {1, ..., n} | gcd(m, n) = d},
where d runs through the set of positive divisors of n (in which case also n/d runs through the
set of positive divisors of n).
For multiples m, n of d, we have gcd(m, n) = d if and only if gcd(m/d, n/d) = 1. The set V(n, d)
therefore also equals d · V(n/d, 1).
But |V(m, 1)| = Φ(m), so V(n, d) contains precisely Φ(n/d) elements. Consequently, n =
∑_{1≤d, d|n} Φ(n/d) = ∑_{1≤d, d|n} Φ(d).
Taking apart the summand Φ(n) (occurring for d = n), and bringing the remaining summation
to the other side, we find the required formula.

Example 10.3.8. By the Euler Totient Theorem (10.3.7) we find:

Φ(100) = Φ(2^2 · 5^2) = Φ(2^2) · Φ(5^2) = (2^2 − 2) · (5^2 − 5) = 40 (10.30)

Example 10.3.9. The number of invertible elements in Z/6Z can be computed with the for-
mula of Part (d) of the theorem:
Φ(6) = 6 − Φ(1) − Φ(2) − Φ(3) = 6 − 1 − 1 − 2 = 2
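The three descriptions of Φ on this page, the count of invertible classes in Definition 10.3.5, the product formula (10.27) of Theorem 10.3.7(c), and the recursion (10.29) of Part (d), can each be turned into a computation and compared. The Python below is an added example and not the book's own code; `prime_factorization` uses trial division, which is adequate for the small arguments used here.

```python
# Added example: three ways to compute the Euler totient function of Definition 10.3.5.
from math import gcd


def phi_count(n):
    """Definition 10.3.5 directly: count 1 ≤ a ≤ n with gcd(a, n) = 1 (invertible classes)."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def prime_factorization(n):
    """Return [(p, e), ...] with n = product of p^e, by trial division (n ≥ 1)."""
    factors = []
    d = 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            factors.append((d, e))
        d += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def phi_product(n):
    """Theorem 10.3.7(c): Φ(∏ p_i^{n_i}) = ∏ (p_i^{n_i} − p_i^{n_i − 1}); Φ(1) = 1 (empty product)."""
    result = 1
    for p, e in prime_factorization(n):
        result *= p ** e - p ** (e - 1)
    return result


def phi_recursive(n, memo=None):
    """Theorem 10.3.7(d): Φ(1) = 1 and Φ(n) = n − ∑_{1≤d<n, d|n} Φ(d), memoized."""
    if memo is None:
        memo = {}
    if n == 1:
        return 1
    if n in memo:
        return memo[n]
    total = n - sum(phi_recursive(d, memo) for d in range(1, n) if n % d == 0)
    memo[n] = total
    return total
```

Example 10.3.8 corresponds to `phi_product(100)`, Example 10.3.9 to `phi_recursive(6)`; all three functions agree on every n, which is a useful sanity check when re-deriving a totient by hand.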

Let n be a prime. Then Φ(n) = n − 1. So, by Fermat’s Little Theorem (10.3.1) we have
(a (mod n))^{Φ(n)} = 1 (mod n) for all integers a that are not a multiple of n.
This statement can be generalized to arbitrary n.

Leonard Euler
Theorem 10.3.10 (Euler’s Theorem). Suppose n is an integer with n ≥ 2. Let a be an
element of Z/nZ×. Then a^{Φ(n)} = 1.

Proof. The proof of the theorem almost literally follows the second proof of Fermat’s Little
Theorem (10.3.1).
Suppose a in Z/nZ× . Consider the map

M_a : Z/nZ× → Z/nZ×, z ↦ a·z (10.31)

In other words, M_a is multiplication by a. By the Invertibility of Products (10.1.24), this
map is well defined. Moreover, the map is bijective. Indeed, its inverse is given by M_{a^{−1}},
multiplication by a^{−1}. As a result we see that the product of all elements in Z/nZ× equals not
only ∏_{z∈Z/nZ×} z but also ∏_{z∈Z/nZ×} M_a(z). The products are over the same set of elements.
They are just taken in different order, but that does not influence the result. In other words,
the products are equal. But the latter product equals ∏_{z∈Z/nZ×} (a·z) = a^{Φ(n)} · ∏_{z∈Z/nZ×} z. By
Invertibility of Products (10.1.24) the product ∏_{z∈Z/nZ×} z is invertible, so, multiplying both
sides of the above equation by its inverse, we find a^{Φ(n)} = 1. This proves the theorem.

Example 10.3.11. The set Z/15Z× contains 8 elements, one of them being 7 (mod 15). For
this element we have 7^8 ≡ 49^4 ≡ 4^4 ≡ 1^2 ≡ 1 (mod 15).
This is in accordance with Euler’s Theorem (10.3.10).

Let n be an integer. The order of an element a in Z/nZ× is the smallest positive integer m
such that am = 1. By Euler’s Theorem (10.3.10) the order of a exists and is at most Φ(n).
More precise statements on the order of elements in Z/nZ× can be found in the following
result.

Theorem 10.3.12 (Orders). Let n be an integer greater than 1.

(a) If a ∈ Z/nZ satisfies a^m = 1 for some positive integer m, then a is invertible and
its order divides m.

(b) For all elements a in Z/nZ× the order of a is a divisor of Φ(n).

(c) If Z/nZ contains an element a of order n − 1, then n is prime.

Proof.
Assertion. Part (a).

Suppose a ∈ Z/nZ satisfies a^m = 1 for some positive integer m. Then, since a · a^{m−1} = 1, the element
a is invertible with inverse a^{m−1}.
Let k be the order of a, and set q = quot(m, k) and r = rem(m, k). Then (a (mod n))^r equals
(a (mod n))^{m − q·k} = (a (mod n))^m · ((a (mod n))^k)^{−q}, which is equal to 1. By the definition of
order, the above implies that r is equal to 0, which proves the first part of the theorem.
Assertion. Part (b).

The second part follows immediately from the first statement of the theorem and Euler’s
Theorem (10.3.10).
Assertion. Part (c).

As for the last statement, Φ(n) = n − 1 if and only if all integers between 0 and n − 1 have
greatest common divisor 1 with n. This implies that n is prime.

Example 10.3.13. The element 7 (mod 15) of Z/15Z satisfies 7^4 ≡ 49^2 ≡ 4^2 ≡ 1 (mod 15).
Hence its order divides 8, which is the order of Z/15Z×.

Remark 10.3.14. Fermat’s Little Theorem (10.3.1) and the Theorem on orders (10.3.12) form
a basis for various prime tests. Suppose, for example, that given some large integer n one
wants to decide whether n is prime. Choosing a random integer a one can check whether
a^{n−1} ≡ 1 (mod n).
If this is not the case, one can conclude that n is composite. However, when a^{n−1} ≡ 1 (mod n),
one is still not able to decide that n is prime, but one has at least a good chance that it is.
Repeating this test a couple of times increases the probability of a correct answer to the
question whether n is prime.
However, there are composite integers n, so-called Carmichael numbers, for which it is very
likely that the test will indicate that n is prime. A Carmichael number is a composite integer
n such that a^{n−1} ≡ 1 (mod n) for all integers a with gcd(a, n) = 1. (If gcd(a, n) > 1, then
a (mod n) is not invertible, so a^{n−1} ≢ 1 (mod n).) The only Carmichael number less than 1000 is
561.
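The test sketched in Remark 10.3.14, together with the Carmichael numbers that defeat it, is easy to run on small n. The Python below is an added example, not the book's code. `fermat_test` declares n composite as soon as a base a exposes it, either because gcd(a, n) > 1 (a shares a factor with n) or because a^{n−1} ≢ 1 (mod n); `is_carmichael` restricts itself to bases coprime to n, exactly as the definition in the remark does, and `carmichael_numbers_below(1000)` recovers the single value 561 that the remark mentions. The primality check used to classify n is plain trial division, which is fine for numbers of this size.

```python
# Added example: the Fermat prime test of Remark 10.3.14 and the Carmichael numbers that fool it.
from math import gcd


def is_prime(n):
    """Trial division; used only to classify the small n examined here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def fermat_test(n, bases):
    """Fermat test of Remark 10.3.14 for the given bases.

    Returns False as soon as some base a shows that n is composite: either gcd(a, n) > 1,
    or a^(n-1) ≢ 1 (mod n).  Returns True if every base passes; for a composite n that is
    a false 'probably prime' verdict, which is what a Carmichael number produces for
    every coprime base.
    """
    if n < 4:
        return n in (2, 3)
    for a in bases:
        a %= n
        if a in (0, 1):
            continue                      # these two residues tell nothing
        if gcd(a, n) != 1 or pow(a, n - 1, n) != 1:
            return False
    return True


def fermat_liars(n):
    """Units a (mod n), 2 ≤ a < n, for which a composite n nevertheless satisfies a^(n-1) ≡ 1."""
    return [a for a in range(2, n) if gcd(a, n) == 1 and pow(a, n - 1, n) == 1]


def is_carmichael(n):
    """Composite n with a^(n-1) ≡ 1 (mod n) for every a coprime to n (definition in Remark 10.3.14)."""
    return (not is_prime(n)) and all(
        pow(a, n - 1, n) == 1 for a in range(2, n) if gcd(a, n) == 1
    )


def carmichael_numbers_below(limit):
    return [n for n in range(4, limit) if is_carmichael(n)]
```

The composite 341 = 11·31 passes the test for base 2 but is exposed by base 3, whereas 561 passes for every base coprime to it, so repeating the test with fresh random bases, as the remark suggests, never helps for a Carmichael number; only a base sharing a factor with 561 reveals it.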

Definition 10.3.15. An element a from Z/pZ is called a primitive element of Z/pZ if every
element of Z/pZ× is a power of a.

Example 10.3.16. The element 2 is a primitive element in Z/11Z×. Indeed its powers are
2^1 = 2, 2^2 = 4, 2^3 = 8, 2^4 = 5, 2^5 = 10, 2^6 = 9, 2^7 = 7, 2^8 = 3, 2^9 = 6, 2^{10} = 1. It is not primitive
in Z/7Z× as 2^3 = 1 in Z/7Z×.

For every prime p there exist primitive elements; but we cannot say a priori which ones.

Theorem 10.3.17. For each prime p there exists a primitive element in Z/pZ.
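The order computations of Example 10.3.13, the divisibility statements of Theorem 10.3.12, Euler's Theorem (10.3.10), and the primitive elements of Definition 10.3.15 and Example 10.3.16 can all be checked in code. The following Python is an added example and not the book's; it computes orders by brute-force repeated multiplication, which is fine for the small moduli on this page, and returns `None` for a non-invertible element, matching Part (a) of Theorem 10.3.12 (a non-unit never satisfies a^m = 1).

```python
# Added example: orders of elements in Z/nZ× (Theorem 10.3.12) and primitive elements (10.3.15).
from math import gcd


def units(n):
    """The elements of Z/nZ×: residues 1 ≤ a < n coprime to n (Characterization 10.1.16)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def order(a, n):
    """Smallest m ≥ 1 with a^m ≡ 1 (mod n); None if a is not invertible."""
    a %= n
    if gcd(a, n) != 1:
        return None                       # Theorem 10.3.12(a): only units have an order
    m, power = 1, a
    while power != 1:
        power = power * a % n
        m += 1
    return m


def euler_holds(n):
    """Euler's Theorem (10.3.10): a^Φ(n) ≡ 1 for every unit a, and 10.3.12(b): order(a) | Φ(n)."""
    phi = len(units(n))                   # Definition 10.3.5
    return all(pow(a, phi, n) == 1 and phi % order(a, n) == 0 for a in units(n))


def is_primitive(a, p):
    """Definition 10.3.15 for a prime p: a generates Z/pZ×, i.e. its order is p − 1."""
    return order(a, p) == p - 1


def primitive_elements(p):
    return [a for a in range(1, p) if is_primitive(a, p)]


def has_element_of_order_n_minus_1(n):
    """Theorem 10.3.12(c): such an element forces Φ(n) = n − 1, so n must be prime."""
    return any(order(a, n) == n - 1 for a in units(n))
```

For Example 10.3.13, `order(7, 15)` is 4, which divides both 8 = Φ(15) and the exponent 4 used there; for Example 10.3.16, `is_primitive(2, 11)` holds and `is_primitive(2, 7)` does not, since `order(2, 7)` is 3.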

10.4 The RSA cryptosystem

Suppose that you want to buy your favorite book or music CD at an internet book or record
shop. To submit the order to the shop, you are required to supply various private data, such as
your name, home address and credit card information. However, if you send this information
unprotected over the internet, it can be intercepted by unreliable persons. To secure your
personal data, the internet shop makes use of so-called public-key cryptography.
This means the following. The shop supplies every customer with a (public) function E. With
this function the customer encrypts his or her personal data, denoted by data, into E (data).
The customer then sends the encrypted message E (data) to the shop.
Besides the encryption function E the shop also has a (secret) decryption function D which
can be used to decrypt the message E (data). This means that E and D have the property
that D (E (data)) = data. The idea is that, in case one does not know D, it is hard (or almost
impossible) to discover data from the encrypted message E (data). Only the trusted shop can
find the personal information in data by applying D to E (data).
We discuss the RSA cryptosystem, an example of a public-key crypto system. The RSA
cryptosystem (RSA stands for Rivest, Shamir, and Adleman, the three mathematicians who
designed the system) is a modern cryptosystem based on modular arithmetic. The basis for
the RSA cryptosystem is Euler’s Theorem (10.3.10). Its security is based on the difficulty of
factoring large integers.
In the RSA cryptosystem the data to be encrypted is assumed to be an integer, x say. (If the
data is computer data, one may view the string of bits representing the data as the binary
representation of the integer x.)
The encryption function E, which is public, makes use of two integers, the modulus m,
which is the product of two primes, and the encoding number e. These two integers are
usually called the public keys. The secret key is a number d, called the decoding number,
which is used for the decoding function D.
Definition 10.4.1 (RSA Decryption and Encryption). Suppose that p and q are distinct primes.
Let m = p·q and d and e be two integers such that d·e ≡ 1 (mod (p − 1)·(q − 1)).
Then the encryption function E and decryption function D of an RSA cryptosystem are de-
fined by

• E(x) = rem(x^e, m);

• D(x) = rem(x^d, m).

The RSA cryptosystem enables the owner of the decryption function D to recover an en-
crypted message, provided the input integer x is not too large. In practice, this can easily be
achieved by splitting the input for the encryption into small separate pieces and subsequently
applying E and D to the individual pieces.

Theorem 10.4.2 (RSA Decoding). Suppose that x is a positive integer less than both
p and q. Then D(E(x)) = x.

Proof. Suppose that x is a positive integer less than both p and q. Then D(E(x)) ≡ x^{d·e} (mod m).
Since x is less than both p and q, it is coprime to m = p·q, and Φ(m) = (p − 1)·(q − 1) by the Euler
Totient Theorem (10.3.7). So by Euler’s Theorem (10.3.10) we have x^{(p−1)·(q−1)} ≡ 1 (mod m). As
d·e ≡ 1 (mod (p − 1)·(q − 1)), we even have x^{d·e} ≡ x (mod m). Since x is less than both p and q,
it is certainly less than m. In particular, we find x to be equal to D(E(x)).
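As an added example (not the book's code), the following Python implements Definition 10.4.1 with constructed toy primes p = 47, q = 59 and encoding number e = 17 (values chosen here; any e invertible modulo (p − 1)·(q − 1) works), computes the decoding number d as the inverse of e modulo (p − 1)·(q − 1) using Python's `pow(e, -1, n)`, and checks Theorem 10.4.2 over its entire range of x. `decoding_holds_below_modulus` goes beyond the theorem as stated: for distinct primes p and q, D(E(x)) = x in fact holds for every x with 0 ≤ x < m, and the code verifies this exhaustively for the toy modulus.

```python
# Added example: the RSA functions of Definition 10.4.1 on constructed toy parameters.
from math import gcd


def is_small_prime(n):
    """Trial division; enough for the constructed toy primes used below."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def rsa_keygen(p, q, e):
    """Definition 10.4.1: modulus m = p·q, public encoding number e, secret decoding
    number d with d·e ≡ 1 (mod (p − 1)·(q − 1)).  Returns (m, e, d)."""
    if p == q or not (is_small_prime(p) and is_small_prime(q)):
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo (p-1)(q-1); choose another e")
    d = pow(e, -1, phi)                   # modular inverse (Python 3.8+): d·e ≡ 1 (mod phi)
    return p * q, e, d


def encrypt(x, e, m):
    """E(x) = rem(x^e, m)"""
    return pow(x, e, m)


def decrypt(y, d, m):
    """D(y) = rem(y^d, m)"""
    return pow(y, d, m)


def decoding_holds(p, q, e):
    """Theorem 10.4.2: D(E(x)) = x for every positive x below both p and q."""
    m, e, d = rsa_keygen(p, q, e)
    return all(decrypt(encrypt(x, e, m), d, m) == x for x in range(1, min(p, q)))


def decoding_holds_below_modulus(p, q, e):
    """Stronger (standard) fact, checked exhaustively: D(E(x)) = x for all 0 ≤ x < m."""
    m, e, d = rsa_keygen(p, q, e)
    return all(decrypt(encrypt(x, e, m), d, m) == x for x in range(m))


# Constructed toy parameters, far too small for real use: m = 47·59 = 2773, e = 17.
TOY_P, TOY_Q, TOY_E = 47, 59, 17
```

Two properties of this textbook scheme are worth noticing from a security standpoint, neither of which the definition addresses: E is deterministic, so identical plaintext pieces (such as the two-digit letter codes used in the exercises below) always produce identical ciphertext pieces, and a modulus as small as 2773 is factored by trial division immediately, which is precisely the computation the security argument in the next paragraph relies on being infeasible. Deployed RSA uses randomized padding and primes of hundreds of decimal digits.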

How secure is RSA? The security of RSA depends of course on the difficulty of computing
the decoding number d. To find this number it is necessary to know the two primes p and q.
Once you know these primes it is a piece of cake to find d. But, as noticed in Example 9.5.2,
factoring the modulus m = p·q into p and q is an extremely time-consuming task (provided
p and q are chosen sufficiently large): if one chooses two very big primes p and q, then, with
current methods, it is almost impossible to find the factorization of the modulus m = p·q.
So, at the moment, the RSA cryptosystem is believed to provide excellent security. But it
remains unclear whether there exist fast methods to crack the code or not.

10.5 Exercises

Exercise 10.5.1. Show that if a and b leave the same remainder on division by n, then a ≡
b (mod n).

Exercise 10.5.2. Show that if a and b are congruent modulo m, then a^2 and b^2 are congruent
modulo m.
Give an example to show that a^2 and b^2 are not necessarily congruent modulo m^2.
Exercise 10.5.3. If a is congruent to 2 modulo 5, then to which of the integers 0, 1, 2, 3, 4 is
a^3 − 3·a + 1 congruent?

Exercise 10.5.4. Suppose that the positive integers a and b leave remainders 3 and 4, respec-
tively, on division by 7. Use modular arithmetic to show that a· b leaves remainder 5 on
division by 7.

Exercise 10.5.5. Divisibility by 4 of a number which is written in the decimal system can be
tested as follows: the number is divisible by 4 if and only if the number formed by the two
last digits is divisible by 4.
Prove this statement.

Exercise 10.5.6. Formulate an 8-test (i.e., a test for deciding divisibility by 8) for numbers in
the decimal system.
How does one decide divisibility by 8 for a binary number?

Exercise 10.5.7. Formulate a test and prove its correctness for divisibility by a − 1 in the
a-ary system.

Exercise 10.5.8. Prove that n^4 + n^2 + 1 is divisible by 3 if n > 0 is not divisible by 3.

Exercise 10.5.9. Prove the following statements:

(a) 13 | 10^6 − 1.
(b) 17 | 10^8 + 1.
(c) If n ≢ 0 (mod 5), then n^4 + 64 is not prime.
(d) The number 2^{1000} + 5 is divisible by 3.
(e) For every n > 0 we find that 3 is a divisor of 2^{2·n} − 1.

Exercise 10.5.10. Determine the multiplicative inverses of the given elements or show that
this inverse does not exist.

(a) 3 ∈ Z/37Z;

(b) 4 ∈ Z/14Z.

Exercise 10.5.11. Fermat conjectured that numbers of the form 2^{2^n} + 1 are prime. For n =
5 this conjecture does not hold. Prove, with the help of the following observations, that
641 | 2^{2^5} + 1.

(a) 641 = 2^9 + 2^7 + 1 and so 2^7 · 5 = 2^7 · (2^2 + 1) ≡ −1 (mod 641).

(b) 2^4 ≡ −5^4 (mod 641).

Exercise 10.5.12. The binomial coefficient \binom{p}{k} (pronounce: p choose k) equals
p·(p−1)·...·(p−k+1) / (k·(k−1)·...·2·1).
If p is prime and 0 < k < p, then the binomial coefficient \binom{p}{k} is divisible by p. Prove
this! In addition show that for all x and y in Z/pZ the equality (x + y)^p = x^p + y^p holds.

Exercise 10.5.13. What are the invertible elements of Z/nZ where n is an element of {2, 6, 12}?

Exercise 10.5.14. Let p be a prime. What are the invertible elements of Z/p^2 Z?

Exercise 10.5.15. Which integers are congruent to 7 modulo 17: 1734, 1127 or 1251?

Exercise 10.5.16. Which integers represent an invertible congruence class modulo 17 and
which a zero divisor: 1734, 1127, 1251?

Exercise 10.5.17. Find for each of the following statements a counterexample.


If a is an invertible element in Z/nZ, and b an arbitrary nonzero element, then a· b is invert-
ible.
If a and b are invertible elements in Z/nZ, then a + b is invertible.
If a and b are zero divisors in Z/nZ, then a + b is also a zero divisor.

Exercise 10.5.18. Let p and q be distinct primes. What are the invertible elements of Z/p· qZ?

Exercise 10.5.19. Solve each of the following linear congruences:

(a) 2· x ≡ 37 (mod 21)


(b) 5· x ≡ 15 (mod 25)
(c) 3· x ≡ 7 (mod 18)

Exercise 10.5.20. Solve the following system of linear congruences: 2· x ≡ 37 (mod 5) and
3· x ≡ 48 (mod 7)

Exercise 10.5.21. Solve the following system of linear congruences: x + y ≡ 6 (mod 11) and
2· x − y ≡ 8 (mod 11)

Exercise 10.5.22. Find the smallest positive x equal to 15 modulo 37 and 13 modulo 42.
Similarly, find the smallest positive x equal to 17 modulo 42 and 13 modulo 49.

Exercise 10.5.23. Is the converse of Fermat’s Little Theorem (10.3.1),

‘if x^{p−1} ≡ 1 (mod p) for all x not equal to 0 (mod p), then p is a prime’

also true?

Exercise 10.5.24. Determine the following remainders: rem(12312112311 , 7), rem(134525323 , 5)
and rem(533211322 , 11).

Exercise 10.5.25. The hypothesis that an integer n is prime if and only if it satisfies the con-
dition that 2^n − 2 is divisible by n is called the ‘Chinese Hypothesis’. Leibniz, a famous
mathematician from the 17th-18th century, believed to have proved that this congruence in-
deed implies that n is prime. However, although this condition is necessary for n to be prime,
it is not sufficient. For example, 2^{341} − 2 is divisible by 341, but 341 = 11·31 is composite.
Prove that 2^{341} − 2 is indeed divisible by 341.

Exercise 10.5.26. What value does the Euler totient function take on the integers 334, 231,
and 133?

Exercise 10.5.27. How many zero divisors has Z/nZ?

Exercise 10.5.28. What is the order of 2(mod 35) in Z/35Z? And of 4(mod 35)?

Exercise 10.5.29. Suppose that x is an element of order Φ(n) in Z/nZ. Then every invertible
element of Z/nZ is a power of x. Prove this!

Exercise 10.5.30. Consider the RSA cryptosystem with modulus 2623 and with encoding
number v = 37.
If we represent the letters a, b, c, ..., z by the numbers 01, 02, ..., 26, respectively, and a space
by 00, then try to decode the following text, where in each group of four figures a pair of
these symbols is encoded:
0249 1133 1279 1744 0248 1188 1220 1357 1357.

Exercise 10.5.31. Consider the RSA cryptosystem with modulus 2623 and with encoding
number v = 37.
If we represent the letters a, b, c, ..., z by the numbers 01, 02, ..., 26, respectively, and a space
by 00, then how do you encode the text ‘math is beautiful’?

Chapter 11

Polynomials

In this chapter we extend calculation with integers to calculation with polynomials, expres-
sions in which, beside scalars (from Z, Q, R, C or Z/nZ) also an indeterminate occurs.
You have already seen polynomials when solving quadratic equations and plotting graphs of
quadratic functions. For polynomials we introduce concepts related to the concepts divisor,
gcd, etc., which we have introduced for integers.

11.1 The notion of a polynomial


Let R be one of the rings Z, Q, R, C, Z/nZ.
Definition 11.1.1 (Polynomials). A polynomial over R in the indeterminate X is an expres-
sion of the form a_0 + a_1·X + ... + a_n·X^n, where n ∈ N, a_0, ..., a_n ∈ R and X is an indeterminate.

Remark 11.1.2. The following notions are connected to the definition.

• The name of the indeterminate chosen here is X. However, it could be any free symbol,
that is, any symbol to which no meaning or value has been assigned.
• The elements a_0, ..., a_n are called the coefficients of the polynomial.
Given the name of the indeterminate, the polynomial is uniquely determined by the assign-
ment of a coefficient a_k to each natural number k in such a way that a_k is nonzero for only
finitely many k.
• The polynomial is built up from terms of the form a_k·X^k where k ∈ N.
• The powers X^k of X, for which the coefficient a_k is nonzero, are called the monomials of
the polynomial.
Remark 11.1.3. The summation symbols in a polynomial express the fact that the order of
the terms in the summation is immaterial. For instance, a_0 + a_1·X + ... + a_n·X^n = a_n·X^n +
... + a_1·X + a_0.
Example 11.1.4. Consider the polynomial X^3 + 3·X^2 + X − 2. The coefficients are integers,
so we can view the polynomial as an element of Z[X]. As such, its terms are X^3, 3·X^2, X,
and −2. Its monomials are X^3, X^2, and X.
If the ring of coefficients is Z/3Z, then the expression 3·X^2 disappears and so X^2 is no longer
a monomial of the polynomial.

When speaking about a polynomial in X over R, we refer to a polynomial with coefficients in
R in the indeterminate X.
We also say polynomial in X, or over R, or just polynomial if no confusion is possible about
the ring of coefficients or the indeterminate X.
We write R[X] for the set of all polynomials over R in the indeterminate X.
Two polynomials in R[X] are equal if the corresponding coefficients are equal. Polynomials
of the form a with a ∈ R are called constant.
Using the summation notation we also write a_0 + a_1·X + ... + a_n·X^n = ∑_{k=0}^{n} a_k·X^k.
A polynomial in X is often denoted by a symbol like a, but sometimes also by a(X) to
emphasize the dependence on X.
Let a = a_0 + a_1·X + ... + a_n·X^n and b = b_0 + b_1·X + ... + b_m·X^m be two polynomials in R[X].
To define their sum and product it is convenient to assume m = n. This can always be achieved
by adding terms of the form 0·X^k.
Definition 11.1.5. The set of polynomials R[X] provided with the addition and multiplication
specified below is called a polynomial ring.

• The sum of the polynomials a and b is the polynomial a + b = ∑_{k=0}^{m} (a_k + b_k)·X^k.

• The product of the two polynomials a and b is the polynomial a·b = c_0 + c_1·X + ... +
c_{2·m}·X^{2·m} where c_k = a_0·b_k + a_1·b_{k−1} + ... + a_k·b_0.

Remark 11.1.6. The definition of the product looks rather complicated, but becomes easier
to grasp once you realize that it comes down to expanding the product of a and b as usual and
replacing products like c·X^m · d·X^n by c·d·X^{m+n}, where c and d are elements of the ring R.

Example 11.1.7. Let a = X^3 + 2·X + 1 and b = X^2 + 3·X + 2.

Inside R[X] we have a + b = X^3 + X^2 + 5·X + 3 and a·b = X^5 + 3·X^4 + 4·X^3 + 6·X^2 + 7·X + 2.
However, inside Z/3Z[X] we have a + b = X^3 + X^2 + 2·X and a·b = X^5 + X^3 + X^2 + X − 1.

Example 11.1.8. The product rule allows us to write some very long polynomials very con-
cisely. For instance, the left-hand side of the following equation only needs a few symbols,
but, when fully written out as a polynomial, the right-hand side needs, in general, n + 1 terms:

(1 + X)^n = ∑_{k=0}^{n} \binom{n}{k} · X^k (11.1)

Remark 11.1.9. The sum rule allows us to repeat terms with the same monomials in an
expression of a polynomial. For instance, the monomial X^2 occurs twice at the left-hand side
of the following equation, but only once at the right-hand side: X + 2·X^2 + 3·X^3 − 4·X^2 =
X + (−2)·X^2 + 3·X^3.

Polynomial rings have an arithmetic structure that shows many similarities with the integers.
For instance, the following rules hold for polynomials (for all a, b, c in R [X]).

• a + b = b + a (commutativity of addition);
• a·b = b·a (commutativity of multiplication);
• (a + b) + c = a + (b + c) (associativity of addition);
• (a·b)·c = a·(b·c) (associativity of multiplication);
• a·(b + c) = a·b + a·c (distributivity of multiplication over addition).

The proofs of these rules are not difficult, but some of them involve quite a bit of writing.
By way of example, the commutativity of multiplication follows directly from the equality
a_0·b_k + a_1·b_{k−1} + ... + a_k·b_0 = b_0·a_k + b_1·a_{k−1} + ... + b_k·a_0 (the expression on the right-hand
side is, apart from the order of the factors in each term, the expression on the left-hand side
read backwards), where the left-hand side is the k-th coefficient of a·b, and the right-hand
side is the k-th coefficient of b·a.
For polynomials, we will discuss division with remainder, gcd, and more notions that are
already familiar for the integers.

11.2 Division of polynomials

Let R be one of the rings Z, Q, R, C, Z/nZ.


Definition 11.2.1. Let a = a_0 + a_1·X + ... + a_n·X^n be a polynomial in R[X] with a_n ≠ 0. We
call

• a_n·X^n the leading term and a_n the leading coefficient of a. The leading term of a is denoted
by lt(a) and the leading coefficient by lc(a).
• n the degree of the polynomial a. The degree of a is denoted degree(a).

Example 11.2.2. Consider the polynomial X^3 + 3·X^2 + X − 2 over Z. It has degree 3 and its
terms are X^3, 3·X^2, X, and −2. The leading term is X^3 and the leading coefficient is 1.

If all the coefficients of a polynomial a are equal to 0, then a = 0 (the zero polynomial). It is
practical to define the degree of the zero polynomial to be −∞.
A polynomial of degree 1 is also called a linear polynomial. A polynomial is said to be monic
if its leading coefficient is equal to 1.

Suppose that R has no nonzero elements whose product is 0. If the nonzero polynomial a
has leading coefficient a_n and the nonzero polynomial b has leading coefficient b_m, then the
leading coefficient of a·b is a_n·b_m, as follows from the definition of the product. In that case
we have the following results.

Theorem 11.2.3 (Degree Formulas). Let R be a field and a and b polynomials over R
in X. Then the following assertions hold.

(a) degree (a· b) = degree (a) + degree (b) .


(b) degree (a + b) ≤ max (degree (a) , degree (b)).
(c) If a· b = 0, then a = 0 or b = 0.

Proof. The first part of the proof is obvious from the above. Note that the statement also
holds if a and/or b is the zero polynomial. Here, we use obvious rules like −∞ + m = −∞ for
any integer m.
The second part of the proof is a direct consequence of the definition of addition of polyno-
mials.
In order to prove the third part, suppose that a· b = 0. Then, according to the first assertion,
the degree of a or b is −∞, and hence a or b equals zero.

For the polynomial ring R [X], where R is a field, like Q, R, C or Z/pZ, with p prime,
we introduce, similarly to the integer case, division with remainder. In the integer case this
involves the absolute value as a kind of measure. For polynomials, the appropriate measure
is the degree.
We start with the more general situation where R is an arbitrary ring.
Definition 11.2.4. Suppose that a and b are polynomials in R [X], where R is a field. The
polynomial b is called a divisor of a if there exists a polynomial q ∈ R [X] such that a = q· b.
We use the notation b|a to denote that b divides a.

Example 11.2.5. The polynomial X^2 − 1 is a divisor of X^6 − 1. Indeed, we have X^6 − 1 =
(X^2 − 1)·(X^4 + X^2 + 1).

Example 11.2.6. In the definition of divisor we restrict to fields in order to avoid various prob-
lems. For instance, in Z/9Z the two equalities 6·X^6 = (3·X^2)·(5·X^4) and 6·X^6 = (3·X^2)·(2·X^4)
show that a quotient need not be unique.

Instead of b is a divisor of a, we also say that a is a multiple of b, or a is divisible by b, or b
is a factor of a, or b divides a.
There is a division algorithm for polynomials that is much like the one for integers. It can be
used to determine both quotient and remainder. For this algorithm to work, however, we need
the ring of coefficients to be a field.

Theorem 11.2.7 (Division with Remainder). Let R be a field and suppose that a and
b are two polynomials in R[X] with b ≠ 0. Then there are polynomials q (the quotient)
and r (the remainder) such that a = q·b + r and degree(r) < degree(b).
The polynomials q and r are uniquely determined. They are called the quotient and
remainder of a divided by b and are denoted by quot(a, b) and rem(a, b), respectively,
just like for integers.
If b ≠ 0 divides a, the quotient is denoted by a/b.

Proof. (Compare this proof with the proof of Properties of Divisors (9.1.5) for integers.)
The proof is divided into two parts, one part for existence, the other for uniqueness.
Assertion. There exist polynomials q and r as in the theorem.

Let n be the degree of a and m the degree of b. If n < m, then q = 0 and r = a satisfy the
requirements. Assume therefore that n ≥ m. As b ≠ 0, we have m ≥ 0, so n ≥ 0, and therefore,
a ≠ 0.
We proceed to prove the assertion by induction on n.
First assume that n = 0, i.e., a is constant. Then also m = 0 and b is constant. In this case,
q = a/b and r = 0 fulfill the requirements.
Now suppose that n > 0 and that (the induction hypothesis) the existence of polynomials q and
r has been proved for polynomials of degree at most n − 1. Let a_n be the leading coefficient
of a and b_m the leading coefficient of b. Consider the polynomial a′ = a − (a_n/b_m)·b·X^{n−m}. The
leading term of the polynomial subtracted from a has been chosen so that the degree of a′
is less than n. According to the induction hypothesis there are polynomials q′ and r′ with
a′ = q′·b + r′ where the degree of r′ is less than m. Now set q = q′ + (a_n/b_m)·X^{n−m} and r = r′.
Then q and r satisfy the requirements of the theorem.
Assertion. The polynomials q and r are uniquely determined by the existence requirements
of the theorem.

Suppose that a = q·b + r with degree(r) < degree(b) and also a = q′·b + r′ with degree(r′) <
degree(b) for certain polynomials q, r, q′, and r′.
Subtracting these two expressions of a yields: 0 = (q − q′)·b + r − r′. In particular, (q − q′)·b =
r′ − r. By Part (b) of the Degree Formulas (11.2.3), the degree of r′ − r is less than the degree
of b, so, by Part (a) of the Degree Formulas (11.2.3), both sides of the equality must be equal
to 0. In particular, r′ − r = 0 and, as b ≠ 0, also q = q′.

Remark 11.2.8. At various places in the proof of Division with Remainder Theorem (11.2.7)
we made use of the fact that in the field R every nonzero element has an inverse.

Example 11.2.9. To determine the quotient q and the remainder r when dividing a = 2·X^4 + X
by b = X^2 + 1 in Q[X] we need the following steps.

• Compare the leading terms of a and b. Subtract 2·X^2·b from a in order to cancel the
leading term of a: a − 2·X^2·b = 2·X^4 + X − 2·X^2·(X^2 + 1) = −2·X^2 + X. From this step
we conclude that 2·X^2 is a term of the quotient q. We now have a = 2·X^2·b + (−2·X^2 + X).
Since the degree of (−2)·X^2 + X is not less than the degree of b we need a further step.
• Compare the leading terms of (−2)·X^2 + X and b and subtract (−2)·b from (−2)·X^2 + X.
This yields −2·X^2 + X + 2·(X^2 + 1) = X + 2. The resulting polynomial has degree less
than the degree of b, so the division stops here. We conclude that the quotient q satisfies
q = 2·X^2 − 2 and the remainder r satisfies r = X + 2.

It is easy to verify the identity a = q·b + r, i.e., 2·X^4 + X = (2·X^2 − 2)·(X^2 + 1) + (X + 2).
The Division with Remainder Theorem (11.2.7) states that there exist a quotient q and a re-
mainder r, but it does not tell you how to find those two polynomials. As for the integers, a
standard and well-known algorithm is long division. We describe (a variation of) this algo-
rithm for finding q and r.
Algorithm 11.2.10 (Polynomial Division and Remainder).
• Input: a polynomial a and a nonzero polynomial b, both in the indeterminate X, and with coefficients in a field.
• Output: the quotient q and remainder r of a upon division by b as a list [q, r].

    PolyDivisionRemainder := procedure(a, b)
        local variables
            q := 0, r := a
            n := degree(a), m := degree(b)
        while n ≥ m do
            q := q + (lc(r)/lc(b)) · X^(degree(r) − degree(b))
            r := r − (lc(r)/lc(b)) · X^(degree(r) − degree(b)) · b
            n := degree(r)
        return [q, r]

Here lc(f) denotes the leading coefficient of f, and the zero polynomial has degree −1, so the loop also stops when r becomes 0.

Proof.
Assertion. Correctness.
By construction we have a = q · b + r after each step of the while loop (initially q = 0 and r = a). Moreover, after termination the degree of r is less than the degree of b. This proves correctness.
Assertion. Termination.
Since the leading term of r is cancelled in each step of the while loop, the degree of r strictly decreases, so this loop will end. Thus the algorithm terminates.

The following definitions are analogous to those for integers.

Definition 11.2.11. Let R be a field and let a, b ∈ R[X].

• A common divisor of a and b is a polynomial which divides both a and b.
• A common divisor d is called greatest common divisor (gcd) if, moreover, every common divisor of a, b (not both zero) is a divisor of d.
• A common multiple of a and b is a polynomial which is divisible by both a and b.
• A least common multiple (lcm) of a and b is a nonzero common multiple of a and b of minimal degree (so its degree is at least 0).

Remark 11.2.12. It is not obvious from the definition that gcd's exist. Existence would have been evident, however, if the definition had been: a common divisor of a and b of maximal degree (similar to the definition of common divisor for two integers). Both definitions will be shown to be equivalent, but the given definition turns out to be more convenient to set up the theory. Existence will be shown in Existence and Uniqueness of gcd (11.2.14).

Remark 11.2.13. A gcd is not unique: multiplying by a nonzero constant also provides a gcd. If we speak of the gcd of a and b we mean a gcd of a and b with leading coefficient equal to 1. This gcd is also denoted by gcd(a, b). Uniqueness of the gcd follows from the Existence and Uniqueness of gcd (11.2.14).

The concept gcd of a and b is only meaningful when the polynomials a and b are not both equal to the zero polynomial.
Two polynomials are called relatively prime if their gcd equals 1.

Theorem 11.2.14 (Existence and Uniqueness of gcd). Suppose that R is a field and a and b are polynomials in R[X], which are not both the zero polynomial. Then a greatest common divisor of a and b exists, and, moreover, if c and d are two greatest common divisors of the polynomials a, b, then there is a constant q ≠ 0 such that q · c = d.

Proof. The proof is divided into two parts, one part for existence, one part for uniqueness.
Assertion. There exists a gcd for a and b.

We show that a gcd in R [X] can be found among the polynomials of the form x· a + y· b,
where x and y are also polynomials. The polynomials x· a + y· b are obviously divisible by
every common divisor of a and b. Let d be a nonzero polynomial of the form x· a + y· b of
minimal degree. Then d turns out to be a gcd. Every common divisor of a and b clearly
divides d, it remains to show that d divides a and b. Take any x· a + y· b and divide by d.
This produces a relation x· a + y· b = q· d + r, where the degree of r is less than the degree of
d. From this relation we infer that r is also of the form u· a + v· b, so that r must be 0 by the
minimality of the degree of d. So d divides any x· a + y· b, and in particular a and b. So d is a
gcd of a and b.
Assertion. Two gcd's of a and b differ by a nonzero constant factor.

From the fact that c and d are both gcd's of a and b, it follows that c divides d and that d divides c. The former means that there is a polynomial q with d = c · q. Since d also divides c, the Degree Formulas (11.2.3) show that the degree of q is 0. This means that q is a nonzero constant.

Example 11.2.15. Consider the polynomials $f = 2X^2 - 3X - 2 = (2X + 1) \cdot (X - 2)$ and $g = 4X^2 - 1 = (2X - 1) \cdot (2X + 1)$. Viewed as polynomials over $\mathbb{Z}$, the polynomial $2X + 1$ is a gcd of $f$ and $g$ and there is no monic gcd. Viewed as polynomials over $\mathbb{Q}$, the polynomial $X + \frac{1}{2}$ is the gcd of $f$ and $g$.

The gcd of two polynomials can be determined similarly to the computation of the gcd for integers. It is of importance to factorization of polynomials, which in turn is useful for solving systems of polynomial equations.
In the following we will use, without explicitly mentioning them, the following easy to prove facts: gcd(a, b) = gcd(b, a), gcd(a, b) = gcd(a, b − k · a) (for every polynomial k), and gcd(a, 0) = a (up to a nonzero constant factor).
Algorithm 11.2.16 (Euclid's Algorithm for Polynomials).
• Input: two polynomials a and b in R[X], not both zero, where R is a field.
• Output: the gcd of a and b.

    PolyGCD := procedure(a, b)
        local variables
            c
        while degree(b) > −1 do
            c := a, a := b, b := rem(c, b)
        return a / lc(a)

Proof.
Assertion. Termination.
As degree(b) goes strictly down at each step, termination is guaranteed.
Assertion. Correctness.

Let a0 and b0 denote the input values of a and b, respectively. Then the values of a and b at the end of each loop satisfy gcd(a, b) = gcd(a0, b0). In computer science terms, this is an invariant of the algorithm. At the end we have b = 0 and so a = gcd(a, 0) = gcd(a0, b0), up to a constant factor. Division by lc(a) makes the gcd monic.

Example 11.2.17. In the spirit of the algorithm, we compute the gcd of $X^4 - 1$ and $X^6 - 1$:

$$\gcd(X^4 - 1, X^6 - 1) = \gcd(X^6 - 1, X^4 - 1) = \gcd(X^4 - 1, X^2 - 1) = \gcd(X^2 - 1, 0) = X^2 - 1 \qquad (11.2)$$

Here the second step uses $X^6 - 1 = X^2 \cdot (X^4 - 1) + (X^2 - 1)$ and the third uses $X^4 - 1 = (X^2 + 1) \cdot (X^2 - 1)$.

As for the integers, there is an extended version of the Euclidean algorithm, with which we can find polynomials x and y with x · a + y · b = gcd(a, b).
Algorithm 11.2.18 (Extended Euclidean Algorithm for Polynomials).
• Input: polynomials a and b over a field R, at least one of which is not zero.
• Output: list of polynomials gcd(a, b), x, y such that gcd(a, b) = x · a + y · b.

    PolyExtendedGCD := procedure(a, b)
        local variables
            a1, b1
            u := 0, v := 1
            x := 1, y := 0
            u1, v1, x1, y1
        while degree(b) > −1 do
            a1 := a, b1 := b, u1 := u, v1 := v, x1 := x, y1 := y
            a := b1, b := rem(a1, b1), x := u1, y := v1
            u := x1 − quot(a1, b1) · u1, v := y1 − quot(a1, b1) · v1
        return [a / lc(a), x / lc(a), y / lc(a)]

Proof.
Assertion. Termination.
As degree(b) goes strictly down at each step, termination is guaranteed.
Assertion. Correctness.

Let a0 and b0 denote the input values of a and b, respectively. Then the values of a and b at the end of each loop satisfy a = x · a0 + y · b0 and b = u · a0 + v · b0. In computer science terms, these equations are invariants of the algorithm. Since the assignments involving a and b are as in Euclid's Algorithm for Polynomials (11.2.16), at the end we have b = 0 and a = gcd(a0, b0) up to a constant factor. The above equality for a then gives the required expression of a gcd as a linear combination of a0 and b0. In order to obtain the corresponding expression for the (monic) gcd, the three output polynomials are divided by lc(a).

Although we do not use the equality involving u and v, it is worth noting that, at the end of the algorithm, it gives a linear combination of a0 and b0 that is equal to 0.

Example 11.2.19. A convenient way to interpret the assignments in the algorithm is by means of matrix multiplication. To this end we put the key variables into a matrix as follows:
$$\begin{pmatrix} a & x & y \\ b & u & v \end{pmatrix}.$$
In terms of this matrix, the loop of the algorithm sees to it that it is multiplied from the left by the matrix
$$\begin{pmatrix} 0 & 1 \\ 1 & -q \end{pmatrix}, \qquad \text{where } q = \mathrm{quot}(a, b).$$
For instance, for the extended gcd of the polynomials $X^4 - 1$ and $X^6 - 1$ the computations would consist of multiplying the $2 \times 3$ matrix from the left by the matrix with the entry $q$ equal to, respectively,

• $0$, the quotient of $X^4 - 1$ after division by $X^6 - 1$ (the remainder is $X^4 - 1$ itself),
• $X^2$, the quotient of $X^6 - 1$ after division by $X^4 - 1$ (the remainder is $X^2 - 1$),
• $X^2 + 1$, the quotient of $X^4 - 1$ upon division by $X^2 - 1$ (the remainder is $0$).

Now the product of these three matrices, with the matrix of the last step on the left, is
$$\begin{pmatrix} 0 & 1 \\ 1 & -(X^2 + 1) \end{pmatrix} \cdot \begin{pmatrix} 0 & 1 \\ 1 & -X^2 \end{pmatrix} \cdot \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} = \begin{pmatrix} -X^2 & 1 \\ X^4 + X^2 + 1 & -(X^2 + 1) \end{pmatrix}.$$
Since at the outset $x$, $y$, $u$, $v$ build up the identity matrix, the resulting matrix contains the final values of $x$ and $y$ in the top row. Thus the gcd can be expressed as
$$X^2 - 1 = -X^2 \cdot (X^4 - 1) + 1 \cdot (X^6 - 1).$$
The bottom row is the combination equal to $0$ mentioned above: $(X^4 + X^2 + 1) \cdot (X^4 - 1) - (X^2 + 1) \cdot (X^6 - 1) = 0$.

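The three algorithms of this section, Polynomial Division and Remainder (11.2.10), Euclid's Algorithm (11.2.16) and the Extended Euclidean Algorithm (11.2.18), as an added Python example; this is not code from the textbook. It works over the prime field Z/pZ, which is the field a practitioner meets in finite-field arithmetic. Assumptions of the example: a polynomial is a coefficient list with the lowest degree first, the zero polynomial is the empty list and has degree −1 as in the text, and the inverse of a coefficient is obtained with `pow(c, -1, p)` (Python 3.8 or later). The function names are this example's own. The demo reruns Example 11.2.17 and Example 11.2.19 modulo 7.

```python
# Added example (not from the textbook): division with remainder, Euclid's
# algorithm and the extended Euclidean algorithm in (Z/pZ)[X], following
# Algorithms 11.2.10, 11.2.16 and 11.2.18.
# Polynomials are coefficient lists, lowest degree first: [2, 1] is X + 2.
# The zero polynomial is [] and, as in the text, has degree -1.


def trim(f):
    """Drop leading zero coefficients so that degree(f) == len(f) - 1."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f


def degree(f):
    return len(trim(f)) - 1


def lc(f):
    """Leading coefficient of a nonzero polynomial."""
    return trim(f)[-1]


def poly_add(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])


def poly_sub(a, b, p):
    return poly_add(a, [(-c) % p for c in b], p)


def poly_mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] = (out[i + j] + ca * cb) % p
    return trim(out)


def make_monic(f, p):
    inv = pow(lc(f), -1, p)             # Z/pZ is a field: lc(f) is invertible
    return [(c * inv) % p for c in trim(f)]


def poly_divmod(a, b, p):
    """Algorithm 11.2.10: q and r with a = q*b + r and degree(r) < degree(b).
    Dividing by lc(b) is the one step that needs the coefficients to form a
    field (Remark 11.2.8)."""
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lcb = pow(lc(b), -1, p)
    q = [0] * max(degree(a) - degree(b) + 1, 0)
    r = a
    while degree(r) >= degree(b):
        shift = degree(r) - degree(b)
        t = (lc(r) * inv_lcb) % p           # lc(r) / lc(b)
        q[shift] = t
        for i, c in enumerate(b):           # r := r - t * X^shift * b
            r[i + shift] = (r[i + shift] - t * c) % p
        r = trim(r)                         # degree(r) strictly decreases
    return trim(q), r


def poly_gcd(a, b, p):
    """Algorithm 11.2.16: the monic gcd of a and b (not both zero)."""
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    while degree(b) > -1:
        a, b = b, poly_divmod(a, b, p)[1]
    return make_monic(a, p)


def poly_egcd(a, b, p):
    """Algorithm 11.2.18: (d, x, y) with d = gcd(a, b) monic and d = x*a + y*b.
    Loop invariant: a = x*a0 + y*b0 and b = u*a0 + v*b0."""
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    x, y, u, v = [1], [], [], [1]
    while degree(b) > -1:
        q, r = poly_divmod(a, b, p)
        a, b = b, r
        x, y, u, v = u, v, poly_sub(x, poly_mul(q, u, p), p), poly_sub(y, poly_mul(q, v, p), p)
    inv = pow(lc(a), -1, p)
    return tuple([(c * inv) % p for c in f] for f in (a, x, y))


if __name__ == "__main__":
    P = 7
    A, B = [6, 0, 0, 0, 1], [6, 0, 0, 0, 0, 0, 1]        # X^4 - 1 and X^6 - 1 mod 7
    d, x, y = poly_egcd(A, B, P)
    print("gcd:", d, "x:", x, "y:", y)                   # Examples 11.2.17 and 11.2.19
    assert poly_add(poly_mul(x, A, P), poly_mul(y, B, P), P) == d
```

Running the block prints the monic gcd $X^2 - 1$ as `[6, 0, 1]` together with $x = -X^2$ (`[0, 0, 6]`) and $y = 1$, which agrees with the matrix computation above. The inverse of the leading coefficient is exactly the step that is unavailable over $\mathbb{Z}$, which is why Example 11.2.15 has no monic gcd there.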
The greatest common divisor (gcd) of two positive integers is the greatest among all divisors, both in the absolute sense and with respect to the (partial) ordering given by division. Here follows a similar characterization for polynomials, where the degree measures the size.

Theorem 11.2.20 (Degree Maximality of the gcd). Suppose that R is a field. Let a, b, and c be polynomials in R[X]. If a and b are not both zero and c is a common divisor of a and b of maximal degree, then c is a greatest common divisor of a and b.

Proof. If d is the gcd of a and b, then by the Extended Euclidean Algorithm for Polynomials (11.2.18) there are polynomials p and q with d = p · a + q · b. Thus the common divisor c of a and b is also a divisor of d. As the degree of d is less than or equal to the degree of c, this implies that c is a scalar multiple of d and hence also a greatest common divisor of a and b.

Example 11.2.21. In $\mathbb{R}[X]$, the polynomial $X - 1$ divides both $X^8 - 1$ and $X^{12} - 1$, but so does $X^2 + 1$ (because $X^4 - 1 = (X^2 - 1) \cdot (X^2 + 1)$ divides both). A gcd is, by definition, divisible by every common divisor, so a gcd of the two polynomials would have to be divisible by $X^2 + 1$ and thus have degree at least $2$; hence $X - 1$ is not a gcd of the two polynomials.

Remark 11.2.22. For polynomials and integers, the notions degree and absolute value play comparable roles. These rings are both instances of Euclidean rings, algebraic structures for which there exists a measure with comparable properties.

The Extended Euclidean Algorithm for Polynomials (11.2.18) provides us with the following characterization of the gcd.

Theorem 11.2.23 (Characterization of the gcd of Polynomials). Let a and b be two nonzero polynomials in R[X], where R is a field. Then the following three statements are equivalent.

(a) gcd(a, b) = d.
(b) The polynomial d is a monic common divisor of a and b of maximal degree.
(c) d is a monic polynomial of least nonnegative degree that can be expressed as x · a + y · b with x and y polynomials in R[X].

Proof. The proof is divided into two steps.

Assertion. The second statement is equivalent to the first.

This follows immediately from Degree Maximality of the gcd (11.2.20).

Assertion. The third statement is equivalent to the first.

Let d = gcd(a, b) and let e be a polynomial of least nonnegative degree that can be expressed as x · a + y · b with x and y in R[X]. We show that d = e. Since d is a common divisor of a and b, the equality e = x · a + y · b implies that d divides e. So degree(d) ≤ degree(e). Moreover, as a result of the Extended Euclidean Algorithm for Polynomials (11.2.18), d itself can also be written as a combination of a and b. So degree(e) ≤ degree(d) by the defining property of e. Hence e must be a scalar multiple of d. As both polynomials have leading coefficient 1, they are equal. This proves the equivalence.
Since both the second as well as the third statement of the theorem are equivalent to the first, all three statements are equivalent. This finishes the proof of the theorem.

Example 11.2.24. To see that the polynomials $X^5 + 1$ and $X^3 - 1$ have gcd equal to $1$, it suffices to verify the following equality and apply the Characterization of the gcd of Polynomials (11.2.23):

$$(1 + X - X^2) \cdot (X^5 + 1) + (-1 + X - X^2 - X^3 + X^4) \cdot (X^3 - 1) = 2 \qquad (11.3)$$

Dividing both sides by $2$ expresses the monic polynomial $1$ as a combination of the two polynomials, so every common divisor of them divides $1$.

These different characterizations of the gcd, in particular the possibility of expressing the gcd of two polynomials a and b as a combination of a and b, will turn out to be very useful in all kinds of applications.

11.3 Polynomial functions

We connect our formal definition of a polynomial with the more common notion of a polyno-
mial function. Let R be one of the rings Z, Q, R, C, Z/nZ. When we refer to R as a field, we
mean to restrict the choice to Q, R, C, or Z/nZ with n prime. In these cases (and only these)
each nonzero element has an inverse.
Definition 11.3.1. Let $a(X) = a_0 + a_1 X + \ldots + a_m X^m$ be a polynomial in $R[X]$. By replacing the variable $X$ in the polynomial $a(X)$ by an element $r$ of $R$, we find the element $a(r) = a_0 + a_1 r + \ldots + a_m r^m$. In this way we obtain a function $a : R \to R$, $r \mapsto a(r)$, called the polynomial function of $a$. An element $r$ of the ring $R$ is called a zero of $a(X)$ if $a(r) = 0$.

Example 11.3.2. Consider the polynomials $X^3$ and $X$ in $\mathbb{Z}/2\mathbb{Z}[X]$. The polynomial function of each of these polynomials is the identity map on $\mathbb{Z}/2\mathbb{Z}$.

Remark 11.3.3. The set of polynomial functions is useful for many applications, especially because they are functions which are easy to represent, to manipulate and to use for approximations of other, more complicated, functions.
By way of example, on the next page, we construct polynomial functions with prescribed behaviour.

Remark 11.3.4. It is also customary to speak of a root of a polynomial, instead of a zero of a polynomial. The notion is in accordance with expressions like cube root of 2, which refers to the positive real number that is a zero of the real pol$^{}$ynomial $X^3 - 2$ in $\mathbb{R}[X]$.

Zeros of a polynomial are related to linear factors (that is, factors of degree 1).

Theorem 11.3.5 (Characterization of the Zeros of a Polynomial). Let R be a field and f ∈ R[X].

(a) An element x ∈ R is a zero of f if and only if X − x divides f.
(b) If f is a polynomial of degree n, then f has at most n distinct zeros.

Proof. Let $x \in R$. Dividing $f$ by $X - x$ yields $f = (X - x) \cdot q + r$ with $r$ of degree at most zero and hence $r \in R$.
Evaluating both sides at $x$ gives $f(x) = r$. Consequently, $f(x) = 0$ if and only if $X - x$ divides $f$.
Suppose that $f$ is a polynomial with distinct zeros $x_1, x_2, \ldots, x_t$. We claim that the product $\prod_{i=1}^{t} (X - x_i)$ is a divisor of $f$. For, $f(x_1) = 0$ implies that there is a polynomial $g_1$ such that $f = (X - x_1) \cdot g_1$. Now $f(x_2) = 0$ is equivalent to $(x_2 - x_1) \cdot g_1(x_2) = 0$. But $x_2 - x_1 \neq 0$ and $R$ is a field, so $g_1(x_2) = 0$, and hence $X - x_2$ divides $g_1$. This implies that $(X - x_1) \cdot (X - x_2)$ divides $f$. Continuing this way, we obtain a proof of the claim.
If $f$ has degree $n$, then, by the Degree Formulas (11.2.3), every divisor of it has degree at most $n$, so the claim implies $t \leq n$, that is, $f$ has at most $n$ different zeros.

Remark 11.3.6. Another proof of the second statement of the theorem (and the claim used in the proof) will follow from Characterization of Relative Prime Polynomials (11.4.6).

Example 11.3.7. Suppose that $m$ and $n$ are positive integers with $m$ dividing $n$. We consider polynomials over $\mathbb{C}$. Now $X^m - 1$ divides $X^n - 1$. This means that any $m$-th root of unity (i.e., a complex number whose $m$-th power is equal to one) is a zero of $X^n - 1$. By dividing $X^n - 1$ by the least common multiple of all $X^m - 1$, for $m$ a proper divisor of $n$, we find the monic polynomial all of whose zeros are primitive $n$-th roots of unity; here, primitive means that these roots are no $m$-th roots of unity for any proper divisor $m$ of $n$. For example,
$$X^6 - 1 = (X^2 - X + 1) \cdot (X^2 + X + 1) \cdot (X + 1) \cdot (X - 1),$$
where $X^2 - X + 1$ is the product of the two linear factors corresponding to the primitive 6-th roots of unity, $X^2 + X + 1$ is the product of the two linear factors corresponding to the primitive third roots of unity, $X + 1$ the linear factor corresponding to $-1$, the primitive second root of $1$, and $X - 1$ the linear factor corresponding to $1$, the primitive first root of $1$.

Interpolation concerns the question of finding a function that has prescribed values at a given number of points. In the polynomial context we are of course looking for polynomial functions. Given $n$ distinct points $x_1, \ldots, x_n \in R$, and $n$ prescribed values $a_1, \ldots, a_n \in R$, does a polynomial function $f : R \to R$ exist that interpolates the values $a_i$ on $x_i$, that is, with $f(x_i) = a_i$ for all $i$?

Theorem 11.3.8 (Lagrange Interpolation). Let $n$ be a positive integer and $R$ a field. Suppose that $n$ distinct elements $x_1, \ldots, x_n \in R$ and $n$ required values $a_1, \ldots, a_n \in R$ are given. Then there is a unique polynomial function $f : R \to R$ of degree at most $n - 1$ with $f(x_i) = a_i$ for all $i$.

Proof. Let $f_i$ be the polynomial
$$f_i = \frac{1}{X - x_i} \cdot \prod_{j=1}^{n} (X - x_j) = \prod_{j \neq i} (X - x_j). \qquad (11.4)$$
Then $f_i(x_i)$ is nonzero (the $x_j$ are distinct and $R$ is a field) and $f_i(x_j) = 0$ for $i \neq j$.

But then
$$\sum_{j=1}^{n} \frac{a_j}{f_j(x_j)} \cdot f_j \qquad (11.5)$$
is a polynomial of degree at most $n - 1$ that satisfies the conditions of the Theorem.

Now assume that both $f$ and $g$ satisfy the condition of the Theorem. Then $f - g$ is a polynomial of degree at most $n - 1$ with at least $n$ distinct zeros. But then the Characterization of the Zeros of a Polynomial (11.3.5) implies that $f - g$ is the zero polynomial. So $f = g$.

Example 11.3.9. An example of a polynomial $f \in \mathbb{R}[X]$ such that the corresponding function $f : \mathbb{R} \to \mathbb{R}$ satisfies $f(1) = 2$ and $f(2) = 5$ is $f(X) = X^2 + 1$, but also $3X - 1$. One can look for such a polynomial as follows. Choose a degree, preferably equal to the number of interpolation points minus 1; but let us now take 2. Then write $f(X) = f_0 + f_1 X + f_2 X^2$ and substitute the given values. This leads to the following system of linear equations:
$$f_0 + f_1 \cdot 1 + f_2 \cdot 1^2 = 2, \qquad f_0 + f_1 \cdot 2 + f_2 \cdot 2^2 = 5.$$
Solving these equations gives $f_0 = 2r - 1$, $f_1 = -3r + 3$ and $f_2 = r$ with $r \in \mathbb{R}$. This shows that there are many polynomials with the required properties. No polynomial of degree $d \leq 0$ will do the job, exactly one polynomial of degree $d \leq 1$ works (with $r = 0$), and there is an infinite number of solutions of degree $d \geq 2$. This is in accordance with the Lagrange Interpolation (11.3.8), applied for $n = 2$.

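Lagrange interpolation over the prime field Z/pZ, as an added Python example that is not code from the textbook, following formulas (11.4) and (11.5) of the proof of Theorem 11.3.8: `lagrange_basis` builds the polynomial $f_i$ and `interpolate` forms the sum $\sum_j \frac{a_j}{f_j(x_j)} f_j$. Assumptions of the example: polynomials are coefficient lists with the lowest degree first, $p$ is a prime, and the prime 101 in the demo is an arbitrary choice. The same construction is what threshold secret sharing relies on (the prescribed values being the shares), an application the page does not discuss.

```python
# Added example (not from the textbook): Lagrange interpolation over the
# prime field Z/pZ, following the proof of Theorem 11.3.8.
# Polynomials are coefficient lists, lowest degree first: [p - 1, 3] is 3X - 1.


def trim(f):
    """Drop leading zero coefficients; the zero polynomial becomes []."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f


def poly_add(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])


def poly_mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] = (out[i + j] + ca * cb) % p
    return trim(out)


def poly_eval(f, x, p):
    """The polynomial function of f evaluated at x (Horner's rule)."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % p
    return acc


def lagrange_basis(xs, i, p):
    """f_i = prod_{j != i} (X - x_j), formula (11.4): f_i(x_j) = 0 for j != i,
    and f_i(x_i) != 0 because the x_j are distinct and Z/pZ is a field."""
    f = [1]
    for j, xj in enumerate(xs):
        if j != i:
            f = poly_mul(f, [(-xj) % p, 1], p)
    return f


def interpolate(points, p):
    """The unique polynomial of degree at most n - 1 through n points with
    distinct x-coordinates, formula (11.5): sum_j a_j / f_j(x_j) * f_j."""
    xs = [x % p for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("interpolation points must have distinct x-coordinates")
    result = []
    for i, (_, a_i) in enumerate(points):
        f_i = lagrange_basis(xs, i, p)
        scale = (a_i * pow(poly_eval(f_i, xs[i], p), -1, p)) % p  # a_i / f_i(x_i)
        result = poly_add(result, [(c * scale) % p for c in f_i], p)
    return result


def check_fit(f, points, p):
    """The defining property: f must take every prescribed value."""
    return all(poly_eval(f, x, p) == a % p for x, a in points)


if __name__ == "__main__":
    P = 101
    # Example 11.3.9: the degree <= 1 polynomial through (1, 2) and (2, 5) is 3X - 1.
    f = interpolate([(1, 2), (2, 5)], P)
    print(f, check_fit(f, [(1, 2), (2, 5)], P))
    # A third point taken from X^2 + 1 forces the degree-2 solution X^2 + 1.
    print(interpolate([(1, 2), (2, 5), (3, 10)], P))
```

With two points the block returns `[100, 3]`, i.e. $3X - 1$ with $-1$ written as $100$ modulo $101$, the unique solution of degree at most $1$ from Example 11.3.9; adding the point $(3, 10)$ singles out $X^2 + 1$ among the infinitely many degree-2 solutions.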
The so-called Fundamental Theorem of Algebra says that every polynomial over C of positive degree has a zero. Equivalently: every polynomial in C[X] is a product of linear factors. We shall not prove this fact. Giving a proof is hard and requires a rigorous treatment of C.

Theorem 11.3.10 (Fundamental Theorem of Algebra). Every polynomial over C of positive degree has a zero.

Remark 11.3.11. Equivalent to the Fundamental Theorem of Algebra (11.3.10) is the following statement: every polynomial in $\mathbb{C}[X]$ is a product of linear factors. This is immediate by the Characterization of the Zeros of a Polynomial (11.3.5).
We can use this fact to find factors of polynomials over $\mathbb{R}$. Let $f$ be a polynomial over $\mathbb{R}$ of positive degree. Then we can consider $f$ as a polynomial over $\mathbb{C}$. In particular, $f$ will have a (complex) zero, $x$ say. If $x$ is real, then $f$ is divisible by $X - x$. If $x$ is not real, then its complex conjugate $\bar{x}$ is also a zero of $f$. Indeed, as all coefficients of $f$ are real we have $f(\bar{x}) = \overline{f(x)} = \bar{0} = 0$.
So, if $x$ is not real, then $f$ is divisible by the linear complex polynomials $X - x$ and $X - \bar{x}$ and therefore also by the real polynomial $(X - x) \cdot (X - \bar{x}) = X^2 - 2 \cdot \mathrm{Re}(x) \cdot X + x \cdot \bar{x}$.
We conclude that a real polynomial of positive degree always has a factor of degree one or two.

11.4 Factorization

In the following R is, unless explicitly stated otherwise, always a field, like Q, R, C or Z/pZ with p prime. These arithmetic systems have in common that every nonzero element has a multiplicative inverse.
Here is the counterpart in the setting of polynomial rings of primality.
Definition 11.4.1 (Irreducibility). A polynomial f ∈ R[X] is called irreducible if degree(f) > 0 and if the only nonconstant polynomials g with g | f have the same degree as f; in other words, if f is not a constant and if its only divisors are the constants and the constant multiples of f. If f is not irreducible, then f is called reducible.

Example 11.4.2. By definition, all polynomials of degree 1 are irreducible. Clearly, such a statement is no longer true for polynomials of higher degree.
For instance, the only irreducible polynomials of $\mathbb{Z}/2\mathbb{Z}[X]$ of degrees 2 and 3 are $X^2 + X + 1$, $X^3 + X + 1$, and $X^3 + X^2 + 1$.

We shall study factorizations of a polynomial, that is, ways to write the polynomial as a product of polynomials of smaller degree.
With the help of the Fundamental Theorem of Algebra (11.3.10), we can determine which polynomials over R and C are irreducible.

Theorem 11.4.3 (Classification of Real and Complex Irreducible Polynomials). A complex polynomial $f \in \mathbb{C}[X]$ is irreducible if and only if its degree is $1$.
If a real polynomial $f \in \mathbb{R}[X]$ is irreducible, then its degree is $1$ or $2$.
The real polynomial $aX^2 + bX + c \in \mathbb{R}[X]$ of degree $2$ is irreducible if and only if $b^2 - 4ac < 0$.

Proof. As we have seen in Remark 11.3.11, a complex polynomial of positive degree is always divisible by a linear polynomial. So indeed, a complex polynomial is irreducible if and only if it is linear.
As we have seen in Remark 11.3.11, a real polynomial of positive degree is always divisible by a linear or a degree 2 polynomial. So, if it is irreducible, then it has degree at most 2.
Moreover, if its degree is 2, then it is irreducible if and only if it has no real zeros: a divisor of degree 1 is the same as a zero by the Characterization of the Zeros of a Polynomial (11.3.5). The latter is equivalent to the discriminant being negative.

Example 11.4.4. The polynomial $aX^2 + bX + c \in \mathbb{R}[X]$ with $a \neq 0$ and $b^2 - 4ac \geq 0$ is reducible. It equals the product
$$a \cdot \left(X - \frac{-b + \sqrt{b^2 - 4ac}}{2a}\right) \cdot \left(X - \frac{-b - \sqrt{b^2 - 4ac}}{2a}\right).$$

Example 11.4.5. The theorem states that the polynomial $aX^2 + bX + c \in \mathbb{R}[X]$ with $a \neq 0$ and $b^2 - 4ac < 0$ is irreducible. But when viewed as a complex polynomial it is reducible and equals the product
$$a \cdot \left(X - \frac{-b + i\sqrt{4ac - b^2}}{2a}\right) \cdot \left(X - \frac{-b - i\sqrt{4ac - b^2}}{2a}\right).$$

Let R be a field. The following result for polynomials parallels the characterization of relatively prime integers.

Lemma 11.4.6 (Characterization of Relative Prime Polynomials). Two polynomials f and g (not both zero) in R[X] are relatively prime if and only if there exist polynomials a and b such that a · f + b · g = 1.

Proof.
Assertion. If.
From a relation a · f + b · g = 1 we infer that a common divisor of f and g must be a divisor of the left-hand side a · f + b · g and therefore of 1. So the gcd of f and g is 1. This proves the 'if' part.
Assertion. Only if.

The 'only if' implication is an immediate consequence of the Extended Euclidean Algorithm for Polynomials (11.2.18).

Compare the next theorem with the similar Result on the divisor of a product (9.2.13).

Proposition 11.4.7. If f and g are relatively prime, then f | g · h implies f | h.
If p is an irreducible polynomial and b1, ..., bs are polynomials such that p | b1 · ... · bs, then there is an index i ∈ {1, ..., s} with p | bi.

Proof. By the Extended Euclidean Algorithm for Polynomials (11.2.18), there exist polynomials $a$ and $b$ with $a \cdot f + b \cdot g = 1$. Multiplying this relation by $h$ yields $a \cdot f \cdot h + b \cdot g \cdot h = h$. Since $f \mid a \cdot f \cdot h$ and $f \mid b \cdot g \cdot h$, it follows that $f \mid h$.
This proves the first part of the proposition. For the second part, note that an irreducible polynomial $p$ is relatively prime to every polynomial it does not divide: a common divisor is a constant or a constant multiple of $p$. So if $p$ does not divide $b_1$, the first part applied to $p \mid b_1 \cdot (b_2 \cdot \ldots \cdot b_s)$ gives $p \mid b_2 \cdot \ldots \cdot b_s$, and induction on $s$ finishes the argument.

The Result on divisors of a product (11.4.7) leads to unique factorization of polynomials.

Theorem 11.4.8 (Unique Factorization). Let R be a field. Every nonconstant polynomial f ∈ R[X] can be written as the product of a finite number of irreducible polynomials: f = p1 · ... · ps for some positive integer s, and irreducible polynomials pi where i ∈ {1, ..., s}.
This way of writing is unique up to the order of the irreducible factors and up to multiplication by constants.

Proof. The proof is divided into two parts: existence and uniqueness.
Assertion. The polynomial f can be written as a product of irreducible factors.

We show by induction on the degree of f that f can be written as a product of irreducible factors.
If the degree of f equals 1, then f itself is obviously irreducible and we are done.
Now suppose that the degree of f is greater than 1. The induction hypothesis says that every
polynomial of degree less than degree ( f ) can be written as a product of irreducible factors.
If f is irreducible, we are done. If not, then f has a divisor g such that both g and f /g have
degree less than the degree of f . The induction hypothesis implies that both g and f /g can
be written as a product of irreducible factors. But then, as f = ( f /g)· g, we find that f itself
is also a product of irreducible polynomials.
Assertion. The factorization of f into irreducible factors is unique up to order and multiplication by constants.

Again we use induction on the degree $n$ of $f$.
The case $n = 1$ is easy and left to the reader.
Now suppose that $n > 1$, and suppose that uniqueness has been shown for polynomials of degree less than $n$. Suppose $f = p_1 \cdot \ldots \cdot p_s$ and $f = q_1 \cdot \ldots \cdot q_t$ are two possible ways of writing $f$ as a product of irreducible factors. From Result on divisors of a product (11.4.7) we conclude that there exists an index $k \in \{1, \ldots, t\}$ such that $p_s$ divides $q_k$. Without loss of generality we can assume $k$ to be equal to $t$ and, as we may multiply by constants, that $p_s = q_t$. Applying the induction hypothesis to the polynomial $f/p_s$ with the two ways of writing it as a product of irreducible factors, $f/p_s = p_1 \cdot \ldots \cdot p_{s-1}$ and $f/p_s = q_1 \cdot \ldots \cdot q_{t-1}$, yields that these factorizations are equal (up to the order of the factors and multiplications by constants). Clearly this implies that the two factorizations of $f$ are also equal (up to the order of the factors and multiplications by constants).

Example 11.4.9. The factorization in irreducibles of $X^4 - 1$ in $\mathbb{Q}[X]$ is $(X^2 + 1) \cdot (X + 1) \cdot (X - 1)$.
The first factor is irreducible since it has degree two and no rational zeros. Considered as a polynomial over $\mathbb{C}$, the factorization of $X^4 - 1$ is $(X + i) \cdot (X - i) \cdot (X + 1) \cdot (X - 1)$.
Considered as a polynomial over $\mathbb{Z}/2\mathbb{Z}$, the factorization is $(X + 1)^4$.

Example 11.4.10. As for integers (compare with the example on the factorization record), it is not difficult to verify a factorization. However, it is not always as easy to check whether the found factors are irreducible. A proof that a polynomial $f \in \mathbb{Q}[X]$ with integer coefficients is irreducible can often be given by computing modulo $p$ for a prime number $p$. If $p$ does not divide the leading coefficient of $f$ (so that reduction modulo $p$ preserves the degrees of $f$ and of its factors) and the polynomial is irreducible modulo $p$, then it is also irreducible over $\mathbb{Q}$. However, the converse does not hold. There are polynomials $f \in \mathbb{Z}[X]$ which are irreducible over $\mathbb{Q}$ but reducible modulo each prime $p$. An example is $f(X) = X^4 + 1$. Modulo $2$ it factors as $(X + 1)^4$ and modulo $3$ as $(X^2 - X - 1) \cdot (X^2 + X - 1)$. It carries too far to show that $X^4 + 1$ factors modulo every prime.

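Deciding irreducibility over a small prime field by exhaustive search, as an added Python example that is not code from the textbook. It recovers the irreducible polynomials of degrees 2 and 3 over Z/2Z listed in Example 11.4.2, and it checks the claim of Example 11.4.10 that $X^4 + 1$ is reducible modulo every prime, for the primes below 20 (a proof for all primes is a separate matter, as the text says). Assumptions of the example: polynomials are coefficient lists with the lowest degree first, the function names and the bound 20 are this example's choices, and the degree-4 search over pairs of monic quadratics costs about $p^4/2$ multiplications, so it is meant for small $p$ only.

```python
# Added example (not from the textbook): irreducibility in (Z/pZ)[X] for small
# p by exhaustive search, checking Example 11.4.2 and Example 11.4.10.
# Polynomials are coefficient lists, lowest degree first: [1, 1, 1] is X^2 + X + 1.
from itertools import combinations_with_replacement, product


def poly_eval(f, x, p):
    """Value of the polynomial function f at x in Z/pZ (Horner's rule)."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % p
    return acc


def poly_mul(a, b, p):
    """Product of two polynomials with coefficients reduced modulo p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] = (out[i + j] + ca * cb) % p
    return out


def monic_polys(deg, p):
    """All p^deg monic polynomials of the given degree over Z/pZ."""
    return [list(coeffs) + [1] for coeffs in product(range(p), repeat=deg)]


def is_irreducible(f, p):
    """Decide irreducibility of a monic f of degree 1 to 4 over Z/pZ.

    A factorization into two nonconstant factors contains a factor of degree
    at most deg(f)//2.  For degree 2 or 3 that factor is linear, so by the
    Characterization of the Zeros of a Polynomial (11.3.5) it suffices to look
    for a zero.  For degree 4 a product of two monic quadratics must also be
    ruled out, which is done by brute force.
    """
    n = len(f) - 1
    if n < 1 or n > 4 or f[-1] % p != 1:
        raise ValueError("expects a monic polynomial of degree 1 to 4")
    f = [c % p for c in f]
    if n == 1:
        return True                      # Example 11.4.2: linear => irreducible
    if any(poly_eval(f, x, p) == 0 for x in range(p)):
        return False                     # has a linear factor X - x
    if n == 4:
        quadratics = monic_polys(2, p)
        for g, h in combinations_with_replacement(quadratics, 2):
            if poly_mul(g, h, p) == f:
                return False
    return True


def irreducibles(deg, p):
    """All monic irreducible polynomials of degree deg (1..4) over Z/pZ."""
    return [f for f in monic_polys(deg, p) if is_irreducible(f, p)]


def primes_below(n):
    return [q for q in range(2, n) if all(q % d for d in range(2, int(q ** 0.5) + 1))]


def x4_plus_1_reducible_mod(primes):
    """The primes q in the list modulo which X^4 + 1 is reducible (Example 11.4.10)."""
    return [q for q in primes if not is_irreducible([1, 0, 0, 0, 1], q)]


if __name__ == "__main__":
    print("irreducible over Z/2Z, degree 2:", irreducibles(2, 2))
    print("irreducible over Z/2Z, degree 3:", irreducibles(3, 2))
    print("X^4 + 1 is reducible modulo:", x4_plus_1_reducible_mod(primes_below(20)))
```

The degree-2 and degree-3 lists printed for $p = 2$ are exactly $X^2 + X + 1$, $X^3 + X^2 + 1$ and $X^3 + X + 1$ from Example 11.4.2, and every prime below 20 appears in the last line. The same `irreducibles` call with $p = 3$ answers Exercise 11.5.17(b).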
11.5 Exercises

Exercise 11.5.1. Find the sum and product of the following polynomials.

• X 3 + 2· X 2 − X + 1 and X 2 + 2· X − 1 over Q;
• X 3 + 2· X 2 − X + 1 and X 2 + 2· X − 1 over Z/3Z;

• X 3 + X − 1 and X 2 − X − 2 over Q;
• X 3 + X − 1 and X 2 − X − 2 over Z/3Z.

Exercise 11.5.2. Show that for any prime $p$ and any polynomial $a_0 + a_1 X + \ldots + a_{n-1} X^{n-1} + a_n X^n$ in $\mathbb{Z}/p\mathbb{Z}[X]$, we have
$$(a_0 + a_1 X + \ldots + a_{n-1} X^{n-1} + a_n X^n)^p = a_0 + a_1 X^p + \ldots + a_{n-1} X^{p(n-1)} + a_n X^{pn}.$$

Exercise 11.5.3. Determine the gcd of each of the following pairs of polynomials and write each gcd as a combination of the given polynomials.

• $X^2 + 1$ and $X^3 + 1$ as polynomials over $\mathbb{Q}$;
• $X^2 + 1$ and $X^3 + 1$ as polynomials over $\mathbb{Z}/2\mathbb{Z}$;
• $X^2 - X + 1$ and $X^3 + X + 2$ as polynomials over $\mathbb{Z}/3\mathbb{Z}$.

Exercise 11.5.4. Suppose that the polynomials a and b have integer coefficients and that b is
monic, i.e., has leading coefficient 1. Prove that the quotient q and remainder r of division of
a by b in Q [X] also belong to Z [X].

Exercise 11.5.5. Analogously to the definition of the gcd of two polynomials one can define the gcd of more than two (nonzero) polynomials.
Indeed, the gcd of a set of polynomials is a common divisor of the polynomials in the set with leading coefficient 1 and the property that it is divisible by every common divisor of the polynomials in the set.
Let a, b, and c be three nonzero polynomials with coefficients in Q.

• Show that gcd(a, b, c) = gcd(a, gcd(b, c)).
• Show that a, b, c are relatively prime (have gcd 1) if and only if there exist polynomials p, q, r such that p · a + q · b + r · c = 1.

Exercise 11.5.6. Let a, b, and c be polynomials in X. Prove the following:
If a divides b and c, then a divides b + d · c for every polynomial d.

Exercise 11.5.7. Let a, b, and c be polynomials in X. Prove the following:
If a divides b and b divides c, then a divides c.

Exercise 11.5.8. Determine the quotient and remainder of a upon division by b, where a and b are as below.

(a) $a = X^4 + 3X^2 + X + 1$ and $b = X^2 + X + 1$ in $\mathbb{Q}[X]$;
(b) $a = X^4 + 3X^2 + X + 1$ and $b = X^2 + X + 1$ in $\mathbb{Z}/2\mathbb{Z}[X]$;
(c) $a = X^4 + 3X^2 + X + 1$ and $b = X^2 + X + 1$ in $\mathbb{Z}/3\mathbb{Z}[X]$.

Exercise 11.5.9. Let a and b be polynomials in X over the field R. The gcd of a and b can be written as p · a + q · b for some polynomials p and q. Show that every polynomial that can be written as p · a + q · b with p and q polynomials over R, and divides a and b, is a gcd of a and b.

Exercise 11.5.10. Determine polynomials $a$ and $b$ in $\mathbb{Q}[X]$ such that $a \cdot (X^2 + 1) + b \cdot (X^3 - X + 1) = X - 1$.

Exercise 11.5.11. Determine polynomials $a$ and $b$ in $\mathbb{Z}/2\mathbb{Z}[X]$ such that $a \cdot (X^2 + 1) + b \cdot (X^3 - X + 1) = X - 1$.

Exercise 11.5.12. Find all zeros of each of the following polynomials.

(a) $X^2 + 2X + 2$ in $\mathbb{Z}/5\mathbb{Z}[X]$;
(b) $X^2 + X + 1$ in $\mathbb{Z}/24\mathbb{Z}[X]$;
(c) $X \cdot (X + 1) \cdot (X + 2)$ in $\mathbb{Z}/12\mathbb{Z}[X]$;
(d) $2X^2 + 13X + 9$ in $\mathbb{Z}/33\mathbb{Z}[X]$.

Exercise 11.5.13. Let f be a polynomial in Z[X] of degree at least 1.
Prove that f(n) cannot be a prime for every n ∈ Z.

Exercise 11.5.14. Find all polynomials p ∈ Q [X] that satisfy p (x) = p (−x) for any x in Q.

Exercise 11.5.15. Find all polynomials p ∈ Z/2Z [X] that satisfy p (x) = p (−x) for any x in
Z/2Z.
What happens if we replace Z/2Z by Z/6Z?

Exercise 11.5.16. Consider the polynomial $a = a_0 + a_1 X + \ldots + a_{n-1} X^{n-1} + a_n X^n$ in $\mathbb{Z}[X]$, with $a_n \neq 0$.

(a) Prove: If $r \in \mathbb{Z}$ is a zero of $a$, then $r$ is a divisor of $a_0$.
(b) Suppose that $r, s \in \mathbb{Z}$ are relatively prime and that $r/s$ is a root in $\mathbb{Q}$ of $a$. Prove that $s$ divides $a_n$ and that $r$ divides $a_0$.
(c) Find all rational roots of the polynomial $15 - 32X + 3X^2 + 2X^3$.

Exercise 11.5.17. Consider the ring $\mathbb{Z}/3\mathbb{Z}[X]$ of polynomials in $X$ with integer coefficients modulo 3.

(a) How many polynomials of degree $n$ are there in $\mathbb{Z}/3\mathbb{Z}[X]$?
(b) Determine all irreducible polynomials in $\mathbb{Z}/3\mathbb{Z}[X]$ of degrees 2 and 3.

Exercise 11.5.18. Verify the identity of polynomials $(X^2 - 1)^2 + (2X)^2 = (X^2 + 1)^2$.
A Pythagorean triple is a triple of positive integers $r$, $s$ and $t$ such that $r^2 + s^2 = t^2$. According to the Pythagorean theorem, these triples occur as sides of right triangles.
By substituting rational numbers $p/q$ for $X$ show how to produce Pythagorean triples from the identity $(X^2 - 1)^2 + (2X)^2 = (X^2 + 1)^2$.

Exercise 11.5.19. Suppose the polynomials f (X) and g (X) over Q have greatest common
divisor d (X). Fix a in Q and replace every occurrence of X in f and g by X + a. For instance,
if a = 2 then X 2 + X − 1 changes into (X + 2)2 + (X + 2) − 1.
Prove that the gcd of the new polynomials f (X + a) and g (X + a) is d (X + a).

Exercise 11.5.20. Show that the polynomials $X - 1$ and $X^2 + X + 1$ over $\mathbb{Q}$ are relatively prime.
Use the Extended Euclidean Algorithm for Polynomials (11.2.18) to find constants $a$, $b$, $c$ such that
$$\frac{1}{X^3 - 1} = \frac{a}{X - 1} + \frac{bX + c}{X^2 + X + 1}.$$

Exercise 11.5.21. Let R be one of the fields Q, R, C, Z/pZ with p prime. Prove that there are
infinitely many irreducible polynomials in R [X].

Exercise 11.5.22. Determine all irreducible polynomials $p$ and $q$ in $\mathbb{Z}[X]$ that satisfy the equation $(X^2 + 1) \cdot p + (X + 2) \cdot q = p \cdot q$.

Chapter 12

Arithmetic modulo polynomials

One step beyond arithmetic modulo an integer is arithmetic 'modulo a polynomial' (or several polynomials). Here polynomials that differ by multiples of a fixed polynomial are considered equivalent. This construction gives us arithmetical systems that are important in, for example, coding theory and cryptology. In this chapter, R is always one of the sets Z, Q, R, C, Z/nZ where n > 1, with the usual addition and multiplication, unless explicitly stated otherwise.

12.1 Congruence modulo a polynomial

We know computation modulo a fixed integer n. Here we will do something similar, but with
polynomials instead of integers. Thus we work with elements of polynomial rings R [X], with
R a ring like one of Z, Q, R, C, Z/nZ with n > 1.
Often, but not always, we will require that R be a field, that is, a ring in which every nonzero
element is a divisor of 1. Of the above rings, Q, R, C, Z/nZ, with n a prime, are fields.
Definition 12.1.1. Let d be a polynomial in R [X]. We define the relation congruence modulo
d on R [X] as follows. The polynomials a, b ∈ R [X] are congruent modulo d (notation:
a ≡ b (mod d)) if there exists a polynomial q ∈ R [X] such that a − b = q· d; in other words if
a and b differ by a multiple of d.

Example 12.1.2. Consider the constant 2. In Q [X] every polynomial is congruent to 0 modulo
2. However, in Z [X] a polynomial is congruent to 0 modulo 2 if and only if each of its
coefficients is even.
Consider the polynomial d = 3· X − 1 in R [X]. By the Characterization of the Zeros of a
Polynomial (11.3.5) a polynomial in R [X] is congruent to 0 modulo d if and only if its value
at 1/3 (as a polynomial function) is 0.

Our goal will be to port as many results as possible from the arithmetic modulo an integer to
the arithmetic modulo a polynomial. The following theorem tells us that, to begin with, the
most important property (the division into residue classes) is preserved.

Theorem 12.1.3. Congruence modulo d is an equivalence relation on R [X].

Proof. To show that congruence modulo d is an equivalence relation, we have to verify that
this relation is reflexive, symmetric, and transitive.
Assertion. Congruence modulo d is reflexive.

This follows from the fact that for every polynomial a we have: a − a = 0· d.
Assertion. Congruence modulo d is symmetric.

If a and b are congruent modulo d, i.e., if a − b = q· d for some polynomial q, then rewriting
this equality as b − a = (−q) · d shows that b and a are also congruent modulo d.
Assertion. Congruence modulo d is transitive.

If a is congruent to b modulo d and b is congruent to c modulo d, then there exist polynomials
q and p with a − b = q·d and b − c = p·d. Adding these equalities yields a − c = (q + p)·d.
This shows that a and c are congruent modulo d.

Example 12.1.4. Consider the polynomial d = 3·X − 1 in Q [X]. By Characterization of the
Zeros of a Polynomial (11.3.5) two polynomials in Q [X] are congruent modulo d if and
only if their values at 1/3 (as polynomial functions) are equal. So the equivalence classes
are in bijective correspondence with Q, the set of possible values at 1/3 of the polynomial
functions.

We introduce some notation for the equivalence classes of congruence modulo d.


Definition 12.1.5. By (d)R [X] we denote the set { f ∈ R [X] | ∃g. f = g·d}.
The equivalence class { f ∈ R [X] |∃g. f = a + g· d}, containing the polynomial a, is called
the residue class modulo d of a and is denoted by a + (d)R [X]. The set of residue classes
modulo d is denoted by R [X] /(d)R [X]. This set is called the residue class ring or quotient
ring modulo d.

Example 12.1.6. In Q [X], the polynomials X^6 and 1 represent the same residue class modulo
X^2 − X + 1. Indeed, X^6 − 1 = (X − 1)·(X^2 + X + 1)·(X^2 − X + 1)·(X + 1), from which we
deduce that X^6 − 1 is divisible by X^2 − X + 1.

Other notations for the residue class modulo d containing the polynomial a are:

• a, when it is clear we mean the residue class,

• or a + (d)R [X].

In these notations, naturally, a is the most obvious representative from the residue class a +
(d)R [X], but not necessarily the only one. For any g ∈ R [X] the polynomial a + g· d is also a
representative of this class.
The notation R [X] /(d)R [X] is similar to the notation Z/nZ introduced in Congruence is an
Equivalence Relation (10.1.3).
Suppose that R is a field and d ∈ R [X]. Then every residue class modulo d contains a canon-
ical representative:

Theorem 12.1.7. If d ∈ R [X] is a polynomial of degree n > 0, then every residue class
modulo d has a unique representative of degree less than n. This unique representative
is the remainder obtained when dividing an arbitrary representative of the class by d.

Proof. Let a + (d)R [X] be the class of a modulo d. The proof is divided into two parts.
Together they imply the theorem.
Assertion. There exists a representative of a + (d)R [X] of degree smaller than n.

Division with remainder leads to an equality a = q·d + r where r is a polynomial of degree
less than n. Rewriting the equality as a − r = q·d shows that a and r are congruent modulo d.
Hence r is a representative of degree less than n of the residue class of a.
Assertion. The class of a modulo d contains at most one element of degree less than n.

Suppose that both a and b are representatives of degree less than n of the same residue class
modulo d. Then a − b = q· d for some polynomial q. Since the degrees of both a and b are
less than the degree of d, the degree of the left-hand side is less than n. But the degree of the
right-hand side can only be less than n if q is the zero polynomial. In particular, a = b.

Example 12.1.8. Consider the residue classes modulo X^2 + 1 in Z/3Z [X]. According to the
Theorem on the Representative of Congruence Classes (12.1.7), every residue class has its
own unique representative of degree at most 1. Conversely, every polynomial of degree at
most 1 represents a different class. Since there are precisely nine polynomials in Z/3Z [X] of
degree at most 1, we find exactly nine residue classes. Below we list their representatives of
degree at most 1.

0, 1, 2, X, 1 + X, 2 + X, 2·X, 1 + 2·X, 2 + 2·X (12.1)

In practice we will often use the short notation, like 1 + X, not only for the representative, but
also to denote the congruence class. Naturally, we prefer it to the long expression 1 + X +
(X^2 + 1)Z/3Z [X] whenever no confusion is imminent.

12.2 The residue class ring


Suppose that R is a ring. Let d be a polynomial in R [X]. In this section we describe how to
add and multiply residue classes in R [X] /(d)R [X].
We use addition and multiplication for the operations of taking sum and product, respectively.
Definition 12.2.1. The sum and product of the residue classes a + (d)R [X] and b + (d)R [X]
in R [X] /(d)R [X] are defined as follows.

• Sum: (a + (d)R [X]) + (b + (d)R [X]) = (a + b) + (d)R [X];

• Product: (a + (d)R [X]) · (b + (d)R [X]) = (a·b) + (d)R [X].

Proposition 12.2.2. Sum and product on R [X] /(d)R [X] are well-defined.

Proof. We need to verify that a different choice of representatives leads to the same residue
class for the sum (and the product).
Assertion. The sum is well defined.

Suppose that a and a′ are both representatives of the same residue class and also that b and b′
represent a single class. Then there are polynomials p and q with a − a′ = p·d and b − b′ =
q·d. Addition leads to the equality (a + b) − (a′ + b′) = (p + q)·d. This implies that a + b
and a′ + b′ belong to the same residue class modulo d. Hence addition is well defined.
Assertion. The product is well defined.

The check is similar to the one for addition.

Example 12.2.3. Consider the polynomials a = X^3 + 3·X^2 + 1, b = X^2 + 2·X − 1, and d =
X^2 + X + 1 in Q [X]. Then inside Q [X] /(d)Q [X] we find

(a + (d)Q [X]) + (b + (d)Q [X]) =
(a + b) + (d)Q [X] =
(X^3 + 3·X^2 + 1 + X^2 + 2·X − 1) + (d)Q [X] =
(X^3 + 4·X^2 + 2·X) + (d)Q [X] =
((−2)·X − 3) + (d)Q [X].

The product modulo d equals

(a + (d)Q [X]) · (b + (d)Q [X]) =
(a·b) + (d)Q [X] =
(X^3 + 3·X^2 + 1) · (X^2 + 2·X − 1) + (d)Q [X] =
(−1 + 2·X − 2·X^2 + 5·X^3 + 5·X^4 + X^5) + (d)Q [X] =
(5 + 8·X) + (d)Q [X].

Let R be a ring and let d ∈ R [X]. The usual arithmetical rules imply the rules below for
addition and multiplication modulo d. First we identify two special elements.

• The element 0 + (d)R [X] is called the zero element of R [X] /(d)R [X] and
• the element 1 + (d)R [X] is called the unity or unit element.

We often simply denote these elements by 0 and 1, respectively.

Theorem 12.2.4 (Arithmetical Rules). For arbitrary a ∈ R [X] /(d)R [X] we have

• a + 0 = a and 0 + a = a;
• a· 0 = 0 and 0· a = 0;
• a· 1 = a and 1· a = a;

• there exists a unique b ∈ R [X] /(d)R [X] with a + b = 0.


The element b is called the opposite of a and is written as −a. It is also the unique
element with b + a = 0.

Proof. The proofs follow from the corresponding arithmetical rules for addition and multi-
plication of polynomials. By way of illustration, we prove two equalities.
Assertion. For all a we have a· 0 = 0.

Choose a representative a′ from the residue class a. Then a·(0 + (d)R [X]) = a′·0 + (d)R [X]
according to the definition of multiplication. The multiplication in R yields a′·0 = 0, so that
we find a′·0 + (d)R [X] = 0 + (d)R [X] = (d)R [X] = 0. Hence a·0 = 0.
Assertion. Each element has a unique opposite.

Given a class a choose a representative a′ in it. Now take b to be the class of −a′. Then the
sum of a and b is the class of a′ + (−a′), i.e., the class of 0. This establishes that there is at
least one opposite.
The proof that there is at most one opposite reads as follows. Suppose that the class c is also
an opposite of a. Choose a representative c′. As a + c = 0, we find a′ + c′ to be divisible by d.
But this implies that −a′ and c′ are congruent modulo d. In particular, their classes coincide:
b = c.

Example 12.2.5. Let R = Z/2Z and d = X^3 + X + 1. Then the residue class a of X in
R [X] /(d)R [X] satisfies a^7 = 1. Indeed, X^7 − 1 = d·(X^4 + X^2 + X + 1) in R [X], so a^7 − 1 =
0·(a^4 + a^2 + a + 1) = 0.


Some more rules are given in the theorem below.

Theorem 12.2.6 (General Arithmetical Rules). For all a, b, and c in R [X] /(d)R [X]
the following equalities hold.

• a + b = b + a (commutativity of addition);
• a· b = b· a (commutativity of multiplication);
• (a + b) + c = a + (b + c) (associativity of addition);
• (a· b)· c = a· (b· c) (associativity of multiplication);

• a· (b + c) = a· b + a· c (distributivity of multiplication over addition).

Proof. The proofs of arithmetical rules for computing modulo a polynomial follow from the
corresponding arithmetical rules for addition and multiplication of polynomials.

Example 12.2.7. When computing modulo a polynomial, it is of importance to note in which
order the computations are carried out. Taking a clever route can gain a lot of time. For
example, let a ∈ R [X] /(X^2 + 1)R [X] be the equivalence class containing the element

(X^3 + 1)^27 · (X^2 + X + 1)^35

and suppose that the question is to find a representative of degree at most 1 for a. Evidently,
it is a lot of work to first work out the product and then find the remainder after division by
X^2 + 1. A considerable reduction of the computational work is achieved by the following
method, in which we make clever use of the relation for the class x of X: x^2 = −1.
Using this relation we compute

(x^3 + 1)^27 · (x^2 + x + 1)^35 = (−x + 1)^27 · (−1 + x + 1)^35 = (−x + 1) · ((−x + 1)^2)^13 · x^35 = (−x + 1) · (−2·x)^13 · x^35 = (−x + 1) · (−2)^13 · x^48 = 2^13·x − 2^13.

So a representative of a is 2^13·X − 2^13. Verify yourself how the arithmetical rules were used.

Let R be a ring and consider the restriction of the residue class map to R, i.e., the map

j : R → R [X] /(d)R [X] , a ↦ a + (d)R [X] (12.2)

Lemma 12.2.8. The map j is injective if R is a field and d ∈ R [X] is a polynomial of
positive degree.

Proof. Suppose that a, b ∈ R satisfy j (a) = j (b). We then have j (a − b) = j (0). Therefore
it suffices to check that if c ∈ R satisfies j (c) = 0, then c = 0. Now both c and 0 are represen-
tatives of the residue class j (c) having degree less than 1, and hence less than the degree of
d. As d has positive degree, Theorem on the Representative of Congruence Classes (12.1.7)
implies c = 0.

Example 12.2.9. Let R = R, the real numbers, and take d = X^2 + 1. Then the residue class
ring R [X] /(d)R [X] is a description of the complex numbers C, with the role of the complex
number i being played by X + (d)R [X]. Indeed, (X + (d)R [X])^2 = X^2 + (d)R [X] = −1 +
(d)R [X]. If you let the complex number a + b·i correspond to the class of a + b·X, you get the
precise correspondence. Here, j is the usual embedding of the real numbers into the complex
numbers.

Remark 12.2.10. Clearly, the condition that the degree of d be positive is necessary.
Let R = Z/6Z and d = 3· X + 1. Then j (2) = j (0), so j is not injective. This shows that the
lemma does not hold if the condition that R be a field is removed.

The injectivity of j tells us that within R [X] /(d)R [X] we find the copy j (R) of R, where the
term copy refers not only to the bijective correspondence between the sets R and j (R), but
also refers to the fact that j respects the operations addition and multiplication.
Let R be a field and d a polynomial of degree n > 0 in R [X]. The residue class ring R [X] /(d)R [X]
carries a vector space structure as follows.

Theorem 12.2.11. The residue class ring S = R [X] /(d)R [X] is a vector space of
dimension n over R, with
• the addition of the ring S,

• scalar multiplication of the scalar r ∈ R and the vector g ∈ S given by the product
r· g in the ring S.
The residue classes of 1, X, ..., X n−1 form a basis of S.

Proof. The proof is divided into three steps.


Assertion. S is a vector space.

First we specify the zero vector and the opposite of a vector:

• The zero vector is the class of the zero polynomial.

• The opposite of a vector coincides with the opposite of that element in the ring S.

The arithmetical rules for the ring S imply that all the axioms of a vector space over R are
satisfied. For example, the ‘scalar’ r ∈ R and the ‘vectors’ f , g ∈ S satisfy r· ( f + g) = r· f +
r· g.
Assertion. The residue classes of 1, X, ..., X n−1 in S span S.

By Division with Remainder Theorem (11.2.7) each residue class contains an element of
degree at most n − 1 which can be written as a linear combination of 1, X, ..., X n−1 .
Assertion. The residue classes of 1, X, ..., X n−1 in S are linearly independent vectors.

Let f be any linear combination of the elements 1, X, ..., X n−1 . Then f is a polynomial of
degree less than n. If f equals 0 modulo d, then f is a multiple of d, so, by the Degree
Formulas (11.2.3), degree ( f ) ≥ degree (d), a contradiction as degree (d) = n. This proves
that the vectors are linearly independent.

Example 12.2.12. Given is the residue class ring S = Z/2Z [X] /(d)Z/2Z [X], where d =
X^3 + X + 1. A basis for S as a vector space over Z/2Z is 1, X, X^2. (Notice that, here, we have
used the powers of X to denote residue classes in S.) With respect to this basis, multiplication
by X is a linear map on S expressed by the matrix

  0 0 1
  1 0 1
  0 1 0

Let R be a field and d ∈ R [X] a polynomial of degree n > 0. The unique representatives of
degree less than n of the various classes in R [X] /(d)R [X] form a subspace R [X]<n of the
vector space R [X]. A complement is formed by the multiples of d:

Theorem 12.2.13. The ring R [X] has the following vector space decomposition:
R [X] = R [X]<n + (d)R [X]. Furthermore, the map R [X] → R [X]<n , f ↦ rem ( f , d)
is the linear projection onto R [X]<n with kernel (d)R [X].

Proof. Division with Remainder Theorem (11.2.7) by d shows that every polynomial f can
be written in a unique way as the sum of a multiple of d and a polynomial of degree less than
n (the remainder). This establishes the first claim.
The map f 7−→ rem ( f , d) is linear. Indeed, if division with remainder applied to the poly-
nomials f and g yields equalities f = q· d + r and g = p· d + s, then for all a and b in R we
have a· f + b· g = (a· q + b· p) · d + (a· r + b· s), so that rem (a· f + b· g, d) = a· rem ( f , d) +
b· rem (g, d).
The kernel of the map consists of course of all multiples of d, and the image of the map is
precisely R [X]<n . Indeed, every polynomial in R [X]<n occurs as remainder upon division by
d of that polynomial itself.

Example 12.2.14. Let R = Z/2Z and d = X^2 + X + 1 ∈ R [X]. The matrix of the map
R [X]<5 → R [X] /(d)R [X] , f ↦ f + (d)R [X], with respect to the basis 1, X, X^2, X^3, X^4 of
R [X]<5 and the basis 1 + (d)R [X] , X + (d)R [X] of R [X] /(d)R [X] is

  1 0 1 1 0
  0 1 1 0 1

12.3 Two special cases


We consider two special cases of computations modulo a polynomial. The first special case
is closely related to n-th-order approximations of real-valued functions.
Consider the map f ↦ rem( f , X^(n+1)) for polynomials f in R [X]. In terms of polynomial
functions f from R to R, the image of this map corresponds to an approximation of f around
0 of order n. We can transfer this principle to arbitrary, sufficiently often differentiable
functions.
Let f be a real-valued function defined on an interval containing 0 ∈ R and sufficiently often
differentiable. Then the polynomial a = a_0 + a_1·X + ... + a_n·X^n is called the n-th-order
approximation of f around 0 if f (x) = a (x) + O(x^(n+1)) for x → 0.
Recall from Analysis or Calculus that this big Oh notation means that there are positive real
constants C and ε such that | f (x) − a (x)| ≤ C·|x|^(n+1) for all x with |x| < ε.
Such an n-th-order approximation is unique; in fact it consists of the first n + 1 terms of the
Taylor series of f around 0.

Theorem 12.3.1 (Taylor Approximation). Let f be a continuous n-times differentiable
real-valued function. Then the polynomial F = f (0) + ( f^(1)(0)/1!)·X + ... + ( f^(n)(0)/n!)·X^n in
R [X] is the n-th order approximation of f around 0. Furthermore, if G is an n-th
order approximation of a function g, then rem(F·G, X^(n+1)) and rem(F + G, X^(n+1)) are
the n-th-order approximations of f·g and f + g, respectively.

Proof. We only give a sketch of the proof. The polynomial function x ↦ F (x) is the first
part of the Taylor series expansion of f . From Calculus or Analysis it follows that there exists
a real-valued function h satisfying f (x) = F (x) + x^(n+1)·h (x) for x in the neighbourhood of 0.
From this we conclude that F is an n-th-order approximation of f around 0.
Considering the second part of the theorem, suppose g (x) = G (x) + O(x^(n+1)) for x going to 0.
Then we have

( f·g − F·G)(x) = ( f·g − F·g)(x) + (F·g − F·G)(x) = ( f (x) − F (x))·g (x) + F (x)·(g (x) − G (x)) = O(x^(n+1))·g (x) + F (x)·O(x^(n+1)) = O(x^(n+1))

for x going to 0.
So F·G is indeed the n-th-order approximation of f·g around 0.
The proof for f + g is simpler. Do it yourself.

Example 12.3.2. The second-order approximation of the function x ↦ e^x around 0 is the
function x ↦ 1 + x + x^2/2.
The second-order approximation of the function x ↦ sin (x) is the function x ↦ x.
But then the second order approximation of the product function x ↦ sin (x)·e^x equals the
function x ↦ x + x^2, which is the remainder of the division of x·(1 + x + x^2/2) by x^3.
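The product rule of Theorem 12.3.1, rem(F·G, X^(n+1)), worked out as an added Python example that is not part of the textbook: truncated power series with exact rational coefficients, where the product is computed without ever forming the terms of degree above n. The function names are my own, and the Taylor coefficients of exp and sin are assumed known from Calculus; Example 12.3.2 is the case n = 2, and the same code carries sin(x)·e^x to order 4.

```python
from fractions import Fraction
from math import factorial

# Added example (not from the textbook). A polynomial is a list of Fractions, index = exponent.

def rem_xn1(F, n):
    """rem(F, X^(n+1)): keep the coefficients of X^0, ..., X^n (pad with zeros if F is shorter)."""
    return [Fraction(c) for c in F[:n + 1]] + [Fraction(0)] * max(0, n + 1 - len(F))

def sum_approx(F, G, n):
    """rem(F + G, X^(n+1)), the n-th-order approximation of f + g."""
    return [a + b for a, b in zip(rem_xn1(F, n), rem_xn1(G, n))]

def product_approx(F, G, n):
    """rem(F*G, X^(n+1)), the n-th-order approximation of f*g.
    Only pairs (i, j) with i + j <= n are multiplied, so the discarded high-degree
    terms are never computed in the first place."""
    F, G = rem_xn1(F, n), rem_xn1(G, n)
    out = [Fraction(0)] * (n + 1)
    for i in range(n + 1):
        for j in range(n + 1 - i):
            out[i + j] += F[i] * G[j]
    return out

def taylor_exp(n):
    """exp(x) = sum_k x^k / k!  (assumed known from Calculus)."""
    return [Fraction(1, factorial(k)) for k in range(n + 1)]

def taylor_sin(n):
    """sin(x) = x - x^3/3! + x^5/5! - ...  (assumed known from Calculus)."""
    return [Fraction((-1) ** (k // 2), factorial(k)) if k % 2 else Fraction(0)
            for k in range(n + 1)]

if __name__ == "__main__":
    # Example 12.3.2: second-order approximation of sin(x) * e^x is x + x^2.
    print(product_approx(taylor_sin(2), taylor_exp(2), 2))
    # One order further: x + x^2 + x^3/3 + 0*x^4.
    print(product_approx(taylor_sin(4), taylor_exp(4), 4))
```

Because every coefficient is a `Fraction`, the output is exact; the zero coefficient of x^4 in sin(x)·e^x comes out as exactly 0 rather than a rounding artefact.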

The second special case to discuss is arithmetic modulo the constant polynomial n (greater
than 0) in the polynomial ring Z [X]. Two polynomials in Z [X] are congruent modulo n if
and only if for each i, the coefficients of X i differ by a multiple of n. Therefore, each residue
class has a representative all of whose coefficients lie in {0, 1, ..., n − 1}. This is similar for
polynomials over Z/nZ. The relation is clarified by the following map.
I : Z [X] /(n)Z [X] → Z/nZ [X] , a_0 + a_1·X + ... + a_m·X^m + (n)Z [X] ↦ a_0 (mod n) + a_1 (mod n)·X +
... + a_m (mod n)·X^m.
Since this map is constructed using representatives, we have to check that the result does not
depend on the representatives chosen.

Theorem 12.3.3. The map I is well defined and has the following properties.
• It is a bijection.
• It respects addition: I (a + b) = I (a) + I (b).
• It respects the zeros: I (0 + (n)Z [X]) = 0.
• It respects multiplication: I (a·b) = I (a)·I (b).
• It respects the units: I (1 + (n)Z [X]) = 1.

Proof.
Assertion. I is well defined.
Let a = a_0 + a_1·X + ... + a_m·X^m and b = b_0 + b_1·X + ... + b_m·X^m be two polynomials that are
congruent modulo n (according to the convention in Chapter 3 we may assume the highest
power of a monomial in both a and b to be equal to m). Then the coefficients of X^i in a and b
differ by a multiple of n for i = 0, 1, ..., m. This implies that a_i ≡ b_i (mod n) for i = 0, 1, ..., m.
So our definition does not depend on the representative a or b that we have chosen.
Assertion. I respects addition.

Suppose that a = a_0 + a_1·X + ... + a_m·X^m and b = b_0 + b_1·X + ... + b_k·X^k are elements of
Z [X]. Then, adding terms 0·X^i where necessary, we can assume that k = m. Now I (a + b + (n)Z [X])
equals (a_0 + b_0) + (a_1 + b_1)·X + ... + (a_m + b_m)·X^m in Z/nZ [X], which is equal to a_0 +
a_1·X + ... + a_m·X^m + (b_0 + b_1·X + ... + b_m·X^m).
But the latter is equal to I (a + (n)Z [X]) + I (b + (n)Z [X]).

Assertion. I respects zeros.

Indeed, I (0 + (n)Z [X]) = 0.


Assertion. I respects multiplication.

The proof is similar to the proof of the fact that I respects addition.
Assertion. I respects units.

Indeed, I (1 + (n)Z [X]) = 1.


Assertion. I is a bijection.

Suppose that a and b are in Z [X] and satisfy I (a) = I (b). As I respects addition and scalar
multiplication, I (a − b) = 0. But then it is straightforward to check that a − b = 0 modulo
(n)Z [X] and hence a = b modulo (n)Z [X].

Example 12.3.4. The image of 3 + 6·X + 8·X^2 + 2·X^3 − 88·X^4 ∈ Z [X] /(5)Z [X] under the
map I of the theorem is 3 + X + 3·X^2 + 2·X^3 + 2·X^4 ∈ Z/5Z [X].

The conclusion of the above result is that the arithmetic in Z [X] /(n)Z [X] is nothing but the
arithmetic in Z/nZ [X]. In mathematical jargon: The two arithmetical structures are isomor-
phic (i.e., equal of form).

12.4 Inverses and fields

Let R be a ring like Z, Q, R, C, or Z/nZ and d a polynomial in R [X]. In the newly constructed
arithmetical system R [X] /(d)R [X] we have not yet considered division, since it comes with
various complications.
Definition 12.4.1. Suppose that d is a nonconstant polynomial in R [X]. Then f ∈ R [X] /(d)R [X]
is called invertible with respect to multiplication if there exists a g ∈ R [X] /(d)R [X] satisfying
f·g = 1. Such an element g is called an inverse of f and is denoted by 1/ f or f^(−1).

Remark 12.4.2. Suppose that f is an invertible residue class in R [X] /(d)R [X] and both g and
h are inverses of f . Then g = g·1 = g·( f·h) = (g·f )·h = 1·h = h. Therefore, f has a unique
inverse.

To guarantee the existence of inverses in R, we assume that R is a field (think of Q, R, C or
Z/pZ with p a prime). Let d be a polynomial in R [X] of positive degree.

The following characterization of the invertible elements in R [X] /(d)R [X] yields also a way
of computing inverses with the help of the Extended Euclidean Algorithm for Polynomials
(11.2.18).

Theorem 12.4.3 (Characterization of Invertibility in Residue Class Rings). Let a be
a polynomial in R [X]. Then the residue class a + (d)R [X] in R [X] /(d)R [X] has an
inverse if and only if gcd (a, d) = 1.

Proof.
Assertion. If.
If the residue class a + (d)R [X] has inverse b + (d)R [X], then a· b = 1 + (d)R [X]. Hence there
is a polynomial p with a· b + p· d = 1.
According to the Result on divisors of a product (11.4.7), gcd (a, d) = 1.
Assertion. Only if.

If gcd (a, d) = 1, then the Extended Euclidean Algorithm for Polynomials (11.2.18) produces
polynomials b and p such that a· b + p· d = 1. But then b represents an inverse of the residue
class a + (d)R [X].

Example 12.4.4. We take R = R and d = X n with n > 0. Then a class represented by the
polynomial a is invertible in R [X] /(d)R [X] if and only if the constant term of a differs from
0.

Characterization of Invertibility in Residue Class Rings (12.4.3) allows us to construct new
fields.

Corollary 12.4.5 (Characterization of Fields among Residue Class Rings). Let R be
a field and d an irreducible polynomial in R [X]. Then S = R [X] /(d)R [X] is a field,
i.e., every nonzero element in S has an inverse.

Proof. Consider a residue class different from 0 and let a denote a representative of this class.
Then a is not a multiple of d.
Since d is irreducible, gcd (a, d) equals 1 or d. As a is nonzero modulo d, the second pos-
sibility is excluded. So gcd (a, d) = 1, and, by Characterization of Invertibility in Residue
Class Rings (12.4.3), the class of a is invertible.
We conclude that all nonzero elements in S are invertible and S is indeed a field.

Example 12.4.6. We take R = Z/2Z and d = X 2 + X + 1. Then R [X] /(d)R [X] contains the
following four elements: 0, 1, a and a + 1, where a = X + (d)R [X].
The multiplication table for the four elements from R [X] /(d)R [X] is as follows:

· 0 1 a a+1
0 0 0 0 0
1 0 1 a a+1
a 0 a a+1 1
a+1 0 a+1 1 a

Table 12.1: The multiplication table of a quotient ring.

The table shows that a and a + 1 are each other’s inverses. Compare this table with the
multiplication table of Z/4Z. In Z/4Z there is no element b with 2· b = 1. The element
2 of Z/4Z has no inverse. Therefore, the arithmetical system on 4 elements we have just
constructed is fundamentally different from Z/4Z.
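
The residue class arithmetic of Sections 12.1, 12.2 and 12.4, as an added Python example that is not part of the textbook: polynomials over Z/pZ as coefficient lists, division with remainder giving the canonical representative of Theorem 12.1.7, exponentiation that reduces modulo d after every product (the point of Example 12.2.7), and inverses through the Extended Euclidean Algorithm as in the proof of Theorem 12.4.3. All function names are my own; the inputs in the `__main__` block and the checks are the textbook's Examples 12.1.8, 12.2.5 and 12.4.6.

```python
from itertools import product

# Added example (not from the textbook). A polynomial over Z/pZ is a list of
# coefficients with index = exponent, reduced mod p, with no trailing zeros;
# the zero polynomial is the empty list. p must be prime so that Z/pZ is a field.

def trim(f):
    """Strip trailing zeros so that f[-1] is the leading coefficient."""
    f = list(f)
    while f and f[-1] == 0:
        f.pop()
    return f

def norm(f, p):
    return trim([c % p for c in f])

def deg(f):
    return len(f) - 1          # -1 for the zero polynomial

def add(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return norm([x + y for x, y in zip(f, g)], p)

def mul(f, g, p):
    out = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            out[i + j] += x * y
    return norm(out, p)

def divmod_poly(f, d, p):
    """Division with remainder (11.2.7): (q, r) with f = q*d + r and deg r < deg d."""
    f, d = norm(f, p), norm(d, p)
    if not d:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(d[-1], -1, p)          # the leading coefficient is a unit since p is prime
    q, r = [0] * max(len(f) - len(d) + 1, 1), f
    while r and len(r) >= len(d):
        c, shift = (r[-1] * inv_lead) % p, len(r) - len(d)
        q[shift] = c                      # subtract c * X^shift * d; this kills the leading term of r
        r = trim([(r[k] - c * d[k - shift]) % p if k >= shift else r[k] for k in range(len(r))])
    return norm(q, p), r

def reduce_mod(f, d, p):
    """Canonical representative of f + (d)R[X]: the unique one of degree < deg d (12.1.7)."""
    return divmod_poly(f, d, p)[1]

def residue_classes(d, p):
    """All classes modulo d, listed by their representatives of degree < deg d (cf. 12.1.8)."""
    return [trim(list(c)) for c in product(range(p), repeat=deg(d))]

def pow_mod(f, e, d, p):
    """f^e modulo d by square-and-multiply, reducing after every product so that no
    intermediate result grows beyond degree 2*deg d (cf. Example 12.2.7)."""
    result, base = [1], reduce_mod(f, d, p)
    while e:
        if e & 1:
            result = reduce_mod(mul(result, base, p), d, p)
        base = reduce_mod(mul(base, base, p), d, p)
        e >>= 1
    return result

def ext_gcd(f, g, p):
    """Extended Euclidean Algorithm (11.2.18): (h, u, v) with u*f + v*g = h, h the monic gcd."""
    r0, r1, u0, u1, v0, v1 = norm(f, p), norm(g, p), [1], [], [], [1]
    while r1:
        q, r = divmod_poly(r0, r1, p)
        neg_q = [(-c) % p for c in q]
        r0, r1 = r1, r
        u0, u1 = u1, add(u0, mul(neg_q, u1, p), p)   # u0 - q*u1 keeps u*f + v*g = r
        v0, v1 = v1, add(v0, mul(neg_q, v1, p), p)
    if not r0:
        return [], [], []
    inv = pow(r0[-1], -1, p)
    return tuple(norm([c * inv for c in h], p) for h in (r0, u0, v0))

def inverse_mod(f, d, p):
    """Inverse of f + (d)R[X], or None when gcd(f, d) != 1 (Theorem 12.4.3)."""
    h, u, _ = ext_gcd(f, d, p)
    return reduce_mod(u, d, p) if h == [1] else None

if __name__ == "__main__":
    print(len(residue_classes([1, 0, 1], 3)))          # Example 12.1.8: 9 classes mod X^2 + 1
    print(pow_mod([0, 1], 7, [1, 1, 0, 1], 2))         # Example 12.2.5: a^7 = 1, printed as [1]
    print(inverse_mod([0, 1], [1, 1, 1], 2))           # Example 12.4.6: inverse of a is a + 1, i.e. [1, 1]
```

A reducible modulus is handled too: `inverse_mod` returns `None` exactly when the gcd is not 1, which is how one sees, without any table, that some classes in R [X] /(d)R [X] have no inverse when d is not irreducible.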

12.5 Finite fields

Up to now we have encountered the following finite fields, where p is a prime: Z/pZ and
Z/pZ [X] /(d)Z/pZ [X] with d an irreducible polynomial.
The theory of finite fields tells us that these are the only finite fields. This will not be shown
here, but is postponed to later. Nevertheless, we state the main result on finite fields.

Theorem 12.5.1 (Classification of Finite Fields). For each prime p and positive in-
teger n there exists an irreducible polynomial d of degree n in Z/pZ [X]. The residue
class ring Z/pZ [X] /(d)Z/pZ [X] is a finite field.
Any finite field can be constructed in this way.

Example 12.5.2. In order to construct a field of 9 elements, we have to find an irreducible
polynomial of degree 2 over Z/3Z. The monic irreducible polynomials of degree 2 are X^2 +
X + 1, X^2 − X − 1, X^2 + 1. So, we can construct a field of 9 elements by taking the residue
class ring S = Z/3Z [X] /(d)Z/3Z [X] where d = X^2 + 1. One of the special properties of
finite fields is their uniqueness. For example, had we taken one of the other two irreducible
polynomials of degree 2, we would essentially have obtained the same field.

Although we do not prove the Classification of Finite Fields (12.5.1) at this moment, we will
investigate the finite fields somewhat closer. First, we determine the cardinality of such fields.
Let p be a prime number and n a positive integer.

Theorem 12.5.3. If d is an irreducible polynomial over Z/pZ of degree n, then
Z/pZ [X] /(d)Z/pZ [X] is a field with exactly p^n elements.
Moreover, this field is the unique field with p^n elements.

Proof. According to Characterization of Fields among Residue Class Rings (12.4.5), the
residue class ring S = Z/pZ [X] /(d)Z/pZ [X] is a field. On the other hand, S is a vector space
over Z/pZ of dimension n (see Theorem 12.2.11). There are exactly p possible coefficients for
every basis vector, so this leads to p^n elements.
Uniqueness of the field will not be proven here. This will be discussed in later chapters.

Example 12.5.4. Let f = X^3 + X + 1 be a polynomial in Z/2Z [X]. The residue class ring
Z/2Z [X] /( f )Z/2Z [X] has 8 elements. We present the multiplication table of the 7 nonzero
elements. Here a represents the class of X modulo f .

·          1          a          1+a        a^2        a^2+1      a^2+a      a^2+a+1
1          1          a          1+a        a^2        a^2+1      a^2+a      a^2+a+1
a          a          a^2        a^2+a      1+a        1          a^2+a+1    a^2+1
1+a        1+a        a^2+a      a^2+1      a^2+a+1    a^2        1          a
a^2        a^2        1+a        a^2+a+1    a^2+a      a          a^2+1      1
a^2+1      a^2+1      1          a^2        a          a^2+a+1    1+a        a^2+a
a^2+a      a^2+a      a^2+a+1    1          a^2+1      1+a        a          a^2
a^2+a+1    a^2+a+1    a^2+1      a          1          a^2+a      a^2        1+a

Notice that in each row (and each column) of the table one finds a 1, implying that each ele-
ment has an inverse. So, Z/2Z [X] /( f )Z/2Z [X] is a field and f is an irreducible polynomial.

Let p be a prime, n a positive integer, and d an irreducible polynomial in Z/pZ [X] of degree n.
We are concerned with the finite field S = Z/pZ [X] /(d)Z/pZ [X].

Theorem 12.5.5. Write q = p^n for the cardinality of S. Then, for each a, b ∈ S,

(a) a + a + ... + a = 0 (with p terms);
(b) (a + b)^p = a^p + b^p;
(c) a^q = a (Fermat’s Little Theorem).

Proof. We prove the three parts of the theorem separately.

Assertion. Part 1. a + a + ... + a = 0 (with p terms).

We have a + a + ... + a = (1 + 1 + ... + 1)·a = p·a = 0.

Assertion. Part 2. (a + b)^p = a^p + b^p.

Expand (a + b)^p by means of Newton’s Binomium. As each binomial coefficient (p choose i)
with i different from 0 and p is zero modulo p (see the proof of Fermat’s Little Theorem
(10.3.1)), we find (a + b)^p = a^p + b^p.
Assertion. Part 3. a^q = a.

The proof we give here is similar to the second proof of Fermat’s Little Theorem (10.3.1).
For a = 0 the statements are trivial. Assume that a is nonzero. Consider the set S^× of
invertible (that is, nonzero, because S is a field) elements from S. On it, we define the map
M_a : S^× → S^×, b ↦ a·b, multiplication by a. This map is bijective. Indeed, its inverse equals
M_(a^(−1)), multiplication by the inverse of a. As a result we see that the product of all elements
in S^× equals not only ∏_(b∈S^×) b but also ∏_(b∈S^×) M_a(b), as here the order of the factors in the
product is all that has changed. The latter product equals ∏_(b∈S^×) (a·b) = a^(q−1)·∏_(b∈S^×) b. As
the product is nonzero, it is invertible. Dividing by this product, we deduce that a^(q−1) = 1.
Multiplying both sides of the equation with a proves the assertion.

The first identity of Special Identities in Finite Fields (12.5.5) can also be written as p· a = 0.
In mathematical jargon, it is referred to by saying that the characteristic of S is p.
The second identity is also called the Freshman’s Dream, as it concurs with the outcome of
ordinary power expansions by many freshmen who forget about cross products.
The third identity is just Fermat’s Little Theorem (10.3.1) for finite fields! (Note that the
proof does not use the particular construction of the field S.)
Special Identities in Finite Fields (12.5.5) implies that every nonzero element in a field S with
q elements raised to the power q − 1 is equal to 1.

An element of S having no smaller (positive) power equal to 1 is called primitive. In general,
for a in S, the smallest positive number l satisfying a^l = 1 is called the order of a. So a
nonzero element of S is primitive if its order is q − 1.
Without proof we state:

Theorem 12.5.6. Every finite field has a primitive element.
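
The finite fields of this section in the form a practitioner meets them, as an added Python example that is not part of the textbook: elements of Z/2Z [X] /(d)Z/2Z [X] are stored as integers whose bit i is the coefficient of X^i, multiplication replaces X^n by the lower terms of d as soon as it appears (the route of Example 12.2.7 in bit operations), and the identities of Theorem 12.5.5 and the primitive elements of Theorem 12.5.6 are checked by exhaustive computation. The function names are my own. The moduli used are the textbook's X^3 + X + 1 (Examples 12.2.5 and 12.5.4), X^4 + X + 1 for a field of 16 elements, and X^8 + X^4 + X^3 + X + 1, the polynomial the AES block cipher uses for its field of 256 elements; the two AES values checked below are the ones given as worked examples in the AES specification (FIPS 197).

```python
# Added example (not from the textbook). GF(2^n) = Z/2Z[X]/(d)Z/2Z[X]; an element is an
# int whose bit i is the coefficient of X^i, and d is an int in the same encoding:
# X^3 + X + 1 = 0b1011, X^4 + X + 1 = 0b10011, X^8 + X^4 + X^3 + X + 1 = 0x11B (AES).

def gf_size(d):
    """q = 2^n with n = deg d, the number of elements of the residue class ring."""
    return 1 << (d.bit_length() - 1)

def gf_add(a, b):
    """Coefficient-wise addition mod 2. As a + a = 0 (characteristic 2, Theorem 12.5.5(a)),
    the same operation is subtraction."""
    return a ^ b

def gf_mul(a, b, d):
    """a*b modulo d by shift-and-xor. Whenever the running product reaches degree n,
    X^n is replaced by d - X^n at once, so no intermediate value exceeds degree n."""
    high = gf_size(d)
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & high:
            a ^= d
    return result

def gf_pow(a, e, d):
    """Square-and-multiply in the residue class ring."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, d)
        a = gf_mul(a, a, d)
        e >>= 1
    return result

def gf_inv(a, d):
    """a^(q-2): by Theorem 12.5.5(c), a^(q-1) = 1 for a != 0, so a^(q-2) is the inverse.
    This needs d irreducible; for a reducible d the ring is not a field and the result is meaningless."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, gf_size(d) - 2, d)

def gf_order(a, d):
    """Smallest l > 0 with a^l = 1, or None if no power of a is 1 (a = 0, or d reducible)."""
    q = gf_size(d)
    x, l = a, 1
    while x != 1 and l < q:
        x = gf_mul(x, a, d)
        l += 1
    return l if x == 1 else None

def primitive_elements(d):
    """Elements of order q - 1 (Theorem 12.5.6 promises at least one when d is irreducible)."""
    q = gf_size(d)
    return [a for a in range(1, q) if gf_order(a, d) == q - 1]

def freshmans_dream_holds(d):
    """(a + b)^2 = a^2 + b^2 for all a, b: Theorem 12.5.5(b) with p = 2, checked exhaustively."""
    q = gf_size(d)
    return all(gf_mul(a ^ b, a ^ b, d) == gf_mul(a, a, d) ^ gf_mul(b, b, d)
               for a in range(q) for b in range(q))

def fermat_holds(d):
    """a^q = a for all a: Theorem 12.5.5(c), checked exhaustively."""
    q = gf_size(d)
    return all(gf_pow(a, q, d) == a for a in range(q))

if __name__ == "__main__":
    d8 = 0b1011                                   # X^3 + X + 1, the field of Example 12.5.4
    print(gf_pow(0b010, 7, d8))                   # Example 12.2.5: a^7 = 1
    print(gf_inv(0b010, d8) == 0b101)             # table row a: a * (a^2 + 1) = 1
    print(primitive_elements(d8))                 # every element other than 0 and 1
    print(hex(gf_mul(0x57, 0x83, 0x11B)))         # FIPS 197 worked example: 0xc1
```

The exhaustive checks take 64 multiplications for the field of 8 elements and 65536 for the AES field, cheap enough to run as a sanity test of any hand-written field implementation before it is used in a cipher.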

12.6 Error correcting codes

In RSA Decryption and Encryption (10.4.1) we introduced the RSA cryptosystem. Using this
system, one can transform sensitive information into a code that is hard (if not impossible) for
outsiders to crack. On the opposite side, however, transportation of data can lead to unwanted
errors. So, it is often necessary to secure the information to be sent in such a way that errors
can be detected or even corrected.
Definition 12.6.1 (Coding theory). Coding theory is the branch of mathematics where one
considers ideas that make it possible to encode information in such a way that errors that
occurred during transmission or were caused by other reasons are corrected.

Example 12.6.2 (CD and DVD). A game, music or video is stored on a CD or DVD in the
form of a code. Using a laser beam, the CD player reads the information on the disc and
converts it into information transmitted to the viewer or listener. However, the player can
make real errors in reading: there can be scratches or little pieces of dirt on the disc, the laser
beam just misses the right place on the disc, and so on. Nevertheless we want the music to be
replayed as well as possible. We want the CD player to correct its reading errors. The game,
video or music has to be stored on disc in such a way that the player can correct its errors.

Example 12.6.3 (Satellite). Satellites hang above the earth. Information, for example, a TV
program, is sent from one place on earth to the satellite, which sends it back to other places
on earth. In this way we can follow important events live on TV. However, the signals going
to and coming from the satellite suffer from noise. The TV watcher does not want to notice
the damage to the live images.

Example 12.6.4 (Fax and email). Faxes and e-mail messages are transmitted via telephone
lines throughout the world. Telephone lines also suffer from noise. This can cause a fax to be
damaged. The fax has to be protected against this.

Example 12.6.5 (Parity check). A trivial way to secure your information is to keep copies
of it. A somewhat more advanced way is to include control characters in your information.
Suppose that your information is a string of zeros and ones. Now add at each 8-th position
a control character equal to 0 or 1 such that the sum of the control character and the seven
preceding characters is even. So,

110110011010001110011 (12.3)

is transformed into

110110001101000111100111 (12.4)

If at most one mistake occurs in each substring of eight characters, these errors can be
detected, but not corrected.

Example 12.6.6 (ISBN). Each book is given a number, the so-called International Standard
Book Number, abbreviated to ISBN. The ISBN consists of 10 symbols. The first 9 symbols
are digits giving information on the book, like the year and place it is published. The last
symbol is a check symbol and is either a digit or the symbol x (representing 10). If the ISBN
of a book is a_1, ..., a_9, b, then the following relation is satisfied: a_1 + 2·a_2 + ... + 9·a_9 ≡
b (mod 11). If one of the symbols is incorrect, then the above equality is violated. This
makes it possible to detect an error.
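The two checks of Examples 12.6.5 and 12.6.6, as an added example that is not code from the book: the parity bits reproduce the transformation of (12.3) into (12.4), and the ISBN relation is applied to a constructed ten-symbol number (not a real book's ISBN). Both checks detect one wrong symbol without being able to locate it.

```python
# Added example (not from the book): the detection-only checks of
# Examples 12.6.5 (parity bit) and 12.6.6 (ISBN check symbol).

def add_parity(bits, block=7):
    """After every `block` bits insert a control bit that makes the sum of the
    block even; this maps the string (12.3) to the string (12.4)."""
    out = []
    for i in range(0, len(bits), block):
        chunk = bits[i:i + block]
        out.append(chunk + str(chunk.count("1") % 2))
    return "".join(out)

def odd_blocks(coded, block=8):
    """Indices of 8-character substrings whose sum is odd.  Such a block holds
    an odd number of wrong bits; which bits are wrong cannot be recovered."""
    return [i // block for i in range(0, len(coded), block)
            if coded[i:i + block].count("1") % 2 == 1]

def flip(bits, *positions):
    """Constructed reading errors: invert the bits at the given positions."""
    b = list(bits)
    for p in positions:
        b[p] = "1" if b[p] == "0" else "0"
    return "".join(b)

def isbn_symbols(isbn):
    """The symbols a_1, ..., a_9, b as integers, with 'x' standing for 10."""
    return [10 if ch in "xX" else int(ch) for ch in isbn if ch != "-"]

def isbn_check_symbol(first_nine):
    """The b with a_1 + 2*a_2 + ... + 9*a_9 = b (mod 11)."""
    b = sum(i * a for i, a in enumerate(isbn_symbols(first_nine), start=1)) % 11
    return "x" if b == 10 else str(b)

def isbn_valid(isbn):
    """True iff the relation of Example 12.6.6 holds for all ten symbols."""
    a = isbn_symbols(isbn)
    return len(a) == 10 and sum(i * x for i, x in enumerate(a[:9], 1)) % 11 == a[9]

if __name__ == "__main__":
    coded = add_parity("110110011010001110011")        # the string (12.3)
    print(coded)                                        # 110110001101000111100111
    print(odd_blocks(flip(coded, 3)))                   # [0]: one error, detected
    print(odd_blocks(flip(coded, 3, 5)))                # []: two errors, undetected
    isbn = "123456789" + isbn_check_symbol("123456789")  # constructed number
    print(isbn, isbn_valid(isbn), isbn_valid("123456788x"))
```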

We come now to a mathematical description of coding theory.


Definition 12.6.7. Let V be a vector space over Z/pZ with p a prime.
A code in V is a set of vectors in V . The vectors of a code are called code words. A linear
code in V is a linear subspace of V . If C is a linear code of dimension k in the n-dimensional
vector space V , then C is referred to as an (n, k)-code.

Example 12.6.8. We consider the numbers 0, ..., 15 in their binary representation (see b-ary
representation (9.6.1)), i.e., sequences of length 4, each element of which is either 0 or 1. So
0 is represented as [0, 0, 0, 0]_2, 7 by [0, 1, 1, 1]_2 and 13 by [1, 1, 0, 1]_2.
A mistake in reading such a string causes a wrong number to be read. The following can
help to prevent this. We encode these numbers by vectors in (Z/2Z)^7. Such a vector is often
written, in short, as a word in the alphabet {0, 1}:
(0, 0, 1, 0, 0, 1, 1) is written as 0, 0, 1, 0, 0, 1, 1.
The first 4 coordinates form the binary notation of the number. The remaining 3 positions are
filled in the following way:

0   0, 0, 0, 0, 0, 0, 0
1   0, 0, 0, 1, 0, 1, 1
2   0, 0, 1, 0, 1, 0, 1
3   0, 0, 1, 1, 1, 1, 0
4   0, 1, 0, 0, 1, 1, 0
5   0, 1, 0, 1, 1, 0, 1
6   0, 1, 1, 0, 0, 1, 1
7   0, 1, 1, 1, 0, 0, 0
8   1, 0, 0, 0, 1, 1, 1
9   1, 0, 0, 1, 1, 0, 0
10  1, 0, 1, 0, 0, 1, 0
11  1, 0, 1, 1, 0, 0, 1
12  1, 1, 0, 0, 0, 0, 1
13  1, 1, 0, 1, 0, 1, 0
14  1, 1, 1, 0, 1, 0, 0
15  1, 1, 1, 1, 1, 1, 1

Note that the 16 vectors form indeed a vector space. Caution: the vector space addition
in (Z/2Z)^7 does not correspond to the addition of the numbers connected to the vectors.
The following property is crucial for its coding capacity: any two vectors differ in at least 3
positions. So if we make at most one reading error, for example, we read 1101110 instead
of 1101010, we can still decide that we are dealing with the number 13. Indeed, the vectors
for all the other numbers differ in at least 2 positions from 1101110. Therefore, we are able
to correct one reading error. We say that the code above for the numbers 0, ..., 15 is a 1-error
correcting code. If at most one error is made, we can correct it. A complication is that we
do not know a priori how many reading errors have been made. If 6 errors are possible, the
original could have been any number.

Now we address the real ‘coding’ aspects.


Definition 12.6.9. Let C be a code in the vector space V . The distance between two vectors
from V is the number of coordinate positions at which the two vectors differ. The minimal
distance of C is the minimum taken over all distances between any two different code words
from C.

Proof. We show that the distance δ as defined indeed satisfies the axioms for a distance
function with values in N, viz., δ(v, w) = 0 if and only if v = w, symmetry: δ(v, w) =
δ(w, v), and the triangle inequality: δ(v, w) + δ(w, u) ≥ δ(v, u), where u, v, and
w belong to V.

Assertion. δ(v, w) = 0 if and only if v = w.

Clearly, v and w differ in zero positions if and only if they coincide.

Assertion. Symmetry: δ(v, w) = δ(w, v).

The number of positions in which v and w differ is obviously the same as the number of
positions in which w and v differ.

Assertion. Triangle inequality: δ(v, w) + δ(w, u) ≥ δ(v, u).

Let S be the set of positions in which v and w differ and let T denote the set of positions
in which w and u differ. Then v and u differ only in positions within S ∪ T. In particular,
δ(v, u) ≤ |S ∪ T|. As |S ∪ T| ≤ |S| + |T|, |S| = δ(v, w), and |T| = δ(w, u), this
implies the triangle inequality.

Example 12.6.10. The code in Example 12.6.8 can also be depicted graphically. Let x be a
number in {0, ..., 15}. In the diagram below we fill the positions a, b, c, d with zeros and ones
in such a way that [a, b, c, d]2 forms the binary notation of x. We then fill the positions e, f , g
with zeros and ones in such a way that any circle contains an even number of zeros. Now
the code word for the number x is a, b, c, d, e, f , g. The figure can also be used for a given
vector r in (Z/2Z)7 to determine the numbers x for which the code word differs in at most
one position from r. Indeed, given r, change at most one position in such a way that we get
an even number of ones in each circle. Then the number x is the number with binary notation
[a, b, c, d]2 .

If the minimal distance of a code C is equal to d, then any word differing in at most d − 1
positions from a code word w, is either equal to w or not a code word. Therefore minimal
distance d implies perfect detection of at most d − 1 errors. If d > 2· e, it is possible to correct
e errors. Indeed, using the triangle inequality we find that a word v at distance at most e from
a code word w, has distance greater than e to any code word distinct from w.
The smaller the length and the larger its minimal distance the more useful the code is. In the
remainder of this section we will describe a method for constructing useful error-correcting
codes with the help of polynomials.
In the world of digital communication, the binary number system is used a lot. In most
applications and examples we confine ourselves to codes in vector spaces over Z/2Z. In
these vector spaces, scalar multiplication is very simple: there are only two scalars, 0 and 1.
These codes are known as binary codes.
Suppose that p is a prime. In the polynomial ring Z/pZ[X] we consider the polynomial
X^n − 1 with n > 1 and the residue class ring S = Z/pZ[X]/(X^n − 1)Z/pZ[X]. This ring has
the structure of a vector space over the field Z/pZ with basis 1, X, ..., X^{n−1}, cf. (12.2.11). So
each element of S can be represented by the vector of coefficients with respect to this basis,
and vice versa:

a = a_0 + a_1·X + ... + a_{n−1}·X^{n−1} + (X^n − 1)Z/pZ[X] corresponds bijectively to a = (a_0, a_1, ..., a_{n−1}).

The polynomial X^n − 1 is reducible for n > 1: it is divisible by X − 1.


Definition 12.6.11. Let g be a divisor of X^n − 1 over Z/pZ. The image under the linear map
Z/pZ[X] → S, a ↦ a·g + (X^n − 1)Z/pZ[X], is called the cyclic code of length n generated
by g.

Example 12.6.12. The polynomial X^7 − 1 over Z/2Z is the following product of irreducible
polynomials: (X + 1)·(X^3 + X + 1)·(X^3 + X^2 + 1). If g = X^3 + X + 1, then the cyclic code
generated by g is a linear (7, 4)-code. Compare this code with the code discussed in
Example 12.6.8.

Let l be the degree of g and write k = n − l. The elements g, X·g, ..., X^{k−1}·g form a basis for the
image space C of the map from (12.6.11). So the dimension of C is equal to k. The space
C is called the code generated by g. The polynomial g is known as the generator of C. The
quotient (X^n − 1)/g is called the check polynomial of C.
We use the map of (12.6.11) to convert a so-called information vector from (Z/pZ)^k into a
code word in C. This is done as follows:

• Let a = (a_0, a_1, ..., a_{k−1}) be a vector in (Z/pZ)^k.

• Form the polynomial a = a_0 + a_1·X + ... + a_{k−1}·X^{k−1} in Z/pZ[X].

• Determine the representative c of the class a·g + (X^n − 1)Z/pZ[X] of lowest degree, that
is, c = rem(a·g, X^n − 1), cf. Division with Remainder Theorem (11.2.7).

• This polynomial c corresponds to a code word c. Thus, the information vector a is
transformed into the code word c.

Let C be a cyclic (n, k)-code with generator g. We present a way to estimate how useful the
cyclic code generated by g is.
Naturally, it is important to be able to find the information vector corresponding to a code
word. For this, the check polynomial h = (X n − 1) /g is used.

Theorem 12.6.13 (Cyclic Decoding Theorem). Let C be a cyclic code of length n
generated by g and let h = (X^n − 1)/g be the check polynomial of g. If c is a code
word, viewed as a polynomial of degree at most n − 1, then the information vector
corresponding to the code word c equals −rem(c·h, X^n).

Example 12.6.14. Take g = (X + 1)·(X^3 + X + 1) ∈ Z/2Z[X] to be a generator of a cyclic
code of length 7. The corresponding check polynomial is h = X^3 + X^2 + 1. Now, choose
an information vector, say, a = X. It maps to the code word c = rem(a·g, X^7 − 1) = X^5 + X^4 +
X^3 + X. Since c·h = X^8 + X, the polynomial of minimal degree in c·h + (X^7)Z/2Z[X] is X,
which coincides with a.

Proof. Consider c ∈ C as a polynomial. Suppose that c comes from the information vector a,
also considered as a polynomial, of degree at most k − 1. Then c = a·g + m for a polynomial
m ∈ (X^n − 1)Z/pZ[X]. By the Degree Formulas (11.2.3), the degrees of c and of a·g are
at most n − 1. Therefore the degree of m is at most n − 1, too, and so m = 0. In particular,
c = a·g, and we obtain the following relation between c and a:

c·h = a·g·h = a·(X^n − 1) = X^n·a − a.

After Division with Remainder Theorem (11.2.7), we conclude −a = rem(c·h, X^n).

Let d and g be polynomials in the polynomial ring R[X]. We will consider the residue class
ring S = R[X]/(d)R[X]. For an element s ∈ S the substitution of s for X in g gives the element
g(s) of S, see (11.3.1).
If g equals d and s is the class of X modulo d, then g(s) = 0. In this particular case, the image
of X in S is a zero of g in S, cf. Characterization of the Zeros of a Polynomial (11.3.5).
The following result shows how useful codes can be built by means of modular polynomial
arithmetic. The code C of our interest is a cyclic (n, k)-code with generator polynomial g.

Theorem 12.6.15 (BCH bound). Set d = X^n − 1 and write S = Z/pZ[X]/(X^n −
1)Z/pZ[X], where p is a prime. Suppose that g is a divisor of d in Z/pZ[X]. Let
a be the residue class of X in S.
If the set J of all positive integers j with g(a^j) = 0 contains a sequence of m consecutive
integers, then the minimal distance of the (n, k)-code C generated by g is at least
m + 1.

Example 12.6.16. Take for g the polynomial X^3 + X + 1 in Z/2Z[X]. Then g divides X^7 − 1
and accordingly we consider the binary cyclic code of length 7 generated by g. According to
the BCH bound, the minimum distance of the code C generated by g is at least 3. Indeed, if
a is the residue class of X modulo X^7 − 1, then both a and a^2 are roots of g. So BCH bound
(12.6.15) can be applied with p = 2 and m = 2. Note that 3 is also the minimum distance of
C.
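The constructions of this section for the binary (7, 4)-code of Examples 12.6.12 and 12.6.16, as an added example that is not code from the book: the encoding map of Definition 12.6.11, the Cyclic Decoding Theorem (12.6.13), the minimal distance of Definition 12.6.9 with nearest-code-word correction, and the root set J of the BCH bound. Polynomials over Z/2Z are stored as integers (bit i is the coefficient of X^i), and the roots a^j are checked in the 8-element field Z/2Z[X]/(X^3 + X + 1) of Exercise 12.7.21, in which the class of X has order 7; that choice of field is part of this example.

```python
# Added example (not from the book): binary cyclic codes with the polynomial
# arithmetic of Section 12.6.  A polynomial over Z/2Z is stored as an int
# whose bit i is the coefficient of X^i, so X^3 + X + 1 is 0b1011 and
# X^n - 1 = X^n + 1 is (1 << n) | 1.

def deg(p):
    """Degree of p; -1 for the zero polynomial."""
    return p.bit_length() - 1

def mul(a, b):
    """Product in Z/2Z[X]: shift and XOR, since coefficients are taken mod 2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def divmod2(a, d):
    """Division with Remainder (11.2.7) in Z/2Z[X]: a = q*d + r, deg r < deg d."""
    q = 0
    while a and deg(a) >= deg(d):
        s = deg(a) - deg(d)
        q ^= 1 << s
        a ^= d << s
    return q, a

def rem(a, d):
    return divmod2(a, d)[1]

def encode(a, g, n):
    """Information polynomial a -> code word c = rem(a*g, X^n - 1) (12.6.11)."""
    return rem(mul(a, g), (1 << n) | 1)

def decode(c, g, n):
    """Cyclic Decoding Theorem (12.6.13): a = -rem(c*h, X^n), h = (X^n - 1)/g.
    Over Z/2Z, -a = a, and rem(., X^n) keeps just the n low-order bits."""
    h, r = divmod2((1 << n) | 1, g)
    if r:
        raise ValueError("g does not divide X^n - 1")
    return mul(c, h) & ((1 << n) - 1)

def codewords(g, n):
    """All 2^k code words of the (n, k)-code generated by g, k = n - deg g."""
    return [encode(a, g, n) for a in range(1 << (n - deg(g)))]

def distance(v, w):
    """Definition 12.6.9: the number of positions in which v and w differ."""
    return bin(v ^ w).count("1")

def min_distance(words):
    return min(distance(v, w) for v in words for w in words if v != w)

def correct(r, words):
    """Nearest-code-word decoding: with minimal distance d > 2e and at most e
    errors, the code word within distance e of r is unique (see 12.6.10)."""
    return min(words, key=lambda w: distance(w, r))

def roots_in_gf8(g):
    """The j in 1..7 with g(a^j) = 0, where a is the class of X in the field
    Z/2Z[X]/(X^3 + X + 1); a has order 7 there (Exercise 12.7.21)."""
    field = 0b1011
    J = []
    for j in range(1, 8):
        aj = rem(1 << j, field)                       # a^j in the field
        value, power = 0, 1                           # power = (a^j)^i
        for i in range(deg(g) + 1):
            if g >> i & 1:
                value ^= power
            power = rem(mul(power, aj), field)
        if value == 0:
            J.append(j)
    return J

def longest_run(J):
    """Length m of the longest sequence of consecutive integers in sorted J."""
    best = run = 0
    for prev, cur in zip([None] + J, J):
        run = run + 1 if prev == cur - 1 else 1
        best = max(best, run)
    return best

if __name__ == "__main__":
    g, n = 0b1011, 7                          # g = X^3 + X + 1, Example 12.6.12
    words = codewords(g, n)                   # the 16 words of the (7, 4)-code
    print("minimal distance:", min_distance(words))            # 3
    c = encode(0b1101, g, n)                  # information polynomial X^3+X^2+1
    r = c ^ (1 << 2)                          # one reading error at X^2
    print(decode(correct(r, words), g, n) == 0b1101)            # True
    J = roots_in_gf8(g)                       # [1, 2, 4], cf. Example 12.6.16
    print("J =", J, " BCH bound: d >=", longest_run(J) + 1)     # 3
```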

By choosing the generating polynomial in a clever way, codes can be constructed that cor-
rect multiple errors. BCH stands for Bose, Ray-Chaudhuri, and Hocquenghem, the three
mathematicians who discovered the bound.

12.7 Exercises
Exercise 12.7.1. Determine in each of the following cases whether the polynomials a and b
are congruent modulo c.

(a) a = X^3, b = 1, c = X^2 + X + 1 as polynomials over Q.



(b) a = X^4 + X + 2, b = X + 3, c = X + 1 as polynomials over Z/5Z.

(c) a = (X^3 + X + 1)^5, b = (X^2 + 2·X)^5, c = X − 1 over Q.

Exercise 12.7.2. In each of the following cases, the polynomials a and d are given. Find a
representative of the residue class of a modulo d whose degree is less than the degree of d.

(a) a = X^4, d = X^2 + X + 1 in Q[X],
(b) a = X^4 + X^2 + 1, d = X^2 + X + 1 in Z/2Z[X].

Exercise 12.7.3. Determine representatives for all congruence classes for each of the follow-
ing residue class rings.

(a) Z/2Z[X]/(X^3 + 1)Z/2Z[X],
(b) Q[X]/(X − 1)Q[X],
(c) R[X]/(2)R[X].

Exercise 12.7.4. Consider the residue class a of X in S = Z/2Z[X]/(X^2 + X + 1)Z/2Z[X].

(a) Describe the elements of S in terms of ‘polynomials’ in a.

(b) Compose a multiplication table for S.

(c) Show that a^17 = a + 1.

Exercise 12.7.5. Let a ∈ R. We define the map eval : R [X] /(X −a)R [X] → R by eval ( f + (X − a)R [X]) =
f (a).

(a) Show that this map is well defined.


(b) Show that eval is a bijection.

Exercise 12.7.6. We define the two maps f_+ and f_− from Q[X]/(X^2 − 2)Q[X] to Q + Q·√2
in the following way. For any residue class g + (X^2 − 2)Q[X] we have

f_+(g + (X^2 − 2)Q[X]) = g(√2) and f_−(g + (X^2 − 2)Q[X]) = g(−√2).


(a) Show that f+ and f− are well defined, i.e., the description of the maps does not depend
on the choice of representative from an equivalence class.
(b) Show that f+ and f− are both injective.

(c) Show that f_+ and f_− are both surjective.



(d) Show that, for all a, b in Q[X]/(X^2 − 2)Q[X],
f_+(a + b) = f_+(a) + f_+(b), f_+(a·b) = f_+(a)·f_+(b), f_−(a + b) = f_−(a) + f_−(b), f_−(a·b) = f_−(a)·f_−(b).

Both maps give a way to associate the residue class ring Q[X]/(X^2 − 2)Q[X] to Q + Q·√2.

Exercise 12.7.7. Find the representative of degree less than 5 of the residue class of

(1 + X)·(1 + X^3)·(1 + X^4)·(1 + X^5)

in Z/2Z[X]/(X^5)Z/2Z[X].

Exercise 12.7.8. The polynomial f in Q[X] satisfies the relation (X^3 + 1)·f + a·(X^2 + 1) =
X^3 − 1 for some polynomial a in Q[X]. Determine the remainder upon division of f by
X^2 + 1.

Exercise 12.7.9. Let R denote one of the fields Q, R, C, Z/pZ where p is a prime.
Let c, d be a pair of polynomials in R [X] of degrees m and n, respectively. Suppose that c and
d are relatively prime.
Show that for any a and b in R [X] there is exactly one polynomial in R [X] of degree less than
m· n that at the same time is equal to a modulo c and equal to b modulo d. This is the Chinese
Remainder Theorem for polynomials.

Exercise 12.7.10. Write an algorithm that, given two polynomials c and d that are relatively
prime and have degree n and m, respectively, and two polynomials a and b, computes the
unique polynomial f of degree less than n·m which is equal to 0 modulo both c and d.
For existence and uniqueness of this polynomial we refer to (12.7.9).

Exercise 12.7.11. Determine the first 3 terms of the Taylor series around 0 of each of the
following functions in x by computation modulo x^4.

(a) 1/(1 + x)
(b) 1/(1 + x + x^2)
(c) 1/cos(x)

Exercise 12.7.12. Determine the first 3 terms of the Taylor series around 0 of each of the
following functions in x by computation modulo x^4.

(a) 1/(1 − x)
(b) 1/(1 − x + x^3)

Exercise 12.7.13. Consider the classes of a = 1 + X and b = 1 + 2·X in the ring Z/3Z[X]/(X^2 +
1)Z/3Z[X].
Solve the following equation for z: a·z = b.

Exercise 12.7.14. Consider the element a = X + (X^3 + X + 1)Q[X] in Q[X]/(X^3 + X +
1)Q[X].

(a) Show that X^3 + X + 1 is irreducible in Q[X]. Conclude that Q[X]/(X^3 + X + 1)Q[X]
is a field.
(b) Write 1/a as p + q·a + r·a^2 with p, q, r ∈ Q.
(c) Write 1/(a + 2) as p + q·a + r·a^2 with p, q, r ∈ Q.
(d) Same question for 1/(a^2 + a + 1).

Exercise 12.7.15. Let R be a field and f and d be polynomials in R [X].


Prove or disprove:

(a) If f |d, then f is invertible in R [X] /(d)R [X].


(b) If the degree of d is larger than 1 and R = Z, then R [X] /(d)R [X] is infinite.
(c) If a and b are elements from R[X]/(d)R[X] with a·b = 0, but neither a nor b is equal to 0,
then neither a nor b is invertible.
(d) If a, b, and c are elements from R[X]/(d)R[X] with a·b = a·c, then b = c.
(e) If a, b, and c are elements from R[X]/(d)R[X] with a·b = a·c and a is invertible, then
b = c.
(f) If a^4 = 0 for some element a in R[X]/(d)R[X], then 1 − a is invertible.

Exercise 12.7.16. Suppose that R is a field. If d ∈ R[X] is a polynomial of degree 1, then the
map R → R[X]/(d)R[X], a ↦ a + (d)R[X] is bijective. Prove this.

Exercise 12.7.17. Let K be one of the fields Q, R, C, Z/pZ with p prime.

(a) Let f , g ∈ K [X] with f irreducible and let a be the class of X in K [X] /( f )K [X]. Show
that f |g if and only if a is a zero of g, where we view g as a polynomial with coefficients
in K [X] /( f )K [X].
(b) Apply the divisibility criterion of the previous part to the polynomials f = X^2 + X + 1
and g = X^6 − X^3 + 1 over the ring Z/2Z to find out whether f divides g.

Exercise 12.7.18. Let R be a ring. A polynomial in R [X] is called monic if its leading coeffi-
cient equals 1.

(a) If d is a monic polynomial in R [X] of positive degree n, then each residue class in
R [X] /(d)R [X] contains an element of degree smaller than n. Prove this.

(b) Let R be equal to Z/4Z and d the polynomial 2· X. Verify that the class of X in
R [X] /(d)R [X] does not contain an element of degree 0.

Exercise 12.7.19. Let d = X^4 + X + 1 ∈ Z/2Z[X] and write S = Z/2Z[X]/(d)Z/2Z[X].

(a) Prove that d is irreducible.


(b) Determine the addition and multiplication table for the field S.

(c) Find a subfield of S of order 4. Here, a subfield of S is a subset Y such that inverses
of nonzero members of Y , and products and sums of arbitrary members of Y , again
belong to Y .

Exercise 12.7.20. Let K = Z/2Z[X]/(d)Z/2Z[X], where d = X^3 + X + 1 and let a be the
class of X modulo d.

(a) Show that the polynomial X^3 + X + 1 in Z/2Z[X] is irreducible and conclude that K is
a field with 8 elements.

(b) Show that (X^3 + X + 1) | (X^7 + 1) and that K = {0, 1, a, a^2, a^3, a^4, a^5, a^6}.

(c) The element a is a zero of X^3 + X + 1 (viewed as polynomial in K). Express all zeros
as powers of a.

(d) Find the zeros of X^3 + X^2 + 1.

Exercise 12.7.21. Let d = X^3 + X + 1 ∈ Z/2Z[X] and write S = Z/2Z[X]/(d)Z/2Z[X].

(a) Prove that d is irreducible and conclude that S is a field.

(b) Show that each nonzero element of S is a power of X + (d)Z/2Z[X].

Exercise 12.7.22. Let g be the polynomial X^3 + X^2 + 1 over the field with 2 elements. Then
g is a divisor of X^7 − 1. Determine all codewords in the cyclic code generated by g.

Exercise 12.7.23. Suppose that C is a code in (Z/2Z)^n that has minimal distance d with
d ≥ 2·e + 1.
Show that C contains at most 2^n / ∑_{i=0}^{e} (n choose i) codewords.

Chapter 13

Monoids and groups

In previous chapters we have considered several sets with operations, like addition and mul-
tiplication, defined on them. Such an enriched set is often called a structure. In this chapter
we start with a more systematic approach to structures. The title of this chapter refers to the
two most important ones we shall deal with here.

13.1 Binary operations

The map that takes an integer to its negative is a unary operation on Z, while addition and
multiplication are binary operations on Z in the following sense.
Definition 13.1.1 (Operations). Let V be a set.

• A unary operation is a map V → V .


• A binary operation is a map V ×V → V .
• For each natural number n, an n-ary operation is a map V n → V .

A set together with a number of operations defined on it is called a structure.

Example 13.1.2 (Unary operation). Of course, any map from a set to itself is a unary opera-
tion. But bear in mind maps like these:

• On Z, the map x 7→ −x.


• On Sym_n, the map g ↦ g^{−1}.

Example 13.1.3 (Binary operation). Also for binary operations there are many possibilities.
Some of these are quite natural, like projection onto the first or second coordinate. But
examples of interest to us are: addition, multiplication, and subtraction.

Example 13.1.4. The + operator is usually considered as a binary operation, but it can also
be viewed as a 3-ary operator in the following interpretation: +(3, 5, 7) = 3 + 5 + 7.

Remark 13.1.5. There also are nullary operations. Since V^0 is viewed as a singleton (a
set consisting of a single element), nullary operations are distinguished elements of V. For
instance, zero and one of Z/nZ and of R, and the identity of Sym_n. These elements are
distinguished by properties with respect to other operations. For instance, the effect of adding
a zero element to any element is nil. Most of the time such elements will have special names,
like identity element.

For binary operations like + : V × V → V and · : V × V → V we often use infix notation:

+ (a, b) = a + b (13.1)

· (a, b) = a· b (13.2)

This is in accordance with the familiar notation · for multiplication and + for addition in, for
example, Q.
Most binary operations in which we are interested distinguish themselves from arbitrary ones
in that they have the following property.
Definition 13.1.6. A binary operation · : V ×V → V is called associative if, for all a, b, c ∈ V ,
we have a· (b· c) = (a· b)· c.

Example 13.1.7 (Arithmetic operations). The addition and multiplication on Z, Q, R, and C
are associative.
Subtraction is not.

Exercise 13.1.8. For which integers n > 1 is subtraction on Z/nZ associative?

• None. Not quite.


• All. No, associativity for n = 10 would imply 1 − 2 − 3 = rem(1 − (2 − 3), 10).

• n = 2 True; this is the only value of n for which subtraction coincides with addition.

Remark 13.1.9. The advantage of using the infix notation becomes obvious from the follow-
ing comparison of two ways of writing the associativity law for the binary operation ·:

• For the usual (prefix) notation: ·(a, ·(b, c)) = ·(·(a, b), c).
• For the infix notation: a· (b· c) = (a· b)· c.

Example 13.1.10. Each polynomial f ∈ Z[X, Y] determines a binary operation on Z, mapping
(a, b) ∈ Z × Z to f(a, b) ∈ Z. For instance, let f in Z[X, Y] be X·Y + X + Y. We
test whether the corresponding binary map is associative. To this end, we expand both
f(x, f(y, z)) and f(f(x, y), z), for integers x, y, and z and compare the two. The first
expansion gives f(x, f(y, z)) = f(x, y·z + y + z) = x·y·z + x·y + x·z + y·z + x + y + z and the
second expansion gives the same result.
Therefore the operation defined by this particular f is associative.

It is well known that brackets are superfluous for the binary operations addition and multiplication
on real numbers or integers. The same holds for an arbitrary associative binary operation,
as the following theorem shows.

Theorem 13.1.11. If a binary operation is associative, then each positioning of brackets
leads to the same result.

Proof. Consider a product x involving the factors x1 , x2 , ..., xn , but with an arbitrary position-
ing of the brackets. We will show, by induction on n, that x is equal to the product involving
the same factors but with the right-most bracketing, that is, x1 · (x2 · (x3 · (...· xn ))).
If n ≤ 2 then there is only one possible bracketing, which is the right-most one.
Suppose, therefore, n ≥ 3. If x is of the form x1 · y with y a product involving the factors
x2 , x3 , ..., xn , then we can apply the induction hypothesis to y. Replacing y in x by its right-
most bracketing gives the right-most bracketing of x.
If x is not of the form described in the previous paragraph, then x is of the form (x1 · y)· z
where for some index i less than n the element y is a product involving the factors x2 , x3 , ..., xi
and z is a product involving the factors xi+1 , xi+2 , ..., xn . But then, by the associative law,
(x1 · y)· z = x1 · (y· z), and we are back in the previous case.

Remark 13.1.12. The number of ways to position n pairs of brackets in a product of n + 1
variables equals the so-called n-th Catalan number.
The first Catalan number is equal to 1. The second is equal to 2, and the third Catalan number
equals 5 corresponding to the following five ways of placing brackets in an expression with
four variables: a·(b·(c·d)), a·((b·c)·d), (a·b)·(c·d), (a·(b·c))·d, and ((a·b)·c)·d.
The n-th Catalan number is given by the formula (1/(n + 1)) · (2n choose n).
Can you give a proof?

Example 13.1.13. Consider (a· (((b· c)· d)· e))· f . We can use the associative law to change
bracket positionings so as to obtain the rightmost bracketing a· (b· (c· (d· (e· f )))):

(a·(((b·c)·d)·e))·f =
a·((((b·c)·d)·e)·f) =
a·(((b·c)·d)·(e·f)) = (13.3)
a·((b·c)·(d·(e·f))) =
a·(b·(c·(d·(e·f)))).

The Theorem on brackets for associative operations (13.1.11) indeed implies that it is not
necessary to use brackets for associative binary operations. Therefore we will often omit the
brackets.
Besides the ordinary addition and multiplication, composition of maps from a set X to itself
is a very important binary operation.
If X is a set, we write Maps(X) for the set of all maps X → X.

Theorem 13.1.14 (Composition is associative). Suppose that X is a set and f, g, h ∈
Maps(X).
The composition of f and g, notation f ◦ g, is the map X → X given by

(f ◦ g)(x) = f(g(x)) (13.4)

for x ∈ X.
Composition is a binary associative operation on Maps(X).

Proof. For each x ∈ X we have ((f ◦ g) ◦ h)(x) = (f ◦ g)(h(x)) = f(g(h(x))) = f((g ◦ h)(x)) =
(f ◦ (g ◦ h))(x).

Remark 13.1.15. In Monoids and semi groups as Maps (13.2.25) we shall see a kind of
converse to Composition is associative (13.1.14): every associative operation can be viewed
as coming from composition of maps.

The case where X is a finite set is dealt with in more detail below.
Suppose that X is a finite set and its elements are labeled 1, 2, ..., n. Then an element g of
Maps(X) is fully specified by the list [g (1) , g (2) , ..., g (n)] of length n whose i-th element
equals the image of i under g, as the image of every member of X is specified.
Example 13.1.16 (Maps on five elements). Let X be the set {1, 2, 3, 4, 5}. By a list of length
5 with elements from X we indicate the map X → X sending element i to the i-th element of
the list.
For example, f = [2, 2, 1, 3, 3] is the map f : X → X mapping 1 and 2 to 2, mapping 3 to 1,
and mapping 4 and 5 to 3.
If, in addition, g = [4, 3, 2, 3, 3] and h = [5, 1, 4, 2, 2], then f ◦ g = [3, 1, 2, 1, 1], and so (f ◦ g) ◦
h = [1, 3, 1, 1, 1]. On the other hand, g ◦ h = [3, 4, 3, 3, 3], and so f ◦ (g ◦ h) = [1, 3, 1, 1, 1].
So, indeed, (f ◦ g) ◦ h = f ◦ (g ◦ h).
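Theorem 13.1.11, Remark 13.1.12 and Example 13.1.16 made computational, as an added example that is not code from the book: every bracketing of a product is evaluated, the number of bracketings is compared with the Catalan numbers, and the maps f, g, h of Example 13.1.16 (in the book's list notation) are composed. The integer subtraction and the Z/nZ subtraction of Exercise 13.1.8 serve as the non-associative contrast.

```python
# Added example (not from the book): Theorem 13.1.11 and Remark 13.1.12 made
# computational, using the list notation for maps of Example 13.1.16.
from math import comb

def compose(f, g):
    """f o g for maps on {1, ..., n} given as lists: (f o g)(i) = f(g(i)) (13.4).
    Position i - 1 of a list holds the image of i."""
    return [f[g[i] - 1] for i in range(len(g))]

def bracketings(factors, op):
    """Values of the product of `factors` under every positioning of brackets.
    The product is split into a left and a right part at each possible place."""
    if len(factors) == 1:
        return [factors[0]]
    values = []
    for split in range(1, len(factors)):
        for left in bracketings(factors[:split], op):
            for right in bracketings(factors[split:], op):
                values.append(op(left, right))
    return values

def catalan(n):
    """n-th Catalan number (1/(n+1)) * (2n choose n): the number of ways to
    bracket a product of n + 1 factors (Remark 13.1.12)."""
    return comb(2 * n, n) // (n + 1)

def is_associative(op, elements):
    """Check a·(b·c) = (a·b)·c for all triples from a finite set of elements."""
    return all(op(a, op(b, c)) == op(op(a, b), c)
               for a in elements for b in elements for c in elements)

def distinct_results(factors, op):
    """Number of different values the bracketings produce; it is 1 for an
    associative operation (Theorem 13.1.11)."""
    return len({tuple(v) if isinstance(v, list) else v
                for v in bracketings(factors, op)})

if __name__ == "__main__":
    f, g, h = [2, 2, 1, 3, 3], [4, 3, 2, 3, 3], [5, 1, 4, 2, 2]    # Example 13.1.16
    print(compose(compose(f, g), h), compose(f, compose(g, h)))   # both [1, 3, 1, 1, 1]
    print(len(bracketings([f, g, h, f, g], compose)), catalan(4))  # 14 14
    print(distinct_results([f, g, h, f, g], compose))             # 1
    print(distinct_results([1, 2, 3, 4], lambda a, b: a - b))     # 4: subtraction
    # Exercise 13.1.8: subtraction on Z/nZ is associative only for n = 2
    print([n for n in range(2, 13)
           if is_associative(lambda a, b, n=n: (a - b) % n, range(n))])
```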

Remark 13.1.17. For the finite set X = {1, ..., n}, both permutations of X and elements of
Maps(X) are given by lists. In fact permutations are members of Maps(X) such that every
member of X occurs in the list.
Observe that |Maps(X)| = n^n and |Sym(X)| = n!.

Using associativity we can define a very basic structure.


Definition 13.1.18. A semigroup is a structure [S, · ] consisting of a set S and a binary asso-
ciative operation · on S, called multiplication.

Example 13.1.19 (Structures encountered so far). Each of the following structures is a semigroup:
[Z, +], [Z, ·], [Z/nZ, +], [Z/nZ, ·], [R[X], +], [R[X], ·], [R[X]/(f)R[X], +], and
[R[X]/(f)R[X], ·].

Example 13.1.20 (A variation). [2· Z, +] and [2· Z, · ] are also semigroups.

Example 13.1.21 (Maps). Let X be a set. The set Maps(X) of all maps X → X is a semigroup
with respect to composition of maps.

Example 13.1.22 (Words). The set Words (A) of all words over a given alphabet A with con-
catenation of words is a semigroup.
Here, a word over an alphabet is a sequence of elements from that alphabet. The similarity
with usual words, in which case the alphabet is the usual alphabet {a, b, ..., z} is a reason for
calling these elements words. An alternative name for words is strings.
The concatenation of two words is the act of putting the two words behind each other so as to
make a new word. For example the concatenation of the words semi and group leads to the
word semigroup. Using the infix notation with symbol o for the operation, we have

concaotenation = concatenation (13.5)

Associativity implies that we can write words without brackets!


Semantically, it is not always clear that associativity holds. Consider the word

Mathematical_Knowledge_Management (13.6)
which is an element of the semigroup Words (A) where A consists of the English language
alphabet and the space, represented here by an underscore _. Now a mathematician might be
the appropriate person to deal with

Mathematical_(Knowledge_Management) (13.7)

whereas a computer scientist might be the better expert for

(Mathematical_Knowledge)_Management (13.8)

Remark 13.1.23. Notice that the ordinary addition of integers is the multiplication of the
semigroup [Z, +]. Although this terminology may seem confusing, it indicates that the stan-
dard operations of addition and of ordinary multiplication have quite a lot in common.

More advanced structures, as we will see later on, usually consist of a semigroup with some
additional operations.
When considering a semigroup [S, · ], we often speak of the semigroup S if it is clear what the
associative multiplication · is.
The sets Maps(X) with composition are an important class of semigroups.
Definition 13.1.24. An identity in a semigroup S is an element e of S with the property that,
for all a in S, we have e· a = a and a· e = a.

Example 13.1.25 (Addition). The semigroups Z, Z/nZ, Q, R and C with addition have identity 0.

Example 13.1.26 (Multiplication). The semigroups Z, Z/nZ, Q, R and C with multiplication
have identity 1.

Example 13.1.27 (Maps). The identity map X → X, x 7→ x is the identity of the semigroup
Maps(X).

Example 13.1.28 (Words). The empty word, that is, the sequence with no letters, is the
identity element of the semigroup Words(A) of all words over a given alphabet A with
concatenation of words.
We denote the empty word by ε. Of course we have to make sure that this symbol is not an
element of A!

Instead of an identity, one also speaks of a unit element.

Lemma 13.1.29 (Uniqueness of the identity). A semigroup has at most one identity.

Proof. Suppose that e and f are identities of the semigroup [S, · ]. Then e = e· f = f .

Remark 13.1.30. The proof of Uniqueness of the identity (13.1.29) does not need the full
force of the hypotheses that the two elements are identities. We have only used the facts that
e is a left identity and that f is a right identity.
Can you give a proof using only that e is a right identity and that f is a left identity?

Remark 13.1.31. The lemma says that there are either no identities in a semigroup or there
is exactly one. Both cases occur:

• The semigroup [N, · ] of all natural numbers with multiplication has identity 1.
• The semigroup [2· N, · ] of all even natural numbers with multiplication does not have an
identity.

Semigroups with an identity are special and have therefore been given a special name:
Definition 13.1.32. A structure [M, · , e] in which [M, · ] is a semigroup with identity e is called
a monoid. We often refer to a monoid M, if it is clear what the multiplication · is, and what
the identity element is.

Example 13.1.33 (The usual monoids). Consider the usual arithmetic operations on sets like
N, Z, Q, R, C, Z/nZ, R, .... With respect to both addition and multiplication, these sets are
semigroups having an identity element, so they are monoids. We call them the additive and
multiplicative monoids, respectively.

Example 13.1.34 (Matrices). There are two natural ways to make the set Mn (R) of all real
n × n-matrices a monoid:

• The monoid multiplication is matrix multiplication. The identity element is the identity
matrix.
• The monoid multiplication is matrix addition. The identity element is the zero matrix (all
entries of the matrix are equal to 0).

Example 13.1.35 (The symmetric group). The symmetric group Symn with composition as
its binary operation and the identity as the identity element, is a monoid.

Example 13.1.36 (Words). In computer science, the set Words(A) of all words over the
alphabet A, as already considered in Example 13.1.22 and Example 13.1.28, is a well-known
object of study. It is a monoid with respect to concatenation, whose identity is the ‘empty
word’, the word consisting of 0 letters. Notation ε.

Example 13.1.37. We determine all monoids having 2 elements. The identity element is
denoted by 1.
Let [M, ·, 1] be a monoid with two elements. Suppose that a is the unique element of M
different from 1. Then for a·a we have only two possibilities. Either a·a = 1 or a·a = a. This
determines the multiplication · completely and we find two multiplication tables for M. They
give rise to two distinct monoids, denoted by C1,1 and C0,2. Their multiplication tables are as
follows.

C1,1 | 1  a        C0,2 | 1  a
  1  | 1  a          1  | 1  a
  a  | a  a          a  | a  1

Table 13.1: Multiplication in monoids

Both monoids can be realized on the set Z/2Z. Indeed, addition (with the identity being 0)
leads to C0,2 ; multiplication, (with the identity element being 1) leads to C1,1 .

Since a monoid has only one identity element (as stated in Uniqueness of the identity (13.1.29))
we can speak of the identity of a monoid.

13.2 Monoids and semigroups

There are various constructions of new semigroups and monoids from known ones. The first
we discuss is the direct product.

Theorem 13.2.1 (Direct products). Let [M1 , ·1 ] and [M2 , ·2 ] be two semigroups. We
define a multiplication · on M1 × M2 , the Cartesian product of M1 and M2 , as follows:
(x1 , x2 ) · (y1 , y2 ) = (x1 ·1 y1 , x2 ·2 y2 ).
The resulting structure is again a semigroup, usually called the direct product, and
denoted by M1 × M2 .
If M1 and M2 are monoids, then so is M1 × M2 . The identity element of the product is
(e1 , e2 ) where ei is the identity of Mi .

Proof. We need to show that the multiplication is associative. This is a direct consequence
of the associativity of the multiplications of the two component semigroups, as the following
sequence of equalities shows. Here x1, y1 and z1 are elements from M1 and x2, y2, z2 from M2.

((x1, x2) · (y1, y2)) · (z1, z2)
  = (x1 ·1 y1, x2 ·2 y2) · (z1, z2)
  = ((x1 ·1 y1) ·1 z1, (x2 ·2 y2) ·2 z2)
  = (x1 ·1 (y1 ·1 z1), x2 ·2 (y2 ·2 z2))                (13.9)
  = (x1, x2) · (y1 ·1 z1, y2 ·2 z2)
  = (x1, x2) · ((y1, y2) · (z1, z2))

Moreover, (e1, e2) is an identity element, as follows directly from the following.

(e1, e2) · (x1, x2) = (e1 ·1 x1, e2 ·2 x2) = (x1, x2),
(x1, x2) · (e1, e2) = (x1 ·1 e1, x2 ·2 e2) = (x1, x2).    (13.10)

Example 13.2.2. We write out the direct product of the two monoids from Example 13.1.37.
These are C0,2 and C1,1. Their multiplications are given by the following tables, where a
denotes the non-identity element of C0,2 and b that of C1,1.

 ·  | 1  a         ·  | 1  b
 1  | 1  a         1  | 1  b
 a  | a  1         b  | b  b

Their direct product C0,2 × C1,1 is the monoid on four elements given by the multiplication
table below.

   ·    | (1, 1)  (1, b)  (a, 1)  (a, b)
 (1, 1) | (1, 1)  (1, b)  (a, 1)  (a, b)
 (1, b) | (1, b)  (1, b)  (a, b)  (a, b)
 (a, 1) | (a, 1)  (a, b)  (1, 1)  (1, b)
 (a, b) | (a, b)  (a, b)  (1, b)  (1, b)

Remark 13.2.3. The direct product construction can be carried out with more than two
monoids.
For example, if we take M = [R, +], then the additive structure of the vector space Rn can be
obtained as a direct product of n copies of M.

Definition 13.2.4. Let [M, ·, 1] be a monoid. A subset W of M is said to be closed under the
multiplication · if, for all a, b ∈ W, the product a·b belongs to W.
A submonoid of M is a subset W of M closed under multiplication and containing 1.

Example 13.2.5 (The symmetric and alternating groups). The alternating group Altn is a
submonoid of the symmetric group Symn. For, the product of two even permutations is again
even and the identity map is even.
Also, for m > n, the monoid Symn can be viewed as the submonoid of Symm consisting of all
permutations fixing n + 1, n + 2, ..., m.
Both Symn and Altn are submonoids of the monoid Maps({1, ..., n}) of all maps of {1, ..., n}
to itself.

Example 13.2.6 (Polynomial rings). The set of elements of R[X] which take the value 0 at
some fixed element a form a submonoid of [R[X], +, 0].
The set of elements of R[X] which take the value 1 at some fixed element form a submonoid
of [R[X], ·, 1].

Example 13.2.7 (Matrix rings). The matrices in M = Mn(R) with determinant 1 form a
submonoid, denoted by SL(n, R), of the monoid defined on M by matrix multiplication. Indeed,
if A, B ∈ SL(n, R), then det(A·B) = det(A) · det(B) = 1. Moreover, the identity matrix also
has determinant 1.

A second submonoid of M is formed by the set of matrices whose determinant is not equal
to 0. This submonoid is denoted by GL(n, R). Notice that SL(n, R) is also a submonoid of
GL(n, R).

Example 13.2.8 (The integers). The set of even integers 2· Z is closed under addition and
multiplication. The even integers form a submonoid of Z with respect to addition, but not
with respect to multiplication, as 1 is not even.

Remark 13.2.9. A similar definition as in Definition of submonoid (13.2.4) can be made for
semigroups, except that assertions about the identity element should be removed. This remark
will apply more often:

• More notions for monoids apply to semigroups;
• similar notions apply to other structures, to be defined later (such as groups, rings, and
fields).

If W is a submonoid of M, then the restriction of · to W defines a monoid [W, ·↓W×W, 1],
which is called the monoid induced on W by ·.
The following theorem shows that the intersection of submonoids of a monoid is again a
submonoid.

Theorem 13.2.10. If C is a collection of submonoids of M, then ∩_{c∈C} c is also a
submonoid of M.

Proof. Let K = ∩_{c∈C} c. In order to establish that K is a submonoid, we need to prove the
following two assertions.
Assertion. The identity element belongs to K.

Every element of C contains the identity 1. Hence, K contains it.

Assertion. K is closed under multiplication.

If a and b are elements of K, then they are elements of each H ∈ C. Thus, a·b ∈ H for every
H ∈ C, whence a·b ∈ K.

The Theorem on intersection of submonoids (13.2.10) shows in particular that, if W and W′
are submonoids of M, then also W ∩ W′ is a submonoid of M.
If D is a subset of the monoid M, then ⟨D⟩_M is defined to be the set of elements of M that are
products of elements of D. The empty product is (by definition) the unit e of M; in this way,
⟨D⟩_M is a submonoid of M. This submonoid is called the submonoid (of M) generated by D.
The elements of D are called the generators of ⟨D⟩_M. We say a monoid is cyclic, if it can be
generated by a single element.
Here is an abstract characterization of ⟨D⟩_M.

Theorem 13.2.11. If D is a subset of the monoid M then
(a) ⟨D⟩_M is the smallest submonoid of M containing D;
(b) ⟨D⟩_M = ∩_{c∈C} c, where C is the collection of all submonoids of M containing D.

Proof.
Assertion. ⟨D⟩_M is the smallest submonoid of M containing D.
We need to show that every submonoid of M containing D also contains ⟨D⟩_M. Let W be a
submonoid of M containing D. Since elements of D belong to W, their products are in W.
Hence, ⟨D⟩_M is contained in W.
Assertion. ⟨D⟩_M = ∩_{c∈C} c, where C is the collection of all submonoids of M containing D.

Let R = ∩_{c∈C} c. It is a submonoid, as we have seen in Theorem on intersection of submonoids
(13.2.10). Part (a) implies that ⟨D⟩_M is contained in R. But, as the submonoid generated by D
belongs to C, the intersection R is also contained in ⟨D⟩_M, whence ⟨D⟩_M = R.

Example 13.2.12 (Generation by a single element.). Since every positive integer n can be
written as the sum of n times 1, the element 1 of the monoid [N, +, 0] generates the whole
monoid. This implies that N is cyclic.

Example 13.2.13 (Not finitely generated). The monoid [Z, · , 1] can be generated by the set
of all prime numbers together with 1, but not by a proper subset of this set. Actually, any
generating set of this monoid should contain either +p or −p for every prime p. Thus Z is
not finitely generated.

The following algorithm determines the submonoid of a given monoid M generated by a
given subset D. We shall use the notation x·N for {x·n | n ∈ N}.

Algorithm 13.2.14.
• Input: a subset D of a finite monoid M (whose multiplication · is considered given).
• Output: ⟨D⟩_M.

MonoidGeneratedBy := procedure(D)
  local variables S, N
  S := {1}
  N := D
  while N ≠ ∅ do
    S := S ∪ N
    N := (∪_{c ∈ {x·N | x ∈ D}} c) \ S
  return S
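An implementation of Algorithm 13.2.14 in Python, added here as an illustration and not code from the book. It is run on two finite monoids constructed inline: the multiplicative monoid Z/8Z and the left-multiplication maps L_m of Z/4Z from Theorem 13.2.25 and Example 13.2.26 (maps are stored 0-indexed here, so L_2 reads (0, 2, 0, 2) rather than the book's 1-indexed list [2, 0, 2, 0]).

```python
def monoid_generated_by(D, mul, one):
    """Algorithm 13.2.14: the submonoid <D>_M of a finite monoid M.

    mul is the multiplication of M and one its identity. S collects the
    elements already known to lie in <D>_M; N holds the elements found in the
    previous round that still have to be multiplied by every generator.
    The loop stops when a round produces nothing new, which must happen
    because M is finite.
    """
    S = {one}
    N = set(D)
    while N:
        S |= N
        # N := (union over x in D of x.N) \ S
        N = {mul(x, n) for x in D for n in N} - S
    return S


def is_submonoid(W, mul, one):
    """Definition 13.2.4 for a finite subset W: contains 1 and is closed under mul."""
    return one in W and all(mul(a, b) in W for a in W for b in W)


# Constructed monoid 1: [Z/8Z, ., 1], elements are the residues 0..7.
def mul_mod8(a, b):
    return (a * b) % 8


# Constructed monoid 2: Maps({0,1,2,3}) under composition. A map f is stored
# as the tuple (f(0), f(1), f(2), f(3)); (f . g)(i) = f(g(i)).
def compose(f, g):
    return tuple(f[g[i]] for i in range(len(g)))


IDENTITY_MAP = (0, 1, 2, 3)


def left_mult_map(m, n=4):
    """L_m : x -> m.x in Maps(Z/nZ), the map of Theorem 13.2.25 for [Z/nZ, ., 1]."""
    return tuple((m * x) % n for x in range(n))


if __name__ == "__main__":
    # <{3, 5}> in Z/8Z is the set of odd residues {1, 3, 5, 7}; <{2}> is {1, 2, 4, 0}.
    print(sorted(monoid_generated_by({3, 5}, mul_mod8, 1)))
    print(sorted(monoid_generated_by({2}, mul_mod8, 1)))
    # The image of Z/4Z under L (Example 13.2.26) is generated by L_2 and L_3.
    gens = {left_mult_map(2), left_mult_map(3)}
    image = monoid_generated_by(gens, compose, IDENTITY_MAP)
    print(sorted(image), is_submonoid(image, compose, IDENTITY_MAP))
```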

As a third construction method for monoids, we consider the set of words over some alphabet
A with concatenation as operation.
Definition 13.2.15 (Free monoid). Let A be a set of symbols. The free monoid on A is the
structure [Words(A), o, ε], where

• Words(A) is the set of all words in the alphabet A;
• o is the concatenation of words;
• ε is the empty string.

Example 13.2.16. If we take for A the set {0, ..., 9}, then the elements from the free monoid
on A form the set of natural numbers in their natural representation. However, the product
in this monoid is different from the ordinary multiplication ·. For example the product
o(3124, 532) = 3124532 and hence not equal to 3124 · 532.
Another difference is that distinct elements may represent the same natural number; for
instance, 00087, 087, and 87.

Example 13.2.17. The free monoid M on a single letter, say A = {c}, has as elements
c^0, c^1, c^2, ...
This monoid has the same shape as [N, +, 0]. The map c^n ↦ n establishes the correspondence.
Multiplication in M corresponds to addition in the exponent of c and thus to addition in N.

Our next issue is how to express the fact that two monoids may appear in different guises but
are essentially the same.
The standard notion for comparing structures is that of homomorphism.
Definition 13.2.18 (Homomorphism). Let S1 and S2 be two structures with n_i-ary operations
∗_{i,1} and ∗_{i,2}, respectively (where i runs through a finite set).
A homomorphism between these structures is a map f : S1 → S2 respecting all operations,
i.e., for all i we have

f(∗_{i,1}(a_1, ..., a_{n_i})) = ∗_{i,2}(f(a_1), ..., f(a_{n_i}))    (13.11)

If f is bijective, then we call f an isomorphism.


In particular, for monoids [M1, ·1, e1] and [M2, ·2, e2] this means the following.
A homomorphism between M1 and M2 is a map f : M1 → M2 with the following properties.

• f(e1) = e2.
• for all a, b: f(a ·1 b) = f(a) ·2 f(b).

Example 13.2.19. Suppose that all elements of the monoid M can be expressed as products
of a single element, say c. So M = {c^0, c, c^2, c^3, ...}. Then the monoid is said to be generated
by c. It is cyclic.
Define a map f : N → M by f(n) = c^n. Then we have f(n + m) = c^{n+m} = c^n · c^m = f(n) · f(m).
Also, f(0) = 1. Hence f is a homomorphism of monoids.
Clearly, f is surjective. But it need not be injective. If M is a free monoid, then the map f is
also injective.
Another example of a homomorphism of monoids is the length function for a free monoid.
Indeed, if M is a free monoid over an alphabet A, then the length function L from M to N
satisfies L(ε) = 0 and L(x o y) = L(x) + L(y). If A has size 1, this length function is the
inverse of the homomorphism f.

If two structures are isomorphic (that is, there is an isomorphism from one to the other), then
they are of the ‘same shape’ (morph = shape).
An isomorphism S1 → S1 (that is, with both domain and target structure the same) is called
an automorphism of S1.
Remark 13.2.20. The notion of homomorphism of semigroups is similar; the condition about
the identity element is dropped, of course.
Notions like homomorphisms, isomorphisms, and automorphisms (see below) exist for all
structures. We shall encounter them again when we discuss rings, groups, and fields.

Theorem 13.2.21 (Isomorphisms of monoids). If f : M1 → M2 is an isomorphism of
monoids, then
(a) the cardinalities of M1 and M2 are equal;
(b) the inverse map f^{-1} : M2 → M1 is also an isomorphism of monoids.

Moreover, if g : M2 → M3 is an isomorphism of monoids, then g ∘ f : M1 → M3 is also an
isomorphism.

Proof.
Assertion. The cardinalities of M1 and M2 are equal.
This follows from the fact that f is a bijection.
Assertion. The inverse map f^{-1} : M2 → M1 is also an isomorphism of monoids.

Suppose that M1 and M2 are two monoids and that f is an isomorphism from M1 to M2.
Since f is an isomorphism, f(e1) is the identity e2 of M2. Consequently, f^{-1}(e2) = f^{-1}(f(e1)) =
e1, the identity of M1.
Now suppose that a′ and b′ are elements in M2. Since f is a bijection there exist unique
elements a and b in M1 with a′ = f(a) and b′ = f(b). Then f(a · b) = a′ · b′. Thus we also
have that f^{-1}(a′ · b′) = a · b = f^{-1}(a′) · f^{-1}(b′).
We have shown that f^{-1} is also an isomorphism.
Assertion. g ∘ f : M1 → M3 is an isomorphism.

We have
g ∘ f(e1) = g(f(e1)) = g(e2) = e3 and g ∘ f(x · y) = g(f(x · y)) = g(f(x) · f(y)) = g(f(x)) · g(f(y)) =
g ∘ f(x) · g ∘ f(y).

Example 13.2.22. Consider the monoids C0,2 and C1,1 from Example 13.1.37, given by the
following multiplication tables.

C0,2 | 1  a        C1,1 | 1  b
  1  | 1  a          1  | 1  b
  a  | a  1          b  | b  b

Both have size 2. But they are not isomorphic. For otherwise, there would be an isomorphism
f : C0,2 → C1,1 with f(1) = 1. Hence, as f is bijective, also f(a) = b. But then we would
have 1 = f(1) = f(a^2) = f(a)^2 = b^2 = b, a contradiction.

A monoid that can be generated by a single element is called cyclic. Let k, l ∈ N with l > 0.
An example of a cyclic monoid with generator c is the monoid defined on the set {c^i | i ∈
{0, ..., k + l − 1}} by means of the following multiplication rules.

• c^j · c^i = c^{j+i} if j + i < k + l;
• c^j · c^i = c^{k + rem(j+i−k, l)}, if j + i ≥ k + l;
• c^0 = 1 is the identity.

We refer to this monoid as Ck,l.
Clearly, Ck,l is cyclic with generator c.

Theorem 13.2.23 (Characterization of cyclic monoids). Every cyclic monoid is
isomorphic with either [N, +, 0] or with Ck,l for certain k, l ∈ N.

Proof. Suppose that [C, ·, 1] is a cyclic monoid generated by the element g of C. We make
the following case distinction.

• There are k < l with g^k = g^l. Let k and l be the smallest pair (in lexicographical order) with
this property. Then C = {g^i | i ∈ {0, ..., l − 1}}. Indeed, for all t ≥ 0, we have g^{l+t} = g^{k+t}.
Put n = l − k. We shall establish that the map Ck,n → C sending c^i to g^i is an isomorphism.
Clearly, it is a bijection. In C, we have g^{k+m·n} = g^k for all m. So, for all i, j ∈ N with
k + m·n ≤ i + j ≤ k + (m + 1)·n, we have g^i · g^j = g^{i+j−k−m·n} · g^{k+m·n} = g^{i+j−m·n}. Therefore
the powers of g in C satisfy the multiplication laws of Ck,n. This proves that the bijection
Ck,n → C is a homomorphism of monoids. As it is also a bijection, it is an isomorphism.
• There are no such k and l. The map N → C given by n ↦ g^n is readily seen to be an
isomorphism from [N, +, 0] to the monoid C.

Remark 13.2.24. If you think of Ck,n in the following way, the reason for the name cyclic
becomes clear. First there is the beginning piece of the monoid consisting of e, c, c^2, ..., c^k.
Then comes the cyclic part, consisting of c^k, c^{k+1}, c^{k+2}, ..., c^{k+n−1}, c^{k+n} = c^k. At the end of
this list we are back at the element c^k. After that the cyclic part repeats itself: c^{k+n+1} =
c^{k+1}, c^{k+n+2} = c^{k+2}, ...
We list some properties of the cyclic monoid Ck,n:

• |Ck,n| = k + n.
• For every m ∈ N with m > 0, there are precisely m nonisomorphic cyclic monoids with m
elements, viz., Cm−k,k for k = 1, ..., m.
• If k > 0, then no element of Ck,n but 1 is invertible.
• In C0,n every element is invertible (in other words, C0,n is a group, see later).
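The case distinction in the proof of Theorem 13.2.23, carried out by a computer. The Python code below is added here and is not part of the book: it runs through the powers of a generator g of a finite monoid until the first repetition g^k = g^l, reads off (k, n) with n = l − k, and checks that c^i ↦ g^i respects the multiplication rules of Ck,n. The multiplicative monoids Z/8Z and Z/10Z used as input are constructed inline.

```python
def powers_until_repeat(g, mul, one):
    """Powers of g in a finite monoid up to the first repetition.

    Returns (powers, k, l) with powers[i] == g^i for 0 <= i < l and g^k == g^l
    the first pair of equal powers (k < l), as in the proof of Theorem 13.2.23.
    """
    powers = [one]
    index = {one: 0}          # power -> smallest exponent producing it
    x = one
    while True:
        x = mul(x, g)
        if x in index:
            return powers, index[x], len(powers)
        index[x] = len(powers)
        powers.append(x)


def cyclic_type(g, mul, one):
    """(k, n) such that the submonoid generated by g is isomorphic to C_{k,n}."""
    _, k, l = powers_until_repeat(g, mul, one)
    return k, l - k


def ckl_mul(k, l):
    """Multiplication of C_{k,l} on exponents: c^j . c^i = c^(mul(j, i))."""
    def mul(j, i):
        if j + i < k + l:
            return j + i
        return k + (j + i - k) % l   # c^(k + rem(j+i-k, l))
    return mul


def is_isomorphic_to_ckn(g, mul, one):
    """Verify that c^i -> g^i is a bijective homomorphism C_{k,n} -> <g>."""
    powers, k, l = powers_until_repeat(g, mul, one)
    n = l - k
    cmul = ckl_mul(k, n)
    if len(set(powers)) != k + n:     # |C_{k,n}| = k + n and the map is injective
        return False
    return all(mul(powers[j], powers[i]) == powers[cmul(j, i)]
               for j in range(k + n) for i in range(k + n))


def mul_mod(n):
    """Multiplication of the constructed monoid [Z/nZ, ., 1]."""
    return lambda a, b: (a * b) % n


if __name__ == "__main__":
    # In Z/8Z: powers of 2 are 1, 2, 4, 0, 0, ... so <2> is C_{3,1};
    # powers of 3 are 1, 3, 1, ... so <3> is C_{0,2}.
    print(cyclic_type(2, mul_mod(8), 1), cyclic_type(3, mul_mod(8), 1))
    # In Z/10Z the powers of 2 are 1, 2, 4, 8, 6, 2, ...: a tail of length 1, then a 4-cycle.
    print(cyclic_type(2, mul_mod(10), 1), is_isomorphic_to_ckn(2, mul_mod(10), 1))
```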

If M is a monoid, then it can be viewed as a submonoid of a monoid of maps, see
Example 13.1.22.

Theorem 13.2.25. (a) If M is a semigroup, then the map L : M → Maps(M) given
by L_m = (x ↦ m · x) is a homomorphism of semigroups.
(b) If, in addition, M is a monoid, then the map L is an injective homomorphism of
monoids.
In particular, each monoid M is isomorphic to a submonoid of Maps(M).

Proof.
Assertion. The map L is a homomorphism.
Suppose x, y belong to M. Then, for each z in M, L_{x·y}(z) = (x · y) · z = x · (y · z) = L_x(y · z) =
L_x(L_y(z)) = (L_x · L_y)(z). Consequently, L_{x·y} = L_x · L_y, proving that L is a homomorphism of
semigroups.
Assertion. Suppose that M is a monoid with identity e. Then L is an injective homomorphism
of monoids.

Suppose that x and y are elements of M with the same image in Maps(M) under L.
Then x = x · e = L_x(e) = L_y(e) = y · e = y, so L is injective.
The final assertion follows as M is isomorphic to its image under L.

Example 13.2.26. Consider the multiplicative monoid of Z/4Z. Multiplication by 1 is the
identity map. Multiplication by 0 maps all four elements to zero, so equals [0, 0, 0, 0]. Here the
index i of the list corresponds to the element i modulo 4 of Z/4Z. Multiplication by 2 equals
[2, 0, 2, 0] and multiplication by 3 equals [3, 2, 1, 0]. Verify that the composition of any two of
these four elements is again one of these four! This expresses the fact that the image of Z/4Z
under the map L is a submonoid of Maps(Z/4Z).

Remark 13.2.27. For the semigroup with carrier set {a, b} and multiplication given by

 ·  | a  b
 a  | a  a
 b  | a  a

the map L is not injective.
Nevertheless, every semigroup S is a sub-semigroup of Maps(X) for X the union of the carrier
set of S and a disjoint singleton {e}.
This can be shown by extending the multiplication on S to a multiplication on X by demanding
that e be the identity of X. This multiplication turns X into a monoid. Now apply the theorem
to X to conclude that X is a submonoid of Maps(X). As S is a sub-semigroup of X, it is also
a sub-semigroup of Maps(X).

13.3 Invertibility in monoids


Definition 13.3.1 (Inverse). In a monoid with identity element 1 an element h is called the
inverse of the element g if g· h = h· g = 1.
An element is called invertible if it has an inverse.

Example 13.3.2 (Addition of integers). Consider [Z, +, 0]. In this monoid every element has
an inverse: The inverse of a is −a.

Example 13.3.3 (Multiplication of integers). Consider [Z, · , 1]. In this monoid only 1 and −1
have an inverse; they are their own inverses.

Example 13.3.4 (Modular arithmetic). Consider [Z/10Z, ·, 1]. In this monoid only the
elements 1, 3, 7, 9 have an inverse. They are invertible because 3 · 7 ≡ 1 (mod 10) and
9 · 9 ≡ 1 (mod 10).

Example 13.3.5 (Matrices). Thanks to Cramer's rule we know that exactly those real n by n
matrices have an inverse with respect to matrix multiplication that have a nonzero
determinant.

Example 13.3.6 (Monoid of Maps). Consider the monoid Maps ({1, ..., n}) of all maps {1, ..., n} →
{1, ..., n}, in which multiplication is composition of functions and the identity map is the
identity element. In this monoid an element is invertible if and only if it is a permutation.

Example 13.3.7 (Polynomials modulo a given polynomial). In Q[X]/(d)Q[X], where d
is some polynomial in Q[X], an element f ∈ Q[X] represents an invertible element in the
multiplicative monoid of Q[X]/(d)Q[X] if and only if gcd(f, d) = 1.

If an element is invertible, then we can ‘divide by it’, which just means multiplying with the
inverse. But be aware, if multiplication is not commutative, then left and right division might
be different.

Theorem 13.3.8 (Cancellation law). Let x, y, z be elements of a monoid. If x is
invertible and x · y = x · z, then y = z.

Proof. Suppose that x, y, z are elements of the monoid with x · y = x · z, and suppose that x
is invertible with inverse u. Multiplying both sides of the equality by u, we find u · (x · y) =
u · (x · z).
Since · is associative, the definition of inverse gives: y = 1 · y = (u · x) · y = u · (x · y) = u · (x · z) =
(u · x) · z = 1 · z = z.
Hence y = z.

Example 13.3.9. Cancellation does not apply to any three elements in a monoid: For x = 4,
y = 5, and z = 3 in [Z/8Z, ·, 1] we have x · y = x · z, but y ≠ z.

The inverse of an element from a monoid need not exist, but if it does, it is unique:

Corollary 13.3.10. Every element of a monoid has at most one inverse.

Proof. If both y and z are inverses of x, then x· y = e = x· z. Now apply the Cancellation law
(13.3.8) to conclude that y = z.

Example 13.3.11. • In the monoid [N, +, 0], the element 1 has no inverse.
• In the monoid [Z, +, 0], the element 1 has inverse −1.

The inverse of an invertible element g is denoted by g^{-1}.

Theorem 13.3.12. Suppose that [M, ·, e] is a monoid. Then
(a) e is invertible;
(b) if g and h are invertible, then also g · h is invertible with inverse h^{-1} · g^{-1};
(c) if g is invertible, then g^{-1} is also invertible with inverse g;
(d) the subset of invertible elements of M is a submonoid in which every element is
invertible.

Proof.
Assertion. Part (a)
e · e = e, so e^{-1} = e.
Assertion. Part (b)
(g · h) · (h^{-1} · g^{-1}) = g · (h · h^{-1}) · g^{-1} = g · e · g^{-1} = g · g^{-1} = e, so (g · h)^{-1} = h^{-1} · g^{-1}.
Assertion. Part (c)
g · g^{-1} = g^{-1} · g = e, so (g^{-1})^{-1} = g.
Assertion. Part (d)
Follows from the previous parts.

Example 13.3.13. Consider the monoid of all maps from {1, ..., n} to itself. The set of
invertible elements in this monoid is Symn, which is also a monoid.

Example 13.3.14. The invertible elements of the multiplicative monoid of Z/8Z are 1, 3, 5, 7.
Each of these elements is its own inverse. In particular, this submonoid of Z/8Z is not cyclic.

The theorem implies that if g is invertible, then g^n is invertible for positive n. The inverse of
g^n is (g^{-1})^n and is denoted by g^{-n}.

13.4 Groups

Monoids in which every element has an inverse deserve a special name.

Definition 13.4.1 (Definition of a group). A group is a structure [G, ·, e, x ↦ x^{-1}], consisting
of a set G, a binary associative multiplication · with identity element e and a unary operation
x ↦ x^{-1} such that x^{-1} is an inverse of x.

Example 13.4.2 (The integers). [Z, +, 0, z ↦ −z] is the additive group of Z.

Example 13.4.3 (Multiplicative groups in arithmetic). In Q, R, and C every nonzero element
has an inverse with respect to multiplication. So on Q \ {0}, R \ {0}, and C \ {0} we have a
group structure with multiplication being the ordinary multiplication.

Example 13.4.4 (The multiplicative group of Z/pZ). Suppose that p is a prime. Then
multiplication defines a group on Z/pZ \ {0}. Indeed, since p is prime, every element has an
inverse.

Example 13.4.5 (Polynomials). Consider the monoid Q[X]. The structure [Q[X], +, 0, a ↦ −a]
is a group. Multiplication does not define a group structure on Q[X], since X has no inverse.

Example 13.4.6 (Modular polynomial arithmetic). Let R be the ring Q[X]/(X^2 + 1)Q[X].
Then R is a field, as the polynomial X^2 + 1 is irreducible. Thus every nonzero element has a
multiplicative inverse, so multiplication defines a group on R \ {0}.

Example 13.4.7 (Symmetric and Alternating groups). Consider the monoids Symn and Altn
consisting of all permutations, respectively all even permutations. In these monoids, every
element has an inverse. So both these monoids are also groups. This of course justifies the
names symmetric and alternating group.

Example 13.4.8 (Square matrices). Let GL(n, R) denote the set of n by n matrices with real
coefficients and nonzero determinant. Every element in Mn(R) with non-zero determinant
has an inverse with respect to matrix multiplication. Hence GL(n, R) is a group, called the
general linear group. The subset SL(n, R) of matrices of determinant 1 also is a group, called
the special linear group.

Example 13.4.9 (The dihedral groups). These are the groups Dn of symmetries of a regular
n-gon. Consider a regular n-gon Γ. A rotation over 2·k·π/n is a symmetry of Γ.
Also a reflection in a line through the center and a vertex of Γ or the middle of an edge
of Γ is a symmetry. The n different rotations (including the identity) and n different
reflections form a group, denoted Dn.
This group is called the dihedral group of order 2·n.

Example 13.4.10 (The invertible elements of a monoid). By Invertibility in Monoids (13.3.12),
the invertible elements of a monoid M form a group, usually denoted by M^×.

Remark 13.4.11. Just as with monoids, we often talk about a group G without mentioning
all binary and unary operations. Sometimes we indicate with a single word what type of
operation we are considering.
For example, the additive group of the integers is understood to be the group defined on the
monoid [Z, +, 0], whose inverse map is z 7→ −z.

Remark 13.4.12. Since groups are monoids, the properties that we have derived for monoids
so far, also hold for groups.
Notation introduced for monoids will also apply to groups. For example, a group is called
commutative (or abelian after the mathematician Abel) if the corresponding monoid is
commutative, i.e., the multiplication is commutative.

Remark 13.4.13. Note that if [G, ·, e, x ↦ x^{-1}] is a group, then [G, ·, e] is a monoid. Since
every element of a monoid has at most one inverse, we could also have defined a group as a
monoid in which every element has an inverse.

We discuss some constructions of groups. Since groups are also monoids, we can consider
the same constructions as in the previous section on monoids. In particular we will deal with
the direct product of two groups.
Definition 13.4.14 (Direct Product of Groups). If G and H are groups, their direct product as
monoids G × H is a group. It is called the direct product of G and H.
Likewise, the product of several groups can be defined. The direct product of n copies of the
same group G is denoted by Gn .

Proof. By Direct products (13.2.1), this direct product is a monoid. But each element has an
inverse: the inverse of the element (a, b) of G × H is equal to (a^{-1}, b^{-1}).

Example 13.4.15. The direct product Z/2Z × Z/2Z of two copies of the additive group Z/2Z
consists of e = (0, 0), a = (1, 0), b = (0, 1), and c = (1, 1).
Each nonidentity element has order 2 (that is, x^2 = e). Moreover, a · b = c, a · c = b, and
b · c = a. Don't be confused by the multiplicative notation for the binary operation!

Remark 13.4.16. The direct product construction can be considered associative in the sense
that (G × G) × G = G × (G × G) = G × G × G.
Of course, these equalities are considered to be the natural identifications.

Just like submonoids, we can define subgroups.

Definition 13.4.17. A subset H of a group G is called a subgroup if H is a submonoid of the
monoid G and the inverse of every element in H is again in H. Thus, H is a subgroup of G if
the following holds.

• e ∈ H, where e is the identity of G;
• a · b ∈ H and a^{-1} ∈ H for all a, b ∈ H.

Example 13.4.18 (Some subgroups of the additive group of the integers). Consider the subset
n· Z of Z. This set is closed under addition. Moreover, it contains 0 and for each element x
also its opposite −x. So, n· Z is a subgroup of Z.

Example 13.4.19 (Some subgroups of polynomial rings). Let R be a ring like Z, Q, R or
C. For each natural number n, the set of elements of degree at most n form a subgroup of
[R[X], +, 0].
Also, the set of all elements in R[X] that take the value 0 at some fixed x form a subgroup of
the additive group on R[X].

Example 13.4.20 (Permutation groups). A permutation group is by definition a subgroup of
Sym(X) for some set X. We will often consider the finite case and take X = {1, ..., n}. We
find Symn−1 to be a subgroup of Symn. If m is less than n, then we can think of Symm as
consisting of those permutations in Symn that fix all x with x > m. So, we can view Symm as
a subgroup of Symn. Similarly we can view Altm as a subgroup of Altn.

Example 13.4.21 (Some subgroups of the group of invertible matrices). Recall that SL(n, R)
denotes the set of real n by n matrices with determinant 1. Each element in SL(n, R) has
an inverse with respect to matrix multiplication. This inverse has determinant 1. Also, the
product of two elements of SL(n, R) has determinant 1. Hence SL(n, R) is a subgroup of
GL(n, R), called the special linear group.
The subset of matrices of determinant −1 or 1 also forms a subgroup of GL(n, R). The subset
of upper (or lower) triangular matrices of GL(n, R) or SL(n, R) is closed under multiplication
and inverses and hence a subgroup of GL(n, R) or SL(n, R), respectively.

Example 13.4.22 (The rotations in the dihedral group). The rotations in the dihedral group
form a subgroup. Consider a regular n-gon Γ. The rotations over 2·k·π/n, k = 0, ..., n − 1,
around the center of Γ form a subgroup with n elements of Dn.

Just like submonoids are monoids, subgroups are themselves groups: A subgroup contains
the identity element, is closed with respect to taking products and contains the inverse of
every one of its elements.
In the context of groups we also have the notion ‘generated by’.

Definition 13.4.23. Let D be a subset of a group G. The set of all products g1 · g2 · ... · gn where
n is a natural number and gi an element or the inverse of an element of D, is a subgroup of G,
called the subgroup generated by D and denoted ⟨D⟩_G.
If the group G is clear from the context, one often writes ⟨D⟩ instead of ⟨D⟩_G.
If G = ⟨D⟩_G, then we say that G is generated by D. A group is called finitely generated if the
group is generated by a finite set.
We call a group cyclic if it can be generated by a single element.

Example 13.4.24 (Some groups generated by one element). A group generated by a single
element g is cyclic and consists of the (not necessarily distinct) positive and negative powers
of g: ..., g^{−2}, g^{−1}, g^0 = 1, g^1, g^2, ....
The group [Z, +, 0, z ↦ −z] or [Z/nZ, +, 0, z ↦ −z] is cyclic. It can be generated by 1 and by −1.
The group (Z/10Z)^× of invertible elements in Z/10Z is cyclic. It can be generated by the
element 3.

Example 13.4.25 (Generators for symmetric and alternating groups). Every element of Symn
is a product of transpositions, see Every permutation is a product of transpositions (8.2.13).
Thus Symn is generated by its transpositions. The even elements of Symn can be written as
products of 3-cycles, see Every even permutation is a product of 3-cycles (8.3.10). Hence
Altn is generated by its 3-cycles.

Example 13.4.26 (Two generating reflections for Dn). Consider Dn, the group of symmetries
of a regular n-gon. If r and s denote two reflections in Dn whose reflection lines make an angle
of π/n, then their product is a rotation over 2·π/n. Hence we have the following equalities,
where 1 denotes the identity map: r^2 = 1 = s^2, (r·s)^n = 1. Now it is straightforward to check
that the elements of Dn are 1, r, r·s, r·s·r, ..., r·s·r· ... ·s·r, s. (Can you find out which one of
these is a reflection and which one is a rotation?) So, the group Dn is generated by r and s.

The subgroup of a group G generated by a set D equals the submonoid generated by D ∪ D^−1,
where D^−1 is the set of all d^−1 for d ∈ D.
The two results for monoids on intersections and monoids generated by subsets have their
analogues for groups.

Theorem 13.4.27. Let C be a collection of subgroups of a group G. Then ∩_{c∈C} c is also
a subgroup of G.

Proof. Let K be ∩_{H∈C} H. Then by the result on intersections of submonoids we find that K is a
submonoid of G. It remains to check that for every k ∈ K, also the inverse k^−1 is in K.
Since k is an element of every H in C, also k^−1 is in H for every H in C (this is because H
is a subgroup). Hence k^−1 is in the intersection K of all H in C.

Now the abstract characterization of ⟨D⟩_G.

Theorem 13.4.28. Let G be a group and D a subset of G. Then

• ⟨D⟩_G is the smallest subgroup of G containing D;
• ⟨D⟩_G = ∩_{c∈C} c, where C is the collection of all subgroups of G that contain D.

Proof. Compare this with the proof of Characterization of the submonoid generated by a set
(13.2.11).

Example 13.4.29. In the additive group of the integers, the multiples n· Z of a fixed number
n form a subgroup. The intersection of m· Z and n· Z is the subgroup lcm (m, n) · Z.

We now consider three special types of subgroups.

Theorem 13.4.30. Let G be a group and X a subset of G. Then each of the following
three subsets of G is a subgroup of G.

• The centralizer of X in G, i.e., the subset of all g ∈ G with g·x = x·g for all x of X.
• The normalizer of X in G, i.e., the subset of all g ∈ G with g·X·g^−1 = X.
• The center of G, i.e., the centralizer of G itself.

Proof. We prove that the centralizer C in G of a set X is a subgroup of G. The other cases are
left to the reader.
Assertion. The centralizer C contains the unit element 1.

For each x ∈ X we have 1· x = x = x· 1. Hence 1 ∈ C.


Assertion. C is closed under multiplication.

Suppose g and h are both in C. Then they centralize X, that is, g·x = x·g and h·x = x·h for
all x ∈ X. Consequently, (g·h)·x = g·(h·x) = g·(x·h) = (g·x)·h = (x·g)·h = x·(g·h), and we find
that g·h also centralizes X, and so belongs to C.
Assertion. C is closed under inversion.

Suppose g belongs to C. Then g·x = x·g for all x in X. Multiplying this equality from the
right and left with g^−1 we find x·g^−1 = g^−1·x. Since this holds for all x in X, we conclude
that g^−1 also centralizes X.
Hence the centralizer of X is a subgroup of G.

Example 13.4.31 (Commutative groups). If G is commutative, then centralizer, normalizer
of any subset and center of G are all three equal to G.

Example 13.4.32 (Symmetric groups). The center of Sym(n) is trivial if n > 2. It only con-
sists of the identity. Indeed, if c is an element of the center, it has to commute with the
transposition (1, 2). Hence c(2) = c((1, 2) (1)) = (1, 2) (c(1)). Since c(2) and c(1) are dis-
tinct, we find that c(1) is in the support of (1, 2). The same reasoning with (i, j) instead of
(1, 2) yields that c(i) is in the support of (i, j). Varying j implies that c(i) = i.
How about the case n = 2?

Example 13.4.33 (General linear groups). Consider the group GL(n, R). The center of this
group coincides with the set of diagonal matrices with nonzero determinant. The proof of
this fact is similar to Example 13.4.32. Fix a basis B consisting of b_1, ..., b_n. Let P_{i,j} be
the linear map that interchanges the basis vectors b_i and b_j and fixes all other basis elements
of B.
If c is an element in the center, then it commutes with all P_{i,j}. Suppose n > 2 and let k
be different from i, j. Then c(b_k) = c(P_{i,j}(b_k)) = P_{i,j}(c(b_k)). So c(b_k) is contained in
the 1-eigenspace of P_{i,j}. Similarly we obtain that c(b_k) is contained in the 1-eigenspace of
Q_{i,j}, the linear map that fixes all b_k except for b_i and b_j, and acts on these two elements as
follows: Q_{i,j}(b_j) = −b_i and Q_{i,j}(b_i) = b_j. Thus c(b_k) is contained in the space generated
by B \ {b_i, b_j}. Varying i and j, we easily find that c(b_k) is a scalar multiple of b_k. Hence
c has a diagonal matrix with respect to the basis B. But B was chosen to be an arbitrary basis.
Hence, each vector is an eigenvector of c. It follows that c has only one eigenvalue, and so c
is multiplication by a scalar.
Again the case n = 2 is left to the reader.

Remark 13.4.34. The normalizer of a subset X of G contains the centralizer as a subgroup of
G. Both the normalizer and the centralizer of X contain the center of the group.
The center of a group is commutative.

13.5 Cyclic groups

Cyclic groups, just like cyclic monoids, are well understood.


Theorem 13.5.1. Let G = [{g^k | k ∈ Z}, ·, e, x ↦ x^−1] be a cyclic group of size n with
generator g. If n is infinite, then G is isomorphic to [Z, +, 0, x ↦ −x]. If n is finite,
then G is isomorphic to [Z/nZ, +, 0, x ↦ −x].

Proof.
Assertion. The map f : Z → G given by f(i) = g^i is a homomorphism of groups.
For any i, j ∈ Z, g^(i+j) = g^i · g^j and g^0 = e.
Assertion. If there is no positive integer n such that g^n = e, then f is a bijection.

Clearly, f is surjective. Suppose there are distinct integers i > j such that g^i = g^j. Then,
for n = i − j > 0, we have g^n = g^(i−j) = e, contradicting the assumption. Thus, f is injective
as well, and hence an isomorphism.
Assertion. Otherwise, if n is the minimal positive integer with g^n = e, then G is isomorphic
to Z/nZ.

By the choice of n, the elements g^i for i = 0, 1, ..., n − 1 are all distinct. Now for any m =
q·n + r, with q the quotient and r the remainder of m divided by n, we have f(m) = g^m =
g^(q·n+r) = (g^n)^q · g^r = g^r = f(r). In particular, the map f' : Z/nZ → G given by f'(m + n·Z) =
g^m is well defined. It is straightforward to check that f' is an isomorphism of groups.

Example 13.5.2. Another incarnation of the finite cyclic group Cn of order n is the subgroup
of Symn generated by (1, 2, ..., n).

Remark 13.5.3. In the case where the cyclic group G is finite of order n, it is isomorphic to
the monoid C0,n defined and studied in the Characterization of cyclic monoids (13.2.23). In
other words, Cn is isomorphic to C0,n .

The size of a finite group or monoid is often referred to as its order.
A cyclic group of order n is denoted by Cn. If n is finite, then we also use Z/nZ for a cyclic
group of order n, as Cn is isomorphic to the additive group of Z/nZ.

Definition 13.5.4. If G is a group and g ∈ G, then the order of g is the smallest positive integer
m with g^m = e. If no positive integer m with g^m = e exists, we say that the order of g is infinite.

Example 13.5.5. • The order of the identity element is 1.
• The order of the permutation (1, 2, 3) in Sym3 is 3. Indeed, (1, 2, 3)^3 = 1 but (1, 2, 3)^2 =
(1, 3, 2), which is not equal to 1.
• The order of the complex number i is 4.
• The order of 2 in (Z/5Z)^× is 4, as follows from 2^2 = 4, 2^3 = 3, and 2^4 = 1.

Example 13.5.6. • The order of g in G is the size of the subgroup ⟨g⟩_G of G generated by g.
• The notion of order introduced here generalizes the notion of the order of a permutation
defined in Order of a Permutation (8.1.6).

Remark 13.5.7. The order of an element g of a group G is equal to the order of the subgroup
of G generated by g. Both are equal to the size of the set {e, g, g^2, ...}.

For cyclic groups we can give more detailed information on the order of its elements:

Theorem 13.5.8. Let G be a cyclic group of order n with generator g.

(a) Every subgroup of G is cyclic.
(b) ⟨g^k⟩_G = ⟨g^d⟩_G for d = gcd(n, k); it is a subgroup of order n/d.
(c) g^k generates G if and only if gcd(k, n) = 1.

Proof. Let G be a cyclic group of order n with generator g.

Assertion. Every subgroup of G is cyclic.

Let H be a subgroup of G, and suppose that k is the smallest positive integer such that g^k is in
H. Suppose now that g^l is also in H for some positive integer l. By the extended Euclidean
algorithm, there exist integers a and b such that m = gcd(k, l) can be expressed as a·k + b·l.
But then g^m, being equal to (g^k)^a · (g^l)^b, is an element of H. By the choice of k, we find that
k = m and that l is a multiple of k. In particular, g^l is an element of ⟨g^k⟩. This proves that
H = ⟨g^k⟩.

Assertion. ⟨g^k⟩_G = ⟨g^d⟩_G for d = gcd(n, k); it is a subgroup of order n/d.

Let d = gcd(k, n). By the extended Euclidean algorithm there is a relation d = a·k + b·n. So,
for every l we have the relation d·l = a·k·l + b·n·l. Since g^n = 1, this implies that every power
of g^d is also a power of g^k. On the other hand, as d divides k, every power of g^k is also a
power of g^d. This shows that g^k and g^d generate the same subgroup of G. Since d divides n,
the first power of g^d equal to 1 is (g^d)^(n/d). Therefore, the subgroup ⟨g^d⟩ of G has order n/d.

Assertion. g^k generates G if and only if gcd(k, n) = 1.

In view of Part (b) and the fact that the value of gcd(k, n) does not change after replacement
of k by gcd(k, n), we may assume that k divides n.
But then, by the second assertion of Part (b), the order of ⟨g^k⟩ is n/k. This is equal to n if
and only if k is equal to 1. Part (c) follows since the subgroup ⟨g^k⟩ of G coincides with G if
and only if its order is equal to n.
Example 13.5.9. If g is an element of a cyclic group G of order n, then the order of g is a
divisor of n. We can use this to show that 2 generates the multiplicative group of Z/101Z:
Since 101 is prime, the group (Z/101Z)^× of invertible elements of Z/101Z contains 100 ele-
ments. By Fermat's little theorem we also have that 2^100 ≡ 1 (mod 101). Thus the order of 2
is a divisor of 100. Easy computations show that

• 2^10 ≡ 14 (mod 101),
• 2^20 ≡ −6 (mod 101), and
• 2^50 ≡ (−6) · (−6) · 14 = 504 ≡ −1 (mod 101).

Hence the order of 2 is neither a divisor of 50 nor of 20, and so it is 100.

The above implies that the number of generators in a cyclic group of order n equals Φ(n).
(Here Φ denotes the Euler indicator.)
We use this in the following characterization.

Theorem 13.5.10 (Characterisation of cyclic groups). Let G be a finite group of order n.
The group G is cyclic if for each proper divisor m of n, there are exactly m elements g
in G with g^m = 1.

Proof. Denote by ψ(m) the number of elements g in G of order m. Then we have

ψ(1) = 1 (13.12)

and

ψ(m) = m − ∑_{1≤d<m, d|m} ψ(d) (13.13)

for every divisor m of n. This implies that ψ satisfies the same recursion as the Euler totient
function, see Euler Totient Theorem (10.3.7). In particular, ψ = Φ.
But that implies that G contains Φ(n) > 0 elements of order n and hence G is cyclic.
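The argument of Example 13.5.9, the subgroup order n/gcd(n, k) of Theorem 13.5.8(b) and the solution count of Theorem 13.5.10, as an added Python example (not code from the book): it computes orders in (Z/nZ)^× by repeated multiplication, tests a generator of (Z/pZ)^× using only the prime divisors of p − 1, and counts solutions of g^m = 1 to tell the cyclic (Z/101Z)^× from the non-cyclic (Z/15Z)^×.

```python
from math import gcd


def prime_divisors(n):
    """Distinct prime divisors of n by trial division (n is small here)."""
    result, p = [], 2
    while p * p <= n:
        if n % p == 0:
            result.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        result.append(n)
    return result


def unit_group(n):
    """(Z/nZ)^x: the residues a with gcd(a, n) = 1 (Exercise 13.7.20)."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def element_order(g, n):
    """Order of g in (Z/nZ)^x: the least m >= 1 with g^m = 1 (Definition 13.5.4)."""
    if gcd(g, n) != 1:
        raise ValueError("g is not invertible modulo n, so it has no order")
    m, x = 1, g % n
    while x != 1:
        x = (x * g) % n
        m += 1
    return m


def cyclic_subgroup(g, k, n):
    """The subgroup <g^k> of (Z/nZ)^x as a set of residues (Theorem 13.5.8(b))."""
    h = pow(g, k, n)
    subgroup, x = {1}, h
    while x != 1:
        subgroup.add(x)
        x = (x * h) % n
    return subgroup


def is_generator_mod_p(g, p):
    """Example 13.5.9 in general: for a prime p the order of g divides p - 1,
    and every proper divisor of p - 1 divides (p - 1)/q for some prime q | p - 1.
    So g generates (Z/pZ)^x iff g^((p-1)/q) != 1 for each such q."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_divisors(p - 1))


def generators_mod_p(p):
    """All generators of (Z/pZ)^x; Theorem 13.5.8(c) predicts Phi(p - 1) of them."""
    return [g for g in range(1, p) if is_generator_mod_p(g, p)]


def solutions_of_power_equation(m, n):
    """Number of g in (Z/nZ)^x with g^m = 1, the count used in Theorem 13.5.10."""
    return sum(1 for g in unit_group(n) if pow(g, m, n) == 1)
```

The prime-divisor test needs only a few modular exponentiations instead of up to p − 1 multiplications, which is what makes it usable for the large primes of Diffie-Hellman style groups.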

13.6 Cosets

Let G be a group and H a subgroup of G. For g ∈ G, we write

g· H = {g· h| h ∈ H} (13.14)

Lemma 13.6.1. Let ∼ be the relation on G given by g ∼ k if and only if k^−1·g ∈ H.

• The relation ∼ is an equivalence relation.
• The ∼-equivalence classes are the sets g·H with g ∈ G.

Proof.
Assertion. ∼ is an equivalence relation.
We need to establish that ∼ is reflexive, symmetric, and transitive.

• Reflexivity: g ∼ g, since g^−1·g = 1 ∈ H.
• Symmetry: If g ∼ k, then k^−1·g ∈ H. But then (k^−1·g)^−1 = g^−1·k is also in H and we find
k ∼ g.
• Transitivity: If g ∼ k and k ∼ h, then k^−1·g, h^−1·k ∈ H. But then also h^−1·k·k^−1·g =
h^−1·g ∈ H. Hence g ∼ h.

Assertion. The ∼-equivalence classes are the sets g·H with g ∈ G.

Let k, g ∈ G. Then k ∼ g is equivalent to the existence of h ∈ H such that g^−1·k = h, which
in turn is equivalent to k = g·h for some element h of H, and so can be rewritten as k ∈ g·H.

Example 13.6.2. Let G be the cyclic (additive) group [Z/nZ, +, 0, −] of order n = p· q, and
let H be the subgroup generated by the residue class of the integer q in Z/nZ. Then H has
order p, and r ∼ s if and only if q divides r − s. In particular, the equivalence class of r
consists of all residue classes in Z/nZ of s ∈ Z such that s ≡ r (mod q).
Taking the specific values n = 15, p = 5, q = 3, we find H = {0, 3, 6, 9, 12} and the equivalence
classes are: H, 1 + H = {1, 4, 7, 10, 13}, 2 + H = {2, 5, 8, 11, 14}.

The ∼-equivalence classes of an equivalence relation partition G. These ∼-equivalence
classes are so important that they deserve a special name:

Definition 13.6.3 (Definition of Cosets). The ∼-equivalence classes g·H with g ∈ G, are
called the left cosets of H in G.
The set of all left cosets g·H of H in G is denoted by G/H.
For g ∈ G, we write

H·g = {h·g | h ∈ H} (13.15)

This set is called the right coset of H containing g.
The right cosets of H partition G. The set of all right cosets of H in G is denoted by G\H.

Example 13.6.4. Some examples of cosets are:

• Cosets of a subspace of a vector space. Let V be a real vector space. The linear subspaces
of V are subgroups of the additive group on V. The left (and right) cosets of a fixed
1-dimensional linear subspace L of V are those lines in V that are parallel to L.
• The left cosets of H = Sym2 in G = Sym3 are:
– H,
– (2, 3)·H = {(2, 3), (1, 3, 2)}, and
– (1, 3)·H = {(1, 3), (1, 2, 3)}.
• The right cosets of H in G are:
– H,
– H·(2, 3) = {(2, 3), (1, 2, 3)}, and
– H·(1, 3) = {(1, 3), (1, 3, 2)}.

We introduce computations with cosets. It is a preparation for the construction of the quotient
group.
Let G be a group. If X, Y are subsets of the group G and a, b ∈ G, then we write a·X =
{a·x | x ∈ X}, X·a·Y = {x·a·y | (x, y) ∈ X × Y}, a·X·b·Y = {a·x·b·y | (x, y) ∈ X × Y}, etc.
Let H be a subgroup of G.

Theorem 13.6.5. Suppose that H is a subgroup of G. Then, for all a, b ∈ G

i. a·(b·H) = (a·b)·H;
ii. (a·H)·H = a·H;
iii. If a ∈ b·H, then a·H = b·H.
Proof.
Assertion. a·(b·H) = (a·b)·H.
a·(b·H) = a·{b·x | x ∈ H} = {a·(b·x) | x ∈ H} = {(a·b)·x | x ∈ H} = (a·b)·H.
Assertion. (a·H)·H = a·H.

Since H contains the identity element, we clearly have H ⊂ H·H. But H, being a subgroup of
G, is closed under multiplication, so H·H = H. The assertion follows by left multiplication
with a.
Assertion. If a ∈ b·H, then a·H = b·H.

Suppose a ∈ b·H. Then a·H is a subset of b·H. But, as these cosets are classes of an
equivalence relation, they coincide.

Remark 13.6.6. Group multiplication induces a monoid structure on P (G), the collection of
all subsets of G. The identity element is {1G }. The expressions X· a·Y and a· X· b·Y discussed
earlier can be seen as elements of the monoid.

The cosets of H in G are the equivalence classes of the equivalence relation ∼, called ‘con-
gruence modulo H’, on the set G given by a ∼ b if and only if b^−1·a ∈ H. Observe that a ∼ b
if and only if a·H = b·H.
The following result is a very important consequence of the fact that the left cosets of a
subgroup partition a group.

Theorem 13.6.7 (Lagrange’s theorem). Let G be a finite group and H a subgroup of
G. Then |G/H| = |G| / |H|. In particular, |H| divides |G|.

Proof. The (left or right) cosets of a subgroup H of G are the equivalence classes of the
equivalence relation ∼. Thus, these cosets partition the set G. As each coset contains |H|
elements we find that |H| divides |G|.

Example 13.6.8. Let G be the cyclic (additive) group Z/nZ of order n = p· q, and H the
subgroup generated by the residue class q ∈ Z/nZ. Then H has order p, and |G/H| = q. The
cosets are of the form r + H with r = 0, ..., q − 1.

Remark 13.6.9. The converse of Lagrange’s theorem does not hold! The group Alt5 has 60
elements, but does not have a subgroup containing 30 elements.
Here is the proof. Suppose that H is a subgroup of order 30. Then there must be a 3-cycle g
which is not contained in H, since the 3-cycles generate Alt5. Every (left) coset of H contains
30 elements, so there are only two of them. As soon as an element a is not contained in H,
then H and a·H are the two left cosets. Apply this observation to the elements g and g^2: the
group Alt5 is partitioned into the two left cosets H and g·H, but also into the two left cosets
H and g^2·H. But g^2 is not in H, because then g^4, which equals g, would also be in H. This
implies that g·H = g^2·H. We conclude that the element g^2 is in g·H, which in turn implies
that g is in H. This is a contradiction.

Remark 13.6.10. The analog of Lagrange’s theorem for right cosets also holds: |H\G| =
|G| / |H| = |G/H|.

If H is a subgroup of G, then the quotient |G| / |H| is called the index of H in G.
In Order of an Element (13.5.7) we saw that the order of an element g of G is equal to the
order of the subgroup of G generated by g. Thus we find:

Corollary 13.6.11. If G is a finite group and g ∈ G, then the order of g divides |G|.

Proof. Let g be an element of the finite group G. Then the order of g equals the number of
elements in the subgroup ⟨g⟩ of G. In particular, Lagrange’s Theorem implies that the order
of g divides |G|.

The following famous result is a second corollary to Lagrange’s theorem (13.6.7).

Theorem 13.6.12 (Fermat’s little theorem). If p is a prime number, then the multi-
plicative monoid Z/pZ \ {0} is a group. So, for all n not divisible by p, we have
n^(p−1) ≡ 1 (mod p).

Proof. Since p is a prime, we find (Z/pZ)^× to be a (multiplicative) group of order p − 1.
Hence the order of every element x is a divisor of p − 1, so that x^(p−1) = 1. This just says that
for every n which is not divisible by p we have that n^(p−1) equals 1 modulo p.

Example 13.6.13. The multiplicative group of Z/pZ is actually cyclic, as we shall see later.
However, there is no closed expression known for a generator of this group. The residue of
the integer 2 in Z/pZ is a generator when p = 3 or p = 5 but not when p = 7. In the latter
case, 3 is a generator.

In general, left cosets need not coincide with right cosets. If they do, we have a case that
deserves special attention. Let G be a group.

Theorem 13.6.14 (Normality). Let H be a subgroup of G. The following assertions
are equivalent.
(a) g·H = H·g for every g ∈ G.
(b) g·h·g^−1 ∈ H for every g ∈ G and h ∈ H.

If H satisfies these properties, it is called a normal subgroup of G.
To indicate that H is a normal subgroup of G we write H ◁ G or H ⊴ G.

Proof.
Assertion. (a) implies (b).
Suppose g·H = H·g for every g ∈ G. Then for each h ∈ H we have an element h' ∈ H with
g·h = h'·g. So, g·h·g^−1 = h', proving g·h·g^−1 ∈ H.
Assertion. (b) implies (a).

Suppose for all g ∈ G and h ∈ H we have g·h·g^−1 ∈ H. Then g·h can be written in the form
h'·g for some h' ∈ H. This shows that g·H is contained in H·g. Now apply this for g^−1.
Hence g^−1·H is contained in H·g^−1. Multiplying by g from the left and from the right
yields that H·g is contained in g·H.

Example 13.6.15. Let G be the symmetric group Sym3. The subgroup

H = {e, (1, 2, 3), (1, 3, 2)}

of order 3 is a normal subgroup. It has index 2. In fact, more generally, whenever H is a
subgroup of G of index 2, it is a normal subgroup. For then, for g ∈ G, either g ∈ H and so
g·H = H = H·g, or not, in which case g·H = G \ H = H·g.

Example 13.6.16. Let G be the symmetric group Sym4 . The subgroup H = {e, (1, 2) (3, 4) , (1, 3) (2, 4) , (1, 4) (2, 3)}
of order 4 is a normal subgroup. For, it is a subgroup and it is the union of two conjugacy
classes. It has index 6 in G.
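The coset computations of Example 13.6.4, the index of Lagrange's theorem (13.6.7) and the normality test of Theorem 13.6.14, run on Sym3 and Sym4 as an added Python example (not code from the book). Permutations are tuples on {0, ..., n−1} composed right-to-left like the book's maps, so the 1-based cycle (2, 3) is written from_cycles(3, (1, 2)).

```python
from itertools import permutations


def compose(p, q):
    """(p o q)(x) = p(q(x)); a permutation is a tuple with p[x] the image of x.
    This is the book's convention: (2,3)(1,2) = (1,3,2) in Example 13.6.4."""
    return tuple(p[q[x]] for x in range(len(p)))


def inverse(p):
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return tuple(inv)


def from_cycles(n, *cycles):
    """Permutation of {0, ..., n-1} given by disjoint cycles (0-based)."""
    p = list(range(n))
    for c in cycles:
        for a, b in zip(c, c[1:] + c[:1]):
            p[a] = b
    return tuple(p)


def sym(n):
    """Sym_n as a set of tuples."""
    return frozenset(permutations(range(n)))


def generated_subgroup(gens, n):
    """<gens>: closure under multiplication. In a finite group the closure
    already contains all inverses (Exercise 13.7.31), so this is the
    subgroup of Definition 13.4.23."""
    e = tuple(range(n))
    H, frontier = {e}, [e]
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = compose(x, g)
            if y not in H:
                H.add(y)
                frontier.append(y)
    return frozenset(H)


def left_coset(g, H):
    return frozenset(compose(g, h) for h in H)   # g.H, equation (13.14)


def right_coset(g, H):
    return frozenset(compose(h, g) for h in H)   # H.g, equation (13.15)


def left_cosets(G, H):
    return frozenset(left_coset(g, H) for g in G)


def right_cosets(G, H):
    return frozenset(right_coset(g, H) for g in G)


def index(G, H):
    """|G/H| read off the coset partition; Lagrange says it equals |G| / |H|."""
    cosets = left_cosets(G, H)
    if sum(len(c) for c in cosets) != len(G):
        raise ValueError("the sets g.H overlap, so H is not a subgroup")
    return len(cosets)


def is_normal(G, H):
    """Theorem 13.6.14(b): g.h.g^-1 in H for all g in G and h in H."""
    return all(compose(compose(g, h), inverse(g)) in H for g in G for h in H)
```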

Example 13.6.17. Some examples of normal subgroups in familiar groups:

• Symmetric groups: The alternating group Altn is a normal subgroup of Symn: If h is even,
then g·h·g^−1 is an even element of Symn for each g.
• Linear groups: SL(n, R) is a normal subgroup of GL(n, R): If det(A) = 1, then for every
invertible matrix B, the product B·A·B^−1 has determinant 1.
• The center of a group: The center of a group is a normal subgroup since all its elements
commute with every element in the group.
• Commutative groups: Suppose that G is a commutative group and H is a subgroup. Then
for every g ∈ G and h ∈ H, we have g·h·g^−1 = h, so H is a normal subgroup of G. This
shows that every subgroup of a commutative group is normal.

Normal subgroups and their cosets play a special role with respect to homomorphisms. See
also Section .

Theorem 13.6.18 (Normal subgroups and Kernels of homomorphisms). Let f : G → H
be a group homomorphism.
Let N be the kernel of f. Then N is a normal subgroup of G.
Moreover, if g ∈ G, then the preimage of f(g) is the coset g·N of N.

Proof. For g in G and n in N we have

f(g·n·g^−1) = f(g) · f(n) · f(g^−1) = f(g) · f(g^−1) = f(1) = 1 (13.16)

which implies g·n·g^−1 to be an element of N. So N is indeed a normal subgroup.
Now consider elements g and h of G with f(g) = f(h). Then

(f(g))^−1 · f(h) = f(g^−1·h) = 1 (13.17)

and hence, g^−1·h is in the kernel of f, which is N. But that implies that h is inside the coset
g·N of N.
Clearly all elements of this coset are mapped to f(g) and we find the coset to be the full
preimage of f(g).

13.7 Exercises
Exercise 13.7.1. Show that for an associative and commutative binary operation · the products
((a· a)· ((b· a)· b)) and (a· (a· (b· (a· b)))) are equal.

Exercise 13.7.2. Write an algorithm that takes as input an n × n multiplication table and that
checks for associativity and commutativity of the multiplication.

Exercise 13.7.3. Let (M, ·, e) be a monoid.
Prove: if every element x satisfies x^2 = x · x = e, then the monoid M is commutative.

Exercise 13.7.4. Let (S, ·) be a semigroup. We can extend S with an identity element e,
which is not in S. Now consider [S ∪ {e}, ·₁, e], where e ·₁ x = x = x ·₁ e for all x ∈ S ∪ {e} and
x ·₁ y = x · y for all x, y ∈ S.
Is this new structure [S ∪ {e}, ·₁, e] a semigroup? And a monoid?
What happens if (S, ·) contains an identity element?

Exercise 13.7.5. Which of the two monoids on 2 elements, Z/2Z with addition or with multi-
plication, is the extension of a semigroup with an identity element as described in the previous
exercise?

Exercise 13.7.6. Show that the direct product of two monoids is again a monoid.

Exercise 13.7.7. Find two submonoids of (Z/6Z, +, 0) such that their union is not a sub-
monoid.

Exercise 13.7.8. If Si is a submonoid of the monoid Mi for each i ∈ {1, 2}, then S1 × S2 is a
submonoid of M1 × M2 . Prove this.

Exercise 13.7.9. Suppose a1, b1, a2, b2, ..., an, bn are elements of Q, and p is an integer greater
than |b1 · b2 · ... · bn|.

• Show that 1/p is not contained in the submonoid of (Q, +, 0) generated by a1, b1, a2, b2, ..., an, bn.
• Prove that Q is not finitely generated.

Exercise 13.7.10. Let X be a nonempty set. If M is a monoid with unit element e, then we
can define a monoid structure on the set F of all maps from X to M as follows.

• If f and g are in F, then their product f · g is defined by (f · g)(x) = f(x) · g(x).

• The constant map x 7→ e is the identity element.

Prove this.

Exercise 13.7.11. Let M be a cyclic monoid generated by the element c. Suppose that c^2 ≠ e,
c^2 ≠ c^6, and c^4 = c^8. With which cyclic monoid Ck,l is M isomorphic?

Exercise 13.7.12. Let M be the cyclic monoid generated by c and isomorphic to Ck,l . Write
an algorithm that rewrites every power of c to a power of c whose exponent i satisfies i ≤ k +l.

Exercise 13.7.13. Suppose that f : M → N is a homomorphism. Prove that the image of f is
a submonoid of N and that the kernel of f, i.e., {m ∈ M | f(m) = 1N}, is a submonoid of M.

Exercise 13.7.14. Determine up to isomorphism all monoids on three elements.

Exercise 13.7.15. On R we define the operation ∗ by x ∗ y = x + y − x·y.

(a) Is ∗ commutative?
(b) Is ∗ associative?
(c) Is there an identity element in R with respect to ∗?

Exercise 13.7.16. Consider the monoid M consisting of n by n matrices over the reals whose
multiplication is matrix multiplication. Which of the following sets are submonoids?

(a) The set consisting of only the zero matrix.

(b) The set consisting of only the identity matrix.


(c) The set of all matrices with determinant 1.
(d) The set of matrices with trace 0.

(e) The set of upper triangular matrices.

Exercise 13.7.17. Determine, for every m ∈ {3, 4, 5}, the integers k and l such that the sub-
monoid of [Z/mZ, · , 1] generated by 2 is isomorphic to Ck,l .

Exercise 13.7.18. Prove that the monoid [Z/8Z, · , 1] cannot be generated by less than 3 ele-
ments.
Prove that it can be generated by 3 elements.

Exercise 13.7.19. Let [M, · , 1] be a monoid. Define a new multiplication · on M by x· y = x· y.
Prove that [M, · , 1] is also a monoid.

Exercise 13.7.20. Prove that in the monoid [Z/nZ, ·, 1] an element m has an inverse if and
only if gcd(m, n) = 1.

Exercise 13.7.21. Let M1 , M2 be monoids. Prove that the invertible elements of M1 × M2 are
of the form (m1 , m2 ) with m1 invertible in M1 and m2 invertible in M2 .

Exercise 13.7.22. What are the invertible elements of Ck,l ?

Exercise 13.7.23. Determine the invertible elements of the following monoids.

(a) [Z/2Z × Z/3Z, ·, 1].
(b) The multiplicative monoid of Q[X]/(X^2)Q[X].
(c) The multiplicative monoid of Z/16Z.

Exercise 13.7.24. Consider the group G of invertible elements in the multiplicative monoid
of Z/26Z.

(a) How many elements does G have?
(b) G is cyclic. Find all possible single generators.

Exercise 13.7.25. Is the following true? If G is a group of order n, and m is a positive divisor
of n strictly smaller than n, then G contains an element of order m.

Exercise 13.7.26. Let G be a finite group. Show that each element of G appears exactly once
in each column and each row of the multiplication table (also called Cayley-table) of G.

Exercise 13.7.27. Let I be the identity matrix of size n, i.e., the n by n matrix with ones on the
diagonal and zeros outside the diagonal. For any matrix A we denote by A^T the transposed
matrix of A.
Let R be a commutative ring. Prove that the set O(n, R) = {A ∈ GL(n, R) | A·A^T = I} is a
subgroup of GL(n, R).

Exercise 13.7.28. Prove that the groups C2 ×C3 and C6 are isomorphic.
Show that these two groups are not isomorphic to Sym3 .

Exercise 13.7.29. (a) Show that the map f : Z × Z → Z, (x, y) ↦ x − 2·y is a morphism of the
additive groups. What is the image of this homomorphism?
(b) Let G be a group and g an element of G. Prove that the map f : Z → G, k ↦ g^(2·k) is
a homomorphism of groups. What is the image of f if the order of g equals 6 or 7,
respectively?
(c) Determine all homomorphisms of the additive group Z/4Z to itself. Which of these
are isomorphisms?
(d) If f : G → K and h : K → L are homomorphisms of groups, then the composition
h ∘ f : G → L is also a homomorphism of groups. Prove this. Deduce furthermore that
if G is isomorphic with K and K with L, then G is isomorphic with L.

Exercise 13.7.30. Determine the order of the element (1, 2) (3, 4, 5) in Sym5 .
Prove that, in general, the order of a permutation equals the least common multiple of the
cycle lengths occurring in a disjoint cycle decomposition.

Exercise 13.7.31. Let G be a group and H a nonempty finite subset of G closed under multi-
plication. Prove the following statements.

(a) For h in H, the elements h^1, h^2, h^3, ... are not all distinct.
(b) The identity element belongs to H.
(c) Every element of H has finite order.
(d) H is a subgroup of G.

Exercise 13.7.32. Let G be a finite group of order m. Let g be in G. Suppose that for each
prime divisor p of m the element g^(m/p) is not the identity. Prove that the group G is generated
by g.

Exercise 13.7.33. Let G be a cyclic group with generator g.

(a) Show that the map f : Z → G, k ↦ g^k is a homomorphism of groups.
(b) Suppose that G has order n. Show that the map f : Z/nZ → G, k ↦ g^k is well defined
and is an isomorphism of groups.

Exercise 13.7.34. Consider the additive group G = Z × Z.

(a) Prove that this group is not cyclic, but can be generated by the elements (2, 3) and
(3, 4).
(b) Prove that (a, b) and (c, d) generate the group if and only if a· d − b· c ∈ {1, −1}.

Exercise 13.7.35. Let G be a group of order 4. Prove the following statements.

(a) If G contains an element of order 4, then G is cyclic and isomorphic to C4.
(b) If G contains no element of order 4, then G is commutative and isomorphic to C2 × C2.

Exercise 13.7.36. Let p be a prime. Then the multiplicative group (Z/pZ)^× is cyclic. (This
will be proved in Multiplicative group of a field (14.7.5).) Write an algorithm that determines
a generator for (Z/pZ)^×. Determine all odd primes p less than 10,000 such that 2 is a generator
for this group. (It is a conjecture of Artin that there are infinitely many primes p for which
2 generates the group (Z/pZ)^×. Although very likely, as of April 2011, it is not known to be
true.)

Exercise 13.7.37. Determine the left and right cosets of Sym3 in Sym4 .

Exercise 13.7.38. The kernel of a group homomorphism is a normal subgroup as follows
from Normal subgroups and Kernels of homomorphisms (13.6.18). Can you provide such a
homomorphism for the normal subgroups discussed in Example 13.6.17?

Exercise 13.7.39. Suppose G and H are finite groups admitting a surjective homomorphism
from G to H.
Show that the order of H divides the order of G.

Exercise 13.7.40. Suppose G is a group and H a subgroup of index 2. Prove that H is normal
in G.
Is the same true if the index equals 3? Give a proof or a counterexample.

Exercise 13.7.41. Suppose G is a group and H a subgroup.
If K is a subgroup of G normalising H, i.e., contained in the normaliser of H, then H·K is a
subgroup of G. Prove this.

Chapter 14

Rings and fields

We continue the study of structures. Having dealt with two basic examples, monoids and
groups, we now focus on two structures in which they play a significant role: rings and fields.

14.1 Rings

Multiplication turns each of the sets Z, Q, R, C, Z [X] , Q [X] , R [X] , C [X] into monoids, whereas
addition defines a group structure. These two structures are combined in the notion of a ring.
Definition 14.1.1. A ring is a structure [R, +, 0, −, ·, 1] consisting of a set R for which [R, +, 0, −]
is a commutative group and [R, ·, 1] is a monoid, in such a way that the following laws hold
for all x, y, z ∈ R:

• 0 ≠ 1;
• x·(y + z) = x·y + x·z (left distributivity);
• (y + z)·x = y·x + z·x (right distributivity).

The ring is called commutative if the monoid [R, · , 1] is commutative.

Example 14.1.2 (Usual arithmetic). Each of Z, Q, R, C, with the usual addition and multipli-
cation, is a commutative ring.

Example 14.1.3 (Modular arithmetic). Addition and multiplication as defined in the Modular
Addition and Multiplication Theorem (10.1.6) determine a commutative ring structure on
Z/nZ. The zero element is the class of 0, the identity element is the class of 1.

Example 14.1.4 (Polynomial rings). Let R be one of the rings Z, Q, R, C or Z/nZ. Then
R [X], with the usual addition and multiplication is a commutative ring.

Example 14.1.5 (Residue class rings). If R is a commutative ring as in Example 14.1.4 and f
is a polynomial in R [X], then R [X] /( f )R [X], as defined in Operations modulo a Polynomial
(12.2.1), is a commutative ring. The zero element is 0 + ( f )R [X], the identity element is
1 + ( f )R [X].

Example 14.1.6 (The Gaussian integers). The subset R = Z + Z· i of the complex numbers is
a ring with the usual addition and multiplication, with zero element 0 = 0 + 0· i and identity
element 1 = 1 + 0· i. Most ring properties, like associativity of the multiplication, are ‘in-
herited’ from the ring C: since they hold in the complex numbers they hold a fortiori in the
subset R. The crucial point in checking that R is a ring is that R is closed with respect to the operations.
For instance, (a + b· i) · (c + d· i) = a· c − b· d + (a· d + b· c) · i shows that the set R is closed
with respect to multiplication, since a· c − b· d and a· d + b· c are integers if a, b, c, d are. The
ring R is called the ring of Gaussian integers.

Example 14.1.7 (Matrix rings). Let R be a ring. Then the following structure is a ring: S =
[Mn (R) , +, 0, −, · , 1], where Mn (R) is the set of n by n matrices with coefficients in R, where
0 is short for the zero matrix, 1 is short for the identity matrix, + denotes matrix addition
and · denotes matrix multiplication. If n > 1, it is easy, and left to the reader, to find matrices
A, B such that A· B and B· A are distinct. Thus, S is not commutative for n > 1 even if R is
commutative.

Example 14.1.8 (The quaternions). Take 1, i, j, k to be a set of four vectors (think of a standard
basis) of the 4-dimensional real vector space H = R· 1 + R· i + R· j + R· k. On H we define
the operations + and · as follows. For x = a· 1 + b· i + c· j + d· k and x′ = a′· 1 + b′· i + c′· j +
d′· k let x + x′ be the vector sum of x and x′ and set x· x′ = p· 1 + q· i + r· j + s· k where p =
a· a′ − b· b′ − c· c′ − d· d′, q = a· b′ + b· a′ + c· d′ − d· c′, r = a· c′ − b· d′ + c· a′ + d· b′, and
s = a· d′ + b· c′ − c· b′ + d· a′. Now H is a ring. (It is quite tedious to check associativity,
etc.) Since i· j = k = − j· i, the ring is not commutative. The ring H is called the ring of real
quaternions.

Example 14.1.9. Here is an application of the ring of the Gaussian integers R = Z + Z· i.
Suppose that the integers k and l can both be written as sums of two squares of integers:
k = a² + b² and l = c² + d². Then the product k· l is also a sum of two squares. You may find it hard
to show this from scratch. Here is how the ring R comes into play: k = (a + b· i) · (a − b· i)
and l = (c + d· i) · (c − d· i), so k· l = (a + b· i) · (c + d· i) · (a − b· i) · (c − d· i). Expanding the
product of the first two factors gives a· c − b· d + (a· d + b· c) · i and the product of the last two
factors is a· c − b· d − (a· d + b· c) · i. This yields k· l = (a· c − b· d)² + (a· d + b· c)².

Example 14.1.10. An argument, similar to the one in Example 14.1.9, using the quaternions
can be used to show that if two integers can be written as sums of four squares of integers,
then so can their product. The equality (a + b· i + c· j + d· k) · (a − b· i − c· j − d· k) = a² +
b² + c² + d² plays a role in the proof.

Notation and terminology for a ring [R, +, 0, −, · , 1]:

• + is called the addition,
• · is called the multiplication (the symbol · is often omitted),
• 0 is the zero element,
• 1 is the identity element of the ring.

Definition 14.1.11. A subring of a ring [R, +, 0, −, · , 1] is a subset S of R containing 0 and 1
such that, whenever x, y ∈ S, we have x + y, −x and x· y ∈ S.
In other words, a subring is a subset S of R closed under all operations of R.

Example 14.1.12 (Usual arithmetic). The ring Z is a subring of each of the rings Z, Q, R, C.
It is the smallest possible subring.
The ring Q is a subring of R and of C.
The ring R is a subring of C.

Example 14.1.13 (Modular arithmetic). Let m be an integer, m > 1. Suppose that S is a
subring of Z/mZ. Then S contains 1, hence each integer multiple of 1, hence the whole ring
Z/mZ. Therefore, the only subring of Z/mZ is the ring itself. In other words, there are no
proper subrings.

Example 14.1.14 (Polynomial rings). The coefficient ring R is a subring of R [X].
Also, the polynomials in which only even powers of X occur, form a subring of R [X].

Example 14.1.15 (Residue class rings). Let R be a commutative ring and let f be a monic
polynomial in R [X] (so its leading coefficient is equal to one). If the degree of f is positive,
then, by a Lemma on Coefficient Ring (12.2.8), R is a subring of R [X] /( f ).

Example 14.1.16 (The Gaussian integers). The ring Z is a subring of R = Z + Z· i .

Example 14.1.17 (Matrix rings). The upper triangular matrices form a subring of Mn (R).

Example 14.1.18 (The Quaternions). The subset R· 1 of H is a subring. In fact 1 is the identity
element, and the ring is just a copy of R. The symbol 1 is often left out from R· 1 so as to
interpret R as a subring of H.
Also R + R· i is a subring, and so are R + R· j and R + R· k.

Remark 14.1.19. For the set S to be a subring of a given ring it suffices that 0, 1, x − y, and
x· y are in S for all x ∈ S and y ∈ S. Indeed, then 0 − x = −x is also in S, and similarly for
x + y = x − (−y). A subring, supplied with the restrictions of all operations of the ambient
ring R, is itself a ring.
For instance, as x· (y + z) = x· y + x· z holds for all x, y, z ∈ R, it also holds for all elements in
the subset S of R.

In other words, [S, +, 0, −] and [S, · , 1], where + and · are the restrictions to S × S, are again
a group and a monoid, respectively.
Let R be a ring. Addition defines a group structure on R. So every element a has an inverse
with respect to the addition. This inverse is denoted −a and is called the opposite of a.

Theorem 14.1.20 (Arithmetic properties in rings). The following properties hold for all a, b ∈ R.

(a) a· 0 = 0· a = 0;
(b) a· (−b) = −(a· b) = (−a) · b;
(c) (−a) · (−b) = a· b;
(d) (−1) · a = −a.

Proof. We prove each of the four parts individually.

Assertion. a· 0 = 0· a = 0.

By left distributivity and the role of the zero element we can write a· 0 + a· 0 = a· (0 + 0) =
a· 0 = a· 0 + 0, so that a· 0 + a· 0 = a· 0 + 0. The Cancellation law (13.3.8) for groups allows
us to conclude a· 0 = 0, as required. Similarly one shows 0· a = 0.

Assertion. a· (−b) = −(a· b) = (−a) · b.

Clearly, a· (b − b) = a· 0 = 0. Using distributivity to expand the left-hand side, we find
a· b + a· (−b) = 0, from which we derive −(a· b) = a· (−b).
The other equality is proved similarly.

Assertion. (−a) · (−b) = a· b.

By the previous assertion, (−a) · (−b) = −((−a) · b), so (−a) · (−b) is the additive inverse of (−a) · b.
But the previous assertion also gives (−a) · b = −(a· b), so a· b is the additive inverse of (−a) · b as well. Since (additive)
inverses are unique, we are done.

Assertion. (−1) · a = −a.

By distributivity, a + (−1) · a = 1· a + (−1) · a = (1 + (−1)) · a = 0· a = 0. Therefore (−1) · a is
the additive inverse of a, i.e., −a = (−1) · a.

Example 14.1.21. The ring laws lead to rules for calculations which are familiar from the
usual examples.
For instance, if, in a product, one factor is 0, then the whole product is 0.
Another example: (−a₁) · (−a₂) · ... · (−aₙ) = (−1)ⁿ · a₁· a₂· ... · aₙ.

Recall that a ring R is a monoid with respect to multiplication. It is not necessarily the case
that every (nonzero) element has an inverse with respect to multiplication. Those elements
of R that do have an inverse are called the invertible elements of R. The inverse of a in R is
denoted by a⁻¹.

Theorem 14.1.22. The invertible elements of R form a multiplicative group (i.e., a
group with respect to multiplication). This group is denoted by R×.

Proof. This is a direct consequence of Arithmetic Properties in Rings (14.1.20).

Example 14.1.23 (Usual arithmetic). Z× = {1, −1}. Every nonzero element of Q, R, and C
is invertible. (In other words, these rings are fields.)

Example 14.1.24 (Modular arithmetic). Z/nZ× consists of the classes m + n· Z of Z/nZ for
which m is an integer such that gcd (m, n) = 1.

Example 14.1.25 (Polynomials rings). Z [X]× = {1, −1} and Q [X]× = Q \ {0}. Similarly
for R and C. To prove these statements you will need to involve the degree. We leave this to
the reader.

Example 14.1.26 (Residue class rings). If R = Q, R, or C, and f is a polynomial in R [X] of
positive degree, then (R [X] /( f )R [X])× consists of the residue classes of those polynomials g
in R [X] for which gcd (g, f ) = 1.
If R = Z, then it is harder to describe the invertible elements of R [X] /( f )R [X] for general f .

Example 14.1.27 (Gaussian integers). (Z + Z· i)× = {1, −1, i, −i}. If a + b· i is invertible,
then there exists an element c + d· i such that (a + b· i) · (c + d· i) = 1. Using the property
|z| · |w| = |z· w| for the absolute value of complex numbers, we infer that (a² + b²) · (c² + d²) =
1. Since a, b, c, d are integers, we find that the integer a² + b² divides 1, so a² + b² = 1. The conclusion is
that a + b· i must be one of the four elements 1, −1, i, −i, as stated.

Example 14.1.28 (Matrix rings). Let R be a commutative ring. The invertible elements of
Mn (R) are those matrices whose determinant is invertible in R. This follows from Cramer’s
rule, which expresses the inverse of a matrix in terms of minors (elements of R) and the
inverse of the determinant.

Example 14.1.29 (The Quaternions). H× = {x ∈ H | N (x) ∈ R×}, where N (x) = a² + b² +
c² + d² if x = a· 1 + b· i + c· j + d· k. As for the proof: write C (x) = a· 1 − (b· i + c· j + d· k).
Then C (x) · x = N (x) · 1. So, if N (x) is invertible, then (N (x))⁻¹ · C (x) is the inverse of x.
Also, if N (x) is not invertible in R, it is zero; a sum of four real squares is zero only if a = b = c = d = 0,
so x = 0, which is not invertible.

Let R and R′ be rings.

Definition 14.1.30. A map f : R → R′ is called a (ring) homomorphism from R to R′ if f is

• a homomorphism of additive groups R → R′, and
• a homomorphism R → R′ of multiplicative monoids.

Let f : R → R′ be a homomorphism.

• The kernel of f is the set {a ∈ R | f (a) = 0}. It is denoted by Ker ( f ).
• The image of f is the set f (R) = { f (a) | a ∈ R}. It is denoted by Im ( f ).

Example 14.1.31 (Left multiplication by an integer). The map f : Z → Z given by f (a) = 3· a
is not a homomorphism of rings because f (1) is not equal to 1.

Example 14.1.32 (Modding out an integer). The map f : Z → Z/6Z given by f (a) = a + 6· Z
is a homomorphism of rings:

• f (0) = 0 + 6· Z,
• f (1) = 1 + 6· Z,
• f (a + b) = a + b + 6· Z = a + 6· Z + (b + 6· Z) = f (a) + f (b), and
• f (a· b) = a· b + 6· Z = (a + 6· Z) · (b + 6· Z) = f (a) · f (b).

The kernel of the map is exactly 6· Z.

Example 14.1.33 (Complex conjugation). Complex conjugation is a homomorphism of rings
C → C. In fact, it is an isomorphism: it is its own inverse.

Example 14.1.34 (Modding out a divisor). The map f : Z/6Z → Z/2Z given by f (a + 6· Z) =
a + 2· Z is a homomorphism of rings (it is well defined because 6· Z ⊆ 2· Z). The kernel consists of all a + 6· Z for a ∈ Z such that
rem(a, 2) = 0, i.e., a is even. The kernel is therefore {0 + 6· Z, 2 + 6· Z, 4 + 6· Z}. It is not hard to verify that f is surjective.

Example 14.1.35 (Modding out a polynomial). The homomorphism f : Q [X] → Q [X] /(X 2 )Q [X]
which sends a polynomial to its class modulo X 2 is a homomorphism. This is easily verified.
The kernel of this homomorphism consists of all polynomials that are divisible by X 2 . The
homomorphism is surjective, so the image is the whole ring Q [X] /(X 2 )Q [X].

Example 14.1.36 (Gaussian numbers as polynomial residues). The map f : Q [X] /(X² +
1)Q [X] → Q + Q· i, where i is the usual imaginary number (square root of −1), is defined by g + (X² +
1)Q [X] ↦ g (i), for every residue class g + (X² + 1)Q [X] ∈ Q [X] /(X² + 1)Q [X]. Observe
that it is indeed well defined. This follows from the fact that if g − h is divisible by X² + 1,
then g (i) = h (i). So g + (X² + 1)Q [X] = h + (X² + 1)Q [X] implies g (i) = h (i). This map is
in fact an isomorphism. The inverse map is given by a + b· i ↦ a + b· X + (X² + 1)Q [X], as can
be easily checked.

Example 14.1.37 (From quaternions to matrices). The map f : H → M₂ (C) that sends a +
b· i + c· j + d· k to the 2 by 2 matrix with rows (a + b· i, c + d· i) and (−c + d· i, a − b· i)
is a homomorphism of noncommutative rings. Its kernel is {0}.
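The following Python code is an added worked example, not part of the original text. It implements the Gaussian integer product of Example 14.1.6 and the quaternion product formula of Example 14.1.8 on plain tuples, the conjugate C (x), the norm N (x) and the inverse (N (x))⁻¹· C (x) of Example 14.1.29, and the matrix map of Example 14.1.37, and it checks the two-squares and four-squares identities of Examples 14.1.9 and 14.1.10 on concrete numbers. The encodings (a, b) for a + b· i and (a, b, c, d) for a· 1 + b· i + c· j + d· k and all function names are this example's own choices.

```python
from fractions import Fraction


def gauss_mul(x, y):
    """(a + b i)(c + d i) = (ac - bd) + (ad + bc) i on integer pairs (Example 14.1.6)."""
    a, b = x
    c, d = y
    return (a * c - b * d, a * d + b * c)


def gauss_norm(x):
    """N(a + b i) = a^2 + b^2 = (a + b i)(a - b i); N(xy) = N(x) N(y) is Example 14.1.9."""
    a, b = x
    return a * a + b * b


def quat_mul(x, y):
    """Product of Example 14.1.8 for x = (a, b, c, d) and y = (a', b', c', d')."""
    a, b, c, d = x
    a2, b2, c2, d2 = y
    return (
        a * a2 - b * b2 - c * c2 - d * d2,   # p
        a * b2 + b * a2 + c * d2 - d * c2,   # q
        a * c2 - b * d2 + c * a2 + d * b2,   # r
        a * d2 + b * c2 - c * b2 + d * a2,   # s
    )


def quat_conj(x):
    """C(x) = a - b i - c j - d k (Example 14.1.29)."""
    a, b, c, d = x
    return (a, -b, -c, -d)


def quat_norm(x):
    """N(x) = a^2 + b^2 + c^2 + d^2, the real part of C(x) x."""
    return sum(t * t for t in x)


def quat_inv(x):
    """x^{-1} = N(x)^{-1} C(x) for x != 0, with exact rational coefficients."""
    n = quat_norm(x)
    if n == 0:
        raise ZeroDivisionError("0 is not invertible in H")
    return tuple(Fraction(t, n) for t in quat_conj(x))


def quat_to_matrix(x):
    """a + b i + c j + d k -> rows (a+bi, c+di), (-c+di, a-bi) in M_2(C) (Example 14.1.37)."""
    a, b, c, d = x
    return ((complex(a, b), complex(c, d)), (complex(-c, d), complex(a, -b)))


def mat_mul(m, n):
    """Product of two 2 by 2 complex matrices given as tuples of rows."""
    return tuple(
        tuple(sum(m[i][k] * n[k][j] for k in range(2)) for j in range(2))
        for i in range(2)
    )


def four_squares(x, y):
    """Return (N(xy), N(x) N(y)); their equality is the identity behind Example 14.1.10."""
    return quat_norm(quat_mul(x, y)), quat_norm(x) * quat_norm(y)


def matrix_map_respects_product(x, y):
    """True when f(x y) = f(x) f(y) for the map f of Example 14.1.37."""
    return mat_mul(quat_to_matrix(x), quat_to_matrix(y)) == quat_to_matrix(quat_mul(x, y))


if __name__ == "__main__":
    i, j = (0, 1, 0, 0), (0, 0, 1, 0)
    print("i*j =", quat_mul(i, j), " j*i =", quat_mul(j, i))      # k and -k
    x = (1, 2, 3, 4)
    print("C(x)*x =", quat_mul(quat_conj(x), x), " N(x) =", quat_norm(x))
    print("x * x^-1 =", quat_mul(x, quat_inv(x)))
```

Running the block prints i· j = k and j· i = −k, confirming the noncommutativity noted in Example 14.1.8; the norm check is exactly the computation a practitioner would use to validate a hand-derived multiplication table before trusting it.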

Example 14.1.38 (Subrings). If S is a subring of the ring R, then the map f : S → R, a ↦ a is
a homomorphism, the so-called inclusion map. It is usually convenient to view the inclusion
of rings as a homomorphism in this way.

In other words, a map f : R → R′ is a homomorphism if and only if the following conditions are satisfied.

• f (0) = 0;
• f (a + b) = f (a) + f (b);
• f (1) = 1;
• f (a· b) = f (a) · f (b).

The first of these four conditions follows directly from the second: apply it to 0 = 0 + 0 and cancel f (0).

Theorem 14.1.39. Let R and S be rings. For every homomorphism f : R → S the
following holds.

(a) If a ∈ R is invertible, then so is f (a), in which case its inverse is f (a⁻¹).
(b) If f is an isomorphism, then so is its inverse f⁻¹ : S → R.
(c) The image Im ( f ) is a subring of S.
(d) The kernel Ker ( f ) is an additive subgroup of R. If a is in Ker ( f ), then r· a is in
Ker ( f ) for all r ∈ R.
(e) The map f is injective if and only if Ker ( f ) = {0}.

Proof.
Assertion. If a ∈ R is invertible, then so is f (a), in which case its inverse is f (a⁻¹).

If a is invertible with inverse b, then a· b = 1. Applying f gives f (a· b) = f (1) = 1 and so
f (a) · f (b) = 1, i.e., f (a) is invertible and its inverse is f (b) = f (a⁻¹).

Assertion. If f is an isomorphism, then so is its inverse f⁻¹ : S → R.

Suppose that f is a bijection from R to S. Then we show that f⁻¹ respects multiplication
and leave other details to the reader. Suppose a′, b′ ∈ S. As f is surjective, there are a, b ∈ R
such that f (a) = a′ and f (b) = b′. The fact that f is a homomorphism implies f (a· b) =
f (a) · f (b). Applying f⁻¹ to both sides gives a· b = f⁻¹ ( f (a) · f (b)). Substituting f⁻¹ (a′)
for a and f⁻¹ (b′) for b in the left-hand side, and a′ for f (a) and b′ for f (b) in the right-hand
side, we find f⁻¹ (a′) · f⁻¹ (b′) = f⁻¹ (a′· b′), as required.

Assertion. f (R) is a subring of S.

This is direct from the conditions given before the theorem.

Assertion. Ker ( f ) is an additive subgroup of R. If a is in Ker ( f ), then r· a is in Ker ( f ) for
all r ∈ R.

Ker ( f ) is an additive subgroup of R: this follows directly from the conditions given before
the theorem. Let r ∈ R and a ∈ Ker ( f ). Then f (r· a) = f (r) · f (a) = f (r) · 0 = 0, whence
r· a ∈ Ker ( f ).

Assertion. f is injective if and only if Ker ( f ) = {0}.

If f is injective and a belongs to Ker ( f ), then f (a) = 0 = f (0), and injectivity implies a = 0.
Conversely, if Ker ( f ) = {0} and f (a) = f (b), then f (a − b) = 0, so that a − b = 0 and a = b.

Example 14.1.40 (The identity). For any ring R, the identity map R → R is an isomorphism,
which is its own inverse.

Example 14.1.41 (Modding out an integer). The homomorphism f : Z → Z/6Z given by
f (a) = a + 6· Z is not injective as its kernel is 6· Z. The invertible elements of Z are 1, −1;
they are mapped onto the invertible elements 1 + 6· Z and 5 + 6· Z of Z/6Z.

Example 14.1.42 (Complex conjugation). Complex conjugation is an isomorphism of rings
C → C.

Example 14.1.43 (Modding out a polynomial). The homomorphism f : Q [X] → Q [X] /(X²)Q [X]
is surjective, but not injective. The residue class of 1 + X is invertible in Q [X] /(X²)Q [X] (its
inverse is the class of 1 − X, since (1 + X) · (1 − X) = 1 − X²), but its inverse image under f contains no invertible element of
Q [X]: the invertible elements of Q [X] are the nonzero constants (Example 14.1.25), and no polynomial
congruent to 1 + X modulo X² is constant.

Example 14.1.44 (Gaussian numbers as polynomial residues). The map f : Q [X] /(X² +
1)Q [X] → Q + Q· i, where i is the usual imaginary number (square root of −1), is defined by g + (X² +
1)Q [X] ↦ g (i), for every residue class g + (X² + 1)Q [X] ∈ Q [X] /(X² + 1)Q [X]. This map is an
isomorphism (see Example 14.1.36). It demonstrates that two completely different looking rings may nevertheless
carry the same ring structure.

14.2 Constructions with rings

Let [R, +, 0, −, · , 1] and [R′, +, 0′, −, · , 1′] be rings. Just like the product of two monoids
(respectively, groups) is a monoid (respectively, group), the product of two rings is a ring.

Theorem 14.2.1. The direct product R × R′ with coordinatewise addition and multi-
plication and with zero element (0, 0′) and identity (1, 1′) is a ring.

Proof. The proof is a routine verification. Here are the different parts.

Assertion. [R × R′, · , (1, 1′)] is a monoid.

Application of the direct product construction for monoids.

Assertion. [R × R′, +, (0, 0′), −], where the operation − is defined coordinatewise, is
a commutative group.

The structure is a group by application of Direct Product of Groups (13.4.14).
Observe that the direct product of two commutative groups is again commutative: (a, a′) +
(b, b′) = (a + b, a′ + b′) = (b + a, b′ + a′) = (b, b′) + (a, a′).

Assertion. The structure is left distributive.

By coordinatewise addition, coordinatewise multiplication, and left distributivity for R and R′, we have

(a, a′) · ((b, b′) + (c, c′)) = (a, a′) · (b + c, b′ + c′)
= (a· (b + c), a′· (b′ + c′))
= (a· b + a· c, a′· b′ + a′· c′)
= (a· b, a′· b′) + (a· c, a′· c′)
= (a, a′) · (b, b′) + (a, a′) · (c, c′).

Assertion. Right distributivity.

Just like left distributivity.

Example 14.2.2 (Sample computation). In the product Z × Z/6Z we have (3, 4) · (2, 3) =
(6, 0) and (3, 4) + (2, 3) = (5, 1).

Remark 14.2.3 (Multiple direct products). The process of taking direct products can be re-
peated to obtain rings like R × S × T, or the n-fold product of a ring with itself: Rⁿ =
R × R × ... × R (n factors). There is of course the question whether, say, (R × S) × T and R × (S × T)
yield the same result. The answer is 'yes' in the sense that they are isomorphic.
The ring is called the direct product of R and S and often denoted by R × S (instead of the full
information with multiplication, addition, zero, and unit).

Example 14.2.4 (Chinese Remainder Theorem). The Chinese Remainder Theorem (10.2.4)
can be nicely phrased in terms of direct products: If m and n are positive integers greater than
1 with gcd (m, n) = 1, then Z/(m· n)Z is isomorphic with Z/mZ × Z/nZ; the isomorphism is
given by the map a(mod m· n) 7→ (a(mod m), a(mod n)).
Hence, given an element x = (b(mod m), c(mod n)) in Z/mZ × Z/nZ there is a unique ele-
ment in Z/(m· n)Z that is mapped onto x.

Theorem 14.2.5 (Invertible elements in direct products of rings). (R × S)× = R× × S×.

Proof.
Assertion. If a ∈ R has inverse b and a′ ∈ S has inverse b′, then (a, a′) has inverse (b, b′).

(a, a′) · (b, b′) = (a· b, a′· b′) = (1, 1), and similarly for (b, b′) · (a, a′).

Assertion. Conversely, if (a, a′) has inverse (c, c′), then a has inverse c and a′ has inverse c′.

By the same kind of equalities as in the proof of the previous assertion: (a, a′) · (c, c′) = (1, 1)
means a· c = 1 and a′· c′ = 1, and likewise for (c, c′) · (a, a′).

Example 14.2.6. In the direct product Z × Z/6Z, the invertible elements are (1, 1), (1, 5),
(−1, 1), and (−1, 5), i.e., all elements in which both the first and the second coordinate are
invertible.

Example 14.2.7. The multiplicative formula for the Euler Totient Function, see Euler Totient
Theorem (10.3.7), can be explained by a combination of the Chinese Remainder Theorem
(10.2.4) and the Invertible Elements in Direct Products of Rings (14.2.5) with R = Z/mZ and
S = Z/nZ for positive integers m and n such that gcd (m, n) = 1. We have

Φ(m· n) = |(Z/(m· n)Z)×| = |(Z/mZ)× × (Z/nZ)×| = |(Z/mZ)×| · |(Z/nZ)×| = Φ(m) · Φ(n). (14.1)
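The following Python code is an added worked example, not part of the original text. It builds (Z/nZ)× by the gcd criterion of Example 14.1.24, implements the map a (mod m· n) ↦ (a (mod m), a (mod n)) of Example 14.2.4 together with its inverse, checks on small moduli that the map is a bijection respecting + and ·, and verifies that the units of Z/(m· n)Z correspond exactly to the pairs of units, which is (14.1). The same identity is what gives Φ(p· q) = (p − 1) · (q − 1) for distinct primes p, q, the quantity RSA key generation computes. The function names are this example's own; the only library call is Python's built-in pow(m, −1, n) (Python 3.8 or later) for the modular inverse.

```python
from math import gcd


def units(n):
    """(Z/nZ)^x as the sorted representatives 0 <= m < n with gcd(m, n) = 1 (Example 14.1.24)."""
    return [m for m in range(n) if gcd(m, n) == 1]


def phi(n):
    """Euler's totient, counted directly as |(Z/nZ)^x|."""
    return len(units(n))


def crt_split(a, m, n):
    """The map a (mod mn) -> (a (mod m), a (mod n)) of Example 14.2.4."""
    return (a % m, a % n)


def crt_join(b, c, m, n):
    """Inverse map for gcd(m, n) = 1: the unique x mod mn with x = b (mod m) and x = c (mod n)."""
    if gcd(m, n) != 1:
        raise ValueError("moduli must be coprime")
    m_inv = pow(m, -1, n)                      # m is a unit mod n because gcd(m, n) = 1
    return (b + m * ((c - b) * m_inv % n)) % (m * n)


def is_ring_isomorphism(m, n):
    """Exhaustively check that crt_split is a bijection Z/mnZ -> Z/mZ x Z/nZ
    that respects coordinatewise + and * (Theorem 14.2.1)."""
    mn = m * n
    if len({crt_split(a, m, n) for a in range(mn)}) != mn:
        return False                           # not injective, happens when gcd(m, n) > 1
    for a in range(mn):
        sa = crt_split(a, m, n)
        for b in range(mn):
            sb = crt_split(b, m, n)
            if crt_split((a + b) % mn, m, n) != ((sa[0] + sb[0]) % m, (sa[1] + sb[1]) % n):
                return False
            if crt_split((a * b) % mn, m, n) != ((sa[0] * sb[0]) % m, (sa[1] * sb[1]) % n):
                return False
    return True


def units_match_pairs(m, n):
    """Theorem 14.2.5 for Z/mZ x Z/nZ: the images of the units of Z/mnZ are exactly
    the pairs (unit mod m, unit mod n); this is the set equality behind (14.1)."""
    lhs = {crt_split(u, m, n) for u in units(m * n)}
    rhs = {(u, v) for u in units(m) for v in units(n)}
    return lhs == rhs


if __name__ == "__main__":
    print("units of Z/15Z:", units(15))
    print("phi(15) =", phi(15), "= phi(3)*phi(5) =", phi(3) * phi(5))
    print("x = 2 mod 3, x = 3 mod 5  ->  x =", crt_join(2, 3, 3, 5), "mod 15")
    print("Z/15Z ~ Z/3Z x Z/5Z:", is_ring_isomorphism(3, 5))
    print("Z/8Z ~ Z/2Z x Z/4Z:", is_ring_isomorphism(2, 4))
```

The exhaustive checks are only feasible for tiny moduli; the point is to see the theorem's content (a bijection that preserves both operations, and units mapping onto pairs of units) rather than to prove it. The last line shows the coprimality hypothesis is needed: for m = 2, n = 4 the map is not even injective.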

The notion of generators, known for monoids, is similar for rings.

Theorem 14.2.8 (Intersection of subrings is a subring). Let R be a ring.
If C is a collection of subrings of R, then the intersection ∩_{c ∈ C} c is also a subring of R.

Proof. Let S denote the intersection ∩_{c ∈ C} c, of which we must prove that it is a subring of R.
We verify the conditions for S to be a subring.

Assertion. 0, 1 ∈ S.

Since each H ∈ C is a subring, we have 0, 1 ∈ H. Hence 0, 1 belong to the intersection over
all H, that is, to S.

Assertion. The set S is closed under addition, multiplication and taking opposites.

Suppose a, b ∈ S. Then, for each H ∈ C, we have a, b ∈ H, whence (as H is a subring)
a + b ∈ H. It follows that a + b ∈ S.
The proofs for multiplication and for opposites are very similar and therefore omitted.

Remark 14.2.9. • If C is the empty collection, the intersection over C is taken to be R.

• The theorem is the analog for rings of the result for monoids. In fact, the result holds for
any structure. The proof remains basically the same: if each substructure of a collection is
closed under all operations, then so is the intersection. For this reason, when dealing with
fields later on, we shall not treat the result any more as a separate theorem.

Intersection of subrings is a subring (14.2.8) shows that the smallest subring containing a
given set D exists: it is the intersection of all subrings containing D. Therefore, the definition
below makes sense.
Definition 14.2.10. Let D be a subset of a ring R. The smallest subring of R that contains D,
denoted hDiR is called the subring generated by D.

Explicitly, the subring hDiR of a ring R consists of all finite sums of products of elements
from D or −D = {x ∈ R| − x ∈ D} including 0 (the empty sum) and 1 (the empty product). If
a ring can be generated by finitely many elements, it is called finitely generated.
Example 14.2.11 (Usual arithmetic). The ring Z is generated by the empty set. For, 0 and 1
always belong to a subring; but then also −1 (because the additive structure is a group) and
2 = 1 + 1. Now, by induction, n = (n − 1) + 1 belongs to the subring, and hence also its additive
inverse −n.
The ring Q is not even finitely generated (that is, generated by a finite subset): to see this, use
that there are infinitely many primes and study the possible denominators of elements from a
finitely generated subring.
Similarly, neither R nor C is finitely generated.

Example 14.2.12 (Modular arithmetic). The ring Z/nZ is generated by the empty set.

Example 14.2.13 (Polynomials rings). The ring Z [X] is generated by X. More generally, if
R is Q, R, or C, its polynomial ring R [X] is generated by R ∪ {X}.

Example 14.2.14 (Residue class rings). If R is Q, R, or C, and f is a polynomial in R [X],
then R [X] /( f )R [X] is generated by R ∪ {x}, where x is the residue class of X.

Example 14.2.15 (The Gaussian integers). The ring R = Z + Z· i of Gaussian integers is gen-
erated by i.

Example 14.2.16 (Matrix rings). The matrix ring Mn (R) is generated by all upper and lower
triangular matrices. It is even generated by all upper triangular matrices and permutation
matrices.

Example 14.2.17 (The Quaternions). The ring of quaternions H = R + R· i + R· j + R· k is
generated by R ∪ {i, j}.

Remark 14.2.18. The subring of a ring R generated by the empty set is the same as the
subring generated by 0 and 1, since these two elements belong to any subring.

Let R be a ring and let X be an indeterminate. By R [X] we denote the set of all polynomials
in X with coefficients in R, compare Definition of polynomial ring (11.1.5).

Let $a = a_0 + a_1 X + \dots + a_n X^n$ and $b = b_0 + b_1 X + \dots + b_m X^m$ be two elements of R [X].
By adding, if necessary, some terms $0 \cdot X^k$ we may assume n = m.
The sum of these polynomials is $a + b = (a_0 + b_0) + (a_1 + b_1) X + \dots + (a_n + b_n) X^n$.
The product of these polynomials is $a \cdot b = c_0 + c_1 X + \dots + c_{n+m} X^{n+m}$ where
$c_k = a_0 b_k + a_1 b_{k-1} + \dots + a_k b_0$.
The symbol · is often omitted.

Theorem 14.2.19. Let R be a commutative ring. The sum and product of polynomials define the structure of a com-
mutative ring on the set R [X] of all polynomials in X with coefficients in R. The zero
element is the zero polynomial 0; the identity element is the polynomial 1.

Proof. We must prove that [R [X] , +, 0, −] is a commutative group, that [R [X] , · , 1] is a com-
mutative monoid and that distributivity holds.
Since most verifications are very similar, we restrict to one typical verification, that of left
distributivity.
Let $a = a_0 + a_1 X + \dots + a_n X^n$, $b = b_0 + b_1 X + \dots + b_m X^m$, and $c = c_0 + c_1 X + \dots + c_l X^l$
be three polynomials. The coefficient of $X^k$ in a· (b + c) equals

$$a_0 (b_k + c_k) + a_1 (b_{k-1} + c_{k-1}) + \dots + a_k (b_0 + c_0)$$

and can be rewritten by commutativity and distributivity in R as

$$(a_0 b_k + a_1 b_{k-1} + \dots + a_k b_0) + (a_0 c_k + a_1 c_{k-1} + \dots + a_k c_0),$$

which is the coefficient of $X^k$ in a· b + a· c.

Example 14.2.20. Let R be a ring and take S to be the polynomial ring R [X]. Then the
polynomial ring S [Y] in the indeterminate Y is the same as the ring R [X,Y ] of polynomials in the
two indeterminates X,Y. So its elements are of the form $\sum_{(i,j) \in \mathbb{N} \times \mathbb{N}} a_{i,j} X^i Y^j$, with $a_{i,j} \in R$,
nonzero for only a finite number of pairs (i, j). The element X· Y is equal to the product Y· X.
This emphasizes that there are two ways to build this ring with indeterminates X and Y from
R: as R [X] [Y ] and as R [Y ] [X]. To emphasize the symmetry in X and Y, we usually write
R [X,Y ] for this ring.

Example 14.2.21. Notions like degree are of course valid for all polynomial rings. But weird
things may happen if the coefficient ring R is not a domain: (2· X) · (2· X) = 4· X² = 0 in Z/4Z [X]. Here
the degree of the product of two polynomials of degree 1 is not 2.

The ring R [X] is called the polynomial ring over R in the indeterminate X. The ring R is
called the coefficient ring of R [X].

14.3 Domains and fields

Although some of the definitions and results presented in this and the following sections are
valid for general rings, we concentrate on commutative rings. So, from now on, unless the
contrary is stated explicitly, all rings will be considered to be commutative.

Definition 14.3.1. Let R be a commutative ring.

• An element x of R is called a multiple of an element y if there exists z ∈ R such that x = y· z.
• A zero divisor in R is an element a ≠ 0 of R for which there exists b ∈ R \ {0} with a· b = 0.
• A ring without zero divisors is called a domain.

Example 14.3.2 (Modular arithmetic). In Z/6Z, the element 2 + 6· Z is a multiple of 4 + 6· Z:
(4 + 6· Z) · (2 + 6· Z) = 2 + 6· Z.

Example 14.3.3 (Residue class rings). Let R = Q [X]. If f ∈ R is irreducible, then any nonzero
polynomial g ∈ R of degree less than the degree of f has an invertible residue class in R/( f )R,
and so g + ( f )R divides 1.

Example 14.3.4 (The Gaussian integers). In Z + Z· i, the element 1 + i is a divisor of 2 since
(1 + i) · (1 − i) = 2.
The ring Z + Z· i is a domain. For, suppose (a + b· i) · (c + d· i) = 0. Multiply both sides with
(a − b· i) · (c − d· i), to obtain the equation (a² + b²) · (c² + d²) = 0 involving integers only,
from which it is clear that a = b = 0 or c = d = 0, i.e., a + b· i = 0 or c + d· i = 0.

Remark 14.3.5. The notions introduced in Definition of divisor, zero divisor and domain
(14.3.1) generalize the familiar notions of divisor and multiple in the integers and in polyno-
mial rings.

If x is a multiple of y, then y is also called a divisor of x.

Theorem 14.3.6. Let R be a commutative ring.

(a) A zero divisor is never invertible.
(b) The ring R is a domain if and only if for all a and b in R we have that a· b = 0
implies a = 0 or b = 0.

Proof.
Assertion. A zero divisor of R is never invertible.

Suppose that a is an invertible element of R and suppose that b is an element such that a· b =
0. Multiply the latter equality on the left by a⁻¹ to obtain a⁻¹· (a· b) = 0. Using the
associativity of multiplication gives b = (a⁻¹· a) · b = a⁻¹· (a· b) = 0, so b = 0. In particular,
a is not a zero divisor.

Assertion. The ring R is a domain if and only if for all a and b in R, a· b = 0 implies a = 0 or
b = 0.

This is a restatement of the definition of domain.

Example 14.3.7 (Usual arithmetic). The rings Z, Q, R, C are all domains. It is sufficient to
note that C is a domain, since then a fortiori all of its subrings are domains.

Example 14.3.8 (Modular arithmetic). The ring Z/nZ is a domain if and only if n is a prime.

Example 14.3.9 (Polynomial rings). The polynomial ring R [X] is a domain if and only if R
is a domain. See Polynomial rings over a domain are domains (14.3.14).

Example 14.3.10 (Residue class rings). Let R be a field. Then the residue class ring R [X] /( f )R [X]
is a domain, if and only if the polynomial f is irreducible in R [X]. So, R [X] /( f )R [X] is a
domain if and only if it is a field.

Example 14.3.11 (The Gaussian integers). The ring Z + Z· i of Gaussian integers is a domain. It is a
subring of the domain C.

Remark 14.3.12. It is a common misconception to think that each element of a ring would
be either a zero divisor or an invertible element. The element 4 in the ring Z is an example
of an element that is neither invertible nor a zero divisor.

Example 14.3.13. Suppose x ∈ R (the reals) is a solution of the equation x⁵ − 8· x⁴ + 16· x³ +
3· x² − 14· x = 4. Using more advanced methods than treated so far, real polynomials can
be factored. Bringing 4 to the left hand side and factoring the resulting polynomial, we find
(x² − 3· x − 1) · (x³ − 5· x² + 2· x + 4) = 0. Since R is a domain, we conclude x² − 3· x = 1 or
x³ − 5· x² + 2· x = −4. So x is a solution of one of two equations of smaller degree.

Clearly, a subring of a domain is a domain.
Here is a way to construct a domain out of a given one.

Theorem 14.3.14 (Polynomial rings over a domain are domains). If R is a domain, then so is R [X].

Proof. Let f, g be nonzero polynomials in R [X]. Let m = degree ( f )
and n = degree (g). Then m and n are non-negative integers (since f and g are nonzero). The
corresponding top coefficients of f and g are nonzero, so (as R is a domain) their product, which is the coefficient of
X^{m+n} in f · g, is nonzero, showing that f · g ≠ 0. Therefore, R [X] is a domain.

Example 14.3.15. Let R be a domain. By applying the proposition twice, we see that R [X,Y ]
is a domain.

Remark 14.3.16 (Converse). Since R is a subring of R [X], for the latter to be a domain it is
of course necessary that R be a domain.

The following property is an important reason why domains are good to work with.

Theorem 14.3.17 (Cancellation law for domains). Let R be a domain. If a is a nonzero
element of R, then a· x = a· y implies x = y.

Proof. From a· x = a· y we deduce a· (x − y) = 0. Since R is a domain and a is nonzero, we
conclude that x − y = 0, i.e., x = y.

Example 14.3.18. Suppose x ∈ Z + Z· i, the ring of Gaussian integers, is a solution of the
equation (2 + i) · x = 5. Then, by the cancellation law, the equation is equivalent to the one
obtained by left multiplication with 2 − i on both sides: 5· x = 5· (2 − i). Applying the can-
cellation law once more, we find x = 2 − i.

Remark 14.3.19 (Converse). If a ring has zero divisors, the cancellation law need not hold.
For instance, in Z/6Z, we have 2· 2 = 2· 5, but 2 6= 5.

We now give a more formal approach to fields than before.

Definition 14.3.20. A field is a commutative ring in which every nonzero element has a mul-
tiplicative inverse.

Example 14.3.21 (Usual arithmetic). The ring Z is not a field: most of its elements are not
invertible.
On the other hand, Q, R, and C are fields.

Example 14.3.22 (Modular arithmetic). The ring Z/nZ is a field if and only if n is a prime
number.

Example 14.3.23 (Polynomial rings). The rings Q [X] , R [X] , C [X] are not fields: X does not
have an inverse.

Example 14.3.24 (Residue class rings). If R = Q, R, C, or Z/pZ for some prime p, and f is
a polynomial in R [X], then R [X] /( f )R [X] is a field if and only if f is irreducible in R [X].

Example 14.3.25 (The Gaussian integers). The ring R = Z + Z· i of Gaussian integers is not
a field. For instance, the element 1 + i has no inverse: if a + b· i were its inverse, then 2· a +
2· b· i = (a + b· i) · 2 = (a + b· i) · (1 + i) · (1 − i) = 1 − i, whence 2· a = 1, which contradicts
237. Sets, Logic and Algebra

a ∈ Z. The variation Q + Q· i however, is a field. Can you find the inverse of an arbitrary
nonzero element?

Since by definition every nonzero element is invertible, the nonzero elements of a field K
form a group with respect to the multiplication: $K^{\times} = K \setminus \{0\}$.
Since an invertible element cannot be a zero divisor, every field is a domain. The converse is
not necessarily true: Z is a domain but not a field. For finite domains, however, the converse
does hold.

Theorem 14.3.26. Every finite domain is a field.

Proof. Let R be a finite domain and a a nonzero element of R. We need to show that a is
invertible. To this end, consider left multiplication by a, that is, the map $L_a : R → R$, x ↦ a· x.
Since R is a domain, it follows from the Cancellation law for domains (14.3.17) that $L_a$ is
injective. Since R is a finite set, the pigeon hole principle says that the map is necessarily
surjective. In particular, there exists y ∈ R such that $L_a (y) = 1$. This means a· y = 1, as
required for a to be invertible in R.

Example 14.3.27. Consider the ring R = Z/3Z + Z/3Z· i, where i is the square root of −1;
so $i^2 = -1$.
R is a field. To see this, suppose that x = a + b· i and y = c + d· i, with a, b, c, d ∈ Z/3Z satisfy
x· y = 0. Multiplying this equation by (a − b· i) · (c − d· i), we find $(a^2 + b^2) \cdot (c^2 + d^2) = 0$.
Both factors are in Z/3Z, which is (a field and hence) a domain. Therefore, at least one of
them is zero, say the first (the argument for the second is similar). This means $a^2 = -b^2$,
that is, a = b = 0, as is easily checked within Z/3Z, and x = 0. We conclude that R is a finite
domain, whence a field.

Let F be a field. The following definitions are completely standard; compare them with those
for monoids, groups, and rings given so far.
Definition 14.3.28. A subfield of the field F is a subring of F which is closed under inverses
of nonzero elements. If X is a subset of F, the subfield of F generated by X is the intersection
of all subfields containing X.

Example 14.3.29 (Usual arithmetic). Q is a subfield of R and R is a subfield of C.

Example 14.3.30 (Modular arithmetic). There are no proper subfields of Z/pZ for p prime.
For any subfield contains 1 and hence all its multiples and thus the complete field Z/pZ.

Example 14.3.31 (Polynomial rings). Q is a subring of the polynomial ring Q [X]. Since Q
by itself is a field, one might speak of a subfield here, although the ambient ring Q [X] is not
a field.
Later we shall see how to "extend" the domain Q [X] to a field. Similar remarks hold for R
and C instead of Q.

Example 14.3.32 (Residue class rings). Let $f = X^4 - 2$ be a polynomial in Q [X] and consider
F = Q [X] /( f )Q [X]. Since f is irreducible in Q [X], this is a field. Now consider the element
$b = X^2 + ( f )Q [X]$ of F. The subfield of F generated by Q and b is K = Q + Q· b. (To see
this, notice that $b^2 = 2$ and $b^{-1} = b/2$.) Thus, the field F, which is a 4-dimensional vector
space over Q, has a subfield K, which is a 2-dimensional linear space over Q.

Example 14.3.33 (The Gaussian numbers). The field Q + Q· i is a 2-dimensional vector space
over Q. An obvious subfield is Q. This is the only proper subfield of Q + Q· i, as will become
clear later, from the fact that any subfield contains Q.

Remark 14.3.34. By now we assume that you are aware from previous cases like monoids
and rings that the intersection of any collection of subfields is a subfield. This fact is of course
used in the definition.

Remark 14.3.35. Another description (again, as usual) of the subfield generated by X is that
it is the smallest subfield containing X.

We now focus on subfields of the field C of complex numbers. Let K be a subfield of C. If a
is an element of K, and f , g are polynomials in Q [X], then $\frac{f(a)}{g(a)}$ is an element of K whenever
g (a) ≠ 0. The set of all these fractions makes up the smallest subfield of C that contains a and
Q. Of course, instead of polynomials in Q, we could have chosen f and g with coefficients in
any subfield L of K. In general we obtain the following.

Theorem 14.3.36. If a ∈ C and L a subfield of C, then
$$K = \left\{ \frac{f(a)}{g(a)} \in C \;\middle|\; (f, g) \in L[X]^2 \wedge g(a) \neq 0 \right\}$$
is the subfield of C generated by a and L.

Proof. We must show two things:

Assertion. K is a subfield.

• K contains the elements 0 (take f = 0 and g = 1) and 1 (take f = 1 and g = 1).
• K is closed under addition: $\frac{f(a)}{g(a)} + \frac{h(a)}{l(a)} = \frac{f(a) \cdot l(a) + g(a) \cdot h(a)}{g(a) \cdot l(a)}$; here the polynomials f · l + g· h
and g· l are used.
• K is closed under multiplication: $\frac{f(a)}{g(a)} \cdot \frac{h(a)}{l(a)} = \frac{f(a) \cdot h(a)}{g(a) \cdot l(a)}$; here the polynomials f · h and g· l
are used.
• The additive inverse of $\frac{f(a)}{g(a)}$ is $\frac{-f(a)}{g(a)}$; here the polynomials − f and g are used.
• Every nonzero element in K has its multiplicative inverse in K: the inverse of $\frac{f(a)}{g(a)}$ is $\frac{g(a)}{f(a)}$.
Note that f (a) ≠ 0.

Assertion. K is the smallest subfield of C containing a and L.

To show that K is the smallest field containing a and L, we note that any field containing a and
L also contains f (a) for every polynomial f ∈ L [X], since f (a) arises by repeated addition
and multiplication starting from a and elements of L. But if the subfield contains f (a) and
g (a), with nonzero g (a), then it also contains the product of f (a) and the inverse $\frac{1}{g(a)}$, that
is, the quotient $\frac{f(a)}{g(a)}$. In conclusion, the subfield must contain K.

The subfield of C generated by a and the subfield L is often denoted by L (a).

More generally, if K is a field, L a subfield of K and a an element (or set of elements) of K,
then the subfield of K generated by L and a is denoted by L (a).

Example 14.3.37. Let a be the (positive) square root of 2 in R. Thus, a = √2. We will
determine the subfield of R generated by a. Since $a^2 = 2$, for every polynomial f ∈ Q [X], the
number f (a) is of the form c + d· a. So Q (a) consists of the quotients $\frac{c + d \cdot a}{g + h \cdot a}$, with c, d, g, h ∈
Q. These expressions can be simplified even further: multiply numerator and denominator
by g − h· a to conclude that Q (a) = {x + y· a| (x, y) ∈ Q × Q}. In other terms, Q (√2) =
Q + Q· √2.

Remark 14.3.38. The field K is readily seen to be a vector space over L. If there is a polyno-
mial h ∈ L [X] such that h (a) = 0, then K is a finite-dimensional vector space. If there is no
such polynomial, then K is an infinite-dimensional vector space over L. For instance, there is
no polynomial in Q [X] having π as a zero (nontrivial; we give no proof here!), and so K is
infinite-dimensional if a = π and L = Q.

Let R be a domain. On the set of pairs (t, n) from R with n ≠ 0, we define an equivalence
relation eaq (equal as quotient): $((t, n)\ \mathrm{eaq}\ (t', n')) \Leftrightarrow (t \cdot n' = t' \cdot n)$.
We call t the numerator and n the denominator of the pair (t, n). Denote the equivalence class
containing (t, n) by $\frac{t}{n}$, and the set of equivalence classes by Q (R). Addition and multiplica-
tion on these classes are defined as follows:

• addition: $\frac{t}{n} + \frac{s}{m} = \frac{n \cdot s + t \cdot m}{n \cdot m}$;
• zero element: $\frac{0}{1}$;
• multiplication: $\frac{t}{n} \cdot \frac{s}{m} = \frac{t \cdot s}{n \cdot m}$;
• identity element: $\frac{1}{1}$.

It is readily checked that these operations are well defined and that Q (R) is a ring. Even more
is true:

Theorem 14.3.39. Let R be a domain. The structure Q (R), with operations defined
as above, is a field.
This field is called the field of fractions of R.

Proof. The first three parts of the proof suffice to establish that Q (R) is a ring, the last part
that it is a field.
Assertion. [Q (R) , +, 0, x ↦ −x] is an additive group.

Let a, b, c, d, e, f ∈ R, with d, e, f ≠ 0. Then, by associativity of + on R, we have
$$\frac{a}{d} + \left(\frac{b}{e} + \frac{c}{f}\right) = \frac{a}{d} + \frac{b \cdot f + c \cdot e}{e \cdot f} = \frac{a \cdot e \cdot f + b \cdot d \cdot f + c \cdot d \cdot e}{d \cdot e \cdot f} = \frac{a \cdot e + b \cdot d}{d \cdot e} + \frac{c}{f} = \left(\frac{a}{d} + \frac{b}{e}\right) + \frac{c}{f}.$$
We have shown that + is associative on Q (R). We leave the (easier) verifications that $\frac{0}{n}$ is the
zero element, that $\frac{-t}{n}$ is the inverse of $\frac{t}{n}$ and that + is commutative to the reader.
Assertion. [Q (R) , · , 1] is a commutative monoid.

Let a, b, c, d, e, f ∈ R, with d, e, f ≠ 0. Then, by associativity of · on R, we have
$$\left(\frac{a}{d} \cdot \frac{b}{e}\right) \cdot \frac{c}{f} = \frac{a \cdot b}{d \cdot e} \cdot \frac{c}{f} = \frac{(a \cdot b) \cdot c}{(d \cdot e) \cdot f} = \frac{a \cdot (b \cdot c)}{d \cdot (e \cdot f)} = \frac{a}{d} \cdot \frac{b \cdot c}{e \cdot f} = \frac{a}{d} \cdot \left(\frac{b}{e} \cdot \frac{c}{f}\right).$$
We have shown that · is associative on Q (R).
We leave the (easier) verifications that · is commutative and that $\frac{1}{1}$ is the identity element to
the reader.
Assertion. Distributivity.

Let a, b, c, d, e, f ∈ R, with d, e, f ≠ 0. Then, by distributivity of R, we have
$$\frac{a}{d} \cdot \left(\frac{b}{e} + \frac{c}{f}\right) = \frac{a}{d} \cdot \frac{b \cdot f + c \cdot e}{e \cdot f} = \frac{a \cdot b \cdot f + a \cdot c \cdot e}{d \cdot e \cdot f} = \frac{a \cdot d \cdot b \cdot f + a \cdot d \cdot c \cdot e}{d^2 \cdot e \cdot f} = \frac{a \cdot b}{d \cdot e} + \frac{a \cdot c}{d \cdot f} = \frac{a}{d} \cdot \frac{b}{e} + \frac{a}{d} \cdot \frac{c}{f}.$$
We have shown left distributivity. In view of commutativity of ·, there is no need to prove
right distributivity.
Assertion. Each nonzero element of Q (R) has a multiplicative inverse.

Let $\frac{a}{r}$ be a nonzero element of Q (R). Then a is a nonzero element of R and so $\frac{r}{a}$ belongs to
Q (R) and $\frac{a}{r} \cdot \frac{r}{a} = \frac{a \cdot r}{r \cdot a} = \frac{1}{1}$. This establishes that $\frac{a}{r}$ is invertible in Q (R) with inverse $\frac{r}{a}$.

The map R → Q (R), $x \mapsto \frac{x}{1}$, is an injective homomorphism of rings. Thus, R may be viewed
as a subring of Q (R).

Remark 14.3.40. Note that the addition and multiplication of $\frac{t}{n}$ and $\frac{t'}{n'}$, with n and n' nonzero,
is well defined because R is a domain. For, in the product $\frac{t}{n} \cdot \frac{t'}{n'} = \frac{t \cdot t'}{n \cdot n'}$ we have a nonzero
denominator since both n and n' are nonzero. Similarly for addition.

Example 14.3.41 (The integers). The field of fractions of the integers is the field of rational
numbers.

In this case there is a unique representative (t, n) for each class with the properties

• gcd (t, n) = 1;

• n > 0.

It is obtained from an arbitrary representative by dividing both numerator and denominator
by their common gcd, and also by −1 if necessary to obtain a positive denominator.

Example 14.3.42 (The Gaussian integers). Let R = Z + Z· i where i = √−1. We claim
Q (Z + Z· i) = Q + Q· i. For, $\frac{a + b \cdot i}{c + d \cdot i} = \frac{a \cdot c - b \cdot d}{c^2 + d^2} + \frac{a \cdot d + b \cdot c}{c^2 + d^2} \cdot i$.

Example 14.3.43 (Polynomial rings). Let K be a field; then the ring K [X] is a domain, and
we can form its fraction field. This fraction field is denoted by K (X), and called the field of
rational functions over K in X. The elements of this field can be described as $\frac{f(X)}{g(X)}$ with g (X) ≠
0.

Remark 14.3.44. Suppose that we know how to work with elements of a domain R on a com-
puter. Can we work with elements of Q (R)? Clearly, a fraction $\frac{t}{n}$ can be represented by
the pair (t, n), and the given formulas work for defining product and addition in terms of the
operations for R. Equality amongst fractions also requires a computation: $\frac{t}{n} = \frac{t'}{n'}$ is verified
by determining whether t· n' = t'· n holds.
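The representation described in this remark, worked out as an added example (this code is written for this page and is not part of the notes): a fraction of Q (R) is stored as the pair (t, n), equality is the test t· n' = t'· n, and addition, multiplication and inversion are the formulas given above. The construction only uses the ring operations of R, so the same class `Quot` serves R = Z and R = Z [X]; the class names `IntegerDomain`, `PolyDomain`, `Quot` and the function `canonical` (the unique representative of Example 14.3.41) are chosen here.

```python
from math import gcd


class IntegerDomain:
    """The domain Z: the operations the construction of Q(R) needs."""
    zero, one = 0, 1
    add = staticmethod(lambda a, b: a + b)
    mul = staticmethod(lambda a, b: a * b)
    neg = staticmethod(lambda a: -a)


class PolyDomain:
    """The domain Z[X]; a polynomial is a list of int coefficients, lowest
    degree first, without trailing zeros, so that [] is the zero polynomial."""
    zero, one = [], [1]

    @staticmethod
    def trim(p):
        p = list(p)
        while p and p[-1] == 0:
            p.pop()
        return p

    @classmethod
    def add(cls, a, b):
        n = max(len(a), len(b))
        return cls.trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)
                         for i in range(n)])

    @classmethod
    def mul(cls, a, b):
        out = [0] * (len(a) + len(b) - 1) if a and b else []
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                out[i + j] += x * y
        return cls.trim(out)

    @staticmethod
    def neg(a):
        return [-x for x in a]


class Quot:
    """The class of the pair (t, n), n != 0, under eaq: the fraction t/n in Q(R)."""

    def __init__(self, dom, t, n):
        if n == dom.zero:
            raise ZeroDivisionError("the denominator must be nonzero")
        self.dom, self.t, self.n = dom, t, n

    def __eq__(self, other):
        # eaq: (t, n) ~ (t', n')  <=>  t * n' == t' * n, computed in R itself
        d = self.dom
        return d.mul(self.t, other.n) == d.mul(other.t, self.n)

    def __add__(self, other):          # t/n + s/m = (t*m + n*s) / (n*m)
        d = self.dom
        return Quot(d, d.add(d.mul(self.t, other.n), d.mul(self.n, other.t)),
                    d.mul(self.n, other.n))

    def __mul__(self, other):          # t/n * s/m = (t*s) / (n*m)
        d = self.dom
        return Quot(d, d.mul(self.t, other.t), d.mul(self.n, other.n))

    def __neg__(self):                 # -(t/n) = (-t)/n
        return Quot(self.dom, self.dom.neg(self.t), self.n)

    def inverse(self):                 # (t/n)^-1 = n/t, defined when t != 0
        if self.t == self.dom.zero:
            raise ZeroDivisionError("0/1 has no multiplicative inverse")
        return Quot(self.dom, self.n, self.t)


def canonical(q):
    """Over Z only: the unique representative (t, n) with gcd(t, n) = 1 and n > 0."""
    g = gcd(q.t, q.n)
    t, n = q.t // g, q.n // g
    if n < 0:
        t, n = -t, -n
    return (t, n)


if __name__ == "__main__":
    Z = IntegerDomain
    print(Quot(Z, 2, 4) == Quot(Z, 1, 2))              # True: the same class under eaq
    print(canonical(Quot(Z, 6, -4) + Quot(Z, 1, 3)))   # (-7, 6)
    P = PolyDomain
    # 1/X + 1/(X + 1) = (2X + 1)/(X^2 + X) in the field of rational functions
    print(Quot(P, [1], [0, 1]) + Quot(P, [1], [1, 1]) == Quot(P, [1, 2], [0, 1, 1]))
```

Note that `__eq__` never reduces the pair: two representatives of one class compare equal purely through the cross-multiplication test, which is what makes the construction work over a domain such as Z [X] that has no canonical reduced form built in.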

14.4 Fields

Let K be a field. Every subfield of K contains 0 and 1, and so it also contains 1 + ... + 1 and
−1 − 1 − ... − 1.
The subfield therefore contains all integral multiples of 1 and −1 as well as all fractions of
these multiples (as long as the denominator is nonzero). These elements make up a subfield
themselves.

Theorem 14.4.1. A field generated by the empty set (or by 0 and 1), is isomorphic with
Q or Z/pZ for some prime number p. In particular, every field contains a subfield
isomorphic with Q or Z/pZ for some prime number p.

Proof. Let L be the subfield of K generated by the empty set ∅. Then it contains 0 and 1, and
so it is also generated by these two elements. For every positive integer m the element m· 1 =
1 + 1 + ... + 1 (m terms) belongs to L, and therefore also the element (−m) · 1 = −m· 1 =
m· (−1).
Put A = {x ∈ N| (x > 0) ∧ (x· 1 = 0)}. We distinguish according to A being the empty set or
not.

Assertion. If A = ∅, then L is isomorphic to Q.

The map Z → L that sends m to m· 1 is an injective homomorphism. It is easy to see that this
map extends to an injective homomorphism Q → L, $\frac{m}{n} \mapsto \frac{m \cdot 1}{n \cdot 1}$. This map identifies Q with L.
Assertion. If A is not empty, then it contains a smallest positive element p. Then L is isomor-
phic to Z/pZ.

Since 0 and 1 are distinct, p > 1. If p were not prime, then there exist positive integers
b, c < p such that b· c = p. It follows that (b· 1)· (c· 1) = (b· c)· 1 = p· 1 = 0 so that at least one
of b· 1, c· 1 equals 0, contradicting the minimality of p. But then the obvious map Z/pZ → L
is injective and maps Z/pZ isomorphically onto L.

Example 14.4.2 (Usual arithmetic). The ring Q of rational numbers has no proper subfields.
In case of R, C, or any subfield of C, the smallest subfield is Q.

Example 14.4.3 (Modular arithmetic). The field Z/pZ has no smaller subfields.

Example 14.4.4 (Rational fields). Q is the smallest subfield of Q (X) and of R (X).

Example 14.4.5 (Residue class fields). If p is a prime number, Z/pZ is the smallest subfield
of Z/pZ [X] /( f )Z/pZ [X] where f is irreducible in Z/pZ [X].

Example 14.4.6 (The Gaussian numbers). The smallest subfield of Q + Q· i is Q.

We consider the smallest subfield L of K (it is generated by 0 and 1).
Definition 14.4.7. If L is isomorphic with Q, then K is said to have characteristic 0. If L is
isomorphic with Z/pZ, then K is said to have characteristic p.

Example 14.4.8 (Usual arithmetic). The characteristic of R, Q, C, or any subfield of C is 0.

Example 14.4.9 (Modular arithmetic). Of course, Z/pZ has characteristic p.

Example 14.4.10 (Fields of rational functions). If R is a field, then the characteristic of the
field of rational functions R (X) is equal to the characteristic of R.

Example 14.4.11 (Residue class fields). If F is a field and f an irreducible polynomial in F
of positive degree, then the residue class ring F [X] /( f )F [X] is a field whose characteristic
is that of F.

Example 14.4.12 (The Gaussian numbers). The characteristic of Q + Q· i is 0.

By the above theorem, the characteristic of a field is either zero or a prime number.
Let K be a field. The next theorem gives a connection between linear algebra (see the prereq-
uisites) and elements of a field extension.

Theorem 14.4.13. If L is a subfield of the field K, then the following two statements
hold.
(a) K is a vector space over L.
(b) For each x ∈ K, multiplication with x is a linear transformation of this vector
space over L.

Proof.
Assertion. K is a vector space over L.
K is a ring and addition on K is a commutative group structure. Scalar multiplication L ×K →
K is given by ordinary multiplication in K. We need to verify the following laws.

• For x ∈ K, we have 1· x = x; this holds because of the multiplication laws in K.
• Associativity: For x, y ∈ L and z ∈ K, we have (x· y)· z = x· (y· z) simply because K is associa-
tive.
• Distributivity: For x ∈ L and y, z ∈ K, we have x· (y + z) = x· y + x· z simply because of
distributivity in K.
• Distributivity: For x, y ∈ L and z ∈ K, we have (x + y) · z = x· z + y· z again because of
distributivity in K.

Assertion. For each x ∈ K, multiplication with x is a linear transformation of this vector space
over L.

Let x ∈ K. By $L_x$ we denote left multiplication with x on K. The fact that $L_x$ is a linear
transformation of the vector space K over L follows from

• $L_x$ respects vector addition because of distributivity: $L_x (y + z) = x \cdot (y + z) = x \cdot y + x \cdot z = L_x (y) + L_x (z)$ for y, z ∈ K,
• and $L_x$ respects scalar multiplication because of commutativity: $L_x (y \cdot z) = x \cdot (y \cdot z) = y \cdot (x \cdot z) = y \cdot L_x (z)$ for y ∈ L and z ∈ K.

Example 14.4.14 (R ⊂ C). This corresponds to the familiar view of C as the ’complex plane’,
a 2-dimensional vector space over R with basis 1, i.

Example 14.4.15 (Q ⊂ R). This is an infinite-dimensional vector space. For instance, the
numbers √p, for p prime numbers in N, form an infinite set of linearly independent elements.
But not a basis, as elements such as e and π are still not in their linear span.

Example 14.4.16 (Z/2Z ⊂ Z/2Z [X] /($X^2 + X + 1$)). This is the situation described before;
we are dealing here with a 2-dimensional vector space over Z/2Z, and so with a field of 4
elements.

Here is a consequence of the previous theorem for finite fields: their orders form a proper
subset of the natural numbers.

Corollary 14.4.17. If F is a finite field, then there is a prime p and a natural number
n such that $|F| = p^n$.

Proof. By the first theorem of this section, the subfield generated by the empty set is isomor-
phic to Z/pZ for some prime p. By the previous theorem, F inherits the structure of a vector
space over Z/pZ. If the dimension of this vector space is n, then every element of F can
be uniquely represented as a Z/pZ linear combination of n given basis vectors, and so the
number of elements of F is $p^n$.

The fact that, for every prime power, there is a field of that order, has been stated before.
Later we shall prove this as well as the fact that all fields of a given order are isomorphic.
Example 14.4.18. Suppose that K is a field of order 4. Then L = {0, 1} is a subfield of order
2. Take y ∈ K \ L. The theorem tells us that K is a 2-dimensional vector space over L, and so
1, y is a basis of K over L. In particular, there are a, b ∈ L such that $y^2 = a + b \cdot y$. Now consider
the linear transformation x ↦ y· x of K. It has matrix $\begin{pmatrix} 0 & a \\ 1 & b \end{pmatrix}$ with respect to the basis 1, y.
As y must be invertible, we have a ≠ 0. But then a = 1. There remain two possibilities for b.
Suppose b = 0. Then $y^2 = 1$. But from this we deduce $(y + 1)^2 = 0$, and so y + 1 = 0, that
is, y = 1, a contradiction with y ∉ L. Hence b = 1, and so y satisfies $y^2 = y + 1$. We conclude
that K = {0, 1, y, y + 1} with the multiplication determined by the rule $y^2 = y + 1$.
The above argument gives a glimpse of why there is just one field of order 4.
Here is another way of interpreting the result. The element y is a zero of the irreducible
polynomial $X^2 + X + 1$. Thus, it behaves in the same way as the residue of X in the field
L [X] /($X^2 + X + 1$)L [X]. In fact, K is isomorphic with this field.

Many properties of the polynomial ring K [X] discussed before for special fields like K =
Q, R, C and Z/pZ with p a prime, are in fact valid for arbitrary fields K. For instance,

• division with remainder,
• Euclid's algorithm,
• gcd and lcm,
• unique factorization.

Proofs can be copied verbatim, so we shall not repeat them. An important consequence is
that we can compute modulo a polynomial d in K [X] and construct the residue class ring
K [X] /(d)K [X]. This allows us to construct new fields.

Theorem 14.4.19. Let K be a field and d a polynomial in K [X].

(a) The residue class a + (d)K [X] has an inverse in K [X] /(d)K [X] if and only if
gcd (a, d) = 1.
(b) If d is irreducible in K [X], then K [X] /(d)K [X] is a field.

Proof.
Assertion. Part 1.
If the residue class a+(d)K [X] ∈ K [X] /(d)K [X] has inverse b+(d)K [X], then a· b ≡ 1 (mod
d). Hence there is a polynomial p with a· b + p· d = 1.
But that implies that gcd (a, d) = 1.
On the other hand, if gcd (a, d) = 1, then the extended Euclidean algorithm leads to a method
for finding polynomials b and p such that a· b + p· d = 1. But then b represents an inverse of
the residue class a + (d)K [X].
Assertion. Part 2.

By the first statement, every nonzero element in K [X] /(d)K [X] has an inverse.

Example 14.4.20. We take K any field and $d = X^n$ with n > 1. Then the residue class of a
polynomial a is invertible in K [X] /(d)K [X] if and only if $a_1$, the constant term of a, differs
from 0.

Let K be a field. In the sequel we need the following general result, which extends a previous
lemma.

Lemma 14.4.21. Let g ∈ K [X].

(a) If x ∈ K is a zero of g, then X − x divides g.
(b) If g has degree n, then g has at most n zeros in K.

Proof. By parts.
Assertion. If x ∈ K is a zero of g, then X − x divides g.

Computing rem(g, X − x), we find the constant g (x), which is zero by the assumption that x
is a zero of g. Hence X − x divides g.
Assertion. If g has degree n, then g has at most n zeros in K.

By the first part of this lemma, each zero x of g corresponds to a linear factor X − x, and so
distinct zeros correspond to distinct linear factors. Since g has degree n, it can have at most n
distinct linear factors.

Example 14.4.22 (Fewer zeros than the degree). Consider $X^2 + 1$ in Q [X]. Since there is no
element in Q squaring to −1, there are no zeros of $X^2 + 1$ in Q. Since each non-constant
proper divisor of $X^2 + 1$ must have degree 1, the above theorem implies that this polynomial
is irreducible in Q [X].

Example 14.4.23 (The Fundamental Theorem of Algebra). The fundamental theorem of al-
gebra says that every polynomial in C has a zero. Equivalently: every polynomial in C is a
product of linear factors. We shall give no proof of this fact. One reason is that it is hard,
another that we have given no rigorous treatment of C anyway.

Remark 14.4.24 (Converse). Consider $X^3 - X$ ∈ Z/6Z [X]. It has more than 3 zeros in Z/6Z.
Apparently, for the lemma to hold it is essential that the coefficient ring is a domain.

Let K be a field and S a ring. Homomorphisms can be used to construct subfields.

Theorem 14.4.25. Let f : K → S be a ring homomorphism.

(a) The homomorphism f is injective.
(b) The image of f is a subring of S isomorphic to K.
(c) If S = K, then {x ∈ K| f (x) = x} is a subfield of K.

Proof. By parts.
Assertion. The homomorphism f is injective.

Suppose that x ∈ K satisfies f (x) = 0. By an[?] it suffices to show x = 0. If x ≠ 0, then x
is invertible. But then $1 = f(x^{-1} \cdot x) = f(x^{-1}) \cdot f(x) = f(x^{-1}) \cdot 0 = 0$, a contradiction. Hence
x = 0.
Assertion. The image of f is a subring of S isomorphic to K.

This is a direct consequence of the first part.

Assertion. If S = K, then {x ∈ K| f (x) = x} is a subfield of K.

Put L = {x ∈ K| f (x) = x}. Clearly, f (0) = 0 and f (1) = 1, so 0, 1 ∈ L. Suppose that x, y ∈ L.
Then, as f is a homomorphism,

• f (−x) = f (0 − x) = f (0) − f (x) = 0 − x = −x,
• $1 = f(1) = f(x \cdot x^{-1}) = f(x) \cdot f(x^{-1}) = x \cdot f(x^{-1})$, so $f(x^{-1}) = x^{-1}$,
• f (x· y) = f (x) · f (y) = x· y,
• f (x + y) = f (x) + f (y) = x + y,

whence $-x, x^{-1}, x \cdot y, x + y \in L$. This suffices to establish that L is a subfield of K.

Example 14.4.26 (Usual arithmetic). The embeddings of Q in R and of R in C are homo-
morphisms of fields. Complex conjugation is a homomorphism c : C → C. The subfield
{x ∈ C|c (x) = x} coincides with R.

Example 14.4.27 (Modular arithmetic). By definition, for each field K of characteristic p,
there is an injective morphism Z/pZ → K.

Example 14.4.28 (Rational function field). Let R be a field, and h ∈ R [X]. Then the map
R (X) → R (X), $\frac{f(X)}{g(X)} \mapsto \frac{f(h(X))}{g(h(X))}$ is a homomorphism. Its image is the subfield of R (X) of all
fractions of polynomials that can be written as a polynomial in h.

Example 14.4.29 (The Gaussian numbers). On the Gaussian number field Q + Q· i, we have
complex conjugation: c : Q + Q· i → Q + Q· i, a + b· i ↦ a − b· i. The subfield {x ∈ C|c (x) =
x} coincides with Q.

Remark 14.4.30. • A homomorphism of fields is nothing but a homomorphism of the un-
derlying rings. Observe that if x is invertible, a homomorphism of rings takes $x^{-1}$ to the
inverse of the image of x.
• A homomorphism of fields f : K → S need not be surjective, not even when K = S. For
instance, let K and S be the rational functions field Z/2Z (X). Then X is not in the image
of the map $x \mapsto x^2$.
• If K is finite and of characteristic p, then, by the pigeon hole principle, the homomorphism
$x \mapsto x^p$ is surjective and hence an isomorphism.
• In fact, the fixed points of a homomorphism R → R of rings also form a subring of R.

The subfield in Part 3 of Theorem on Field Homomorphisms (14.4.25) is called the fixed field
of the homomorphism f . A fixed point of f is an element x ∈ K such that f (x) = x. Thus, the
fixed field of f consists of all fixed points of f .
We apply the above result to the case where K has positive characteristic.

Theorem 14.4.31. Suppose that K is a field of characteristic p > 0. Let L be the
smallest subfield of K (isomorphic to Z/pZ) and let q be a power of p. Then the
following statements hold.

(a) $(x + y)^q = x^q + y^q$ for all x, y ∈ K.
(b) The map $x \mapsto x^q$ is a homomorphism K → K.
(c) For each g ∈ L [X], we have $g(X^p) = (g(X))^p$.
(d) The subset $\{x \in K \mid x^q = x\}$ is a finite subfield of K.
(e) $\{x \in K \mid x^p = x\} = L$.

Proof. By parts:
Assertion. $(x + y)^q = x^q + y^q$ for all x, y ∈ K.

By Newton's binomium, and the fact that all but the two extreme binomial coefficients are
zero, $(x + y)^p = x^p + y^p$. To prove the equation with q instead of p, we can use induction
on the number a such that $q = p^a$. Above we have established the case a = 1. Suppose we
have dealt with the case a − 1. Then, using the induction hypothesis and $\frac{q}{p} = p^{a-1}$, we find
$$(x + y)^q = \left((x + y)^p\right)^{\frac{q}{p}} = \left(x^p + y^p\right)^{\frac{q}{p}} = x^q + y^q.$$

Assertion. The map $x \mapsto x^q$ is a homomorphism K → K.

We need to verify:

• $(x \cdot y)^q = x^q \cdot y^q$.
• $(x + y)^q = x^q + y^q$.
• $0^q = 0$, $1^q = 1$.

The first and third statement are obvious. The second has just been proved in Part 1 and the
fact that $x^p = x$ for x ∈ Z/pZ (known as Fermat's Little Theorem (10.3.1)).
Assertion. For each g ∈ L [X], we have $g(X^p) = (g(X))^p$.

$x \mapsto x^q$ is a homomorphism by Part 2.
Assertion. The subset $\{x \in K \mid x^q = x\}$ is a finite subfield of K.

The subfield result follows from the Theorem on Field Homomorphisms (14.4.25). Finiteness
follows from Zeros of Polynomials (14.4.21).

Assertion. $\{x \in K \mid x^p = x\} = L$.

Write $M = \{x \in K \mid x^p = x\}$. By Part 4, M is a subfield of K. Clearly, the smallest subfield
L of K is contained in M, so we only need show that M has no more than p elements. But
elements of M are zeros of the polynomial $X^p - X$, and so there are at most p solutions by
Zeros of Polynomials (14.4.21).

Example 14.4.32. Consider the polynomial $f = X^4 + X + 1$ ∈ Z/2Z [X]. Since it is irre-
ducible, the residue class ring K = Z/2Z [X] /( f )Z/2Z [X] is a field. It has order 16. The
map $x \mapsto x^4$ is a homomorphism K → K. We wish to determine its fixed field $M = \{x \in K \mid x^4 = x\}$. Put y = X + ( f )K [X]. Suppose $g = a \cdot y^3 + b \cdot y^2 + c \cdot y + d \in M$. Then, using
$y^4 = y + 1$, $y^8 = y^2 + 1$, and $y^{12} = (y + 1) \cdot (y^2 + 1) = y^3 + y^2 + y + 1$, we find
$$g^4 = a \cdot y^3 + (a + b) \cdot y^2 + (a + c) \cdot y + (a + b + c + d).$$
From $g^4 = g$ we derive a = 0, b = c. Thus, $M = \{0, 1, y^2 + y, y^2 + y + 1\}$, a subfield of order 4.
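The same computation done by machine, as an added example that also covers Theorem 14.4.19, Example 14.4.20 and the field of order 4 of Example 14.4.18 (this code is written for this page and is not taken from the notes): polynomials over Z/pZ are coefficient lists, lowest degree first; inverses modulo d come from the extended Euclidean algorithm exactly as in the proof of Theorem 14.4.19; and K = (Z/pZ)[X]/(d) is small enough to enumerate, so the fixed field of x ↦ x^q is read off directly. The function names (`inverse_mod`, `is_field`, `fixed_field`, and so on) are chosen here, and p is assumed prime throughout.

```python
from itertools import product


def trim(a):
    """Drop trailing zero coefficients; [] represents the zero polynomial."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_add(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])


def poly_sub(a, b, p):
    return poly_add(a, [(-c) % p for c in b], p)


def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def poly_divmod(a, b, p):
    """Division with remainder in (Z/pZ)[X]; b nonzero, p prime."""
    a, b = trim(a), trim(b)
    inv_lead = pow(b[-1], p - 2, p)           # inverse of the leading coefficient of b
    q, r = [0] * max(len(a) - len(b) + 1, 1), a
    while r and len(r) >= len(b):
        coef, shift = (r[-1] * inv_lead) % p, len(r) - len(b)
        q[shift] = coef                       # cancel the leading term of r with coef * X^shift * b
        r = trim([(r[i] - coef * b[i - shift]) % p if i >= shift else r[i] for i in range(len(r))])
    return trim(q), r


def poly_ext_gcd(a, b, p):
    """Extended Euclid: (g, s, t) with s*a + t*b = g = gcd(a, b), g made monic."""
    r0, r1, s0, s1, t0, t1 = trim(a), trim(b), [1], [], [], [1]
    while r1:
        q, r = poly_divmod(r0, r1, p)
        r0, r1 = r1, r
        s0, s1 = s1, poly_sub(s0, poly_mul(q, s1, p), p)
        t0, t1 = t1, poly_sub(t0, poly_mul(q, t1, p), p)
    if r0:
        inv = pow(r0[-1], p - 2, p)
        r0, s0, t0 = (trim([(c * inv) % p for c in v]) for v in (r0, s0, t0))
    return r0, s0, t0


def inverse_mod(a, d, p):
    """Inverse of the class a + (d) in (Z/pZ)[X]/(d), or None when gcd(a, d) != 1."""
    g, s, _ = poly_ext_gcd(a, d, p)
    return poly_divmod(s, d, p)[1] if g == [1] else None


def mul_mod(a, b, d, p):
    return poly_divmod(poly_mul(a, b, p), d, p)[1]


def pow_mod(a, e, d, p):
    """a^e in (Z/pZ)[X]/(d) by square-and-multiply."""
    result, base = [1], poly_divmod(a, d, p)[1]
    while e:
        if e & 1:
            result = mul_mod(result, base, d, p)
        base, e = mul_mod(base, base, d, p), e >> 1
    return result


def elements(d, p):
    """All residue classes modulo d: the polynomials of degree < deg d."""
    return [trim(c) for c in product(range(p), repeat=len(trim(d)) - 1)]


def is_field(d, p):
    """(Z/pZ)[X]/(d) is a field iff every nonzero class is invertible, i.e. iff d is irreducible."""
    return all(inverse_mod(x, d, p) is not None for x in elements(d, p) if x)


def fixed_field(d, p, q):
    """The fixed field {x in K | x^q = x} of the homomorphism x -> x^q of K = (Z/pZ)[X]/(d)."""
    return [x for x in elements(d, p) if pow_mod(x, q, d, p) == x]


def frobenius_is_additive(d, p, q):
    """Check (x + y)^q == x^q + y^q for all x, y in K, q a power of p."""
    E = elements(d, p)
    return all(pow_mod(poly_add(x, y, p), q, d, p)
               == poly_add(pow_mod(x, q, d, p), pow_mod(y, q, d, p), p) for x in E for y in E)


if __name__ == "__main__":
    F16 = [1, 1, 0, 0, 1]                     # f = X^4 + X + 1 over Z/2Z; K = Z/2Z[X]/(f) has 16 elements
    print(is_field(F16, 2))                   # True
    print(fixed_field(F16, 2, 4))             # [[], [0, 1, 1], [1], [1, 1, 1]]: 0, y^2 + y, 1, y^2 + y + 1
    print(inverse_mod([0, 1], F16, 2))        # [1, 0, 0, 1]: the inverse of y is y^3 + 1
```

With d = X^2 + 1 the same code confirms Example 14.3.27 (a field for p = 3, but not for p = 5, where X^2 + 1 = (X + 2)(X + 3)), and with d = X^n it reproduces Example 14.4.20: a class is invertible exactly when its constant term is nonzero, since that is when gcd(a, X^n) = 1.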

Remark 14.4.33. Part 3 need not hold if we replace L by an arbitrary field of characteristic p.
For instance, let L be the rational function field Z/pZ (Y ). Then the polynomial g (X) = Y · X
satisfies $(g(X))^p = (Y \cdot X)^p = Y^p \cdot X^p$ whereas $g(X^p) = Y \cdot X^p$.

Remark 14.4.34. If K is finite, of order say q, it may happen that, for different powers r, s of
p, the maps $x \mapsto x^r$ and $x \mapsto x^s$ are identical. For instance, $r = 1 = p^0$ and s = q both represent
the identity on K.

Definition 14.4.35. Complex numbers that are zeros of nonzero polynomials in Q are called
algebraic.

Example 14.4.36 (√3). Clearly, √3 is a zero of $X^2 - 3$. So it is algebraic.

Example 14.4.37 ($e^{2 \pi i/5}$). $e^{2 \pi i/5}$ is a zero of $X^5 - 1$. But it is not a zero of the linear factor
X − 1, so it is a zero of the quotient: $X^4 + X^3 + X^2 + X + 1$.

Example 14.4.38 ($2 \cdot \cos\frac{2 \pi}{5}$). The number $2 \cdot \cos\frac{2 \pi}{5}$ is equal to $e^{2 \pi i/5} + e^{-2 \pi i/5}$ and also
to $\frac{-1 + \sqrt{5}}{2}$. Put $a = e^{2 \pi i/5}$. Then, as we have seen in the previous example,
$a^4 + a^3 + a^2 + a + 1 = 0$. Multiply by $a^{-2}$ and replace $a^2 + a^{-2}$ by $(a + a^{-1})^2 - 2$. Then we have
$(a + a^{-1})^2 - 2 + a + a^{-1} + 1 = 0$, from which we conclude that $2 \cdot \cos\frac{2 \pi}{5} = a + a^{-1}$
is a zero of $X^2 + X - 1$.

Remark 14.4.39. • Note that a polynomial of C [X] lies in Q [X] if and only if it has rational
coefficients.
• An algebraic number is characterised by the fact that it generates a subfield of C that is
finite-dimensional, when viewed as a vector space over Q. For instance, e and π are known
not to be algebraic (although the proof is not easy).
• If a is algebraic, then there is a polynomial of minimal degree of which a is a zero. For, if
f and g are both nonzero polynomials of which a is a zero, then so is gcd ( f , g).
• The notion of algebraic element exists for any field K with a subfield L: an element of K is
called algebraic over L if it is a zero of a nonzero polynomial in K.

If x is algebraic, then Q (x) has finite dimension as a vector space over Q. The converse is
also true.

Theorem 14.4.40. The set of all algebraic numbers in C is a subfield of C.

Remark 14.4.41. The crux of the matter is the following fact: Given two polynomials f , g ∈
Q [X], there are polynomials h, k ∈ Q [X], such that

• the sum of each root of f and each root of g is a root of h,
• the product of each root of f and each root of g is a root of k.

The proof of these statements is beyond the scope of these notes. But constructions of such
polynomials were given in several examples.
Example 14.4.42 (√3 + 1). The number √3 + 1 is a zero of the polynomial $X^2 - 2 \cdot X - 2$.

Example 14.4.43 (√3 + √2). √3 + √2 is a zero of the polynomial $X^4 - 10 \cdot X^2 + 1$.

We show how to find such a polynomial for a = √3 + √2.

We look for a Q-linear relation between the powers of a. First form $a^2 = 5 + 2 \cdot \sqrt{6}$. The
three elements $1, a, a^2$ are written as Q-linear combinations of the independent elements
$1, \sqrt{2}, \sqrt{3}, \sqrt{6}$. Because we cannot yet expect a linear relation, we calculate the next power:
$a^3 = 9 \cdot \sqrt{3} + 11 \cdot \sqrt{2}$. Still no linear relation, so we continue: $a^4 = 49 + 20 \cdot \sqrt{6}$. But now
$a^4 = 10 \cdot a^2 - 1$, so a is a root of $X^4 - 10 \cdot X^2 + 1 = 0$.

Example 14.4.44 ($2^{1/3} + 2^{1/2}$). The number $2^{1/3} + 2^{1/2}$ is a zero of the polynomial $X^6 - 6 \cdot X^4 -
4 \cdot X^3 + 12 \cdot X^2 - 24 \cdot X - 4$.

We show how to find a polynomial of which $b = \sqrt[3]{2} + \sqrt{2}$ is a root. Computing powers of
b, we find Q-linear combinations of powers of $2^{1/6}$. Therefore, we determine a 7 × 6 matrix
whose rows are the powers of b, written out with respect to the basis $1, 2^{1/6}, \ldots, 2^{5/6}$:

$$\begin{pmatrix}
1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 1 \\
0 & 0 & 2 & 0 & 0 & 0 \\
1 & 2 & 2 & 6 & 6 & 2 \\
0 & 0 & 4 & 0 & 2 & 8 \\
1 & 2 & 8 & 4 & 0 & 4 \\
0 & 2 & 0 & 4 & 1 & 0
\end{pmatrix} \qquad (14.2)$$

Next, we look for a linear relation between the rows. This amounts to finding a vector in the
kernel of the transposed matrix. As a row vector, this is (−4, −24, 12, −4, −6, 0, 1), which
means that the polynomial $f = X^6 - 6 \cdot X^4 - 4 \cdot X^3 + 12 \cdot X^2 - 24 \cdot X - 4$ is as required. It is
straightforward now to verify f (b) = 0.
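The search for the relation, carried out in exact arithmetic as an added example (this code is written for this page and is not part of the notes): an element of Q(2^{1/6}) is stored as its coordinate vector on the basis 1, 2^{1/6}, ..., 2^{5/6}, multiplication reduces with (2^{1/6})^6 = 2, and the powers 1, b, b^2, ... are generated one at a time and reduced against the earlier ones, so the first power that becomes a Q-linear combination of its predecessors yields the kernel vector of the transposed power matrix without writing the matrix out. This also gives the relation of lowest degree, so elements of smaller degree such as √2 + 1 or 2^{1/3} are handled as well. The names `mul`, `element`, `minimal_polynomial` and `evaluate` are chosen here.

```python
from fractions import Fraction

DEG = 6   # t = 2^(1/6) satisfies t^6 = 2, so 1, t, ..., t^5 is a basis of Q(t) over Q


def mul(u, v):
    """Product of two elements of Q(t), both given as coefficient vectors of length DEG."""
    acc = [Fraction(0)] * (2 * DEG - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            acc[i + j] += a * b
    out = acc[:DEG]
    for k in range(DEG, 2 * DEG - 1):     # reduce with t^6 = 2: t^(6 + k) = 2 * t^k
        out[k - DEG] += 2 * acc[k]
    return out


def add(u, v):
    return [a + b for a, b in zip(u, v)]


def element(**coords):
    """Build an element from its coordinates, e.g. element(t2=1, t3=1) is t^2 + t^3."""
    vec = [Fraction(0)] * DEG
    for name, coef in coords.items():
        vec[int(name[1:])] = Fraction(coef)
    return vec


def minimal_polynomial(x):
    """Monic polynomial of least degree over Q with x as a zero, as coefficients c_0, ..., c_d.

    The powers 1, x, x^2, ... are reduced against an echelon basis as they are produced;
    each basis vector remembers which combination of powers it is, so the first power
    that reduces to zero hands back the Q-linear relation between the powers of x."""
    basis = []                            # triples (reduced vector, combination of powers, pivot column)
    power, k = element(t0=1), 0
    while True:
        vec, comb = list(power), [Fraction(0)] * k + [Fraction(1)]
        for bvec, bcomb, piv in basis:    # eliminate pivot columns in insertion order
            if vec[piv] != 0:
                f = vec[piv] / bvec[piv]
                vec = [a - f * b for a, b in zip(vec, bvec)]
                bcomb = bcomb + [Fraction(0)] * (k + 1 - len(bcomb))
                comb = [a - f * b for a, b in zip(comb, bcomb)]
        if all(v == 0 for v in vec):
            return comb                   # sum comb[i] * x^i == 0 and comb[k] == 1
        basis.append((vec, comb, next(i for i, v in enumerate(vec) if v != 0)))
        power, k = mul(power, x), k + 1


def evaluate(coeffs, x):
    """Horner evaluation of a polynomial over Q at an element of Q(t)."""
    acc = [Fraction(0)] * DEG
    for c in reversed(coeffs):
        acc = mul(acc, x)
        acc[0] += c
    return acc


CBRT2 = element(t2=1)                     # 2^(1/3) = t^2
SQRT2 = element(t3=1)                     # 2^(1/2) = t^3
B = add(CBRT2, SQRT2)                     # b = 2^(1/3) + 2^(1/2), the element of the text

if __name__ == "__main__":
    print(minimal_polynomial(B))          # [-4, -24, 12, -4, -6, 0, 1]: X^6 - 6X^4 - 4X^3 + 12X^2 - 24X - 4
    print(evaluate(minimal_polynomial(B), B) == [0] * DEG)   # True: f(b) = 0
```

Because the arithmetic uses `Fraction`, the result is exact; floating-point would make the zero test `all(v == 0 for v in vec)` unreliable.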

14.5 Ideals
Ideals appear in the study of ring homomorphisms. They are very useful in the study of
polynomial equations, and in the construction of rings by means of residue classes, in much
the same way we have seen them come about in modular and polynomial arithmetic. As
before, we only consider commutative rings. So, let R be a commutative ring.
Definition 14.5.1 (Definition of Ideal). A nonempty subset I of R is an ideal of R if, for all
a, b ∈ I and all r ∈ R we have a + r· b ∈ I.
An equivalent definition for I to be an ideal is the following:

• 0 ∈ I;
• for all a ∈ I and b ∈ I we have a + b ∈ I;
• for all a ∈ I and r ∈ R we have r· a ∈ I;

Example 14.5.2 (Usual arithmetic). In the ring of integers Z, the subset n·Z of all multiples of n is an ideal: if a·n and b·n are multiples of n, then a·n + b·n = (a + b)·n is a multiple of n. If furthermore r is in Z and a·n is a multiple of n, then r·(a·n) = (r·a)·n is a multiple of n.

Example 14.5.3 (Modular arithmetic). In the ring Z/nZ, where n is a multiple of m ∈ Z, the set of all residue classes of multiples of m is an ideal of Z/nZ, denoted again by (m)Z/nZ or by m·Z/nZ.

Example 14.5.4 (Polynomial rings). In the polynomial ring R[X], the multiples of a given polynomial f form an ideal.
In Z[X] the subset {f ∈ Z[X] | f(2) = 0} is an ideal:

• if f(2) = 0 and g(2) = 0, then (f + g)(2) = f(2) + g(2) = 0 + 0 = 0, and
• if f(2) = 0 and r is an element of Z[X], then (r·f)(2) = r(2)·f(2) = 0.

Example 14.5.5 (Residue class rings). In the residue class ring R[X]/(f)R[X], the set of all multiples of the residue class of a divisor g of f is an ideal, denoted by (g)R[X]/(f)R[X] or g·R[X]/(f)R[X].

Example 14.5.6 (The Gaussian integers). In the ring R = Z + Z·i, the set of all elements a + b·i with a ≡ b (mod 2) is an ideal.

Remark 14.5.7. Suppose R is a non-commutative ring. Then there are three notions of ideal:

• Left ideal: A nonempty subset I of R such that, for all a, b ∈ I and all r ∈ R, we have a + b ∈ I and r·a ∈ I.
• Right ideal: A nonempty subset I of R such that, for all a, b ∈ I and all r ∈ R, we have a + b ∈ I and a·r ∈ I.
• Two-sided ideal: A subset of R that is both a left and a right ideal.

Each ideal contains 0. The subsets {0} and R of R are both ideals of R.
If a subset V of R is contained in an ideal I, then every combination r_1·v_1 + r_2·v_2 + ... + r_n·v_n, with r_1, r_2, ..., r_n ∈ R and v_1, v_2, ..., v_n ∈ V, also belongs to I. In fact, all these combinations form an ideal themselves.

Theorem 14.5.8. Let V be a nonempty subset of R. The subset of R consisting of all combinations of the form r_1·v_1 + r_2·v_2 + ... + r_n·v_n with r_1, ..., r_n ∈ R and v_1, ..., v_n ∈ V, is an ideal of R.

Proof. Let M be the indicated subset of R. We show that M satisfies the three defining properties of an ideal.

Assertion. 0 ∈ M.
Taking n = 1, r_1 = 0, and v_1 any element of V, we find 0 = r_1·v_1 to be an element of M.

Assertion. If x, y ∈ M, then x + y ∈ M.
Suppose that r = r_1·v_1 + r_2·v_2 + ... + r_n·v_n and s = s_1·w_1 + s_2·w_2 + ... + s_m·w_m are elements of M, with all v_i and w_j in V. Then r + s = r_1·v_1 + r_2·v_2 + ... + r_n·v_n + s_1·w_1 + s_2·w_2 + ... + s_m·w_m is again a combination of elements of V with coefficients in R, and so belongs to M.

Assertion. For each r ∈ R and m ∈ M, we have r·m ∈ M.
If m = r_1·v_1 + r_2·v_2 + ... + r_n·v_n is an element of M, with v_i ∈ V, then for r ∈ R, we have r·m = (r·r_1)·v_1 + (r·r_2)·v_2 + ... + (r·r_n)·v_n, which is again of the required form and so belongs to M.

Example 14.5.9. Let a ∈ R and put V = {a}. The ideal of the theorem is the set of all multiples of a; in formula: {r·a | r ∈ R}. In the cases R = Z and R = Q, these are exactly the elements equivalent to 0 modulo a. We shall see shortly that this is no coincidence. Notation: a·R or (a)R, as usual for, e.g., R = Z and Q[X].

Example 14.5.10. Different sets of generators V may lead to the same ideal. For example, take V = {X^2·Y − 1, X·Y^2 − 1} and W = {X − Y, X^3 − 1} in the ring R = Q[X,Y]. Then {V}R = {W}R. To see this, we write X − Y = Y·(X^2·Y − 1) − X·(X·Y^2 − 1) and X^3 − 1 = (X^2·Y + 1)·(X^2·Y − 1) − X^3·(X·Y^2 − 1), from which we derive that W is contained in {V}R, which implies that {W}R is contained in {V}R.
Conversely, X^2·Y − 1 = −X^2·(X − Y) + (X^3 − 1) and X·Y^2 − 1 = −(X·Y + X^2)·(X − Y) + (X^3 − 1), so V is contained in {W}R, whence the equality {V}R = {W}R.

Example 14.5.11. Suppose that v_1, ..., v_n ∈ R[X,Y] are polynomials. Then v_1(x, y) = ... = v_n(x, y) = 0 is a set of equations with unknowns x, y ∈ R. Now, for any polynomial f in the ideal {v_1, ..., v_n}R[X,Y] generated by v_1, ..., v_n, we also have f(x, y) = 0 for every solution (x, y). The reason is that f, being in {v_1, ..., v_n}R[X,Y], can be written as r_1·v_1 + r_2·v_2 + ... + r_n·v_n for suitable r_1, ..., r_n ∈ R[X,Y], so that f(x, y) = r_1(x, y)·v_1(x, y) + r_2(x, y)·v_2(x, y) + ... + r_n(x, y)·v_n(x, y) = 0.
This means that we can try to derive a lot of "easier" equations from the given ones as a first step to solving the set of equations. For example, suppose that we have v_1 = X^2·Y − 1 and v_2 = X·Y^2 − 1, so that the system of equations is x^2·y = 1, x·y^2 = 1. Then also f = Y·v_1 − X·v_2 = X − Y belongs to the ideal generated by v_1 and v_2, and so we also have x = y. Substituting this result in v_2(x, y) = 0, we find x^3 = 1, which is readily solved.
Of course, ad hoc methods may lead to the same result here. The indicated method, however, is part of an algorithm that works in all cases to bring the set of equations into a better form.

Remark 14.5.12. If V is a subset of R, then the ideal generated by V could also be defined as the intersection of all ideals containing V.
To see that the ideal defined in the theorem is exactly that, note that, if I is an ideal containing V, then I contains every combination r_1·v_1 + ... + r_n·v_n with r_i ∈ R and v_i ∈ V, so I contains the ideal of the theorem. This implies that this ideal is contained in the intersection of all ideals containing V. On the other hand, the ideal defined in the theorem clearly contains V, so it is itself one of the ideals being intersected, and so it coincides with the intersection.

It is called the ideal generated by V. Notation: {V}R (or, for V = {a}, (a)R as in Example 14.5.9).


Let R be a ring. Just like with subrings and submonoids, we can also describe generation of ideals by means of intersections.

Theorem 14.5.13. If C is a collection of ideals of R, then ∩_{c∈C} c is also an ideal of R.

Proof. Write M = ∩_{c∈C} c. We verify three criteria that suffice for M to be an ideal.

Assertion. 0 ∈ M.
Each c ∈ C is an ideal and so contains 0. Hence 0 ∈ ∩_{c∈C} c, and so 0 ∈ M.

Assertion. If x, y ∈ M, then x + y ∈ M.
Each c ∈ C is an ideal containing both x and y, whence also x + y. So x + y ∈ ∩_{c∈C} c = M.

Assertion. For each r ∈ R and m ∈ M, we have r·m ∈ M.
Each c ∈ C is an ideal containing m and hence r·m. Therefore ∩_{c∈C} c = M also contains r·m.

Example 14.5.14 (Usual arithmetic). In the ring of integers Z, the intersection of the ideals m·Z and n·Z, for given integers m, n, is the ideal generated by lcm(m, n). For, this is clear if at least one of m, n is zero. Otherwise, if a ∈ (m)Z ∩ (n)Z, then a is a multiple of both m and n, and hence also of lcm(m, n). Thus, a is in the ideal {lcm(m, n)}Z. This proves that the intersection (m)Z ∩ (n)Z is contained in the ideal {lcm(m, n)}Z. The other inclusion is obvious.

Example 14.5.15 (Modular arithmetic). In the ring Z/nZ, the intersection of the ideals (g)Z/nZ and (h)Z/nZ is (lcm(g, h))Z/nZ.
This follows by a reasoning similar to that used in the previous Example 14.5.14.

Example 14.5.16 (Polynomial rings). Just as for integers, the intersection of (f)R[X] and (g)R[X] is (lcm(f, g))R[X].

Example 14.5.17 (Residue class rings). Let d be a polynomial in R[X]. In the residue class ring R[X]/(d)R[X], just as for modular arithmetic, the intersection of (f)R[X]/(d)R[X] and (g)R[X]/(d)R[X] is (lcm(f, g))R[X]/(d)R[X].

Example 14.5.18 (The Gaussian integers). In the ring R = Z + Z·i, the intersection of the ideals (1 + i)R and (2)R is (2)R: as 2 = (1 − i)·(1 + i), every multiple of 2 is already a multiple of 1 + i, so (2)R is contained in (1 + i)R.

Suppose that V is a subset of R. We claim that {V}R, the ideal generated by V, coincides with M, the intersection over all ideals containing V. As noted (14.5.8), the ideal {V}R is contained in M. But also, {V}R contains V, so it is one of the ideals over which the intersection forming M is taken, so M is contained in {V}R. Thus, {V}R = M.
In a ring R, the complete ring itself is an ideal.
The following is a characterization of this special ideal.

Theorem 14.5.19 (Characterization of the ring as an ideal). Suppose that I is an ideal of R. The following are equivalent.
(a) I = R.
(b) 1 ∈ I.
(c) I contains an invertible element.
(d) There are v_1, ..., v_n ∈ I and r_1, ..., r_n ∈ R such that 1 = r_1·v_1 + ... + r_n·v_n.

Proof.
Assertion. (a) implies (b).
Suppose I = R. Then obviously, as 1 ∈ R, also 1 ∈ I.
Assertion. (b) implies (c).
Clearly, 1 is an invertible element of I.
Assertion. (c) implies (d).
Assume that v is an element of I with inverse r. Then 1 = r·v is an expression as required in (d).
Assertion. (d) implies (a).
Suppose that (d) holds: there are v_1, v_2, ..., v_n ∈ I and r_1, r_2, ..., r_n ∈ R such that 1 = r_1·v_1 + r_2·v_2 + ... + r_n·v_n. By Theorem 14.5.8, the right-hand side belongs to I. As this expression is equal to 1, the identity element also belongs to I. Since I contains 1, it contains r·1 = r for every r ∈ R, so I = R.

Example 14.5.20. Let R be a field and I an ideal of R distinct from 0. Then there is an element in I \ {0}, which must be invertible (as R is a field). By the theorem, I = R. We conclude that in fields there are no proper nonzero ideals.

Example 14.5.21. Suppose that v_1, v_2, ..., v_n ∈ R[X,Y] are polynomials and consider the corresponding set of equations (cf. the Characterization of the ring as an ideal (14.5.19))
v_1(x, y) = v_2(x, y) = ... = v_n(x, y) = 0 with unknowns x, y ∈ R.
If 1 belongs to the ideal generated by the v_i, then there are no solutions. For then 1 can be written as r_1·v_1 + r_2·v_2 + ... + r_n·v_n for suitable r_1, r_2, ..., r_n ∈ R[X,Y], so that the existence of a solution (x, y) ∈ R^2 would lead to 1 = r_1(x, y)·v_1(x, y) + r_2(x, y)·v_2(x, y) + ... + r_n(x, y)·v_n(x, y) = 0, a contradiction.
For example, suppose that we have v_1 = X^2·Y − 1, v_2 = X·Y^2 − 1, v_3 = X − Y − 1. Then also 1 = Y·v_1 − X·v_2 − v_3 belongs to the ideal generated by v_1, v_2, v_3, and so the system x^2·y = 1, x·y^2 = 1, x − y = 1 has no solutions.

We encountered generation as a means of constructing ideals. Here we discuss two more ways of obtaining ideals. Let R be a commutative ring. For subsets X and Y of R, the sum X + Y is the subset {a + b | (a, b) ∈ X × Y} of R.

Theorem 14.5.22. If I and J are ideals of R, then the sum I + J is an ideal of R.

Proof. We verify the three laws for I + J to be an ideal.

Assertion. 0 ∈ I + J.
Clearly, 0 = 0 + 0 ∈ I + J.

Assertion. If u, u′ ∈ I + J, then u + u′ ∈ I + J.
Suppose u, u′ ∈ I + J. Then there are x, x′ ∈ I and y, y′ ∈ J such that u = x + y and u′ = x′ + y′. By commutativity of +, we find u + u′ = (x + x′) + (y + y′) ∈ I + J.

Assertion. If r ∈ R and u ∈ I + J, then r·u ∈ I + J.
Suppose r ∈ R and u = x + y ∈ I + J with x ∈ I and y ∈ J. Then r·u = r·x + r·y ∈ I + J.

Example 14.5.23 (Usual arithmetic). In the ring of integers Z, the sum of the ideals (m)Z and (n)Z, for given integers m, n, is the ideal (gcd(m, n))Z. To see this, let a and b be integers such that a·m + b·n = gcd(m, n) (they can be found by means of the Extended Euclidean Algorithm (9.2.5)). This equality shows that gcd(m, n), and therefore every multiple of it, belongs to the ideal generated by m and n. This shows that the ideal (gcd(m, n))Z is contained in the ideal (m)Z + (n)Z. On the other hand, every element c·m + d·n of the sum ideal (m)Z + (n)Z is a multiple of gcd(m, n), since both m and n are multiples of this gcd.

Example 14.5.24 (Modular arithmetic). Fix an integer d > 1. Suppose m, n are integers representing residue classes of the ring Z/dZ. If m and n divide d, then the sum of the ideals (m)Z/dZ and (n)Z/dZ of Z/dZ is the ideal (gcd(m, n))Z/dZ.

Example 14.5.25 (Polynomial rings). Just as for integers, in the polynomial ring R[X], with R a field, the sum of the ideals (f)R[X] and (g)R[X] equals the ideal (gcd(f, g))R[X] whenever f, g ≠ 0.

Example 14.5.26 (Residue class rings). Let d be a polynomial in R[X], where R is a field. In the residue class ring R[X]/(d)R[X], just as for modular arithmetic, the sum of (f)R[X]/(d)R[X] and (g)R[X]/(d)R[X] is (gcd(f, g))R[X]/(d)R[X].

Example 14.5.27 (The Gaussian integers). In the ring R = Z + Z·i, the sum of the ideals (1 + i)R and (1 − i)R is (1 + i)R, as 1 − i = (−i)·(1 + i).

Remark 14.5.28. The ideal I + J can also be described as the ideal generated by I and J.

Let S also be a commutative ring. The kernel of a homomorphism f : R → S is the subset {x ∈ R | f(x) = 0} of R.

Theorem 14.5.29 (The Kernel of a Ring Homomorphism is an Ideal). If f : R → S is a homomorphism of rings, then the kernel Ker(f) is an ideal of R.

Proof. We verify the three laws for Ker(f) to be an ideal:

Assertion. 0 ∈ Ker(f).
Clearly, f(0) = 0, so 0 ∈ Ker(f).

Assertion. If u, v ∈ Ker(f), then u + v ∈ Ker(f).
Suppose u, v ∈ Ker(f). Then f(u + v) = f(u) + f(v) = 0 + 0 = 0, so u + v ∈ Ker(f).

Assertion. If r ∈ R and u ∈ Ker(f), then r·u ∈ Ker(f).
Suppose r ∈ R and u ∈ Ker(f). Then f(r·u) = f(r)·f(u) = f(r)·0 = 0, so r·u ∈ Ker(f).
Example 14.5.30 (Usual arithmetic). The kernel of the natural homomorphism Z → Z/mZ is the ideal (m)Z.

Example 14.5.31 (Modular arithmetic). If m divides n, then there is a homomorphism Z/nZ → Z/mZ, x + (n)Z ↦ x + (m)Z. Its kernel is the ideal generated by the residue class of m.

Example 14.5.32 (Polynomial rings). Fix x ∈ Q. The kernel of the homomorphism Q[X] → Q, f(X) ↦ f(x) is the ideal generated by X − x. Prove this!

Example 14.5.33 (Residue class rings). Just like the modular arithmetic case: if f, g are polynomials in Q[X] such that g divides f, then there is a homomorphism Q[X]/(f)Q[X] → Q[X]/(g)Q[X], h + (f)Q[X] ↦ h + (g)Q[X]. Its kernel is generated by the residue class of g.

Example 14.5.34 (The Gaussian integers). The map f : Z + Z·i → Z/2Z, a + b·i ↦ a + b (mod 2) is a homomorphism. Check:

• f(1) = f(1 + 0·i) = 1 + 0 = 1.
• f((a + b·i) + (c + d·i)) = (a + c) + (b + d) = f(a + b·i) + f(c + d·i).
• f((a + b·i)·(c + d·i)) = f(a·c − b·d + (a·d + b·c)·i) = a·c − b·d + a·d + b·c ≡ a·c + b·d + a·d + b·c = (a + b)·(c + d) = f(a + b·i)·f(c + d·i) (mod 2).

Its kernel is the ideal generated by 1 + i.

Remark 14.5.35. Theorem 14.5.29 is crucial in what follows. It will be used to describe the image ring Im(f) fully in terms of R.

We shall see later that every proper ideal of R can be seen as the kernel of some homomorphism.
For a positive integer n, the ring Z/nZ is a domain if and only if n is a prime. This notion of prime will be generalized to arbitrary ideals. Later, the notion of residue classes will be extended beyond Z/nZ and Q[X]/(d)Q[X] to residue class rings with respect to arbitrary ideals, and it will turn out that primality has the same role as for Z/nZ.
Let R be a commutative ring and let I be an ideal of R. We say that I is proper if it is not equal to R.

Definition 14.5.36.
• I is called a prime ideal if it is proper and, for all a, b ∈ R, the condition a·b ∈ I implies a ∈ I or b ∈ I.
• I is called maximal if it is proper and if there exists no proper ideal strictly containing I.

Example 14.5.37 (Usual arithmetic). A simple example of a prime ideal is the ideal (0)Z in the ring Z: if a·b = 0, then of course a = 0 or b = 0. In fact, the same argument shows that in any domain the zero ideal is prime. The ideal (6)Z of multiples of 6 in Z is not a prime ideal: 2·3 = 6 and neither 2 nor 3 is a multiple of 6. For every prime number p the ideal (p)Z of multiples of p in the ring Z is maximal: if an ideal J strictly contains (p)Z, then it contains an integer m which is not a multiple of p. But then p and m are relatively prime and, by the Extended Euclidean Algorithm (9.2.5), there is a relation a·m + b·p = 1. But this implies that 1 is contained in the ideal J and that J = Z. Hence each ideal that strictly contains (p)Z coincides with Z, so (p)Z is maximal. The ideal (0)Z of Z is prime but not maximal: for example, the ideal (2)Z is proper and strictly contains (0)Z.

Example 14.5.38 (Modular arithmetic). The ideal (m)Z/nZ in Z/nZ is prime if and only if gcd(m, n) is a prime number. If n is prime, then, as Z/nZ is a field, the only maximal ideal of Z/nZ is (0)Z/nZ. If p is a proper prime divisor of n, then (p)Z/nZ is a maximal ideal of Z/nZ.

Example 14.5.39 (Polynomial rings). In Z[X] the ideal (X)Z[X] is prime: if the product of two polynomials is divisible by X, then at least one of them is already divisible by X.
In the ring R[X], the ideal (X)R[X] is maximal: if the ideal J strictly contains (X)R[X], then it contains a polynomial f with a nonzero constant term a. But then it follows that the ideal J contains a itself (as f − a ∈ (X)R[X] ⊆ J) and so also the element 1. We conclude from the Characterization of the ring as an ideal (14.5.19) that J = R[X].

Example 14.5.40 (Residue class rings). This case is very similar to modular arithmetic. For example, the ideal generated by X^2 + 1 is prime in Q[X]/(X^4 − 1)Q[X], but not in C[X]/(X^4 − 1)C[X]. The same ideal is maximal in Q[X]/(X^4 − 1)Q[X], and not in C[X]/(X^4 − 1)C[X]. In the latter case, the ideals generated by X − i and X + i are two maximal ideals containing X^2 + 1.

Example 14.5.41 (The Gaussian integers). In the ring R = Z + Z·i, the ideal generated by i − 2 is prime and maximal. Of course this requires an argument. The ideal generated by 2 is not prime: (1 − i)·(1 + i) = 2, while neither 1 − i nor 1 + i is a multiple of 2.

Example 14.5.42. To show that an ideal M is maximal, one often reasons as follows: suppose that there is an ideal J that strictly contains M. Then try to show (using that there are elements in the ideal J that are not contained in M) that J contains the identity element and therefore equals the whole ring.

Although the definitions of prime and maximal ideals look very different, there are important connections between the two notions. For instance, one implies the other.

Theorem 14.5.43. A maximal ideal is prime.

Proof. Suppose that M is a maximal ideal of the commutative ring R. Let a and b be elements of R such that a·b ∈ M.
If neither a nor b belongs to M, then R = (a)R + M and R = (b)R + M, because of the maximality of M. This implies the existence of elements r, s ∈ R and m, n ∈ M such that 1 = a·r + m and 1 = b·s + n.
Multiplying left-hand sides and right-hand sides yields 1 = a·b·r·s + a·r·n + b·s·m + m·n.
As a·b, m, n ∈ M, we find 1 ∈ M, a contradiction.
Hence a or b belongs to M, proving that M is a prime ideal.

Example 14.5.44. If R is a field, then the only proper ideal of R is {0}. It is both maximal and prime.

Remark 14.5.45 (Converse). The converse does not hold. If R = Z[X], then the ideal of R generated by 2 and the ideal of R generated by X are prime ideals; but they are not maximal, the ideal of R generated by both of these being a bigger proper ideal.

14.6 Residue class rings

In this section, arithmetic modulo an integer n or modulo a polynomial d is generalized to arithmetic modulo an ideal.
Let I be an ideal in the commutative ring R. Two elements a, b ∈ R are called congruent modulo I if their difference a − b belongs to I. Notation, if I is clear from the context: a ≡ b.

Theorem 14.6.1. Congruence modulo I is an equivalence relation.

Proof. To show that the relation is indeed an equivalence relation we have to check that the relation is reflexive, symmetric, and transitive.

Assertion. Congruence is reflexive.
a ≡ a, since a − a = 0 and so belongs to I.

Assertion. Congruence is symmetric.
Suppose a ≡ b. Then a − b belongs to I and hence so does −(a − b) = b − a. But this means b ≡ a.

Assertion. Congruence is transitive.
Suppose a ≡ b and b ≡ c. Then a − b and b − c belong to I and then so does their sum a − b + b − c = a − c. But this means that a ≡ c.


Example 14.6.2. Take R = R[X,Y], the polynomial ring in two variables over the reals, and I = {X − x, Y − y}R for certain real numbers x, y. Then f and g are congruent modulo I in R if and only if f(x, y) = g(x, y).

Remark 14.6.3. Equivalence modulo I generalizes both

• Congruence mod n in Z. For a, b ∈ Z we have a ≡ b (mod n) if and only if a and b are congruent modulo (n)Z.
• Congruence mod d in Q[X]. For a, b ∈ Q[X] we have a ≡ b (mod d) if and only if a − b ∈ (d)Q[X].

An equivalence class is called a residue class. The set of all residue classes is denoted by R/I. An element of R/I is denoted by a + I when we are precise, and simply by a if there is no danger of confusion.

Theorem 14.6.4. The set R/I inherits from R the following ring structure:
• addition: (a + I) + (b + I) = (a + b) + I,
• multiplication: (a + I)·(b + I) = a·b + I,
• identity element: 1 + I,
• zero element: 0 + I.

Proof. The definitions involve implicitly the choices of representatives, so we need to check that they do not depend on these choices.
Suppose a′ + I = a + I and b′ + I = b + I. Then a′ = a + r and b′ = b + s for some r, s ∈ I. Now both a′ + b′ − (a + b) = r + s and a′·b′ − a·b = a·s + r·b + r·s clearly belong to I. We conclude that a′ + b′ + I = a + b + I and a′·b′ + I = a·b + I, so that addition and multiplication are well defined.
It remains to check the ring axioms. These are routine checks and are left to the reader.

Example 14.6.5. Let R = Z/4Z[X]/{2, X^2}Z/4Z[X]. Its elements are (represented by) 0, 1, X, X + 1. The product X·(X + 1) is (represented by) X, for X·(X + 1) − X is equal to X^2, which belongs to {2, X^2}Z/4Z[X]. We write down the multiplication table of this ring:

       ·  |   0     1     X    1+X
    ------+----------------------------
       0  |   0     0     0     0
       1  |   0     1     X    1+X
       X  |   0     X     0     X
     1+X  |   0    1+X    X     1

Instead of 0 + I, we also write just I. In particular, we might work with the identifications 0 = 0 + I = I, which exemplify computing modulo I: as if all elements of I are equal to zero.
The ring R/I is called the residue class ring or quotient ring of R modulo I.
Homomorphisms relate rings modulo an ideal. Let R and S be commutative rings. The image of a homomorphism R → S can be entirely described in terms of R.

Theorem 14.6.6 (First isomorphism theorem). If f : R → S is a homomorphism of rings, then R/Ker(f) is isomorphic to the image Im(f).

Proof. Put I = Ker(f). By The Kernel of a Ring Homomorphism is an Ideal (14.5.29), this is an ideal of R. We shall prove the following two assertions.

Assertion. There is a homomorphism f′ : R/I → S such that, for each x ∈ R, we have f′(x + I) = f(x).
The map f′ is determined by the requirement f′(x + I) = f(x). It needs to be verified that f′ is well defined. For, if x + I = y + I, then x − y ∈ I and, as I = Ker(f), we find f(x − y) = 0. As f is a homomorphism, it follows that f(x) = f(y). Thus, indeed, the definition of f′ does not depend on the choice of the representative x of the class x + I. It is easy to see that f′ is a homomorphism.

Assertion. The homomorphism f′ is injective.
By The Kernel of a Ring Homomorphism is an Ideal (14.5.29), it suffices to prove that Ker(f′) = {0}. Suppose, to this end, that x + I ∈ Ker(f′). Then f(x) = 0, and so x ∈ Ker(f), which is I. Consequently, x + I = I = 0 ∈ R/I. So indeed, Ker(f′) = {0}.
As the images of f and f′ coincide, the above two statements prove the theorem.

Example 14.6.7 (Usual arithmetic). The kernel of the natural homomorphism f : Z → Z/nZ is (n)Z. This homomorphism is surjective. Application of the theorem now gives the obvious fact that Z/nZ is isomorphic to Z/(n)Z.

Example 14.6.8 (Modular arithmetic). If n is a multiple of m, then there is a homomorphism Z/nZ → Z/mZ, x + (n)Z ↦ x + (m)Z. This homomorphism is surjective and its kernel is (m)Z/nZ, so the theorem implies that there is an isomorphism (Z/nZ)/((m)Z/nZ) → Z/mZ.

Example 14.6.9 (Polynomial rings). Let x ∈ C. Consider the homomorphism f : Q[X] → Q[x], g ↦ g(x). Clearly, f is surjective. Let us determine its kernel. Observe that g ∈ Q[X] lies in Ker(f) if and only if x is a zero of g. Thus, Ker(f) = 0 if x is not algebraic. Otherwise, there is a unique polynomial d ∈ Q[X] with leading coefficient 1 of minimal degree such that d(x) = 0. By the Extended Euclidean Algorithm for Polynomials (11.2.18) it readily follows that Ker(f) = (d)Q[X].

Example 14.6.10 (Residue class rings). Similarly to the modular arithmetic case, we find, for g a divisor of f, that (Q[X]/(f)Q[X])/(g) → Q[X]/(g)Q[X] is an isomorphism.

Example 14.6.11 (The Gaussian integers). Consider the homomorphism Z[X] → Z + Z·i, f(X) ↦ f(i). Clearly, X^2 + 1 is in the kernel of this homomorphism. On the other hand, Z[X]/(X^2 + 1)Z[X] is readily seen to be isomorphic to Z + Z·i. A close analysis of the proof of the theorem gives that the kernel of the homomorphism must coincide with (X^2 + 1)Z[X].

Let R be a commutative ring with ideal I. Here is what prime ideals and maximal ideals mean in the context of quotient rings:

Theorem 14.6.12. The quotient ring R/I is

• a domain if and only if the ideal I is prime;
• a field if and only if the ideal I is maximal.

Proof. Observe that for two elements a, b ∈ R the following holds: a·b ∈ I if and only if (a + I)·(b + I) = I. For, the left-hand side of the latter equation is equal to a·b + I, which is I exactly when a·b ∈ I.
There are four assertions to be verified.

Assertion. I prime implies R/I is a domain.
Suppose that I is a prime ideal. We need to show that the quotient ring has no zero divisors. Suppose that a + I and b + I are elements whose product is the zero element: (a + I)·(b + I) = I. This comes down to a·b belonging to I. As I is a prime ideal, a or b belongs to I. In other words: a + I = I or b + I = I. This shows that R/I is a domain.

Assertion. R/I is a domain implies I prime.
Suppose that R/I is a domain. If a·b ∈ I, then (a + I)·(b + I) = I, and it follows that a + I = I or b + I = I. But this means a ∈ I or b ∈ I.

Assertion. If I is maximal then R/I is a field.
Suppose that I is a maximal ideal. Let a + I be a nonzero element of R/I; that is, a does not belong to I. Then the ideal (a)R + I is strictly bigger than I. Maximality of I implies (a)R + I = R. In particular, there exist b ∈ R and c ∈ I with a·b + c = 1. Thus, a·b + I = 1 + I, from which we derive (a + I)·(b + I) = 1 + I. Hence a + I is invertible in R/I. This establishes that R/I is a field.

Assertion. R/I is a field implies that I is maximal.
Conversely, suppose that R/I is a field. Let J be an ideal of R strictly containing I. Then there is a ∈ J \ I, so a + I ≠ I. Thus, being nonzero, a + I has a multiplicative inverse: for some b ∈ R we have (a + I)·(b + I) = 1 + I. But then a·b − 1 ∈ I, that is, 1 ∈ (a)R + I, so 1 ∈ J, whence J = R. This establishes that I is a maximal ideal.

Example 14.6.13. Consider R = Z[X] and f = X^2 + 1 in R. Then (f)R is a prime ideal, since f is irreducible in Q[X], and so R/(f)R is a domain. Observe that R/(f)R is isomorphic to the Gaussian integers, which were shown on page 222 to be a domain. The ideal (f)R is not maximal, as R/(f)R, the Gaussian integers, do not form a field.
The quotient ring obtained from R/(f)R by modding out the ideal {X + 1}(R/(f)R) is the residue class ring (Z + Z·i)/(1 + i)(Z + Z·i), which is isomorphic to Z/2Z, a field. Therefore, {X + 1}(R/(f)R) is a maximal ideal of R/(f)R.

Remark 14.6.14. The theorem generalises two known cases:

• Ideals in Z. The ideal (n)Z of Z is prime if and only if n is prime; then Z/(n)Z is a field, so then (n)Z is even maximal.
• Ideals in polynomial rings. Similar to the previous case, each ideal of K[X], where K is a field, is of the form (f)K[X] for some polynomial f. The ideal is prime if and only if it is maximal, in which case f is irreducible.

In the next section, we shall take a closer look at finite fields.

14.7 Finite fields

For p a prime number and f an irreducible polynomial of degree n in Z/pZ[X], the quotient ring Z/pZ[X]/(f)Z/pZ[X] is a field with p^n elements. We will see that any finite field is essentially of this form.
Let F be a finite field of order q. By Order of a finite field (14.4.17), we know that q = p^a, the power of a prime number p. We start our investigation of F with yet another (but more general) version of Fermat's little theorem.

Theorem 14.7.1 (Fermat's little theorem). Each x ∈ F satisfies the equation

    x^q = x                                                          (14.3)

In particular, we have

    X^q − X = ∏_{x∈F} (X − x)                                        (14.4)

Proof. If x = 0, then clearly x^q = x. Suppose, therefore, x ≠ 0.
Since F \ {0} consists of invertible elements, the multiplicative group F^× of F has order q − 1. Now x belongs to this group. By Order of an element (13.6.11), we find that x^(q−1) = 1. The required equation follows when we multiply both sides by x.
The above implies that for each x in F the linear polynomial X − x is a factor of X^q − X. As gcd(X − x, X − y) = 1 for x, y ∈ F with x ≠ y, their product ∏_{x∈F} (X − x) divides X^q − X. But both polynomials are of degree q, and their leading coefficients are both 1, so they are equal.

Example 14.7.2 (Fields of order 9). Each element of a field of order 9 is a zero of the polynomial X^9 − X ∈ Z/3Z[X]. The elements 0, 1, and 2 of Z/3Z are zeros of this polynomial and correspond to the linear factors X, X − 1, X − 2. Dividing out these factors, we find a polynomial of degree 6 that factors into a product of three quadratic polynomials as follows:

    (X^2 + X + 2)·(X^2 + 2·X + 2)·(X^2 + 1)                          (14.5)

Each of these factors can be used to define a field of order 9.
In the Classification of finite fields (14.7.19) we shall see that they all lead to the same field up to isomorphism. That means that the fields Z/3Z[X]/(X^2 + X + 2)Z/3Z[X], Z/3Z[X]/(X^2 + 2·X + 2)Z/3Z[X], and Z/3Z[X]/(X^2 + 1)Z/3Z[X] are isomorphic to each other.
On the other hand, Fermat's little theorem says that if we pick one of these fields, say the first, F = Z/3Z[X]/(X^2 + X + 2)Z/3Z[X], then all three quadratic factors are reducible, considered as polynomials over F.
Let x denote the residue class in F of X. Then, by construction, x is a zero of X^2 + X + 2. Since, by Frobenius Automorphisms (14.4.31), taking third powers is an automorphism of F preserving this quadratic polynomial, x^3 = −x − 1 is the other zero. Computing remainders we find x^4 = 2. Consequently, x^2 is a zero of the third quadratic polynomial, and, by an argument as before, so is its third power x^6 = −x^2. We have accounted for all powers x^i that may occur except for i = 5, 7. It is readily checked that they are zeros of the second quadratic polynomial and that one is the third power of the other.

Example 14.7.3.
• In Frobenius Automorphisms (14.4.31), we saw that, for any power r = p^b of p, the subset {x ∈ F | x^r = x} is a subfield of F. Apparently,
  – for r = q, the subfield coincides with F;
  – the subfield only depends on the value of rem(b, a), where q = p^a.
• Note that x^(q−1) = 1 for nonzero x in F.
We derive some more properties of finite fields. But first a lemma.

Lemma 14.7.4. Suppose that m and n are positive integers. Then

    gcd(X^m − 1, X^n − 1) = X^(gcd(m,n)) − 1                         (14.6)

In particular, m divides n if and only if X^m − 1 divides X^n − 1.

Proof. We first prove the special case: if m divides n then X^m − 1 divides X^n − 1.
So suppose that m divides n. Then the following identity holds:

    X^n − 1 = (X^m − 1)·(X^(n−m) + X^(n−2m) + ... + X^m + 1)          (14.7)

In particular X^m − 1 divides X^n − 1.
Next we derive the general case:

    gcd(X^m − 1, X^n − 1) = X^(gcd(m,n)) − 1                         (14.8)

Suppose n = q·m + r with 0 ≤ r < m. Then, by the above,

    gcd(X^m − 1, X^n − 1) = gcd(X^m − 1, X^n − 1 − X^r·(X^(q·m) − 1)) = gcd(X^m − 1, X^r − 1)   (14.9)

Thus, n can be replaced by the remainder of division of n by m. But this is the first step of Euclid's algorithm, which can be repeated and repeated, until one of the arguments of the gcd is X^(gcd(m,n)) − 1, and the other 0.
This proves the lemma.

We use Fermat's little theorem (14.7.1) to prove the following result, announced before.

Theorem 14.7.5 (Multiplicative group of a field). The multiplicative group of a finite field of order q is cyclic of order q − 1.
In particular, every finite field contains a primitive element.

Proof. Let F be a finite field of order q. By Order of a finite field (14.4.17) there is a prime number p and a positive integer a such that q = p^a.
Suppose m is a natural number dividing q − 1. We show that the number of elements x ∈ F^× with x^m = 1 equals m. It is precisely the number of zeros of X^m − 1 in F. As m | q − 1, the polynomial X^m − 1 divides X^(q−1) − 1, whence also X^q − X, see Lemma 14.7.4. By Fermat's little theorem (14.7.1), the latter polynomial decomposes into a product of distinct linear factors in F. But then its divisor X^m − 1 is also a product of m distinct linear factors. Hence, there are m zeros of X^m − 1 in F. In other words, the number of elements x ∈ F^× with x^m = 1 equals m.
Finally, we apply the Characterisation of cyclic groups (13.5.10) to conclude that F^× is cyclic. Any generator of this cyclic group is then a primitive element for F.

Example 14.7.6. Suppose that K is a field of order 32. Then K^× is a group of order 31. Each
element distinct from 1 in K^× has order 31, as its order is a divisor of 31 and distinct from 1.
Consider the polynomial f = X^31 − 1. In Z/2Z[X], the polynomial f factors into

f = (1 + X)·(1 + X^2 + X^5)·(1 + X^3 + X^5)·(1 + X + X^2 + X^3 + X^5)·
    (1 + X + X^2 + X^4 + X^5)·(1 + X + X^3 + X^4 + X^5)·(1 + X^2 + X^3 + X^4 + X^5).

Let a be an element of K which is a zero of 1 + X + X^2 + X^3 + X^5. Then an elementary
calculation shows that a^2 is also a zero of this polynomial. Indeed, this follows from
1 + X^2 + X^4 + X^6 + X^8 + X^10 = (1 + X + X^2 + X^3 + X^4 + X^5)^2. The five zeros of the polynomial
are therefore a, a^2, a^4, a^8, a^16. This result could also have been derived by applying Frobenius
Automorphisms (14.4.31) with the Frobenius map x ↦ x^2.

By the theorem, there are always primitive elements in finite fields. If g is a primitive element
of the finite field F, then the elements can be easily enumerated by their exponents with
respect to g: F = {0} ∪ {g^i | i ∈ {0, ..., q − 2}}. When written in this form, multiplication on
the nonzero elements of F is given by modular arithmetic, with modulus q − 1. This is very
efficient, but addition is less convenient. Thus, we have the opposite of the usual form, where
addition is a minor effort, but multiplication is harder.
The following algorithm checks whether an element is primitive; it is used in the second
algorithm, which provides us with a primitive element.
Algorithm 14.7.7 (Is Primitive?). • Input: an element a in a field F of order q for which the
prime divisors p_1, ..., p_k of q − 1 are known.
• Output: true if a is primitive, false otherwise.

IsPrimitive := procedure(a)
  local variables
    t := 1
  while (t ≤ k) ∧ a^{(q−1)/p_t} ≠ 1 do
    t := t + 1
  if t > k
  then return true
  else return false

Algorithm 14.7.8 (Primitive element). • Input: field F of order q for which the prime divi-
sors p_1, ..., p_k of q − 1 are known.
• Output: primitive element a of F.

PrimitiveElement := procedure(F)
  local variables
    a := RandomElement(F)
  while ¬(IsPrimitive(a)) do
    a := RandomElement(F)
  return a

Theorem 14.7.9 (Characterization of subfields of finite fields). Let F be a field of
order q = p^n, where p is a prime. Suppose K is a subfield of F. Then

K = {x ∈ F | x^r = x} (14.10)

for some r = p^m, where m divides n.
The subfield K is thus the unique subfield of order r.

Proof. Suppose K is a subfield of F. Then the order of K equals r = p^m for some m. By
Fermat's little theorem (14.7.1) every element x of K is a root of X^r − X. As this polynomial
has at most r roots, we can write K as the set {x ∈ F | x^r = x}.
Moreover, we also see that X^r − X divides X^q − X and hence X^{r−1} − 1 divides X^{q−1} − 1. Now
Lemma on polynomials (14.7.4) implies that r − 1 = p^m − 1 divides q − 1 = p^n − 1. Applying
Lemma on polynomials (14.7.4) once more, we find that m divides n.
The uniqueness of K follows immediately.

Suppose K is a subfield of the field F and a is an element of F. Then K (a) denotes the
smallest subfield of F containing K and a.
We will give a description of K(a) as a quotient of a polynomial ring over K. To this end we
introduce the concept of a minimal polynomial:
Definition 14.7.10. Suppose K is a subfield of the field F and a is an element of F. Then
a polynomial f in K [X] is called a minimal polynomial for a if f is a monic polynomial of
minimal degree having a as root.

Example 14.7.11. In some cases a minimal polynomial does exist, in other cases not.
For example, X^2 + 1 is a minimal polynomial over R for i ∈ C. The minimal polynomial for
$\sqrt[3]{2}$ over Q is X^3 − 2.
The elements in C that do have a minimal polynomial over Q are precisely the algebraic
elements in C. So, the elements π and e do not have a minimal polynomial over Q. Indeed,
these elements are not algebraic.

Theorem 14.7.12 (Uniqueness and irreducibility of the minimal polynomial). If an
element a has a minimal polynomial over the field K then this polynomial is the unique
minimal polynomial for a, it is irreducible, and divides every other polynomial that
has a as a root.

Proof. Let f be a minimal polynomial for a. If g is another minimal polynomial for a,
then both polynomials are of the same degree. Moreover a is also a root of f − g. As this
polynomial is of lower degree than f, it has to be 0. So f = g, proving uniqueness of the
minimal polynomial.
If the polynomial f can be written as a product g·h with g and h both monic and of positive
degree, then a is a root of g or h, both contradicting that f is a minimal polynomial of a. This
proves f to be irreducible.
If g is a polynomial with a as a root, then the remainder of g divided by f has also root a. As
the degree of this remainder is smaller than the degree of f, we find a contradiction, unless
the remainder is 0. This proves that f divides g.

If K is a subfield of the finite field F, then, by Characterization of subfields of finite fields
(14.7.9), there is a prime power q such that the order of K equals q and the order of F is q^n
for some n.
The Frobenius map

φ : F → F, x ↦ x^q (14.11)

fixes precisely those elements that are in K.
Now let a be an element in F with minimal polynomial f. Then we find that the elements a,
φ(a), φ^2(a), ... are all roots of f.
Denote by t the smallest positive integer with φ^t(a) equal to a. Such t exists, as φ^n(a) = a,
as follows from Fermat's little theorem (14.7.1).
The elements φ(a), φ^2(a), ..., φ^t(a) are all distinct roots of f. So f has degree at least t. On
the other hand, $\prod_{i=1}^{t} (X - a^{q^i})$ is a polynomial invariant under the Frobenius automorphism
φ. This implies the following result:

Proposition 14.7.13. Let a be an element from the finite field F.
The minimal polynomial of a equals

$\prod_{i=1}^{t} (X - a^{q^i})$ (14.12)

where t is the smallest positive integer with a^{q^t} equal to a.

The above result also provides an algorithm to find the minimal polynomial.
Algorithm 14.7.14 (Minimal polynomial). • Input: element a in a finite field F.
• Output: minimal polynomial of a over the subfield of order q of F.

MinimalPolynomial := procedure(a, q)
  local variables
    t := 1
    f := X − a
  while ¬(a^{q^t} = a) do
    f := f·(X − a^{q^t}), t := t + 1
  return f

We are now in a position to give the following description of the field K(a) in terms of the
minimal polynomial of a.

Theorem 14.7.15 (Subfields and minimal polynomials). Let K be a subfield of F.
Suppose a is an element of F with minimal polynomial m over K.
Then K(a) is isomorphic to K[X]/(m)K[X].

Proof. Consider the map

ρ : K[X]/(m)K[X] → K(a), f + (m)K[X] ↦ f(a) (14.13)

Notice that this map is well defined.
The map ρ is a homomorphism of fields. The image of ρ contains a and is contained in
K(a). Hence K[X]/(m)K[X] is isomorphic to its image K(a) under the map ρ.

Whether an element lies in a subfield can be tested using the following algorithm.
Algorithm 14.7.16 (Subfield membership test). • Input: elements a and b in a finite field F
and a subfield K of order q.
• Output: true if b is an element of the subfield K(a) of F, false otherwise.

Membership := procedure(a, b)
  local variables
    m := MinimalPolynomial(a, |K|)
    d := degree(m)
  if b^{q^d} = b
  then return true
  else return false
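As an added example (not code from the book), the following Python carries out Algorithms 14.7.7, 14.7.14 and 14.7.16 in fields of order 16 and 32, represented as Z/2Z[X] modulo the constructed moduli X^4 + X + 1 and X^5 + X^2 + 1, and reproduces the Frobenius orbit of Example 14.7.6. The names GF2n, is_primitive, minimal_polynomial, membership, evaluate and find_zero are the example's own.

```python
# Added example (not from the book): GF(2^n) as bit-packed polynomials over
# Z/2Z, with Algorithms 14.7.7 (IsPrimitive), 14.7.14 (MinimalPolynomial)
# and 14.7.16 (Membership) written out over it.  The moduli X^4 + X + 1 and
# X^5 + X^2 + 1 and the sample elements below are constructed for illustration.


class GF2n:
    """The field GF(2)[X]/(modulus); an element is an int whose bits are coefficients."""

    def __init__(self, n, modulus):
        self.n, self.modulus, self.q = n, modulus, 1 << n   # modulus has bit n set

    def mul(self, a, b):
        """Shift-and-add multiplication, reducing modulo the defining polynomial."""
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a & self.q:          # degree reached n: subtract (xor) the modulus
                a ^= self.modulus
        return r

    def power(self, a, e):
        """Square-and-multiply: a^e for a nonnegative integer e."""
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r


def is_primitive(F, a, primes):
    """Algorithm 14.7.7: a generates F^x iff a^((q-1)/p) != 1 for every prime p | q-1."""
    return all(F.power(a, (F.q - 1) // p) != 1 for p in primes)


def minimal_polynomial(F, a, q):
    """Algorithm 14.7.14: the product of (X - a^(q^i)) over the Frobenius orbit of a.

    Coefficients are returned lowest degree first as elements of F; they all
    lie in the subfield of order q (with q = 2 here: each is 0 or 1)."""
    f = [a, 1]                       # X - a; minus equals plus in characteristic 2
    conj = F.power(a, q)
    while conj != a:
        g = [0] * (len(f) + 1)       # g = f * (X - conj); addition in F is xor
        for i, c in enumerate(f):
            g[i] ^= F.mul(c, conj)
            g[i + 1] ^= c
        f, conj = g, F.power(conj, q)
    return f


def membership(F, a, b, q):
    """Algorithm 14.7.16: b lies in K(a), K the subfield of order q, iff b^(q^d) = b,
    where d = deg(minimal polynomial of a over K), since |K(a)| = q^d."""
    d = len(minimal_polynomial(F, a, q)) - 1
    return F.power(b, q ** d) == b


def evaluate(F, h, x):
    """Horner evaluation at x in F of a polynomial h with coefficients in F."""
    acc = 0
    for c in reversed(h):
        acc = F.mul(acc, x) ^ c
    return acc


def find_zero(F, h):
    """Brute-force search for a zero of h in F (None if h has none)."""
    return next((x for x in range(F.q) if evaluate(F, h, x) == 0), None)


if __name__ == "__main__":
    # Field of order 16: the class of X (= 0b10) has order 15 and is primitive,
    # while omega = X^5 has order 3 and generates the subfield of order 4.
    F16 = GF2n(4, 0b10011)                      # X^4 + X + 1
    omega = F16.power(0b10, 5)
    print(is_primitive(F16, 0b10, [3, 5]), is_primitive(F16, omega, [3, 5]))
    print(minimal_polynomial(F16, omega, 2))    # [1, 1, 1] = 1 + X + X^2
    print(membership(F16, omega, F16.mul(omega, omega), 2), membership(F16, omega, 0b10, 2))
    # Example 14.7.6: a zero a of 1 + X + X^2 + X^3 + X^5 in a field of order 32
    # has conjugates a, a^2, a^4, a^8, a^16, and these five are all its zeros.
    F32 = GF2n(5, 0b100101)                     # X^5 + X^2 + 1
    h = [1, 1, 1, 1, 0, 1]
    a = find_zero(F32, h)
    print([evaluate(F32, h, F32.power(a, 2 ** i)) for i in range(5)])   # all zero
    print(minimal_polynomial(F32, a, 2) == h)   # True
```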

By Irr(d, p) we denote the set of all monic and irreducible polynomials f ∈ Z/pZ[X] of
degree d.

Theorem 14.7.17 (Product of irreducible polynomials). If f ∈ Z/pZ[X] is an irre-
ducible polynomial of degree n, then f divides X^{p^n} − X.
More precisely,

$X^{p^n} - X = \prod_{f \in \{g \in \mathrm{Irr}(d,p) \mid d \mid n\}} f$ (14.14)

Proof. Let f be an irreducible polynomial in Z/pZ[X] of degree d. Then consider the field
Z/pZ[X]/(f)Z/pZ[X]. Inside this field we find that the element X + (f)Z/pZ[X] is a zero
of f. This implies that over Z/pZ(X) the gcd of f and X^{p^d} − X is not 1. As f is irre-
ducible, this gcd equals f, from which we deduce that f is a divisor of X^{p^d} − X.
Now Lemma on polynomials (14.7.4) implies that f divides X^{p^n} − X if and only if d divides
n.
On the other hand, if d divides n then any irreducible polynomial f of degree d divides
X^{p^n} − X and hence has a root r in Z/pZ[X]/(f)Z/pZ[X]. As the multiplicity of this root r
as zero of X^{p^n} − X is one, we find that f^2 does not divide X^{p^n} − X. So indeed, as the leading
coefficient of X^{p^n} − X is 1, we find that X^{p^n} − X is equal to the product of all irreducibles in
Irr(d, p) with d dividing n.

Example 14.7.18. In Z/2Z[X], the polynomial X^4 − X factors as the following product of
irreducibles:

X^4 − X = X·(X − 1)·(X^2 + X + 1) (14.15)

proving that X^2 + X + 1 is the unique irreducible polynomial of degree 2 in Z/2Z[X].
In Z/3Z[X] we find

X^9 − X = X·(X − 1)·(X + 1)·(X^2 + 1)·(X^2 − X − 1)·(X^2 + X − 1) (14.16)

We deduce that there are exactly three monic irreducible polynomials of degree 2 in Z/3Z[X],
namely, X^2 + 1, X^2 − X − 1 and X^2 + X − 1.
In general, since X^{p^2} − X is the product of all monic irreducible polynomials of degree 1
and 2 from Z/pZ[X], and there are p monic polynomials of degree 1, there are
exactly (p^2 − p)/2 monic irreducible polynomials of degree 2 in Z/pZ[X].

The results obtained so far lead to the following theorem, which is the main result of this
section.

Theorem 14.7.19 (Classification of finite fields). For every prime p and positive in-
teger n there exists a field F of order pn . This field is unique up to isomorphism.
In particular, there exists an irreducible polynomial f in Z/pZ [X] of degree n, and,
for any such polynomial f , the field F is isomorphic with Z/pZ [X] /( f )Z/pZ [X].

Proof. We prove existence and uniqueness.
Assertion. Existence of F.
To show that for every prime power p^n there exists a field with exactly p^n elements, it suffices
to construct a finite field F in which X^{p^n} − X factors into linear factors: for then the subfield
of F of elements x satisfying x^{p^n} = x has p^n elements.
So we start with h = X^q − X in Z/pZ[X]. (Here q = p^n.) If h factors into linear factors,
we are done. If not, then choose an irreducible factor h_1 of h and consider the field K_1 =
Z/pZ[X]/(h_1)Z/pZ[X]. In this field, X + (h_1)Z/pZ[X] is a zero of h_1, so h_1, whence also
h, has a linear factor in K_1[X]. (Notice the new role of the indeterminate X; we index it
by 1 in order to distinguish it from the previous X.) If h does not completely factor into
linear factors in K_1[X], then choose an irreducible factor h_2 of h (irreducible in K_1[X]), and
construct K_2 = K_1[X]/(h_2)K_1[X], etc. Since the number of linear factors increases in every
step, this process must terminate and produces a field containing Z/pZ in which h factors
into linear factors, proving the existence of a field of order q.
Assertion. Existence of f.
Let a be a primitive element of F and f its minimal polynomial over the prime field Z/pZ.
This polynomial is irreducible. Moreover, by Subfields and minimal polynomials (14.7.15)
we find that Z/pZ(a), which clearly equals F, is isomorphic to Z/pZ[X]/(f)Z/pZ[X].
This implies that, indeed, there exists an irreducible polynomial f of degree n such that F is
isomorphic to Z/pZ[X]/(f)Z/pZ[X].
Assertion. Uniqueness.
Let g be any other irreducible polynomial of degree n in Z/pZ[X]. Then, by Product of
irreducible polynomials (14.7.17), g divides X^q − X. In particular, as the latter polynomial
factors into linear terms over F, we can find a root x in F of g. This implies that the map

ρ : Z/pZ[X]/(g)Z/pZ[X] → F, k + (g)Z/pZ[X] ↦ k(x) (14.17)

is well defined. This map is an injective homomorphism of the field into F. As both fields
have the same order, it is an isomorphism.

Example 14.7.20. To construct a field of order 81 = 3^4, we look for an irreducible polynomial
f of degree 4 in Z/3Z[X]. According to the theory, f is a divisor of the polynomial X^81 − X.
We first divide out the roots belonging to the subfield of order 9: (X^81 − X)/(X^9 − X) = X^72 + X^64 +
X^56 + X^48 + X^40 + X^32 + X^24 + X^16 + X^8 + 1. This polynomial will factor into 18 irreducible
polynomials of degree 4. We find one by trial and error: creating a degree 4 polynomial and
checking that it is relatively prime with X^9 − X. The 18 choices for f that may arise are:
X^4 − X^2 − 1, X^4 − X^2 − X + 1, X^4 − X^3 + X^2 + 1, X^4 + X^3 − X + 1, X^4 + X^3 + X^2 − X − 1,
X^4 + X^2 − 1, X^4 − X^3 − 1, X^4 + X − 1, X^4 + X^3 − 1, X^4 − X^3 + X + 1, X^4 − X^3 + X^2 + X − 1,
X^4 + X^2 + X + 1, X^4 − X^3 − X^2 + X − 1, X^4 − X^3 + X^2 − X + 1, X^4 + X^3 − X^2 − X − 1,
X^4 + X^3 + X^2 + X + 1, X^4 − X − 1, and X^4 + X^3 + X^2 + 1.

We end this section with an algorithm testing irreducibility of a polynomial.

Algorithm 14.7.21 (Testing irreducibility). • Input: polynomial f of degree n in the polyno-
mial ring Z/pZ[X].
• Output: true if f is irreducible and false otherwise.

Irreducible := procedure(f)
  local variables
    t := 1
  while gcd(f, X^{p^t} − X) = 1 do
    t := t + 1
  if t = n
  then return true
  else return false

Proof.
Assertion. Termination.
The while-loop will certainly stop when t reaches the value n; see Product of irreducible
polynomials (14.7.17).
Assertion. Correctness.
If f is reducible, then it is divisible by some irreducible polynomial of degree t less than
n. This implies, by Product of irreducible polynomials (14.7.17), that the gcd of f and X^{p^t} − X
is not 1. In this case the algorithm will return false.
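As an added example (not code from the book), the following Python implements Algorithm 14.7.21 over Z/pZ[X] with Euclid's algorithm for the gcd, and uses it to count Irr(d, p) by exhaustive testing and to rebuild the product (14.14), reproducing the counts 1, 3 and 18 of Examples 14.7.18 and 14.7.20. Polynomials are coefficient lists (lowest degree first) and all function names are the example's own.

```python
# Added example (not from the book): polynomials over Z/pZ as coefficient lists
# (lowest degree first), Euclid's gcd, and Algorithm 14.7.21 run over every
# monic polynomial of a given degree to count Irr(d, p) and rebuild (14.14).
from itertools import product

def trim(f):
    """Drop leading zero coefficients in place; the zero polynomial is []."""
    while f and f[-1] == 0:
        f.pop()
    return f

def poly_rem(f, g, p):
    """Remainder of f on division by the nonzero polynomial g in (Z/pZ)[X]."""
    f = trim([c % p for c in f])
    g = trim([c % p for c in g])
    inv_lead = pow(g[-1], p - 2, p)     # inverse of the leading coefficient (p prime)
    while len(f) >= len(g):
        coef = (f[-1] * inv_lead) % p
        shift = len(f) - len(g)
        for i, c in enumerate(g):       # cancel the leading term of f
            f[i + shift] = (f[i + shift] - coef * c) % p
        trim(f)
    return f

def poly_mul(a, b, p):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)

def poly_sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % p for x, y in zip(a, b)])

def poly_powmod(base, e, f, p):
    """base^e modulo f by square-and-multiply."""
    result, base = [1], poly_rem(base, f, p)
    while e:
        if e & 1:
            result = poly_rem(poly_mul(result, base, p), f, p)
        base = poly_rem(poly_mul(base, base, p), f, p)
        e >>= 1
    return result

def poly_gcd(a, b, p):
    """Euclid's algorithm in (Z/pZ)[X]; the result is made monic."""
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    while b:
        a, b = b, poly_rem(a, b, p)
    if a:
        inv = pow(a[-1], p - 2, p)
        a = [(c * inv) % p for c in a]
    return a

def is_irreducible(f, p):
    """Algorithm 14.7.21: find the least t with gcd(f, X^(p^t) - X) != 1; by
    Theorem 14.7.17, f is irreducible exactly when that t equals deg f."""
    f = trim([c % p for c in f])
    n = len(f) - 1
    if n < 1:                        # constants are not irreducible
        return False
    x = [0, 1]
    h, t = x, 0                      # invariant: h = X^(p^t) mod f
    while True:
        h, t = poly_powmod(h, p, f, p), t + 1
        if poly_gcd(f, poly_sub(h, x, p), p) != [1]:
            return t == n

def count_irreducible(d, p):
    """|Irr(d, p)|: monic irreducible polynomials of degree d, by exhaustive testing."""
    return sum(is_irreducible(list(c) + [1], p) for c in product(range(p), repeat=d))

def product_of_irreducibles(n, p):
    """Right-hand side of (14.14): the product of all f in Irr(d, p) with d | n."""
    result = [1]
    for d in (d for d in range(1, n + 1) if n % d == 0):
        for c in product(range(p), repeat=d):
            f = list(c) + [1]
            if is_irreducible(f, p):
                result = poly_mul(result, f, p)
    return result

if __name__ == "__main__":
    print(count_irreducible(2, 2), count_irreducible(2, 3), count_irreducible(4, 3))  # 1 3 18
    print(is_irreducible([2, 0, 2, 0, 1], 3))      # X^4 - X^2 - 1 of Example 14.7.20: True
    print(product_of_irreducibles(2, 3) == [0, 2] + [0] * 7 + [1])   # equals X^9 - X: True
```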

14.8 Exercises

Exercise 14.8.1. Determine in each of the following cases whether the indicated set is a sub-
ring of C.
(a) {x + y·i·√2 | x, y ∈ Z}
(b) {x + y·$\sqrt[3]{2}$ | x, y ∈ Z}.

Exercise 14.8.2. Let R be a ring and let f : R → R be a ring homomorphism. Prove that the
subset S of R consisting of the elements r with f(r) = r forms a subring of R.

Exercise 14.8.3. Let a be an invertible element in the ring R and let f : R → R be defined by
f(r) = a·r·a^{−1} for all r in R. Prove that f is an isomorphism and determine its inverse.

Exercise 14.8.4. For which elements a in the ring R is the map f : R → R given by f(r) =
a·r·a for all r in R a ring homomorphism?

Exercise 14.8.5. Let S be a nonempty set and R a ring. Show that the set of all maps from S
to R is a ring, where the sum and product of two elements f and g are defined as follows:

(f + g)(r) = f(r) + g(r) (14.18)

(f·g)(r) = f(r)·g(r) (14.19)

for all r in R.

Exercise 14.8.6. Prove that the following maps are ring homomorphisms.

(a) f : Q[X] → Q, f ↦ f(2), evaluation in 2.
(b) g : Z[X] → Z/pZ[X], given by reduction of the coefficients of the polynomial modulo
p.

Exercise 14.8.7. Let R, S and T be rings and let f : R → S and g : S → T be ring homomor-
phisms.

(a) Show that the composition g ∘ f : R → T of f and g is a ring homomorphism.
(b) Show that Ker(g ∘ f) equals Ker(f) if g is a ring isomorphism.
(c) Show that Ker(g) equals f(Ker(g ∘ f)) if f is a ring isomorphism.

Exercise 14.8.8. Show that the map F : Z[X] → Q, f ↦ f(1/2) is a homomorphism of rings.
What is its image and what is its kernel?

Exercise 14.8.9. If one replaces every X in a polynomial f in Q [X] by a· X + b, then the new
polynomial can be written as f (a· X + b) and is again an element from Q [X].
Let F : Q [X] → Q [X] , f 7→ f (2· X + 3).
Show that F is an isomorphism of rings and determine its inverse.

Exercise 14.8.10. Prove that Q is not finitely generated.

Exercise 14.8.11. Provide two nonisomorphic rings with 4 elements.
Give a proof that they are nonisomorphic!

Exercise 14.8.12. Prove the converse of the Cancellation law for domains (14.3.17): if for
all nonzero a the implication holds that for all elements r and s in R we have that a· r = a· s
implies that r = s, then R is a domain.

Exercise 14.8.13. Let F be a field and φ : F → F an isomorphism. Then the subset of F
consisting of all elements x with φ(x) = x is a subfield of F. Prove this.

Exercise 14.8.14. What is the set of zero divisors in the cartesian product of two rings R and
S?

Exercise 14.8.15. Prove or disprove:

(a) A subring of a domain is a domain.
(b) A subring of a field is a field.

Exercise 14.8.16. What is the dimension of Q($\sqrt[3]{2}$) as a vector space over Q? Give a basis
for this vector space.

Exercise 14.8.17. Prove that $\frac{1}{\sqrt{2}} + \sqrt{3}$ and $\sqrt[3]{3} - \sqrt{3}$ are algebraic numbers.

Exercise 14.8.18. Determine all isomorphisms from the field Q(i·$\sqrt[4]{2}$) to itself.
Find for each such isomorphism the field of fixed points.

Exercise 14.8.19. Let K be a field and R a subring of K. Then R is a domain.
Let Q be the field of fractions of R.
Prove that Q is isomorphic with a subfield of K.

Exercise 14.8.20. In each of the following cases determine the ideal generated by V in the
ring R.

(a) V = {2} in R = Z/6Z;
(b) V = {2, 3} in R = Z/6Z;
(c) V = {2} in R = Z/8Z;
(d) V = {2, X} in R = Z[X].

Exercise 14.8.21. Let I be the subset of Z [X] consisting of all polynomials f with f (0)
divisible by n for some fixed integer n.
Prove that I is an ideal of Z [X].

Exercise 14.8.22. Let f : R → S be a homomorphism between rings and suppose J is an ideal
of S.
Prove that the set f^{−1}(J) is an ideal of R.

Exercise 14.8.23. In the ring R = Z + Z· i, the ideal generated by i − 2 is prime and maximal.
Prove this.

Exercise 14.8.24. Let I be the subset of Z[X] consisting of all polynomials f with f(0)
divisible by 5.
Prove that I is a maximal ideal of Z[X].

Exercise 14.8.25. Which of the following ideals is maximal or prime?

(a) The ideal generated by 3 and X^2 in Z[X].
(b) The ideal generated by 3 and X in Z[X].
(c) The ideal generated by X^2 + 1 in Q[X].

Exercise 14.8.26. Let I be the subset of Z[X] consisting of all polynomials f with f(0)
divisible by 3.
Prove that Z[X]/I is a field.

Exercise 14.8.27. Consider the residue class ring R = Z/4Z[X]/{2, X^2}Z/4Z[X].
How many elements does this quotient ring have?
Is this ring isomorphic with Z/2Z × Z/2Z or Z/4Z? Or to none of these? Give a proof for
your answer.

Exercise 14.8.28. Show that the quotient ring Q[X]/(X^2 + X + 2)Q[X] is isomorphic to
Q(√−7).

Exercise 14.8.29. Consider the homomorphism Q[X] → Q(√2), f(X) ↦ f(√2). Prove
that the kernel of this homomorphism is a maximal ideal.

Exercise 14.8.30. Determine all the primitive elements in the fields Z/5Z, Z/7Z and Z/11Z.

Exercise 14.8.31. What is the minimal polynomial over Q of the following complex numbers:
1 + i, 2 + $\sqrt[3]{2}$ and 2 − i·√3.

Exercise 14.8.32. Construct fields of order 27, 32 and 125.

Exercise 14.8.33. How many subfields does a field of order 64 have?

Chapter 15

Groups

Groups have been introduced in Definition of a group (13.4.1) as abstract sets with some
operations. However, groups often appear as transformations mapping a set to itself. For
example, in the group of real invertible n × n-matrices, each element determines a bijective
linear map R^n → R^n. Such group actions on a set enable us to analyze the group in a concrete
setting. But they are also a means of unveiling the symmetries of the structures on that set. In
this chapter, we look into the way a group can be represented by letting it act on a set or a
structure.

15.1 Permutation groups

Let X be a set. Recall that Sym(X) denotes the group of all bijections from X to X itself,
multiplication being composition.
Definition 15.1.1 (Definition of a permutation group). A permutation group on X is a sub-
group of Sym(X).

• The elements of the set X are called points.
• The size of X, denoted by |X|, is called the degree of the permutation group.

Example 15.1.2. Let X be the set {1, ..., n}. Then of course the symmetric and alternating
group on X act as permutation groups on X. But there are many more permutation groups on
X.
For example, the cyclic group of order m, where m is at most n, can be seen as a permutation
group: it is generated by (1, ..., m).

The following definition expresses what it means to view an arbitrary group as a group of
permutations.

Definition 15.1.3 (Permutation representation). A permutation representation of a group G
on a set X is a homomorphism of groups G → Sym(X).
The size of X, denoted by |X|, is called the degree of the permutation representation.

Given a permutation representation of a group G on a set X, the group G is said to act on X.
We also speak of the action of G on X.

• If f is a permutation representation of the group G on X, and g ∈ G, then we often write
g(x) for the image of x under g, instead of the more complete expression f(g)(x).

• If f : H → Sym(X) is injective, then f determines an isomorphism H → Im(f). In this
case, identifying H with its image Im(f) under f, we sometimes call the group H itself a
permutation group on X.

Example 15.1.4 (Sym_3 acting by conjugation). Consider the group Sym_3 acting on its el-
ements by conjugation. If the numbers 1, 2, 3, 4, 5, 6 correspond to the following elements
(), (1, 2), (2, 3), (1, 3), (1, 2, 3), (1, 3, 2) of Sym_3, then the image of this group in Sym_6 con-
sists of the following permutations {(), (2, 3)(5, 6), (1, 2)(5, 6), (1, 3)(5, 6), (1, 2, 3), (1, 3, 2)}.

Example 15.1.5 (The action of Sym_5 on pairs). The group Sym_5 is a permutation group on the
set {1, 2, 3, 4, 5}. But Sym_5 also permutes pairs from this set. For instance, the permutation
(1, 2, 3) transforms the pair {2, 4} into the pair {3, 4}. Let X be the set consisting of all
subsets of {1, 2, 3, 4, 5} of size 2 (there are 10 such pairs). Because each element g of Sym_5
is injective, {g(a), g(b)} has size 2 whenever {a, b} is a subset of {1, 2, 3, 4, 5} of size 2.
Hence we can define, for each g ∈ Sym_5, the following map:

OnPairs(g) : X → X, {a, b} ↦ {g(a), g(b)} (15.1)

The map OnPairs(g) is bijective, the inverse of OnPairs(g) being OnPairs(g^{−1}). Indeed, for
an arbitrary element {a, b} of X we have

OnPairs(g)·OnPairs(g^{−1})({a, b}) = OnPairs(g)(OnPairs(g^{−1})({a, b}))
                                  = OnPairs(g)({g^{−1}(a), g^{−1}(b)})
                                  = {g(g^{−1}(a)), g(g^{−1}(b))}
                                  = {a, b} (15.2)

and similarly

OnPairs(g^{−1})·OnPairs(g)({a, b}) = {a, b} (15.3)

Finally, we check that the map g ↦ OnPairs(g) is a homomorphism Sym_5 → Sym(X), so that
we indeed have a permutation representation. Let g, h be arbitrary elements of Sym_5. We
need to verify that OnPairs(g·h) = OnPairs(g)·OnPairs(h), that is, that left and right hand
side represent the same bijection. This is straightforward: for each unordered pair {a, b} in
X we have

OnPairs(g)·OnPairs(h)({a, b}) = OnPairs(g)(OnPairs(h)({a, b}))
                              = OnPairs(g)({h(a), h(b)})
                              = {g(h(a)), g(h(b))}
                              = {g·h(a), g·h(b)}
                              = OnPairs(g·h)({a, b}) (15.4)

If we name the subsets of {1, 2, 3, 4, 5} of size 2 by letters as follows: a = {1, 2}, b = {1, 3},
c = {1, 4}, d = {1, 5}, e = {2, 3}, f = {2, 4}, g = {2, 5}, h = {3, 4}, i = {3, 5}, j = {4, 5},
then we can represent the elements from Sym_5 as permutations of these letters. For example:

(1, 2) ↦ (b, e)(c, f)(d, g) (15.5)

(1, 2, 3) ↦ (a, e, b)(c, f, h)(d, g, i) (15.6)

and

(1, 2, 3, 4, 5) ↦ (a, e, h, j, d)(b, f, i, c, g) (15.7)

Of course we can restrict the action on the pairs of {1, 2, 3, 4, 5} to any subgroup of Sym_5. In
particular to Alt_5.

Example 15.1.6 (The action of Sym_n on subsets). We generalise the above example as fol-
lows. Let K be the set of all subsets of {1, ..., n} of size k. Thus, |K| = $\binom{n}{k}$. Each
permutation g in Sym_n acts on K as follows. The set X in K is mapped to the set

{g(x) | x ∈ X} (15.8)

This defines a bijection g_K : K → K, and so g_K is an element of Sym(K). The map that assigns
to g in Sym_n the element g_K of Sym(K), is a homomorphism Sym_n → Sym(K) and hence a
permutation representation of Sym_n.
Of course we can restrict the action on K to any subgroup of Sym_n. This way, for instance,
we obtain also permutation representations of Alt_n.

Example 15.1.7. The general linear group GL(n, R) acts on the set of vectors in R^n. Indeed,
if A is in GL(n, R), then A : R^n → R^n is an invertible map.

Example 15.1.8. The dihedral group D_n acts on the vertices of the regular n-gon. Each ele-
ment of the group D_n of symmetries of the regular n-gon permutes the n vertices of the n-gon.
If we number these vertices 1 to n (counter clockwise), then a rotation over 2π/n induces the
n-cycle (1, 2, ..., n) on these vertices. A reflection in the axis through the center of the n-gon
and the vertex 1 induces the permutation (2, n)(3, n − 1)...(n/2, n/2 + 1) in case n is even, and
(2, n)(3, n − 1)...((n − 1)/2, (n + 1)/2) in case n is odd. This yields a permutation representation of
D_n into Sym_n.

Remark 15.1.9. An important way of describing a permutation group is as a subgroup of
Sym(X) generated by a list A of permutations of X. This means that the subgroup is the
smallest set of permutations of X containing A, closed under multiplication and taking in-
verses, and containing the identity element.

Let G be a group. Three fundamental examples of permutation representations of G into
Sym(X) with X = G are:

• The left regular representation L_g : G → G, x ↦ g·x. Here, the map L_g is left multiplication
by g on G.

• The right regular representation R_g : G → G, x ↦ x·g^{−1}. Here, the map R_g is right multi-
plication by g^{−1} on G.

• The conjugation representation C_g : G → G, x ↦ g·x·g^{−1}. Here, the map C_g is conjugation
by g on G.

In contrast to the usual notation, we write L_g for the image of g under L. This way, the
expressions, which are maps themselves, are more readable when applied to an element of
G: L_g(h) is preferred to L(g)(h).
Similarly, we prefer the notations R_g(h) and C_g(h) to R(g)(h) and C(g)(h), respectively.

Theorem 15.1.10. The maps L, R, C are permutation representations of G on G.

Proof. In order to prove that L, R, and C are permutation representations of G on X = G, we
proceed in two steps.
Assertion. The maps L_g, R_g, C_g are bijections, so they belong to Sym(G).
If L_g(x) = L_g(y), then g·x = g·y, so, by the cancellation law, x = y. Hence L_g is injective.
If x ∈ G, then also g^{−1}·x ∈ G, and L_g(g^{−1}·x) = x. Thus, L_g is also surjective.
We conclude that L_g is a bijection. Therefore, it belongs to Sym(G). The proofs for R and C
are similar.
Assertion. The maps L, R, C are morphisms G → Sym(G), so they are permutation represen-
tations.
We need to verify that, for each g, h ∈ G, we have L_{g·h} = L_g·L_h. This is indeed the case as,
for each x ∈ G,

L_{g·h}(x) = (g·h)·x = g·(h·x) = L_g(L_h(x)) = (L_g·L_h)(x) (15.9)

The proofs for R and C are similar.

Example 15.1.11 (The left regular representation of Sym_3). Let G be the group Sym_3. Then
G consists of six elements: e = 1, y = (1, 2, 3), z = (1, 3, 2), a = (1, 2), b = (2, 3), c = (1, 3).
The representation L : G → Sym(G) is written out explicitly as permutations on {a, b, c, e, y, z}.

• L_a = (a, e)(b, y)(c, z)
• L_b = (b, e)(a, z)(c, y)
• L_c = (c, e)(a, y)(b, z)
• L_y = (y, z, e)(a, c, b)
• L_z = (e, z, y)(a, b, c).

Note that the multiplication of G can be easily recovered from the list. For instance L_c(a) = y
means c·a = y.

Example 15.1.12 (The right regular representation of Sym_3). With the notation of Exam-
ple 15.1.11 we can express right multiplication as the following permutations

• R_a = (a, e)(b, z)(c, y)
• R_b = (b, e)(a, y)(c, z)
• R_c = (c, e)(a, z)(b, y)
• R_z = (z, y, e)(a, b, c)
• R_y = (e, y, z)(a, c, b)

Example 15.1.13 (The conjugation representation of Sym_3). With the notation of Exam-
ple 15.1.11 we can express conjugation by the following permutations

• C_a = (b, c)(y, z)
• C_b = (a, c)(y, z)
• C_c = (a, b)(y, z)
• C_y = (a, b, c)
• C_z = (a, c, b)

Next we study the kernels of these representations. We recall that the center of G is the
subgroup Z(G) = {d ∈ G | ∀g. (g ∈ G) ⇒ (d·g = g·d)} of G.

Theorem 15.1.14. The kernels of L and R are trivial.
The kernel of C is the center of G.

Proof. The following three steps suffice.
Assertion. The homomorphisms L and R are injective.
If L_g = L_{1_G}, then, in particular, g = g·1_G = L_g(1_G) = L_{1_G}(1_G) = 1_G·1_G = 1_G. Therefore
g = 1_G. This shows that the kernel of the homomorphism L : G → Sym(G) is trivial. It
follows that the homomorphism L : G → Sym(G) is injective. The proof for R is similar.
Assertion. The kernel of the homomorphism C is the center of G.
If C_g = C_{1_G}, then, for all x ∈ G, we have C_g(x) = C_{1_G}(x), so g·x·g^{−1} = x. Thus, g belongs to
the kernel of C if and only if, for all x ∈ G, we have g·x = x·g, that is, if and only if g ∈ Z(G).

Example 15.1.15. Let G be the group Sym_3. Then G consists of six elements: e = 1, y =
(1, 2, 3), z = (1, 3, 2), a = (1, 2), b = (1, 3), c = (2, 3). By the theorem, the left and right
regular representations are injective. What about C? By the theorem, C_g is the identity if and
only if g commutes with every element of Sym_3. Since each conjugacy class distinct from
{1_G} consists of more than one element, we find Z(G) = Ker(C) = {1_G}.
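As an added example (not code from the book), the following Python computes the action on pairs of Example 15.1.5, its generalisation to k-subsets in Example 15.1.6, and the left regular, right regular and conjugation representations of Sym_3 from Examples 15.1.11 to 15.1.15, checking the homomorphism property of Definition 15.1.3 and that Ker C = Z(G) as in Theorem 15.1.14. The helper names are the example's own; a permutation is stored as a tuple of images of 0-based points, and the product g·h applies h first, matching L_c(a) = c·a = y in Example 15.1.11.

```python
# Added example (not from the book): permutation representations of Section 15.1,
# computed explicitly.  A permutation of n points is a tuple p with p[i] the image
# of point i (0-based); compose(g, h) applies h first, so compose(c, a) is the
# book's product c*a and L_c(a) = c*a as in Example 15.1.11.
from itertools import combinations, permutations


def compose(g, h):
    """(g*h)(i) = g(h(i)): apply h, then g."""
    return tuple(g[h[i]] for i in range(len(h)))


def inverse(g):
    inv = [0] * len(g)
    for i, gi in enumerate(g):
        inv[gi] = i
    return tuple(inv)


def from_cycles(n, cycles):
    """Permutation of n points from cycles in the book's 1-based notation."""
    p = list(range(n))
    for cyc in cycles:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            p[a - 1] = b - 1
    return tuple(p)


def to_cycles(perm, labels):
    """Disjoint cycles of perm written with the given labels; fixed points omitted."""
    seen, out = set(), []
    for start in range(len(perm)):
        if start in seen or perm[start] == start:
            continue
        cyc, i = [], start
        while i not in seen:
            seen.add(i)
            cyc.append(labels[i])
            i = perm[i]
        out.append(tuple(cyc))
    return out


def on_subsets(g, k):
    """Example 15.1.6: the bijection g_K of the k-subsets of {0..n-1} induced by g.
    Subsets are numbered lexicographically, so for n = 5, k = 2 this is the
    labelling a = {1,2}, b = {1,3}, ..., j = {4,5} of Example 15.1.5."""
    subsets = list(combinations(range(len(g)), k))
    index = {s: i for i, s in enumerate(subsets)}
    return tuple(index[tuple(sorted(g[x] for x in s))] for s in subsets)


def is_homomorphism(rep, group):
    """rep(g*h) = rep(g)*rep(h) for all g, h in group (Definition 15.1.3)."""
    return all(rep(compose(g, h)) == compose(rep(g), rep(h))
               for g in group for h in group)


def regular_representations(group):
    """L_g, R_g, C_g of Theorem 15.1.10 as permutations of the positions in group."""
    index = {x: i for i, x in enumerate(group)}

    def L(g):
        return tuple(index[compose(g, x)] for x in group)

    def R(g):
        return tuple(index[compose(x, inverse(g))] for x in group)

    def C(g):
        return tuple(index[compose(compose(g, x), inverse(g))] for x in group)

    return L, R, C


def kernel(rep, group):
    identity = tuple(range(len(group)))
    return [g for g in group if rep(g) == identity]


def center(group):
    """Z(G), which Theorem 15.1.14 identifies with Ker C."""
    return [d for d in group if all(compose(d, g) == compose(g, d) for g in group)]


# Sym_3 in the order a, b, c, e, y, z of Example 15.1.11; Sym_5 as all 120 tuples.
SYM3 = [from_cycles(3, [cyc]) for cyc in [(1, 2), (2, 3), (1, 3), (), (1, 2, 3), (1, 3, 2)]]
SYM3_LABELS = "abceyz"
SYM5 = [tuple(p) for p in permutations(range(5))]

if __name__ == "__main__":
    for cyc in [(1, 2), (1, 2, 3), (1, 2, 3, 4, 5)]:          # (15.5), (15.6), (15.7)
        print(cyc, "->", to_cycles(on_subsets(from_cycles(5, [cyc]), 2), "abcdefghij"))
    print(is_homomorphism(lambda g: on_subsets(g, 2), SYM5))   # True
    L, R, C = regular_representations(SYM3)
    for name, rep in (("L", L), ("R", R), ("C", C)):
        print(name, [(SYM3_LABELS[i], to_cycles(rep(g), SYM3_LABELS)) for i, g in enumerate(SYM3)])
    print(kernel(C, SYM3) == center(SYM3) == [SYM3[3]])        # True: Z(Sym_3) is trivial
```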

Since the left regular representation L has a trivial kernel, every group G is isomorphic with
its image under L and hence with a subgroup of some symmetric group.

Theorem 15.1.16. Every group is isomorphic with a permutation group.

Proof. As L is injective, the group G is isomorphic with its image {L_g | g ∈ G} in Sym(G).
The image is a permutation group.

The permutation representations L, R, and C all have degree |G|. There do exist methods for
constructing lower-degree permutation representations.
Remark 15.1.17. Although the theorem asserts that we can write every group as a group of
permutations, it does not give us a practical presentation of the group. Think of the symmetric
group on n letters: the proof of the theorem realizes Sym_n as a group of permutations of n!
letters, while the natural permutation presentation of this group is on n letters.

The following theorem shows two ways of obtaining a permutation representation from a
given permutation representation.
The restriction of a map f : X → Y to a subset Z of X is the map

f ↓ Z : Z → Y, h ↦ f(h) (15.10)

Theorem 15.1.18. Let f : G → Sym(X) be a permutation representation.
i. If H is a subgroup of G, then the restriction f ↓ H of f to H is also a permutation
representation.
ii. Let Y be a subset of X such that for all g ∈ G and all y ∈ Y, also f(g)(y) ∈ Y.
Then every g ∈ G determines by restriction to Y a bijection f(g) ↓ Y of Y. The
resulting map G → Sym(Y), g ↦ f(g) ↓ Y is a permutation representation.

Proof.
Assertion. If H is a subgroup of G, then the restriction f ↓ H of f to H is also a permutation
representation.
Let g, h ∈ H. Since g, h ∈ G and f is a morphism of groups, we have f(g·h) = f(g)·f(h),
so the restriction f ↓ H of f to H is also a morphism of groups.
Assertion. Let Y be a subset of X such that for all g ∈ G and all y ∈ Y, also f(g)(y) ∈ Y.
Then every g ∈ G determines by restriction to Y a bijection f(g) ↓ Y of Y. The resulting map
G → Sym(Y), g ↦ f(g) ↓ Y is a permutation representation.
We first show that f(g) ↓ Y is a bijection for g ∈ G.
Let y ∈ Y. Then there is an element x ∈ X with f(g)(x) = y. Since y ∈ Y and g has inverse
g^{−1} in G, we have f(g^{−1})(y) ∈ Y, and so x ∈ Y. Since f(g) ↓ Y(x) = y, this proves that
f(g) ↓ Y is surjective.
Clearly, f(g) ↓ Y is injective because f(g) is.
It remains to show that the map g ↦ f(g) ↓ Y is a morphism. Let h ∈ G and y ∈ Y. Then
f(g·h) ↓ Y(y) = f(g·h)(y) = f(g)(f(h)(y)) = f(g) ↓ Y(f(h) ↓ Y(y)) = (f(g) ↓ Y · f(h) ↓ Y)(y),
proving f(g·h) ↓ Y = f(g) ↓ Y · f(h) ↓ Y.

Example 15.1.19 (The general linear group and special linear group acting on vectors). The
group G = GL(n, R) of real invertible n × n-matrices acts as a permutation group on the set
of vectors of Rn : the element g of G is mapped to the bijection g : Rn → Rn , v 7→ g (v), an
element of Sym(Rn ). See a previous example. As the zero vector is fixed by all matrices in
G, the group G is also a permutation group on the set of nonzero vectors. Also the special
linear group SL(n, R), which consists of the n × n-matrices with determinant 1, acts on the
nonzero vectors in Rn .

Example 15.1.20 (A subgroup of Sym(X) acting on all subsets of X). Suppose G acts on X.
Then there is an action of G on the set of all subsets of X. If Y = {x1 , ..., xk } is a subset of
X of size k, its image under the permutation g is g (Y ) = {g (x1 ) , ..., g (xk )}. Verify that this
defines a permutation representation indeed! Let Z be the set of all subsets of X of size 2.
Then Z is G-invariant, that is, for each g in G, the image g (Y ) of a 2-set Y is again a 2-set.
Thus, we find a permutation representation of G on Z.

A set Y as in the theorem is called invariant under G. We also say Y is G-invariant or, if G is
clear from the context, just invariant.

15.2 Orbits

Definition 15.2.1. Let G → Sym(X) be a permutation representation of the group G on X.
Suppose x, y ∈ X. If there is g ∈ G with g(x) = y, then we say that x and y are in the same
orbit, and write itso(x, y).

• The relation itso, being in the same orbit, is an equivalence relation.
• Its equivalence classes are called orbits of G on the set X.
• The group G is said to be transitive on X if it has only one orbit on X.

Proposition 15.2.2. The relation itso, being in the same orbit, is an equivalence relation.

Proof. In order to show that itso is an equivalence relation on X we verify the three basic
properties of an equivalence relation.
Assertion. itso is reflexive.

For g equal to the identity, we have g (x) = x, whence x is in the same orbit as x.
Assertion. itso is symmetric.

Suppose that x, y are in the same G-orbit. Then g(x) = y, for some element g of G. Consequently
g^{-1}(y) = x, so itso(y, x).
Assertion. itso is transitive.

Suppose itso (x, y) and itso (y, z). Then there are elements g, h of G such that g (x) = y and
h (y) = z. Then h· g (x) = z, and so itso (x, z).

Example 15.2.3 (The symmetric group on 3 letters acting on pairs of elements). Let X be
the set consisting of the 15 subsets of Sym(3) having exactly two elements. The map
L : Sym(3) → Sym(X) with Lg ({a, b}) = {g (a) , g (b)} is a permutation representation (it
was treated once before ). The orbit of {e, (1, 2)} consists of 3 elements:

{e, (1, 2)} , {(1, 3) , (1, 2, 3)} , {(2, 3) , (1, 3, 2)} .

Can you describe the other orbits of the given action L ?

Example 15.2.4 (The general linear group on vectors). The group GL(n, R), with n > 1, is not
transitive on the set of all vectors of Rn . For, the zero vector 0 can only be transformed into
itself. The group is transitive on the set of nonzero vectors: if v1 and w1 are two such vectors,
then v1 (respectively w1 ) can be extended to a basis v1 , ..., vn (respectively w1 , ..., wn ) of Rn
and determine an invertible linear map a : Rn → Rn by a· (r1 · v1 + ... + rn · vn ) = r1 · w1 + ... +
rn · wn . The map a belongs to GL(n, R) and satisfies A· v1 = w1 , and so indeed v1 and w1 are
in the same orbit. Conclusion: there are precisely two orbits, viz., Rn \ {0} and {0}.

Example 15.2.5 (Conjugation of the symmetric group on itself). The orbits in a group G of
the group G acting by conjugation on itself are the so-called conjugacy classes. Since {1} is
a single orbit, the action is transitive only if G is the trivial group 1. We determine the conjugacy
classes of G = Sym(3). They are {1}, {(1, 2), (1, 3), (2, 3)}, {(1, 2, 3), (1, 3, 2)}. More
generally, for Sym(X) the conjugacy classes consist of all elements of a given cycle type,
see the Conjugation Theorem (8.2.11). Above, the cycle structure 1, 1, 1 belongs to 1 (the
identity), the type 2, 1 to the class of (1, 2), and the type 3 to the class of (1, 2, 3). The cycle
structures are nothing but the partitions of n. For n = 4, the partitions are 4, 31, 22, 211, 1111.
Representative elements from the corresponding conjugacy classes are: (1, 2, 3, 4), (1, 2, 3),
(1, 2) (3, 4), (1, 2), 1.

Example 15.2.6. Let G be the permutation group on X = {1, ..., 8} generated by (1, 3) (2, 4),
(5, 6), (2, 7), and (1, 8).
The orbits of G are {1, 3, 8}, {2, 4, 7} and {5, 6}.
Clearly, these sets partition X. Moreover, they are invariant under the generators of G, and
hence also under G itself. Using the generators of G one can also easily check that the sets
are contained in single G-orbits.

The fact that itso is an equivalence relation implies that a G-orbit is equal to Gx = {g (x)| g ∈
G} for any point x in this orbit.
The observation that itso is an equivalence relation leads to the following algorithm for a
permutation group G on a finite set X.
Algorithm 15.2.7 (Orbit algorithm). • Input: a set B of generators of G and an element x of
X;
• Output: the G-orbit of x.

Orbit := procedure(B, x)
local variables
O, L, N
O := {x} , L := {x}
while L ≠ ∅ do
N := {g(a) | (g, a) ∈ B × L} , L := N \ O , O := L ∪ O
return
O

Proof.
Assertion. Termination
The subset O increases by the set L disjoint to O at each pass of the while loop. As these are
subsets of the finite set X, we must have L = ∅ at the end of some while loop pass. Hence
termination is guaranteed.
Assertion. Correctness

If y ∈ Gx, then there are b1 , ..., bn ∈ B such that y = b1 · ...· bn (x). By construction, O is
invariant under each of the elements in B, so also b1 · ...· bn (x) belongs to O. In particular, Gx
is contained in the output O.
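As an added illustration (not code from the book), the Orbit algorithm in Python with the action passed in as a function, so that one routine serves points (Example 15.2.6), 2-subsets of Sym(3) under left multiplication (Example 15.2.3) and conjugation (Example 15.2.5); the generating sets below are constructed from those examples.

```python
from itertools import permutations

def from_cycles(n, *cycles):
    """Permutation of {1, ..., n} from disjoint cycles in the text's notation,
    e.g. from_cycles(8, (1, 3), (2, 4)) is (1, 3)(2, 4).
    A permutation g is stored as a tuple with g[i - 1] = g(i)."""
    p = list(range(1, n + 1))
    for c in cycles:
        for a, b in zip(c, c[1:] + c[:1]):
            p[a - 1] = b
    return tuple(p)

def compose(g, h):
    """g·h in the text's convention: apply h first, then g."""
    return tuple(g[h[i] - 1] for i in range(len(h)))

def inverse(g):
    inv = [0] * len(g)
    for i, y in enumerate(g):
        inv[y - 1] = i + 1
    return tuple(inv)

# Each permutation representation is given as act(g, x): the image of x under the generator g.
def act_on_points(g, x):
    return g[x - 1]

def act_left_on_pairs(g, Y):
    """Example 15.2.3: L_g({a, b}) = {g·a, g·b} for a 2-subset {a, b} of the group."""
    return frozenset(compose(g, a) for a in Y)

def act_by_conjugation(g, x):
    """Example 15.2.5: x -> g·x·g^{-1}."""
    return compose(compose(g, x), inverse(g))

def orbit(gens, x, act):
    """Algorithm 15.2.7: O grows by the set L of new images until no new point appears.
    Generators suffice (no inverses) because every generator has finite order."""
    O = {x}
    L = {x}
    while L:
        N = {act(g, a) for g in gens for a in L}
        L = N - O
        O = O | L
    return frozenset(O)

def orbits(gens, X, act):
    """The partition of X into G-orbits, i.e. the equivalence classes of itso."""
    remaining = set(X)
    parts = []
    while remaining:
        O = orbit(gens, next(iter(remaining)), act)
        parts.append(O)
        remaining -= O
    return parts

# Example 15.2.6: G = <(1,3)(2,4), (5,6), (2,7), (1,8)> acting on {1, ..., 8}.
GENS_15_2_6 = [from_cycles(8, (1, 3), (2, 4)), from_cycles(8, (5, 6)),
               from_cycles(8, (2, 7)), from_cycles(8, (1, 8))]

def orbits_example_15_2_6():
    return set(orbits(GENS_15_2_6, range(1, 9), act_on_points))

# Sym(3) is generated by (1,2) and (1,2,3); its six elements as tuples.
SYM3_GENS = [from_cycles(3, (1, 2)), from_cycles(3, (1, 2, 3))]
SYM3 = [tuple(p) for p in permutations(range(1, 4))]

def pair_orbit_example_15_2_3():
    """Orbit of {e, (1,2)} under L acting on the fifteen 2-subsets of Sym(3)."""
    e, t = from_cycles(3), from_cycles(3, (1, 2))
    return orbit(SYM3_GENS, frozenset({e, t}), act_left_on_pairs)

def conjugacy_classes_sym3():
    """Example 15.2.5: the orbits of Sym(3) on itself under conjugation."""
    return orbits(SYM3_GENS, SYM3, act_by_conjugation)
```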

The behaviour of a permutation representation f : G → Sym(X) can be recorded inside G.


The first step is to relate a point x of X to a particular subgroup of G.
Definition 15.2.8. If x ∈ X, then the stabilizer of x in G is the subgroup Gx of G given by
Gx = {g ∈ G|g (x) = x}
If g (x) = x, then g is said to fix or to stabilize x.

Example 15.2.9 (G = Sym5 acting on {1, 2, 3, 4, 5}). The stabilizer of 3 consists of all permutations
g with g(3) = 3. These are all permutations of {1, 2, 4, 5}. Hence, the stabilizer is
Sym({1, 2, 4, 5}), which is isomorphic with Sym4 .

Example 15.2.10 (G = Sym5 acting on the set X of subsets of {1, 2, 3, 4, 5} of size 2). The
stabilizer of the set {4, 5} consists of all elements g of Sym5 with g (4) ∈ {4, 5} and g (5) ∈
{4, 5}. In the disjoint cycle decomposition of such an element g, we find either the cycle
(4, 5), or no cycle at all in which 4 or 5 occurs. Thus, such an element g is either of the form
h or h· (4, 5), for some h ∈ Sym3 . Hence, the stabilizer of {4, 5} is the subgroup Sym3 ×
Sym({4, 5}). More precisely, the stabilizer is the image of the natural morphism Sym3 ×
Sym({4, 5}) → Sym5 , [g, h] 7→ g· h. Thus, the stabilizer has order 6· 2 = 12.

Example 15.2.11 (G = GL(3, R) acting on vectors). Let x be the first standard basis vector.
Then Gx is the subgroup of G of all invertible matrices of the block form
( 1 ∗ )
( 0 ∗ ),
that is, all invertible matrices whose first column is x.

Example 15.2.12 (Conjugation). Let x ∈ G. Then the stabilizer of x in G under conjugation
is CG(x), the subgroup of G of all elements g with g·x = x·g. This subgroup is called the
centralizer of x in G. Observe that CG(1) = G.

Example 15.2.13 (G = Dn on the vertices of a regular n-gon). Let G be the group Dn acting
on the n vertices of a regular n-gon. Let x be a vertex. Among the n rotations in G only the
identity fixes x. The only reflection fixing x is the reflection in the axis through x and the
center of the n-gon. So in this case Gx consists of two elements.

Remark 15.2.14. The notation Gx does not explicitly use f . But the stabilizer does depend
on it. For instance, if G = Sym4 and x = (1, 2), then

• Gx = 1 if f = L, left multiplication (or R, right inverse multiplication);


• Gx = {1, (1, 2) , (3, 4) , (1, 2) (3, 4)} if f = C, conjugation.

If a group G acts as a permutation group on a set X, we can associate to each point x in X the
stabilizer in G of x. The next step is to construct permutation representations from within G.
Suppose H is a subgroup of G. We shall construct a transitive permutation representation of
G on G/H with H as point stabilizer.

Theorem 15.2.15. For g ∈ G, let Lg be the map G/H → G/H specified by
Lg(h·H) = g·h·H for all h ∈ G. Then L : G → Sym(G/H), g ↦ Lg is a transitive permutation
representation. Moreover, the stabilizer in G of the element H of G/H is H.

Proof. Regarding the map L : G → Sym(G/H), g ↦ Lg given by Lg(x·H) = g·x·H, we
need to show the following.

• For each g ∈ G, the image Lg is a bijection G/H → G/H. As, for each x ∈ G, Lg^{-1}(Lg(x·H)) =
g^{-1}·g·x·H = x·H, we have (Lg)^{-1} = Lg^{-1}. So indeed, Lg is a bijection.
• The map L is a morphism of groups. Let g, h ∈ G. We need to show Lg · Lh = Lg·h. For each
k·H we have Lg·h(k·H) = (g·h)·k·H = Lg(h·k·H) = Lg(Lh(k·H)) = Lg · Lh(k·H). So the
map L is indeed a morphism. In other words, G → Sym(G/H), g ↦ Lg is a permutation
representation.
• The permutation representation L is transitive. Let g·H and h·H be two elements of G/H.
Then Lh·g^{-1} maps g·H onto h·H.
• The stabilizer of the element H of G/H coincides with H. The stabilizer is K = {k ∈
G | k·H = H}. If k ∈ K, then there are h, h' ∈ H with k·h = h', and so k = h'·h^{-1} ∈ H,
proving K ⊂ H. Conversely, if h ∈ H, then h·H = H, so h ∈ K, proving H ⊂ K. Hence
H = K.

Example 15.2.16. The kernel K of L need not be trivial: If G = Z and H = 3·Z, then the
kernel is equal to 3·Z. For, Ln(m + 3·Z) = n + m + 3·Z describes the action on the cosets and
it is clear that Ln(m + 3·Z) = m + 3·Z holds for all m if and only if n ∈ 3·Z. Thus, K = H. It
is true, however, that the kernel is always a subgroup of H. Do you see why?

Example 15.2.17. The construction is a generalisation of the left regular representation of
G. The latter is the special case where H = {1}, the trivial subgroup of G. If g·H is a
left coset of H, then the stabilizer of g·H is the conjugate of H by g, i.e. the stabilizer
equals g·H·g^{-1} = {g·h·g^{-1} | h ∈ H}. Indeed, for each element g·h·g^{-1}, with h ∈ H, we
have g·h·g^{-1}·g·H = g·h·H = g·H. On the other hand, if k ∈ G satisfies k·g·H = g·H, then
there is an h ∈ H with k·g = g·h, from which we deduce k = g·h·g^{-1}.

We are now ready for the final step. It will establish that any transitive permutation representation
G → Sym(G/H) can be identified with the permutation representation L as above for
H the stabilizer of an element x of X.
Let f : G → Sym(X) be a permutation representation. Fix x ∈ X. We can identify X with the
set of cosets of G with respect to the stabilizer of an element of X, provided f is transitive.

Theorem 15.2.18. Suppose that f is transitive. Then the map t : G/Gx → X, g·Gx ↦
f(g)(x) is a well-defined bijection and satisfies f(h) ∘ t = t ∘ Lh for every h ∈ G. If,
moreover, G is finite, then |G| = |Gx| · |X|.

Proof. Write H = Gx . We split the proof in the following steps.


Assertion. The map t is well defined.

Suppose g and g' are in the same coset g·H. Then there is h ∈ H such that g' = g·h. As
H = Gx, we have f(h)(x) = x, whence f(g')(x) = f(g·h)(x) = f(g) · f(h)(x) = f(g)(x).
This proves that the assignment g·H ↦ f(g)(x) does not depend on the choice of g' ∈ g·H.
Assertion. The map t is injective.

Suppose g, g' ∈ G satisfy t(g·H) = t(g'·H). Then f(g)(x) = f(g')(x), so x = f(g^{-1}·g')(x),
that is, g^{-1}·g' ∈ Gx. Since Gx = H, this shows g^{-1}·g'·H = H, and so g'·H = g·H. Hence t
is injective.
Assertion. The map t is surjective.

Let y ∈ X. As f is transitive, there is g ∈ G with y = f(g)(x). But then t(g·H) = y. Hence t is
surjective.
Assertion. For each h ∈ G, we have f (h) ◦ t = t ◦ Lh .

Let g ∈ G. Then t ◦ Lh (g· H) = t (h· g· H) = f (h· g) (x) = f (h) ◦ f (g) (x) = f (h) ( f (g) (x)) =
f (h) (t (g· H)) = f (h) ◦ t (g· H). Hence the assertion.

Assertion. If G is finite, then |G|/|H| = |X|.

If G is finite, then Lagrange's theorem gives that |G/H| = |G|/|H|. As t is a bijection, we also
have |G/H| = |X|.

Example 15.2.19 (G = Sym5 on pairs of {1, 2, 3, 4, 5}). The stabilizer in Sym5 of {4, 5} is
equal to a group H isomorphic to Sym3 × ⟨(4, 5)⟩. The index |G/H| of this subgroup in Sym5
is equal to 5!/(3!·2!) = 10. This is equal to the number of subsets of {1, ..., 5} of size 2. Under the
bijection of Identification of orbit with cosets (15.2.18), the coset (1, 2, 3, 4, 5) · H is mapped
onto {1, 5}. This image can be computed by use of any element from the coset; for example

• (1, 2, 3, 4, 5) maps {4, 5} to (1, 2, 3, 4, 5) ({4, 5}) = {1, 5};


• but also (1, 2, 3, 4, 5) · (4, 5) · (1, 2, 3) ({4, 5}) = {1, 5}.

Example 15.2.20 (Existence of elements of order 2 in a group of order 10). Let G be a group
of order 10. It acts by left multiplication on the set X consisting of the 45 subsets of G of size
2. By the theorem, the number of elements in an orbit is a divisor of |G| and hence equal to
1, 2, 5, or 10. An orbit cannot be a singleton (do you see why?). As |X| is odd, there must be
an orbit of size 5. The stabilizer of an element from this orbit has order 2. This establishes that
G has a subgroup, and thus also an element, of order 2. Later, we shall repeat this argument
in greater generality to show that if p is a prime dividing |G|, there is an element of order p
in G.

Example 15.2.21 (Conjugation). Let x ∈ G. Then the centralizer CG (x) of x in G is the


stabilizer of x in the conjugation action. Hence the number of conjugates of x equals the
index of CG (x) in G and is a divisor of the order of G.

Example 15.2.22 (The dihedral group). Let D be the dihedral group of order 2· n, acting on
the n vertices of a regular n-gon. The group D is transitive on the n vertices. So, the stabilizer
of a vertex in D consists of |D|/n = 2 elements. One element is the identity element, the other
is a reflection with respect to a line through the vertex.

Let B be an orbit of the permutation representation f : G → Sym(X) of the finite group G.
If x is an element of B, then, by the theorem, |G|/|Gx| = |B|. In particular, the number of elements
of B is a divisor of |G|, and the order |Gx| of the stabilizer of x does not depend on the choice
of x in B.
The condition f(h) ∘ t = t ∘ Lh for each h ∈ G is often phrased as ‘the map t commutes with the
group action’. It means that t does not just establish an identification of G/Gx and X as sets,
but even of the permutation representations L on G/Gx and f on X.
The last assertion of the theorem says that, for finite groups G, the degree of a transitive
permutation representation is equal to the index of a point stabilizer in G.

15.3 Permutation group algorithms

Consider a permutation representation of G on a set X. By Identification of orbit with cosets
(15.2.18), the order of a permutation group G can be determined once we know the order of
the stabilizer Gx in G of a point x ∈ X. Since Gx is a smaller permutation group if the G-orbit
of x is nontrivial, the result leads to a recursive computation.
Definition 15.3.1. A base for G on X is a sequence B of elements of X such that the stabilizer
GB in G of each element of B is the trivial group.

Example 15.3.2 (Bases for the groups Sym(X) and Alt(X)). Let G be a subgroup of Sym(X).
Then the sequence [1, ..., n − 1] is a base for G. If G = Symn , then we cannot replace the base
by a smaller one. If G = Altn , then [1, ..., n − 2] is a base. For, the only nontrivial permutation
in Symn stabilizing each of the elements 1, ..., n − 2 is the transposition (n − 1, n). But this
element is odd and so does not belong to Altn.

Example 15.3.3 (GL(V )). Let V be a vector space of dimension n. Consider G = GL(V )
acting on the vectors of the vector space V . If v1 , ..., vn is a base of V , then [v1 , ..., vn ] is a base
of G acting on V . For, a linear transformation fixing a basis of V is the identity.

Example 15.3.4 (Dn ). Consider G to be Dn acting on the n vertices of the n-gon. Any two
vertices that are not opposite form a base for G.

If G is a subgroup of Symn and B = [b1 , · · · , bm ] is a base for G acting on X = {1, ..., n}, then
the order of G is equal to the size of the G-orbit of B. Alternatively, we can determine the
order as follows, where Gx stands for the orbit of G on x.

Theorem 15.3.5 (Order theorem). If B = [b1, ..., bm] is a base for G acting on X, then
|G| = |G b1| · |G_{b1} b2| · |G_{b1,b2} b3| · ... · |G_{b1,...,b(m−1)} bm|,
where G_{b1,...,bi} bi+1 denotes the orbit of bi+1 under the stabilizer of b1, ..., bi (for i = 0 this is the G-orbit of b1).

Proof. By Identification of orbit with cosets (15.2.18), |G| = |G b1| · |G_{b1}|. Applying the same theorem to G_{b1} acting on X gives |G_{b1}| = |G_{b1} b2| · |G_{b1,b2}|, and so on. After m steps we arrive at
|G| = |G b1| · |G_{b1} b2| · ... · |G_{b1,...,b(m−1)} bm| · |G_{b1,...,bm}|,
and the last factor equals 1 since B is a base.

Example 15.3.6. Let F be a finite field of size q and put V = F^3 for the 3-dimensional vector
space over F. Consider G = GL(V), the group of all invertible linear mappings on V, acting
on the vectors of the vector space V. By Example 15.1.7, we know that the q^3 − 1 nonzero
vectors form an orbit.
Moreover, in Example 15.2.4 we noticed that every basis of V is a base for the action of G on
the nonzero vectors of V.
Since G is transitive on bases (indeed the matrix whose columns consist of the vectors of a
basis B maps the standard basis to B), its order equals the number of distinct bases. But that
implies that |G| = (q^3 − 1) · (q^3 − q) · (q^3 − q^2).

Can you find the order of GL(n, F), the group of invertible n × n matrices with coefficients in
F?

A handicap in applying this theorem to a group generated by a set of permutations is that we


have no way (yet) of determining the stabilizer. This is taken care of by Schreier’s lemma
(15.3.15).
A permutation group G on X = {1, ..., n} can be conveniently represented by a (small) generating
set of permutations. Most algorithms for permutation groups take such a generating set
as input. Let S be a generating set for G.
Definition 15.3.7. A Schreier tree with root x for a list S of generating elements of G is a tree
rooted at x with the following properties:

• Its vertices are the elements of the orbit Gx.


• Each edge i, j with i closer to the root x than j is labeled by a generator s ∈ S such that
s (i) = j.

Example 15.3.8. Consider the permutation group G = ha, bi where a = (1, 2) (3, 4) and b =
(1, 3) (2, 4). The following graph describes the action of both a and b fully. A Schreier tree
with root 1 results from deletion of any one of the four edges.

Remark 15.3.9. For a given permutation group G acting on a set X, and generated by a set
S of permutations, one can draw a labeled directed graph, in which an edge [x, y] is labeled g,
if g ∈ S and g satisfies g (x) = y. Now the orbits of G on X are the connected components of
this graph. Moreover, a spanning tree of the component containing x is a Schreier tree for S.

A Schreier tree T can be represented by a triple [V, L,W ], where V is the ordered list of
vertices of T starting with the root x of the tree, L is a list of labels, starting with a dummy 0
which is followed by elements form S or their inverses, and the third list W also starts with
0 which is followed by vertices from the tree. The elements in the three lists are ordered in
such a way that the unique neighbour of a vertex v in T , being at position i ≥ 2 in V , on the
path to the root x is the vertex w at the same position i in W . The edge on v and w carries the
label s, where s is the element at position i in L. The triple is called the Schreier data for the
tree T .
We present an algorithm to find Schreier trees. This algorithm is a slight extension of the
Orbit algorithm (15.2.7).
Algorithm 15.3.10 (Schreier tree algorithm). • Input: list S of generators of G and x ∈ X.
• Output: Schreier data for a Schreier tree for S with root x.

SchreierTree := procedure(S, x)
local variables
pnt, j, im, bpnt := x , gens := S , J := {1, ..., Length(S)} , orbit := [bpnt]
new := [bpnt] , newest, svect := [0] , bpnts := [0]
while new ≠ ∅ do
newest := [ ]
for i1 := 1 while i1 ≤ Length(new) with step i1 := i1 + 1 do
for i2 := 1 while i2 ≤ Length(gens) with step i2 := i2 + 1 do
pnt := new[i1] , j := J[i2] , im := gens[j](pnt)
if ¬ (im ∈ orbit)
then
Add(orbit, im) , Add(newest, im) , Add(svect, gens[j]) , Add(bpnts, pnt)
im := gens[j]^{-1}(pnt)
if ¬ (im ∈ orbit)
then
Add(orbit, im) , Add(newest, im) , Add(svect, gens[j]^{-1}) , Add(bpnts, pnt)
new := newest
return
[orbit, svect, bpnts]

Proof. The proof is similar to the proof of the orbit algorithm.


Assertion. Termination

Since X is a finite set, and the vertex set of T is a subset of X which increases strictly at each
pass of Step 3 with nonempty N, termination is guaranteed.
Assertion. After termination, T is a tree with the right labels.

By construction, the vertex set of T is the G-orbit of x. See the orbit algorithm.

Example 15.3.11. Suppose the group G is generated by the list S = [a, b] where a = (1, 2) (3, 4)
and b = (1, 3) (2, 4). We create a Schreier tree following the Schreier tree algorithm (15.3.10).
Take x = 1 and set orbit = [1]. Now create a new generation of elements in orbit. This yields
the new elements 2 and 3 which can be added to orbit, which becomes orbit = [1, 2, 3]. The
lists svect and bpnt, both starting with a zero, are now extended to svect = [0, a, b] and
bpnt = [0, 1, 1]. The new points are now 2 and 3.
Applying both a and b yields only one new point, namely 4 as the image of 2 under b. We add
this element to the list and obtain orbit = [1, 2, 3, 4], svect = [0, a, b, b] and bpnt = [0, 1, 1, 2].
Clearly no new elements will be added in the next step, so the algorithm stops.

Let S be a generating set for the group G and T a Schreier tree for S with root x. If a ∈ Gx,
then a is a vertex of T . Hence there is a unique path from x to a in the tree. This path is
helpful in finding an element in G mapping x to a.
Definition 15.3.12. Let G be a permutation group acting transitively on the set X. Suppose S
is a generating set of permutations for G and T a Schreier tree with respect to S rooted at the
point x ∈ X. If the labels of the edges in the unique path from x to a are b1 , ..., bk , respectively,
then the element ta = bk · ...· b1 of G satisfies ta (x) = a. The map t : X → G obtained in this
way is the Schreier transversal for G (determined by T ).

Example 15.3.13. Consider the permutation group G = ha, bi where a = (1, 2) (3, 4) and b =
(1, 3) (2, 4). Take the following Schreier tree with root 1. We compute the various transversals
for the Schreier tree from Example 15.3.11: t1 = 1, t2 = a, t3 = b, and t4 = b· a.

Schreier transversals will turn out to be useful tools to construct generators for stabilizer
subgroups.
Algorithm 15.3.14 (Schreier transversal). • Input: Schreier data D for a Schreier tree T and
a vertex v of the tree.
• Output: The image tv of v under the Schreier transversal of T.
SchreierTransversal := procedure(D, v)
local variables
V := D[1] , L := D[2] , W := D[3]
i := 1 , p := v , t := 1 , root := V[1]
while p ≠ root do
while V[i] ≠ p do
i := i + 1
t := t·L[i] , p := W[i] , i := 1
return
t

Let S be a generating set of permutations for the group G acting on the set X. Let T be a
Schreier tree with respect to S rooted at the point x of X. Let V be the vertex set of T . Finally
let t : V → G be the Schreier transversal for G determined by T .

Theorem 15.3.15 (Schreier's lemma). The stabilizer Gx is generated by
{ t_{s(v)}^{-1} · s · t_v | (s, v) ∈ S × V }.

Proof. Let M be the set { t_{s(v)}^{-1} · s · t_v | (s, v) ∈ S × V }.

Assertion. M is contained in Gx .

We show t_{g(v)}^{-1} · g · t_v ∈ Gx for all g ∈ G and v ∈ V. Then certainly for all g ∈ S the statement is true.
Indeed, t_{g(v)}^{-1} · g · t_v (x) = t_{g(v)}^{-1} (g(v)) = x, because t_v(x) = v and t_{g(v)}(x) = g(v).
Assertion. M generates Gx .

Suppose g ∈ Gx. Then g ∈ G and so it can be written as a product of elements of S and their
inverses. Thus, g = gr · ... · g1 with gi ∈ S ∪ S^{-1}. We will show, by induction on r, that g can
be written as a product of elements from M.
If r = 1, then g ∈ S and g(x) = x. As tx = 1, we find g = t_{g(x)}^{-1} · g · tx, and so g ∈ M, as
required.
Assume, therefore, r > 1. Let j be the maximal index such that

x, g1(x), g2·g1(x), ..., gj·...·g2·g1(x)

is a path in T with the labels g1, g2, ..., gj. Observe that j < r as T has no cycles. Put
a = gj·...·g2·g1(x). Then ta = gj·...·g2·g1. Now consider the element g · (t_{h(a)}^{-1} · h · ta)^{-1},
where h = gj+1. Rewrite this element as g · (t_{h(a)}^{-1} · h · ta)^{-1} = gr · ... · gj+2 · t_{h(a)}. Now repeat
the above argument on this element; it also belongs to Gx. As t_{h(a)} corresponds to a path
in the Schreier tree T, we find an expression of the form

g · (t_{h(a)}^{-1} · h · ta)^{-1} · (t_{h'(a')}^{-1} · h' · ta')^{-1} = gr · ... · gj'+2 · t_{h'(a')}

with j' > j. Thus, we can repeat the argument at most r − j times; each time the head
gr · ... · gj'+2 becomes shorter. We finish with a Schreier element t on the right hand
side. However, since the left hand side is a product of g and (inverses of) elements stabilizing
x, also t belongs to Gx. But this is only possible if t = 1. Consequently, g is a product of
elements from M and their inverses. Hence the theorem follows.

Example 15.3.16. Consider the permutation group G = ha, bi where a = (1, 2) (3, 4) and
b = (1, 3) (2, 4). Take the Schreier tree with root 1 and edges (1, 2, a), (1, 3, b), (2, 4, b).
Consequently, t1 = 1, t2 = a, t3 = b, t4 = b· a.
Using this knowledge we compute the generators for G that are indicated by Schreier’s lemma
(15.3.15). (t2 )−1 · a·t1 = 1, (t3 )−1 · b·t1 = 1, (t1 )−1 · a·t2 = 1, (t4 )−1 · b·t2 = 1, (t4 )−1 · a·t3 = 1,
(t1 )−1 · b·t3 = 1, (t3 )−1 · a·t4 = 1, (t2 )−1 · b·t4 = 1. We conclude that G1 = {1} and |G| = 4.

Often, many of the |X| · |S| generators of Gx are redundant. Unfortunately, we cannot say in
advance which.

Algorithm 15.3.17 (Stabilizer Algorithm). • Input: list of generators S of a permutation


group G acting on a set X and a point x.

• Output: List of generators for the stabilizer in G of x.


Stabilizer := procedure(S, x)
local variables
Tree := SchreierTree(S, x) , Vertices := Tree[1] , i := 1 , j , Stab := ∅ , s, v, t, t1
while i ≤ Length(S) do
j := 1
while j ≤ Length(Vertices) do
s := S[i] , v := Vertices[j] , t := SchreierTransversal(Tree, v)
t1 := SchreierTransversal(Tree, s(v))
if (t1)^{-1}·s·t ≠ 1
then
Stab := Stab ∪ {(t1)^{-1}·s·t}
j := j + 1
i := i + 1
return
Stab

The algorithms presented so far enable us to compute the order of a permutation group G
acting on a finite set X, once we are given a set of generating permutations for G.
For convenience we assume the set X to be the set {1, ..., n}.
Algorithm 15.3.18 (Order algorithm). • Input: a list S of generating permutations for the
permutation group G on {1, ..., n}.
• Output: the order of G.
Order := procedure(S)
local variables
order := 1
gens := S
i := 1
while gens ≠ ∅ do
order := order·Length(Orbit(gens, i)) , gens := Stabilizer(gens, i) , i := i + 1
return
order

Proof.
Assertion. Termination
The algorithm stops since the set of points fixed by the group generated by gens becomes larger every time one passes
Step 2. Eventually the stabilizer of all these points will be trivial and the points form a base.
Assertion. Correctness

The Order theorem (15.3.5) implies that the output of the algorithm is the order of G.
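A Python implementation of this section's algorithms, added here as an illustration and not taken from the book: Schreier tree (15.3.10), Schreier transversal (15.3.14), Schreier's lemma (15.3.15) as the Stabilizer algorithm (15.3.17), and the Order algorithm (15.3.18). It assumes points are 0-based, so (1,2)(3,4) in the text's notation is the tuple (1, 0, 3, 2); the dummy label in position 0 of the Schreier data is the identity and the dummy parent is None; the sample groups are constructed from the examples.

```python
def compose(g, h):
    """g·h in the text's convention: apply h first, then g (points are 0-based)."""
    return tuple(g[h[i]] for i in range(len(h)))

def inverse(g):
    inv = [0] * len(g)
    for i, y in enumerate(g):
        inv[y] = i
    return tuple(inv)

def schreier_tree(S, x):
    """Algorithm 15.3.10. Returns the Schreier data (orbit, svect, bpnts): orbit[i] is a vertex,
    svect[i] the label on the edge to its parent bpnts[i], so svect[i](bpnts[i]) = orbit[i].
    Position 0 holds the root with the identity as dummy label and None as dummy parent."""
    n = len(S[0])
    orbit, svect, bpnts = [x], [tuple(range(n))], [None]
    new = [x]
    while new:
        newest = []
        for pnt in new:
            for s in S:
                for label in (s, inverse(s)):      # the algorithm tries s and then s^{-1}
                    im = label[pnt]
                    if im not in orbit:
                        orbit.append(im)
                        newest.append(im)
                        svect.append(label)
                        bpnts.append(pnt)
        new = newest
    return orbit, svect, bpnts

def schreier_transversal(D, v):
    """Algorithm 15.3.14: t_v = b_k · ... · b_1 with b_1, ..., b_k the labels on the path from
    the root to v, so t_v(root) = v. Walking up from v we meet b_k first, hence t := t · label."""
    V, L, W = D
    t, p = L[0], v
    while p != V[0]:
        i = V.index(p)
        t = compose(t, L[i])
        p = W[i]
    return t

def stabilizer_generators(S, x):
    """Schreier's lemma (15.3.15) / Algorithm 15.3.17: the elements t_{s(v)}^{-1} · s · t_v for
    (s, v) in S x V generate G_x; trivial and duplicate elements are dropped."""
    D = schreier_tree(S, x)
    identity = D[1][0]
    stab = []
    for v in D[0]:
        t = schreier_transversal(D, v)
        for s in S:
            t1 = schreier_transversal(D, s[v])
            g = compose(inverse(t1), compose(s, t))
            if g != identity and g not in stab:
                stab.append(g)
    return stab

def order(S):
    """Algorithm 15.3.18: |G| = |G b_1| · |G_{b_1} b_2| · ..., taking b_i = 0, 1, 2, ... in turn.
    The loop ends when the Schreier generators are all trivial, i.e. the points form a base."""
    result, gens, i = 1, list(S), 0
    while gens:
        result *= len(schreier_tree(gens, i)[0])
        gens = stabilizer_generators(gens, i)
        i += 1
    return result

# Constructed sample groups.
A, B = (1, 0, 3, 2), (2, 3, 0, 1)              # a = (1,2)(3,4), b = (1,3)(2,4): Examples 15.3.11-15.3.16
SYM5_GENS = [(1, 0, 2, 3, 4), (1, 2, 3, 4, 0)]  # (1,2) and (1,2,3,4,5) generate Sym5
D5_GENS = [(1, 2, 3, 4, 0), (0, 4, 3, 2, 1)]    # rotation of the pentagon and the reflection fixing vertex 0
```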

15.4 Automorphisms
A regular triangle looks more symmetric than a nonequilateral triangle in the plane. The
notion of symmetry can be attached to any mathematical object or set with some additional
structure. This structure need not necessarily be algebraic, but can also be, for example, a
graph. An isomorphism mapping the structure into itself is called an automorphism. The set
of all automorphisms of a structure is a group with respect to composition of maps. This group
represents the symmetry of the structure. We will study automorphism groups of various
structures. Such symmetry groups are important for determining and investigating regular
structures in nature, like molecules and crystals.
We recall that a graph consists of a vertex set V and an edge set E, whose elements are subsets
of V of size 2.
Definition 15.4.1 (Automorphisms). • An automorphism of a graph (V, E) is a bijective map
f : V → V satisfying: if {v, w} ∈ E then {f(v), f(w)} ∈ E.
• Let K be a ring, field, group or monoid. An automorphism of K is an isomorphism K → K.

Example 15.4.2 (Inner automorphisms of a group). Let G be a group. For g ∈ G, conjugation
by g, that is, the map x ↦ g·x·g^{-1}, is an automorphism of G. These automorphisms are also
called inner automorphisms of the group G.

Example 15.4.3 (Automorphisms of a finite field). Suppose p is a prime. By Frobenius Automorphisms
(14.4.31), the map x ↦ x^p is an automorphism of a field of characteristic p.

Example 15.4.4 (Automorphisms of the rational numbers). There is exactly one automorphism
of the field Q: the identity.
For an automorphism φ : Q → Q, we have φ(1) = 1, so φ(2) = φ(1 + 1) = 1 + 1 = 2, etc.
By induction, φ(m) = m for positive integers m. From φ(0) = 0 it follows that 0 = φ(0) =
φ(m + (−m)) = φ(m) + φ(−m) = m + φ(−m), and so φ(−m) = −m for all positive
integers m (here we use that φ is an automorphism of the additive group of Q).
For a/b ∈ Q, with b positive, a = b·(a/b). This implies a = φ(a) = φ(b·(a/b)) = φ(b)·φ(a/b) =
b·φ(a/b). In particular, φ(a/b) = a/b.

If Q is a subfield of the field K, then the same argument shows that every automorphism of K
fixes all elements in Q.

Example 15.4.5 (Automorphisms of the cyclic group of order n). Let C be a group of order
n generated by g. An automorphism of C is determined by the image of g, which must be of
the form g j for an integer j with gcd ( j, n) = 1. For, otherwise the element g j does not have
the same order as g. On the other hand, for each such exponent j prime to n the map g 7→ g j
is an automorphism.

Remark 15.4.6. There is some ‘asymmetry’ between the definition of automorphism for
graphs on the one hand and groups, rings, fields, etc., on the other. This is not necessary.
One could define a morphism of graphs (V, E) → (V', E') as a map f : V → V' such that
{f(x), f(y)} ∈ E' whenever {x, y} ∈ E. Then an isomorphism of graphs is a bijective morphism
whose inverse is also a morphism (in contrast to the ring case, this requirement is
necessary), and an automorphism of the graph (V, E) is an isomorphism (V, E) → (V, E). We
stayed away from this approach as we do not use the notions any further.

Theorem 15.4.7. Let K be a graph, a ring, a field, a group, or a monoid. The set
of all automorphisms of K is a subgroup of Sym(K). It is denoted by Aut(K) and is
called the automorphism group of K.

Proof. Automorphisms of K are bijective and so belong to Sym(K).
The subset of all automorphisms is not empty as the identity is an automorphism.
If g is an automorphism of K, then so is g^{-1} (by definition if K is a graph, by Isomorphisms
of monoids (13.2.21) for the other structures).
Likewise, if g and h are automorphisms of K, then so is the composition g· h.

Example 15.4.8. The automorphism group of a regular n-gon in the plane. We have
already met the example of the group Dn, which is the group of symmetries of a regular n-gon
in the plane. We have seen that this group is also a subgroup of the automorphism group
of the n-gon as a graph. In fact, it is the full automorphism group of the graph. Prove this!

Example 15.4.9 (The Petersen graph). Let P be the Petersen graph. The vertices of P can be identified with the pairs of elements from {1, 2, 3, 4, 5}. Two vertices {x, y} and {u, v} are adjacent if and only if their intersection {x, y} ∩ {u, v} is empty. The group Sym5 acts on the set {1, 2, 3, 4, 5}, but also on the vertex set of P. For, if g ∈ Sym5, then the map g2 defined by g2({x, y}) = {g(x), g(y)} is a permutation of the 10 vertices of P, and it preserves adjacency since disjoint pairs are mapped to disjoint pairs. See also Example 15.4.8.
This implies that the automorphism group G of P contains a subgroup, denoted by H, isomorphic to Sym5. This subgroup acts transitively on the vertex set of the graph.
The triple B consisting of the vertices {1, 2}, {1, 3}, {2, 4} is a basis for G. For, if an element of G fixes these vertices, then it also fixes the unique common neighbour {4, 5} of {1, 2} and {1, 3} and, similarly, {3, 5}, the unique common neighbour of {1, 2} and {2, 4}.
Since each further vertex of the Petersen graph is connected with a unique vertex from the pentagon with vertices {1, 2}, {1, 3}, {2, 4}, {4, 5} and {3, 5}, the element fixes all vertices of P. This argument establishes that the stabilizer in G of B is indeed trivial.
The G-orbit of B contains at least the 120 images of B under the group H. On the other hand, B consists of the edge {1, 3}, {2, 4} together with the vertex {1, 2}, which is adjacent to neither end of that edge. As the Petersen graph contains precisely 30 ordered edges, and for each such edge there are only 4 vertices nonadjacent to both vertices of the edge, the G-orbit of B contains at most 30 · 4 = 120 images of B. We can conclude that the order of G equals 120. In particular, G equals H and is isomorphic to Sym5.
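The counting argument above can be checked by machine. The following Python program is an added worked example and is not part of the original text; all function and constant names are of my choosing. It builds the Petersen graph from the 2-subsets of {1, ..., 5} exactly as above, computes the permutations of the 10 vertices induced by Sym5, and finds the full automorphism group by a backtracking search that extends a partial vertex map only while adjacency between already-placed vertices is preserved. It then confirms that the stabilizer of the base B = ({1, 2}, {1, 3}, {2, 4}) is trivial and that the 120 automorphisms found are exactly the ones induced by Sym5.

```python
from itertools import combinations, permutations

# Petersen graph as in Example 15.4.9: vertices are the 2-subsets of {1,...,5},
# two vertices are adjacent iff they are disjoint.
VERTICES = [frozenset(c) for c in combinations(range(1, 6), 2)]
INDEX = {v: i for i, v in enumerate(VERTICES)}
ADJ = {v: frozenset(u for u in VERTICES if not (u & v)) for v in VERTICES}


def adjacent(i, j):
    """Adjacency test on vertex indices."""
    return VERTICES[j] in ADJ[VERTICES[i]]


def induced_by_sym5(g):
    """Permutation of the vertex indices induced by g in Sym5.
    g is a tuple (g(1), ..., g(5)); the image of {x, y} is {g(x), g(y)}."""
    return tuple(INDEX[frozenset(g[x - 1] for x in v)] for v in VERTICES)


def is_automorphism(perm):
    """perm maps vertex index i to perm[i]; check it is a bijection preserving adjacency."""
    if sorted(perm) != list(range(len(VERTICES))):
        return False
    n = len(VERTICES)
    return all(adjacent(i, j) == adjacent(perm[i], perm[j]) for i in range(n) for j in range(n))


def sym5_subgroup():
    """The subgroup H of Aut(P) induced by Sym5, as a set of vertex permutations."""
    return {induced_by_sym5(g) for g in permutations(range(1, 6))}


def all_automorphisms():
    """Backtracking search for every automorphism of the Petersen graph: assign an image
    to vertex 0, 1, 2, ... in turn, keeping only partial maps under which every pair of
    already-placed vertices keeps its adjacency status."""
    n = len(VERTICES)
    found, image, used = [], [None] * n, [False] * n

    def extend(i):
        if i == n:
            found.append(tuple(image))
            return
        for t in range(n):
            if used[t]:
                continue
            if all(adjacent(i, j) == adjacent(t, image[j]) for j in range(i)):
                image[i], used[t] = t, True
                extend(i + 1)
                used[t] = False
        image[i] = None

    extend(0)
    return found


def base_stabilizer(auts, base):
    """Automorphisms fixing every vertex of base (a list of 2-subsets) pointwise."""
    return [p for p in auts if all(p[INDEX[b]] == INDEX[b] for b in base)]
```

With these definitions, all_automorphisms() returns 120 permutations, equal as a set to sym5_subgroup(), and base_stabilizer(all_automorphisms(), [{1, 2}, {1, 3}, {2, 4}]) contains only the identity, as the argument above predicts.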

Example 15.4.10 (The cyclic group of order n). Let C be a group of order n generated by g. By Example 15.4.5, the order of Aut(C) is the Euler indicator Φ(n) of n, the number of integers j with 1 ≤ j ≤ n and gcd(j, n) = 1. The group Aut(C) is commutative but need not be cyclic: a counterexample occurs for n = 8, where each of the four automorphisms g ↦ g^j (j = 1, 3, 5, 7) has order at most 2.
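To see the non-cyclic case concretely, here is an added Python example, not from the original text, with function names of my choosing. Following Example 15.4.5 it identifies Aut(Cn) with the exponents j prime to n, computes the order of each automorphism g ↦ g^j (composition corresponds to multiplying exponents modulo n), and decides whether Aut(Cn) is cyclic by looking for an automorphism of order Φ(n).

```python
from math import gcd


def automorphism_exponents(n):
    """Exponents j in {1, ..., n} with gcd(j, n) = 1; j stands for the automorphism g -> g^j of C_n."""
    return [j for j in range(1, n + 1) if gcd(j, n) == 1]


def automorphism_order(j, n):
    """Order of g -> g^j in Aut(C_n). Composing the map with itself gives g -> g^(j*j),
    so this is the multiplicative order of j modulo n."""
    k, acc = 1, j % n
    while acc != 1 % n:
        acc = acc * j % n
        k += 1
    return k


def aut_order(n):
    """|Aut(C_n)| = Phi(n), the Euler indicator of n."""
    return len(automorphism_exponents(n))


def aut_is_cyclic(n):
    """Aut(C_n) is cyclic iff some automorphism has order Phi(n)."""
    return any(automorphism_order(j, n) == aut_order(n) for j in automorphism_exponents(n))


def aut_order_profile(n):
    """Number of automorphisms of each order, e.g. {1: 1, 2: 3} for n = 8."""
    profile = {}
    for j in automorphism_exponents(n):
        o = automorphism_order(j, n)
        profile[o] = profile.get(o, 0) + 1
    return profile
```

For n = 8 the profile is {1: 1, 2: 3}, so no automorphism has order Φ(8) = 4 and Aut(C8) is not cyclic; for n = 7 the exponent 3 has order 6 = Φ(7) and Aut(C7) is cyclic.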

Example 15.4.11 (Symmetries of the 5-gon). When we look at the regular pentagon in the
plane, we can consider symmetries in two ways:

• as automorphisms of the Euclidean plane (rotations, reflections, etc.) that leave invariant
the pentagon;
• as a group of permutations of the graph with vertex set

{1, 2, 3, 4, 5} (15.11)
and edge set

{{1, 2} , {2, 3} , {3, 4} , {4, 5} , {1, 5}} (15.12)

Naturally the former symmetry group (subject to more restrictions) is contained in the latter.
Remarkably enough, the two groups coincide. They are both the dihedral group D5 of order
10. The elements of order 5 correspond to rotations around the origin with angle a multiple
of 72 degrees, and the elements of order 2 to reflections in an axis through the center and one
of the vertices of the pentagon.

We will have a closer look at automorphisms of fields.

Theorem 15.4.12. Let K be a subfield of L and let f ∈ K[X] be an irreducible polynomial. If x, y are two roots of f in L, then there is an isomorphism h : K(x) → K(y) with h(x) = y.

Proof. Write M = K[X]/f·K[X] and consider the maps r : M → K(x), g + f·K[X] ↦ g(x) and s : M → K(y), g + f·K[X] ↦ g(y).
These maps are well defined since x and y are roots of f.
We proceed in three steps.
Assertion. The maps r and s are surjective.

First we claim that K(x) consists of the elements g(x) with g ∈ K[X]. For if g(x) ≠ 0, then g is not divisible by f, as f has x as a root. Since f is irreducible, gcd(f, g) = 1, so there are polynomials a, b ∈ K[X] with a·f + b·g = 1. Substitution of x for X yields (g(x))^{-1} = b(x). Therefore, the inverse of g(x) is again of the form b(x) with b ∈ K[X]. Thus, the elements of the form g(x), where g ∈ K[X], form a subfield of K(x) containing K and x. As K(x) is the smallest such field, the claim follows. The same argument applies to y.
Assertion. The maps r and s are isomorphisms, so M ≅ K(x) and M ≅ K(y).

Consider the substitution map K[X] → K(x), g ↦ g(x). It is easily seen to be a morphism. By the first part of the proof, it is surjective. Its kernel is the ideal generated by f, since x is a zero of f and the latter is irreducible. The First isomorphism theorem (14.6.6) then gives that the induced map r is an isomorphism. The proof for s is similar.

Assertion. The map s ∘ r^{-1} is the required isomorphism.

By the previous part, the composition h = s ∘ r^{-1} is an isomorphism K(x) → K(y), and h(x) = s(r^{-1}(x)) = s(X + f·K[X]) = y.


Example 15.4.13 (Gaussian numbers). K = Q(i), where i = √−1. Each element of K is of the form a + b·i with a, b ∈ Q. The map c : Q(i) → Q(i), a + b·i ↦ a − b·i is an automorphism. This follows from the rules for complex conjugation. The square of this map is equal to the identity. In fact, the group of automorphisms consists of the identity and the conjugation map c. In order to see this, note that, for each automorphism s, we have s(a + b·i) = a + b·s(i), so the automorphism is fully determined by the image of i. Now i² = −1, so s(i)² = s(i²) = −1 and s(i) is a root of X² + 1, that is, s(i) = i or s(i) = −i. Both roots of X² + 1 correspond indeed to an automorphism of K, namely i corresponds to the identity and −i corresponds to c. So Aut(K) is a group of order two and hence isomorphic to C2. The possible automorphisms are apparently connected to the zeros of the polynomial X² + 1.

Example 15.4.14 (Cube roots of 2). Consider K = Q(x), where x = ∛2. Let s be an automorphism of K. If it fixes x, then it is obviously the identity. If s is not the identity, it must move x to another root of X³ − 2. Such roots do not exist in K. An intuitive way of seeing this runs as follows: the other roots are e^{2πi/3}·x and e^{4πi/3}·x, and these are non-real complex numbers, whereas K is a subfield of R. Thus, s must fix x and, since x generates K, the automorphism group of Q(x) is trivial. In particular, its order is strictly smaller than the dimension of Q(x) over Q, which is 3.

The isomorphism constructed in the proof of Theorem 15.4.12 fixes every element of the subfield K of L.
On the other hand, each isomorphism K(x) → K(y) which fixes K elementwise is determined by the image of x. Hence we can determine automorphism groups of finite fields.

Theorem 15.4.15 (Automorphisms of finite fields). Let p be a prime number and q = p^a a power of p. If K is a finite field of order q, then Aut(K) is a cyclic group of order a generated by the map K → K, x ↦ x^p.

Proof. Let z ∈ K be a primitive element of K, so that K = Z/pZ(z).
An automorphism of K is determined by the image of z.
Let f be the minimal polynomial of z over Z/pZ. Then f has degree a.
Let g be an automorphism of K. Then g(z) is a zero of f. Hence there are at most a possibilities for g(z).
On the other hand, a possibilities occur: z, z^p, z^{p²}, ..., z^{p^{a−1}}. Indeed, the map F : x ↦ x^p is an automorphism of K (it is multiplicative, and additive because (x + y)^p = x^p + y^p in characteristic p), and its powers F^i send z to z^{p^i}. These a elements are distinct, since z has multiplicative order q − 1, which does not divide p^i − 1 for 0 < i < a.
So Aut(K) is a cyclic group of order a generated by the automorphism F sending z to z^p.

Example 15.4.16 (The field of order 8). Consider K = Z/2Z[X]/(X³ + X + 1)Z/2Z[X]. The polynomial X³ + X + 1 ∈ Z/2Z[X] is irreducible, so K is a field of order 8.
Put x = X + (X³ + X + 1)Z/2Z[X], so that K = Z/2Z(x) and x³ = x + 1.
The polynomial X³ + X + 1 has 3 roots in K, viz., x, x², and x + x². Each of them leads to an automorphism. For example, the root x² corresponds to the map σ : K → K sending x to x². That is, σ(a + b·x + c·x²) = a + b·x² + c·x⁴ = a + c·x + (b + c)·x². (Verify!) The automorphism σ² satisfies σ²(x) = σ(x²) = x⁴ = x + x². Apparently, this is the automorphism sending x to the third root of X³ + X + 1.
The group of automorphisms of K has order 3, and hence is isomorphic to C3.
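The computation in this example can be carried out mechanically. The Python code below is an added example and not part of the original text; the function names are of my choosing. It represents GF(2^n) as n-bit integers reduced modulo a given irreducible polynomial (here X³ + X + 1, encoded as the bit pattern 0b1011, with x = 0b010), implements the Frobenius map σ(a) = a², checks that σ is additive, multiplicative and bijective, computes its order, and finds the roots of the modulus inside the field. The same functions work for any n and irreducible modulus, for instance the AES field with modulus X⁸ + X⁴ + X³ + X + 1 (0x11b) and n = 8, where the Frobenius map has order 8.

```python
def gf_mul(a, b, modulus, n):
    """Product in GF(2^n). Elements are n-bit ints, bit i = coefficient of x^i;
    modulus is the irreducible polynomial with bit n set. Shift-and-add with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= modulus
    return r


def frobenius(a, modulus, n):
    """The map sigma : a -> a^2; it sends x to x^2 as in Example 15.4.16."""
    return gf_mul(a, a, modulus, n)


def is_field_automorphism(f, modulus, n):
    """Bijective, additive and multiplicative on all 2^n elements."""
    elems = range(1 << n)
    if len({f(a) for a in elems}) != 1 << n:
        return False
    return all(f(a ^ b) == f(a) ^ f(b)
               and f(gf_mul(a, b, modulus, n)) == gf_mul(f(a), f(b), modulus, n)
               for a in elems for b in elems)


def map_order(f, n):
    """Smallest k >= 1 such that f composed k times is the identity on GF(2^n)."""
    k = 1
    cur = {a: f(a) for a in range(1 << n)}
    while any(cur[a] != a for a in cur):
        cur = {a: f(cur[a]) for a in cur}
        k += 1
    return k


def evaluate(poly, a, modulus, n):
    """Horner evaluation of poly (an int, bit i = coefficient of X^i) at the field element a."""
    acc = 0
    for i in range(poly.bit_length() - 1, -1, -1):
        acc = gf_mul(acc, a, modulus, n) ^ ((poly >> i) & 1)
    return acc


def roots_of_modulus(modulus, n):
    """Roots in GF(2^n) of the modulus polynomial itself; they form one Frobenius orbit."""
    return {a for a in range(1 << n) if evaluate(modulus, a, modulus, n) == 0}


# GF(8) = Z/2Z[X]/(X^3 + X + 1) as in Example 15.4.16; X is the residue class of X.
MOD8, N8, X = 0b1011, 3, 0b010
```

With MOD8 the Frobenius map sends X = 0b010 to 0b100 (x²) and then to 0b110 (x + x²), returning to x after three steps, and roots_of_modulus(MOD8, N8) is {0b010, 0b100, 0b110}. The map a ↦ a³ is also a bijection of GF(8) but fails the additivity check, so is_field_automorphism is a meaningful test, not just a bijectivity test.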

15.5 Quotient groups

We will introduce computations modulo a normal subgroup and the corresponding construction of the quotient group.
Let G be a group and let N be a normal subgroup of G. The notions of left coset (a set of the form g·N) and right coset (a set of the form N·g) of N in G coincide since normal subgroups satisfy g·N = N·g for all g ∈ G. Thus, we can just speak of cosets.

Theorem 15.5.1 (Multiplying cosets of normal subgroups). Suppose that N is a normal subgroup of G. Then, for all a, b ∈ G we have a·N·b·N = a·b·N.

Proof. Using N·b = b·N and N·N = N, we find a·N·b·N = a·(N·b)·N = a·(b·N)·N = a·b·(N·N) = a·b·N.

Example 15.5.2. Let G be the symmetric group Sym(3). The subgroup H = ⟨(1, 2, 3)⟩ = {e, (1, 2, 3), (1, 3, 2)} of order 3 is a normal subgroup. It has index 2.
More generally, whenever H is a subgroup of G of index 2, it is a normal subgroup. For then, for g ∈ G, either g ∈ H and so g·H = H = H·g, or g ∉ H, in which case g·H = G \ H = H·g.

Example 15.5.3. Let G be the group of all motions in the plane. The subgroup T of all
translations of the plane is a normal subgroup. Fix a point p of the plane. The subgroup H of
G of all elements fixing the point p is a complement of T in the sense that

• H ∩ T = {1}.
• G = H· T .

As a consequence, setwise G can be identified with the Cartesian product of H and T . But
groupwise, it is not the direct product of these two groups.

Due to Multiplying cosets of normal subgroups (15.5.1), the set G/N of cosets admits a group structure.
Definition 15.5.4 (Definition of quotient group). We call the group G/N with

• multiplication: g·N · g′·N = g·g′·N
• unit: N
• inverse: g·N ↦ g^{-1}·N

the quotient group of G with respect to N.

Remark 15.5.5. Normal subgroups play the same role for groups as ideals do for rings. The
procedure for making a quotient group is similar to the construction of a residue class ring.

Example 15.5.6. If G is a commutative group, then each subgroup H of G is a normal subgroup. Thus, the quotient group G/H always exists. Moreover, it is commutative.

Example 15.5.7. The additive group of Q is commutative. Therefore, the subgroup Z is a normal subgroup of Q. The cosets of Z in Q are the sets of the form a/b + Z, where a, b ∈ Z and b ≠ 0. For example, 1/2 + Z. Computing in the quotient Q/Z comes down to ‘computing modulo integers’. For example, (3/4 + Z) + (5/6 + Z) = 19/12 + Z = 7/12 + Z.

Computing modulo a normal subgroup behaves well, as becomes clear by the following re-
sult.

Theorem 15.5.8. Let N be a normal subgroup of the group G. The map φ : G → G/N, g ↦ g·N is a surjective homomorphism with kernel N.

Proof. Clearly, φ is surjective. Moreover, φ is a homomorphism of groups. Indeed, for all g, h ∈ G we have φ(g·h) = g·h·N = g·N·h·N = φ(g)·φ(h).
The kernel of φ consists of the elements g ∈ G satisfying φ(g) = N, that is, g·N = N. Since g·N = N is equivalent to g ∈ N, we find the kernel of φ to be equal to N.
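The following Python code is an added example, not part of the original text, that makes Definition 15.5.4 and the theorem above concrete for permutation groups; the function names and the sample groups are of my choosing. It decides whether a subgroup is normal by comparing left and right cosets, tests directly whether the coset product a·N·b·N = a·b·N is independent of the chosen representatives, builds the multiplication table of G/N, and computes the kernel of g ↦ g·N. Run on Sym(3) with N = Alt(3) it yields a quotient of order 2; run with the non-normal subgroup generated by the transposition (0 1) it shows that the coset product is then not well defined.

```python
from itertools import permutations

# Permutations of {0, ..., n-1} are tuples p with p[i] = image of i (constructed sample data).
SYM3 = list(permutations(range(3)))
ALT3 = [(0, 1, 2), (1, 2, 0), (2, 0, 1)]      # identity and the two 3-cycles
SWAP = [(0, 1, 2), (1, 0, 2)]                 # subgroup generated by the transposition (0 1)


def compose(p, q):
    """(p . q)(i) = p(q(i))."""
    return tuple(p[i] for i in q)


def left_coset(g, N):
    return frozenset(compose(g, n) for n in N)


def right_coset(g, N):
    return frozenset(compose(n, g) for n in N)


def is_normal(G, N):
    """N is normal iff g.N = N.g for every g in G."""
    return all(left_coset(g, N) == right_coset(g, N) for g in G)


def cosets(G, N):
    return {left_coset(g, N) for g in G}


def coset_product_well_defined(G, N):
    """Does a.N.b.N = a.b.N depend only on the cosets a.N and b.N, not on a and b?"""
    for a in G:
        for b in G:
            target = left_coset(compose(a, b), N)
            for a2 in left_coset(a, N):
                for b2 in left_coset(b, N):
                    if left_coset(compose(a2, b2), N) != target:
                        return False
    return True


def quotient_table(G, N):
    """Multiplication table of G/N as a dict {(aN, bN): abN}; requires N normal."""
    assert is_normal(G, N), "the quotient group needs a normal subgroup"
    table = {}
    for a in G:
        for b in G:
            table[(left_coset(a, N), left_coset(b, N))] = left_coset(compose(a, b), N)
    return table


def projection_kernel(G, N):
    """Kernel of g -> g.N, i.e. the elements g with g.N = N."""
    return frozenset(g for g in G if left_coset(g, N) == frozenset(N))
```

For SYM3 and ALT3 there are two cosets, the non-identity coset squares to N, and projection_kernel returns ALT3, as Theorem 15.5.8 states; for SWAP, coset_product_well_defined returns False.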

Example 15.5.9. Let G be the set of all 2 × 2 matrices with entries from a field F of the form $\begin{pmatrix} 1 & x \\ 0 & y \end{pmatrix}$, where x is an arbitrary element of F and y a nonzero element of F. Then G is a subgroup of GL(2, F). The subgroup N of all matrices of the form $\begin{pmatrix} 1 & x \\ 0 & 1 \end{pmatrix}$ is a normal subgroup of G. The quotient group G/N is isomorphic to the multiplicative group on F \ {0}. Observe that N is the kernel of the determinant, viewed as a homomorphism G → F \ {0}; the determinant of the first matrix is y.

In Normal subgroups and Kernels of homomorphisms (13.6.18) it was shown that the kernel of a group homomorphism is a normal subgroup. A normal subgroup is the kernel of a homomorphism (15.5.8) states the converse, namely that every normal subgroup is the kernel of a homomorphism.
Let f : G → H be a surjective group homomorphism with kernel N. According to (13.6.18), N is a normal subgroup of G.

Theorem 15.5.10 (First isomorphism theorem for groups). If G and H are groups and f : G → H is a surjective homomorphism with kernel N, then the map f′ : G/N → H defined by f′(g·N) = f(g) is an isomorphism.

Proof. The important steps in the proof are the following two.
Assertion. The map f′ is well defined.

Suppose g′ ∈ g·N. Then there is n ∈ N with g′ = g·n. Consequently, f(g′) = f(g·n) = f(g)·f(n) = f(g)·1 = f(g). Thus f′(g·N) does not depend on the choice of the representative g′ ∈ g·N.
Assertion. f′ is injective.

Suppose g ∈ G satisfies f′(g·N) = 1. Then f(g) = 1, so g ∈ N, whence g·N = N, which is the identity element of G/N. We have shown that Ker(f′) is trivial, so f′ is injective.

Example 15.5.11 (Cyclic groups). The classification of cyclic groups can be handled easily with the theorem. Because G is cyclic, there exists g ∈ G with ⟨g⟩_G = G. Consider the map f : Z → G, i ↦ g^i. It is a surjective homomorphism with kernel n·Z for some non-negative integer n. The assertion that every cyclic group is isomorphic to either Z (the case where n = 0) or Cn for some positive integer n now follows directly from the First isomorphism theorem for groups (15.5.10) applied to f.

Example 15.5.12 (Different groups with same quotient and kernel). Let G be a group and N
a normal subgroup of G distinct from 1 and from G. The groups G/N and N are both smaller
than G. A lot of information about G can be obtained from study of these two smaller groups.
However, the exact structure of G is not completely determined by G/N and N. For instance,
the groups C4 and C2 × C2 both have a normal subgroup isomorphic with C2 , and in both
cases the quotient group is isomorphic with C2 .

Example 15.5.13 (The quotient of the symmetric group by the alternating group). The group Symn/Altn is isomorphic with C2. For, the sign map sgn : Symn → {1, −1} is a surjective homomorphism of groups with kernel Altn. Here, {1, −1} is the group of invertible elements of the monoid [Z, ·, 1]. This group is isomorphic with C2.

Example 15.5.14 (The general linear group). The quotient group GL(n, R)/SL(n, R) is isomorphic to the multiplicative group R×. The subgroup SL(n, R) is the kernel of the determinant map det : GL(n, R) → R×.

15.6 Structure theorems

We introduce some common (series of) groups, some of which occur in the Classification of groups of order at most 11 (15.6.22).
Definition 15.6.1 (Dihedral and quaternion groups).
• The dihedral group of order 2·n is the group Dn generated by two elements a and b with multiplication determined by b^n = a² = 1 and a·b = b^{n−1}·a.
• The quaternion group is the group of order 8 consisting of the following invertible quaternions: Q8 = {1, −1, i, −i, j, −j, k, −k}.

Example 15.6.2. The group Dn has been introduced in Example 13.4.9 as the symmetry group of the regular n-gon in the plane. The element b is clockwise rotation over an angle of 2π/n. The element a is a reflection with mirror through a vertex. The corresponding permutation representation is described in Example 15.1.8.

Example 15.6.3 (The quaternion group as a permutation group). Left multiplication in the quaternion group gives the transitive permutation representation determined by the following assignments:

i ↦ (1, i, −1, −i)(j, k, −j, −k), j ↦ (1, j, −1, −j)(i, −k, −i, k), k ↦ (1, k, −1, −k)(i, j, −i, −j).

Replacing the elements by numbers {1, ..., 8}, a more usual description is obtained.

Example 15.6.4 (The quaternion group by means of matrices). An injective morphism Q8 → GL(2, C) is determined by i ↦ $\begin{pmatrix} i & 0 \\ 0 & -i \end{pmatrix}$, j ↦ $\begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}$. Verify that this forces k ↦ $\begin{pmatrix} 0 & i \\ i & 0 \end{pmatrix}$.

Remark 15.6.5. The groups introduced in Dihedral and quaternion groups (15.6.1) are mutually non-isomorphic. Since |Dn| = 2·n and |Q8| = 8, the only two groups which might be isomorphic to each other are D4 and Q8. But they are not: D4 has only two elements of order 4, viz., b and b³, whereas Q8 has 6 elements of order 4, namely all but 1 and −1.
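The distinction between D4 and Q8 made in this remark, and the matrix representation of Example 15.6.4, can be verified with the following added Python example, which is not from the original text; all names in it are of my choosing. It generates Q8 as the closure of the two matrices i and j under multiplication, confirms that k = i·j is the matrix stated above, generates D4 as a permutation group of the four vertices of a square, and compares the number of elements of each order in the two groups (an isomorphism invariant).

```python
def mat_mul(A, B):
    """Product of 2x2 matrices given as nested tuples of Python complex numbers."""
    return tuple(tuple(sum(A[r][k] * B[k][c] for k in range(2)) for c in range(2)) for r in range(2))


def perm_mul(p, q):
    """(p . q)(i) = p(q(i)) for permutations as tuples."""
    return tuple(p[i] for i in q)


def closure(gens, mul):
    """The finite group generated by gens: keep multiplying new elements with everything
    (in both orders) until nothing new appears. The identity and inverses arise as powers."""
    elems, frontier = set(gens), list(gens)
    while frontier:
        new = []
        for a in frontier:
            for b in list(elems):
                for c in (mul(a, b), mul(b, a)):
                    if c not in elems:
                        elems.add(c)
                        new.append(c)
        frontier = new
    return elems


def element_order(g, mul, identity):
    k, acc = 1, g
    while acc != identity:
        acc = mul(acc, g)
        k += 1
    return k


def order_profile(group, mul, identity):
    """{order: number of elements of that order}."""
    profile = {}
    for g in group:
        o = element_order(g, mul, identity)
        profile[o] = profile.get(o, 0) + 1
    return dict(sorted(profile.items()))


# Generators of Q8 inside GL(2, C), as in Example 15.6.4.
I2 = ((1 + 0j, 0j), (0j, 1 + 0j))
QI = ((1j, 0j), (0j, -1j))
QJ = ((0j, 1 + 0j), (-1 + 0j, 0j))
QK = ((0j, 1j), (1j, 0j))

# Generators of D4 acting on the vertices 0, 1, 2, 3 of a square: a rotation and a reflection.
ID4 = (0, 1, 2, 3)
ROT = (1, 2, 3, 0)
REF = (0, 3, 2, 1)


def quaternion_group():
    return closure([QI, QJ], mat_mul)


def dihedral_group_4():
    return closure([ROT, REF], perm_mul)
```

Both groups have 8 elements, but order_profile gives {1: 1, 2: 1, 4: 6} for Q8 and {1: 1, 2: 5, 4: 2} for D4, which is exactly the count used in the remark.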

We will present some powerful structure theorems about finite groups, starting with some
properties of finite commutative groups.

Lemma 15.6.6. Let G be a group.

i. If every non-identity element of G has order 2, then G is commutative.
ii. If G is a commutative group and n is a natural number, then T(G, n) = {x ∈ G | x^n = 1_G} is a subgroup of G. It is called the n-torsion of G.
iii. Each finite commutative group is isomorphic to a direct product of commutative groups of prime power order.

Proof.
Assertion. If every non-identity element of G has order 2, then G is commutative.
Suppose x, y ∈ G. Since x and y have order 1 or 2, we have x^{-1} = x and y^{-1} = y. Consequently, x^{-1}·y^{-1}·x·y = x·y·x·y = (x·y)² = e. Multiplying the extreme sides by y·x from the left, we find x·y = y·x.
Assertion. If G is a commutative group and n is a natural number, then T(G, n) = {x ∈ G | x^n = 1_G} is a normal subgroup of G.

Clearly, the identity element of G belongs to T(G, n). Suppose a, b ∈ T(G, n). Then, because G is commutative, (a·b)^n = a^n·b^n = 1_G and (a^{-1})^n = (a^n)^{-1} = 1_G^{-1} = 1_G. Thus, a·b, a^{-1} ∈ T(G, n), proving that T(G, n) is a subgroup of G.
The subgroup T(G, n) is normal in G, as the order of an element g in G is invariant under conjugation.
Assertion. Each finite commutative group is isomorphic to a direct product of finite commutative groups of prime power order.

Suppose that G is a finite commutative group of order |G| = a·b where a and b are positive integers which are mutually prime. Then T(G, a) and T(G, b) are normal subgroups of G intersecting in the identity element, since an element of both has order dividing gcd(a, b) = 1. Moreover, G = T(G, a)·T(G, b): choose integers u, v with u·a + v·b = 1; then every g ∈ G satisfies g = g^{v·b}·g^{u·a}, where g^{v·b} ∈ T(G, a) and g^{u·a} ∈ T(G, b), because g^{a·b} = 1_G by Lagrange's theorem (13.6.7). As G is commutative, (g, h) ↦ g·h is a homomorphism T(G, a) × T(G, b) → G, which is surjective by the above and injective because the two subgroups intersect trivially. So G ≅ T(G, a) × T(G, b). By Sylow's theorem (15.6.13, assertion i), which is proved below without using this lemma, a prime dividing |T(G, a)| is the order of some element of T(G, a) and hence divides a; similarly for b. Together with |T(G, a)|·|T(G, b)| = a·b this gives |T(G, a)| = a and |T(G, b)| = b. Taking for a the highest power of some prime dividing |G| and applying the same argument to T(G, b), we obtain the assertion by induction on the number of distinct prime divisors of |G|.

Example 15.6.7. The group C2ⁿ has only elements of order 2 and 1.

Example 15.6.8. There exist commutative groups of the same prime power order that are not isomorphic. Indeed, a cyclic group of order p^n, where p is prime and n is at least 2, is not isomorphic to the direct product of n copies of the cyclic group of order p.

Remark 15.6.9. Of course there are commutative groups with elements that do not have order
2. Indeed, any cyclic group is commutative.

We prove two more preliminary results for the important theorems that will appear soon.

Lemma 15.6.10. Let G be a finite group.

i. If |G| is a prime, then G is cyclic.
ii. If q is the highest power of the prime p dividing |G| and S is a normal subgroup of G of order q, then every subgroup of G whose order is a power of p is a subgroup of S.

Proof.
Assertion. If |G| is a prime, then G is cyclic.
Let p = |G| and take g ∈ G different from the identity. By Lagrange's theorem (13.6.7), the order of g divides p and is not 1, so g has order p. But then the subgroup of G generated by g has the same size as G and so coincides with G. Therefore g is a generator of G and G ≅ Cp.
Assertion. If q is the highest power of the prime p dividing |G| and S is a normal subgroup of G of order q, then every subgroup of G whose order is a power of p is a subgroup of S.

Let K be a subgroup of G whose order is a power of p. Since S is a normal subgroup of G, the product S·K is a subgroup of G. (See (13.7.41).) Clearly, S is also a normal subgroup of S·K. The map K → S·K/S, k ↦ k·S is a surjective homomorphism with kernel S ∩ K, so by First isomorphism theorem for groups (15.5.10) the quotient group S·K/S is isomorphic to K/(S ∩ K). By Lagrange's theorem (13.6.7) the order of this group is a divisor of |K| and so a power of p. Consequently, the order |S·K| = |S| · |S·K/S| is also a power of p. But this group contains S of order q, the highest power of p occurring in |G|, so we must have S·K = S, proving that K is contained in S.

Example 15.6.11. If p is a prime, all nontrivial elements of the group (C p )n have order p.

Example 15.6.12. The group D p with p a prime has order 2· p and contains reflections of
order 2 and rotations of order p.
The subgroup of the p rotations is normal in D p and contains all elements of order p.

Sylow's theorem presented below is a very powerful result, with which we can analyse the structure of finite groups. It enables us for example to obtain a Classification of finite commutative groups (15.6.20), as well as a Classification of groups of order at most 11 (15.6.22).

Theorem 15.6.13 (Sylow's theorem). Let G be a finite group, p a prime number dividing |G|, and let q be the highest power of p dividing |G|.

i. G has an element of order p.
ii. G has a subgroup of order q.
iii. If H is a subgroup of G whose order is a power of p, then H is a subgroup of a subgroup of G of order q.
iv. Any two subgroups of G of order q are conjugate.

Proof. Let G be a finite group, p a prime number dividing |G|, and let q be the highest power of p dividing |G|.
Assertion. G has an element of order p.

This is a direct consequence of the second statement. Indeed, by Lagrange's theorem (13.6.7), any nontrivial element of a subgroup of order q in G has order a (nontrivial) divisor of q, that is, a positive power of p. So an appropriate power of the element has order p.
Assertion. G has a subgroup of order q.

Recall that |G| = q·m with gcd(q, m) = 1. If m = 1, we can take G itself to be the required subgroup. Hence the result for m = 1.
We proceed by induction on |G|. Assume the truth of the assertion for all groups of order smaller than |G|. Consider the set X of all subsets of G of size q. The group G acts on X by left multiplication: the element g ∈ G carries the subset Y of G to {g·y | y ∈ Y}. Now |X| = $\binom{m \cdot q}{q}$, which, by a binomial argument, is nonzero mod p. Hence, there is an orbit of G on X of size not divisible by p. So, every element Y of this orbit in X has a stabilizer, say S, in G of order divisible by q (the orbit has size |G|/|S|). On the other hand, S cannot be all of G, as left multiplication is transitive on G, and so left multiplication by G does not leave invariant the subset Y of size q < |G|. Hence the induction hypothesis applies to S, yielding that it contains a subgroup of order q; but then so does G.
Assertion. If H is a subgroup of G whose order is a power of p, then H is a subgroup of a
subgroup of G of order q.

Consider the collection T of subgroups of G of order q. Take S a subgroup as in Part 2. Then S ∈ T, so T is non-empty. The group G acts on T by conjugation.
Restrict this action to the subgroup H and consider its orbits. By Lagrange's theorem (13.6.7), each nontrivial H-orbit has size a multiple of p. Suppose that H fixes a member M of T in its conjugation action. Then H is contained in the normalizer N in G of M. Since M is a normal subgroup of N and M is a subgroup of N of order q, the Lemma on subgroups of prime power order (15.6.10) implies that H is a subgroup of M.
Let us now take S for H in the previous argument. Then S stabilizes S in the conjugation action, and so the argument applies, giving that S is a subgroup of M. But both are of order q, so they coincide. We have found that S has only one fixed point. Since all other S-orbits have sizes a multiple of p, it follows that the size of T is 1 modulo p.
Coming back to the arbitrary subgroup H of G of order a power of p, we see that it must fix a member of T in its conjugation action because otherwise the size of T would be a multiple of p, contradicting that it is 1 modulo p. By the above, this shows that H is contained in the subgroup M of G of order q.
Assertion. Any two subgroups of G of order q are conjugate.

Take S as in Part 2. Let U be the G-orbit containing S (in the collection T of subgroups of G
of order q). Since S is the only fixed member of U, the size of U is 1 modulo p. Let M be an
arbitrary subgroup of G of order q. If M does not fix a member of U, then the size of U, being
a union of nontrivial M-orbits, is a multiple of p, a contradiction. Hence M fixes a member
of U, which, by the above argument, must coincide with M. In particular, M is in the same
G-orbit as S.

Example 15.6.14. Consider the group Sym5 . This group has order 120 = 23 · 3· 5.
The subgroup generated by the permutations (1, 2, 3, 4) and (1, 2) (3, 4) is a Sylow 2-subgroup
of order 8. It is isomorphic to a dihedral group of order 8.
All Sylow 2-subgroups of Sym5 are conjugate to this subgroup. There are exactly 15 Sylow 2-subgroups in Sym5.
Each 3-cycle generates a Sylow 3-subgroup and each 5-cycle a Sylow 5-subgroup. The num-
ber of Sylow 3-subgroups equals 10, the number of Sylow 5-subgroups is equal to 6.

A subgroup of G of order q is called a Sylow p-subgroup of G.


Notice that if S is a Sylow p-subgroup of G, then so is g· S· g−1 for any g in G. Sylow’s
theorem implies that all Sylow p-subgroups can be obtained in this way.

Corollary 15.6.16. Let G be a finite group and p a prime number dividing |G|. The
number of Sylow p-subgroups of G is a divisor of |G| and equal to 1 modulo p.

Proof. The size 1 modulo p is immediate from the arguments in Parts 3 and 4 of the proof of Sylow's theorem (15.6.13).
The fact that the number of Sylow p-subgroups of G divides the order of G follows from the Identification of orbit with cosets (15.2.18) and assertion iv of Sylow's theorem (15.6.13).

Example 15.6.17. Let G be a group of order 100. Then G is not simple. (Here simple means that it does not have any normal subgroup except for the trivial normal subgroups, being the subgroup containing only the identity element and the whole group.) This can be shown as follows.
Let S be a Sylow 5-subgroup. Then S has order 25. The number of Sylow 5-subgroups is a divisor of 100 and equal to 1 modulo 5; the only such divisor is 1. This implies that S is the only Sylow 5-subgroup of G. In particular, S is a normal subgroup of G, as every conjugate of S is again a Sylow 5-subgroup.

Example 15.6.18. The number of Sylow 2-subgroups of Sym5 is equal to 15, see Example 15.6.14, which divides 120, the order of Sym5, and is equal to 1 modulo 2.
Also the numbers of Sylow 3-subgroups and Sylow 5-subgroups, viz. 10 and 6, are divisors of 120 and are equal to 1 modulo 3 and 5, respectively. See Example 15.6.14.
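The numbers quoted in Examples 15.6.14 and 15.6.18 can be recomputed from assertion iv of Sylow's theorem: every Sylow p-subgroup is a conjugate of any given one, so counting the distinct conjugates of one known Sylow p-subgroup gives their number. The Python code below is an added example, not part of the original text, with names of my choosing. It writes permutations of {0, ..., 4} as tuples, takes the dihedral subgroup generated by (0 1 2 3) and (0 1)(2 3) and the cyclic subgroups generated by a 3-cycle and a 5-cycle, conjugates each by all 120 elements of Sym5, and checks the counts against Corollary 15.6.16.

```python
from itertools import permutations


def compose(p, q):
    """(p . q)(i) = p(q(i)); permutations of {0, ..., n-1} as tuples."""
    return tuple(p[i] for i in q)


def inverse(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)


def cyclic_subgroup(g):
    """All powers of g, including the identity."""
    identity = tuple(range(len(g)))
    elems, acc = [identity], g
    while acc != identity:
        elems.append(acc)
        acc = compose(acc, g)
    return frozenset(elems)


def conjugate(g, S):
    """g . S . g^-1."""
    return frozenset(compose(compose(g, s), inverse(g)) for s in S)


def sylow_subgroups(G, S):
    """All Sylow p-subgroups of G, given one of them S (Sylow's theorem, assertion iv)."""
    return {conjugate(g, S) for g in G}


def satisfies_sylow_count(count, group_order, p):
    """Corollary 15.6.16: the count divides |G| and is 1 modulo p."""
    return group_order % count == 0 and count % p == 1


def sym5_sylow_counts():
    """Number of Sylow p-subgroups of Sym5 for p = 2, 3, 5."""
    G = list(permutations(range(5)))
    rot = (1, 2, 3, 0, 4)                 # the 4-cycle (0 1 2 3)
    ref = (1, 0, 3, 2, 4)                 # the product (0 1)(2 3)
    rotations = cyclic_subgroup(rot)
    d4 = rotations | frozenset(compose(r, ref) for r in rotations)   # dihedral group of order 8
    seeds = {2: d4, 3: cyclic_subgroup((1, 2, 0, 3, 4)), 5: cyclic_subgroup((1, 2, 3, 4, 0))}
    counts = {}
    for p, S in seeds.items():
        assert len(S) == {2: 8, 3: 3, 5: 5}[p]
        counts[p] = len(sylow_subgroups(G, S))
    return counts
```

sym5_sylow_counts() returns {2: 15, 3: 10, 5: 6}, and each count divides 120 and is 1 modulo its prime.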

Remark 15.6.19. In a commutative group the number of Sylow p-subgroups is one for every prime divisor p of the order of the group.
The converse is not true: the dihedral group D4 of order 8 is not commutative but has exactly one Sylow 2-subgroup, viz., D4 itself.

Theorem 15.6.20 (Classification of finite commutative groups). Each finite commutative group is isomorphic to a direct product of cyclic groups of prime power order.

Proof. Let G be a commutative finite group.

Assertion. Suppose that |G| is a power of the prime p and that C is a cyclic subgroup of G of maximal order. If G is not cyclic, then there is a subgroup N of G of order p with C ∩ N = {1_G}.

Let c ∈ G be a generator of C. Write r for the order of c. By Lagrange's theorem (13.6.7) each element has order a power of p. So r is of the form p^k for some natural number k.
C is a normal subgroup of G (as G is commutative), so there is a commutative quotient group G/C.
Take d ∈ G \ C such that its image in G/C is of maximal order, say q; note that q is a positive power of p, as d ∉ C.
Now d^q belongs to C and therefore d^q = c^s for some natural number s. Since r is the largest order occurring in G, we have 1_G = d^r = (d^q)^{r/q} = (c^s)^{r/q} = c^{s·r/q}, which implies that r divides s·r/q. Therefore, q divides s. Since q is a positive power of p, this implies that p divides s.
Consider now the element x = d^{q/p}·c^{−s/p}. It satisfies x^p = d^q·c^{−s} = 1_G (G being commutative). In view of the definition of q, the element d^{q/p} does not belong to C, so neither does x; in particular x ≠ 1_G, so x has order p. Hence the subgroup N = ⟨x⟩_G has order p, and C ∩ N is a proper subgroup of N, hence trivial. So N is as required.

Assertion. Suppose that |G| is a power of the prime p and C is a cyclic subgroup of G of maximal order. Then there is a subgroup D of G such that G = C × D.

We prove the assertion by induction on |G|. If |G| = 1, there is nothing to show. If G is cyclic, take D = {1_G}.
Otherwise, let N be a subgroup as in the previous assertion. That is, it has order p and meets C only in 1_G.
In the quotient group G/N, the image C·N/N of C under the quotient morphism is isomorphic to C (as C ∩ N = {1_G}) and is again a cyclic subgroup of maximal order. But the size of G/N is strictly less than |G|, so by the induction hypothesis there is a subgroup K of G/N such that G/N = (C·N/N) × K. Let D be the full inverse image of K in G; it contains N. Then C ∩ D maps into (C·N/N) ∩ K, which is trivial by a property of the direct product. Hence C ∩ D ⊂ C ∩ N. But, by construction of N, we have C ∩ N = {1_G}. This establishes C ∩ D = {1_G}.
Furthermore, the subgroup C·D of G maps surjectively onto G/N, as its image contains both C·N/N and K, and it contains the kernel N of the quotient map, so it must coincide with G. This shows that G is indeed the direct product of C and D.

Assertion. Suppose that |G| is of prime power order. Then G is a direct product of cyclic groups.

By the previous assertion and induction on the size of G, applied to the factor D.

The theorem now follows from the combination of the fact that commutative groups are a direct product of groups of prime power order, Properties of commutative groups (15.6.6), and the last assertion.

Example 15.6.21 (Commutative groups of order 12). A commutative group G of order 12 is isomorphic to either C4 × C3 or C2 × C2 × C3. Observe that C12 is isomorphic to the first of these.

We have gathered enough knowledge to determine all groups of order at most 11. We do this
up to isomorphism: for each isomorphism class, we give one representative.

Theorem 15.6.22 (Classification of groups of order at most 11). The table below contains, up to isomorphism, all groups of order at most 11.

order   group                              number
1       {e}                                1
2       C2                                 1
3       C3                                 1
4       C4, C2²                            2
5       C5                                 1
6       C6, D3                             2
7       C7                                 1
8       C8, C4 × C2, C2³, Q8, D4           5
9       C9, C3²                            2
10      C10, D5                            2
11      C11                                1

Table 15.1: Groups of order at most 11. Here Dn denotes the dihedral group of order 2·n, as in Definition 15.6.1.

Proof.
Assertion. No two groups from the table are isomorphic.
This is easily verified by use of the following remarks:

• a commutative group is not isomorphic with a non-commutative group;
• two isomorphic groups have the same number of elements of a given order.

We now determine the isomorphism types of the groups of order 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
Assertion. If |G| is a prime, then G is cyclic.

This follows from the Lemma on subgroups of prime power order (15.6.10).
This handles the cases where the order G is equal to 2, 2, 5, 7, or 11.
Assertion. Suppose |G| = 4. If G is not cyclic, then G is isomorphic to C2 2 .

By (13.6.5) each element distinct from e has order 2. By Properties of commutative groups
(15.6.6), we find G to be commutative and to be isomorphic to a direct product of two cyclic
groups of order 2.
Assertion. Suppose |G| = 6. If G is not cyclic, then G is isomorphic to D6 .

Suppose that G is not cyclic. By Lagrange’s theorem, the elements of G have order 2 or 3.
By the Sylow’s theorem, the number of elements of order 2 equals 1 or 3. If there is only one
such element, say a then for every element b we have b· a· b−1 = a and hence b· a = a· b. But
then we find that (a· b)2 = a2 · b2 = b−1 , and (a· b)3 = a3 · b3 = a are not the identity element
and hence the element a· b is an element of order 6. This contradicts our assumptions.
Hence we can assume that there are three elements of order 2 in G. Moreover, by Sylow’s
theorem, the group acts transitively on the set of these three elements. This permutation rep-
resentation of G provides us with a homomorphism from G into Sym3 . If this representation
is an isomorphism, then G is isomorphic with Sym3 . Otherwise, the kernel is equal to hai.
But then hai is a normal subgroup of G, contradicting that a has three conjugates.
Assertion. Suppose G has order 8 and is not cyclic. Then G is isomorphic to C4 × C2, C2³, Q8, or D4.

Each element of G has order 1, 2, or 4. If G is commutative then it is a direct product of cyclic groups and hence isomorphic to C4 × C2 or C2³.
So assume that G is not commutative. This implies that G contains an element b of order 4. Choose an element a not commuting with b. Note that G = ⟨a, b⟩. As ⟨b⟩ has index 2 in G, it is a normal subgroup of G. In particular, a·b·a⁻¹ ∈ ⟨b⟩. As a does not commute with b and any conjugate of b has order 4, we find a·b·a⁻¹ = b⁻¹. Now assume that the element a can be chosen in such a way that its order is 2. Then consider the action of G by left multiplication on the 4 (left) cosets of the subgroup ⟨a⟩ of G. These cosets are ⟨a⟩, b·⟨a⟩, b²·⟨a⟩, b³·⟨a⟩. Numbering these cosets 1, 2, 3, 4, respectively, we find L(b) = (1, 2, 3, 4) and L(a) = (2, 4). Hence, the image of G in Sym4 is isomorphic to the group generated by these two permutations. This latter group is isomorphic to D4, the dihedral group of order 8. As this order equals the order of G, we find the two groups to be isomorphic.
It remains the case that there is no element of order 2 in G that does not commute with b. In particular, any element not in ⟨b⟩ has order 4. Pick an element a of order 4, not in ⟨b⟩. Then a² = b², the only element of order 2 in G. Moreover, as we already noticed above, a·b·a⁻¹ = b⁻¹. The map f : G → Q8 with f(a) = i and f(b) = j is now easily seen to be an isomorphism between G and the quaternion group Q8.
Assertion. If G has order 9 and is not cyclic, then G ≅ C3².

Each element distinct from e has order 3. Let a be such an element and consider the permutation representation L : G → Sym(G/⟨a⟩). Its kernel is contained in ⟨a⟩. On the other hand it cannot be trivial, for otherwise, the image of G under L would be a subgroup of Sym(G/⟨a⟩) of order 9, and so, by Lagrange's theorem (13.6.7), 9 would divide the order of Sym(G/⟨a⟩), which is 6. Hence, the kernel of L is ⟨a⟩. Consequently, ⟨a⟩ is a normal subgroup of G. In particular, the conjugacy class C of a is contained in {e, a, a²}. Clearly, e cannot be conjugate to a. Therefore, C has at most 2 elements. But, by Identification of orbit with cosets (15.2.18), the number of elements of C is a divisor of 9, so C consists only of the element a. So, for each element b ∈ G, we have b·a·b⁻¹ = a, that is, a·b = b·a. In other words, a lies in the center of G. As the element a was chosen arbitrarily, this implies that G is commutative and hence isomorphic with C3 × C3; see Classification of finite commutative groups (15.6.20).
Assertion. Let G be a group of order 10. If G is not cyclic, then it is isomorphic with D5.

Suppose that G has order 10 and is not cyclic. Then it contains an element a of order 5 and an element b of order 2. The group G is not commutative, for otherwise, it would be generated by a·b and hence cyclic. So, a and b do not commute. The subgroup ⟨a⟩ has index 2 in G and is a normal subgroup. In particular, b·a·b⁻¹ belongs to ⟨a⟩. This means that b·a·b⁻¹ = a^k for some k ∈ {2, 3, 4}. But then

$$a = b\cdot(b\cdot a\cdot b^{-1})\cdot b^{-1} = b\cdot a^k\cdot b^{-1} = (a^k)^k = a^{k^2} \qquad (15.13)$$

from which we deduce that k = 4, since k² ≡ 1 (mod 5) has no other solution in {2, 3, 4}.

This implies that G is indeed isomorphic to the dihedral group D5.

Example 15.6.23 (Groups of order 2·p with p prime). A group G of order 2·p, with p prime, contains an element a of order p and an involution (element of order 2) b. The subgroup ⟨a⟩ is normal in G. If the element b commutes with a, then G is cyclic and hence isomorphic to C_{2·p}. If b does not commute with a, then b·a·b⁻¹ = a^k for some k. But then

$$a = b\cdot(b\cdot a\cdot b^{-1})\cdot b^{-1} = b\cdot a^k\cdot b^{-1} = (a^k)^k = a^{k^2}.$$

But that means that k² ≡ 1 (mod p), so k ≡ ±1 (mod p); as b does not commute with a, k ≡ 1 is excluded and hence k ≡ −1 (mod p). In particular, b·a·b⁻¹ = a⁻¹ and G is isomorphic to D_p.

Example 15.6.24 (Groups of order 12). We have already met a cyclic group C12, a direct product of cyclic groups C2 × C6, the dihedral group D6, the direct product C2 × Sym3 and the alternating group Alt4. Up to isomorphism, there is one more group of order 12. Let G, the generalized quaternion group of parameter 3, be the subgroup of SL(2, C) generated by the following two matrices:

$$A = \begin{pmatrix} x & 0 \\ 0 & x^{-1} \end{pmatrix} \quad\text{and}\quad B = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}, \qquad\text{where } x = \frac{-1 + i\cdot\sqrt{3}}{2}.$$

The element A is of order 3 and the element B is of order 4. Furthermore, B·A = A²·B. Hence, every element in G can be written as A^k·B^l, where k is in {0, 1, 2} and l in {0, 1, 2, 3}. In particular, G has order 12. The group G is not commutative and contains elements of order 4. Hence, it is not isomorphic to one of the examples above. It is not very easy to prove that each group of order 12 is isomorphic to one of the examples mentioned here.
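Two of the claims above can be checked mechanically: that the permutations L(b) = (1, 2, 3, 4) and L(a) = (2, 4) from the order-8 case generate a group of order 8, and that the matrices A and B of Example 15.6.24 generate a non-commutative group of order 12 satisfying B·A = A²·B. The following Python script is an added example, not part of the book: it enumerates a group from generators by closing under multiplication, and represents x exactly as the Eisenstein unit w with w² = −1 − w (an implementation choice made here, so no floating point is involved).

```python
"""Added example (not from the book): enumerate a finite group from generators
and compare isomorphism invariants.  Checks (1) <(1,2,3,4), (2,4)> has order 8
(the D4 argument of the order-8 case) and (2) the matrices A, B of Example
15.6.24 generate a non-commutative group of order 12 with B.A = A^2.B.
x = (-1 + i*sqrt(3))/2 is stored exactly as w in Z[w], where w^2 = -1 - w."""
from collections import Counter

def generate(gens, mul, identity):
    """All finite products of the generators; for a finite group that is the group."""
    elements, frontier = {identity}, [identity]
    while frontier:
        new = []
        for g in frontier:
            for s in gens:
                h = mul(g, s)
                if h not in elements:
                    elements.add(h)
                    new.append(h)
        frontier = new
    return elements

def element_order(g, mul, identity):
    """Smallest n >= 1 with g^n = identity (g must have finite order)."""
    n, h = 1, g
    while h != identity:
        h, n = mul(h, g), n + 1
    return n

def order_profile(gens, mul, identity):
    """{order of element: number of elements with that order}; an isomorphism invariant."""
    G = generate(gens, mul, identity)
    return dict(Counter(element_order(g, mul, identity) for g in G))

# Permutations of {1, ..., n} as tuples p with p[i-1] = image of i.
def perm_from_cycles(n, *cycles):
    img = list(range(1, n + 1))
    for cyc in cycles:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            img[a - 1] = b
    return tuple(img)

def perm_mul(p, q):
    """Composition p after q: i -> p(q(i))."""
    return tuple(p[q[i] - 1] for i in range(len(p)))

def dihedral_check():
    """Order profile of <(1,2,3,4), (2,4)>: 8 elements, five of order 2, two of order 4."""
    gens = [perm_from_cycles(4, (1, 2, 3, 4)), perm_from_cycles(4, (2, 4))]
    return order_profile(gens, perm_mul, perm_from_cycles(4))

# 2x2 matrices over Z[w]; an entry (a, b) stands for a + b*w.
def eis_mul(u, v):
    (a, b), (c, d) = u, v
    return (a * c - b * d, a * d + b * c - b * d)   # uses w^2 = -1 - w

def mat_mul(m, n):
    def entry(i, j):
        p, q = eis_mul(m[i][0], n[0][j]), eis_mul(m[i][1], n[1][j])
        return (p[0] + q[0], p[1] + q[1])
    return tuple(tuple(entry(i, j) for j in range(2)) for i in range(2))

ZERO, ONE, W, W2 = (0, 0), (1, 0), (0, 1), (-1, -1)
A = ((W, ZERO), (ZERO, W2))          # diag(x, x^-1); x^-1 = x^2 = w^2
B = ((ZERO, (-1, 0)), (ONE, ZERO))   # [[0, -1], [1, 0]]
I2 = ((ONE, ZERO), (ZERO, ONE))

def order_12_check():
    """(order profile of <A, B>, whether B.A == A^2.B, whether A.B == B.A)."""
    relation = mat_mul(B, A) == mat_mul(mat_mul(A, A), B)
    commutative = mat_mul(A, B) == mat_mul(B, A)
    return order_profile([A, B], mat_mul, I2), relation, commutative
```

The order profile of ⟨A, B⟩ (one element of order 2, six of order 4, two of order 6) already separates it from C12, C2 × C6, Alt4 and the dihedral group of order 12, which is the point of the example.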

15.7 Exercises

Exercise 15.7.1. Determine in GL(2, R)

(a) a matrix A mapping the vector (1, 0)^T onto (0, 1)^T,
(b) a matrix B mapping (1, 0)^T onto (1, 1)^T, and
(c) a matrix C mapping (0, 1)^T onto (1, 1)^T.

Exercise 15.7.2. Let G be a group and suppose g is in G. In analogy with the map L_g (left multiplication by g), we define a map R'_g : G → G by R'_g(h) = h·g (for h in G).

(a) Prove that for each g in G the map R'_g is in Sym(G).
(b) Does the map from G to Sym(G), given by g ↦ R'_g, define a morphism?

Exercise 15.7.3. Let G be a group.

(a) Show that, for each g ∈ G, the map C'_g : G → G, x ↦ g⁻¹·x·g is in Sym(G).
(b) Is the map C' : G → Sym(G), g ↦ C'_g a permutation representation?
(c) Can you make a permutation representation with M : G → G, x ↦ g·x·g?
Exercise 15.7.4. Let X = {x ∈ R⁴ | x1 + x2 + x3 + x4 = 0}. Define a permutation representation of Sym4 on X by setting, for g ∈ Sym4, g(x) = (x_{g⁻¹(1)}, x_{g⁻¹(2)}, x_{g⁻¹(3)}, x_{g⁻¹(4)}).

(a) Prove that this is indeed a permutation representation.
(b) Show that each g in Sym4 acts as a linear transformation on X and even as an orthogonal transformation.
(c) Show that (1, 2) acts as a reflection and (1, 2, 3, 4) as a product of a reflection and a rotation.

Exercise 15.7.5. Describe the left regular representation L : G → Sym(H/G) in each of the following cases.

(a) G = Sym3 and H = ⟨(1, 2)⟩.
(b) G = Sym4 and H is a subgroup of order 4. (There are two different subgroups of order 4!)

Exercise 15.7.6. Suppose G is a subgroup of Sym(X) for some set X. Then being in an orbit of G defines an equivalence relation. This does not hold when G is a monoid and not a group, as will be clear from the following. Let X be the set Z and M the monoid [N, +, 0]. Define f : M → Sym(Z) by f(n) = (k ↦ k + 3·n).

(a) Show that f is a morphism of monoids.
(b) Define the relation ~ on Z by x ~ y if and only if there exists an n in N with f(n)(x) = y. Show that this relation is not symmetric.

Exercise 15.7.7. A square matrix A is called orthogonal if the product A·A^T is the identity matrix. The group O(n, R) of all orthogonal n by n matrices acts on Rⁿ by left multiplication. Show that an orbit consists of all vectors of Rⁿ with a fixed length. So there are infinitely many orbits.

Exercise 15.7.8. Matrices in GL(2, R) transform lines through the origin in R2 into lines
through the origin. Determine the stabilizer H of the x-axis. Determine also the stabilizer in
H of the y-axis. What is the kernel of the action on the lines?

Exercise 15.7.9. Consider the permutation representation of Sym3 on the left cosets of ⟨(1, 2, 3)⟩ in Sym3. What is the kernel and what is the image of this permutation representation?

Exercise 15.7.10. Let G be a group.

(a) Determine the conjugacy class of the unit element e.

(b) In this part, G = Sym4. Determine the conjugacy classes of each of the following elements: (1, 2, 3), (1, 2, 3, 4), (1, 2)·(3, 4).
(c) Show that each conjugacy class consists of a single element if G is commutative. Prove also the converse: if each conjugacy class consists of exactly one element, then G is commutative.
(d) Prove that all elements from the same conjugacy class have the same order.

Exercise 15.7.11. The center, denoted by Z(G), of a group G is the set Z(G) = {x ∈ G | x·g = g·x for all g ∈ G}.

(a) Show that Z(G) is a normal subgroup of G.
(b) Determine the center of the group Sym3.
(c) What is the center of a commutative group?
(d) Determine the conjugacy class of an element from the center.
(e) Show: if a is an element of G of order 2 and ⟨a⟩ is a normal subgroup of G, then a is an element of Z(G).
(f) Show that, for nonzero a, the scalar matrix a·I (scalar multiplication by a) is contained in the center of GL(2, R).
(g) Prove that the center of GL(2, R) consists of scalar matrices only.

Exercise 15.7.12. Let G be the group C2 ×C2 . Call its nontrivial elements a, b, c and, as usual,
let e be the unit element.

(a) Describe the left regular representation of G.

(b) Describe the action by left multiplication on the set X of subsets of G consisting of two
elements. Is the action transitive?

Exercise 15.7.13. Consider Symn and let X be the set of all subsets of {1, ..., n}. There is an obvious permutation representation f : Symn → Sym(X) defined by f(g)({a1, a2, ..., ak}) = {g(a1), g(a2), ..., g(ak)}, where {a1, a2, ..., ak} is an element of X. Determine the orbits of Symn. Do the same for Altn acting on X. (Watch out for n = 2.)
 
Exercise 15.7.14. Define a map f : Sym2 → Sym(R²) by f(g)((x1, x2)) = (x_{g⁻¹(1)}, x_{g⁻¹(2)}) for g in Sym2.

(a) Show that f is a permutation representation.
(b) What are the orbits of Sym2 on R²?
(c) Of which vectors in R² is the stabilizer equal to Sym2?
(d) What is the geometric significance of the action of (1, 2)?

Exercise 15.7.15. Report on similar questions as in Exercise 26 for the action of Sym3 on R³ via f : Sym3 → Sym(R³) with f(g)((x1, x2, x3)) = (x_{g⁻¹(1)}, x_{g⁻¹(2)}, x_{g⁻¹(3)}) for g in Sym3. Determine also the vectors for which the stabilizer is equal to ⟨(1, 2)⟩. Which permutations act as a rotation on R³ (determine the axis and angle of rotation)? Which act as reflections?

Exercise 15.7.16. Consider G = Z × Z. Define f : G → Sym(C) by f((m, n))(z) = z·i^{m+n}.

(a) Show that f is a permutation representation.
(b) Determine the kernel of f.
(c) Determine the orbits of G on C.
(d) Same questions as in the previous parts, but with i replaced by e^{2·π·i/5}.

Exercise 15.7.17. Let V = {x = (x1, ..., x6) ∈ (Z/2Z)⁶ | x1 + x2 + ... + x6 = 0}. Define a permutation representation f : Sym6 → Sym(V) by g(x) = (x_{g⁻¹(1)}, x_{g⁻¹(2)}, ..., x_{g⁻¹(6)}).

(a) Show that this is indeed a permutation representation.
(b) Show that the stabilizer of (1, 1, 0, 0, 0, 0) is isomorphic to Sym2 × Sym4.
(c) Determine the orbit of (1, 1, 0, 0, 0, 0).
(d) Generalise to the case where the group Symn, with n even, acts on the set {x ∈ (Z/2Z)ⁿ | x1 + x2 + ... + xn = 0}. Deduce from this, by studying the orbits, that

$$2^{n-1} = 1 + \frac{n!}{2!\cdot(n-2)!} + \frac{n!}{4!\cdot(n-4)!} + \cdots + \frac{n!}{(n-2)!\cdot 2!} + 1.$$

Exercise 15.7.18. Let S¹ = {z ∈ C | |z| = 1}, the circle of radius 1 around 0 in C.

(a) Define a map f : Z → Sym(S¹) by f(n)(z) = iⁿ·z (in short, n·z = iⁿ·z). Show that f is a permutation representation and determine its kernel.
(b) Show that the vertices on S¹ of a square form an invariant set.
(c) Describe the action of the subgroup 2·Z of Z on S¹. What are the invariant subsets of S¹ under the action of 2·Z?

Exercise 15.7.19. Let G = GL(3, R) and let X be the set of all pairs {u, v} such that u and v are independent vectors in R³.

(a) Show that, for each A ∈ GL(3, R), the map X → X, {u, v} ↦ {A(u), A(v)} is a bijection.
(b) Define a permutation representation of G on X as suggested by the previous part. Is it injective? Is it transitive?
(c) Same questions as before for X consisting of triples of independent vectors in R³.


Exercise 15.7.20. Suppose G is a group. Let g be an element of G. The centralizer C_G(g) of g is the set of elements in G commuting with g, that is, d ∈ C_G(g) if and only if d ∈ G and d·g = g·d.

(a) Show that C_G(g) is a subgroup of G containing ⟨g⟩.
(b) What is the centraliser of g if G is commutative?
(c) When do we have |C_G(g)| = 1?
(d) Compute the centraliser of (1, 2) in Sym4.
(e) Prove that the number of elements in the conjugacy class of g is equal to |G| / |C_G(g)|. Conclude that this number is a divisor of |G|.

Exercise 15.7.21. Determine a basis for the automorphism group of the square. Determine
the order of the automorphism group of a square. Describe also the action of this group on
the two diagonals of the square.

Exercise 15.7.22. Prove that ⟨(1, 2), (1, 2, 3, 4)⟩ = ⟨(2, 3), (1, 2, 3, 4)⟩ = Sym4. What is the order of the subgroup H = ⟨(2, 4), (1, 2, 3, 4)⟩ of Sym4? Provide an isomorphism from the group H to the group D4 of automorphisms of the square.

Exercise 15.7.23. Show that a group of order n cannot act transitively on a set with more than
n elements.

Exercise 15.7.24. Consider a transitive permutation group G on a set X. Show that, for each x and y from X, the stabilizers G_x and G_y are conjugate, that is, there is g ∈ G with g·G_x·g⁻¹ = G_y.

Exercise 15.7.25. Let G be a permutation group on the set X. The group G is called t-transitive, where t in N, if it is transitive on the ordered t-tuples from X.

(a) Prove that G is t-transitive if and only if the stabilizer of each s-tuple of elements from X (where s < t) is transitive on the remaining elements of X.
(b) Show that Symn is n-transitive and that Altn is (n − 2)-transitive on {1, ..., n}.

Exercise 15.7.26. Suppose that G is a 2-transitive permutation group on {1, ..., n} with n > 1.

(a) Show that G = Symn if G contains a transposition.
(b) Show that G = Altn or G = Symn if G contains a 3-cycle.

Exercise 15.7.27. Let n > 2. The group G = GL(n, R) can be viewed as a permutation group on the set X of 1-dimensional subspaces of Rⁿ. If g ∈ G and x ∈ X, then g(x) = {g(v) | v ∈ x}.

(a) What is the kernel of this permutation representation?
(b) Show that if n = 2, the group G acts 3-transitively on X.
(c) For n > 2, the group G is 2-transitive but not 3-transitive. Prove this.

Exercise 15.7.28. Label the vertices as in the following figure and consider the game in which
you are allowed to rotate each of the 4 small triangles. Prove that these moves generate the
subgroup Sym6 of Sym6 .

Exercise 15.7.29. Label the vertices of a 2 by 2 by 2 cube with the integers 1, 2, 3, 4, 5, 6, 7, 8 as shown in the figure. Consider the following game: each single move consists of turning a face of the cube over 90 degrees (clockwise or counter clockwise). How many different positions can be obtained by applying such moves?

Exercise 15.7.30. Show that the group Dn of symmetries of a regular n-gon contains n rota-
tions and n reflections. Determine a basis for Dn . What is the order of Dn ?

Exercise 15.7.31. Let G be the automorphism group of the tetrahedron. Determine a basis
for G and use it to find the order of G. Same question for the cube. Describe also the action
of the automorphisms on the 4 diagonals of the cube.

Exercise 15.7.32. Let a be the positive real fourth root of 2, so that a is a root of X⁴ − 2. Determine all automorphisms of Q(a).

Exercise 15.7.33. Consider the quotient group Q/Z.

(a) Show that each element of the group has finite order.
(b) Establish that the group itself has infinite order.
(c) What is the order of the element 28/16 + Z?
(d) What is the order of an arbitrary element a/b + Z?

Exercise 15.7.34. The quotient group Sym4/K, where K = ⟨(1, 2)(3, 4), (1, 3)(2, 4)⟩ is Klein's Vierergroup, is isomorphic with a group of order 6. Which one? Sym3 or C6?

Exercise 15.7.35. Let C× be the multiplicative group of the complex numbers distinct from 0.

(a) Show that H = {x ∈ C | |x| = 1} is a subgroup of C×.
(b) Show that the map f : R → H, t ↦ exp(2·π·i·t) is a surjective morphism.
(c) Prove that R/Z is isomorphic to H.

Exercise 15.7.36. Consider the automorphism group G of a regular octahedron.

(a) Show that the automorphism group acts transitively on the set of vertices.
(b) Show that the stabilizer of each vertex has order 8. What is the connection with the automorphisms of a square? What is the order of G?
(c) Describe the action of G on the three diagonals of the octahedron. Is the morphism G → Sym(D), where D is the set of diagonals, surjective?
(d) Is the action of G on the centers of gravity of the 8 faces of the octahedron an injective permutation representation? Do you spot a connection with the cube?
(e) Does G act transitively on the set of all unordered pairs of vertices?

Exercise 15.7.37. In this exercise we determine the automorphisms of the field Q(a), where a = i + √2.

(a) Show that a² − 2·i·a = 3. Deduce from this that i ∈ Q(a).
(b) Prove that √2 also belongs to Q(a).
(c) Conclude that Q(a) = Q(i, √2).
(d) Determine a polynomial f ∈ Q[X] of degree 4 having a as a root.
(e) What are the zeros of f in C?
(f) Determine all automorphisms of Q(a); describe such an automorphism by its image on a.
(g) Construct the multiplication table of this group. Is it a cyclic group? Indicate the images of i and √2 under each automorphism.
Exercise 15.7.38. Let z = e^{2·π·i/5}.

(a) Show that z is a root of the polynomial X⁵ − 1 in Q[X]. What are the roots of this polynomial in C?
(b) Determine a polynomial f ∈ Q[X] of degree 4 having root z.
(c) Determine the automorphism group of Q(z) and show that this group is cyclic.

Exercise 15.7.39. Prove the following equivalence for a subgroup N of G : g· N = N· g for all
g in G iff g−1 · n· g in N for all g in G and n in N.

Exercise 15.7.40. Let f : G → H be a morphism of groups. Show, by means of an example, that the image f(G) need not be a normal subgroup of H.

Exercise 15.7.41. The subgroup K = ⟨(1, 2)(3, 4), (1, 3)(2, 4)⟩ of Sym4 is called Klein's Vierergroup.

(a) Establish that K has order 4 and is a normal subgroup of Sym4 as well as Alt4.
(b) Verify that K is isomorphic to C2 × C2.
(c) Give a non-normal subgroup of Sym3 that is also isomorphic to C2 × C2.

Exercise 15.7.42. Let H be a subgroup of the group G.

(a) Show that each normal subgroup N of G contained in H is also contained in the kernel of the morphism L : G → Sym(G/H).
(b) Show that H is a normal subgroup if G has order 9.

Exercise 15.7.43. In which of the following cases is the group N a normal subgroup of the group G?

(a) G = Sym4 and N = ⟨(2, 3)⟩.
(b) G = Sym4 and N = ⟨(1, 2, 3, 4)⟩.
(c) N is the subgroup of all rotations in the automorphism group G of a regular 5-gon.

Exercise 15.7.44. Determine all normal subgroups of Sym3 .

Exercise 15.7.45. Put G = GL(2, R).

(a) Show that the diagonal matrices D form a subgroup which is not a normal subgroup of
G.

(b) Prove that the diagonal matrices of the form a· I with nonzero a do form a normal
subgroup of G.
(c) Is the set of upper triangular matrices a normal subgroup of G ?

Exercise 15.7.46. Let G be a group.

(a) Prove: if N and M are normal subgroups of G, then so is N· M.


(b) Prove: if N is a normal subgroup of G and H a subgroup of G, then N· H is a normal
subgroup of H.
(c) Show, by means of the groups G = Sym4 , H = Alt4 , and a suitable subgroup H of G,
that N· H need not be a normal subgroup of N.
(d) Show, by means of an example, that the following assertion does not hold in general:
If N is a normal subgroup of H and H a normal subgroup of G, then N is a normal
subgroup of G.
(e) Show: If H is a subgroup of G and g ∈ G, then g−1 · H· g is also a subgroup of G.

(f) If, moreover, H is the only subgroup of G of order n, then H is a normal subgroup of
G.

Exercise 15.7.47. Let G be a finite group, generated by the set B and suppose H is a subgroup
of G generated by A. Show that H is a normal subgroup of G if and only if b−1 · a· b in H for
all b ∈ B and all a ∈ A.

Exercise 15.7.48. Suppose f : G → H is a morphism of groups.

(a) Prove: if N is a normal subgroup of H, then f⁻¹(N) is a normal subgroup of G.
(b) If f is surjective and N is normal in G, then f(N) is normal in H. Show, by means of an example, that the surjectivity condition cannot be removed.

Exercise 15.7.49. If G is a group and H a subgroup of G of index 2, then H is normal in G. Prove this in each of the following two ways:

(a) By comparing left cosets and right cosets of H in G,
(b) By use of the left regular representation G → Sym(H/G).

Establish also that, for each g, h ∈ G, the intersection {g, h, g·h} ∩ H is not empty.

Exercise 15.7.50. Let G be a group and X a subset of G. The normaliser N_G(X) of X in G is the set of elements g of G with g·X·g⁻¹ = X. Notice that N_G(X) is a subgroup of G. Show that ⟨X⟩ is a normal subgroup of N_G(X).

Exercise 15.7.51. Determine all normal subgroups of Sym4 .

Exercise 15.7.52. Prove in each of the following cases that N is a normal subgroup of G, and that H is isomorphic to G/N.

(a) G = C×, N = {z ∈ C | |z| = 1}, and H = {z ∈ R | z > 0}, with the operation multiplication.
(b) G = R×, N = {−1, 1}, and H = {z ∈ R | z > 0}, with the operation multiplication.
(c) G = C×, N = {z ∈ C | |z| = 1} and H = {z ∈ R | z > 0}.
(d) G = Z × Z, N = m·Z × n·Z, and H = Cm × Cn.
(e) G = Q8, the quaternion group, N = {1, −1}, and H = C2 × C2.
(f) G is the set of all invertible 2 × 2 matrices with entries from Z/7Z; N is the subgroup of those matrices having determinant in {1, −1}, and H = C3.

Exercise 15.7.53. Let C× be the multiplicative group of the complex numbers distinct from 0.

(a) Show that H = {x ∈ C | |x| = 1} is a subgroup of C×.
(b) Show that the map f : R → H, t ↦ exp(2·π·i·t) is a surjective morphism.
(c) Prove that R/Z is isomorphic to H.

Exercise 15.7.54. Use the table of groups of order at most 10 as given in Section 8.6 when answering the following questions.

(a) Which groups from the table are commutative?


(b) Let G be a group of order 8 generated by two elements a and b of order 2 with (a· b)4 =
e. With which group of order 8 from the table is G isomorphic?
(c) Which groups of order 8 are (isomorphic to) subgroups of Sym4 ?

Exercise 15.7.55. Determine all groups of order 15 up to isomorphism.

Exercise 15.7.56. Let G be a group of order 2·p where p is an odd prime number.

(a) Show that G contains a normal subgroup H of order p.
(b) Prove that G contains an element, g say, of order 2.
(c) If h ∈ H is not 1, and g·h = h·g, then g·h is an element of order 2·p. Give a proof of this assertion and conclude that in this case G is cyclic and hence isomorphic to C_{2·p}.
(d) Let h ∈ H. Prove: If g·h ≠ h·g, then g·h' ≠ h'·g for all h' ∈ H with h' ≠ 1_G.
(e) Show that for all h ∈ H, the element g·h·g belongs to H; derive from this that g·h·g·h = h·g·h·g.
(f) Let f = g·h·g·h. Prove that g·f = f·g.
(g) Verify that, for all h ∈ H: If g·h ≠ h·g, then g·h·g = h⁻¹.
(h) Show that G is isomorphic to D_{2·p}, the automorphism group of a regular p-gon, if G is not cyclic.
