Galois Inverse


INVERSE GALOIS THEORY

MASTER'S THESIS

by

Jennifer ANDREOTTI

Supervisors:

Prof. Eva BAYER-FLUCKIGER and Dr. Lara THOMAS

Spring semester 2009

Contents

1 Preliminary Results
    1.1 Field extensions
    1.2 Algebraic extensions
    1.3 Splitting field of a polynomial
    1.4 Normality and Separability
    1.5 Perfect Field
    1.6 Galois extension

2 Abelian Groups
    2.1 Cyclotomic fields
    2.2 Abelian Groups as Galois Groups

3 Symmetric group $S_n$
    3.1 Useful tools
        3.1.1 Ring of integers
        3.1.2 Ramification in number fields
        3.1.3 Trace, Norm and Characteristic polynomial
        3.1.4 Norm of an ideal
        3.1.5 Integral Closure
        3.1.6 Ramification theory for Galois extensions over Q
    3.2 The group $S_n$ as a Galois group

4 The semidirect product $Z/pZ \times_\varphi Z/(p-1)Z$
    4.1 Semidirect products of groups
        4.1.1 Description of the group $Z/pZ \times_\varphi Z/(p-1)Z$
        4.1.2 Short exact sequences of groups
        4.1.3 Group extensions
    4.2 Realization of the group $Z/pZ \times_\varphi Z/(p-1)Z$ as a Galois group

5 Groups of order 8
    5.1 Classification of all groups of order 8
    5.2 Galois extensions of order 8
        5.2.1 The group Z/8Z
        5.2.2 The group Z/4Z × Z/2Z
        5.2.3 The group Z/2Z × Z/2Z × Z/2Z
        5.2.4 The dihedral group $D_4$
        5.2.5 The quaternion group $H_8$

6 The Alternating group $A_n$
    6.1 The groups $A_4$ and $A_3$
    6.2 The group $A_5$
    6.3 The general group $A_n$

7 Elliptic curves and the group $GL_2(F_p)$
    7.1 Elliptic curves
        7.1.1 The projective space $P^n(K)$
        7.1.2 Homogeneous polynomials, projective curves and elliptic curves
        7.1.3 The Weierstrass equation of an elliptic curve
        7.1.4 Singular points
        7.1.5 Points at infinity
        7.1.6 Points of intersection between an elliptic curve and a straight line
        7.1.7 The group structure of an elliptic curve
        7.1.8 The group of rational points of an elliptic curve
    7.2 Construction of $GL_2(Z/pZ)$ as a Galois group
        7.2.1 Automorphisms of the points of an elliptic curve
        7.2.2 Points of order dividing n
        7.2.3 The Galois extensions Q(E[n])/Q
        7.2.4 Division polynomials
        7.2.5 Some Galois representation theory
        7.2.6 Construction of $GL_2(Z/3Z)$ as a Galois group
    7.3 Elliptic curves with complex multiplication
        7.3.1 Complex multiplication
        7.3.2 Properties of the complex multiplication on E
        7.3.3 The Galois extension Q(i)(E[n])/Q
        7.3.4 The structure of the group Gal(Q(E[3])/Q)

8 Survey on Known Results and Open Problems
    8.1 Hilbert's Irreducibility Theorem
    8.2 Nilpotent and solvable groups
    8.3 Computing Galois groups
        8.3.1 The resolvent method
        8.3.2 Kronecker Analysis and Dedekind's Theorem
        8.3.3 Explicit polynomials with a given Galois group

A Code PARI/GP and SAGE
    A.1 Code PARI/GP
    A.2 Code SAGE

B The Weierstrass function
    B.1 The isomorphism $C/\Lambda \cong E_\Lambda$

Introduction

Galois theory is the interplay between polynomials, fields and groups. In particular, if we focus on polynomials over the rational numbers, any separable polynomial can be associated with its splitting field K. Then the Fundamental Theorem of Galois Theory, published in the 1840's after Galois' death, states a precise correspondence between the field extension K/Q and the Galois group formed by the field automorphisms which permute the roots of the polynomial.

The first important result achieved by Galois was to prove that in general a polynomial of degree 5 or higher is not solvable by radicals. Precisely, he stated that a polynomial is solvable by radicals if and only if its Galois group is solvable.

According to the Fundamental Theorem of Galois Theory, there is a correspondence between a polynomial and its Galois group, but this correspondence is in general very complicated. Even using today's powerful computer algebra systems, modern mathematicians can compute the Galois group of a general separable polynomial only up to degree about 15. Identifying the Galois group with the permutation group of the roots of the polynomial, this means that the full correspondence between equations of degree n and subgroups of $S_n$ can be worked out completely only for small integers n.

The inverse Galois problem deals with this complexity. In particular, since it is difficult to consider the case of a general separable polynomial of degree n, for any integer n, the inverse Galois theory treats the converse question: is it possible to realize any subgroup of $S_n$ as a Galois group? Usually, we restrict to the case of transitive subgroups of $S_n$, which correspond to the case of irreducible separable polynomials of degree n.

The aim of this report is not only to prove some of the results known on this subject, but also to present different methods to realize a given group as a Galois group. Indeed, in every chapter we realize a given group as a Galois group using a different argument. Clearly this report is not exhaustive on the subject of inverse Galois theory, but it presents a nice variety of possible methods used in this subject.

In Chapter 1 a short review of Galois theory is given. In Chapter 2 we prove that any abelian group can be realized as a Galois group. Then, Chapter 3 is concerned with the realization of the symmetric group $S_n$ as a Galois group, for any integer n. Further, Chapter 4 deals with the case of the semidirect product $Z/pZ \times_\varphi Z/(p-1)Z$ and in Chapter 5 all groups of order 8 are classified and realized as Galois groups. In Chapter 6 we present some results related to the case of the alternating group $A_n$, for integers n ≥ 3, and in Chapter 7 we develop some theory concerning elliptic curves and we use it to realize the group $GL_2(Z/pZ)$, for a prime number p, as a Galois group. Finally, in Chapter 8 we end with a short survey of the principal results known today on the inverse Galois problem and we present a short list of questions that still remain open on this subject.


Chapter 1

Preliminary Results

In what follows we give the main definitions and statements of Galois theory, which will be used in this report. All these results are proved and explained in [1], which generally refers to [22] and [26].

1.1 Field extensions

Definition 1.1.1 (Field extensions). Let K and L be two fields. If K ⊆ L, we say that L is an extension of K and we write L/K. Then, L is a K-vector space.

Definition 1.1.2 (Degree of an extension). Let L/K be a field extension.

- The degree [L : K] of the field extension L/K is defined as the dimension of L as a K-vector space.

- A field extension L/K is finite if its degree is finite.

Definition 1.1.3 (Simple extension). Let L/K be an extension of fields.

- Let α ∈ L be some element. We say that L is generated by α over K, and we write L = K(α), if L is the smallest subfield of L containing K and α.

- The field extension L/K is called simple if L = K(α), for some element α ∈ L.

Proposition 1.1.4. Let K be a finite field or a field of characteristic 0 and L a finite extension of K. Then there exists an element x ∈ L such that L = K(x). Such an element x is called a primitive element of L/K.


1.2 Algebraic extensions

Definition 1.2.1 (Algebraic element). An element α of L is said to be algebraic over K if there is a nonzero polynomial p(t) ∈ K[t] such that p(α) = 0.
In particular, for any algebraic element α there exists a polynomial $m_\alpha(t) \in K[t]$ with the following properties:

- $m_\alpha(t)$ is a monic polynomial;

- $m_\alpha(\alpha) = 0$;

- the degree of $m_\alpha(t)$ is minimal; i.e. if p(t) ∈ K[t] is such that p(α) = 0, then $\deg(p) \geq \deg(m_\alpha)$. In particular, we have $m_\alpha(t) \mid p(t)$.

Definition 1.2.2 (Algebraic extension). A field extension L/K is said to be algebraic if all elements of L are algebraic over K.

In particular, for any field K there exists an algebraic extension in which every polynomial of K[t] can be completely decomposed into linear factors.

Definition 1.2.3 (Algebraic closure of a field). Let K be a field. The extension field L of K is an algebraic closure of K if L is algebraically closed, i.e. if any polynomial in K[t] of degree at least one has at least one root in L.

We will admit the following important result.

Proposition 1.2.4. Every field K has an algebraic closure.

Denote by $\overline{K}$ an algebraic closure of the field K. From now on we consider only finite algebraic extensions L/K. Hence, every extension field L is a subfield of $\overline{K}$.

Proposition 1.2.5. Let K(α)/K be a simple algebraic extension and let m ∈ K[t] be the minimal polynomial of α over K. Then K(α) is isomorphic to K[t]/〈m〉 and the degree of the extension K(α)/K is deg(m(t)).

1.3 Splitting field of a polynomial

Definition 1.3.1 (Splitting field). Let K be a field and p(t) ∈ K[t] a non constant polynomial. Consider a field extension L/K such that p(t) splits in L[t] into linear factors of the form $(t - x_i)$, with $x_i \in L$. Then we say that p(t) splits in L.
We say that L is the splitting field of p(t) if p splits in L[t] and does not split over any proper subfield K′ of L.


Proposition 1.3.2. Let p(t) ∈ K[t] be a non constant polynomial. Then p(t) has a unique splitting field (up to isomorphism).

1.4 Normality and Separability

Next we give two properties which characterize Galois field extensions, as well as some criteria to detect these properties.

Definition 1.4.1 (Normality). Let L/K be an algebraic field extension. If any irreducible polynomial f(t) ∈ K[t] that has at least one root in L splits in L[t], then the extension L/K is said to be normal.

Theorem 1.4.2. The field extension L/K is finite and normal if and only if L is the splitting field of some polynomial f(t) ∈ K[t].

Definition 1.4.3 (Separability). (i) A polynomial p(t) ∈ K[t] is said to be separable if it splits into distinct linear factors in its splitting field.

(ii) Let L be an algebraic extension of K. Then α ∈ L is a separable element over K if the minimal polynomial $m_\alpha(t)$ of α over K is separable.

(iii) Let L be an algebraic extension of K. Then L is separable if every α ∈ L is a separable element over K.

Theorem 1.4.4. The field extension L/K is a finite separable extension if and only if L is obtained from K by adjoining root(s) of a separable polynomial f(t) ∈ K[t].

1.5 Perfect Field

In many cases we prove a more general property of the field K instead of proving separability of a field extension L/K.

Definition 1.5.1 (Perfect field). Let K be a field. We say that K is a perfect field if any algebraic extension of K is separable.

Theorem 1.5.2. Let K be a field. K is a perfect field if and only if char(K) = 0 or char(K) = p and $K = K^p$, where p is a prime number.


1.6 Galois extension

Definition 1.6.1 (Galois group). Let L be an algebraic extension of K. The Galois group Gal(L/K) is the group of all automorphisms of L that restrict to the identity on K. These automorphisms are called K-automorphisms of L.

Definition 1.6.2 (Fixed field). Let G be a subgroup of the automorphism group of L. Then the fixed field of G is

$$L^G := \mathrm{Fix}(G) := \{k \in L \mid \sigma(k) = k, \ \forall \sigma \in G\}.$$

In particular, if G = Gal(L/K) then $L^G$ is a subfield of L containing K.

Definition 1.6.3 (Galois extension). Let L be an algebraic extension of K. Then L is called a Galois extension of K if Fix(Gal(L/K)) = K.

Next we give an important result about the degree of a Galois extension.

Theorem 1.6.4. Let $\Sigma = \{\sigma_i \mid i = 1, \ldots, n\}$ be a group of mutually distinct automorphisms of a field L and let K = Fix(Σ). Then [L : K] = n.

Finally we present two major results of the semester project [1], which give some relations between a polynomial (in particular its roots), the field extension defined by these roots and the associated Galois group.

Theorem 1.6.5. Let L be a finite extension of K. The following are equivalent:

(i) L is a Galois extension of K;

(ii) L is a normal and separable extension of K;

(iii) L is the splitting field of a separable polynomial f(t) ∈ K[t].

Theorem 1.6.6. Let L be a finite Galois extension of K and let G = Gal(L/K).

(i) There is a one-to-one correspondence between intermediate fields K ⊆ M ⊆ L and subgroups $\{1\} \subseteq G_M \subseteq G$ given by

$$M = \mathrm{Fix}(G_M).$$

(ii) An intermediate field K ⊆ M ⊆ L is a normal extension of K if and only if $G_M$ is a normal subgroup of G. This is the case if and only if M is a Galois extension of K. In particular in this case we have an isomorphism of groups:

$$\mathrm{Gal}(M/K) \cong G/G_M.$$

(iii) For each subfield K ⊆ M ⊆ L, $[M : K] = [G : G_M]$ and $[L : M] = |G_M|$.


Chapter 2

Abelian Groups

The aim of this chapter is to show that every abelian group G can be realized as the Galois group of a Galois field extension K/Q. To prove this result we should first study the field Q(ε), where ε is a primitive n-th root of unity for a fixed positive integer n. Therefore in the first part of this chapter we present properties of cyclotomic fields.
We fix an algebraic closure $\overline{Q}$ of Q. Every algebraic extension K/Q that we will consider is a subfield of $\overline{Q}$.

2.1 Cyclotomic fields

Fix a positive integer n > 0. Denote by ε a primitive n-th root of unity in $\overline{Q}$, i.e. $\varepsilon^n = 1$ and $\varepsilon^m \neq 1$ for all 0 < m < n. The objective of this section is to prove that Q(ε)/Q is a Galois field extension. This extension will be used later on to realize any abelian group G as a Galois group.
Before considering the field Q(ε) we must prove that such an ε exists for any positive integer n.

Proposition 2.1.1. Let K be a field of characteristic 0 or p > 0, with p not dividing n. Denote by C the splitting field of the polynomial $t^n - 1 \in K[t]$ in some algebraic closure of K. Then we have the two following properties:

(i) There exists a primitive n-th root of unity in C.

(ii) If ε ∈ C is some primitive n-th root of unity, then C = K(ε).

Proof. (i) The polynomial $f(t) = t^n - 1$ has only simple roots. Indeed, any multiple root z of f(t) would also be a root of $f'(t) = n t^{n-1}$ (see [1], Section 3.1). As n ≠ 0 in K, the only root of f′(t) is 0, which is not a root of f(t). Therefore C contains n distinct n-th roots of unity.


Let $a, b \in C^*$ be two of these roots. Then $(ab)^n = a^n b^n = 1$, so ab is also a root of unity. Also $a^{-1} = a^{n-1}$ satisfies $(a^{n-1})^n = (a^n)^{n-1} = 1$. This proves that the set G of n-th roots of unity forms a finite subgroup of $C^*$. Hence G is a cyclic group. Indeed, denote by d the exponent of the group, i.e. d is the minimal positive integer such that for all g ∈ G we have $g^d = 1$. Clearly d divides n = |G|, because the order of every element divides |G|. Suppose d < n. Then every g ∈ G is a d-th root of unity and this is impossible, because there are only d distinct d-th roots of unity. Therefore d = n and, by a result of group theory, as G is abelian there is an element ε ∈ G of order d = n. This element ε is a primitive n-th root of unity.

(ii) Let ε be a primitive n-th root of unity. Then for any positive integer m < n, we have $\varepsilon^m \neq 1$ and moreover $(\varepsilon^m)^n = (\varepsilon^n)^m = 1$. Therefore the powers of ε are distinct and are n-th roots of unity. This proves that K(ε) contains all the n roots of unity. Moreover, K(ε) is the smallest field containing ε and the splitting field C must contain ε. Hence we have C = K(ε).

Later on, we will focus on extensions of the rational field Q, but we will prove that the splitting field of the polynomial $t^n - 1$ is a Galois extension over more general base fields.

Proposition 2.1.2. Let K be a field of characteristic 0 or p > 0, with p not dividing n, and fix an algebraic closure $\overline{K}$ of K. Denote by ε a primitive n-th root of unity and consider the polynomial $f(t) = t^n - 1$. Then K(ε)/K is a Galois extension.
Moreover for any σ ∈ Gal(K(ε)/K), there exists an element $i \in (Z/nZ)^*$ such that $\sigma(\varepsilon) = \varepsilon^i$ and we have the following injective group homomorphism

$$\tau : \mathrm{Gal}(K(\varepsilon)/K) \to (Z/nZ)^*, \qquad \sigma \mapsto [i],$$

where i is such that $\sigma(\varepsilon) = \varepsilon^i$.

Proof. By the previous proposition we know that f(t) is separable. Therefore its splitting field K(ε) is a Galois extension of K (see Theorem 1.6.5).
Moreover, the n roots of f(t) are given by $\varepsilon^i$, for i = 0, . . . , n−1. In particular, the primitive roots are the $\varepsilon^i$ such that i is prime to n. Indeed, if gcd(i, n) = 1 and $(\varepsilon^i)^r = \varepsilon^{ri} = 1$, then n divides ri. But gcd(i, n) = 1 implies that n must divide r. On the other hand, if gcd(i, n) = d ≠ 1, we have n = kd and i = ld, with k, l, d, i < n. Then $(\varepsilon^i)^k = (\varepsilon^n)^l = 1$ and $\varepsilon^i$ is not primitive.
By the properties of field homomorphisms every element σ ∈ Gal(K(ε)/K) must satisfy the properties

$$\sigma(1) = 1 \quad \text{and} \quad \sigma(\varepsilon)^r = \sigma(\varepsilon^r).$$

As σ is injective, these two properties prove that $\sigma(\varepsilon)^r \neq 1$ for all r < n and $\sigma(\varepsilon)^n = 1$. Hence every σ ∈ Gal(K(ε)/K) maps ε to another primitive n-th root of unity. The two arguments give a characterization of the elements of the Galois group: σ ∈ G is such that $\sigma(\varepsilon) = \varepsilon^i$, with gcd(i, n) = 1 and $\sigma|_K = \mathrm{Id}$.

The elements i relatively prime to n form the multiplicative group $(Z/nZ)^*$ and with the properties described it is easy to prove that τ is a group homomorphism.
Moreover, τ is injective. In fact, $\tau(\sigma) = [1] \Leftrightarrow \sigma(\varepsilon) = \varepsilon^{k+1}$, with k = dn. But then σ(ε) = ε and σ is the identity over K(ε).

The next result that we want to prove is that if K = Q, then τ is also surjective and $\mathrm{Gal}(Q(\varepsilon)/Q) \cong (Z/nZ)^*$.
Consider from now on the case K = Q and let us start by defining the n-th cyclotomic polynomial over Q. The extension Q(ε) is called the n-th cyclotomic field.

Definition 2.1.3 (Cyclotomic polynomial). Let n be a positive integer and denote by $R = \mu_n(\overline{Q})$ the set of primitive n-th roots in $\overline{Q}$ of $\Phi(t) = t^n - 1$. Then the cyclotomic polynomial $\Phi_n(t)$ is defined by

$$\Phi_n(t) = \prod_{\varepsilon \in R} (t - \varepsilon).$$

The idea is to decompose the polynomial Φ(t) into a product of irreducible factors. Indeed, for any divisor d of n we know that $(t^d - 1) \mid \Phi(t)$ and by the definition given we have

$$\Phi(t) = t^n - 1 = \prod_{d \mid n} \Phi_d(t),$$

because every n-th root of unity is a primitive d-th root of unity for a unique d dividing n.

In the previous proposition we proved that any primitive root of unity is of the form $\varepsilon^i$, with i relatively prime to n. The number of these elements is given by the Euler ϕ function

ϕ(n) = {0 < i < n | gcd(i, n) = 1}.

Therefore $\Phi_n$ is of degree ϕ(n). Moreover $\varphi(n) = \mathrm{Card}((Z/nZ)^*)$.
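The factorization of $t^n - 1$ over the divisors of n gives a direct way to compute $\Phi_n$ with integer arithmetic only. The following Python sketch is an added illustration, not part of the thesis; the function names are chosen here. It builds $\Phi_n$ by exact division and checks numerically that its roots among the n-th roots of unity are exactly the primitive ones.

```python
import cmath
from functools import lru_cache
from math import gcd


def poly_divide(num, den):
    """Exact division of integer polynomials given as coefficient
    sequences (lowest degree first); den must be monic."""
    num = list(num)
    quot = [0] * (len(num) - len(den) + 1)
    for k in range(len(quot) - 1, -1, -1):
        quot[k] = num[k + len(den) - 1]
        for j, c in enumerate(den):
            num[k + j] -= quot[k] * c
    if any(num):
        raise ValueError("division is not exact")
    return quot


@lru_cache(maxsize=None)
def cyclotomic(n):
    """Phi_n(t), obtained by dividing t^n - 1 by Phi_d(t) for every
    proper divisor d of n (the product formula read backwards)."""
    poly = [-1] + [0] * (n - 1) + [1]          # t^n - 1
    for d in range(1, n):
        if n % d == 0:
            poly = poly_divide(poly, cyclotomic(d))
    return tuple(poly)


def euler_phi(n):
    """Number of residues modulo n that are coprime to n."""
    return sum(1 for i in range(1, n + 1) if gcd(i, n) == 1)


def vanishes_exactly_on_primitive_roots(n, tol=1e-6):
    """Evaluate Phi_n at exp(2*pi*i*k/n) for k = 0..n-1 and check that
    it is zero precisely when gcd(k, n) = 1."""
    coeffs = cyclotomic(n)
    for k in range(n):
        z = cmath.exp(2j * cmath.pi * k / n)
        value = 0
        for c in reversed(coeffs):             # Horner evaluation
            value = value * z + c
        if (abs(value) < tol) != (gcd(k, n) == 1):
            return False
    return True


if __name__ == "__main__":
    for n in (1, 2, 3, 4, 6, 12):
        print(n, cyclotomic(n), euler_phi(n))
```

For n = 105 the result has a coefficient equal to −2, so the coefficients of $\Phi_n$ are not always in {−1, 0, 1}.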

As we proved already that the homomorphism τ given in Proposition 2.1.2 is injective and as we consider two finite groups, to prove that τ is onto we thus only need to prove that card(Gal(Q(ε)/Q)) = [Q(ε) : Q] = ϕ(n). To prove this it is sufficient to show that $\Phi_n(t)$ is irreducible over Q.
Indeed, we know already that ε is a root of $\Phi_n(t)$ and therefore that the minimal polynomial m(t) of ε divides $\Phi_n(t)$. If $\Phi_n(t)$ is irreducible, then $\Phi_n(t) = m(t)$ and Q(ε) will be the splitting field of $\Phi_n$. Hence we will have $[Q(\varepsilon) : Q] = \deg(\Phi_n(t)) = \varphi(n)$ (see Proposition 1.2.5).

Proposition 2.1.4. Let n be a positive integer and $\Phi_n(t)$ the n-th cyclotomic polynomial. Then $\Phi_n(t)$ is irreducible over Q.

Proof. Suppose $\Phi_n(t)$ is not irreducible. Then as $\Phi_n(t) \in Z[t]$, there exist f(t), g(t) ∈ Z[t] such that $\Phi_n(t) = f(t)g(t)$. Moreover suppose f(t) is monic and irreducible. We know that all roots of f(t) are primitive n-th roots of unity. We will prove that every primitive n-th root of unity is a root of f(t).

Denote by ε a root of f(t). It has been proved that every other primitive n-th root is of the form $\varepsilon^i$, with gcd(i, n) = 1. We prove that $\varepsilon^i$ is a root of f(t) as well, for any i < n such that gcd(i, n) = 1.
Considering the decomposition into prime numbers of i and n, it is easy to see that gcd(i, n) = 1 implies that i is a product of prime numbers not dividing n. Then it is sufficient to prove that if ε is a root of f(t), then $\varepsilon^p$ is also a root, for every prime integer p such that gcd(n, p) = 1. Indeed, if $i = p_1 \cdots p_r$ we can apply this argument r times, starting with ε and $p_1$, then continuing with $\varepsilon' = \varepsilon^{p_1}$ and $p_2$, and so on.

Suppose p is a prime number not dividing n such that $f(\varepsilon^p) \neq 0$. Then $\varepsilon^p$ is a root of g(t), because it is a root of $\Phi_n(t)$. Equivalently ε is a root of $g(t^p)$, hence $g(t^p)$ and f(t) have a common root. This means that $(t - \varepsilon) \mid \gcd(f(t), g(t^p))$ and in particular $h(t) = \gcd(f(t), g(t^p)) \in Z[t]$ is not trivial. Reducing modulo p we find $h(t) = \gcd_{F_p}(f(t), g(t^p)) \neq 1$, because f and g are both monic and so will be their gcd. Hence its degree cannot be reduced modulo p.
The finite field $F_p$ is of characteristic p and using similar arguments as in Proposition 28 in [1] we find that $g(t^p) = (g(t))^p$. Indeed, suppose

$$g(t) = t^r + a_{r-1} t^{r-1} + \cdots + a_0,$$

with $a_i \in F_p$, for all i = 0, . . . , r − 1. Then we have

$$(g(t))^p = (t^r + a_{r-1} t^{r-1} + \cdots + a_0)^p = (t^r)^p + a_{r-1}^p (t^{r-1})^p + \cdots + a_0^p,$$

because developing the power using Newton's development we will find that all other coefficients are multiples of p and hence equal to 0 in $F_p$ (for more details see [1], Proposition 28).
Moreover, by Fermat's Little Theorem we have $a^p = a$, for every $a \in F_p$. So we obtain

$$(g(t))^p = (t^r)^p + a_{r-1} (t^{r-1})^p + \cdots + a_0 = g(t^p).$$

Then as h(t) is not trivial, we know in particular that f(t) and $g(t^p) = (g(t))^p$ have a common root in $F_p$. But then f(t) and g(t) have a common root in $F_p$ and this implies that $t^n - 1$ has a multiple root in $F_p$, which contradicts the proof of Proposition 2.1.1. Therefore the factors f(t), g(t) of $\Phi_n(t)$ cannot exist and $\Phi_n(t)$ is irreducible over Q.

By the arguments preceding this result, we also obtain the following corollary.

Corollary 2.1.5. Let ε be a primitive n-th root of unity. Then

$$\mathrm{Gal}(Q(\varepsilon)/Q) \cong (Z/nZ)^*.$$

2.2 Abelian Groups as Galois Groups

In the previous section we constructed the isomorphism $\mathrm{Gal}(Q(\varepsilon)/Q) \cong (Z/nZ)^*$, where ε is a primitive n-th root of unity. This isomorphism will be useful to realize any abelian group G as a Galois group of some Galois extension of Q.
To prove this theorem we will use some important results from group theory and number theory. These results are recalled in what follows and we refer the reader to [7] for more details.

Theorem 2.2.1 (Dirichlet Theorem). Let a, b be two relatively prime integers. Then there exist infinitely many prime numbers p satisfying the following relation

p = a + nb, with n ∈ N, or equivalently p ≡ a mod b.


Theorem 2.2.2 (Primary decomposition). Every abelian group H is the direct product of some cyclic groups.

Theorem 2.2.3 (Chinese Remainder Theorem). Suppose $n = \prod_{i=1}^{s} n_i$ is a positive integer whose factors $n_i$ are pairwise relatively prime, i.e. $\gcd(n_i, n_j) = 1$ for all i ≠ j.
Then there exists an element x, which is unique modulo n, that satisfies the following relation:

$$x \equiv a_i \bmod n_i, \quad \text{for every } i = 1, \ldots, s \text{ and } a_i \in Z.$$

In particular this theorem proves the existence of an isomorphism of groups

$$(Z/nZ)^* \cong (Z/n_1 Z)^* \times \cdots \times (Z/n_s Z)^*,$$

which will be used to prove the main result of this chapter.

Theorem 2.2.4. Let G be an abelian group. Then G is a Galois group over Q.

Proof. We start by proving that there exists an integer N ≥ 1 such that G is isomorphic to a quotient of the multiplicative group $(Z/NZ)^*$.
Using the Primary Decomposition Theorem of abelian groups, we know that G is isomorphic to a product of cyclic groups

$$G = \prod_{i=1}^{r} Z/n_i Z.$$

Every cyclic group $Z/n_i Z$ is a quotient of $Z/(p_i - 1)Z$, where $p_i$ is a prime number such that $p_i \equiv 1 \bmod n_i$. Indeed, this relation modulo $n_i$ proves that $n_i$ divides $p_i - 1$. Hence $(p_i - 1)Z$ is a normal subgroup of $n_i Z$ and we can take the quotient modulo $n_i Z/(p_i - 1)Z$ of $Z/(p_i - 1)Z$. By the Third Isomorphism Theorem, this quotient is isomorphic to $Z/n_i Z$.
Notice that for every i = 1, . . . , r, there are infinitely many prime numbers $p_i$ satisfying this relation by Theorem 2.2.1. Hence we can choose a set of distinct primes $(p_i)_{1 \leq i \leq r}$ satisfying this relation for every i = 1, . . . , r.
The canonical projection of each cyclic group $Z/(p_i - 1)Z$ on its quotient $Z/n_i Z$, for every i = 1, . . . , r, gives a surjective homomorphism

$$\Psi : \prod_{i=1}^{r} Z/(p_i - 1)Z \to G.$$

Define $N := \prod_{i=1}^{r} p_i$.
For every i ∈ {1, . . . , r}, the multiplicative group $(Z/p_i Z)^*$ is isomorphic to the abelian cyclic group of order $p_i - 1$. Indeed, $Z/p_i Z$ is a field and therefore $(Z/p_i Z)^* = Z/p_i Z - \{[0]\}$. Moreover, by a similar argument to the one used in Proposition 2.1.1, we have that the order of every element $x \in (Z/p_i Z)^*$ divides $p_i - 1$ and it follows that the exponent of $(Z/p_i Z)^*$ is $p_i - 1$. Moreover we can find an element of order equal to the exponent, which will be the generator of the cyclic group. Therefore the group $((Z/p_i Z)^*, \cdot)$ is isomorphic to $(Z/(p_i - 1)Z, +)$ and we have the group isomorphism

$$\prod_{i=1}^{r} Z/(p_i - 1)Z \cong \prod_{i=1}^{r} (Z/p_i Z)^*.$$

As all $p_i$ are prime and distinct we can apply the Chinese Remainder Theorem to conclude that we have an isomorphism:

$$(Z/NZ)^* \cong \prod_{i=1}^{r} (Z/p_i Z)^*.$$

Using the surjective homomorphism Ψ of $\prod_{i=1}^{r} Z/(p_i - 1)Z$ onto the group G constructed in the first part of the proof and the two previous isomorphisms, we deduce that there exists a surjective homomorphism of $(Z/NZ)^*$ onto the group G.
By Corollary 2.1.5 of the previous section, we also have the isomorphism

$$\mathrm{Gal}(Q(\varepsilon)/Q) \cong (Z/NZ)^*,$$

where ε is a primitive N-th root of unity. This implies that there exists a surjective homomorphism

$$\Phi : \mathrm{Gal}(Q(\varepsilon)/Q) \to G.$$

In particular, by the First Isomorphism Theorem we have that

$$\mathrm{Gal}(Q(\varepsilon)/Q)/\ker(\Phi) \cong G.$$

We conclude the proof using the correspondence given by the Fundamental Theorem of Galois Theory. Denote H = ker(Φ) and K = Fix(H). As H is a normal subgroup of Gal(Q(ε)/Q), Theorem 1.6.6 shows that K/Q is a Galois field extension with Galois group satisfying

$$\mathrm{Gal}(K/Q) \cong \mathrm{Gal}(Q(\varepsilon)/Q)/H \cong G.$$

This proves that G is the Galois group of a Galois extension of Q.
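The proof is constructive, and the construction can be carried out for small groups. The following Python sketch is an added illustration, not part of the thesis; the function names and the choice of the smallest admissible primes are assumptions made here. Given the orders $n_1, \ldots, n_r$ of the cyclic factors of G, it picks distinct primes $p_i \equiv 1 \bmod n_i$, forms $N = \prod p_i$, builds the surjection $(Z/NZ)^* \to G$ from discrete logarithms modulo each $p_i$, and lists its kernel H, whose fixed field in Q(ε) has Galois group G.

```python
from itertools import count
from math import gcd, isqrt, prod


def is_prime(m):
    return m >= 2 and all(m % d for d in range(2, isqrt(m) + 1))


def dirichlet_primes(orders):
    """For each n_i, the smallest prime p_i = 1 mod n_i not used before
    (Theorem 2.2.1 guarantees that the search terminates)."""
    chosen = []
    for n in orders:
        p = next(q for q in count(n + 1, n) if is_prime(q) and q not in chosen)
        chosen.append(p)
    return chosen


def primitive_root(p):
    """Smallest generator of the cyclic group (Z/pZ)^*."""
    if p == 2:
        return 1
    prime_factors = [q for q in range(2, p) if (p - 1) % q == 0 and is_prime(q)]
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors))


def realize(orders):
    """Return N, the units modulo N, and the map (Z/NZ)^* -> prod Z/n_i Z."""
    primes = dirichlet_primes(orders)
    N = prod(primes)
    # Discrete logarithm tables: (Z/p_i Z)^* is identified with Z/(p_i - 1)Z.
    logs = []
    for p in primes:
        g = primitive_root(p)
        logs.append({pow(g, k, p): k for k in range(p - 1)})

    def phi(x):
        # CRT component x mod p_i, then its logarithm, then reduction mod n_i.
        return tuple(logs[i][x % p] % n
                     for i, (p, n) in enumerate(zip(primes, orders)))

    units = [x for x in range(1, N) if gcd(x, N) == 1]
    return N, units, phi


def summary(orders):
    N, units, phi = realize(orders)
    image = {phi(x) for x in units}
    kernel = sorted(x for x in units if not any(phi(x)))
    additive = all(
        phi(x * y % N) == tuple((a + b) % n
                                for a, b, n in zip(phi(x), phi(y), orders))
        for x in units for y in units)
    return {"N": N, "phi_N": len(units), "homomorphism": additive,
            "surjective": len(image) == prod(orders), "kernel": kernel}


if __name__ == "__main__":
    for orders in ([4, 2], [3], [2, 2, 2]):
        print(orders, summary(orders))
```

For G = Z/4Z × Z/2Z this gives N = 15 with trivial kernel, so the whole cyclotomic field of 15-th roots of unity realizes G; for G = Z/3Z it gives N = 7 and the kernel {1, 6}.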


We conclude this chapter with the statement of the Kronecker-Weber Theorem, which is an important result related to Galois extensions having a commutative Galois group.

Theorem 2.2.5 (Kronecker-Weber). Let K/Q be a finite algebraic field extension with Galois group G. Suppose G is abelian; then K is a subfield of a cyclotomic field Q(ε), where ε denotes a primitive root of unity.

Notice that considering the main result of this chapter and the Kronecker-Weber Theorem, we can conclude that every abelian group is the Galois group of a Galois extension K/Q, where K is a subfield of a cyclotomic extension.

Example 2.2.6. The proof of Theorem 2.2.5 in the general case is quite difficult. We prove it in the particular case of a quadratic number field $K = Q(\sqrt{p})$, where p is a prime number. Then K is the splitting field of the polynomial $t^2 - p \in K[t]$, which is separable. Hence K/Q is a Galois extension and, as [K : Q] = 2, the only possibility is $\mathrm{Gal}(K/Q) \cong Z/2Z$. Theorem 2.2.5 is the statement that K is a subfield of a cyclotomic extension Q(ε): this is what we are proving in this example.

First consider an odd prime number p and a primitive p-th root of unity $\varepsilon \in \overline{Q}$.
The map $s : (Z/pZ)^* \to (Z/pZ)^*$ defined by $s(x) = x^2$ is a homomorphism of groups with kernel ker(s) = {1, p − 1}. Hence the image of s is

$$R = \mathrm{Im}(s) = \{y \in (Z/pZ)^* \mid \exists\, x \in (Z/pZ)^* \text{ such that } x^2 = y\}$$

and it is a normal subgroup of $(Z/pZ)^*$, thus R and $N = (Z/pZ)^* - R$ are both sets of size (p − 1)/2.
Define

$$\gamma = \sum_{c \in Z/pZ} \varepsilon^{c^2}, \quad \alpha = \sum_{a \in R} \varepsilon^a \quad \text{and} \quad \beta = \sum_{b \in N} \varepsilon^b.$$

We want to compute γ. By the previous remarks on the map s it is easy to see that γ = 2α + 1.

We have

$$\alpha + \beta = \sum_{a \in (Z/pZ)^*} \varepsilon^a = -1.$$

Indeed, $t^p - 1 = (t - 1)(t^{p-1} + \cdots + t + 1)$. Since ε ≠ 1, we have $\varepsilon^{p-1} + \varepsilon^{p-2} + \cdots + 1 = 0$ and then $\varepsilon^{p-1} + \cdots + \varepsilon = -1$.


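Moreover $S = \alpha - \beta = \sum_{a \in (Z/pZ)^*} \left(\frac{a}{p}\right) \varepsilon^a$, where $\left(\frac{a}{p}\right)$ denotes the Legendre symbol given by

$$\left(\frac{a}{p}\right) = \begin{cases} 0, & \text{if } a \equiv 0 \bmod p \\ 1, & \text{if } a \neq 0 \text{ is a square mod } p \\ -1, & \text{if } a \neq 0 \text{ is not a square mod } p \end{cases}$$

(see [16], Section 5.5 for more details). To compute S, the easiest way is to calculate $S^2$. We have

$$S^2 = \Big(\sum_{a \in (Z/pZ)^*} \left(\frac{a}{p}\right) \varepsilon^a\Big)\Big(\sum_{b \in (Z/pZ)^*} \left(\frac{b}{p}\right) \varepsilon^b\Big) = \sum_{a \in (Z/pZ)^*} \sum_{b \in (Z/pZ)^*} \left(\frac{ab}{p}\right) \varepsilon^{a+b}.$$

As p is a prime number we can find c ∈ Z/pZ such that b = ca, so we obtain:

$$S^2 = \sum_{a \in (Z/pZ)^*} \sum_{c \in (Z/pZ)^*} \left(\frac{a^2 c}{p}\right) \varepsilon^{a(1+c)} = \sum_{a \in (Z/pZ)^*} \sum_{c \in (Z/pZ)^*} \left(\frac{c}{p}\right) \varepsilon^{a(1+c)},$$

because $a^2$ is a square, i.e. $\left(\frac{a^2}{p}\right) = 1$. Now consider the sum $\sum_{a \in (Z/pZ)^*} \varepsilon^{a(1+c)}$.
If gcd(1 + c, p) = 1, then the multiplication-by-(1 + c) map, $m : x \mapsto x(1 + c)$, is an automorphism of Z/pZ and we find

$$\sum_{a \in (Z/pZ)^*} \varepsilon^{a(1+c)} = \sum_{d \in (Z/pZ)^*} \varepsilon^d = -1.$$

As p is prime, this is the case for all c ≠ p − 1.
For c = p − 1 we have $\sum_{a \in (Z/pZ)^*} \varepsilon^{a(1+c)} = \sum_{a \in (Z/pZ)^*} \varepsilon^{ap} = p - 1$. Therefore we have

$$S^2 = \sum_{1 \leq c \leq p-2} \left(\frac{c}{p}\right)(-1) + \left(\frac{p-1}{p}\right)(p - 1).$$

Using the fact that N and R have the same cardinality, we have $\sum_{1 \leq c \leq p-1} \left(\frac{c}{p}\right)(-1) = 0$ and finally

$$S^2 = \left(\frac{p-1}{p}\right) + (p - 1)\left(\frac{p-1}{p}\right) = p \left(\frac{p-1}{p}\right).$$

The value of $\left(\frac{p-1}{p}\right)$ depends on p and in particular we have

$$S^2 = \begin{cases} p, & \text{if } p \equiv 1 \bmod 4 \\ -p, & \text{if } p \equiv 3 \bmod 4. \end{cases}$$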


Hence

γ = 2α+1 = (α+β)+(α−β)+1 = −1+S+1 =

{ √p, if p ≡ 1 mod 4

i√p, if p ≡ 3 mod 4

.

For p ≡ 1 mod 4, we conclude directly that Q(√p) = Q(γ) ⊂ Q(ε).

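For $p \equiv 3 \bmod 4$, we define $\varepsilon'$ as a primitive $4p$-th root of unity. Then $\mathbb{Q}(\varepsilon')$ contains all roots of the polynomial $t^{4p} - 1$ and in particular $i, \varepsilon$ lie in $\mathbb{Q}(\varepsilon')$. Therefore we have $[\mathbb{Q}(\varepsilon, i) : \mathbb{Q}] \le [\mathbb{Q}(\varepsilon') : \mathbb{Q}] = \varphi(4p) = 2(p-1)$. Also, by the same argument $[\mathbb{Q}(\varepsilon) : \mathbb{Q}] = p-1$ and $d = [\mathbb{Q}(\varepsilon, i) : \mathbb{Q}] = p-1$ or $2(p-1)$, because $t^2 + 1$ annihilates $i$. Suppose $d = p-1$. Then we would have $i \in \mathbb{Q}(\varepsilon)$ and $i\varepsilon$ would lie in $\mathbb{Q}(\varepsilon)$ as well. Since $\varepsilon$ and $i$ are $4p$-th roots of unity, the same is true for $i\varepsilon$. In particular, $i\varepsilon$ is a primitive root of unity of order $2$, $4$, $p$, $2p$ or $4p$. We have $(i\varepsilon)^2 = -\varepsilon^2 \neq 1$, $(i\varepsilon)^4 = \varepsilon^4 \neq 1$, because $p \neq 2$ and so $p$ does not divide $4$. Also $(i\varepsilon)^p = \pm i$, because $p$ is odd and finally $(i\varepsilon)^{2p} = -1$. It follows that $i\varepsilon$ is a primitive $4p$-th root of unity. Hence, if $i \in \mathbb{Q}(\varepsilon)$, we would have $\mathbb{Q}(\varepsilon) = \mathbb{Q}(i\varepsilon) \cong \mathbb{Q}(\varepsilon')$ and this is a contradiction, because of the degree of the two extensions.

Thus $i \notin \mathbb{Q}(\varepsilon)$ and $[\mathbb{Q}(\varepsilon, i) : \mathbb{Q}] = 2(p-1)$. It follows that $\mathbb{Q}(\varepsilon, i) \cong \mathbb{Q}(\varepsilon')$. Therefore we have

$$\mathbb{Q}(\sqrt{p}) \subset \mathbb{Q}(i, \sqrt{-p}) = \mathbb{Q}(i, \gamma) \subset \mathbb{Q}(i, \varepsilon) = \mathbb{Q}(\varepsilon').$$

Hence for any odd prime number $p$, $\mathbb{Q}(\sqrt{p})$ is a subfield of a cyclotomic field.

For the case of $p = 2$ consider the root $\rho = e^{2i\pi/8}$. One can check easily that $\sqrt{2} = \rho^2 + \rho^{-2}$ and thus that $\mathbb{Q}(\sqrt{2})$ is a subfield of the cyclotomic field $\mathbb{Q}(\rho)$.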
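The identity $S^2 = \left(\frac{p-1}{p}\right)p$ obtained above can be checked exactly by computing in $\mathbb{Z}[\varepsilon]$ with integer coefficient vectors. The following Python is an added example, not part of the thesis; it assumes $S = \sum_{a \in (\mathbb{Z}/p\mathbb{Z})^*} \left(\frac{a}{p}\right)\varepsilon^a$ (the definition implied by the double sum for $S^2$), and all function names are illustrative.

```python
"""Exact check of S^2 = ((p-1)/p) * p in Z[eps], eps a primitive p-th root of unity.

Added illustration. Assumption: S = sum over a in (Z/pZ)^* of (a/p) * eps^a.
An element of Z[eps] is stored as a length-p integer vector v meaning
sum_k v[k] * eps^k; exponents are reduced mod p because eps^p = 1.
"""


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def gauss_sum_vector(p):
    """Coefficient vector of S = sum_a (a/p) eps^a."""
    return [legendre(a, p) for a in range(p)]


def multiply(u, v, p):
    """Product in Z[x]/(x^p - 1): cyclic convolution of coefficient vectors."""
    w = [0] * p
    for i, ui in enumerate(u):
        if ui == 0:
            continue
        for j, vj in enumerate(v):
            w[(i + j) % p] += ui * vj
    return w


def as_integer(v):
    """Return m if sum_k v[k] eps^k is the integer m, else None.

    The only linear relation among 1, eps, ..., eps^(p-1) over Q is
    1 + eps + ... + eps^(p-1) = 0. So the element is an integer exactly
    when v[1] = ... = v[p-1] = c, and then its value is v[0] - c.
    """
    c = v[1]
    if any(x != c for x in v[1:]):
        return None
    return v[0] - c


def inner_sum(p, c):
    """sum_{a in (Z/pZ)^*} eps^(a(1+c)), the inner sum of the derivation."""
    v = [0] * p
    for a in range(1, p):
        v[(a * (1 + c)) % p] += 1
    return as_integer(v)


def gauss_sum_squared(p):
    """S^2 as an integer, computed exactly (None if it were not an integer)."""
    s = gauss_sum_vector(p)
    return as_integer(multiply(s, s, p))


if __name__ == "__main__":
    for p in (3, 5, 7, 11, 13, 17, 19, 23):
        print(p, p % 4, gauss_sum_squared(p))
```

The inner sum is $-1$ for every $c \neq p-1$ and $p-1$ for $c = p-1$, which is the case distinction used in the derivation.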


Chapter 3

Symmetric group Sn

In this chapter, our goal is to prove that the symmetric group $S_n$ can be expressed as a Galois group. More precisely, for each integer $n$ we will exhibit a polynomial whose splitting field is a Galois extension of $\mathbb{Q}$ with Galois group isomorphic to $S_n$.

3.1 Useful tools

In order to prove the main theorem, we first recall some properties of number fields. In particular, we start this section with some definitions and properties concerning the ring of integers of a number field as well as ramifications of a finite field extension. Most of the statements given in this section are not proved, since a more advanced theory on this subject would have to be developed and this is not the aim of this report. We refer the reader to [16] for the proofs of these results and for more details on field extensions. In what follows we restrict ourselves to the consideration of number fields.

3.1.1 Ring of integers

Definition 3.1.1 (Integer element of a number field). Let $K$ be a number field. An element $x \in K$ is said to be an algebraic integer element (over $\mathbb{Q}$) if its minimal polynomial $m(t) \in \mathbb{Q}[t]$ has all coefficients in $\mathbb{Z}$. Equivalently, $x$ is an algebraic integer if it is the root of a monic polynomial with coefficients in $\mathbb{Z}$.

We summarize in the following theorem two important properties of the set of integers of a number field.

Theorem 3.1.2. Let $K$ be a number field and denote by $A$ the set of integer elements of $K$ over $\mathbb{Q}$. Then we have

(i) $A$ is a Dedekind ring.

(ii) $A$ is a free $\mathbb{Z}$-module of rank $[K : \mathbb{Q}]$, i.e. there exists a basis $\{e_1, \dots, e_n\}$ of $A$ such that for any $a \in A$, there are $a_1, \dots, a_n \in \mathbb{Z}$ satisfying $a = a_1 e_1 + \dots + a_n e_n$. Moreover, this basis is free, i.e. $a_1 e_1 + \dots + a_n e_n = 0$ if and only if $a_i = 0$, for all $i \in \{1, \dots, n\}$.

Remark 3.1.3. - Usually the ring of integers of a number field is denoted by $\mathcal{O}_K$, but in this report we will often denote it by $A$.

- Recall that a Dedekind ring is a commutative and unitary domain, Noetherian, integrally closed and such that every nonzero prime ideal is maximal.

3.1.2 Ramification in number fields

Theorem 3.1.4. Let $A$ be a Dedekind ring and let $P$ be the set of all prime ideals of $A$. Then every fractional ideal $I$ of $A$ can be written as a product of prime ideals in essentially a unique way:

$$I = \prod_{\mathfrak{p} \in P} \mathfrak{p}^{e_{\mathfrak{p}}(I)},$$

where the $e_{\mathfrak{p}}(I)$ are integers and only finitely many of them are non-zero.

Once again the result is not needed in its whole generality for our aim. Indeed we will essentially apply it to the ring of integers of some number field and its ideals. Note that for every ideal of $A$ all the integers $e_{\mathfrak{p}}(I)$ are positive. Moreover we have the following property:

$$I \subset J \Leftrightarrow e_{\mathfrak{p}}(I) \ge e_{\mathfrak{p}}(J), \quad \text{where } I, J \text{ are fractional ideals of } A \text{ and } \mathfrak{p} \in P. \tag{3.1}$$

To understand this property for some ideals $I$ and $J$, notice that all prime ideals in the decomposition of $I$ contain $I$ and that for any prime ideal $\mathfrak{p}$ we have $\mathfrak{p}^i \subseteq \mathfrak{p}^j$, if $i \ge j$, by the property defining an ideal.

Let $K$ be a number field. We set $A = \mathcal{O}_K$. Clearly $\mathbb{Z} \subseteq A$. We consider an ideal of the form $pA$ generated by some prime number $p \in \mathbb{Z}$. By Theorem 3.1.4 we have the following decomposition of $pA$ into prime ideals $\mathfrak{p}_1, \dots, \mathfrak{p}_q$ of $pA$:

$$pA = \prod_{i=1}^{q} \mathfrak{p}_i^{e_i},$$

where all $\mathfrak{p}_i$ are distinct and $e_i \ge 1$, for $i = 1, \dots, q$. We then introduce the following notions with regard to this decomposition:

Definition 3.1.5 (Ramification). For every $i = 1, \dots, q$:

- We say that every prime ideal $\mathfrak{p}_i$ is a prime ideal dividing $p$,

- The exponent $e_i$ is called the index of ramification of the prime ideal $\mathfrak{p}_i$,

- The field $A/\mathfrak{p}_i$ is a finite $\mathbb{Z}/p\mathbb{Z}$-vector space. The degree $f_i = [A/\mathfrak{p}_i : \mathbb{Z}/p\mathbb{Z}]$ is called the residual degree of $\mathfrak{p}_i$ over $\mathbb{Z}$.

We now give two general properties before considering the particular case of Galois extensions over $\mathbb{Q}$.

Proposition 3.1.6. The prime ideals $\mathfrak{p}_i$ dividing $pA$ are precisely the prime ideals $\wp$ of $A$ such that $\wp \cap \mathbb{Z} = p\mathbb{Z}$.

Proof. To prove this result we show that the relation $\wp \cap \mathbb{Z} = p\mathbb{Z}$ is equivalent to $pA \subseteq \wp$, for a prime ideal $\wp$ of $A$.
Suppose we have $\wp \cap \mathbb{Z} = p\mathbb{Z}$, then clearly $p \in \wp$ and since $\wp$ is an ideal we have $pA \subseteq \wp$. Conversely if $pA \subseteq \wp$, we have $p\mathbb{Z} \subset \wp \cap \mathbb{Z}$. Moreover, we know that $\wp \cap \mathbb{Z}$ is a prime ideal of $\mathbb{Z}$. Indeed, for every $a, b \in \mathbb{Z}$ such that the product $ab \in \wp \cap \mathbb{Z}$, we have $a \in \wp \cap \mathbb{Z}$ or $b \in \wp \cap \mathbb{Z}$, because $a, b \in \mathbb{Z} \subset A$ and also $\wp$ is prime in $A$ and then $a$ or $b$ is in $\wp$. But in $\mathbb{Z}$ all non-zero prime ideals are maximal, so $p\mathbb{Z} = \wp \cap \mathbb{Z}$.
To conclude the proof we apply the property of decomposition of ideals in a Dedekind ring given in Equation 3.1 to $I = pA$ and $J = \wp$. Then $e_{\mathfrak{p}}(pA) \ge e_{\mathfrak{p}}(\wp)$. Taking $\mathfrak{p} = \wp$ we conclude that the index of ramification of $\wp$ in the decomposition of $pA$ is greater than or equal to 1. Indeed $e_{\wp}(pA) \ge e_{\wp}(\wp) = 1$, so $\wp$ is a prime ideal dividing $p$.

This proposition is useful to understand how the field $\mathbb{Z}/p\mathbb{Z}$ can be identified with a subfield of $A/\mathfrak{p}_i$ in order to define the residual degree (see Definition 3.1.5). Indeed, we know that $\mathbb{Z} \subset A$. Then one can construct an injection of $\mathbb{Z}/(\mathbb{Z} \cap \mathfrak{p}_i)$ into $A/\mathfrak{p}_i$ and up to isomorphism we have $\mathbb{Z}/(\mathbb{Z} \cap \mathfrak{p}_i) \subset A/\mathfrak{p}_i$. By the proposition this is equivalent to $\mathbb{Z}/p\mathbb{Z} \subset A/\mathfrak{p}_i$, because $\mathfrak{p}_i$ is above $pA$. As $p\mathbb{Z}$ and $\mathfrak{p}_i$ are prime ideals in $\mathbb{Z}$ and $A$ respectively, both quotients are fields and $A/\mathfrak{p}_i$ is a $\mathbb{Z}/p\mathbb{Z}$-vector space.


3.1.3 Trace, Norm and Characteristic polynomial

Before starting to consider Galois extensions we still need to define trace and norm and some properties related to these notions.

Definition 3.1.7 (Trace, Norm, Characteristic polynomial). Let $R$ be a ring and $S$ a subring of $R$ such that $R$ is a free $S$-module of finite rank $n$. For any $x \in R$ we consider the following multiplication-by-$x$ endomorphism

$$m_x : R \to R, \quad y \mapsto xy.$$

Let $M_x$ denote the matrix of $m_x$ in a fixed basis $B$ of $R$. Then:

(i) The trace of $x \in R$ over $S$, denoted by $\operatorname{Tr}_{R/S}(x)$, is the trace of $M_x$; i.e.

$$\operatorname{Tr}_{R/S}(x) = \operatorname{Tr}(m_x) = \operatorname{Tr}(M_x) = \sum_{i=1}^{n} (M_x)_{ii},$$

where $(M_x)_{ii}$ denotes the $i$-th diagonal element of the matrix $M_x$.

(ii) The norm of $x \in R$ over $S$, denoted by $N_{R/S}(x)$, is defined as the determinant of $M_x$: $N_{R/S}(x) = \det(M_x)$.

(iii) The characteristic polynomial of $x \in R$ relative to $R$ and $S$ is defined as the characteristic polynomial of the linear map $m_x$.

In the case of a field extension, the following proposition gives equivalent definitions which will be more useful for us.

Proposition 3.1.8. Let $K$ be a finite field or a field of characteristic 0 and let $L$ be an extension of degree $n$ of $K$. Suppose $x \in L$ and $x_1, \dots, x_n$ are the roots of the minimal polynomial of $x$ over $K$, each one repeated $[L : K(x)]$ times. Then:

- $\operatorname{Tr}_{L/K}(x) = x_1 + \dots + x_n$,

- $N_{L/K}(x) = x_1 \cdots x_n$,

- The characteristic polynomial of $x$ over $L$ relative to $L$ and $K$ is $c_{L/K}(t) = (t - x_1) \cdots (t - x_n)$.


Remark 3.1.9. Notice that the characteristic polynomial is the $[L : K(x)]$-th power of the minimal polynomial $m(t)$ of $x$ over $K$ and that $N_{L/K}(x)$ and $\operatorname{Tr}_{L/K}(x)$ are respectively the coefficients of $t^{n-1}$ and $t$ of the polynomial $c_{L/K}$. Therefore if we consider a number field $K$ and its integer ring $A$, then for any $x \in A$ the norm and trace are in $\mathbb{Z}$, because the minimal polynomial has coefficients in $\mathbb{Z}$.

Consider again a number field extension $K/\mathbb{Q}$ of degree $n$ and let $A$ be its integer ring. Then using any basis of $A$ as a $\mathbb{Z}$-module we can define the absolute discriminant of $K$ as follows.

Definition 3.1.10 (Absolute discriminant). Consider a basis $\{x_1, \dots, x_n\}$ of $A$ as $\mathbb{Z}$-module. Denote by $T$ the matrix with coefficients $T_{ij} = \operatorname{Tr}_{K/\mathbb{Q}}(x_i x_j)$. The absolute discriminant of $K/\mathbb{Q}$ is given by

$$D_{K/\mathbb{Q}} = \det(T).$$

Equivalently, one can consider the $n$ embeddings of $K$ into $\mathbb{C}$ (see Remark 3.1.11) and denote them by $\sigma_1, \dots, \sigma_n$. Denote by $S$ the matrix with coefficients $S_{ij} = \sigma_i(x_j)$. Then the absolute discriminant is given by

$$D_{K/\mathbb{Q}} = \det(S).$$

Remark 3.1.11. - Both definitions given are independent of the choice of the basis $\{x_1, \dots, x_n\}$ of $A$.

- For a reminder on the construction of the $n$ embeddings of $K$ into $\mathbb{C}$, see the beginning of Section 7.2.

3.1.4 Norm of an ideal

In this subsection we define the notion of norm of an ideal and we present some properties related to this notion.

Definition 3.1.12 (Norm of an ideal). Let $K$ be a number field and $A$ its ring of integers. Let $I \subseteq A$ be a non-zero ideal. Then the norm of the ideal $I$ is defined as $N(I) = |A/I|$.

In order to prove that the norm of an ideal is always finite we will use the following general result on $\mathbb{Z}$-modules.

Theorem 3.1.13. Let $M$ be a free $\mathbb{Z}$-module of rank $n < \infty$ and let $N$ be a submodule of $M$. Then:

(i) $N$ is also a free $\mathbb{Z}$-module of rank $l \le n$.

(ii) There exists a basis $\{e_1, \dots, e_n\}$ of $M$ and some non-zero elements $a_1, \dots, a_l \in \mathbb{Z}$ such that $\{a_1 e_1, \dots, a_l e_l\}$ is a basis of $N$ and $a_i \mid a_{i+1}$, for $1 \le i \le l-1$.

Proof. Omitted. See ([16], Section 1.5, Theorem 1).

Using the previous result we can prove that the norm of an ideal in the ring of integers of a number field is finite.

Proposition 3.1.14. Let $K$ be a number field and $A$ its ring of integers. Let $I$ be an ideal of $A$. Then $A/I$ is finite.

Proof. (1) We first consider the case of a principal ideal, i.e. $I = aA$, for some $a \in A - \{0\}$. We consider the multiplication-by-$a$ map defined as

$$m_a : A \to aA, \quad x \mapsto ax.$$

Since $A$ is a domain the map $m_a$ is one-to-one. Also, the map is onto, by definition of $aA$ and $m_a$. Since $A$ is a free $\mathbb{Z}$-module of rank $n = [K : \mathbb{Q}]$ (see Theorem 3.1.2(ii)), according to Theorem 3.1.13 $aA$ is also a free $\mathbb{Z}$-module. Moreover, as we have an isomorphism, $aA$ is of rank $n$. In particular, using part (ii) of the theorem we know that there exists a basis $\{e_1, \dots, e_n\}$ of $A$ and $a_1, \dots, a_n \in \mathbb{Z}$ such that

$$A \cong e_1\mathbb{Z} \oplus \dots \oplus e_n\mathbb{Z} \quad \text{and} \quad aA \cong a_1 e_1\mathbb{Z} \oplus \dots \oplus a_n e_n\mathbb{Z}.$$

Hence

$$A/I \cong (e_1\mathbb{Z} \oplus \dots \oplus e_n\mathbb{Z})/(a_1 e_1\mathbb{Z} \oplus \dots \oplus a_n e_n\mathbb{Z}) \cong \mathbb{Z}/a_1\mathbb{Z} \oplus \dots \oplus \mathbb{Z}/a_n\mathbb{Z},$$

and $A/I$ is finite with cardinality $a_1 \cdots a_n$.

(2) Next we can consider any ideal $I$ of $A$. There exists an element $a \in I - \{0\}$ and $aA \subseteq I$. The quotient $I/aA$ is an ideal of $A/aA$ and taking the quotient we find

$$(A/aA)/(I/aA) \cong A/I.$$

In particular $|A/I| = |(A/aA)/(I/aA)| \le |A/aA|$. According to part (1) of this proposition, $|A/aA|$ is finite, so $|A/I|$ is also finite.


Remark 3.1.15. Note that this property implies that any prime ideal $\mathfrak{p}$ of $A$ is maximal. Indeed, since $\mathfrak{p}$ is prime, $A/\mathfrak{p}$ is a finite domain. Thus, $A/\mathfrak{p}$ is a field and $\mathfrak{p}$ is maximal.
To prove in full detail that a finite domain $D$ is a field, one can prove that the multiplication-by-$d$ map is an isomorphism, for any non-zero $d \in D$. Then $1_D$ is the image of some $x \in D$, so that $dx = 1_D \Rightarrow x = d^{-1}$.

Moreover, one can prove the following properties related to the norm of an ideal:

Proposition 3.1.16. With the previous notation:

(i) The norm defined on ideals of $A$ is multiplicative, i.e. for some ideals $I, J \subseteq A$ we have $N(IJ) = N(I)N(J)$.

(ii) The norm of a principal ideal $aA$ is $N(aA) = |N_{K/\mathbb{Q}}(a)|$.

Proof. Omitted. See ([16], Section 3.5, Proposition 1 and 2).

Remark 3.1.17. Suppose $a \in \mathbb{Z}$. Since $A$ is a $\mathbb{Z}$-module, the multiplication-by-$a$ map is a scalar matrix and by definition $N_{K/\mathbb{Q}}(a) = a^n$ (see Subsection 3.1.3). Hence $N(aA) = |a^n|$.

Theorem 3.1.18. With the previous notation we have

$$\sum_{i=1}^{q} e_i f_i = n,$$

where $n$ is the degree of the field extension $K/\mathbb{Q}$.

Proof. Let $p$ be a prime number and consider the ideal $pA \subseteq A$. According to Theorem 3.1.4 we have the following decomposition into prime ideals of $A$:

$$pA = \prod_{i=1}^{q} \mathfrak{p}_i^{e_i}.$$

According to Proposition 3.1.16 the norm satisfies the equality:

$$N(pA) = \prod_{i=1}^{q} N(\mathfrak{p}_i)^{e_i}.$$

By the previous remark $N(pA) = p^n$. Also, we have seen in Subsection 3.1.2 that $A/\mathfrak{p}_i$ is a $\mathbb{Z}/p\mathbb{Z}$-vector space of dimension $f_i$. Hence $|A/\mathfrak{p}_i| = p^{f_i}$. Then we have

$$N(pA) = p^n = \prod_{i=1}^{q} p^{e_i f_i} \Rightarrow n = \sum_{i=1}^{q} e_i f_i.$$


We will consider this equation in more detail in the case of a Galois field extension of $\mathbb{Q}$ later on.
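The trace and norm of Definition 3.1.7, the equality $N(aA) = |N_{K/\mathbb{Q}}(a)|$ of Proposition 3.1.16 and the norm computation in the proof of Theorem 3.1.18 can be carried out by hand in a quadratic field. The Python below is an added example, not part of the thesis; it assumes $A = \mathbb{Z}[w]$ with $w^2 = d$ for $d = -1$ or $d = 2$ (where $\mathbb{Z}[w]$ is the full ring of integers), and its function names are illustrative.

```python
"""Trace, norm and |A/aA| in A = Z[w], w^2 = d, with basis {1, w}.

Added illustration. Assumption: d = -1 (Gaussian integers) or d = 2, where
Z[w] is the ring of integers of Q(w). An element x0 + x1*w is the pair (x0, x1).
"""


def mul(x, y, d):
    """Product of two elements of Z[w]."""
    return (x[0] * y[0] + d * x[1] * y[1], x[0] * y[1] + x[1] * y[0])


def mult_matrix(x, d):
    """Matrix M_x of y -> x*y in the basis {1, w}.

    Columns are the coordinates of x*1 = x0 + x1*w and x*w = d*x1 + x0*w.
    """
    x0, x1 = x
    return [[x0, d * x1],
            [x1, x0]]


def trace(x, d):
    """Tr(x) = trace of M_x (Definition 3.1.7 (i))."""
    m = mult_matrix(x, d)
    return m[0][0] + m[1][1]


def norm(x, d):
    """N(x) = det of M_x (Definition 3.1.7 (ii))."""
    m = mult_matrix(x, d)
    return m[0][0] * m[1][1] - m[0][1] * m[1][0]


def quotient_size(x, d):
    """|A/xA| counted directly, without using the determinant formula.

    xA is the lattice L = M_x * Z^2. With adj the adjugate of M_x and
    m = |det M_x|, a vector v lies in L exactly when adj*v = 0 mod m, so
    v -> adj*v mod m separates the cosets of L. Every coset meets the box
    [0, m)^2 because m*Z^2 is contained in L.
    """
    mat = mult_matrix(x, d)
    det = mat[0][0] * mat[1][1] - mat[0][1] * mat[1][0]
    if det == 0:
        raise ValueError("x must be non-zero")
    m = abs(det)
    adj = [[mat[1][1], -mat[0][1]],
           [-mat[1][0], mat[0][0]]]
    cosets = set()
    for v0 in range(m):
        for v1 in range(m):
            cosets.add(((adj[0][0] * v0 + adj[0][1] * v1) % m,
                        (adj[1][0] * v0 + adj[1][1] * v1) % m))
    return len(cosets)


if __name__ == "__main__":
    # In Z[i]: 5 = (2+i)(2-i), 2 = -i(1+i)^2, and 3 remains prime.
    for x in [(2, 1), (2, -1), (5, 0), (1, 1), (2, 0), (3, 0)]:
        print(x, "Tr =", trace(x, -1), "N =", norm(x, -1),
              "|A/xA| =", quotient_size(x, -1))
```

For $p = 5$ the two factors $(2+i)A$ and $(2-i)A$ each have norm $5$, so $e_1 f_1 + e_2 f_2 = 1 + 1 = 2 = n$; for $p = 3$ the single prime $3A$ has norm $3^2$, so $e = 1$ and $f = 2$.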

3.1.5 Integral Closure

In this section we define more generally integral elements over a ring. Also we define the integral closure of a ring and state some results related to this notion.

Definition 3.1.19 (Integer element, integrally closed). Let $A$ be a ring and $B$ a subring of $A$.

• We say that an element $x \in A$ is an integral element over $B$ if it is a root of a monic polynomial $p(t)$ with coefficients in $B$.

• The ring $C$ of all integral elements of $A$ over $B$ is called the integral closure of $A$. If $B = C$, then $B$ is said to be integrally closed in $A$.

If we consider fields instead of rings we can give an analogous definition for algebraic elements and the algebraic closure of a field.

As in the case of a number field, we have the following property:

Proposition 3.1.20. Let $A$ be an integral ring and let $K$ be its field of fractions. Let $L$ be a finite extension of $K$ and $x \in L$ an integer element over $A$. Suppose $K$ is of characteristic 0. Then:

- The coefficients of the characteristic polynomial of $x$ over $K$ are integers over $A$.

- Suppose $A$ is integrally closed. Then the coefficients of the characteristic polynomial of $x$ over $K$ belong to $A$.

We will apply this proposition to a number field $K$ and to the integral closure $A$ of $K$ over $\mathbb{Z}$. For that purpose, we first have to prove the following proposition:

Proposition 3.1.21. Let $K$ be a number field and $A$ its integral closure over $\mathbb{Z}$. Then $K$ is the fraction field of $A$.

Proof. Let us denote by $\operatorname{Frac}(A)$ the fraction field of $A$. By definition the fraction field of $A$ is the smallest field containing $A$. To construct it we consider an equivalence relation on $A \times (A - \{0\})$ given by $(a, b) \sim (a', b') \Leftrightarrow ab' = a'b$. In particular we have that for every $b \in \operatorname{Frac}(A)$, there exists an $a \in A$ such that $ab \in A$.

As $A \subseteq K$, the definition of $\operatorname{Frac}(A)$ proves already that $\operatorname{Frac}(A) \subseteq K$. We show the inverse inclusion. Consider $k \in K$. We want to show that $k \in \operatorname{Frac}(A)$, i.e. there exists $a \in A$ such that $ak \in A$. Consider the minimal polynomial $m(t)$ of $k$ over $\mathbb{Q}$; we have

$$m(k) = k^n + a_{n-1}k^{n-1} + \dots + a_1 k + a_0,$$

with $a_i \in \mathbb{Q}$, for all $i = 1, \dots, n-1$. Write $a_i = b_i/c_i$, then multiplying by $M = c_0 \cdots c_{n-1}$ we find a polynomial $p(t) = M m(t)$ with coefficients in $\mathbb{Z}$ and such that $p(k) = 0$. Multiplying again this polynomial by $M^{n-1}$ and evaluating it at $t = k$ we find

$$M^{n-1}p(k) = M^n k^n + M^{n-1} c_0 \cdots c_{n-2} b_{n-1} k^{n-1} + \dots + b_0 M^{n-1} c_1 \cdots c_{n-1} = 0. \tag{3.2}$$

Denote by $r(t)$ the polynomial

$$r(t) = t^n + c_0 \cdots c_{n-2} b_{n-1} t^{n-1} + \dots + b_0 M^{n-1} c_1 \cdots c_{n-1} \in \mathbb{Z}[t].$$

Then equation 3.2 is equivalent to $r(Mk) = 0$, which proves that $Mk$ is a root of a polynomial with coefficients in $\mathbb{Z}$, i.e. $Mk \in A$ and $k \in \operatorname{Frac}(A)$, because $M \in \mathbb{Z} \subset A$.
Hence $K = \operatorname{Frac}(A)$ and the result is proved.

3.1.6 Ramification theory for Galois extensions over Q

From now on we consider a Galois extension $K$ of $\mathbb{Q}$ and we denote by $G$ its Galois group and by $A$ its ring of integers. Recall that $G$ is a subgroup of the automorphism group $\operatorname{Aut}(K)$. We now prove several properties which will be useful in the proof of the final result of this section.
In the first proposition we prove that any element of $G$ fixes the ring $A$.

Proposition 3.1.22. For any element of the Galois group $\sigma \in G$ we have $\sigma(A) = A$.

Proof. Consider an element $x \in A$. By definition all coefficients of its minimal polynomial $m(t) \in \mathbb{Q}[t]$ are in $\mathbb{Z}$. Moreover, we know that for any $\sigma \in G$ we have $\sigma|_{\mathbb{Q}} = \operatorname{Id}_{\mathbb{Q}}$, where $\sigma|_{\mathbb{Q}}$ denotes the restriction of $\sigma$ to $\mathbb{Q}$. We have

$$m(t) = a_n t^n + \dots + a_1 t + a_0,$$

with $a_i \in \mathbb{Z}$, for all $i = 1, \dots, n$.
We know that $m(x) = 0$. We consider $\sigma(m(t))$ for $\sigma \in G$ and we find

$$\sigma(m(t)) = a_n \sigma(t)^n + \dots + a_1 \sigma(t) + a_0 = m(\sigma(t)),$$

by properties of homomorphisms of fields and because $\mathbb{Z} \subset \mathbb{Q}$. So we have $m(\sigma(x)) = \sigma(m(x)) = 0$ and $\sigma(x)$ is a zero of $m(t)$, for every $\sigma \in G$. But $m(t)$ is irreducible, so $m(t)$ is the minimal polynomial of $\sigma(x)$ and this proves that $\sigma(x) \in A$. Hence $\sigma(A) \subseteq A$.
As $G$ is a group, $\sigma^{-1} \in G$ and the first part shows that $\sigma^{-1}(A) \subseteq A$. Applying $\sigma$ we obtain $A = \sigma\sigma^{-1}(A) \subseteq \sigma(A)$. Hence we have $\sigma(A) = A$.

Remark 3.1.23. Notice that by the above argument we know that for every $\sigma \in G$, $\sigma(x)$ is a root of the minimal polynomial of $x$. Suppose $y \in K$ is another root of $m(t)$. Then as $m(t)$ is irreducible and monic, it is the minimal polynomial of $y$ over $\mathbb{Q}$ as well. Then there exists an isomorphism $\tau$ from $\mathbb{Q}(x)$ to $\mathbb{Q}(y)$ mapping $x$ to $y$ and such that $\tau|_{\mathbb{Q}} = \operatorname{Id}_{\mathbb{Q}}$. Moreover $\tau$ can be extended to a $\mathbb{Q}$-automorphism of $K$. For more details, we refer the reader to ([1], sections 2.2, 3.1).
This shows that every root of the minimal polynomial $m(t)$ is given by $\sigma(x)$, for some $\sigma \in G$.

We can now prove that the image of a prime ideal of $A$ by any $\sigma \in G$ is also a prime ideal of $A$.

Proposition 3.1.24. With the same notation as above, let $\sigma \in G$ be an automorphism of $K$ and let $I$ be a prime ideal of $A$. Then $\sigma(I)$ is a prime ideal of $A$ as well.

Proof. Suppose the product $a'b' \in \sigma(I)$, for some $a', b' \in A$. By the previous result we have $\sigma(A) = A$ and $\sigma$ is bijective, so we can find $a, b \in A$ such that $\sigma(a) = a'$ and $\sigma(b) = b'$. As $\sigma$ is a homomorphism of rings, we have $\sigma(a)\sigma(b) = \sigma(ab) = a'b' \in \sigma(I)$. This shows that $ab \in I$. As $I$ is prime, either $a$ or $b$ is in $I$. Suppose $a \in I$, then $\sigma(a) \in \sigma(I)$ and the result is proved.

Using these two first results and the characterization of the prime ideals dividing $pA$ given in Proposition 3.1.6, we can see that for any $\sigma \in G$ and any $\mathfrak{p}_i$ dividing $pA$, we have that $\sigma(\mathfrak{p}_i)$ divides $pA$ as well. Indeed, $\sigma(\mathfrak{p}_i) \cap \mathbb{Z} = \sigma(\mathfrak{p}_i) \cap \sigma(\mathbb{Z}) = \sigma(\mathfrak{p}_i \cap \mathbb{Z})$, because $\sigma$ is the identity on $\mathbb{Z}$. But then, by the same argument, $\sigma(\mathfrak{p}_i) \cap \mathbb{Z} = \sigma(p\mathbb{Z}) = p\mathbb{Z}$ and $\sigma(\mathfrak{p}_i)$ divides $pA$.

Definition 3.1.25 (Conjugates). For any $\sigma \in G$ and any prime ideal $\mathfrak{p}$, the elements $\sigma(\mathfrak{p})$ are called the conjugates of $\mathfrak{p}$.

The argument given above shows that if $\mathfrak{p}_i$ is in the decomposition of $pA$, then all its conjugates are in the decomposition as well.


Moreover, using the fact that $\sigma(A) = A$ and $\sigma(p) = p$ we have that $\sigma(pA) = pA$. Therefore, we have

$$pA = \sigma(pA) = \prod_{i=1}^{q} \sigma(\mathfrak{p}_i)^{e_i},$$

for any $\sigma \in G$. This proves that all conjugates of $\mathfrak{p}_i$ appear with the same exponent $e_i$.
We now prove a more general result which requires the following technical lemma.

Lemma 3.1.26. Let $R$ be a ring and $\mathfrak{p}_1, \dots, \mathfrak{p}_k$ a finite family of prime ideals of $R$. Suppose $I$ is an ideal of $R$ such that $I \not\subset \mathfrak{p}_i$, for all $i = 1, \dots, k$. Then there exists an element $x \in I$ such that $x \notin \mathfrak{p}_i$, for all $i = 1, \dots, k$.

Proof. Omitted (see [16] Section 6.2, Lemma 1).

Proposition 3.1.27. Let $p$ be a prime number. Then the prime ideals $\mathfrak{p}_i$ of $A$ dividing $pA$ are all conjugates and have the same ramification index $e$ and the same residual degree $f$. In particular we obtain

$$pA = \Big(\prod_{i=1}^{g} \mathfrak{p}_i\Big)^{e} \quad \text{and} \quad n = efg.$$

Proof. We have already shown that all conjugates of every $\mathfrak{p}_i$ are in the decomposition. It thus remains to prove that, for a given index $i$, the set of all conjugate ideals of $\mathfrak{p}_i$ is precisely the set of the ideals dividing $pA$.
Set $\mathfrak{p} = \mathfrak{p}_i$ and suppose that there is some $\mathfrak{p}_j$, with $j \in \{1, \dots, g\}$, that is not a conjugate of $\mathfrak{p}$. Denote by $\mathfrak{q}$ such a $\mathfrak{p}_j$. Then for every $\sigma$ in the Galois group $G$ we have $\mathfrak{q} \neq \sigma(\mathfrak{p})$. As both ideals are maximal we have in particular $\mathfrak{q} \not\subset \sigma(\mathfrak{p})$. Therefore by Lemma 3.1.26 there exists an element $x \in \mathfrak{q}$ such that $x \notin \sigma(\mathfrak{p})$, for all $\sigma \in G$. Considering the remark following Proposition 3.1.22 and since $x \in A$ the norm of $x$ in $K/\mathbb{Q}$ is

$$N_{K/\mathbb{Q}}(x) = \prod_{\tau \in G} \tau(x) \in \mathbb{Z}.$$

Moreover, since $\operatorname{Id} \in G$ and because $\mathfrak{q}$ is an ideal, we have $N_{K/\mathbb{Q}}(x) \in \mathfrak{q}$. Thus $N_{K/\mathbb{Q}}(x) \in \mathfrak{q} \cap \mathbb{Z} = p\mathbb{Z}$, because $\mathfrak{q}$ divides $pA$.
On the other hand, $\tau^{-1} \in G$ and so $x \notin \tau^{-1}(\mathfrak{p}) \Rightarrow \tau(x) \notin \mathfrak{p}$, for all $\tau \in G$. As $\mathfrak{p}$ is prime in $A$, this proves that $N_{K/\mathbb{Q}}(x) \notin \mathfrak{p}$. But this is a contradiction, because $\mathfrak{p} \cap \mathbb{Z} = p\mathbb{Z}$, i.e. $p\mathbb{Z} \subset \mathfrak{p}$ and we have shown that $N_{K/\mathbb{Q}}(x) \in p\mathbb{Z}$. Hence all ideals dividing $pA$ are conjugates of each other.


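Finally, we still have to prove the relation $efg = \sum_{i=1}^{g} e_i f_i = n$. We have already seen that each $\sigma \in G$ preserves the index $e$. Moreover, $\sigma$ preserves the residual degree $f$, because every algebraic relation is preserved. Indeed, denote by $f = [A/\mathfrak{p} : \mathbb{Z}/p\mathbb{Z}]$ and by $f_\sigma = [A/\sigma(\mathfrak{p}) : \mathbb{Z}/p\mathbb{Z}]$, then $f = [A/\mathfrak{p} : \mathbb{Z}/p\mathbb{Z}] = [\sigma(A)/\sigma(\mathfrak{p}) : \sigma(\mathbb{Z})/\sigma(p\mathbb{Z})] = [A/\sigma(\mathfrak{p}) : \mathbb{Z}/p\mathbb{Z}] = f_\sigma$, by the properties already shown. As all prime ideals dividing $pA$ are conjugates, this gives $n = \sum_{i=1}^{g} e_i f_i = efg$.

The following step is to fix a prime ideal $\mathfrak{p}$ of $A$ dividing $pA$ and to focus on the field extension $(A/\mathfrak{p})/(\mathbb{Z}/p\mathbb{Z})$ to show that it is a Galois extension.

Definition 3.1.28 (Decomposition group). Let $D$ be the set of elements of the Galois group $\sigma \in G$ such that $\sigma(\mathfrak{p}) = \mathfrak{p}$. Then $D$ is a group and is called the decomposition group of $\mathfrak{p}$.

Let us denote by $g$ the number of conjugates of $\mathfrak{p}$ and consider the action of the group $G$ on the set $C$ of all conjugates of $\mathfrak{p}$. Then $D$ is the subgroup $\operatorname{Stab}_G(\mathfrak{p})$ and the orbit $\operatorname{Orb}(\mathfrak{p})$ is the whole $C$ by definition. Therefore by the class formula we have $\operatorname{Card}(D) = \operatorname{Card}(G)/\operatorname{Card}(\operatorname{Orb}(\mathfrak{p})) = n/g$ and by the previous theorem this is $\operatorname{Card}(D) = ef$.
Moreover, for every $\sigma \in D$ we have $\sigma(A) = A$ and $\sigma(\mathfrak{p}) = \mathfrak{p}$. Therefore every $\sigma \in D$ defines an automorphism of $A/\mathfrak{p}$ by

$$\bar{\sigma} : A/\mathfrak{p} \to A/\mathfrak{p}, \quad \bar{x} \mapsto \overline{\sigma(x)}.$$

Notice that for every $x \in \mathbb{Z}$ we have $\sigma(x) = x$. Therefore, for every $\bar{x} \in \mathbb{Z}/p\mathbb{Z} \subset A/\mathfrak{p}$ we have $\bar{\sigma}(\bar{x}) = \bar{x}$. Hence $\bar{\sigma}$ is a $\mathbb{Z}/p\mathbb{Z}$-automorphism of $A/\mathfrak{p}$. Using the group homomorphism $\sigma \mapsto \bar{\sigma}$ we can thus define the inertia subgroup of $\mathfrak{p}$ as follows:

Definition 3.1.29 (Inertia group). With the previous notation we consider the homomorphism of groups mapping $\sigma$ to $\bar{\sigma}$. The inertia group of $D$ is the kernel of this homomorphism:

$$I = \{\sigma \in D \mid \bar{\sigma} = \operatorname{Id}_{A/\mathfrak{p}}\} = \{\sigma \in D \mid \sigma(x) - x \in \mathfrak{p}, \ \forall x \in A\}.$$

Next, with the same notation as above, we can prove that $(A/\mathfrak{p})/(\mathbb{Z}/p\mathbb{Z})$ is a Galois extension.

Proposition 3.1.30. The field $A/\mathfrak{p}$ is a Galois extension of $\mathbb{Z}/p\mathbb{Z}$ of degree $f$ with Galois group $G'$. Define $\alpha : D \to G'$ the homomorphism mapping $\sigma \in D$ to $\bar{\sigma} \in \operatorname{Aut}(A/\mathfrak{p})$. Then $\alpha$ is surjective. Moreover, $\operatorname{Card}(I) = e$.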


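Proof. Let $K_D$ be the subfield of $K$ fixed by $D$, i.e. $K_D$ is given by

$$K_D = \{k \in K \mid \sigma(k) = k, \ \forall \sigma \in D\}.$$

Denote the integral closure of $A$ in $K_D$ by $A_D = A \cap K_D$ and the prime ideal $\mathfrak{p}_D = \mathfrak{p} \cap A_D$. Notice that $\mathfrak{p}_D \cap \mathbb{Z} = \mathfrak{p} \cap \mathbb{Z} = p\mathbb{Z}$, because $\mathbb{Z} \subset A_D$. Therefore by Proposition 3.1.6 $\mathfrak{p}_D$ is a prime ideal dividing $pA_D$.

Recall that we consider a Galois extension $K/\mathbb{Q}$ of degree $n$ and $A$ denotes the ring of integers of $K$. Also $e$ and $f$ are respectively the index of ramification and the residual degree of $\mathfrak{p}$ in the decomposition of $pA$.
Then $K_D$ is an intermediate field $\mathbb{Q} \subseteq K_D \subseteq K$ and by the Fundamental Theorem of Galois theory we have a correspondence with $G \supseteq D \supseteq 1$ through the relation $K_D = \operatorname{Fix}(D)$. In particular, $K/K_D$ is a Galois field extension with $D$ as Galois group (see Corollary 37 in [1]) and we have $\operatorname{Card}(D) = [K : K_D]$. Therefore, by the argument preceding the theorem, we have $ef = \operatorname{Card}(D) = [K : K_D]$.

As $A$ is a Dedekind ring we can consider the decomposition of $\mathfrak{p}_D A$ into prime ideals of $A$ as in Theorem 3.1.4. We know that $\mathfrak{p}_D \subset \mathfrak{p}$, so $\mathfrak{p}_D A \subset \mathfrak{p}$ and $\mathfrak{p}$ is in the decomposition with all its conjugates. But by definition of $D$ there is no conjugate of $\mathfrak{p}$ different from itself. Therefore we have the decomposition

$$\mathfrak{p}_D A = \mathfrak{p}^{e'} \quad \text{with } f' = [A/\mathfrak{p} : A_D/\mathfrak{p}_D].$$

According to Theorem 3.1.18 we have $[K : K_D] = e'f'$ and hence $ef = e'f'$.
Now, as $\mathbb{Z} \cap \mathfrak{p}_D = p\mathbb{Z}$, $A_D \cap \mathfrak{p} = \mathfrak{p}_D$ and $\mathbb{Z} \subset A_D \subset A$, we have up to isomorphism $\mathbb{Z}/p\mathbb{Z} \subset A_D/\mathfrak{p}_D \subset A/\mathfrak{p}$. Therefore $f' \le f$. Moreover we have $e = e_{\mathfrak{p}}(pA)$ and $e' = e_{\mathfrak{p}}(\mathfrak{p}_D A)$. Using Property 3.1 on Dedekind rings and the inclusion $pA \subset \mathfrak{p}_D A$ we have $e \ge e'$. This inclusion is true, because $pA_D \subseteq \mathfrak{p}_D$ and hence $pA_D A = pA \subseteq \mathfrak{p}_D A$. Hence as $ef = e'f'$ we have $e = e'$ and $f = f'$.
In particular, it means that $A/\mathfrak{p}$ has the same dimension over $\mathbb{Z}/p\mathbb{Z}$ and over $A_D/\mathfrak{p}_D$, as a vector space. Since there is a copy of $\mathbb{Z}/p\mathbb{Z}$ in $A_D/\mathfrak{p}_D$, $\mathbb{Z}/p\mathbb{Z}$ and $A_D/\mathfrak{p}_D$ are isomorphic as $\mathbb{Z}/p\mathbb{Z}$-vector spaces. As they are finite fields, this is sufficient to conclude that $\mathbb{Z}/p\mathbb{Z}$ and $A_D/\mathfrak{p}_D$ are isomorphic as fields as well.

Moreover, since $\mathbb{Z}/p\mathbb{Z}$ is a perfect field, all its extensions are separable (see 1.5.2). In particular, the field extension $(A/\mathfrak{p})/(\mathbb{Z}/p\mathbb{Z})$ is separable. Hence to prove that $(A/\mathfrak{p})/(\mathbb{Z}/p\mathbb{Z})$ is a Galois extension, we only need to prove that it is a normal extension.
Also there exists a primitive element $\bar{x} \in A/\mathfrak{p}$, i.e. $A/\mathfrak{p} = \mathbb{Z}/p\mathbb{Z}(\bar{x})$. Let $x \in A$ be a representative of the class $\bar{x} \in A/\mathfrak{p}$ and write

$$m_x(t) = t^r + a_{r-1}t^{r-1} + \dots + a_1 t + a_0$$

its minimal polynomial over $K_D$. Now, since $x$ belongs to $A$, the minimal polynomial of $x$ over $\mathbb{Q}$ has coefficients in $\mathbb{Z} \subset A_D$. In particular, $x$ is integral over $A_D$, because it is a root of a polynomial with coefficients in $\mathbb{Z}$. As $A_D$ is a Dedekind ring and $K_D$ is its fraction field by Proposition 3.1.21 we conclude that $m_x(t)$ has coefficients in $A_D$ (see Proposition 3.1.20).
Moreover as $K/K_D$ is a Galois extension with Galois group $D$, the set of roots of $m_x(t)$ is the set $S$ of distinct elements of $\{\sigma(x) \mid \sigma \in D\}$. Reducing $m_x(t)$ modulo $\mathfrak{p}_D$ we find $\overline{m_x}(t) = t^r + \bar{a}_{r-1}t^{r-1} + \dots + \bar{a}_1 t + \bar{a}_0$ and as $\mathbb{Z}/p\mathbb{Z} \cong A_D/\mathfrak{p}_D$ we can consider the coefficients $\bar{a}_i$, for $i = 0, \dots, r$, as elements of $\mathbb{Z}/p\mathbb{Z}$. Denote by $M_{\bar{x}}$ the minimal polynomial of $\bar{x}$ over $\mathbb{Z}/p\mathbb{Z}$. Since $\overline{m_x}(\bar{x}) = \overline{m_x(x)} = 0 \in \mathbb{Z}/p\mathbb{Z}$, we have that $M_{\bar{x}}(t)$ divides $\overline{m_x}(t)$.

Clearly, we have $\bar{\sigma}(\bar{x}) = \overline{\sigma(x)} \in A/\mathfrak{p}$, for all $\sigma \in D$. Notice that as we have an injection of $A_D/\mathfrak{p}_D$ into $A/\mathfrak{p}$, we can associate the class of $\sigma(x)$ modulo $\mathfrak{p}_D$ to $\overline{\sigma(x)}$.

Moreover $m_x(t)$ splits in $K$ and we have

$$m_x(t) = \prod_{\sigma \in S} (t - \sigma(x)).$$

Taking the quotient modulo $\mathfrak{p}_D$ we obtain

$$\overline{m_x}(t) = \prod_{\bar{\sigma} = \alpha(\sigma),\ \sigma \in S} (t - \bar{\sigma}(\bar{x}))$$

which proves that $\overline{m_x}$ splits over $A/\mathfrak{p}$. It follows that $M_{\bar{x}}$ also splits in $A/\mathfrak{p}$. As $A/\mathfrak{p}$ is the smallest extension of $\mathbb{Z}/p\mathbb{Z}$ containing $\bar{x}$, this proves that $A/\mathfrak{p}$ is the splitting field of $M_{\bar{x}}(t)$ over $\mathbb{Z}/p\mathbb{Z}$ and thus, by Theorem 1.4.2, $(A/\mathfrak{p})/(\mathbb{Z}/p\mathbb{Z})$ is a normal field extension and hence a Galois extension (see Theorem 1.6.5).

Furthermore, all roots of $M_{\bar{x}}$ are of the form $\bar{\sigma}(\bar{x})$. This proves that each $(\mathbb{Z}/p\mathbb{Z})$-automorphism of $A/\mathfrak{p}$ is of the form $\bar{\sigma}$, for some $\sigma \in D$. Hence the map $\alpha$ is onto and the Galois group of the field extension $(A/\mathfrak{p})/(\mathbb{Z}/p\mathbb{Z})$ is isomorphic to $D/\ker\alpha = D/I$. The degree of the extension is $f = [A/\mathfrak{p} : \mathbb{Z}/p\mathbb{Z}]$. As we have a Galois extension, $f$ is also the cardinality of the Galois group which is $\operatorname{Card}(D)/\operatorname{Card}(I) = f$. Hence $ef/\operatorname{Card}(I) = f$ and so $\operatorname{Card}(I) = e$.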


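In particular, one can state the following corollary to this theorem which will be useful later on.

Corollary 3.1.31. A prime ideal $\mathfrak{p}$ has no ramification in $A$ if and only if the inertia group $I$ is trivial.

Proof. Recall that an ideal $\mathfrak{p}$ is said to have no ramification in $K/\mathbb{Q}$ if its ramification index is $e = 1$. By the previous theorem $\operatorname{Card}(I) = e$, therefore $I$ is trivial if and only if $\mathfrak{p}$ has no ramification.

Moreover we can prove the following relation between the decomposition and inertia groups of $\mathfrak{p}$ and those of its conjugates.

Proposition 3.1.32. With the same notation as above, let $\mathfrak{p}$ be a prime ideal of $A$ dividing $pA$ and denote by $D_{\mathfrak{p}}$ its decomposition group and $I_{\mathfrak{p}}$ its inertia group. Then for every automorphism $\sigma$ of the Galois group $G$, we have:

$$D_{\sigma(\mathfrak{p})} = \sigma D_{\mathfrak{p}} \sigma^{-1} \quad \text{and} \quad I_{\sigma(\mathfrak{p})} = \sigma I_{\mathfrak{p}} \sigma^{-1}.$$

Proof. Suppose $\tau \in D_{\mathfrak{p}}$. We start by proving that for any $\sigma \in G$, we have $\sigma\tau\sigma^{-1} \in D_{\sigma(\mathfrak{p})}$, i.e. $\sigma\tau\sigma^{-1}(\sigma(\mathfrak{p})) = \sigma(\mathfrak{p})$. We have $\sigma\tau\sigma^{-1}(\sigma(\mathfrak{p})) = \sigma\tau(\mathfrak{p}) = \sigma(\mathfrak{p})$, because $\tau$ preserves $\mathfrak{p}$. Hence $\sigma D_{\mathfrak{p}} \sigma^{-1} \subseteq D_{\sigma(\mathfrak{p})}$.
To prove the inverse inclusion we simply use that $\sigma^{-1} \in G$ and we apply the previous argument to $\sigma^{-1}$ and $D_{\sigma(\mathfrak{p})}$: we thus obtain the inclusion $\sigma^{-1} D_{\sigma(\mathfrak{p})} \sigma \subseteq D_{\mathfrak{p}}$ which is equivalent to $D_{\sigma(\mathfrak{p})} \subseteq \sigma D_{\mathfrak{p}} \sigma^{-1}$, hence the equality.

We proceed similarly for the inertia group. Suppose $\tau \in I_{\mathfrak{p}}$, then for every $x \in A$ we have $\tau(x) - x \in \mathfrak{p}$. For any $\sigma \in G$, we have

$$\sigma\tau\sigma^{-1}(x) - x = \sigma\tau(\sigma^{-1}(x)) - \sigma\sigma^{-1}(x) = \sigma\big(\tau(\sigma^{-1}(x)) - \sigma^{-1}(x)\big) \in \sigma(\mathfrak{p}),$$

because $\tau(\sigma^{-1}(x)) - \sigma^{-1}(x) \in \mathfrak{p}$. Hence $\sigma I_{\mathfrak{p}} \sigma^{-1} \subseteq I_{\sigma(\mathfrak{p})}$. As in the previous case, to prove the equality we repeat the same argument using $\sigma^{-1}$ and $I_{\sigma(\mathfrak{p})}$.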

3.2 The group Sn as a Galois group

We now have all necessary tools to prove that the polynomial

$$f(t) = t^n - t - 1 \in \mathbb{Q}[t]$$

is an irreducible polynomial generating a Galois extension having $S_n$ as Galois group. We start by proving that $f(t)$ is irreducible. This is the following proposition which is also the main result of this section. We are going to prove it carefully, sparing none of the details.


Proposition 3.2.1. The polynomial $f(t) = t^n - t - 1$ is irreducible over $\mathbb{Q}$.

Proof. (1) We first prove that $f(t)$ has no roots in $\mathbb{Q}$. Suppose $q = a/b$ is some reduced fraction such that $f(q) = 0$, with $a, b \in \mathbb{Z}$, then we have

$$\frac{a^n}{b^n} - \frac{a}{b} - 1 = 0 \Leftrightarrow a^n - ab^{n-1} = b^n \Leftrightarrow a(a^{n-1} - b^{n-1}) = b^n.$$

Hence $a$ divides $b$. Therefore $a = 1$, because by hypothesis $\gcd(a, b) = 1$. Then, by the previous argument, we have $1 - b^{n-1} = b^n$, so $(1 + b)b^{n-1} = 1$. This proves that $b$ is invertible and so $b = \pm 1$, because $b \in \mathbb{Z}$. Hence $q = \pm 1$. But this is a contradiction, because $1$ and $-1$ are not roots of $f$. Therefore $f$ has no roots in $\mathbb{Q}$.

(2) We then prove that $f$ is separable, i.e. $f(t)$ has only simple roots in $\mathbb{C}$. Indeed, if $z \in \mathbb{C}$ were a multiple root of $f(t)$, then $z$ would be a root of the derivative $f'$ as well (see [1], section 3.1). This means that $nz^{n-1} = 1$ and we would have $nz^n = z$. In other words we could get:

$$f(z) = 0 \Rightarrow nf(z) = z - nz - n = 0 \Rightarrow (1 - n)z = n.$$

Then $z = n/(1-n) \in \mathbb{Q}$, which is a contradiction, because $f(t)$ has no root in $\mathbb{Q}$.
These arguments prove that $f(t)$ is a separable polynomial.

(3) By now we know that if $f(t)$ is reducible it can be split into factors of degree at least 2 and so $f(t)$ could be reducible only for $n \ge 4$.
For every possible monic factor $Q$ of $f(t)$ with coefficients in $\mathbb{Z}$ and of degree $d$, we denote by $R(Q)$ its set of roots and we consider the sum

$$S(Q) = \sum_{z \in R(Q)} \left(z - \frac{1}{z}\right).$$

Recall that if $P(t) = \prod_{i=1}^{d}(t - z_i)$, the elementary symmetric functions of $P$ are given by the evaluation of the elementary symmetric functions in the roots of $P$, i.e.

$$s_i = (-1)^i \sum_{(r_1, \dots, r_i) \in S_i} z_{r_1} \cdots z_{r_i},$$

where $S_i$ is the set of all distinct $i$-tuples.
In particular the $s_i$'s, with $i = 1, \dots, d$, are the coefficients of $P$. For more details the reader is referred to Section 4.3 of [1].


Let (s)1≤i≤d denote the elementary symmetric functions of Q and noticethat sd−1/sd = 1/z1 + · · ·+ 1/zd. Therefore

S(Q) = s1 −sd−1

sd.

As the (s)1≤i≤d are the coe�cients of Q(t), we have si ∈ Z, for everyi = 1, . . . d.Moreover, sd = ±Q(0) = ±1, because Q is such that f(t) = Q(t)g(t),for a nonzero polynomial g. Therefore f(0) = Q(0)g(0) = −1 and asQ has coe�cients in Z this proves Q(0) = ±1 and so S(Q) lies in Z aswell. All coe�cients of f(t) are known, so we get that S(f) = 0+1 = 1.

If f(t) were reducible over Q there would be two polynomials Q,Pwith coe�cients in Z such that f(t) = Q(t)P (t), because f has coe�-cients in Z. By the �rst part of the proof, we know that both factorshave degree at least 2. Moreover we have the relation

S(f) = S(Q) + S(P ) = 1,

because the union of the roots of Q and P respectively would be pre-cisely the roots of f(t).Using this relation we will �nd a contradiction. In fact we are going toprove that such factors P,Q cannot exist, by showing that both S(Q)and S(P ) are greater than 1.

Fix a root z = r exp(iθ) of the polynomial factor Q. As f(z) = 0,we have the relation

r2n = |z − 1|2 = r2 + 1 + 2r cos(θ) (3.3)

This implies in particular that r 6= 1. Indeed, suppose r = 1, thencos(θ) = −1/2, so θ = π/3 and z is a cubic root of 1 and is not a rootof f(t).We now consider the real part of this complex number in order to provethe following inequality:

2R(z − 1

z) >

1

r2− 1

First, as 1/z = 1r

exp(−iθ), we have

2R(z − 1

z) = 2 cos(θ)(r − 1

r)

Page 41: Galois Inverse

3.2 The group Sn as a Galois group 41

and according to equation 3.3 we have 2cos(θ) = (r2n− r2− 1)/2r andwe �nd

2R(z − 1

z) =

(r2 − 1)(r2n − r2 − 1)

r2=

(r2 − 1)(r2n − r2)

r2− r2 − 1

r2.

The term (r2−1)(r2n−r2)r2

is positive for all r, because both factors arepositive for r > 1 and negative for r < 1. Therefore we obtain theinequality

2R(z − 1

z) >

1

r2− 1. (3.4)

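Then, let us denote by $r_i$ the norm of the root $z_i$ of $Q$, for $i = 1, \dots, d$. We have $Q(0) = \pm 1$, so

$$1 = |Q(0)|^2 = \prod_{i=1}^{d} r_i^2 \;\Rightarrow\; 1 = \frac{1}{\prod_{i=1}^{d} r_i^2} = \prod_{i=1}^{d} \frac{1}{r_i^2}.$$

The inequality between arithmetic and geometric mean gives

$$\frac{1}{d}\sum_{i=1}^{d} \frac{1}{r_i^2} \ge \left(\prod_{i=1}^{d} \frac{1}{r_i^2}\right)^{1/d} = 1 \tag{3.5}$$

and particularly $\sum_{i=1}^{d} \frac{1}{r_i^2} \ge d$. Finally, using equations 3.4 and 3.5 and since $S(Q) \in \mathbb{Z}$, we conclude that

$$2S(Q) = 2\sum_{i=1}^{d} \Re\left(z_i - \frac{1}{z_i}\right) > \sum_{i=1}^{d} \left(\frac{1}{r_i^2} - 1\right) \ge 0.$$

So $S(Q) > 0$, but as $S(Q) \in \mathbb{Z}$, this is equivalent to $S(Q) \ge 1$, thus $S(Q) + S(P) \ge 2$, which yields a contradiction. Hence the polynomial $f(t) = t^n - t - 1$ is irreducible over $\mathbb{Q}$, for every positive integer $n$.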

We denote by $K$ the splitting field of the polynomial $f(t) = t^n - t - 1 \in \mathbb{Q}[t]$. Notice that in the first part of the proof we found that $f(t)$ is a separable polynomial of $\mathbb{Q}[t]$. Therefore, according to Theorem 1.6.5, $K/\mathbb{Q}$ is a Galois extension. Let $G$ denote its Galois group and $A$ denote the ring of integers of $K$. As $f(t)$ is monic and irreducible, it is the minimal polynomial of each one of its roots. Therefore for any pair of roots $z_i, z_j$ of $f(t)$ we have

$$\mathbb{Q}(z_i) \cong \mathbb{Q}(z_j) \cong \mathbb{Q}[t]/\langle f(t) \rangle.$$

In particular we can define an isomorphism of fields $\phi$ mapping $z_i$ to $z_j$ such that $\phi$ is the identity on $\mathbb{Q}$ and $\phi$ can be extended to a $\mathbb{Q}$-automorphism of $K$ (see [1] section 3.1). This automorphism is an element of the Galois group $G$ of the extension $K/\mathbb{Q}$. Hence the action of $G$ on the set of roots $\{z_i\}_{i=1}^{n}$ is transitive. In particular, we can associate to each $\sigma \in G$ a permutation of the $n$ roots and look at $G$ as a subgroup of $S_n$.

The next step is then to show that $G$ gives the whole $S_n$. In particular, we will prove two lemmas that will be useful to show that $G$ is generated by transpositions in $S_n$ and so that $G$ is $S_n$, since $G$ acts transitively on the roots of $f$.

Lemma 3.2.2. The Galois group $G$ is generated by the inertia groups $I_{\mathfrak{p}}$, $\mathfrak{p} \in \mathcal{P}$, where $\mathcal{P}$ is the set of all maximal ideals of $A$.

A proof of this lemma is based on the following theorem of Hermite-Minkowski on the ramification of number fields (see Theorem 1 of Section 4.3 in [16]).

Theorem 3.2.3. For any number field $F \neq \mathbb{Q}$ the absolute discriminant $d_F$ satisfies $d_F \neq \pm 1$.

A field extension $F/L$ is said to be unramified if no prime ideal of $L$ is ramified in $F/L$. An important property concerning the absolute discriminant of $F$ states that $p$ is ramified in $F/L$ if and only if $p \mid d_F$ (see Theorem 1 of Section 5.3 in [16]). Using this property and Theorem 3.2.3 we conclude that there is no unramified field extension of $\mathbb{Q}$. Indeed, $d_F \neq \pm 1$ implies that $d_F$ has at least one prime factor. Let us now see how these arguments are used in the proof of the lemma.

Proof. (of Lemma 3.2.2) First recall that according to Remark 3.1.15 any prime ideal of $A$ is a maximal ideal. Hence $\mathcal{P}$ is the set of all prime ideals of $A$. Clearly the set of all $I_{\mathfrak{p}}$, with $\mathfrak{p} \in \mathcal{P}$, generates a subgroup of $G$. Let us denote by $H$ this subgroup. $H$ is a normal subgroup of $G$. Indeed, for any $\mathfrak{p} \in \mathcal{P}$, we know that $\sigma I_{\mathfrak{p}} \sigma^{-1} = I_{\sigma(\mathfrak{p})} \in H$ by Lemma 3.1.32 and $\sigma(\mathfrak{p})$ is a prime ideal as well (see Proposition 3.1.24). By the Fundamental Theorem of Galois (see Theorem 1.6.6) there is a Galois extension $K/L$, given by $L = \mathrm{Fix}(H)$ and such that $\mathrm{Gal}(K/L) \cong H$. Since $H$ is a normal subgroup of $G$, the extension $L/\mathbb{Q}$ is also a Galois extension with Galois group $\mathrm{Gal}(L/\mathbb{Q}) \cong G/H$. We would like to prove that $H = G$, or equivalently, that $L = \mathbb{Q}$. By the remark preceding the proof, we can show that any prime number $p$ is unramified in $L$. According to Theorem 3.2.3, this will prove that $L/\mathbb{Q}$ is an unramified extension and thus $L = \mathbb{Q}$.

Fix a prime number $p$ and a prime ideal $\mathfrak{p}$ of $A$ dividing $p$. Put $\wp = \mathfrak{p} \cap L$ and consider $A_L = A \cap L$. $A_L$ is a Dedekind ring as well and we have $\wp \cap \mathbb{Z} = \mathfrak{p} \cap \mathbb{Z} = p\mathbb{Z}$. Hence $\wp$ is a prime ideal of $A_L$ dividing $pA_L$. Let $I_{\mathfrak{p}}$ and $I_\wp$ denote the inertia group of $\mathfrak{p}$ and $\wp$ respectively. Consider the morphism of restriction $r : G \to \mathrm{Gal}(L/\mathbb{Q})$; it is a surjection. For any $\tau \in I_{\mathfrak{p}}$, we have $r(\tau) \in I_\wp$. Indeed, for any $x \in L$ we have $r(\tau)(x) - x \in \mathfrak{p} \cap L$, because $r(\tau(x)) = \tau(x)$. Thus $r(I_{\mathfrak{p}}) \subseteq I_\wp$. Conversely, we are going to prove that $I_\wp \subseteq r(I_{\mathfrak{p}})$. For any $\sigma \in I_\wp$, one can find $\sigma' \in G$ such that $r(\sigma') = \sigma$. For such $\sigma$, we have $r(\alpha\sigma') = \sigma$ as well for all $\alpha \in H$. Denote by $P_\wp$ the subset of conjugates of $\wp$ in $L$ and write $D$ and $D_\wp$ for the decomposition group of $\mathfrak{p}$ and $\wp$ respectively. One can prove that the following map is a well-defined bijection.

$$\gamma : H|G|D \to P_\wp, \qquad H\sigma D \mapsto \sigma(\wp),$$

where $H|G|D$ denotes a structure of double cosets (see Remark 3.2.4). The map $\gamma$ is well-defined and one-to-one, because the elements of $H$ and $D$ are not modifying the action on $\wp \subset L$. Also, the map $\gamma$ is onto, because the map $r$ is onto. Hence we have proved that the elements of $HD$ map $\wp$ to $\wp$. In particular, for any $\sigma \in D_\wp$, there exists $\sigma' \in D$ such that $r(\sigma') = \sigma$. This proves that we have an isomorphism $D/(D \cap H) \cong D_\wp$. In particular, $r(D) = D_\wp$. Next, by Proposition 3.1.30, the extensions $(A/\mathfrak{p})/(\mathbb{Z}/p\mathbb{Z})$ and $(A_L/\wp)/(\mathbb{Z}/p\mathbb{Z})$ are Galois extensions and we have the following diagram:

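$$\begin{array}{ccccccccc}
1 & \longrightarrow & I_{\mathfrak{p}} & \xrightarrow{\;i\;} & D & \xrightarrow{\;\alpha\;} & \mathrm{Gal}((A/\mathfrak{p})/(\mathbb{Z}/p\mathbb{Z})) & \longrightarrow & 1 \\
 & & \downarrow{\scriptstyle r_I} & & \downarrow{\scriptstyle r_D} & & \downarrow{\scriptstyle \pi} & & \\
1 & \longrightarrow & I_\wp & \xrightarrow{\;i_L\;} & D_\wp & \xrightarrow{\;\alpha_L\;} & \mathrm{Gal}((A_L/\wp)/(\mathbb{Z}/p\mathbb{Z})) & \longrightarrow & 1
\end{array}$$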

where $\alpha, \alpha_L$ are the maps defined in Proposition 3.1.30, $i$ and $i_L$ are inclusion maps and $\pi$ is the canonical projection. According to the Snake Lemma there thus exists a short exact sequence for the cokernels of $r_I$, $r_D$ and $\pi$. Then, this proves the isomorphism $I_\wp \cong I_{\mathfrak{p}}/(I_{\mathfrak{p}} \cap H)$. Hence $r(I_{\mathfrak{p}}) = I_\wp$.

Now, by definition of $H$ we have $I_{\mathfrak{p}} \subseteq H$, but $L = \mathrm{Fix}(H)$ and therefore $r(H) = \{\mathrm{Id}\}$. This proves that $I_\wp = \{\mathrm{Id}\}$ and by Corollary 3.1.31 $p$ is unramified in $L$. As the choice of $p$ was arbitrary we have $L = \mathbb{Q}$, i.e. $H = G$, which proves the lemma.


Remark 3.2.4. - For more details on the structure of double cosets and on properties related to the map $\gamma$, we refer the reader to ([11], Chapter 1, Section 9).

- The Snake Lemma is the statement that, in a diagram similar to the one considered, there exists a short exact sequence relating the kernels and one relating the cokernels of $r_I$, $r_D$ and $\pi$. This statement and a proof of the lemma can be found in any book on ring and module theory.

In the second lemma we consider the inertia group $I_{\mathfrak{p}}$ of a fixed prime ideal $\mathfrak{p}$ of $A$.

Lemma 3.2.5. Let $p$ be a prime number and $\mathfrak{p}$ a prime ideal of $A$ dividing $p$. Then the order of $I_{\mathfrak{p}}$ satisfies $|I_{\mathfrak{p}}| \le 2$. In particular, if $I_{\mathfrak{p}}$ is not trivial, then it is generated by a transposition.

Proof. Denote by $\bar{x}$ the reduction of an element $x$ of $A$ modulo $\mathfrak{p}$ and consider the reduction of $f(t)$ mod $\mathfrak{p}$ given by

$$\bar{f}(t) = \prod_{i=1}^{n} (t - \bar{x}_i) = t^n - t - 1 \in (A/\mathfrak{p})[t],$$

where $x_1, \dots, x_n$ are the roots of $f(t)$.

Moreover we have $\bar{f}'(t) = nt^{n-1} - 1$ and $t\bar{f}'(t) - n\bar{f}(t) = (n-1)t + n$, which is nonzero, because $p$ cannot divide both $n$ and $n - 1$. Then denote by $d(t)$ the gcd of $\bar{f}$ and $\bar{f}'$: $d(t)$ must divide $t\bar{f}'(t) - n\bar{f}(t)$ as well.

In particular, suppose $\bar{f}(t) = d(t)r(t)$ and $\bar{f}'(t) = d(t)q(t)$, then we have

$$(n-1)t + n = d(t)(tq(t) - nr(t)).$$

This proves that $d(t)$ is a polynomial of degree at most 1. But every multiple root $\bar{x}$ of $\bar{f}$ gives a factor of the form $(t - \bar{x})$ in $d(t)$, hence $\bar{f}$ has at most one double root.

Next, suppose that the inertia group $I_{\mathfrak{p}}$ is not trivial. There exists an element $s \neq \mathrm{Id}$ in $I_{\mathfrak{p}}$. As $s$ is not the identity, there exists a root $x_i$ of $f(t)$ such that $s(x_i) = x_j$, with $j \neq i$. But by definition of $I_{\mathfrak{p}}$ the element $s$ satisfies $\overline{s(x)} = \bar{x}$. In particular, for the root $x_i$ this implies the relation:

$$\bar{x}_i = \overline{s(x_i)} = \bar{x}_j.$$

Then $\bar{x}_i$ is a double root of $\bar{f}$. Hence, repeating this argument we see that for every root $x_i$ such that $s(x_i) = x_j$ with $i \neq j$, we obtain a double root of $\bar{f}$. As $\bar{f}$ has at most one double root, we have that $s(x_k) = x_k$, for any $k \neq i, j$ in $\{1, \dots, n\}$. Thus $s$ is the transposition of roots $(x_i, x_j)$. Moreover, $I_{\mathfrak{p}}$ cannot contain another nontrivial element, because again we would find at least another multiple root. Therefore $I_{\mathfrak{p}} = \{\mathrm{Id}, s\}$ is of order 2.
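The degree bound on the gcd used in the proof of Lemma 3.2.5 can be checked by machine. The following Python code is an added example, not part of the thesis: it runs the Euclidean algorithm in F_p[t] on the reductions of f(t) = t^n − t − 1 and f′(t), and reports the double root when there is one. All function names are chosen here, and n ≥ 2 is assumed.

```python
"""gcd of f = t^n - t - 1 and f' over F_p: the degree never exceeds 1."""


def trim(poly, p):
    """Reduce coefficients mod p and drop zero leading terms.

    Polynomials are coefficient lists, lowest degree first.
    """
    poly = [c % p for c in poly]
    while poly and poly[-1] == 0:
        poly.pop()
    return poly


def poly_mod(a, b, p):
    """Remainder of a divided by b in F_p[t]; b must be nonzero."""
    a, b = trim(a, p), trim(b, p)
    inv_lead = pow(b[-1], -1, p)
    while len(a) >= len(b):
        factor = a[-1] * inv_lead % p
        shift = len(a) - len(b)
        for i, c in enumerate(b):
            a[shift + i] = (a[shift + i] - factor * c) % p
        a = trim(a, p)
    return a


def poly_gcd(a, b, p):
    """Monic gcd in F_p[t]; a must be nonzero mod p."""
    a, b = trim(a, p), trim(b, p)
    while b:
        a, b = b, poly_mod(a, b, p)
    inv_lead = pow(a[-1], -1, p)
    return [c * inv_lead % p for c in a]


def f_and_derivative(n):
    """Integer coefficients of f = t^n - t - 1 and f' = n t^(n-1) - 1."""
    f = [-1, -1] + [0] * (n - 2) + [1]
    df = [-1] + [0] * (n - 2) + [n]
    return f, df


def repeated_factor(n, p):
    """Monic gcd d(t) of the reductions of f and f' modulo p."""
    f, df = f_and_derivative(n)
    return poly_gcd(f, df, p)


def double_root(n, p):
    """The double root of f mod p in F_p, or None if f mod p is separable."""
    d = repeated_factor(n, p)
    if len(d) == 1:          # d = 1: no repeated factor
        return None
    return (-d[0]) % p       # d = t - x is stored as [-x, 1]


def primes_below(bound):
    """Primes smaller than bound, by trial division."""
    return [q for q in range(2, bound)
            if all(q % r for r in range(2, int(q ** 0.5) + 1))]


def primes_with_double_root(n, bound):
    """Primes p < bound for which f mod p has a double root."""
    return [p for p in primes_below(bound) if double_root(n, p) is not None]


if __name__ == "__main__":
    for n in range(2, 8):
        print(n, primes_with_double_root(n, 300))
```

For n = 2 and n = 3 the primes found are the prime divisors of the discriminants 5 and −23 of t^2 − t − 1 and t^3 − t − 1.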

These two lemmas show that $G$ is generated by transpositions of roots of $f$. Moreover, as $f(t)$ is irreducible, $G$ is acting transitively on the set of roots. The next lemma is the statement that a subgroup of $S_n$ with these properties is actually the whole group.

Lemma 3.2.6. Let $n \ge 1$ be an integer and let $G$ be a transitive subgroup of $S_n$ generated by some transpositions. Then $G = S_n$.

Proof. Let $(a, b)$ be a transposition in $S_n$. We denote by $T$ the set of transpositions that belong to $G$. We want to prove that $(a, b)$ lies in $T$. As $G$ acts transitively, we know that there exists an element $g \in G$ such that $g(a) = b$. As $G$ is generated by some transpositions we have

$$g = \prod_{i=1}^{r} t_i,$$

for some $t_1, \dots, t_r \in T$. We can take $t_1, \dots, t_r$ such that $r$ is minimal among all lengths of the products of elements of $T$ that are equal to $g$. If $g \notin T$, we have $r \ge 2$.

Notice that $b$ is not fixed by $t_1$. Indeed, if this were the case, we would have $t_1 g(a) = t_1(b) = b$. But $t_1$ is a transposition, therefore this is equivalent to $t_2 \cdots t_r(a) = b$, which contradicts the minimality of $r$. Similarly we can prove that none of the $t_j$ satisfies $t_j(b) = b$, for $j = 2, \dots, r-1$. Indeed, denote $t'_i = t_j^{-1} t_i t_j$, for all $i = 1, \dots, r-1$ and for a fixed $j$. Every $t'_i$ is in $T$ as well and we can write $g$ as

$$g = t_j \left(\prod_{i=1}^{j-1} t'_i\right)\left(\prod_{i=j+1}^{r} t_i\right).$$

We then apply the same argument used previously for $t_1$ to show that none of the $t_j$ satisfies $t_j(b) = b$. In particular this is true for $t_r$. Moreover, $t_r$ does not fix $a$. Indeed, if $t_r(a) = a$, then we would have $t_1 \cdots t_r(a) = t_1 \cdots t_{r-1}(a) = b$, which contradicts the minimality of $r$. This proves the result. Indeed, any transposition permutes two elements and fixes all the other ones. As $a$ and $b$ are not fixed by $t_r$, we have $t_r = (a, b)$. So $(a, b) \in G$ and $G = S_n$.


Using the results proved we find that the splitting field $K$ of the polynomial $f(t) = t^n - t - 1$ over $\mathbb{Q}$ has Galois group $G \cong S_n$.

Notice that this is not the only possibility to construct $S_n$ as a Galois group. For example, when $n = 5$, using Lemma 49 and Theorem 51 of [1], we can prove that the splitting field $C$ of the polynomial $t^5 - 6t + 3$ over $\mathbb{Q}$ is such that $\mathrm{Gal}(C/\mathbb{Q}) \cong S_5$. Using PARI/GP we can verify that the two extensions are not isomorphic (see Annexe A).


Chapter 4

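The semidirect product Z/pZ ×ϕ Z/(p − 1)Z

4.1 Semidirect products of groups

4.1.1 Description of the group Z/pZ ×ϕ Z/(p − 1)Z

First of all we define the semidirect product $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$ as follows.

Let $p$ be a prime number, $a$ a generator of the multiplicative group $(\mathbb{Z}/p\mathbb{Z})^*$ and $\varphi$ the group homomorphism defined by

$$\varphi : \mathbb{Z}/(p-1)\mathbb{Z} \to \mathrm{Aut}(\mathbb{Z}/p\mathbb{Z}), \qquad n \bmod (p-1)\mathbb{Z} \mapsto \{t \mapsto a^n t, \text{ for any } t \in \mathbb{Z}/p\mathbb{Z}\}.$$

Then the semidirect product $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$ is the non-abelian group defined on the cartesian product $\mathbb{Z}/p\mathbb{Z} \times \mathbb{Z}/(p-1)\mathbb{Z}$ by the following multiplication

$$((b, c), (d, e)) \mapsto (b, c) \cdot (d, e) = (b + \varphi(c)(d), c + e),$$

for all $b, d \in \mathbb{Z}/p\mathbb{Z}$ and $c, e \in \mathbb{Z}/(p-1)\mathbb{Z}$. To simplify the notation, we will omit the operator $\cdot$ in general.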

Recall that this definition can be generalized. Precisely, for any groups $N, H$ we can define the semidirect product $N \times_\phi H$ using a homomorphism of groups $\phi : H \to \mathrm{Aut}(N)$ and the multiplication given on $N \times H$. In particular this is called the external semidirect product of $N$ and $H$, when $N$ and $H$ are not subgroups of a same group $G$.


4.1.2 Short exact sequences of groups

The aim of this chapter is to realize the semidirect product $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$ as a Galois group of a Galois field extension. In particular, we will use a result on exact sequences to prove that $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$ is the Galois group of the field extension given by the splitting field of the polynomial $f(t) = t^p - 2$. We then recall the definition of short exact sequence.

Definition 4.1.1. Let $G$ be a group and let $N, H$ be two subgroups of $G$. We say that two group homomorphisms $\alpha : N \to G$ and $\beta : G \to H$ define a short exact sequence

$$1 \longrightarrow N \xrightarrow{\;\alpha\;} G \xrightarrow{\;\beta\;} H \longrightarrow 1$$

if the following conditions are satisfied:

(i) α is an injective group homomorphism;

(ii) β is a surjective group homomorphism;

(iii) ker(β) = Im(α).

When this is the case, we say that the group $G$ is a group extension of $N$ and $H$. Moreover, a section of the short exact sequence is a group homomorphism $s : H \to G$ satisfying $\beta \circ s = \mathrm{Id}_H$.

There exist short exact sequences that do not contain any section $s$. The main theorem of this chapter is related to the existence of a section for a certain exact sequence. We will also use the following statement.

Proposition 4.1.2. Let $G$ be a group and $N$ a normal subgroup of $G$. We consider the short exact sequence

$$\{1_G\} \longrightarrow N \xrightarrow{\;i\;} G \xrightarrow{\;\pi\;} G/N \longrightarrow \{1_G\},$$

where $i$ denotes the inclusion homomorphism and $\pi$ denotes the canonical projection on the quotient group. Suppose $s : G/N \to G$ is a section of this sequence and write $H = s(G/N)$. Then we have

$$G = HN \quad\text{and}\quad N \cap H = \{1_G\}.$$


Proof. Suppose $g \in H \cap N$. Then $g \in N = \ker\pi$ and we have $\pi(g) = N$. Moreover, $g \in H = \mathrm{Im}(s)$, i.e. there exists $g' \in G$ such that $s(g'N) = g$. But then $\pi \circ s(g'N) = N$. As $\pi \circ s = \mathrm{Id}_{G/N}$, we obtain $g'N = N$. But as $\pi$ is a group homomorphism the representative of the unity class $N$ must be $g = s(g'N) = s(N) = 1_G$. Hence $N \cap H = \{1_G\}$.

We then prove the equality $G = HN$. Clearly $HN \subseteq G$. We want to prove the inverse inclusion. Suppose $g \in G$ and write $h = s(gN)$. We have $\pi \circ s = \mathrm{Id}_{G/N}$, therefore we get $hN = \pi(h) = gN$. It follows that $h^{-1}gN = N \Leftrightarrow h^{-1}g \in N$. Then, any $g \in G$ can be written as $g = h(h^{-1}g) \in HN$. Hence $G = HN$.

4.1.3 Group extensions

The interest of Proposition 4.1.2 for our aim is actually related to the following lemma, which gives conditions on a group $G$ which is an extension of two groups $N$ and $H$.

Lemma 4.1.3. Let $G$ be a group with identity element $1_G$ and $H, N$ two subgroups of $G$. Suppose that $N$ is a normal subgroup and that the following relations are satisfied

$$G = HN \quad\text{and}\quad H \cap N = \{1_G\}.$$

Then we have $G \cong N \times_\Psi H$, where $\Psi : H \to \mathrm{Aut}(N)$ is the homomorphism which associates to $h \in H$ the automorphism $\Psi(h)$ mapping $n \in N$ to $hnh^{-1}$.

Remark 4.1.4. Notice that in this lemma we use an inner semidirect product.

Proof. First of all notice that for any $h \in H$ the image $\Psi(h)$ is an automorphism of $N$, because $N$ is a normal subgroup of $G$. To prove the result we define the homomorphism $\alpha : N \times_\Psi H \to G$ by

$$(n, h) \mapsto hn.$$

The property $G = HN$ guarantees that $\alpha$ is onto and the injectivity is given by the property $H \cap N = \{1_G\}$. Indeed, suppose $\alpha((n, h)) = hn = 1_G$. Then $h = n^{-1} \in H$. But then $n^{-1} \in H \Rightarrow n \in H \cap N \Rightarrow n = h = 1_G$. Hence $(n, h) = (1_G, 1_G)$ is the identity element. Moreover we can show that $\alpha$ preserves the multiplication. We have:

$$\alpha((n, h)(n', h')) = \alpha((n\Psi(h)(n'), hh')) = \alpha((nhn'h^{-1}, hh')) = nhn'h'$$


This is equal to $\alpha((n, h))\alpha((n', h')) = nhn'h'$.

Therefore $\alpha$ is a bijective homomorphism and we have $G \cong N \times_\Psi H$.

4.2 Realization of the group Z/pZ ×ϕ Z/(p − 1)Z as a Galois group

We can now prove the main result of this chapter. Precisely, we are going to express the group $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$ as the Galois group of the splitting field of the polynomial $f(t) = t^p - 2$. Our main result is the following:

Proposition 4.2.1. The Galois group of $f(t) = t^p - 2$ over $\mathbb{Q}$ is isomorphic to the semidirect product $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$, where $\varphi : \mathbb{Z}/(p-1)\mathbb{Z} \to \mathrm{Aut}(\mathbb{Z}/p\mathbb{Z})$ is the group homomorphism defined at the beginning of Section 4.1.

Proof. Denote by $\varepsilon$ a primitive $p$-th root of unity in $\mathbb{C}$ and by $\alpha$ a root of $f(t)$ in $\mathbb{C}$. Note that for every exponent $i \in \{0, \dots, p-1\}$ the element $\varepsilon^i\alpha$ is also a root of $f(t)$. Indeed, as $p$ is a prime number, every $\varepsilon^i$ is a $p$-th root of unity and we have $f(\varepsilon^i\alpha) = (\varepsilon^i\alpha)^p - 2 = \varepsilon^{ip}\alpha^p - 2 = 0$. Moreover according to the Eisenstein criterion (see Theorem 6 in [1]) the polynomial $f(t)$ is irreducible over $\mathbb{Q}$. It follows that $f(t)$ is the minimal polynomial of $\alpha$ over $\mathbb{Q}$. In particular, $f(t)$ is separable, because $\varepsilon^i \neq \varepsilon^j$, for all $i \neq j$, $0 \le i, j \le p-1$.

The splitting field of $f(t)$ over $\mathbb{Q}$ is $K = \mathbb{Q}(\varepsilon, \alpha)$. Indeed

$$f(t) = \prod_{i=0}^{p-1} (t - \varepsilon^i\alpha)$$

splits over $K$, which proves that the splitting field of $f$ lies in $K$. On the other side, $K$ is the smallest field extension of $\mathbb{Q}$ containing $\alpha$ and $\varepsilon$. Moreover, the splitting field of $f(t)$ must contain all its roots, therefore it must contain $\alpha$, $\varepsilon\alpha$, but also $\alpha^{-1}$, because it is a field. This proves that $(\varepsilon\alpha)\alpha^{-1} = \varepsilon$ must be in the splitting field as well. Hence $K$ is the splitting field of $f(t)$ over $\mathbb{Q}$. By Theorem 1.6.5, it follows that $K/\mathbb{Q}$ is a Galois extension.

Denote by $G$ the Galois group $\mathrm{Gal}(K/\mathbb{Q})$. As $\mathbb{Q}(\varepsilon)/\mathbb{Q}$ is also a Galois extension (see Proposition 2.1.2), we know by Theorem 1.6.6 that $N = \mathrm{Gal}(K/\mathbb{Q}(\varepsilon))$ is a normal subgroup of $G$. Write also $H = \mathrm{Gal}(K/\mathbb{Q}(\alpha))$. We are going to prove the following properties

$$G = NH \quad\text{and}\quad H \cap N = 1_G \tag{4.1}$$

so that Lemma 4.1.3 applies. Then we will prove that $G$ is isomorphic to $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$.

Let us now prove the relations 4.1. Considering the algebraic extensions $\mathbb{Q}(\alpha)/\mathbb{Q}$ and $\mathbb{Q}(\varepsilon)/\mathbb{Q}$ we have the following relations related to the degree of $K/\mathbb{Q}$:

(i) $[K : \mathbb{Q}] = [K : \mathbb{Q}(\alpha)][\mathbb{Q}(\alpha) : \mathbb{Q}] = [K : \mathbb{Q}(\alpha)]\,p \Rightarrow p \mid [K : \mathbb{Q}]$, because $f(t)$ is irreducible over $\mathbb{Q}$ and so it is the minimal polynomial of $\alpha$ over $\mathbb{Q}$ and we have $[\mathbb{Q}(\alpha) : \mathbb{Q}] = \deg(f(t))$.

(ii) $[K : \mathbb{Q}] = [K : \mathbb{Q}(\varepsilon)][\mathbb{Q}(\varepsilon) : \mathbb{Q}] = [K : \mathbb{Q}(\varepsilon)](p-1) \Rightarrow (p-1) \mid [K : \mathbb{Q}]$, according to properties of cyclotomic extensions that we recalled in Section 2.1.

Therefore $[K : \mathbb{Q}]$ is a multiple of $p(p-1)$. Moreover, $\alpha$ is a root of $f(t)$. Hence the minimal polynomial $m(t) \in \mathbb{Q}(\varepsilon)[t]$ of $\alpha$ over $\mathbb{Q}(\varepsilon)$ must divide $f(t)$. In particular, we have $[K : \mathbb{Q}(\varepsilon)] = \deg(m(t))$. Hence $[K : \mathbb{Q}] = k(p-1)$, for some integer $k \in \{1, \dots, p\}$. This proves that $[K : \mathbb{Q}] = p(p-1)$ and by (i) and (ii) we also deduce using Theorem 1.6.6 that

$$|H| = [K : \mathbb{Q}(\alpha)] = (p-1) \quad\text{and}\quad |N| = [K : \mathbb{Q}(\varepsilon)] = p. \tag{4.2}$$

Now, let $\sigma \in N \cap H$. Since $\sigma \in H$, $\sigma(\alpha) = \alpha$ and since $\sigma \in N$, we also have $\sigma(\varepsilon) = \varepsilon$. Then $\sigma$ is the identity on $K$, i.e. $\sigma = 1_G$. Hence $H \cap N = \{1_G\}$.

We now prove the identity $G = HN$. Clearly $HN \subseteq G$. Recall that, as $N$ is normal in $G$, $HN$ is a subgroup of $G$. Moreover, by the Second Isomorphism Theorem, we have that $HN/N \cong H/(H \cap N) \cong H$. In particular this proves that $|HN/N| = |H|$ and so we have $|HN| = |H||N| = p(p-1)$. Hence $G = HN$. Applying Lemma 4.1.3 we conclude that $G$ is isomorphic to the semidirect product $N \times_\Psi H$, where $\Psi$ is the homomorphism mapping $h \in H$ to the automorphism $n \mapsto hnh^{-1} \in \mathrm{Aut}(N)$.

We still have to prove that the above semidirect product $N \times_\Psi H$ is isomorphic to $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$.


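By definition of $N$, every $\beta \in N$ must fix $\varepsilon$. Moreover, consider the automorphism $\sigma \in G$ defined by

$$\sigma(\varepsilon) = \varepsilon \quad\text{and}\quad \sigma(\alpha) = \varepsilon\alpha.$$

Clearly, $\sigma \in N$ and for every $i, j \in \{1, \dots, p\}$, we have $\sigma^i \in N$, with $\sigma^i \neq \sigma^j$ for all $i \neq j$. Indeed $\sigma^i(\varepsilon) = \varepsilon$ and $\sigma^i(\alpha) = \varepsilon^i\alpha$. Since $\varepsilon$ is a primitive $p$-th root, the $p$-th powers of $\sigma$ are $p$ distinct elements of $N$ and it follows that $\sigma$ is a generator of $N$. Then, recall that $\varphi$ is defined as $\varphi(n + (p-1)\mathbb{Z}) = \{t \mapsto a^n t, \ \forall t \in \mathbb{Z}/p\mathbb{Z}\}$, for any $n + (p-1)\mathbb{Z} \in \mathbb{Z}/(p-1)\mathbb{Z}$, where $a$ is a generator of the multiplicative group $(\mathbb{Z}/p\mathbb{Z})^*$. Then we can prove that the automorphism $\tau \in G$ mapping $\tau(\alpha) = \alpha$ and $\tau(\varepsilon) = \varepsilon^a$ is a generator of $H$. Indeed, clearly $\tau$ belongs to $H$. Moreover, for every $i \in \{1, \dots, p\}$ we have $\tau^i(\alpha) = \alpha$ and $\tau^i(\varepsilon) = \varepsilon^{a^i}$. These powers are distinct for all $i \in \{1, \dots, p\}$, because $a$ is a generator of $(\mathbb{Z}/p\mathbb{Z})^*$ and $\varepsilon$ is a primitive $p$-th root of unity. Using $N = \langle\sigma\rangle$ and $H = \langle\tau\rangle$ we can define the isomorphism $\Gamma$ of $N \times_\Psi H$ onto $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$ by

$$\Gamma((\sigma^i, \tau^j)) = (i + p\mathbb{Z}, j + (p-1)\mathbb{Z}).$$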

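First note that by equalities in 4.2 we have $|N| = |\mathbb{Z}/p\mathbb{Z}|$ and $|H| = |\mathbb{Z}/(p-1)\mathbb{Z}|$. Next, let us show that $\Gamma$ is an isomorphism of groups. To prove that the multiplication is preserved, we first prove that:

$$\Psi(\tau^j)(\sigma^i) = \sigma^{a^j i}, \quad \forall i, j.$$

Indeed we have

$$\Psi(\tau^j)(\sigma) = \tau^j\sigma\tau^{-j} = \sigma^{a^j}, \tag{4.3}$$

with $\tau^{-j}$ defined by $\tau^{-j}(\alpha) = \alpha$ and $\tau^{-j}(\varepsilon) = \varepsilon^{a^{(p-j)}}$, because $\tau^{-j}$ must satisfy $\tau^j\tau^{-j} = \tau^{-j}\tau^j = \mathrm{Id}$. We have

• $\tau^j\sigma\tau^{-j}(\alpha) = \tau^j\sigma(\alpha) = \tau^j(\varepsilon\alpha) = \varepsilon^{a^j}\alpha = \sigma^{a^j}(\alpha)$ and

• $\tau^j\sigma\tau^{-j}(\varepsilon) = \tau^j\sigma(\varepsilon^{a^{(p-j)}}) = \tau^j(\varepsilon^{a^{(p-j)}}) = \varepsilon^{a^p} = \varepsilon = \sigma^{a^j}(\varepsilon)$, because $a^p = a$.

Using equation 4.3 and the fact that $\Psi(\tau^j)$ is an automorphism, we then obtain

$$\Psi(\tau^j)(\sigma^i) = (\Psi(\tau^j)(\sigma))^i = (\tau^j\sigma\tau^{-j})^i = (\sigma^{a^j})^i = \sigma^{ia^j}. \tag{4.4}$$

Therefore we have

$$\Gamma((\sigma^i, \tau^j)(\sigma^k, \tau^l)) = \Gamma((\sigma^i\Psi(\tau^j)(\sigma^k), \tau^j\tau^l)) = \Gamma(\sigma^i\sigma^{ka^j}, \tau^{j+l}) = (i + ka^j + p\mathbb{Z}, \ j + l + (p-1)\mathbb{Z})$$

and also

$$\Gamma((\sigma^i, \tau^j))\Gamma((\sigma^k, \tau^l)) = (i + p\mathbb{Z}, j + (p-1)\mathbb{Z})(k + p\mathbb{Z}, l + (p-1)\mathbb{Z}) = (i + \varphi(j)(k), \ j + l + (p-1)\mathbb{Z}) = (i + a^jk + p\mathbb{Z}, \ j + l + (p-1)\mathbb{Z}).$$

This proves that $\Gamma$ is a homomorphism of groups. Moreover, every $(i + p\mathbb{Z}, j + (p-1)\mathbb{Z})$ is the image of $(\sigma^i, \tau^j)$, which proves that $\Gamma$ is onto. As the groups we are considering are finite groups with the same cardinality this even proves that $\Gamma$ is an isomorphism.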

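Therefore, we have isomorphisms of groups

$$G \cong N \times_\Psi H \cong \mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$$

and hence the semidirect product $\mathbb{Z}/p\mathbb{Z} \times_\varphi \mathbb{Z}/(p-1)\mathbb{Z}$ is isomorphic to the Galois group $G$ of the extension $K/\mathbb{Q}$, where $K$ is the splitting field of $f(t) = t^p - 2$.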
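The conjugation relation 4.3 and the resulting isomorphism can be checked exhaustively for small primes. The following Python code is an added example, not part of the thesis. It assumes a modelling choice made here: an automorphism g of K is stored as the pair (u, v) with g(ε) = ε^u and g(α) = ε^v α, so that σ = (1, 1) and τ = (a, 0), and the pair (i, j) of the abstract semidirect product is sent to σ^i τ^j. All function names are hypothetical.

```python
"""Gal(Q(eps, alpha)/Q) for t^p - 2 compared with Z/pZ x_phi Z/(p-1)Z."""
from itertools import product


def primitive_root(p):
    """Smallest generator a of the multiplicative group (Z/pZ)^*, p odd prime."""
    for a in range(2, p):
        if len({pow(a, k, p) for k in range(p - 1)}) == p - 1:
            return a
    raise ValueError("no generator found; p must be an odd prime")


def compose(g, h, p):
    """g after h for automorphisms stored as (u, v).

    eps   -> (eps^uh)^ug = eps^(ug*uh)
    alpha -> g(eps^vh * alpha) = eps^(ug*vh + vg) * alpha
    """
    (ug, vg), (uh, vh) = g, h
    return (ug * uh % p, (vg + ug * vh) % p)


def power(g, k, p):
    """k-fold composition of g with itself; k = 0 gives the identity (1, 0)."""
    result = (1, 0)
    for _ in range(k):
        result = compose(result, g, p)
    return result


def inverse(g, p):
    """Inverse automorphism of g = (u, v)."""
    u, v = g
    u_inv = pow(u, -1, p)
    return (u_inv, (-u_inv * v) % p)


def semidirect_mul(x, y, p, a):
    """(b, c)(d, e) = (b + a^c d, c + e), the multiplication of Section 4.1.1."""
    (b, c), (d, e) = x, y
    return ((b + pow(a, c, p) * d) % p, (c + e) % (p - 1))


def to_automorphism(x, p, a):
    """Send (i, j) to sigma^i tau^j with sigma = (1, 1) and tau = (a, 0)."""
    i, j = x
    return compose(power((1, 1), i, p), power((a, 0), j, p), p)


def conjugation_holds(p, a):
    """Check tau^j sigma^i tau^(-j) == sigma^(i * a^j) for all i, j."""
    for i, j in product(range(p), range(p - 1)):
        tj = power((a, 0), j, p)
        lhs = compose(compose(tj, power((1, 1), i, p), p), inverse(tj, p), p)
        if lhs != power((1, 1), i * pow(a, j, p) % p, p):
            return False
    return True


def is_isomorphism(p, a):
    """Check that (i, j) -> sigma^i tau^j is a bijective homomorphism."""
    elements = list(product(range(p), range(p - 1)))
    images = {x: to_automorphism(x, p, a) for x in elements}
    if len(set(images.values())) != p * (p - 1):
        return False
    return all(
        images[semidirect_mul(x, y, p, a)] == compose(images[x], images[y], p)
        for x in elements
        for y in elements
    )


if __name__ == "__main__":
    for p in (3, 5, 7, 11):
        a = primitive_root(p)
        print(p, a, conjugation_holds(p, a), is_isomorphism(p, a))
```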


Chapter 5

Groups of order 8

The aim of this chapter is to show that every group of order 8 can be realized as a Galois group. For that purpose, we first give the classification of all groups of order 8 in Section 5.1. Then we detail the construction of Galois extensions of degree 8 in Section 5.2.

5.1 Classification of all groups of order 8

There are five groups of order 8 up to isomorphism. First, as $8 = 2^3$, by the classification of finite abelian groups we have the following three abelian groups

$$\mathbb{Z}/8\mathbb{Z}, \qquad \mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}, \qquad \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}.$$

Then, let $G$ be a non-abelian group of order 8. By Lagrange's Theorem we have that the order of any element $g \in G$ must divide 8. If there exists $g \in G$ of order 8, then $G = \langle g \rangle \cong \mathbb{Z}/8\mathbb{Z}$. Hence if $G$ is non-abelian every non-trivial element is of order 2 or 4. Moreover, if every element is of order at most 2, then we have $G \cong \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$. Indeed, in that case, for any $a \neq b \in G$ the product $ab \in G$ is also of order 2. Then we have $abab = 1_G$, which is equivalent to $ab = b^{-1}a^{-1} = ba$. Hence $G$ is abelian and $G \cong \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$. Therefore, as $G$ is non-abelian, there exists in $G$ at least one element, $n$, of order 4. Write $N = \langle n \rangle$ for the subgroup generated by $n$. $N$ is of index 2 in $G$, therefore it is a normal subgroup and we can consider the following short exact sequence

$$\{1_G\} \longrightarrow N \xrightarrow{\;i\;} G \xrightarrow{\;\pi\;} G/N \longrightarrow \{1_G\},$$

where $i$ is the inclusion homomorphism and $\pi$ is the canonical projection on the quotient $G/N$. We first suppose this short exact sequence has a section $s : G/N \to G$, which satisfies $\pi \circ s = \mathrm{Id}_{G/H}$. Then by Proposition 4.1.2 and Lemma 4.1.3 we know that $G \cong N \times_\Psi H$, where $H = s(G/N)$ and $\Psi : H \to \mathrm{Aut}(N)$ maps $h \in H$ to the automorphism of $N$ defined by $\Psi(h)(m) = hmh^{-1}$. We prove that this semidirect product is precisely the dihedral group $D_4$ generated by an element $a$ of order 4 and an element $b$ of order 2 satisfying the relation $bab = a^{-1}$. Actually, it can be proved that elements of $D_4$ are of the form $a^ib^j$, with $0 \le i \le 3$ and $0 \le j \le 1$. Indeed, we know that $G/N$ is of order 2 and so is $H$. Denote by $h$ the generator of $H$. We want to prove that $hnh^{-1} = n^{-1}$. Note that $\Psi(h)(n) = hnh^{-1}$. Hence we have to prove that $\Psi(h)(n) = n^{-1}$. We know that $N$ is a cyclic group of order 4 generated by $n$. Thus there are only 2 automorphisms of $N$: the identity $\mathrm{Id}_N$ and $\alpha : N \to N$ defined by $\alpha(n) = n^{-1}$. Indeed, an automorphism of $N$ is defined by the image of $n$. As $n$ is of order 4, its image by an automorphism must also be of order 4 and the only element of order 4 different from $n$ is $n^{-1}$.

Next, suppose that $\Psi(h) = \mathrm{Id}_N$. Then we have $hnh^{-1} = n$ and it follows that $hn = nh$ and $G$ is abelian, because we have $G = HN$. As we suppose $G$ non-abelian we thus must have $\Psi(h) = \alpha$ and this proves that $hnh^{-1} = n^{-1}$. Hence

$$G \cong D_4 = \langle n, h \mid n^4 = h^2 = 1 \text{ and } hnh^{-1} = n^{-1} \rangle.$$

Explicitly we have $D_4 = \{1, n, n^2, n^3, h, hn, hn^2, hn^3\}$. Using that $hn = n^{-1}h$ it is easy to prove that every element different from $1$, $n$ and $n^3$ is of order 2. Hence $N$ is the only subgroup of order 4. These properties are important to distinguish $D_4$ and $H_8$ in the following.

Suppose that the short exact sequence

$$\{1_G\} \longrightarrow N \xrightarrow{\;i\;} G \xrightarrow{\;\pi\;} G/N \longrightarrow \{1_G\}$$

has no section. This means that there is no element of order 2 in $G - N$. Indeed, if there existed an element $h \in G - N$ of order 2, then we could define an application $s : G/N \to G$ as follows:

$$s(N) = 1_G \quad\text{and}\quad s(gN) = h,$$

if $gN \neq N$. Then $s$ would satisfy $\pi \circ s = \mathrm{Id}_{G/N}$, because $\pi \circ s(N) = \pi(1_G) = N$. But, since $h \notin N$ we have $\pi \circ s(gN) = \pi(h) = gN$, which yields a contradiction. Therefore there is no element of order 2 in $G - N$, i.e. every element of $G - N$ is of order 4. Next, consider an element $m \in G - N$ of order 4. Then $M = \langle m \rangle$ is a subgroup of $G$ of order 4. In particular, we have $m^2$ of order 2 and hence $m^2 \notin G - N$, i.e. $m^2 \in M \cap N$. But in $N$ there is a unique element of order 2, which is $n^2$. This proves that $m^2 = n^2$. As $m \notin N$, we have $m^{-1} = m^3 \notin N$. It follows that both $mn$ and $m^3n$ are not in $N$. Thus we get all elements of the group $G$:

$$G = \{1_G, n, n^2, n^3, m, m^3, mn, m^3n\}.$$

Therefore $G$ is the quaternion group $H_8$. Notice that in $H_8$ there is a unique element of order 2 as well as three distinct subgroups of order 4, i.e. $\langle n \rangle$, $\langle m \rangle$, $\langle mn \rangle$.

To sum up, we have found all groups of order 8 (up to isomorphism), which are:

$$\mathbb{Z}/8\mathbb{Z}, \qquad \mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}, \qquad \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}, \qquad D_4, \qquad H_8.$$

5.2 Galois extensions of order 8

In this section we show that each group of order 8 is a solution of the inverse Galois problem. Moreover, for each group $G$ of order 8, we will develop different methods and arguments to construct a Galois extension of group $G$.

5.2.1 The group Z/8Z

According to Chapter 2, we know that for all abelian groups we have to consider subfields of cyclotomic fields. In particular, for the cyclic group $\mathbb{Z}/8\mathbb{Z}$ we denote by $\varepsilon = \exp\left(\frac{2\pi i}{17}\right)$ a primitive 17-th root of unity. By the results proved in Chapter 2 we know that $\mathbb{Q}(\varepsilon)/\mathbb{Q}$ is a Galois extension and that we have

$$\mathrm{Gal}(\mathbb{Q}(\varepsilon)/\mathbb{Q}) \cong (\mathbb{Z}/17\mathbb{Z})^* \cong \mathbb{Z}/16\mathbb{Z},$$

because 17 is a prime number. As $G = \mathrm{Gal}(\mathbb{Q}(\varepsilon)/\mathbb{Q})$ is abelian, every subgroup $G_K$ of $G$ is normal in $G$ and it follows by Theorem 1.6.6 that the subfield $K \subset \mathbb{Q}(\varepsilon)$ satisfying the relation $K = \mathrm{Fix}(G_K)$ gives the two following Galois extensions:

• $\mathbb{Q}(\varepsilon)/K$ with Galois group $G_K$,

• $K/\mathbb{Q}$ with Galois group isomorphic to the quotient $G/G_K$.


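We consider $K = \mathbb{Q}(\varepsilon + \varepsilon^{-1}) = \mathrm{Fix}(G_K)$. Every $\sigma \in G_K$ must satisfy $\sigma(\varepsilon + \varepsilon^{-1}) = \varepsilon + \varepsilon^{-1}$. Therefore we have $G_K = \langle\sigma\rangle$, where $\sigma$ is defined by $\sigma(\varepsilon) = \varepsilon^{-1}$. The group $G_K$ is of order 2, therefore we have $[\mathbb{Q}(\varepsilon + \varepsilon^{-1}) : \mathbb{Q}] = |G/G_K| = |16/2| = 8$. Denote by $H$ the group $\mathrm{Gal}(\mathbb{Q}(\varepsilon + \varepsilon^{-1})/\mathbb{Q})$; we have proved that $H$ is of order 8 and abelian. Moreover we know that $H \cong G/G_K$. As $G_K$ is of order 2 we have $G_K \cong \mathbb{Z}/2\mathbb{Z}$ and in $G$ we have

$$G_K \cong \mathbb{Z}/2\mathbb{Z} \cong 8\mathbb{Z}/16\mathbb{Z}.$$

Therefore we obtain

$$H \cong (\mathbb{Z}/16\mathbb{Z})/(8\mathbb{Z}/16\mathbb{Z}) \cong \mathbb{Z}/8\mathbb{Z}.$$

This proves that the cyclic group $\mathbb{Z}/8\mathbb{Z}$ is a solution of the inverse Galois problem. Precisely, for $\varepsilon = \exp\left(\frac{2\pi i}{17}\right)$, the Galois group of the Galois extension $\mathbb{Q}(\varepsilon + \varepsilon^{-1})/\mathbb{Q}$ is isomorphic to $\mathbb{Z}/8\mathbb{Z}$.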

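5.2.2 The group Z/4Z × Z/2Z

In this subsection we consider the group $G = \mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$. To construct a Galois extension whose Galois group is isomorphic to $G$ we use the idea presented in the proof of Theorem 2.2.4. In particular considering $p_1 = 5$ and $p_2 = 3$ we have the following isomorphisms

$$\mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \cong (\mathbb{Z}/5\mathbb{Z})^* \times (\mathbb{Z}/3\mathbb{Z})^* \cong (\mathbb{Z}/15\mathbb{Z})^*.$$

In this case we do not need to use a surjection, because we already know that $G \cong (\mathbb{Z}/15\mathbb{Z})^*$. Therefore we can consider a primitive 15-th root of unity, $\varepsilon'$. In Chapter 2 we proved that $\mathrm{Gal}(\mathbb{Q}(\varepsilon')/\mathbb{Q}) \cong (\mathbb{Z}/15\mathbb{Z})^*$. Hence the Galois group of the Galois extension $\mathbb{Q}(\varepsilon')/\mathbb{Q}$ is isomorphic to $G$.

5.2.3 The group Z/2Z × Z/2Z × Z/2Z

Again we follow the idea given in Chapter 2 to construct a Galois extension whose Galois group is $G \cong \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$ (see Theorem 2.2.4). In this case we consider the surjection

$$\Pi : \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/6\mathbb{Z} \twoheadrightarrow G$$

given by the identity on the first component and respectively the projection $\pi_1$ onto the quotient $(\mathbb{Z}/4\mathbb{Z})/(2\mathbb{Z}/4\mathbb{Z}) \cong \mathbb{Z}/2\mathbb{Z}$ for the second component and the projection $\pi_3$ onto $(\mathbb{Z}/6\mathbb{Z})/(2\mathbb{Z}/6\mathbb{Z}) \cong \mathbb{Z}/2\mathbb{Z}$ for the third component. This is necessary, because we need to have three distinct prime numbers.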


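By the Chinese Remainder Theorem we have the group isomorphisms

$$\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/6\mathbb{Z} \cong (\mathbb{Z}/3\mathbb{Z})^* \times (\mathbb{Z}/5\mathbb{Z})^* \times (\mathbb{Z}/7\mathbb{Z})^* \cong (\mathbb{Z}/105\mathbb{Z})^*.$$

Then, let $\tilde{\varepsilon}$ be a primitive 105-th root of unity. We know that the Galois extension $\mathbb{Q}(\tilde{\varepsilon})/\mathbb{Q}$ has Galois group isomorphic to $(\mathbb{Z}/105\mathbb{Z})^*$. Denote by $J$ this group. The homomorphism $\Pi$ induces a surjection $\Psi : J \twoheadrightarrow G$ and we thus have

$$J/\ker(\Psi) \cong G.$$

In particular, since $\ker(\Psi)$ is a normal subgroup of $J$, the subfield of $\mathbb{Q}(\tilde{\varepsilon})$ fixed by $\ker(\Psi) \subseteq J$ is a Galois extension of $\mathbb{Q}$ whose Galois group is isomorphic to $G$. We now make such a homomorphism $\Psi$ explicit in order to describe a Galois extension of $\mathbb{Q}$ with Galois group $G$.

The kernel of the application $\Pi$ is $\{[0]_2\} \times 2\mathbb{Z}/4\mathbb{Z} \times 2\mathbb{Z}/6\mathbb{Z}$ and this is a cyclic group of order 6. In particular, we have

$$\ker(\Pi) = \langle([0]_2, [2]_4, [2]_6)\rangle,$$

where $[\ ]_m$ denotes the class modulo $m$. For the multiplicative group $(\mathbb{Z}/3\mathbb{Z})^* \times (\mathbb{Z}/5\mathbb{Z})^* \times (\mathbb{Z}/7\mathbb{Z})^*$ we can consider the generator $(\bar{2}_3, \bar{2}_5, \bar{3}_7)$, where $\bar{\ }_n$ denotes the class modulo $n$ in $\mathbb{Z}/n\mathbb{Z}$. Thus, we can write:

$$\ker(\Pi) = \langle([0]_2, [2]_4, [2]_6)\rangle \cong \langle(\bar{1}_3, \bar{4}_5, \bar{2}_7)\rangle.$$

Moreover, according to the Chinese Remainder Theorem this group corresponds to the cyclic group $\langle\overline{79}_{105}\rangle$ in $(\mathbb{Z}/105\mathbb{Z})^*$. Then, the isomorphism between $(\mathbb{Z}/105\mathbb{Z})^*$ and the Galois group $J$ is given by mapping $i \in (\mathbb{Z}/105\mathbb{Z})^*$ to $\sigma_i \in J$ defined by $\sigma_i(\tilde{\varepsilon}) = \tilde{\varepsilon}^i$. Therefore we have

$$\ker(\Psi) \cong \langle\sigma_{79}\rangle =: J_K.$$

Computing the powers of $\overline{79}_{105}$ we find that

$$J_K = \{\sigma_{79}, \sigma_{46}, \sigma_{64}, \sigma_{16}, \sigma_4, \sigma_1\}.$$

Write $K = \mathrm{Fix}(J_K)$. The field extension $K/\mathbb{Q}$ has Galois group isomorphic to $J/J_K \cong G$. Notice that this is a Galois extension, because $J_K = \ker(\Psi)$ is a normal subgroup of $J$.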


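Next, we are looking for a primitive element of the extension $K/\mathbb{Q}$. The elements of $\mathbb{Q}(\tilde{\varepsilon})$ are of the form

$$k = \sum_{i=0}^{104} a_i\tilde{\varepsilon}^i,$$

with $a_i \in \mathbb{Q}$, for all $0 \le i \le 104$. One can prove easily the following relation

$$\sigma_{79^i}(\tilde{\varepsilon}^{79^j}) = \tilde{\varepsilon}^{79^{i+j}}, \quad\text{with } i, j \in \{0, \dots, 5\}.$$

Denote by $\delta$ the sum $\tilde{\varepsilon} + \tilde{\varepsilon}^4 + \tilde{\varepsilon}^{16} + \tilde{\varepsilon}^{46} + \tilde{\varepsilon}^{64} + \tilde{\varepsilon}^{79}$. Then using the previous relation it is easy to prove that $\delta$ is fixed by any element in $J_K$ and hence $\mathbb{Q}(\delta) \subseteq K$.

To prove that we have an equality we use an argument on the degree of the extension $K/\mathbb{Q}$. We know that $K/\mathbb{Q}$ is a Galois extension with Galois group isomorphic to $J/J_K$, therefore we have

$$[K : \mathbb{Q}] = |\mathrm{Gal}(K/\mathbb{Q})| = |J|/|J_K| = 48/6 = 8,$$

by Theorem 1.6.6(iii). Moreover we have $[\mathbb{Q}(\delta) : \mathbb{Q}] = [\mathbb{Q}(\delta) : K][K : \mathbb{Q}]$, so if we prove that $\mathbb{Q}[\delta]/\mathbb{Q}$ has degree 8 we obtain the equality $K = \mathbb{Q}(\delta)$. As $\mathbb{Q}(\delta)/\mathbb{Q}$ is a simple extension, we also know that $[\mathbb{Q}(\delta) : \mathbb{Q}] = \deg(m_\delta(t))$, where $m_\delta(t)$ is the minimal polynomial of $\delta$ over $\mathbb{Q}$. Using the software PARI/GP (see Annexe A) or SAGE we compute $m_\delta(t)$ and find:

$$m_\delta(t) = t^8 + t^7 - 4t^6 + 9t^5 + 23t^4 - 18t^3 - 16t^2 - 8t + 16.$$

Hence $K = \mathbb{Q}(\delta)$ and $K/\mathbb{Q}$ is a Galois extension with Galois group isomorphic to $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$.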
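The computation of this subsection can be reproduced without a computer algebra system. The following Python code is an added example, not the PARI/GP script of Annexe A: it lists the powers of 79 modulo 105, checks that the quotient of (Z/105Z)^* by that subgroup has exponent 2, and recovers the minimal polynomial of δ numerically as the product of (t − σ(δ)) over the 8 cosets. Function names are chosen here, and floating-point roots of unity with rounding replace exact arithmetic.

```python
"""J_K = <79> in (Z/105Z)^*, the sum delta, and its minimal polynomial."""
import cmath
from math import gcd

N = 105
UNITS = [u for u in range(1, N) if gcd(u, N) == 1]   # (Z/105Z)^*, 48 elements


def cyclic_subgroup(g):
    """All powers of g modulo 105, as a sorted list."""
    powers, x = [], 1
    while True:
        x = x * g % N
        powers.append(x)
        if x == 1:
            return sorted(powers)


def cosets(subgroup):
    """The cosets u * subgroup inside (Z/105Z)^*, each as a frozenset."""
    return {frozenset(u * h % N for h in subgroup) for u in UNITS}


def quotient_has_exponent_two(subgroup):
    """True if every square of a unit lies in the subgroup.

    An abelian group of order 8 with exponent 2 is Z/2Z x Z/2Z x Z/2Z.
    """
    return all(u * u % N in subgroup for u in UNITS)


def period(coset):
    """Sum of eps^i over i in the coset, with eps = exp(2*pi*i/105).

    For the coset u * J_K this is sigma_u(delta).
    """
    return sum(cmath.exp(2j * cmath.pi * i / N) for i in coset)


def minimal_polynomial(subgroup):
    """Integer coefficients, highest degree first, of prod (t - sigma(delta))."""
    coeffs = [1 + 0j]
    for root in (period(c) for c in cosets(subgroup)):
        # multiply the current polynomial by (t - root)
        coeffs = [a - root * b for a, b in zip(coeffs + [0], [0] + coeffs)]
    rounded = [round(c.real) for c in coeffs]
    if any(abs(c - r) > 1e-6 for c, r in zip(coeffs, rounded)):
        raise ValueError("coefficients are not integers within tolerance")
    return rounded


def conjugates_are_distinct(subgroup):
    """True if the 8 conjugates of delta are pairwise different numbers."""
    values = [period(c) for c in cosets(subgroup)]
    return all(abs(x - y) > 1e-6
               for k, x in enumerate(values) for y in values[k + 1:])


if __name__ == "__main__":
    J_K = cyclic_subgroup(79)
    print("J_K exponents:", J_K)
    print("index:", len(cosets(J_K)))
    print("m_delta coefficients:", minimal_polynomial(J_K))
```

Since the 8 conjugates of δ are pairwise distinct, the degree 8 polynomial obtained is the minimal polynomial of δ.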

5.2.4 The dihedral group D4

To construct a Galois extension $K/\mathbb{Q}$ with Galois group isomorphic to $D_4$ we use a more general approach. In particular, we present a criterion to classify field extensions given by the splitting field of separable polynomials of quartic degree. First, consider the polynomial

$$f(t) = \prod_{i=1}^{4} (t - \alpha_i),$$

where all $\alpha_i$ are distinct elements of $\mathbb{Q}$. Denote by $K_f$ the splitting field of $f(t)$. By Theorem 1.6.5, $K_f/\mathbb{Q}$ is a Galois extension because $f(t)$ is separable.

We identify the Galois group Gf of the extension Kf/Q with a subgroupof Sym({α1, α2, α3, α4}) ∼= S4.Moreover, consider the set

V = {1, (12)(34), (13)(24), (14)(23)}

and recall that V is a normal subgroup of S4 (see for example [7]).

We start by looking at the action of $S_4$ on $S = \{\alpha, \beta, \gamma\}$, with

$$\alpha = \alpha_1\alpha_2 + \alpha_3\alpha_4,$$
$$\beta = \alpha_1\alpha_3 + \alpha_2\alpha_4,$$
$$\gamma = \alpha_1\alpha_4 + \alpha_3\alpha_2.$$

Considering the transpositions $(23)$ and $(24)$, we can easily see that this action is transitive. Therefore there is a unique orbit of cardinality $|S| = 3$ and for any $s \in S$ we have $[S_4 : \mathrm{Stab}(s)] = 3$. It follows that the stabilizer of every $s \in S$ is a subgroup of order 8 of $S_4$. But $|S_4| = 4! = 24$, therefore the stabilizers are the 2-Sylow subgroups in $S_4$. According to the Second Sylow Theorem these groups are all conjugate and hence all isomorphic to each other.
Consider for example $\alpha$. We have $P_\alpha = \mathrm{Stab}(\alpha) = \langle (12), (1324) \rangle$, which is isomorphic to $D_4$, because the two generators are respectively of order 2 and 4 and satisfy the property $(12)(1324)(12) = (1423) = (1324)^{-1}$. Hence the three stabilizers $P_\alpha, P_\beta, P_\gamma$ are 2-Sylow subgroups. In particular, by the Third Sylow Theorem and as they are all distinct, we prove that there is no other subgroup of order 8 in $S_4$.
The normal subgroup $V$ is of order $4 = 2^2$, therefore it is a subgroup of one of the 2-Sylow subgroups. Suppose without loss of generality that $V \subseteq P_\alpha$. As $V$ is a normal subgroup and the 2-Sylow subgroups are conjugate, we can find elements $g, h \in S_4$ such that

$$V \subseteq P_\alpha \Rightarrow gVg^{-1} = V \subseteq gP_\alpha g^{-1} = P_\beta$$

and similarly

$$V \subseteq P_\alpha \Rightarrow V \subseteq hP_\alpha h^{-1} = P_\gamma.$$

Therefore $V \subseteq P_\alpha \cap P_\beta \cap P_\gamma$ and in particular $V = P_\alpha \cap P_\beta \cap P_\gamma$, because the intersection is a proper subgroup of $P_\alpha$ and it cannot be bigger than $V$, because $V$ is of order 4.
Each 2-Sylow subgroup fixes an element of $S$. Therefore $V = P_\alpha \cap P_\beta \cap P_\gamma$ fixes $\alpha$, $\beta$ and $\gamma$.

Remark 5.2.1. For more details concerning Sylow groups we refer the reader to ([7], Chapter 1).

Therefore we can state the following about the extension field $\mathbb{Q}(\alpha, \beta, \gamma)/\mathbb{Q}$:

Lemma 5.2.2. The field fixed by $G_f \cap V$ is $\mathbb{Q}(\alpha, \beta, \gamma)$. Hence $\mathbb{Q}(\alpha, \beta, \gamma)/\mathbb{Q}$ is a Galois extension with Galois group isomorphic to $G_f/(G_f \cap V)$.

Proof. We know already that $K_f/\mathbb{Q}$ is a Galois extension and that the group $V \subseteq S_4$ fixes $\alpha$, $\beta$ and $\gamma$. As we don't know if all elements of $V$ are in $G_f$, we consider the group $G_f \cap V$. Clearly $G_f \cap V$ fixes $\mathbb{Q}(\alpha, \beta, \gamma)$ as well and so $\mathbb{Q}(\alpha, \beta, \gamma) \subseteq \mathrm{Fix}(G_f \cap V)$. Also, there is no other element in $G_f$ fixing $S$, because this would be a contradiction to the argument preceding the lemma on the cardinality of $\mathrm{Stab}(s)$, for $s \in S = \{\alpha, \beta, \gamma\}$. Hence, using the correspondence given by Theorem 1.6.6, we have $\mathbb{Q}(\alpha, \beta, \gamma) = \mathrm{Fix}(G_f \cap V)$.
Moreover, $G_f \cap V$ is a normal subgroup in $G_f$, because $V$ is normal in $S_4$. Therefore, by Theorem 1.6.6, $\mathbb{Q}(\alpha, \beta, \gamma)/\mathbb{Q}$ is a Galois extension of $\mathbb{Q}$, with Galois group isomorphic to $G_f/(G_f \cap V)$.

With $\alpha, \beta, \gamma$ defined as above, we can then define the major tool used to construct $D_4$ as a Galois group. For more details we refer the reader to Section 4.3 of [1].

Definition 5.2.3 (Discriminant). Suppose $f(t) \in \mathbb{Q}[t]$ is a monic polynomial of degree $n$. Denote by $K$ its splitting field over $\mathbb{Q}$ and by $\alpha_1, \dots, \alpha_n \in K$ its roots. Write

$$\delta = \prod_{i<j} (\alpha_i - \alpha_j).$$

The discriminant of $f(t)$ is defined as $\Delta(f) = \delta^2$.

Definition 5.2.4 (Cubic resolvent). Write $M = \mathbb{Q}(\alpha, \beta, \gamma)$ and define

$$g(t) = (t - \alpha)(t - \beta)(t - \gamma) \in M[t].$$

Then $g(t)$ is called the cubic resolvent of $f(t)$.

Remark 5.2.5. Notice that any element of $S_4$ is a permutation of $\alpha_1, \alpha_2, \alpha_3$ and $\alpha_4$. Hence it permutes $\alpha$, $\beta$ and $\gamma$, but $g(t)$ remains fixed. This proves that the coefficients of $g(t)$ are in $\mathbb{Q}$.

The next lemma gives a more precise relation between the coefficients of $g(t)$ and those of $f(t)$ when $\deg(f) = 4$.

Lemma 5.2.6. Consider the polynomial $f(t) = t^4 + bt^3 + ct^2 + dt + e$, with $a, b, c, d, e \in \mathbb{Q}$. Then its cubic resolvent is the polynomial

$$g(t) = t^3 - ct^2 + (bd - 4e)t - b^2e + 4ce - d^2.$$

Moreover the discriminants of $f$ and $g$ are equal.

Proof. To prove this result we compute every coefficient of $f(t)$ and $g(t)$. Over the splitting field of $f$, we can write:

$$f(t) = (t - \alpha_1)(t - \alpha_2)(t - \alpha_3)(t - \alpha_4)$$

and

$$g(t) = (t - \alpha_1\alpha_2 - \alpha_3\alpha_4)(t - \alpha_1\alpha_3 - \alpha_2\alpha_4)(t - \alpha_1\alpha_4 - \alpha_3\alpha_2).$$

Then, for example, expanding the coefficient associated to $t^2$ in $f(t)$ we find that

$$c = \alpha_1\alpha_2 + \alpha_1\alpha_3 + \alpha_1\alpha_4 + \alpha_2\alpha_3 + \alpha_2\alpha_4 + \alpha_3\alpha_4.$$

We can verify that this is the opposite of the coefficient $c'$ associated to $t^2$ in $g(t)$. We then have

$$c' = -(\alpha + \beta + \gamma) = -(\alpha_1\alpha_2 + \alpha_3\alpha_4 + \alpha_1\alpha_3 + \alpha_2\alpha_4 + \alpha_1\alpha_4 + \alpha_3\alpha_2) = -c.$$

In a similar way we can compute and compare all the coefficients and the discriminant to prove the result. This can be computed easily with software such as PARI/GP.

Consider again the polynomial $f(t)$ defined at the beginning of this section. It is an irreducible polynomial over $\mathbb{Q}$. Then $G_f$ acts transitively on the roots of $f(t)$. Moreover, as $f(t)$ is separable we know that $K_f/\mathbb{Q}$ is a Galois extension and that the degree of $f$ divides the degree of the extension (see Lemma 21 in [1]). Write $o = |G_f|$. We have two conditions on $o$. First, $o \mid 24$, because $G_f$ can be identified with a subgroup of $S_4$. Secondly, $\deg(f(t)) = 4 \mid o$. Hence we can conclude that $o \in \{4, 8, 12, 24\}$.
For $o = 12, 24$ the only possibilities are respectively $A_4$ and $S_4$ for $G_f$.
For $o = 8$, we have already seen that the subgroups of order 8 are the 2-Sylow subgroups. They are all isomorphic to $D_4$ and they contain $V$.
For $o = 4$, there are many possibilities. We know that $G_f$ acts transitively on the roots of $f(t)$. Hence we could have $G_f = V$ or $G_f = \langle (1234) \rangle \cong C_4$. Notice that any group generated by two disjoint transpositions is of order 4, but it does not act transitively. A group generated by more than two transpositions, or transpositions and 3-cycles, will be one of the other subgroups.

We summarize the results obtained in Table 5.1.

    G_f    |G_f ∩ V|    |G_f/(G_f ∩ V)|
    S_4    4            6
    A_4    4            3
    V      4            1
    D_4    4            2
    C_4    2            2

Table 5.1: Possibilities for the group $G_f$ and the intersection $G_f \cap V$

Write $M = \mathbb{Q}(\alpha, \beta, \gamma)$ using the same notation as before.
By Lemma 5.2.2 we know that $M/\mathbb{Q}$ is a Galois extension with Galois group isomorphic to $G_f/(G_f \cap V)$. Moreover $M$ is the splitting field of the cubic resolvent $g(t)$. Therefore, using the cubic resolvent $g(t)$ we can find the order of $G_f/(G_f \cap V)$, which is in general sufficient to define $G_f$ up to isomorphism (see Table 5.1).
In the case where $|G_f/(G_f \cap V)| = 2$, we find that $G_f \cong D_4$ or $G_f \cong C_4$. We then consider the Galois extension $K_f/M$ with Galois group $G_f \cap V$. Therefore we consider the polynomial $f(t)$ as a polynomial in $M[t]$.
If $G_f = D_4$, then $G_f \cap V = V$, which acts transitively on the roots of $f(t)$. Therefore $f(t)$ is irreducible over $M$ as well (see Remark 5.2.7).
Now, if $G_f = C_4$, we have $|G_f \cap V| = 2$. Hence $G_f \cap V \cong C_2$, which does not act transitively. So $f(t)$ is not irreducible over $M$.
Therefore the study of the irreducibility of $f$ over $M$ enables us to distinguish between the cases $G_f = D_4$ and $G_f = C_4$.

Remark 5.2.7. Notice that we are using here an argument which is converse to one we already used previously in Section 3.2.
Since $G_f$ acts transitively on the roots of $f(t)$ we conclude that $f(t)$ is irreducible. Indeed, suppose that $h(t)$ is an irreducible factor of $f(t)$, $r$ a root of $h(t)$ and $r'$ any root of $f(t)$. By the hypothesis, there exists $\sigma \in G_f$ such that $\sigma(r) = r'$. Then we have $g(\sigma(r)) = \sigma(h(r)) = 0$ and $r'$ is also a root of $h(t)$. Hence $h(t) = f(t)$, because any root of $f(t)$ is a root of $h(t)$.
Therefore we have the equivalence: $f(t)$ is irreducible if and only if $G_f$ is acting transitively on the set of roots of $f(t)$.

We can now use these arguments to prove that if $f(t) = t^4 - 2$, then the Galois extension $K_f/\mathbb{Q}$ has Galois group isomorphic to $D_4$.
According to the Eisenstein Criterion (see Theorem 6 in [1]) we have that $f(t)$ is irreducible over $\mathbb{Q}$. Using Lemma 5.2.6 we compute the cubic resolvent: $g(t) = t^3 + 8t$.
Denote by $M$ the splitting field of $g(t)$. It is easy to prove that $M = \mathbb{Q}(i\sqrt{2})$, which is an extension of degree 2, because the minimal polynomial of $i\sqrt{2}$ is $t^2 + 2$. Therefore we have $|G_f/(G_f \cap V)| = [M : \mathbb{Q}] = 2$ and so $G_f \cong V$ or $G_f \cong C_4$.

We now study the irreducibility of $f(t)$ over $M = \mathbb{Q}(\alpha, \beta, \gamma)$. No root of $f(t)$ is in $M$. Moreover, the factors of degree 2 of $f(t)$ are of the form $t^2 \pm \sqrt{2}$ or $t^2 \pm (i + 1)\sqrt[4]{2}\,t \pm \sqrt{2}$, which are not in $M[t]$, because $\sqrt{2} \notin M$. Indeed, suppose that $\sqrt{2} \in M$. Then $i \in M$ as well and $\mathbb{Q}(i) \subseteq M$. But then we should have $M = \mathbb{Q}(i)$, because both extensions are of degree 2. This is not the case, because $\sqrt{2} \notin \mathbb{Q}$ and the elements of $\mathbb{Q}(i)$ are of the form $a + bi$, with $a, b \in \mathbb{Q}$.
Hence $f(t)$ is irreducible over $M$ as well. By the arguments presented above, we can conclude that $G_f \cong D_4$ and thus that $K_f/\mathbb{Q}$ is a Galois extension having Galois group isomorphic to $D_4$.

Note that the arguments on the resolvent $g(t)$ of $f(t)$ and on the cardinality of $G_f \cap V$ can be used to realize each one of the groups $S_4$, $A_4$, $V$, $C_4$ as a Galois group (see [10], Section 4) as well. We will use this argument later on to find a polynomial with Galois group isomorphic to the alternating group $A_4$ (see Section 6.1).

Example 5.2.8. To illustrate this, let us verify that the polynomial given in Chapter 3 satisfies this criterion. Write $s(t) = t^4 - t - 1$; we have already shown that $s(t)$ is irreducible. Denote by $G_s$ its Galois group.
The cubic resolvent of $s(t)$ is

$$r(t) = t^3 + 4t - 1,$$

which is irreducible over $\mathbb{Q}$, because its reduction modulo 7 has no roots in $\mathbb{Z}/7\mathbb{Z}$ (see [1], Section 2.1). Denote by $M$ its splitting field and by $G_r$ its Galois group.
In [1], an explicit form of the discriminant of a monic cubic polynomial is computed (see [1], Section 4.3). Generalizing this result, one can prove that the discriminant of $p(t) = at^3 + bt^2 + ct + d$ is given by

$$D(p) = b^2c^2 - 4ac^3 - 4b^3d - 27a^2d^2 + 18abcd. \tag{5.1}$$

Hence we find $D(r) = -256 - 27 = -283$, which is not a square in $\mathbb{Q}$. By Proposition 6.1.1 this proves that $G_r \not\subseteq A_3 \Rightarrow G_r = S_3$. Indeed, the only transitive subgroups of $S_3$ are $S_3$ and $A_3$.
Thus we have $|G_r| = |G_s/(G_s \cap V)| = 6$ and hence $G_s \cong S_4$, by the results in Table 5.1.

5.2.5 The quaternion group H8

In this subsection we are going to prove that the extension generated by the polynomial

$$p(t) = t^8 - 72t^6 + 180t^4 - 144t^2 + 36$$

over $\mathbb{Q}$ is a Galois extension with Galois group $H_8$. In our argument, we will use computations obtained with the software PARI/GP (see [12]). The specific commands used are given in the appendix (see Appendix A).

Both SAGE and PARI/GP have methods already implemented to prove that $p(t)$ is irreducible over $\mathbb{Q}$.
Denote by $\alpha$ a root of $p(t)$. Using PARI/GP we obtain the factorization of $p(t)$ over $\mathbb{Q}(\alpha)$

$$p(t) = (t - \alpha)(t + \alpha)(t - \beta)(t + \beta)(t - \gamma)(t + \gamma)(t - \delta)(t + \delta)$$

with

$$\beta = \frac{1}{2}\alpha^7 - \frac{215}{6}\alpha^5 + 78\alpha^3 - 42\alpha, \qquad \gamma = \frac{-9}{8}\alpha^7 + \frac{961}{12}\alpha^5 - \frac{549}{4}\alpha^3 + \frac{101}{2}\alpha,$$

$$\delta = \frac{-5}{8}\alpha^7 + \frac{133}{3}\alpha^5 - \frac{261}{4}\alpha^3 + 23\alpha.$$

In particular this proves that $\mathbb{Q}(\alpha)$ is the splitting field of $p(t)$. Moreover, $p(t)$ is separable, so $\mathbb{Q}(\alpha)/\mathbb{Q}$ is a Galois extension of degree 8.
Write $G = \mathrm{Gal}(\mathbb{Q}(\alpha)/\mathbb{Q})$ and define $\sigma, \tau \in G$ by

$$\sigma(\alpha) = \beta \quad \text{and} \quad \tau(\alpha) = \gamma.$$

Again using PARI/GP it is easy to verify that $\sigma \circ \tau(\alpha) = -\delta$ and $\tau \circ \sigma(\alpha) = \delta$. Hence the group $G$ is non-abelian. We still have to prove that $G \cong H_8$.
Computing with PARI/GP we find that the automorphisms $\sigma$ and $\tau$ are both of order 4 in $G$. Since $\tau \neq \sigma^{-1}$ this concludes the proof, because in $D_4$ there is only one subgroup of order 4.
Thus $G \cong H_8$.


Chapter 6

The Alternating group An

In this chapter we consider the group $A_n$, for $n \ge 3$. We first develop two different methods to prove that $A_3$, $A_4$ and $A_5$ are solutions of the inverse Galois problem. In the last section, some general results related to $A_n$, for all integers $n \ge 4$, are presented without proof.

6.1 The groups A4 and A3

We look for a Galois extension having Galois group isomorphic to $A_4$. To solve this problem we use the criterion of the cubic resolvent presented in Section 5.2.4. In particular, this case is very similar to the case of the group $S_4$ (see Example 5.2.8).
We consider the polynomial

$$f(t) = t^4 - 2t^3 + 2t^2 + 2,$$

which is irreducible over $\mathbb{Q}$, according to the Eisenstein criterion with respect to the prime number 2 (see [1] Section 2.1).
The resolvent cubic of $f(t)$ is

$$g(t) = t^3 - 2t^2 - 8t + 8,$$

which is also irreducible over $\mathbb{Q}$, because its reduction modulo 3 is irreducible (see [1] Section 2.1).
Denote by $K_g$ the splitting field of $g(t)$. Using the same arguments developed in Section 5.2.4 and with the same notations, we can prove that $K_g/\mathbb{Q}$ is a Galois extension with Galois group $G_g$ isomorphic to $G_f/(G_f \cap V)$. Moreover, we can compute the discriminant of $g(t)$ using the formula (5.1) for cubic polynomials. It is:

$$D(g) = 256 + 2048 + 256 - 1728 + 2304 = 3136 = 56^2,$$

which is a square in $\mathbb{Q}$. Therefore, according to Proposition 6.1.1, which is proved below, this shows that $G_g \subseteq A_3$. But since $g(t)$ is irreducible, we also know that $G_g$ is acting transitively on the set of roots of $g(t)$. The only proper subgroup of $S_3$ acting transitively on the set of numbered roots is $A_3$. Hence $G_g \cong A_3 \cong \mathbb{Z}/3\mathbb{Z}$ and in particular $|G_g| = 3$, and by Table 5.1 this means that $G_f \cong A_4$.

Here, the central argument is thus concerned with properties related to the discriminant of a polynomial and the Galois group of its splitting field over $\mathbb{Q}$. This is the following proposition, which we will also use in other sections.

Proposition 6.1.1. Let $f(t) \in \mathbb{Q}[t]$ be a monic polynomial of degree $n$ and let $D(f)$ denote its discriminant. Then:

(i) $D(f) = 0$ if and only if $f$ has a multiple zero.

Now suppose that $f(t)$ is separable and denote by $G$ the Galois group of the Galois extension $K_f/\mathbb{Q}$, where $K_f$ is the splitting field of $f(t)$. Then:

(ii) $D(f) \in \mathbb{Q}$.

(iii) $D(f)$ is a perfect square in $\mathbb{Q}$ if and only if the Galois group $G$ of $f(t)$ is contained in the alternating group $A_n$.

Proof.

(i) Recall that by definition we have $D(f) = \delta^2$, with

$$\delta = \prod_{i<j} (\alpha_i - \alpha_j),$$

where $\alpha_1, \dots, \alpha_n$ are the roots of $f(t)$ in some algebraic closure of $\mathbb{Q}$. Suppose $f(t)$ has a multiple zero; then we have $\alpha_i = \alpha_j$ for some $i \neq j$. This implies that one of the factors of $\delta$ is zero and therefore $\delta = D = 0$.
Conversely, $D = 0$ implies that $\delta = 0$ and this is the case if and only if one of the factors is zero. But then there exist $i, j$ with $i < j$ such that $\alpha_i = \alpha_j$, i.e. the polynomial $f$ has at least one multiple root.

(ii) Let $\sigma \in S_n$ and let us write $D(f) = D = \delta^2$. Clearly if $\sigma$ acts on the roots of $f$, it will permute the order of the factors of $\delta$ and change the sign of some of them.
For example, a transposition $(ab)$ with $a < b$ will act as the identity on all $\alpha_i, \alpha_j$ with $i > b$ and $j < a$. Precisely, it will permute $(\alpha_i - \alpha_a)$ and $(\alpha_i - \alpha_b)$ for the first and $(\alpha_a - \alpha_j)$ and $(\alpha_b - \alpha_j)$ for the second. If we now consider the effect for $a < j < b$ we have that $(\alpha_j - \alpha_a)$ will be mapped to $(\alpha_j - \alpha_b)$. This changes the sign of $\delta$. But we also have that $(\alpha_b - \alpha_j)$ is mapped to $(\alpha_a - \alpha_j)$, so the sign is changed again. We finally have to consider that $(\alpha_b - \alpha_a)$ is mapped to $(\alpha_a - \alpha_b)$, which changes the sign of $\delta$. Therefore any transposition maps $\delta$ to $-\delta$. Hence an even permutation, which is a product of an even number of transpositions, will fix $\delta$, and an odd permutation will map $\delta$ to $-\delta$.
In particular $\sigma \in S_n$ has no effect when acting on $D = \delta^2$.
Hence $D \in \mathrm{Fix}(G) = \mathbb{Q}$, according to the assumptions on $G$ and $f(t)$ and by Theorem 1.6.6.

(iii) Let $G$ be the Galois group associated to $f(t)$ considered as a subgroup of $S_n$. If $D(f)$ is a perfect square in $\mathbb{Q}$ then $\delta \in \mathbb{Q}$ and $\delta$ is fixed by every element $\sigma \in G$. But, by (ii), we know that any odd permutation maps $\delta$ to $-\delta$. As this never occurs for $\sigma \in G$, we can conclude that $G$ contains only even permutations. Hence $G \subseteq A_n$.
Conversely if $G \subseteq A_n$, then every $\sigma \in G$ fixes $\delta$. Therefore $\delta \in \mathrm{Fix}(G) = \mathbb{Q}$. Hence $D(f) = \delta^2$ is a perfect square in $\mathbb{Q}$.
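The resolvent criterion of Section 5.2.4, run on the quartics treated in Sections 5.2.4 and 6.1, as an added example (not code from the thesis, which uses PARI/GP). It assumes a monic quartic with integer coefficients that is already known to be irreducible over $\mathbb{Q}$; the function names are chosen here, and $t^4 + 1$ is an extra input that does not appear in the text.

```python
from math import isqrt

# |G_f / (G_f ∩ V)|  ->  G_f, read off Table 5.1.
# Order 2 leaves two candidates: separating D4 from C4 needs the
# irreducibility test of f over M described in Section 5.2.4.
TABLE_5_1 = {6: "S4", 3: "A4", 1: "V", 2: "D4 or C4"}


def cubic_resolvent(b, c, d, e):
    """Lemma 5.2.6: resolvent of t^4 + b t^3 + c t^2 + d t + e (high -> low)."""
    return (1, -c, b * d - 4 * e, -b * b * e + 4 * c * e - d * d)


def cubic_discriminant(a, b, c, d):
    """Formula (5.1) for a t^3 + b t^2 + c t + d."""
    return (b * b * c * c - 4 * a * c ** 3 - 4 * b ** 3 * d
            - 27 * a * a * d * d + 18 * a * b * c * d)


def evaluate(coeffs, x):
    """Horner evaluation, coefficients from highest to lowest degree."""
    value = 0
    for coef in coeffs:
        value = value * x + coef
    return value


def integer_roots(coeffs):
    """Distinct rational roots of a monic integer polynomial.

    By the rational root theorem they are integers dividing the lowest
    non-zero coefficient (plus 0 when the constant term vanishes).
    """
    coeffs = list(coeffs)
    roots = set()
    while coeffs[-1] == 0:          # factor out t
        roots.add(0)
        coeffs.pop()
    const = abs(coeffs[-1])
    for k in range(1, const + 1):
        if const % k == 0:
            for cand in (k, -k):
                if evaluate(coeffs, cand) == 0:
                    roots.add(cand)
    return roots


def is_square(n):
    return n >= 0 and isqrt(n) ** 2 == n


def resolvent_group_order(g):
    """Order of the Galois group of the cubic resolvent g over Q."""
    disc = cubic_discriminant(*g)
    if disc == 0:
        raise ValueError("resolvent has a multiple root: f is not separable")
    n_roots = len(integer_roots(g))
    if n_roots == 3:                # g splits over Q
        return 1
    if n_roots == 1:                # linear factor times irreducible quadratic
        return 2
    # g is irreducible: A3 if the discriminant is a square, S3 otherwise
    # (Proposition 6.1.1 (iii)).
    return 3 if is_square(disc) else 6


def classify_quartic(b, c, d, e):
    """Return (resolvent, discriminant, group) for an irreducible quartic."""
    g = cubic_resolvent(b, c, d, e)
    return g, cubic_discriminant(*g), TABLE_5_1[resolvent_group_order(g)]


if __name__ == "__main__":
    examples = {
        "t^4 - 2 (Section 5.2.4)": (0, 0, 0, -2),
        "t^4 - t - 1 (Example 5.2.8)": (0, 0, -1, -1),
        "t^4 - 2t^3 + 2t^2 + 2 (Section 6.1)": (-2, 2, 0, 2),
        "t^4 + 1 (added input, not from the text)": (0, 0, 0, 1),
    }
    for name, coeffs in examples.items():
        print(name, classify_quartic(*coeffs))
```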

6.2 The group A5

We start this section by giving two general results. They will be useful to prove that $A_5$ is the Galois group of a Galois extension of $\mathbb{Q}$.

Lemma 6.2.1. Let $G$ be a group of order 15. Then $G \cong \mathbb{Z}/15\mathbb{Z}$.

Proof. Let $k$ be the number of 5-Sylow subgroups in $G$. By the theorems of Sylow we have $k \equiv 1 \bmod 5$ and $k \mid 3$, i.e. $k = 1$. Let $Q$ denote the unique 5-Sylow in $G$. We have $Q \cong \mathbb{Z}/5\mathbb{Z}$ and in $Q$ we have exactly 4 elements of order 5. In particular, there is no other element of order 5 in $G$, because it would generate a different 5-Sylow subgroup.
Similarly, denote by $R$ the number of 3-Sylow subgroups. Again we know that $R \mid 5$ and $R \equiv 1 \bmod 3$. Hence $R = 1$ and $G$ contains precisely 2 elements of order 3.
The order $o(g)$ of an element $g \in G$ must divide 15. Hence $o(g) \in \{1, 3, 5, 15\}$. There is a unique element of order 1, two of order 3 and four of order 5. As $15 > 1 + 3 + 5 = 9$, it follows that there is some $h \in G$ of order 15. Hence $G = \langle h \rangle \cong \mathbb{Z}/15\mathbb{Z}$.

Remark 6.2.2. In this proof we use some theory about Sylow subgroups. We refer the reader to ([7], Chapter 1) for more details on this subject.

Proposition 6.2.3 (Dedekind). Let $p$ be a prime number and let $f(t) \in \mathbb{Z}[t]$ be a separable monic polynomial of degree $n$. Denote by $\bar f$ its reduction modulo $p$, i.e. $\bar f \in \mathbb{Z}/p\mathbb{Z}[t]$. Suppose $\bar f$ is separable and denote

$$\bar f(t) = \prod_{i=1}^{r} \bar f_i(t)$$

its decomposition in irreducible factors of $\mathbb{Z}/p\mathbb{Z}[t]$. For each index $i \in \{1, \dots, r\}$, we denote by $n_i$ the degree of $\bar f_i$. We also denote $G_f$ the Galois group associated to $f(t)$.
Then, for $1 \le i \le r$, there exist cycles $\sigma_i \in S_n$ of order $n_i$ with distinct supports such that

$$\prod_{i=1}^{r} \sigma_i \in G_f.$$

Proof. Omitted. See ([3], Chapter 13, Theorem 13.4.5).

Remark 6.2.4. Recall that the support of a permutation $\sigma$ is the set of elements which are not fixed by $\sigma$, i.e. the set of $x$'s such that $\sigma(x) \neq x$.

Using these results we can prove the main result of this section.

Theorem 6.2.5. Let $f(t)$ be a monic irreducible polynomial of $\mathbb{Z}[t]$ of degree 5. Suppose that $f$ satisfies the following properties:

(i) The discriminant $D(f)$ is a square in $\mathbb{Z}$.

(ii) There exists a prime number $p$ that does not divide $D(f)$ and such that the reduction $\bar f(t) \in \mathbb{Z}/p\mathbb{Z}[t]$ has exactly two roots in $\mathbb{Z}/p\mathbb{Z}$.

Then the Galois group $G_f$ associated to $f(t)$ is isomorphic to $A_5$.

Proof. Again, we identify $G_f$ with a subgroup of $S_5$. According to condition (i) and by Proposition 6.1.1 we know already that $G_f \subseteq A_5$.
Moreover as $p$ does not divide $D(f)$, the reduction is still separable over $\mathbb{Z}/p\mathbb{Z}$. Indeed, if $\{\alpha_1, \dots, \alpha_5\}$ is the set of roots of $f(t)$, the roots of $\bar f(t)$ will be $\bar\alpha_1, \dots, \bar\alpha_5$, where $\bar x$ denotes the class of $x \in \mathbb{Z}$ in $\mathbb{Z}/p\mathbb{Z}$. Since $p$ does not divide $D(f)$ we have

$$D(\bar f) = \prod_{i<j} (\bar\alpha_i - \bar\alpha_j)^2 \neq 0.$$

Hence, by the same argument as in Proposition 6.1.1, the roots of $\bar f$ are distinct and $\bar f$ is separable over $\mathbb{Z}/p\mathbb{Z}$.
Also, according to condition (ii) the reduction modulo $p$ is the product of two linear factors and a cubic factor. Then, applying Proposition 6.2.3, we can conclude that there exists a cycle of order 3 in the Galois group $G_f$ of $f(t)$. Therefore, $3 \mid |G_f|$. Moreover, $f(t)$ is irreducible over $\mathbb{Q}$, thus we know that $\deg(f(t)) = 5 \mid |G_f|$ as well (see [1], Lemma 21). It follows that $15 \mid |G_f|$ and hence $|G_f| = 15$, $30$ or $60$, because $G_f \subseteq A_5$ and $|A_5| = 60$. By Lemma 6.2.1, every group of order 15 is cyclic. Since the group $A_5$ contains no element of order greater than 5, we have $|G_f| = 30$ or $60$. Suppose $|G_f| = 30$; then $G_f$ would be of index 2 in $A_5$ and so would be a strict normal subgroup of $A_5$. But $A_5$ is a simple group and therefore $|G_f| = 60$, i.e. $G_f \cong A_5$.

Remark 6.2.6. For every $n \ge 5$, the alternating group $A_n$ is simple. For a proof of this important result of group theory we refer the reader to ([7], Chapter 8, Theorem 8.27).

As a consequence of Theorem 6.2.5, to construct a Galois extension with Galois group isomorphic to $A_5$ we simply need to find a polynomial satisfying conditions (i) and (ii). For example we can consider the following polynomial

$$f(t) = t^5 - 10t^3 + 2t^2 + 19t - 6.$$

This polynomial is irreducible, because it is irreducible after reduction modulo 5 (see [1] Section 2.1). Indeed, one can verify that this polynomial has no roots modulo 5. Then if $f(t)$ were reducible, there would exist a factorization of the type:

$$(t^2 + at + b)(t^3 + ct^2 + dt + e) = t^5 + 2t^2 - t - 1.$$

This leads to the following system:

$$\begin{cases} a + c = 0 \\ d + ac + b = 0 \\ e + ad + bc = 2 \\ bd + ae = -1 \\ be = -1 \end{cases}$$

Solving, we obtain:

$$\begin{cases} c = -a \\ d = -ac - b = a^2 - b \\ e = -b^{-1} \\ ba^2 - ab^{-1} - b^2 + 1 = 0 \\ a^3 - b^{-1} - 2ab = 2 \end{cases}$$

With the last two equations we prove that this system has no solution in $\mathbb{Z}/5\mathbb{Z}$. Indeed, the fourth equation has a solution if and only if $b \neq 0$ and $(b^{-1})^2 + b(1 - b^2)$ is a square in $\mathbb{Z}/5\mathbb{Z}$. In particular, we found that the following pairs $(a, b)$ are solutions of the fourth equation: $(0, 1)$, $(1, 1)$, $(2, 3)$, $(0, 4)$, $(1, 4)$. One can easily verify that none of these pairs is a solution of the last equation. Hence, the system is not solvable in $\mathbb{Z}/5\mathbb{Z}$ and $f(t)$ is irreducible over $\mathbb{Z}/5\mathbb{Z}$.

Moreover, using the software PARI we find the discriminant: $D(f) = (23887)^2$, which is a square in $\mathbb{Z}$. In particular, as $D(f) \neq 0$, we have that $f(t)$ is separable.
Considering the reduction of $f(t)$ modulo 3 we have:

$$\bar f(t) = t^5 - t^3 + 2t^2 + t = t(t - 1)(t^3 + t^2 - 1).$$

As 3 does not divide $D(f)$, the polynomial $f(t)$ satisfies the necessary conditions of Theorem 6.2.5. Denote by $K_f$ the splitting field of $f(t)$ over $\mathbb{Q}$. As $f(t)$ is separable, the extension $K_f/\mathbb{Q}$ is a Galois extension. Hence, by Theorem 6.2.5, the Galois group of $K_f/\mathbb{Q}$ is isomorphic to $A_5$.
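The reductions used in this section, computed rather than checked by hand, as an added example (not code from the thesis): it returns the degrees of the irreducible factors of a monic integer polynomial modulo $p$, which by Proposition 6.2.3 form the cycle type of an element of $G_f$. It uses distinct-degree factorization, a standard method that the text does not describe; all function names are chosen here.

```python
def trim(a):
    """Drop zero leading coefficients in place (lists are low -> high degree)."""
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def poly_sub(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0)
                  - (b[i] if i < len(b) else 0)) % p for i in range(n)])


def poly_divmod(a, m, p):
    """Quotient and remainder of a by the non-zero polynomial m over Z/pZ."""
    a = trim([x % p for x in a])
    q = [0] * max(len(a) - len(m) + 1, 0)
    inv = pow(m[-1], -1, p)                 # inverse of the leading coefficient
    while len(a) >= len(m):
        shift = len(a) - len(m)
        q[shift] = a[-1] * inv % p
        for i, coef in enumerate(m):
            a[shift + i] = (a[shift + i] - q[shift] * coef) % p
        trim(a)
    return q, a


def poly_gcd(a, b, p):
    """A gcd over Z/pZ (not normalised; only its degree is used below)."""
    a, b = list(a), list(b)
    while b:
        a, b = b, poly_divmod(a, b, p)[1]
    return a


def poly_pow_mod(base, exp, f, p):
    result = [1]
    base = poly_divmod(base, f, p)[1]
    while exp:
        if exp & 1:
            result = poly_divmod(poly_mul(result, base, p), f, p)[1]
        base = poly_divmod(poly_mul(base, base, p), f, p)[1]
        exp >>= 1
    return result


def factor_degrees(coeffs_high_to_low, p):
    """Sorted degrees of the irreducible factors of the reduction modulo p.

    Raises ValueError when the reduction has a repeated factor, i.e. when
    Proposition 6.2.3 does not apply for this prime.
    """
    f = trim([c % p for c in reversed(coeffs_high_to_low)])
    derivative = trim([(i * c) % p for i, c in enumerate(f)][1:])
    if len(poly_gcd(f, derivative, p)) != 1:
        raise ValueError("reduction modulo %d is not separable" % p)
    degrees, h, d = [], [0, 1], 0
    while len(f) > 1:
        d += 1
        if 2 * d > len(f) - 1:              # no factor of degree < d is left
            degrees.append(len(f) - 1)
            break
        h = poly_pow_mod(h, p, f, p)        # x^(p^d) mod f
        g = poly_gcd(f, poly_sub(h, [0, 1], p), p)
        count = (len(g) - 1) // d           # number of factors of degree d
        if count:
            degrees += [d] * count
            f = poly_divmod(f, g, p)[0]
            h = poly_divmod(h, f, p)[1]
    return sorted(degrees)


def has_exactly_two_roots(coeffs_high_to_low, p):
    """Root count required in condition (ii) of Theorem 6.2.5."""
    return factor_degrees(coeffs_high_to_low, p).count(1) == 2


if __name__ == "__main__":
    quintic = [1, 0, -10, 2, 19, -6]        # t^5 - 10t^3 + 2t^2 + 19t - 6
    print(factor_degrees(quintic, 5))       # irreducible modulo 5
    print(factor_degrees(quintic, 3))       # two linear factors and a cubic
```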

6.3 The general group An

In this section we outline some results related to the alternating group $A_n$, for any positive integer $n$.

We start by defining Hilbert's property and its most important theorem related to inverse Galois theory. For more details we refer the reader to ([24], Chapter 1) (or to ([19], Chapter 3) for an approach to the same subject using algebraic geometry).

Definition 6.3.1 (Hilbertian field). A field $K$ is called a Hilbertian field if it satisfies one of the three following equivalent conditions:

(i) For each irreducible polynomial $f(X, T)$ in two variables over $K$ and of degree greater than or equal to 1 in $T$, there are infinitely many $b \in K$ such that the specialized polynomial $f(b, T)$ is irreducible over $K[T]$.

(ii) Given a finite extension $L/K$ and if $h_1(X, T), \dots, h_m(X, T) \in L[X, T]$ are irreducible polynomials in $T$ over $L[X]$, there are infinitely many $b \in K$ such that the specialized polynomials $h_1(b, T), \dots, h_m(b, T)$ are irreducible in $L[T]$ as well.

(iii) For all irreducible polynomials $p_1(X, T), \dots, p_r(X, T) \in K[X, T]$ that are of degree $\ge 1$ as polynomials in $T$ over $K[X]$, there are infinitely many $b \in K$ such that none of the specialized polynomials $p_1(b, T), \dots, p_r(b, T)$ has any root in $K$.

Moreover it can be shown that if a field $K$ is Hilbertian and if $f(X, T)$ satisfies the property (i), then there are infinitely many $b \in K$ such that the Galois groups of $f(X, T)$ and of $f(b, T)$ are the same. More generally, we have the following theorem.

Theorem 6.3.2. Let $K$ be a Hilbertian field. If a finite group $G$ occurs as a Galois group over $K(X_1, \dots, X_m)$, for some $m \ge 1$, then $G$ also occurs as a Galois group over $K$.

The Irreducibility Theorem of Hilbert guarantees that we can use this criterion over the rational field $\mathbb{Q}$. Indeed, it can be stated as follows.

Theorem 6.3.3 (Hilbert's Irreducibility Theorem). The field $\mathbb{Q}$ is Hilbertian.

Notice that according to the equivalence (i)⇔(ii) in the definition of Hilbertian fields, it is clear that every finite extension of $\mathbb{Q}$ is also a Hilbertian field. In particular any number field is Hilbertian.

Using this result, Hilbert in 1892 proved that for any positive integer $n$, the symmetric group $S_n$ and the alternating group $A_n$ are Galois groups over $\mathbb{Q}$. For the case of $A_n$ it is generally necessary to distinguish different cases for $n$ even or odd.
For example, if $n$ is even it is proved that the polynomial

$$h_n(X, T) = (n - 1)X^n - nX^{n-1} + 1 + (-1)^{n/2}(n - 1)T^2 \in \mathbb{Q}[X, T],$$

which is irreducible over $\mathbb{Q}[T]$, has Galois group $A_n$ over $\mathbb{Q}(T)$ (see [19], Section 4.5).
Unfortunately, whereas Hilbert's Theorem guarantees the existence of a suitable $b \in \mathbb{Q}$ such that $h_n(X, b)$ is irreducible over $\mathbb{Q}$ with Galois group $A_n$, it does not give any information on how to find such a value $b$.

In [8], using some suitable variable substitutions and fixing $T = 1$, the author considers the polynomial

$$g_n = X^n - n(2 - n)^{n-2}X + (2 - n)^{n-1}(n - 1).$$

It is an irreducible polynomial over $\mathbb{Q}$ whose splitting field has Galois group $A_n$ over $\mathbb{Q}$, for any even integer $n \le 50$ which is not a multiple of 4.

With a similar approach, Malle and Matzat ([9]) have shown that there exist infinitely many trinomials of the form

$$m(X, T) = X^n - T(nX - n + 1)$$

with Galois group $A_n$ over $\mathbb{Q}$. Using different arguments for the cases $n$ odd and $n$ even, Hermez and Salinier give a method to fix the value of $T$ and construct a trinomial $X^n + aX^m + b$ with Galois group $A_n$ over $\mathbb{Q}$ (see [5]).

On the other hand, Schur studied polynomials that play an important role in analysis and obtained various results. For example, he proved that the polynomial

$$f_n(X) = \sum_{k=0}^{n} \frac{X^k}{k!}$$

has Galois group $G_{f_n}$ isomorphic to $A_n$ if 4 divides $n$, and isomorphic to $S_n$ otherwise.
Schur also solved the case of an odd positive integer $n$ by considering Laguerre's polynomial. In particular he proved that this polynomial, defined as

$$L_n^{\alpha}(X) = \sum_{k=0}^{n} \binom{n + \alpha}{n - m} \frac{(-X)^k}{k!},$$

with $n, \alpha \in \mathbb{N}$, is irreducible over $\mathbb{Q}$ for $\alpha = 0$ or $1$ and that for any odd positive integer $n$ the Galois group of $L_n^{1}$ is the alternating group $A_n$.
We refer the reader to [17] for more details on the work of Schur.


Chapter 7

Elliptic curves and the group GL2(Fp)

Let $p$ be a prime number. In this chapter we construct the general linear group $\mathrm{GL}_2(\mathbb{F}_p)$ as a Galois group. The method here is essentially geometric, based on the theory of elliptic curves. For that purpose, we first recall some notions related to projective spaces and elliptic curves in Section 7.1. This section also contains all properties that will be useful for the rest of the chapter. In the second section we describe the method and we apply it to realize $\mathrm{GL}_2(\mathbb{F}_p)$ as a Galois group over $\mathbb{Q}$. Finally in Section 7.3 we define the notion of complex multiplication and we consider the example of a specific elliptic curve $E$ with complex multiplication.

7.1 Elliptic curves

In this section, we recall some definitions and properties about projective spaces and elliptic curves. These objects are not studied in depth and for more details we refer the reader to [21], [20] or to [25].

7.1.1 The projective space Pn(K)

Let $K$ be a field, which, in our case, will be $\mathbb{Q}$, $\overline{\mathbb{Q}}$, $\mathbb{C}$ or a number field $K$. Let $n \ge 1$ be a positive integer. To define the projective space $\mathbb{P}^n(K)$ we consider the action of $K^*$ on $K^{n+1}$ defined by:

$$K^* \times K^{n+1} \longrightarrow K^{n+1}$$
$$(t, (x_0, \dots, x_n)) \mapsto t(x_0, \dots, x_n) = (tx_0, \dots, tx_n).$$

Definition 7.1.1 (Projective Space). The projective space $\mathbb{P}^n(K)$ is defined as the set of all the orbits for the action of $K^*$ on $K^{n+1}$ defined above.

Equivalently, a point in $\mathbb{P}^n(K)$ is an equivalence class of $K^{n+1} - \{(0, \dots, 0)\}$ with respect to the equivalence relation

$$(x_0, \dots, x_n) \sim (y_0, \dots, y_n) \Leftrightarrow \exists\, t \in K^* \text{ such that } y_i = tx_i, \ \forall i = 0, \dots, n.$$

Notation: An element of $\mathbb{P}^n(K)$ is written $[x_0 : \cdots : x_n]$ if it is the equivalence class of a point $P = (x_0, \dots, x_n)$ of $K^{n+1}$. We say that $[x_0 : \cdots : x_n]$ are homogeneous coordinates of $P$.

Remark 7.1.2. Any point $[x_0 : \cdots : x_n]$ with $x_n \neq 0$ is equivalent to $[x_0/x_n : \cdots : x_{n-1}/x_n : 1]$.

Example 7.1.3.

- The real projective line $\mathbb{P}^1(\mathbb{R})$: When $K = \mathbb{R}$ and $n = 1$, we can give an equivalent definition of the projective space $\mathbb{P}^1(\mathbb{R})$. Indeed, as outlined above, it is the set of equivalence classes of $\mathbb{R}^2 - \{(0, 0)\}$ where two points $P = (x, y)$ and $P' = (x', y')$ are equivalent if and only if there exists $t \in \mathbb{R}^*$ such that $P = tP'$. Elements of $\mathbb{P}^1(\mathbb{R})$ are written $[x_0 : x_1]$. In particular, any point $[x_0 : x_1]$ with $x_1 \neq 0$ is equivalent to $[x_0/x_1 : 1] = [z : 1]$, for some $z \in \mathbb{R}$, and conversely. This subset is then in bijection with $\mathbb{R}$.
  There remain the points $[x_0 : 0]$, which are all equivalent to $[1 : 0]$, since $x_0$ cannot be zero. We denote this class $\{\infty\}$ and it is called the point at infinity. We thus have the decomposition

  $$\mathbb{P}^1(\mathbb{R}) = \mathbb{R} \sqcup \{\infty\}.$$

  Geometrically, the subset of points equivalent to $[z : 1]$, for some $z \in \mathbb{R}$, is in bijection with the set of lines of the Euclidean plane $\mathbb{R}^2$ passing through the origin $(0, 0)$ and not parallel to the axis $y = 0$. Indeed, each real number $a \neq 0$ gives rise to a unique such line, precisely the one that passes through $(a, 1)$ and $(0, 0)$. The unique line passing through $(0, 0)$ that remains is the axis $x = 0$ and we identify it with the point at infinity $[1 : 0]$ of $\mathbb{P}^1(\mathbb{R})$. For that reason, one can see $\mathbb{P}^1(\mathbb{R})$ as the set of directions of all lines of $\mathbb{R}^2$ passing through $(0, 0)$.

- The real projective space $\mathbb{P}^2(\mathbb{R})$: Extending the previous description to $n = 2$ for $K = \mathbb{R}$, we get the following equivalent construction of $\mathbb{P}^2(\mathbb{R})$. In the Euclidean space $\mathbb{R}^3$, considering all the lines passing through $(0, 0, 0)$ we can separate them into three subsets:

  - the subset of such lines that intersect the plane $z = 1$. Since there is only one point of intersection, say $(x, y, 1)$, for some $(x, y) \in \mathbb{R}^2$, this subset is in bijection with $\mathbb{R}^2$.

  - the subset of such lines that belong to the plane $z = 0$ and that are not parallel to the axis $y = 0$. As before, these lines thus intersect the line $\begin{cases} y = 1, \\ z = 0 \end{cases}$ in a unique point, say $(x, 1, 0)$, with $x \in \mathbb{R}$. Therefore this subset is in bijection with $\mathbb{R}$.

  - the subset formed by the axis $\begin{cases} y = 0, \\ z = 0 \end{cases}$. We denote this subset $\{\infty\}$, since it corresponds to the point at infinity of $\mathbb{P}^1(\mathbb{R})$.

  Therefore one can write

  $$\mathbb{P}^2(\mathbb{R}) = \mathbb{R}^2 \sqcup \mathbb{R} \sqcup \{\infty\}.$$

  In particular, $\mathbb{P}^1(\mathbb{R})$ can be considered as a subset of $\mathbb{P}^2(\mathbb{R})$ and as such it is usually called the "line at infinity", whereas $\mathbb{R}^2$ is called the "affine plane".

In this chapter, we will essentially consider the projective plane $\mathbb{P}^2(K)$ where points are given by coordinates $X, Y, Z$. The points at infinity correspond to the equation $Z = 0$ as in the example above.

Elliptic curves are usually defined over the projective space $\mathbb{P}^2(\overline{K})$, where $\overline{K}$ denotes the algebraic closure of $K$. According to the previous example, we can expect that points at infinity will play a special role in the theory of elliptic curves.
We are considering the larger projective space $\mathbb{P}^2(\overline{K})$. Nevertheless, we will see that points with coordinates in $K$ are of particular interest too. Therefore we define rational points.

Definition 7.1.4 (Rational point). A point $p = [x_0, x_1, x_2] \in \mathbb{P}^2(\overline{K})$ is called a rational point if there exists $t \in \overline{K}^*$ such that $t(x_0, x_1, x_2) = (y_0, y_1, y_2) \in K^3 - 0$.

This means that all rational points of $\mathbb{P}^2(\overline{K})$ are equivalent to a point with coordinates in $K$.
Similarly to Example 7.1.3, if $x_2 \neq 0$, the point $[x_0 : x_1 : x_2] \in \mathbb{P}^2(\overline{K})$ corresponds to the point $[\frac{x_0}{x_2} : \frac{x_1}{x_2} : 1]$ and hence to the unique point $(\frac{x_0}{x_2}, \frac{x_1}{x_2}) \in \overline{K}^2$.
In particular, if $[x_0, x_1, x_2]$ is the representative with all coordinates in $K$ of a rational point, then the corresponding point $(\frac{x_0}{x_2}, \frac{x_1}{x_2})$ is in $K^2$. Conversely, any point $(x, y) \in \overline{K}^2$ will correspond to a unique point in the projective space $\mathbb{P}^2(\overline{K})$, which can be represented by $[x : y : 1]$. Hence each point $(x, y) \in K^2$ corresponds to a rational point in $\mathbb{P}^2(\overline{K})$.
The case $x_2 = 0$, which corresponds to the points at infinity, will be considered further on in the particular case of elliptic curves.

7.1.2 Homogeneous polynomials, projective curves and elliptic curves

Elliptic curves are projective curves with additional properties.

De�nition 7.1.5 (Homogeneous polynomial). A polynomial f ∈ K[X, Y, Z]is said to be homogeneous of degree d if f(λX, λY, λZ) = λdf(X, Y, Z), forany λ ∈ K.

De�nition 7.1.6 (Projective curve). A projective curve over K in P2(K) isthe zero-locus of a non-zero homogeneous polynomial of K[X, Y, Z].

Note that considering $\mathbb{P}^2(\overline{K})$ instead of $\mathbb{P}^2(K)$ ensures that we have the whole set of zeros. Moreover, notice that there is a correspondence between polynomials of $K[x, y]$ and homogeneous polynomials of $K[X, Y, Z]$. Indeed, to each polynomial $f(x, y) \in K[x, y]$ we associate a unique homogeneous polynomial of $K[X, Y, Z]$ of degree $d = \deg(f)$ given by

$$F(X, Y, Z) = Z^d f\left(\frac{X}{Z}, \frac{Y}{Z}\right).$$

The idea is that given a polynomial in $K[x, y]$ we multiply every monomial of degree $e < d$ by $Z^{d-e}$, so that each monomial then has degree $d$.

Example 7.1.7. For example consider the polynomial $f(x, y) = x^4 - x^2 y + 3y - 2$. The related homogeneous polynomial is:

$$F(X, Y, Z) = X^4 - X^2 Y Z + 3 Y Z^3 - 2 Z^4 = Z^4\left(\frac{X^4}{Z^4} - \frac{X^2 Y}{Z^3} + \frac{3Y}{Z} - 2\right) = Z^4 f\left(\frac{X}{Z}, \frac{Y}{Z}\right).$$

Conversely, if we fix $Z = 1$, then we have $F(x, y, 1) = f(x, y)$, so that one can recover $f(x, y)$ from $F(X, Y, Z)$.

There is still one property that we need to introduce to define elliptic curves. We give hereafter the equivalent definitions in the affine case and the projective case.


Definition 7.1.8 (Non-singular point). Consider an affine curve $C$ given by the equation $f(x, y) = 0$ in $K^2$. Let $P$ be a point of $C$. We say that $P = (x_0, y_0)$ is singular if

$$\frac{\partial f}{\partial x}(x_0, y_0) = \frac{\partial f}{\partial y}(x_0, y_0) = 0.$$

The point $P$ is called non-singular if it is not singular. The curve $C$ is called non-singular if every point of $C$ is non-singular.

This property guarantees that the tangent line is well-defined at each point of the curve. Indeed, the equation of the tangent line of the curve $f$ at $(r, s)$ is

$$\frac{\partial f}{\partial x}(r, s)(x - r) + \frac{\partial f}{\partial y}(r, s)(y - s) = 0, \qquad (7.1)$$

which is well-defined when at least one derivative is non-zero. This is not the case, for example, when the curve $C$ crosses over itself or contains a cusp.

Definition 7.1.9 (Singular point). Equivalently, let $F(X, Y, Z)$ be a homogeneous polynomial. We say that a point $P = [X : Y : Z]$ is singular if and only if

$$\frac{\partial F}{\partial X}(P) = \frac{\partial F}{\partial Y}(P) = \frac{\partial F}{\partial Z}(P) = 0.$$

If $C = \{P \in \mathbb{P}^2(\overline{K}) \mid F(P) = 0\}$ is the projective curve related to the homogeneous polynomial $F$, we say that it is non-singular if every point $P$ of $C$ is not singular. Again this makes it possible to define the notion of tangent line of the curve.

Definition 7.1.10 (Elliptic curve). An elliptic curve over $K$ is a non-singular, projective curve in $\mathbb{P}^2(\overline{K})$ of degree 3 with at least one rational point. This means that an elliptic curve is the locus of all zeros in $\mathbb{P}^2(\overline{K})$ of a non-singular homogeneous polynomial of degree 3 with coefficients in $K$ together with a rational point $O$.

The set of rational points of an elliptic curve $E$ is denoted by $E(K)$. The problem of the existence of a rational point can be solved in a finite number of steps for a projective curve of degree 2, but not for a projective cubic. This problem is not considered in this report.

7.1.3 The Weierstrass equation of an elliptic curve

In this subsection we want to give a simpler polynomial form defining an elliptic curve. Therefore we anticipate that any elliptic curve has a structure of an abelian group and we assume the result presented hereafter without proof.

Theorem 7.1.11. Let $E$ be an elliptic curve over a field $K$ with rational base point $O$.

(i) The curve $E$ is isomorphic to an elliptic curve $E'$ over $K$ given by a polynomial of the Weierstrass form

$$Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3.$$

In particular there exists a group isomorphism $\Phi : E \to \mathbb{P}^2(\overline{K})$ such that $\Phi(O) = [0 : 1 : 0]$.

(ii) Every cubic non-singular projective curve given by a Weierstrass equation is an elliptic curve over $K$ with base point $O' = [0 : 1 : 0]$.

(iii) Suppose there are two elliptic curves $E'$, $E''$ satisfying the conditions of part (i). Then there exists a linear transformation from $E'$ to $E''$ of the form $X = u^2 X' + r$ and $Y = u^3 Y' + suX' + t$, with $u, r, s, t \in K$ and $u \neq 0$. The curves $E'$ and $E''$ are then equivalent.

Proof. Omitted. See ([20], Chapter 3, Proposition 3.1).

We now study in more detail the set of rational points $E(K)$. In particular this set has an abelian group structure for non-singular elliptic curves if $\mathrm{char}(K) \neq 2, 3$. From now on, suppose $\mathrm{char}(K) \neq 2, 3$. Using the affine curve corresponding to the homogeneous polynomial given by the Weierstrass equation and Theorem 7.1.11, we will consider from now on the following definition of an elliptic curve, which gives a useful equation for the study of these curves.

Definition 7.1.12 (Elliptic curve). An elliptic curve over $K$ is given by a non-singular equation in $K[x, y]$ of the Weierstrass form

$$y^2 = x^3 + ax^2 + bx + c,$$

with coefficients $a, b, c \in K$ together with a point $O$ "at infinity".

If one considers the Weierstrass homogeneous polynomial

$$F(X, Y, Z) = X^3 + aX^2 Z + bXZ^2 + cZ^3 - Y^2 Z,$$

then an elliptic curve $E$ is also a projective curve in $\mathbb{P}^2(\overline{K})$ given by $F(X, Y, Z) = 0$. In particular, the point $O = [0 : 1 : 0]$ belongs to $E$. It is called the point at infinity of the curve $E$.


Remark 7.1.13. - If not mentioned otherwise, we will suppose from now on that the rational base point of an elliptic curve $E$ is $O = [0 : 1 : 0]$.

- Notice that starting from the Weierstrass homogeneous equation considered in Theorem 7.1.11 we have the corresponding affine polynomial equation in $K[x, y]$:

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.$$

Then, we obtain the equivalent polynomial equation

$$y^2 = x^3 + b_2 x^2 + b_4 x + b_6,$$

with $b_2 = a_2 + \frac{a_1^2}{4}$, $b_4 = a_4 + \frac{a_1 a_3}{2}$ and $b_6 = a_6 + \frac{a_3^2}{4}$, after replacing $y$ by $y - \frac{a_1}{2}x - \frac{a_3}{2}$. Hence, every elliptic curve can be expressed in the Weierstrass form given in Definition 7.1.12.

7.1.4 Singular points

Consider an equation of the Weierstrass form $f(x, y) = y^2 - x^3 - ax^2 - bx - c = y^2 - p(x)$ with $a, b, c \in K$. By the definition of singular point, we know that $P = (x_0, y_0)$ is a singular point if and only if

$$\frac{\partial f}{\partial x}(x_0, y_0) = -p'(x_0) = 0 \quad \text{and} \quad \frac{\partial f}{\partial y}(x_0, y_0) = 2y_0 = 0.$$

Equivalently, the curve has a singular point if and only if $p(x)$ has a multiple root. Indeed, suppose $(x_0, y_0)$ is a point of the curve such that $x_0$ is a multiple root of $p(x)$. Then $x_0$ is also a zero of $p'(x)$. Therefore $\frac{\partial f}{\partial x}(x_0, y_0) = 0$. Moreover we have

$$f(x_0, y_0) = 0 \Rightarrow y_0^2 - p(x_0) = 0 \Rightarrow y_0 = 0.$$

Hence $\frac{\partial f}{\partial y}(x_0, y_0) = 0$ as well and $(x_0, y_0)$ is a singular point.

Similarly, if $(x_0, y_0)$ is a singular point we have $\frac{\partial f}{\partial y}(x_0, y_0) = 0$, and so $y_0 = 0$, because $\mathrm{char}(K) \neq 2$. Therefore we have

$$f(x_0, y_0) = 0 \Rightarrow -p(x_0) = 0 \Rightarrow x_0 \text{ is a root of } p(x).$$

But also $\frac{\partial f}{\partial x}(x_0, y_0) = 0$, i.e. $p'(x_0) = 0$. Hence $x_0$ is a multiple root of $p(x)$.

Finally, $f(x, y) = y^2 - p(x)$ describes a non-singular curve if and only if $p(x)$ has no multiple roots. As already seen in Proposition 6.1.1, we can prove that $p(x)$ has no multiple root by considering its discriminant $D(p)$. This can be computed using the Formula 5.1 for a cubic polynomial.

Actually, the discriminant of the polynomial $p$ gives information about several geometric properties of the curve given by $y^2 = p(x)$. For example, we have the following:

(i) if $D(p) = 0$ the curve is singular; this is the only case in which it is not an elliptic curve;

(ii) if $D(p) > 0$ the polynomial $p(x)$ has three real zeros and the elliptic curve has two components;

(iii) if $D(p) < 0$ the polynomial $p(x)$ has one real zero and a pair of complex conjugate roots. In this case the elliptic curve has a unique component.

For more explicit formulas giving the roots of a cubic polynomial we referthe reader to [22].

Example 7.1.14. For example we can consider the two elliptic curves given in Figure 7.1. These illustrate the cases (ii) and (iii).

Figure 7.1: Example of some elliptic curves.

On the left we have the curve given by the equation $y^2 = x^3 - x$, which has three real zeros and two components. On the right the curve $y^2 = x^3 + x$ has only one real zero and we see that it is represented by a unique component.

Other geometric properties that are characteristic of an elliptic curve can be found in detail in [20].

7.1.5 Points at infinity

The next step is to find the points at infinity of the Weierstrass homogeneous equation

$$Y^2 Z = X^3 + aX^2 Z + bXZ^2 + cXZ^2 + dZ^3. \qquad (7.2)$$

We have already seen that points at infinity are given by $Z = 0$. In this case we obtain the equation $X^3 = 0$, which has the unique solution $X = 0$. Hence the unique point at infinity is $[0 : 1 : 0]$, with multiplicity 3. Moreover, this is a rational point of the elliptic curve $E$ defined by the Weierstrass equation 7.2. This is the reason why we fix it as base rational point (see Remark 7.1.13).

7.1.6 Points of intersection between an elliptic curve and a straight line

In this section we explain why every straight line of the projective plane $\mathbb{P}^2(\overline{K})$ intersects $E$ in exactly three points counting multiplicity. Indeed, a line on the projective plane is given by the equation $D_{rst} : rX + sY + tZ = 0$. If $r = s = 0$, we obtain the line at infinity $Z = 0$ considered above, which intersects the curve at the point $O$ with multiplicity 3. Suppose $r$ and $s$ are not both zero. Then the line $D_{rst}$ corresponds in the Euclidean plane to the straight line $rx + sy + t = 0$. If $s \neq 0$ we can equivalently write this equation as $y = -\frac{r}{s}x - \frac{t}{s} = r'x + t'$; therefore the intersection points between $D_{rst}$ and $E$ are given by the cubic equation

$$(r'x + t')^2 - x^3 - ax^2 - bx - c = 0,$$

which always has 3 solutions in $\overline{K}$. Moreover, note that $[0 : 1 : 0]$ is not a solution of $rX + sY + tZ = 0$ whenever $s \neq 0$. Finally suppose $s = 0$. Then we get the equation $rX + tZ = 0$, which in the Euclidean plane corresponds to the straight line $x = -\frac{t}{r} = k$. This line has only two intersection points with the curve in the Euclidean plane, which are given by the quadratic equation

$$y^2 - k^3 - ak^2 - bk - c = 0.$$


The third point of intersection should be the point at infinity of the projective plane, which one can check easily. Indeed, $O = [0 : 1 : 0]$ is a solution of the equation $rX + tZ = 0$.

We then consider the intersection between a straight line passing through two given points and the elliptic curve $E$. Once two points on a straight line are given, the line is uniquely defined. Consider two points $P_1 = (x_1, y_1), P_2 = (x_2, y_2) \in E$. To simplify, we first consider the case with $x_1 \neq x_2$ and $y_1 \neq y_2$. The line is defined by the equation $rx + t = y$, where $r, t$ must satisfy the two following conditions

$$rx_1 + t = y_1 \quad \text{and} \quad rx_2 + t = y_2.$$

Hence

$$r = \frac{y_1 - y_2}{x_1 - x_2} \quad \text{and} \quad t = y_1 - rx_1. \qquad (7.3)$$

Notice that if $P_1, P_2$ are rational points, then $r, t$ lie in $K$ as well. The third point of intersection in this case is given by the third root of the equation

$$(rx + t)^2 - x^3 - ax^2 - bx - c = 0. \qquad (7.4)$$

Note that if $P_1, P_2$ are rational points, then Equation 7.4 has coefficients in $K$ and two roots in $K$. Thus the third point of intersection is also a rational point because the polynomial $(rx + t)^2 - x^3 - ax^2 - bx - c$ is completely reducible in $K$.

7.1.7 The group structure of an elliptic curve

In this subsection we define the structure of abelian group on the elliptic curve $E$. Define $P_1 * P_2$ as the third point of intersection of the curve $E$ and the straight line defined by $P_1$ and $P_2$. We clearly have $P_1 * P_2 = P_2 * P_1$. We define the operation $+$ on the set of rational points as follows for $P_1, P_2 \in E(K)$:

$$P_1 + P_2 = (P_1 * P_2) * O.$$

This means that we first draw the straight line passing through $P_1$ and $P_2$ and we find the third intersection point $P_1 * P_2$ on $E$. Then we repeat the operation and we draw the line between $P_1 * P_2$ and $O$.

Notice that $O$ is the point at infinity on the projective plane and we have seen that it is the third point of intersection on any vertical line $x = k$, for $k \in K$. Therefore if $P_1 * P_2 = (x_3, y_3) \in K^2$, we will draw the line $x = x_3$ and the second intersection of $E$ and this line is $P_1 + P_2$. We have already seen that if $P_1$ and $P_2$ are rational points, then $P_1 * P_2 \in E(K)$. As $O$ is also a rational point, $P_1 + P_2 \in E(K)$ as well. In Figure 7.2 a graphic illustration of this sum is given.

Figure 7.2: Example: sum of points on an elliptic curve (Image generated with [27])

Actually, this composition law $+$ provides the set $E(\overline{K})$ with the structure of an abelian group whose identity element is $O$. Moreover the set of rational points $E(K)$ is a subgroup of this structure. The proof of this is quite easy, except for the associativity, which needs the Riemann-Roch theorem (see [20], Section 3.2, Proposition 2.2).

The inverse element $-P$ of $P = (x, y)$ is its reflection $-P = (x, -y)$. In order to verify this property, we first describe the third intersection point $P_1 * P_2$ in the cases that have been omitted before.

• Suppose $P_1 = (x_1, y_1)$, $P_2 = (x_1, y_2)$. Then $P_1$ and $P_2$ are on a vertical line defined by $x = x_1$ and the third intersection point between the line and the curve is the point at infinity of the projective plane, i.e. $P_1 * P_2 = O$.

• Suppose $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_1)$. Then $P_1, P_2$ define the horizontal line $y = y_1$. The rest of the construction holds in this case as well. In particular, the point $P_1 * P_2$ is the third zero of the equation

$$y_1^2 - x^3 - ax^2 - bx - c = 0.$$


• Finally suppose $P_1 = P_2 = P$. Then the line passing through $P$ and $P$ is the tangent line to the curve $E$ at the point $P$, which is given by Equation 7.1. Then the point $P_1 * P_2 = P_1 * P_1$ is on the straight line whose slope is $(\partial f/\partial x)/(\partial f/\partial y) = (-3x_1^2 - 2ax_1 - b)/2y_1$, passing through $P_1$ and cutting $E$ in a second point that can be computed using the equation of the curve. Note that as the line is tangent to the curve at $P$, we count this point of intersection twice. It could also happen that $P_2$ is on the tangent line of $E$ at $P_1$. In this case we will have $P_1 * P_2 = P_1$.

Now, let $P$ and $-P$ be as defined above. Then $P * -P = O$. Indeed, we have already seen that $O$ is a zero of multiplicity 3 of the homogeneous equation defining the curve in the projective plane. Hence $P + (-P) = O * O = O$. For a more detailed explanation of the multiplicity of a point over a projective hypersurface we refer the reader to ([21], Appendix) or to [20]. In particular, this concept is important to understand intersections between projective hypersurfaces. We can also verify that $P + O = P$. Indeed, by definition, $-P$ is on the vertical line of $P$. Hence $P * O = -P$ and $P + O = -P * O = P$.

For our purpose we do not need a more detailed description of the operation $+$ over $E(K)$ and we will admit that this operation is associative. Hence the arguments above prove the next result.

Theorem 7.1.15. Consider an elliptic curve $E$ defined by the equation

$$y^2 = x^3 + ax^2 + bx + c,$$

with $a, b, c \in K$, together with the rational point $O = [0 : 1 : 0]$. Consider the operation $+$ on $E(K)$ defined as above. Then $(E(K), +)$ is an abelian group. In particular we have:

• $O$ is the identity element;

• $P + Q = Q + P$, for every $P, Q \in E(K)$;

• for every $P = (x, y) \in E(K)$ we have $P + (-P) = O$, with $-P = (x, -y)$.

The sum $+$ is also defined more generally for any points $P, Q$ of an elliptic curve $E$, hence $(E(\overline{K}), +)$ is also an abelian group and $(E(K), +)$ is then in particular a subgroup of $(E(\overline{K}), +)$.


Example 7.1.16. In this example we compute a more explicit formula for $P + Q$ with $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ with $x_1 \neq x_2$ and $y_1 \neq y_2$. Using Equation 7.4 we find that $P + Q = (x_3, y_3)$ must satisfy the equation

$$(rx + t)^2 - x^3 - ax^2 - bx - c = (x - x_1)(x - x_2)(x - x_3) = 0, \qquad (7.5)$$

where $r, t$ are functions in the variables $x_1, y_1, x_2, y_2$ (see Equation 7.3). Comparing the coefficients of $x^2$ in equality 7.5, we obtain the formula $x_3 = r^2 - a - x_1 - x_2$. Moreover, $y_3$ is on the vertical line $x = x_3$ and is the ordinate of the opposite of the point on the straight line passing through $P$ and $Q$. Hence $y_3$ is given by $y_3 = r(x_1 - x_3) - y_1$.

Remark 7.1.17. Notice that the formula 7.5 depends on the Weierstrass form. One can prove that applying linear transformations on the variables of the form $x' = r_1 x + r_2$ and $y' = s_1 y + s_2 x + s_3$, with $r_1, r_2, s_1, s_2, s_3 \in K$, the group structure is preserved. But in this case the explicit formula for the coordinates needs to be computed again. For example, if the coefficient of $x^3$ is $d \neq 1$, then the constant term $d$ must also appear on the right side of the equality 7.5.

7.1.8 The group of rational points of an elliptic curve

When $K$ is a number field and $E$ an elliptic curve over $K$, there are two important results related to the structure of the group $(E(K), +)$.

Theorem 7.1.18 (Mordell-Weil). Let $K$ be a number field and $E$ an elliptic curve over $K$. The group $E(K)$ of rational points is a finitely generated abelian group.

In particular, using this result and the classification of finitely generated abelian groups for $K = \mathbb{Q}$ we have

$$E(\mathbb{Q}) = \mathbb{Z}^{r_E} \oplus E(\mathbb{Q})_{\mathrm{tors}},$$

where $\mathbb{Z}^{r_E}$ is a free group of rank $r_E$ and $E(\mathbb{Q})_{\mathrm{tors}}$ is the torsion subgroup of $E(\mathbb{Q})$ containing all elements of finite order. The free group $\mathbb{Z}^{r_E}$ is mysterious and there are not many results on the rank $r_E$. On the contrary, the structure of $E(\mathbb{Q})_{\mathrm{tors}}$ is known. Hereafter we present the result of Mazur, which gives a list of all possibilities for the torsion subgroup $E(\mathbb{Q})_{\mathrm{tors}}$.

Theorem 7.1.19 (Mazur). The subgroup $E(\mathbb{Q})_{\mathrm{tors}}$ of the group of rational points of the elliptic curve $E$ has one of the two following forms:

(i) a cyclic group of order $1 \leq N \leq 10$ or $N = 12$;

(ii) the direct product of a cyclic group of order 2 and a cyclic group of order $2N$, with $1 \leq N \leq 4$.

We refer the reader to ([20], Chapter 8, Theorem 6.7 and Theorem 7.5) for a proof of these two results.

Figure 7.3: Example: sum of points on the curve $y^2 = x^3 + x + 2$.

Example 7.1.20. The structure of the group $E(\mathbb{Q})$ is not easy to compute; nevertheless the software SAGE and PARI/GP have commands to completely compute the torsion subgroup and the rank of the free group in certain cases. For example, consider the elliptic curve $E$ defined by $y^2 = x^3 + x + 2$. Clearly $P = (1, 2)$ is a rational point in $E(K)$ and one can compute $P + P = 2P$, $3P$ and find out that $4P = O$ (see Figure 7.3). Hence $P \in E(\mathbb{Q})_{\mathrm{tors}}$. But it is more difficult to completely determine the structure of the group $E(\mathbb{Q})$. Using SAGE we obtain that $E(\mathbb{Q}) \cong C_4$ with generator $(1, 2)$ (see Appendix A).
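The group law of Section 7.1.7 and the computation $4P = O$ of Example 7.1.20 can be reproduced with exact rational arithmetic. The Python code below is an added example, not code from the thesis or its Appendix A: the class and method names are chosen here, the chord formulas are those of Example 7.1.16, the discriminant is the standard formula for a monic cubic, and the bound 12 in `order` comes from Theorem 7.1.19.

```python
from fractions import Fraction

O = None  # the point at infinity [0 : 1 : 0], identity element of the group


class WeierstrassCurve:
    """y^2 = x^3 + a x^2 + b x + c over Q (the form of Definition 7.1.12)."""

    def __init__(self, a, b, c):
        self.a, self.b, self.c = Fraction(a), Fraction(b), Fraction(c)
        if self.discriminant() == 0:
            # p(x) has a multiple root, so the curve has a singular point.
            raise ValueError("singular curve: p(x) has a multiple root")

    def discriminant(self):
        """Discriminant D(p) of p(x) = x^3 + a x^2 + b x + c."""
        a, b, c = self.a, self.b, self.c
        return a*a*b*b - 4*b**3 - 4*a**3*c - 27*c*c + 18*a*b*c

    def contains(self, P):
        if P is O:
            return True
        x, y = P
        return y*y == x**3 + self.a*x*x + self.b*x + self.c

    def point(self, x, y):
        """Build an affine rational point, refusing points off the curve."""
        P = (Fraction(x), Fraction(y))
        if not self.contains(P):
            raise ValueError(f"{P} is not on the curve")
        return P

    @staticmethod
    def neg(P):
        """-P is the reflection of P in the x-axis."""
        return O if P is O else (P[0], -P[1])

    def add(self, P, Q):
        """P + Q = (P * Q) * O; points must come from point() or be O."""
        if P is O:
            return Q
        if Q is O:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and y1 == -y2:
            # Vertical line x = x1 (also the tangent at a point with y = 0):
            # the third intersection is O, and O * O = O.
            return O
        if P == Q:
            r = (3*x1*x1 + 2*self.a*x1 + self.b) / (2*y1)  # tangent slope p'(x1)/(2 y1)
        else:
            r = (y1 - y2) / (x1 - x2)                      # chord slope, Equation 7.3
        x3 = r*r - self.a - x1 - x2                        # from the x^2 coefficient in 7.5
        y3 = r*(x1 - x3) - y1                              # reflect the third point
        return (x3, y3)

    def mul(self, n, P):
        """[n]P for n >= 0 by double-and-add."""
        R = O
        while n > 0:
            if n & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            n >>= 1
        return R

    def order(self, P, bound=12):
        """Order of P if P is a torsion point of E(Q), else None.

        By Mazur's theorem every torsion point of E(Q) has order at most 12,
        so checking the multiples up to [12]P is enough.
        """
        Q = P
        for k in range(1, bound + 1):
            if Q is O:
                return k
            Q = self.add(Q, P)
        return None


if __name__ == "__main__":
    E = WeierstrassCurve(0, 1, 2)          # y^2 = x^3 + x + 2 (Example 7.1.20)
    P = E.point(1, 2)
    for n in range(1, 5):
        print(n, E.mul(n, P))
    print("order of P:", E.order(P))
    # Constructed sample input: (3, 5) on y^2 = x^3 - 2 has infinite order.
    F = WeierstrassCurve(0, 0, -2)
    print("order of (3, 5):", F.order(F.point(3, 5)))
```

The signs of the discriminants of $x^3 - x$ and $x^3 + x$ returned by `discriminant()` match cases (ii) and (iii) of Section 7.1.4.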

7.2 Construction of GL2(Z/pZ) as a Galois group

In this section we want to see how elliptic curves are related to Galois groups. Let $K$ be a number field, i.e. a finite extension of $\mathbb{Q}$ with $[K : \mathbb{Q}] = n$. First, by Proposition 1.1.4 there exists an element $x \in K$ such that $K = \mathbb{Q}(x)$. In particular, if $m_x(t)$ is the minimal polynomial of $x$ over $\mathbb{Q}$, then we have $\mathbb{Q}(x) \cong \mathbb{Q}[t]/\langle m_x(t) \rangle$ (see Proposition 1.2.5). Therefore, we can construct exactly $n$ field homomorphisms $\sigma_i : K \to \mathbb{C}$ mapping $x$ to a root $x_i$ of $m_x$, for $i = 1, \ldots, n$. These maps are distinct, because the $x_i$ are distinct from each other. Indeed, if $m_x(t)$ had a multiple root, say $x_i$, then $m_x'(x_i) = 0$ and $x_i$ would be annihilated by a polynomial of smaller degree than $m_x$. This contradicts the fact that $m_x$ is also the minimal polynomial of $x_i$ over $\mathbb{Q}$, because it is monic and irreducible. Thus $m_x(t)$ has no multiple root. Moreover $\mathbb{Q}(x) \cong \mathbb{Q}[t]/\langle m_x(t) \rangle$ and this isomorphism is given by the First Theorem of isomorphism mapping $p(t) \in \mathbb{Q}[t]$ to $p(x)$. Hence every element of $\mathbb{Q}(x)$ can be expressed as $a_0 + a_1 x + \cdots + a_{d-1} x^{d-1}$, with $d = \deg(m_x(t))$ and $a_0, a_1, \ldots, a_{d-1} \in \mathbb{Q}$, and using that $m_x(x_i) = 0$ it is easy to prove that mapping $x$ to $x_i$ we obtain a field homomorphism. In particular, we have the field isomorphisms

$$\mathbb{Q}(x) \cong \mathbb{Q}[t]/\langle m_x(t) \rangle \cong \mathbb{Q}(x_i) \subseteq \mathbb{C},$$

for every root $x_i$ of $m_x(t)$. With the same notation as above we can state the following result.

Proposition 7.2.1. The extension $K/\mathbb{Q}$ is a Galois extension if and only if all the field homomorphisms $\sigma_i$ with $i \in \{1, \ldots, n\}$ are automorphisms of $K$.

Proof. Suppose $K/\mathbb{Q}$ is a Galois extension. Then by the Fundamental Theorem 1.6.6 and Theorem 1.6.4 we know that $|\mathrm{Gal}(L/\mathbb{Q})| = n$. Hence the property is satisfied. Conversely suppose $K/\mathbb{Q}$ is an algebraic extension with $n$ $\mathbb{Q}$-automorphisms. Denote by $\Sigma$ the set of $\mathbb{Q}$-automorphisms of $K$. We conclude using Theorem 1.6.4. Suppose $F = \mathrm{Fix}(\Sigma) \neq \mathbb{Q}$. Then by the theorem $[K : F] = |\Sigma| = n$. Hence $[K : F] = [K : \mathbb{Q}]$ and $F = \mathbb{Q}$, because clearly $\mathbb{Q} \subseteq F$. This proves the proposition.

Note that in particular, if $K/\mathbb{Q}$ is a Galois extension, then $K$ is the splitting field of $m_x(t)$ over $\mathbb{Q}$.

7.2.1 Automorphisms of the points of an elliptic curve

Consider an algebraic field extension $K$ of $\mathbb{Q}$ and an elliptic curve $E$. Let $\sigma : K \to \mathbb{C}$ be a field homomorphism. We can define a map on $E(K)$ by

$$E(K) \longrightarrow E(K), \qquad P = (x, y) \mapsto \sigma(P) = (\sigma(x), \sigma(y)).$$

Considering homogeneous coordinates, this definition corresponds to $\sigma([x_0 : x_1 : x_2]) = [\sigma(x_0) : \sigma(x_1) : \sigma(x_2)]$. It is easy to verify that this map is well-defined on the equivalence classes defining $\mathbb{P}^2(K)$ and that $\sigma(O) = O$. In the next proposition we prove some properties of this map.

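Proposition 7.2.2. Let $E$ be an elliptic curve defined by the Weierstrass equation $y^2 = x^3 + ax^2 + bx + c$ with $a, b, c \in \mathbb{Q}$ and let $K/\mathbb{Q}$ be a finite algebraic extension.

(i) Let $\sigma : K \to \mathbb{C}$ be a field homomorphism and let $P \in E(K)$. Define

$$\sigma(P) = \begin{cases} (\sigma(x), \sigma(y)), & \text{if } P = (x, y) \\ O, & \text{if } P = O \end{cases}$$

Then $\sigma(P) \in E(K)$.

(ii) Let $\sigma : K \to \mathbb{C}$ be a field homomorphism and let $P, Q$ be two points in $E(K)$. Then:

$$\sigma(P + Q) = \sigma(P) + \sigma(Q) \quad \text{and} \quad \sigma(-P) = -\sigma(P).$$

(iii) Moreover, if $K/\mathbb{Q}$ is a Galois extension, then $\sigma(P) \in E(K)$ for all $P \in E(K)$ and $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$. Moreover, for all $\sigma, \tau \in \mathrm{Gal}(K/\mathbb{Q})$ we have $(\sigma\tau)(P) = \sigma(\tau(P))$.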

Proof. (i) We have already seen that $\sigma(O) = O$ using homogeneous coordinates. Consider a point $P = (x, y) \in E(K)$; then using the definition of $E$ we have that $y^2 - x^3 - ax^2 - bx - c = 0$. Hence applying $\sigma$ to both sides of the equality and using the fact that $\sigma$ is a homomorphism of fields, we get:

$$\sigma(y^2 - x^3 - ax^2 - bx - c) = 0 \Rightarrow \sigma(y)^2 = \sigma(x)^3 + a\sigma(x)^2 + b\sigma(x) + c,$$

because $a, b, c \in \mathbb{Q}$. It follows that $\sigma(P) = (\sigma(x), \sigma(y)) \in E$.

(ii) First, recall that if $P, Q$ are rational points over $K$, then the line passing through $P$ and $Q$ is rational. Hence $P * Q$ and $P + Q$ are also rational points over $K$. Therefore the proof of this property is similar to the proof of (i), using the fact that $\sigma$ is the identity on $\mathbb{Q}$ and that the coordinates of $P + Q$ can be given by equations with coefficients in $\mathbb{Q}$. For example, if $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ with $x_1 \neq x_2$ and $y_1 \neq y_2$, we can use the explicit formulas given in Example 7.1.16. First, since $P$ and $Q$ are rational points, the slope of the straight line passing through these two points is $r = \frac{y_1 - y_2}{x_1 - x_2} \in K$. Hence $\sigma(r)$ is well defined and we can develop this term as follows. Using the fact that $\sigma$ is a $\mathbb{Q}$-homomorphism we have:

$$\sigma(x_3) = \left(\frac{\sigma(y_1) - \sigma(y_2)}{\sigma(x_1) - \sigma(x_2)}\right)^2 - a - \sigma(x_1) - \sigma(x_2)$$

$$\text{and} \quad \sigma(y_3) = \left(\frac{\sigma(y_1) - \sigma(y_2)}{\sigma(x_1) - \sigma(x_2)}\right)(\sigma(x_1) - \sigma(x_3)) - \sigma(y_1).$$

Hence $\sigma(P + Q) = (\sigma(x_3), \sigma(y_3)) = (\sigma(x_1), \sigma(y_1)) + (\sigma(x_2), \sigma(y_2)) = \sigma(P) + \sigma(Q)$. Similarly we have

$$\sigma(-P) = (\sigma(x_1), \sigma(-y_1)) = (\sigma(x_1), -\sigma(y_1)) = -\sigma(P).$$

(iii) Suppose, moreover, that $K/\mathbb{Q}$ is a Galois extension. Then every field homomorphism $\sigma : K \to \mathbb{C}$ is an automorphism. Thus $\sigma(x), \sigma(y) \in K$ and $\sigma(P) \in E(K)$. The reader can easily verify the property on composition of automorphisms.

In the general case, this result ensures that $\sigma(P)$ is a point on the elliptic curve and that $\sigma$ preserves the group structure defined by the group law $+$ on $E(K)$. In particular, if $K/\mathbb{Q}$ is a Galois extension, any $\mathbb{Q}$-automorphism $\sigma$ of $K$ defined as above on the set of points $E(K)$ is a group automorphism of $(E(K), +)$.

7.2.2 Points of order dividing n

We fix a positive integer $n \in \mathbb{N}$. We want to study the set of points of $E(\mathbb{C})$ that are of order dividing $n$. Denote by $[n]$ the multiplication-by-$n$ map that sends $P$ to $[n]P$, where $[n]P$ denotes the sum of $n$ times $P$. Note that the map $[n]$ is well-defined over $E(\mathbb{C})$ by Theorem 7.1.15.

Definition 7.2.3 (Points of order dividing n). Let $P \in E(\mathbb{C})$. We say that $P$ is a point of order dividing $n$ if $P \in \mathrm{Ker}([n])$, i.e. if $[n]P = O$. We denote by $E[n]$ the set of points of order dividing $n$, i.e. $\mathrm{Ker}([n]) = E[n]$.

To understand the structure of the group $E[n]$ we first study the structure of the group $E(\mathbb{C})$ using the Weierstrass function.


Definition 7.2.4 (Lattice). Let $\omega_1, \omega_2$ be $\mathbb{R}$-linearly independent complex numbers. The lattice defined by $\omega_1, \omega_2$ is the set:

$$\Lambda = \{a_1 \omega_1 + a_2 \omega_2 \mid a_1, a_2 \in \mathbb{Z}\}.$$

It is a free $\mathbb{Z}$-module of $\mathbb{C}$ of rank 2. We say that $\omega_1, \omega_2$ are two generators of $\Lambda$.

Remark 7.2.5. Notice that $\{\omega_1, \omega_2\}$ is a basis for the lattice as a $\mathbb{Z}$-module. Any element of $\Lambda$ can be expressed as $a_1 \omega_1 + a_2 \omega_2$, with $a_1, a_2 \in \mathbb{Z}$, in a unique way. The $\mathbb{R}$-linear independence of $\omega_1$ and $\omega_2$ guarantees that for any $r_1, r_2 \in \mathbb{R}$, if $r_1 \omega_1 + r_2 \omega_2 = 0$, then $r_1 = r_2 = 0$. The basis is not unique, but the results given are independent of the choice of the basis.

The Weierstrass function is defined for a given lattice $\Lambda$ as follows.

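Definition 7.2.6 (Weierstrass function). Let $\Lambda$ be a lattice. For any $z \in \mathbb{C}$ the Weierstrass function $\wp$ is defined by

$$\wp(z) = \frac{1}{z^2} + \sum_{\omega \in \Lambda, \omega \neq 0} \left(\frac{1}{(z - \omega)^2} - \frac{1}{\omega^2}\right).$$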

The next result shows that for any elliptic curve $E$, we can define a lattice $\Lambda$ such that $\mathbb{C}/\Lambda \cong E(\mathbb{C})$. For more details on this correspondence, we refer the reader to Appendix B of this report.

Theorem 7.2.7. Let $E$ be an elliptic curve. There exists a lattice $\Lambda$ such that $\mathbb{C}/\Lambda \cong E(\mathbb{C})$. In particular, the group isomorphism is given by the map

$$z \mapsto (\wp(z), \wp'(z)).$$

Remark 7.2.8. One can prove that the isomorphism given is actually an isomorphism of Riemannian surfaces.

Moreover, the converse result is also true. Indeed, we have:

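Theorem 7.2.9. Let $\Lambda$ be a lattice. Define $\gamma_4 = \sum_{\omega \in \Lambda, \omega \neq 0} \omega^{-4}$ and $\gamma_6 = \sum_{\omega \in \Lambda, \omega \neq 0} \omega^{-6}$. Consider the elliptic curve $E_\Lambda$ defined by the equation

$$y^2 = 4x^3 - 60\gamma_4 x - 140\gamma_6.$$

Then the map

$$z \mapsto (\wp(z), \wp'(z))$$

defines an isomorphism of groups $\mathbb{C}/\Lambda \cong E_\Lambda(\mathbb{C})$.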


In general, the correspondence between an elliptic curve $E_\Lambda$ and the corresponding lattice $\Lambda$ is difficult to make explicit. Replacing $x$ by $x - a/3$ in the equation $y^2 = x^3 + ax^2 + bx + c$ defining the elliptic curve $E_\Lambda$ and then again $x$ by $4x$ and $y$ by $4y$, we obtain the equivalent equation $y^2 = 4x^3 + 4(b - \frac{a^2}{3})x + (\frac{2a^3}{27} - \frac{ab}{3} + c)$. This means that there exists a lattice $\Lambda$ such that

$$4\left(b - \frac{a^2}{3}\right) = -60\gamma_4 \quad \text{and} \quad \left(\frac{2a^3}{27} - \frac{ab}{3} + c\right) = -140\gamma_6,$$

where $\gamma_k = \sum_{\omega \in \Lambda} \omega^{-k}$. A basis for the lattice can be computed by evaluating certain integrals which are studied in the Weierstrass theory of elliptic curves but are beyond the scope of this report. For more details on this theory we refer the reader to ([25], Section 9.4).

Fix an elliptic curve $E$ and write $\Lambda$ for the associated lattice. Through the isomorphism $E(\mathbb{C}) \cong \mathbb{C}/\Lambda$, we are now going to study the structure of the group $E[n]$ of points of order dividing $n$.

Proposition 7.2.10. The group $E[n]$ is isomorphic to the direct sum of two cyclic groups of order $n$:

$$E[n] \cong \mathbb{Z}/n\mathbb{Z} \oplus \mathbb{Z}/n\mathbb{Z}.$$

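Proof. Denote by $\{\omega_1, \omega_2\}$ a basis of the lattice $\Lambda$ satisfying the isomorphism $E(\mathbb{C}) \cong \mathbb{C}/\Lambda$. Then we can consider $E[n]$ as a subgroup of $\mathbb{C}/\Lambda$. Any element of $E[n]$ can thus be expressed as $z = b_1 \omega_1 + b_2 \omega_2$ and $[n]z = nb_1 \omega_1 + nb_2 \omega_2$. The isomorphism $\mathbb{Z}/n\mathbb{Z} \oplus \mathbb{Z}/n\mathbb{Z} \cong E[n]$ is then given by the map:

$$\rho : \mathbb{Z}/n\mathbb{Z} \oplus \mathbb{Z}/n\mathbb{Z} \longrightarrow E[n], \qquad (a_1, a_2) \mapsto \frac{a_1}{n}\omega_1 + \frac{a_2}{n}\omega_2,$$

with $a_1, a_2 \in \{0, \ldots, n - 1\}$. Clearly this map is well-defined. Indeed, for any $(a_1, a_2) \in \mathbb{Z}/n\mathbb{Z} \oplus \mathbb{Z}/n\mathbb{Z}$ we have $[n](\frac{a_1}{n}\omega_1 + \frac{a_2}{n}\omega_2) = O$, because $a_1, a_2 \in \mathbb{Z}$. Thus these elements are mapped into $E[n]$. Moreover, any element $z \in \mathbb{C}/\Lambda$ is congruent modulo $\Lambda$ to an element in the fundamental domain $D = \{b_1 \omega_1 + b_2 \omega_2 \mid b_1, b_2 \in [0, 1[\}$ of $\Lambda$. Suppose $z = b_1 \omega_1 + b_2 \omega_2 \in D$ is of order dividing $n$; then we have $[n]z = O$. Hence $nb_1, nb_2 \in \mathbb{Z}$ and since $b_1, b_2 < 1$ we have $nb_1, nb_2 \in \{0, \ldots, n - 1\}$ and $\rho((nb_1, nb_2)) = b_1 \omega_1 + b_2 \omega_2$. This proves that the map is onto and it is easy to see that it is also a one-to-one homomorphism.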

Remark 7.2.11. In particular this means that $E[n]$ is generated by two points $P_1, P_2$ and that for any $P \in E[n]$ there exist $a_1, a_2 \in \mathbb{Z}/n\mathbb{Z}$ such that $P = a_1 P_1 + a_2 P_2$. Precisely, $P_1$ and $P_2$ are the images of some generators of $\mathbb{Z}/n\mathbb{Z} \oplus \mathbb{Z}/n\mathbb{Z}$.


7.2.3 The Galois extensions Q(E[n])/Q

The groups $E[n]$, $n \geq 1$, are useful to construct Galois extensions over $\mathbb{Q}$. This is the content of the next proposition.

Proposition 7.2.12. Let $E$ be an elliptic curve defined by the Weierstrass equation $y^2 = x^3 + ax^2 + bx + c$, with $a, b, c \in \mathbb{Q}$. Then:

(i) Let $P = (x, y) \in E$ be a point of order $n \in \mathbb{N}$. The coordinates $x, y$ are algebraic over $\mathbb{Q}$.

(ii) Write $E[n] = \{O, (x_1, y_1), \ldots, (x_m, y_m)\}$, with $m = n^2 - 1$. Let

$$K = \mathbb{Q}(x_1, y_1, x_2, \ldots, x_m, y_m)$$

be the extension of $\mathbb{Q}$ generated by the coordinates $x_i$ and $y_i$ with $i \in \{1, \ldots, m\}$. Then $K/\mathbb{Q}$ is a Galois extension of $\mathbb{Q}$.

Proof. (i) Here is a sketch of a direct proof. The arguments are not complicated, but the computations are quite tedious. First, as there is a group structure on the set of points of $E$, we know that the multiplication-by-$n$ map is a group homomorphism of $E(\mathbb{C})$. Replacing $x$ by $x - a/3$ in the Weierstrass equation of $E$, we find an equivalent equation of the type $y^2 = x^3 + Ax + B$. Consider a point of the curve $P = (x, y)$. The point $2P = (x_2, y_2)$ has $x$-coordinate $x_2 = \lambda^2 - 2x$ and $y$-coordinate $y_2 = \lambda(x - x_2) - y$, where $\lambda$ is the slope of the tangent to $E$ at $P$ and is a rational function of $x$ and $y$. Denote by $x_n$ and $y_n$ the coordinates of $[n]P$. When repeating recursively the previous computations for $2P, 3P, 4P, \ldots$ using the formula given in Example 7.1.16 we prove the existence of polynomials $\Phi_n, \Psi_n$ such that

$$x_n = \frac{\Phi_n(x, y)}{\Psi_n(x, y)^2}.$$

In particular, one can show the following relations:

$$\Psi_1 = 1, \quad \Psi_2 = 2y, \quad \Psi_3 = 3x^4 + 6Ax^2 + 12Bx - A^2,$$

$$\Psi_4 = 4y(x^6 + 5Ax^4 + 20Bx^3 - 5A^2 x^2 - 4ABx - 8B^2 - A^3),$$

$$\Psi_{2m+1} = \Psi_{m+2}\Psi_m^3 - \Psi_{m-1}\Psi_{m+1}^3, \quad \text{for } m \geq 2,$$

$$2y\Psi_{2m} = \Psi_m(\Psi_{m+2}\Psi_{m-1}^2 - \Psi_{m-2}\Psi_{m+1}^2), \quad \text{for } m \geq 3.$$

Moreover, the polynomials $\Phi_m$ can be defined recursively from the polynomials $\Psi_m$:

$$\Phi_m = x\Psi_m^2 - \Psi_{m+1}\Psi_{m-1}, \quad \text{for } m \geq 2.$$


A more detailed study of these polynomials will be given in the next subsection.

Next, write $R(x, y) = \Phi_n(x, y)/\Psi_n(x, y)^2$. According to the equation defining the elliptic curve $E$, we can replace $y^2$ by $x^3 + Ax + B$. Hence $R(x, y)$ is of the form

$$R(x, y) = \frac{q_1(x) + q_2(x)y}{r_1(x) + r_2(x)y},$$

for some polynomial functions $q_1, q_2, r_1, r_2$ in $x$. Multiplying by $(r_1(x) - r_2(x)y)/(r_1(x) - r_2(x)y)$, the denominator will depend only on $y^2$, which can be replaced by $x^3 + Ax + B$. Hence $R(x, y)$ is of the form

$$x_P = \frac{p_1(x) + p_2(x)y}{s(x)} = \frac{\Phi_n(x, y)}{\Psi_n(x, y)^2},$$

for some polynomial functions $p_1, p_2, s$ in $x$. Note that $x_P = x_{-P}$. This means that

$$\frac{\Phi_n(x, y)}{\Psi_n(x, y)^2} = \frac{\Phi_n(x, -y)}{\Psi_n(x, -y)^2} \Rightarrow p_2(x) = 0.$$

Then the rational fraction $R(x, y)$ depends only on $x$. One can also prove recursively that $\Phi_n(x, y)$ does not depend on $y$. Hence we can express $\Psi_n^2$ and $\Phi_n$ as polynomials in $x$ only. Moreover, it can be shown that $\Psi_n$ and $\Phi_n$ are coprime polynomials in $\mathbb{Z}[x]$ (see [25], Section 3.2). Now, by definition a point of order dividing $n$ is such that $[n]P = O$. In particular, this means that the rational function $R(x) = \Phi/\Psi^2(x)$ is not defined. Thus $[n]P = O$ if and only if $\Psi_n^2(x) = 0$. Suppose $\Psi_n^2(x) = 0$; then as $\Psi_n$ and $\Phi_n$ are relatively prime, $x_n$ is not finite and neither is $y_n$, because $y_P^2 = x_P^3 + Ax_P + B$. On the contrary, suppose that $x_n = k$ is finite; then $y_n$ is also finite and $[n]P \neq O$.

In conclusion $x$ is algebraic over $\mathbb{Q}$, because it satisfies the algebraic equation $\Psi_n^2(x) = 0$. Then $y$ is also algebraic, because we have $y^2 - x^3 - Ax - B = 0$.

(ii) By (i) we know that $K$ is a finite algebraic extension of $\mathbb{Q}$. Consider a $\mathbb{Q}$-homomorphism $\sigma : K \to \mathbb{C}$. Using the definition of Galois extension given at the beginning of this section, we know that there are $[K : \mathbb{Q}]$ such homomorphisms and that $K/\mathbb{Q}$ is a Galois extension if and only if any such homomorphism is an automorphism. Any $\sigma$ is completely defined by the image of the coordinates $x_i$ and $y_i$, for $i = 1, \ldots, m$. Now, we can define $\sigma$ on $E(\mathbb{C})$ as in Proposition 7.2.2. Then, for any point $P_i = (x_i, y_i)$ of order dividing $n$, according to parts (i) and (iii) of the proposition we have:

$$[n]\sigma(P_i) = \sigma([n]P_i) = \sigma(O) = O.$$

Hence $\sigma(P_i)$ is also in $E[n]$. Therefore $\sigma(x_i), \sigma(y_i) \in K$ and $\sigma$ is an automorphism. This proves that $K/\mathbb{Q}$ is a Galois extension.

Remark 7.2.13. The sketch of the proof of part (i) is given as an exercise in ([20], Chapter III), but all the main steps are proved in ([25], Section 3.2).

Example 7.2.14. As an example we compute the points of order 2 of the elliptic curve $E$ defined by the equation $y^2 = x^3 + x$. The $x$-coordinate of points of order 2 on $E$ must satisfy the condition $\Psi_2(x, y)^2 = 0$, i.e. $4y^2 = 0$ and so $x^3 + x = 0$. Therefore we have

$$E[2] = \{O, (0, 0), (i, 0), (-i, 0)\}.$$

7.2.4 Division polynomials

The polynomials $\Psi_n$ defined in part (i) of the previous proof are called division polynomials and they are very useful to compute points of order dividing a given integer $n$, as suggested in the proof of Proposition 7.2.12. One can verify by induction that for an integer $n$ we have

$$\deg(\Psi_{2n}\,y) = \frac{n^2}{2} + 1 \quad\text{and}\quad \deg(\Psi_{2n+1}) = \frac{n^2 - 1}{2}. \tag{7.6}$$

Moreover, if $n$ is an odd integer, one can prove that $\Psi_n(x, y)$ is a polynomial in $x$ only. Hence to find the $x$-coordinates of points of order $n$, we can restrict ourselves to the study of the equation $\Psi_n(x) = 0$.

As already said in the previous proof, one can compute, by recursively using the formula for point addition, the general formula for the coordinates of the point $[n]P$ on an elliptic curve $E$. The computations needed are complicated and the use of a computer algebra system is suggested. For example, an implementation of the division polynomials $\Psi_n$ is given by Cremona and can be found in Appendix A. Using $\Psi_n$, one can then verify the formulas given in the proof of Proposition 7.2.12. For a less computational proof of these formulas, we refer the reader to [25]. Indeed, in Section 3.2 of [25], Washington presents a proof of the general formula for the coordinates of $[n]P$ using the Weierstrass function and precisely the isomorphism given in Theorem 7.2.7.

Example 7.2.15. Let $P = (x_P, y_P)$ be a point on the elliptic curve $E$ defined by the equation $y^2 = x^3 + Ax + B$, for some $A, B \in \mathbb{Q}$. As an example, we are looking for a criterion that characterizes points of order 3. This condition will be used further on to realize $GL_2(\mathbb{Z}/3\mathbb{Z})$ as a Galois group. We first compute $P + P = [2]P$. For this, we need to compute the tangent line to the curve at $P$. The equation of the tangent line is given by Equation 7.1 and in this case we have the following straight line:

$$(3x_P^2 + A)(x - x_P) + 2y_P(y - y_P) = 0 \Rightarrow y = -\frac{(A + 3x_P^2)x}{2y_P} + \frac{Ax_P + 3x_P^3 + 2y_P^2}{2y_P},$$

where we suppose $y_P \neq 0$, because if $y_P = 0$ then $P$ is a point of order 2.

Write $r_1 = -\frac{3x_P^2 + A}{2y_P}$ for the slope. Using the same construction as in Example 7.1.16 we find the coordinates of $[2]P$:

$$x_{2P} = r_1^2 - 2x_P \quad\text{and}\quad y_{2P} = r_1(x_P - x_{2P}) - y_P.$$

Next, we compute the coordinates of $[3]P$. In this case $x_P \neq x_{2P}$, so the slope of the straight line passing through $x_P$ and $x_{2P}$ is

$$r_2 = \frac{y_P - y_{2P}}{x_P - x_{2P}} = \frac{2y_P - r_1(x_P - x_{2P})}{x_P - x_{2P}}.$$

The $x$-coordinate of $[3]P$ is then given by $x_{3P} = r_2^2 - x_P - x_{2P}$ and $P$ is of order 3 if and only if this coordinate is not finite. Hence $P$ is of order 3 if and only if $r_2^2$ is not finite. This is the case if the denominator of $r_2^2$ is zero. Thus, the condition to have $P$ of order 3 is that $x_P - x_{2P} = 0$. This can be rewritten as:

$$\begin{aligned}
x_P - x_{2P} = 0 &\Leftrightarrow 3x_P - r_1^2 = 0 \Leftrightarrow \frac{12x_Py_P^2 - (3x_P^2 + A)^2}{4y_P^2} = 0 \\
&\Leftrightarrow 12x_P(x_P^3 + Ax_P + B) - 9x_P^4 - 6Ax_P^2 - A^2 = 0 \\
&\Leftrightarrow 3x_P^4 + 6Ax_P^2 + 12Bx_P - A^2 = 0.
\end{aligned}$$

This condition is equal to the condition given by division polynomials, i.e. $\Psi_3(x_P) = 0$.

7.2.5 Some Galois representation theory

For any positive integer $n$, write $\mathbb{Q}(E[n]) = \mathbb{Q}(x_1, y_1, \dots, x_m, y_m)$ for the field extension of $\mathbb{Q}$ generated by the coordinates of all points of order dividing $n$ different from $O$. According to Proposition 7.2.12, $\mathbb{Q}(E[n])/\mathbb{Q}$ is a Galois extension. In this subsection we study the structure of the Galois group $\mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q})$.

Theorem 7.2.16. Fix an integer $n \geq 2$. Let $E$ be an elliptic curve given by the Weierstrass equation $y^2 = x^3 + ax^2 + bx + c$, with $a, b, c \in \mathbb{Q}$. Let $P_1$ and $P_2$ be two generators for $E[n]$. Then there exists a one-to-one group homomorphism

$$\rho_n : \mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q}) \to GL_2(\mathbb{Z}/n\mathbb{Z}).$$

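Proof. In the proof of this result we construct explicitly the group homomorphism $\rho_n$. For any $\sigma \in \mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q})$ we can define a group homomorphism $\Psi(\sigma)$ on $E[n]$ as in Proposition 7.2.2. Indeed, we have $[n]\Psi(\sigma)(P) = \Psi(\sigma)([n]P) = O$ and the composition is preserved, i.e. $\Psi(\sigma\tau)(P) = \Psi(\sigma)\Psi(\tau(P))$, for any $\sigma, \tau \in \mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q})$ (see Proposition 7.2.2). Moreover, since $\sigma \in \mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q})$ is an automorphism, $\Psi(\sigma)$ is also an automorphism with $\Psi(\sigma)^{-1} = \Psi(\sigma^{-1})$. Recall that the automorphisms of $E[n]$ form a group that we denote by $\mathrm{Aut}(E[n])$. Hence the map $\Psi : \mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q}) \to \mathrm{Aut}(E[n])$ is a group homomorphism.

Moreover, by Proposition 7.2.10, we know that there exist generators $P_1$ and $P_2$ for $E[n]$, so that any $P \in E[n]$ can be written as $P = a_1P_1 + a_2P_2$, for some unique $a_1, a_2 \in \mathbb{Z}/n\mathbb{Z}$. Hence any homomorphism $\sigma : E[n] \to E[n]$ is completely defined by the images of $P_1$ and $P_2$. In particular we know that $\sigma(P_1), \sigma(P_2)$ are in $E[n]$, so we can find $\alpha, \beta, \gamma, \delta \in \mathbb{Z}/n\mathbb{Z}$ such that

$$\sigma(P_1) = \alpha P_1 + \gamma P_2 \quad\text{and}\quad \sigma(P_2) = \beta P_1 + \delta P_2.$$

Moreover, for any $\alpha, \beta, \gamma, \delta \in \mathbb{Z}/n\mathbb{Z}$ the map $\sigma$ defined as above is a group homomorphism of $E[n]$. Now $\sigma$ can be expressed by a matrix under the following map:

$$\Phi : \mathrm{Aut}(E[n]) \to GL_2(\mathbb{Z}/n\mathbb{Z}), \qquad \sigma \mapsto \Phi(\sigma) = \begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix},$$

where $\alpha, \beta, \gamma, \delta \in \mathbb{Z}/n\mathbb{Z}$ are given by the definition of $\sigma(P_1)$ and $\sigma(P_2)$ above. We can verify that $\Phi$ is a group isomorphism. Suppose $g, h \in \mathrm{Aut}(E[n])$; we need to prove that

$$\Phi(g \circ h) = \begin{pmatrix} \alpha_{g\circ h} & \beta_{g\circ h} \\ \gamma_{g\circ h} & \delta_{g\circ h} \end{pmatrix} = \begin{pmatrix} \alpha_g & \beta_g \\ \gamma_g & \delta_g \end{pmatrix}\begin{pmatrix} \alpha_h & \beta_h \\ \gamma_h & \delta_h \end{pmatrix} = \Phi(g)\Phi(h). \tag{7.7}$$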

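By definition we have $g \circ h(P_1) = \alpha_{g\circ h}P_1 + \gamma_{g\circ h}P_2$. But also $g \circ h(P_1) = g(\alpha_hP_1 + \gamma_hP_2) = \alpha_g\alpha_hP_1 + \gamma_g\alpha_hP_2 + \beta_g\gamma_hP_1 + \delta_g\gamma_hP_2$. Hence by uniqueness we have

$$\alpha_{g\circ h} = \alpha_g\alpha_h + \beta_g\gamma_h \quad\text{and}\quad \gamma_{g\circ h} = \gamma_g\alpha_h + \delta_g\gamma_h$$

and the first column of the matrix equality 7.7 holds. For the second column we proceed similarly using $P_2$. This proves that $\Phi$ is a group homomorphism. Since $\sigma \in \mathrm{Aut}(E[n])$, $\sigma$ is invertible and since $\Phi$ is a group homomorphism we have:

$$\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = \Phi(\sigma\sigma^{-1}) = \Phi(\sigma)\Phi(\sigma^{-1}).$$

Therefore $\Phi(\sigma)$ is invertible and $\Phi(\mathrm{Aut}(E[n])) \subseteq GL_2(\mathbb{Z}/n\mathbb{Z})$. We can finally prove that $\Phi$ is an isomorphism. Indeed, suppose $\Phi(\sigma) = \mathrm{Id}$, then it is easy to show that $\sigma = \mathrm{Id}$. Moreover, for any matrix

$$A = \begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix} \in GL_2(\mathbb{Z}/n\mathbb{Z}),$$

we can consider the homomorphism defined by $\sigma(P_1) = \alpha P_1 + \gamma P_2$ and $\sigma(P_2) = \beta P_1 + \delta P_2$. We already saw that such a map is a homomorphism. In particular, it is an isomorphism with inverse defined by $A^{-1}$ and given by $\sigma^{-1}(P_1) = \frac{\delta}{\Delta}P_1 - \frac{\gamma}{\Delta}P_2$ and $\sigma^{-1}(P_2) = -\frac{\beta}{\Delta}P_1 + \frac{\alpha}{\Delta}P_2$, where $\Delta$ is the determinant of $A$.

Finally, when composing these two homomorphisms, we obtain the group homomorphism

$$\rho_n : \mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q}) \to GL_2(\mathbb{Z}/n\mathbb{Z}), \qquad \sigma \mapsto \Phi \circ \Psi(\sigma).$$

We still need to show that $\rho_n$ is one-to-one. Suppose $\rho_n(\sigma) = \mathrm{Id}$. Then by definition we have $\Psi(\sigma(P_1)) = P_1$ and $\Psi(\sigma(P_2)) = P_2$ and $\Psi(\sigma) = \mathrm{Id} \in \mathrm{Aut}(E[n])$. But $\mathbb{Q}(E[n])$ is generated by the coordinates of all $P \in E[n]$. Hence

$$\Psi(\sigma(P)) = P \Rightarrow (\sigma(x), \sigma(y)) = (x, y)$$

and all coordinates of $P \in E[n]$ are fixed. Thus $\sigma = \mathrm{Id} \in \mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q})$ as well and $\rho_n$ is one-to-one.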

Definition 7.2.17 (Galois representation). The map

$$\rho_n : \mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q}) \to GL_2(\mathbb{Z}/n\mathbb{Z})$$

defined as in the previous result is called the Galois representation.

Remark 7.2.18. The map $\rho_n$ is not always onto. To illustrate this with $n = 2$, we are going to give two elliptic curves $E$ and $E'$ such that $\rho_2$ is onto for $E'$ but not for $E$. Let us fix $n = 2$. Using Proposition 7.2.12(i) or computing directly the coordinates of $2P$, the reader can verify that a point $P$ of the elliptic curve $E$ defined by $y^2 = x^3 + ax^2 + bx + c$, with $a, b, c \in \mathbb{Q}$, satisfies $2P = O$ if and only if $4y^2 = 4(x^3 + ax^2 + bx + c) = 0$. Moreover, as $E[2] \cong \mathbb{Z}/2\mathbb{Z} \oplus \mathbb{Z}/2\mathbb{Z}$, we know that $E[2]$ has 4 elements.

- Consider the elliptic curve $E$ defined by $y^2 = x(x - 1)(x - 2)$. Then we get $E[2] = \{O, (0, 0), (1, 0), (2, 0)\}$. Hence $\mathbb{Q}(E[2]) = \mathbb{Q}$ and $\mathrm{Gal}(\mathbb{Q}(E[2])/\mathbb{Q}) = \{\mathrm{Id}\}$. It is clear that in this case the Galois representation $\rho_2$ is not surjective.

- Now consider the elliptic curve $E'$ defined by the equation $y^2 = x^3 - 2$. We have already studied this polynomial in Proposition 4.2.1 according to which we can prove:

$$E'[2] = \{O, (\sqrt[3]{-2}, 0), (\sqrt[3]{-2}\,e^{2i\pi/3}, 0), (\sqrt[3]{-2}\,e^{4i\pi/3}, 0)\}.$$

Moreover $\mathbb{Q}(E'[2]) = \mathbb{Q}(\sqrt[3]{-2}, e^{2i\pi/3})$, which is the splitting field of $t^3 - 2$. We also proved that $\mathrm{Gal}(\mathbb{Q}(E'[2])/\mathbb{Q})$ is of order 6. As $GL_2(\mathbb{Z}/2\mathbb{Z})$ is also of order 6, then by the previous theorem, $\rho_2$ is bijective, i.e. $\mathrm{Gal}(\mathbb{Q}(E'[2])/\mathbb{Q}) \cong GL_2(\mathbb{Z}/2\mathbb{Z})$.

Actually, it turns out that for most elliptic curves, the representations $\rho_n$ are "almost" onto.

7.2.6 Construction of GL2(Z/3Z) as a Galois group

In this subsection we introduce a particular curve $E$ such that $E[3]$ enables us to construct $GL_2(\mathbb{Z}/3\mathbb{Z})$ as a Galois group. Then, we will give a more general result.

Consider the elliptic curve $E$ defined by the equation

$$E : y^2 = x^3 - x + 1/4.$$

Using the condition given in Example 7.2.15 and by division polynomials, we know that the $x$-coordinates of points of order 3 of $E$ are roots of the polynomial

$$3x^4 - 6x^2 + 3x - 1. \tag{7.8}$$

For any root $x_i$, $i = 1, \dots, 4$, the $y$-coordinate is found using the equation $y^2 = x_i^3 - x_i + 1/4$, because the points are on the curve $E$. We do not have to compute these coordinates. Now, if exact values are needed it is possible to apply Viète formula to find the roots of the quartic equation 7.8.

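According to the results of the previous section we already have the following information:

(i) $\mathbb{Q}(E[3])/\mathbb{Q}$ is a Galois extension;

(ii) the Galois representation $\rho_3 : \mathrm{Gal}(\mathbb{Q}(E[3])/\mathbb{Q}) \to GL_2(\mathbb{Z}/3\mathbb{Z})$ is a one-to-one group homomorphism.

As we have two finite groups, by (ii) we have that $|\mathrm{Gal}(\mathbb{Q}(E[3])/\mathbb{Q})| \leq |GL_2(\mathbb{Z}/3\mathbb{Z})|$ and by (i) we know that $|\mathrm{Gal}(\mathbb{Q}(E[3])/\mathbb{Q})| = [\mathbb{Q}(E[3]) : \mathbb{Q}]$. To compute the cardinality of $GL_2(\mathbb{Z}/3\mathbb{Z})$ we use the equivalence $A \in GL_2(\mathbb{Z}/3\mathbb{Z}) \Leftrightarrow \det(A) \neq 0$. This is the case if the two columns of $A$ are linearly independent. So let $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$; the column $\begin{pmatrix} a \\ c \end{pmatrix}$ can be anything except the vector 0. Hence we have 8 possibilities. For the column $\begin{pmatrix} b \\ d \end{pmatrix}$ we can choose any vector linearly independent of the first one. So we have 6 possibilities and the cardinality of $GL_2(\mathbb{Z}/3\mathbb{Z})$ is $8 \cdot 6 = 48$. Therefore if we prove that $[\mathbb{Q}(E[3]) : \mathbb{Q}] \geq 48$, we can conclude that $|\mathrm{Gal}(\mathbb{Q}(E[3])/\mathbb{Q})| = 48$ and hence that we have the isomorphism

$$\mathrm{Gal}(\mathbb{Q}(E[3])/\mathbb{Q}) \cong GL_2(\mathbb{Z}/3\mathbb{Z}).$$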

To compute the degree of the extension $\mathbb{Q}(E[3])/\mathbb{Q}$ we construct the splitting field $K_f$ of the polynomial given by Equation 7.8 using PARI/GP. The field $K_f$ is the smallest extension of $\mathbb{Q}$ containing all the $x$-coordinates of the points of order 3. The commands used are given in Appendix A and we obtain the field $K_f = \mathbb{Q}[t]/\langle f(t)\rangle$, where $f(t)$ is the following irreducible polynomial:

$$\begin{aligned}
f(t) = {} & t^{24} - 12t^{23} + 70t^{22} - 264t^{21} + 718t^{20} - 1482t^{19} + 2357t^{18} - 2802t^{17} \\
& + 2152t^{16} - 216t^{15} - 2288t^{14} + 4224t^{13} - 4915t^{12} + 4224t^{11} - 2288t^{10} - 216t^{9} \\
& + 2152t^{8} - 2802t^{7} + 2357t^{6} - 1482t^{5} + 718t^{4} - 264t^{3} + 70t^{2} - 12t + 1.
\end{aligned}$$

Hence the extension $K_f/\mathbb{Q}$ has degree 24. To prove that the degree of $\mathbb{Q}(E[3])/\mathbb{Q}$ is 48 it is sufficient to prove that $K_f \neq \mathbb{Q}(E[3])$. Denote by $a$ a root of $3x^4 - 6x^2 + 3x - 1$ in $K_f$. Using PARI/GP or SAGE, one can prove that the polynomial $y^2 - a^3 + a - 1/4$ is irreducible over $K_f$ and it follows that the $y$-coordinates associated to $a$ are not in $K_f$. Hence $K_f \neq \mathbb{Q}(E[3])$ and then $[\mathbb{Q}(E[3]) : \mathbb{Q}] = |\mathrm{Gal}(\mathbb{Q}(E[3])/\mathbb{Q})| = 48$ and

$$\mathrm{Gal}(\mathbb{Q}(E[3])/\mathbb{Q}) \cong GL_2(\mathbb{Z}/3\mathbb{Z})$$

as was to be shown.

Remark 7.2.19. In SAGE there exists the command E.is_surjective(n) that checks whether the Galois representation $\rho_n$ associated to the elliptic curve $E$ is surjective. The implemented method uses some more developed properties of elliptic curves which are not presented in this report. We have preferred to present a solution that we get using our results only.

Finally we present a result which furnishes a polynomial $r(t) \in \mathbb{Q}[t]$ with splitting field $K_r$ and Galois group $\mathrm{Gal}(K_r/\mathbb{Q}) \cong GL_2(\mathbb{Z}/p\mathbb{Z})$, for a prime integer $p$.

Proposition 7.2.20. Let $E$ be an elliptic curve defined over $\mathbb{Q}$ by the equation $y^2 = x^3 + ax + b$. Let $p \neq 2$ be a prime number and assume that the representation $\rho_p : \mathrm{Gal}(\mathbb{Q}(E_p)/\mathbb{Q}) \to GL_2(\mathbb{Z}/p\mathbb{Z})$ is surjective. Then we have:

(i) The division polynomial $\Psi_p$ (see the definition in the proof of Proposition 7.2.12(i)), whose roots are the $x$-coordinates of the non-trivial $p$-torsion points of $E$, is irreducible.

(ii) Let $P = (x, y) \in E[p] - \{0\}$. The characteristic polynomial of the multiplication by $x + y$ in $K(x, y)$ is irreducible and its Galois group over $K$ is $GL_2(\mathbb{Z}/p\mathbb{Z})$.

Proof. (i) Omitted. See ([13], Theorem 2.1).

(ii) Denote by $G$ the Galois group $\mathrm{Gal}(\mathbb{Q}(E[p])/\mathbb{Q})$. The set of conjugates of $x$ is

$$C_x = \{\sigma(x) \mid \sigma \in G\} = \{x_i \mid (x_i, \pm y_i) \in E[p]\}.$$

Similarly, for $x + y$, we have

$$C_{x+y} = \{\sigma(x + y) \mid \sigma \in G\} = \{x_i \pm y_i \mid (x_i, \pm y_i) \in E[p]\}.$$

Indeed, $\sigma \in G$ defines an automorphism of $E[p]$ as described in Subsection 7.2.1, hence we have the inclusions:

$$C_{x+y} \subseteq \{x_i \pm y_i \mid (x_i, \pm y_i) \in E[p]\} \quad\text{and}\quad C_x \subseteq \{x_i \mid (x_i, \pm y_i) \in E[p]\}.$$

Moreover, let $\{P, Q\}$ be a basis of $E[p]$ and write $R_i = (x_i, y_i)$, for each $x_i \in C_x$. Notice that such a basis exists for any point $P$ of order $p$, because $p$ is a prime number and so any element can be taken as generator. Let $a, b \in \mathbb{Z}/p\mathbb{Z}$ such that $aP + bQ = R$. Clearly $a \neq 0$ or $b \neq 0$, thus there exist $c, d, c', d' \in \mathbb{Z}/p\mathbb{Z}$ such that $A = \begin{pmatrix} a & c \\ b & d \end{pmatrix}$ and $A' = \begin{pmatrix} -a & c' \\ -b & d' \end{pmatrix}$ are in $GL_2(\mathbb{Z}/p\mathbb{Z})$.

Under the assumption, the Galois representation $\rho_p$ is onto. There thus exist $\tau, \tau' \in G$ such that $\rho_p(\tau) = A$ and $\rho_p(\tau') = A'$. So we have

$$\tau(P) = aP + bQ = R \quad\text{and}\quad \tau'(P) = -R = (x_i, -y_i).$$

This proves the equalities for the sets $C_x$ and $C_{x+y}$, and we have:

$$\mathbb{Q}(E[p]) = \mathbb{Q}(x_i \pm y_i \mid (x_i, \pm y_i) \in E[p]) = \mathbb{Q}(C_{x+y}).$$

Then, denote by $\{\alpha_i\}_{i=1}^{s}$ the set of all the distinct conjugates of $x + y$. Since $\mathbb{Q}(E[p])/\mathbb{Q}$ is a Galois extension and since $x + y$ belongs to $\mathbb{Q}(E[p])$, by Lemma 32 in [1], the minimal polynomial of $x + y$ over $\mathbb{Q}$ can be written as:

$$m_{x+y}(t) = \prod_{i=1}^{s}(t - \alpha_i).$$

Hence the previous argument proves that the splitting field of $m_{x+y}(t)$ is $\mathbb{Q}(E[p])$.

Now, according to (i) we know that $\Psi_p$ is irreducible, hence it has no multiple zero. This proves that $x_i \neq x_j$, for all $i \neq j$. Moreover, consider the automorphism $\sigma$ of $E[p]$ mapping any $P \in E[p]$ to $-P \in E[p]$. By surjectivity of the Galois representation $\rho_p$, there exists an element of $G$ that induces the automorphism $\sigma$. By some abuse of notation, we denote by $\sigma \in G$ this element as well. In particular, by definition of $-P$, $\sigma$ fixes all the $x_i$. Then we can prove that $x_i + y_i \neq x_j - y_j$, for any $i \neq j$. Indeed, suppose $U = x_i + y_i = x_j - y_j = -V$, then we would have $\sigma(V) = -V = U$ and so $x_i = x_j$, which is impossible for every $i \neq j$, by the previous argument. By a similar argument applied to $\mathrm{Id} \in \mathrm{Aut}(E[p])$, we find that $x_i + y_i \neq x_j + y_j$, for any $i \neq j$. Finally for every $i$ we have $x_i + y_i \neq x_i - y_i$, because if $P = x_i + y_i = x_i - y_i$, we have $P = -P$ and hence $2P = O$ and this is impossible, because $P$ is a point of order $p \neq 2$. Hence $C_{x+y}$ is a set of $p^2 - 1$ distinct points and $\deg(m_{x+y}(t)) = p^2 - 1$.

Moreover we have:

$$\mathbb{Q}(x + y) \subseteq \mathbb{Q}(x, y) \subseteq \mathbb{Q}(E[p]).$$

Next, we want to compute the degree of $\mathbb{Q}(x, y)/\mathbb{Q}(x + y)$ in order to apply Proposition 3.1.8 with $K = \mathbb{Q}$ and $L = \mathbb{Q}(x, y)$. By part (i) the minimal polynomial $\Psi_p(t)$ is irreducible over $\mathbb{Q}$ and according to the property 7.6 we know that $\deg(\Psi_p(t)) = \frac{p^2 - 1}{2}$. Hence we have $[\mathbb{Q}(x) : \mathbb{Q}] = (p^2 - 1)/2$. Then, if $y \in \mathbb{Q}(x)$, we would have $\mathbb{Q}(x, y) = \mathbb{Q}(x)$. But this is impossible, because $\mathbb{Q}(x + y) \subseteq \mathbb{Q}(x, y)$ and $[\mathbb{Q}(x + y) : \mathbb{Q}] = p^2 - 1 \geq \frac{p^2 - 1}{2}$. Hence $y \notin \mathbb{Q}(x)$ and the minimal polynomial of $y$ over $\mathbb{Q}(x)$ is $y^2 - x^3 - ax - b$. Thus $[\mathbb{Q}(x, y) : \mathbb{Q}] = p^2 - 1$ and $\mathbb{Q}(x, y) = \mathbb{Q}(x + y)$. Then, according to Proposition 3.1.8, the polynomial $m_{x+y}(t)$ is also the characteristic polynomial of the multiplication-by-$(x + y)$ map in $\mathbb{Q}(x, y)$. For a reminder of these definitions see Subsection 3.1.3.

As $\rho_p$ is onto, we have $\mathrm{Gal}(\mathbb{Q}(E[p])/\mathbb{Q}) \cong GL_2(\mathbb{Z}/p\mathbb{Z})$. Since the splitting field of $m_{x+y}(t)$ is $\mathbb{Q}(E[p])$, we conclude that the Galois group associated to $m_{x+y}(t) \in \mathbb{Q}[t]$ is isomorphic to $GL_2(\mathbb{Z}/p\mathbb{Z})$.

Remark 7.2.21. In the proof of (ii), we have used Lemma 32 of [1], whose proof is omitted here. Write $n_{x+y}(t) = \prod_{i=1}^{s}(t - \alpha_i)$. The idea of this lemma is to prove that $n_{x+y}(t)$ divides the minimal polynomial $m_{x+y}(t)$ of $x + y$ over $\mathbb{Q}$. One argument is that for any $\sigma \in G$, we have $0 = \sigma(m_{x+y}(x + y)) = m_{x+y}(\sigma(x + y))$, because $m_{x+y}(t)$ has coefficients in $\mathbb{Q}$. Moreover one can prove that $n_{x+y}(t)$ is fixed by any $\sigma \in G$. Hence it has coefficients in $\mathbb{Q}$ and is minimal for these properties.

Application of Proposition 7.2.20: We now apply Proposition 7.2.20 to find a polynomial with Galois group $GL_2(\mathbb{Z}/3\mathbb{Z})$. Consider $P = (x, y)$ a point of order 3 on the curve $E$. The minimal polynomial of $x$ over $\mathbb{Q}$ is $\Psi_3(t) = 3t^4 - 6t^2 + 3t - 1$, which is irreducible according to part (i) of the proposition. Therefore $\{1, x, x^2, x^3\}$ is a basis of $\mathbb{Q}(x)$ over $\mathbb{Q}$. Moreover, using PARI/GP one can verify that $y^2 - x^3 + x - 1/4$ is irreducible over $\mathbb{Q}(x)$ and thus $\{1, y\}$ is a basis of $\mathbb{Q}(x, y)$ over $\mathbb{Q}(x)$. Therefore we can consider the basis $\{1, x, x^2, x^3, y, xy, x^2y, x^3y\}$ for $\mathbb{Q}(x, y)$ over $\mathbb{Q}$ and compute the matrix associated to the map

$$m_{x+y} : \mathbb{Q}(x, y) \to \mathbb{Q}(x, y), \qquad a \mapsto a(x + y).$$

We obtain the following matrix:

$$M = \begin{pmatrix}
0 & 0 & 0 & \frac{1}{3} & \frac{1}{4} & \frac{1}{3} & 0 & \frac{1}{3} \\
1 & 0 & 0 & -1 & -1 & -\frac{3}{4} & \frac{1}{3} & -1 \\
0 & 1 & 0 & 2 & 0 & 1 & -\frac{3}{4} & \frac{7}{3} \\
0 & 0 & 1 & 0 & 1 & 0 & 1 & -\frac{3}{4} \\
1 & 0 & 0 & 0 & 0 & 0 & 0 & \frac{1}{3} \\
0 & 1 & 0 & 0 & 1 & 0 & 0 & -1 \\
0 & 0 & 1 & 0 & 0 & 1 & 0 & 2 \\
0 & 0 & 0 & 1 & 0 & 0 & 1 & 0
\end{pmatrix}$$

The characteristic polynomial of this matrix is

$$c_{x+y}(t) = t^8 - 2t^6 - \frac{26}{3}t^5 + \frac{283}{24}t^4 - 9t^3 + \frac{35}{4}t^2 - \frac{343}{72}t + \frac{5831}{6912}.$$

Denote by $K_c$ the splitting field of $c_{x+y}$ over $\mathbb{Q}$. Then, by the previous argument the Galois group of the extension $K_c/\mathbb{Q}$ is $GL_2(\mathbb{Z}/3\mathbb{Z})$. This can be verified with the software Maple and the command galois().
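The matrix of the multiplication-by-$(x + y)$ map and its characteristic polynomial can be recomputed with exact rational arithmetic. The Python code below is an added example, not the PARI/GP or Maple code the thesis refers to; the function names are illustrative, and it assumes only the two relations $x^4 = 2x^2 - x + 1/3$ (the monic form of $\Psi_3$) and $y^2 = x^3 - x + 1/4$, using the Faddeev-LeVerrier recursion for the characteristic polynomial.

```python
from fractions import Fraction as F

# Curve from the text: E : y^2 = x^3 + A*x + B with A = -1, B = 1/4.
A, B = F(-1), F(1, 4)
# Monic form of Psi_3(t) = 3t^4 + 6A t^2 + 12B t - A^2, lowest degree first.
PSI3 = [-A * A / 3, 4 * B, 2 * A, F(0), F(1)]
# Right-hand side of the curve equation, so that y^2 = CURVE(x).
CURVE = [B, A, F(0), F(1)]
X = [F(0), F(1)]


def poly_add(p, q):
    n = max(len(p), len(q))
    p = p + [F(0)] * (n - len(p))
    q = q + [F(0)] * (n - len(q))
    return [a + b for a, b in zip(p, q)]


def poly_mul(p, q):
    out = [F(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out


def poly_mod(p, m):
    """Reduce p modulo the monic polynomial m; returns exactly deg(m) coefficients."""
    p, d = list(p), len(m) - 1
    for k in range(len(p) - 1, d - 1, -1):
        c = p[k]
        for j in range(d + 1):
            p[k - d + j] -= c * m[j]
    p = p[:d]
    return p + [F(0)] * (d - len(p))


def times_x_plus_y(u, v):
    """(u + v*y)(x + y) = (u*x + v*y^2) + (u + v*x)*y, reduced in Q(x, y)."""
    new_u = poly_add(poly_mul(u, X), poly_mul(v, CURVE))
    new_v = poly_add(u, poly_mul(v, X))
    return poly_mod(new_u, PSI3), poly_mod(new_v, PSI3)


def multiplication_matrix():
    """Matrix of a -> a(x+y) in the basis 1, x, x^2, x^3, y, xy, x^2 y, x^3 y.

    The image of each basis element is stored as a column, as in the text.
    """
    columns = []
    for k in range(8):
        u, v = [F(0)] * 4, [F(0)] * 4
        (u if k < 4 else v)[k % 4] = F(1)
        new_u, new_v = times_x_plus_y(u, v)
        columns.append(new_u + new_v)
    return [[columns[c][r] for c in range(8)] for r in range(8)]


def mat_mul(P, Q):
    n = len(P)
    return [[sum(P[i][k] * Q[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def char_poly(M):
    """Coefficients of det(tI - M), highest degree first (Faddeev-LeVerrier)."""
    n = len(M)
    coeffs = [F(1)]
    N = [[F(0)] * n for _ in range(n)]
    for k in range(1, n + 1):
        N = mat_mul(M, N)
        for i in range(n):
            N[i][i] += coeffs[-1]
        MN = mat_mul(M, N)
        coeffs.append(-sum(MN[i][i] for i in range(n)) / k)
    return coeffs


if __name__ == "__main__":
    M = multiplication_matrix()
    for row in M:
        print("  ".join(f"{str(e):>5}" for e in row))
    print("char poly:", [str(c) for c in char_poly(M)])
```

Changing `A` and `B` reuses the same code for any curve $y^2 = x^3 + Ax + B$ whose $\Psi_3$ is irreducible and for which $y \notin \mathbb{Q}(x)$; both conditions still have to be checked separately.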

Remark 7.2.22. Construction of a basis for $\mathbb{Q}(x, y)$:

• For the simple extension $\mathbb{Q}(x)$, the family $\{1, x, \dots, x^{d-1}\}$ is a $\mathbb{Q}$-basis, where $d = \deg(m_x(t))$ and $m_x(t)$ is the minimal polynomial of $x$ over $\mathbb{Q}$. Indeed, if $m_x(t) = t^d + a_{d-1}t^{d-1} + \cdots + a_1t + a_0$ we can replace any power of $x$ bigger than $x^{d-1}$ using the relation $x^d = -(a_{d-1}x^{d-1} + \cdots + a_1x + a_0)$.

• Similarly for $\mathbb{Q}(x, y)$ over $\mathbb{Q}(x)$ we can use the basis $\{1, y, \dots, y^{r-1}\}$, with $r = \deg(m_y(t))$ where $m_y(t)$ is the minimal polynomial of $y$ over $\mathbb{Q}(x)$.

• Then, for $\mathbb{Q}(x, y)$, we can use the basis

$$\{x^iy^j \mid 0 \leq i \leq d - 1 \text{ and } 0 \leq j \leq r - 1\}.$$

Indeed, consider an element $l \in \mathbb{Q}(x, y)$. Then we have

$$l = \sum_{j=0}^{r-1} l_jy^j = \sum_{j=0}^{r-1}\Big(\sum_{i=0}^{d-1} l_{ij}x^i\Big)y^j,$$

with $l_j \in \mathbb{Q}(x)$ and $l_{ij} \in \mathbb{Q}$, for $0 \leq i \leq d - 1$ and $0 \leq j \leq r - 1$.

All the details of this proof are given in Theorem 16 of [1].

More generally, Serre studied under which condition the Galois representation $\rho_n$ defined in Theorem 7.2.16 is onto. In particular, he proved the following difficult theorem in [18] which claims that for curves without complex multiplication (see Subsection 7.3) the map $\rho_n$ is onto for almost every $n \in \mathbb{N}$.

Theorem 7.2.23. Let $E$ be an elliptic curve given by a Weierstrass equation with rational coefficients. Assume that $E$ does not have complex multiplication. There is an integer $N_E \geq 1$ depending on the elliptic curve $E$, such that if $n$ is an integer relatively prime to $N_E$, then the Galois representation

$$\rho_n : \mathrm{Gal}(\mathbb{Q}(E[n])/\mathbb{Q}) \to GL_2(\mathbb{Z}/n\mathbb{Z})$$

is an isomorphism.

The proof of this result was presented in 1972 in [18] and needs more advanced tools of elliptic curve theory. Using this result one proves that for any prime $p$ the group $GL_2(\mathbb{F}_p)$ is a Galois group.

The image of the Galois representation $\rho_p$, for small prime numbers $p$, was studied more explicitly by Reverter and Vila in [13] and [14].

7.3 Elliptic curves with complex multiplication

7.3.1 Complex multiplication

In this part, we consider $K = \mathbb{Q}$. Let $E$ be an elliptic curve defined over $K$. By Theorem 7.1.15 it is clear that for every positive integer $n$, the multiplication-by-$n$ map is a group homomorphism on $(E(\mathbb{C}), +)$. Moreover, if $P = (x, y)$ the coordinates $x_n, y_n$ of the point $[n]P$ are expressed by rational functions of $x, y$ (see proof of Proposition 7.2.12). Actually, we have defined the multiplication-by-$n$ maps for positive integers $n$ only. Now, we can consider the map $[-n]P = -[n]P$, which is also a homomorphism, because we have

$$[-n](P + Q) = -[n](P + Q) = -([n]P + [n]Q) = -[n]P - [n]Q,$$

by linearity of the maps $P \mapsto [n]P$ and $P \mapsto -P$. Hence the multiplication-by-$n$ map is well defined for all integers $n \in \mathbb{Z}$.

Definition 7.3.1 (Endomorphism). Let $\Phi : E \to E$ be a homomorphism of $E$. We say that $\Phi$ is an endomorphism if $\Phi((x, y))$ is defined by rational functions of $x$ and $y$. We denote by $\mathrm{End}(E(\mathbb{C}))$ the group of endomorphisms of the curve $E$.

In particular, the multiplication-by-$n$ maps, for $n \in \mathbb{Z}$, are endomorphisms of $(E(\mathbb{C}), +)$. The idea of this subsection is to determine whether there are other endomorphisms of $(E(\mathbb{C}), +)$. Along the way, this will lead us to the notion of complex multiplication.

First, in the next proposition we give a characterization of endomorphisms of an elliptic curve $E$.

Proposition 7.3.2. Let $E$ be an elliptic curve defined over $\mathbb{Q}$ by the Weierstrass equation $y^2 = x^3 + Ax + B$, with $A, B \in \mathbb{Q}$. Then any endomorphism $\alpha \in \mathrm{End}(E(\mathbb{C}))$ is of the form

$$\alpha : E(\mathbb{C}) \to E(\mathbb{C}), \qquad (x, y) \mapsto (R(x), yS(x)),$$

where $R(x), S(x)$ are rational functions in $x$.

Proof. Consider any rational function $R(x, y)$, where we suppose $x, y$ to be the coordinates of a point of $E$. Using the Weierstrass equation defining the curve, we can replace $y^2$ by $x^3 + Ax + B$. Then $R$ is of the form:

$$R(x, y) = \frac{r_1(x) + r_2(x)y}{q_1(x) + q_2(x)y},$$

where $r_1, r_2, q_1, q_2$ are polynomial functions. Then multiplying $R(x, y)$ by $(q_1(x) - q_2(x)y)/(q_1(x) - q_2(x)y)$ and replacing $y^2$ by $x^3 + Ax + B$, we get:

$$R(x, y) = \frac{c_1(x) + c_2(x)y}{c_3(x)}, \tag{7.9}$$

where $c_1, c_2, c_3$ are polynomial functions in $x$ again. Now, let $\alpha$ be an endomorphism of $E$. By definition, there exist rational functions $R$ and $S$ such that $\alpha((x, y)) = (R(x, y), S(x, y))$. Since $\alpha$ is in particular a homomorphism we have:

$$-\alpha((x, y)) = \alpha(x, -y), \quad\text{i.e.}\quad (R(x, y), -S(x, y)) = (R(x, -y), S(x, -y)).$$

Then $R$ depends on $y^2$ only and hence on $x$ only. Moreover, $S$ is an odd function in $y$. In particular, using Equation 7.9, we can prove that $S(x, y) = yS'(x)$, for some rational function $S'$ in $x$.

Definition 7.3.3 (Complex multiplication). Let $E$ be an elliptic curve. We say that $E$ has complex multiplication if there exists an endomorphism $\Phi : E \to E$ which is not a multiplication-by-$n$ map, with $n \in \mathbb{Z}$.

In what follows we will always consider as example the elliptic curve $E$ defined by the equation

$$E : y^2 = x^3 + x.$$

This curve has complex multiplication $\Phi : E \to E$ given by

$$\Phi(x, y) = (-x, iy).$$

Indeed, let $P = (x, y)$ be a point of $E(\mathbb{C})$, then $\Phi(P) \in E$ as well, because we have

$$(iy)^2 = -y^2 = -x^3 - x.$$

Using homogeneous coordinates we can verify that $\Phi(O) = O$. Indeed, the mapping corresponding to $\Phi$ is $[X : Y : Z] \mapsto [-X : iY : Z]$ and hence $[0 : 1 : 0] \mapsto [0 : i : 0] = O$. One can also verify that $\Phi((x_1, y_1) + (x_2, y_2)) = \Phi((x_1, y_1)) + \Phi((x_2, y_2))$. We present the computation only for the case of $P_1 = (x_1, y_1), P_2 = (x_2, y_2) \in E$ with $x_1 \neq x_2$ and $y_1 \neq y_2$. Denote $P_1 + P_2 = P_3 = (x_3, y_3)$. We have already seen that

$$x_3 = \Big(\frac{y_1 - y_2}{x_1 - x_2}\Big)^2 - x_1 - x_2 \quad\text{and}\quad y_3 = \Big(\frac{y_1 - y_2}{x_1 - x_2}\Big)(x_1 - x_3) - y_1$$

(see Example 7.1.16). Then $\Phi(P_3) = (-x_3, iy_3)$. On the other hand

$$\Phi(P_1) + \Phi(P_2) = (-x_1, iy_1) + (-x_2, iy_2) = \left(\Big(\frac{-i(y_1 - y_2)}{x_1 - x_2}\Big)^2 + x_1 + x_2,\ \Big(\frac{-i(y_1 - y_2)}{x_1 - x_2}\Big)(-x_1 - x_3') - iy_1\right),$$

where $x_3' = \Big(\frac{-i(y_1 - y_2)}{x_1 - x_2}\Big)^2 + x_1 + x_2$. It is now easy to verify that $\Phi(P_1) + \Phi(P_2) = (-x_3, iy_3) = \Phi(P_3)$.

Above we verified that $\Phi$ is a homomorphism, but studying the theory of elliptic curves in more detail one can prove the following result. For the proof we refer the reader to ([20], Chapter 3, Theorem 4.8).

Theorem 7.3.4. Let $C, C$ be two elliptic curves and consider a map $\Psi : C(\mathbb{C}) \to C(\mathbb{C})$ given by rational functions and satisfying $\Psi(O) = O$. Then $\Psi$ is a homomorphism of groups.

In particular, this result guarantees that the condition $\Phi(O) = O$ is sufficient to conclude that $\Phi(P_1) + \Phi(P_2) = \Phi(P_1 + P_2)$.

By definition, an elliptic curve $C$ has complex multiplication if $\mathrm{End}(C(\mathbb{C}))$ contains some other endomorphism which is not a multiplication-by-$n$ map, with $n \in \mathbb{Z}$. Denote by $\Lambda$ the lattice such that $C(\mathbb{C}) \cong \mathbb{C}/\Lambda$. The aim of this section is to prove that any endomorphism of $C$ induces a map $f : \mathbb{C}/\Lambda \to \mathbb{C}/\Lambda$ defined by $f(z) = cz$, with $c \in \mathbb{C} - \mathbb{R}$.

Consider an endomorphism $\alpha : C(\mathbb{C}) \to C(\mathbb{C})$ of an elliptic curve $C$. Then $\alpha$ induces a group homomorphism $\alpha : \mathbb{C}/\Lambda \to \mathbb{C}/\Lambda$. Indeed, we have proved that there exists a group isomorphism which is also an isomorphism of Riemann surfaces given by:

$$\Phi : \mathbb{C}/\Lambda \to C(\mathbb{C}), \qquad z \mapsto (\wp(z), \wp'(z)),$$

where $\wp$ denotes the Weierstrass function of $\Lambda$. By composition with $\alpha$, we thus get a homomorphism of groups:

$$\alpha = \Phi^{-1}\alpha\Phi.$$

Using some arguments of the theory of Riemann surfaces that will not be developed here, one can prove that $\alpha$ is also a holomorphic map of Riemann surfaces, because $\Phi$ is an isomorphism, $\wp$ is holomorphic and $\alpha$ is given by rational functions. Hence, one can find an open neighborhood $U_0$ of 0 in $\mathbb{C}$, such that if we identify any $z \in U_0$ with its class modulo $\Lambda$, the map $\alpha$ induces an analytic map $\tilde{\alpha} : U_0 \to \mathbb{C}$ satisfying the property:

$$\forall z \in U_0, \quad \alpha(z) \equiv \tilde{\alpha}(z) \mod \Lambda.$$

The map $\tilde{\alpha}$ is not uniquely defined; in particular the only condition on the image of 0 is that $\tilde{\alpha}(0) \in \Lambda$. Without loss of generality, we can suppose $\tilde{\alpha}(0) = 0$. Since $\tilde{\alpha}$ is continuous, the image of $\tilde{\alpha}$ is in a neighborhood of 0 as well. Moreover $\alpha$ is a homomorphism and so the map $\tilde{\alpha}$ satisfies the following relations:

$$\tilde{\alpha}(z_1 + z_2) \equiv \tilde{\alpha}(z_1) + \tilde{\alpha}(z_2) \mod \Lambda \tag{7.10}$$

$$\Leftrightarrow \tilde{\alpha}(z_1 + z_2) - \tilde{\alpha}(z_1) - \tilde{\alpha}(z_2) \in \Lambda$$

for any $z_1, z_2$ in $U_0$. The neighborhood $U_0$ can be restricted so that the only element of $\Lambda$ in $\tilde{\alpha}(U_0)$ is 0. Thus, for such a neighborhood $U_0$, Equation 7.10 is equivalent to

$$\tilde{\alpha}(z_1 + z_2) = \tilde{\alpha}(z_1) + \tilde{\alpha}(z_2).$$

Hence, any endomorphism $\alpha : C(\mathbb{C}) \to C(\mathbb{C})$ induces an analytic map $\tilde{\alpha} : U_0 \to \mathbb{C}$ defined on an open neighborhood $U_0$ of 0 such that $\tilde{\alpha}(0) = 0$ and satisfying $\tilde{\alpha}(z_1 + z_2) = \tilde{\alpha}(z_1) + \tilde{\alpha}(z_2)$, for any $z_1, z_2 \in U_0$.

This property is important to characterize the endomorphisms of an elliptic curve.

Proposition 7.3.5. Let $C$ be an elliptic curve. Then:

$$\mathrm{End}(C(\mathbb{C})) \cong \{c \in \mathbb{C} \mid c\Lambda \subseteq \Lambda\}.$$

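Proof. Let $\Lambda$ be the lattice such that $C(\mathbb{C}) \cong \mathbb{C}/\Lambda$.

(i) Let $f : \mathbb{C}/\Lambda \to \mathbb{C}/\Lambda$ be the homomorphism induced by an endomorphism of $C$. We first prove that for any $z \in \mathbb{C}/\Lambda$, $f(z) = cz$, for some $c \in \mathbb{C}$ such that $c\Lambda \subseteq \Lambda$. By the arguments preceding this proposition, $f$ induces an analytic map $\tilde{f} : U_0 \to \mathbb{C}$ on an open neighborhood $U_0 \subset \mathbb{C}$ of 0 such that

$$\tilde{f}(z_1 + z_2) = \tilde{f}(z_1) + \tilde{f}(z_2),$$

for any $z_1, z_2 \in U_0$. For any $z \in U_0$ we have

$$\tilde{f}'(z) = \lim_{h \to 0}\frac{\tilde{f}(z + h) - \tilde{f}(z)}{h} = \lim_{h \to 0}\frac{\tilde{f}(z) + \tilde{f}(h) - \tilde{f}(z)}{h}.$$

Then, since $\tilde{f}(0) = 0$, we find:

$$\tilde{f}'(z) = \lim_{h \to 0}\frac{\tilde{f}(h) - \tilde{f}(0)}{h} = \tilde{f}'(0).$$

This proves that the derivative of $\tilde{f}$ is constant over $U_0$. Hence $\tilde{f}(z) = c_1z + c_0$ and since $\tilde{f}(0) = 0$ we have $\tilde{f}(z) = c_1z$, for any $z \in U_0$. Now, if we identify any $z \in U_0$ with its class modulo $\Lambda$, we get:

$$f(z) \equiv \tilde{f}(z) \mod \Lambda.$$

Thus $f(z) = c_1z$, for any $z \in U_0$, where $c_1z$ is identified with its class in $\mathbb{C}/\Lambda$.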

Now, for every $z \in \mathbb{C}$, there exists a positive integer $n_z \in \mathbb{N}$ such that $\frac{z}{n_z} \in U_0$. Under identification of elements of $\mathbb{C}$ with their class modulo $\Lambda$, we get:

$$f(z) \equiv nf\Big(\frac{z}{n}\Big) \equiv n\tilde{f}\Big(\frac{z}{n}\Big) = nc_1\frac{z}{n} = c_1z,$$

where the congruences are given modulo $\Lambda$. Hence, for any $z \in \mathbb{C}$ we have $f(z) \equiv c_1z \mod \Lambda$. Moreover, $c_1$ cannot be chosen arbitrarily, because $f$ is an endomorphism. In particular, for any $z \in \Lambda$ we must have that $c_1z \in \Lambda$. So we have that $f(z) = c_1z$, with $c_1 \in \{c \in \mathbb{C} \mid c\Lambda \subseteq \Lambda\}$.

(ii) To conclude the proof, we prove that any map $f : \mathbb{C}/\Lambda \to \mathbb{C}/\Lambda$ defined as $f(z) = lz$, with $l \in \{c \in \mathbb{C} \mid c\Lambda \subseteq \Lambda\}$, corresponds to an endomorphism of $C$. Clearly the multiplication-by-$l$ map is a homomorphism of $\mathbb{C}/\Lambda$ into $\mathbb{C}/\Lambda$ and hence corresponds to a homomorphism of $C$, by an argument similar to the one preceding this proposition. Thus we only need to prove that the map on $C$ corresponding to $f$ is given by rational functions of $x$ and $y$. Now, the map $f$ induces the following homomorphism of $E$:

$$\varphi : C(\mathbb{C}) \to C(\mathbb{C}), \qquad (\wp(z), \wp'(z)) \mapsto (\wp(lz), \wp'(lz)).$$

The maps $\wp(lz), \wp'(lz)$ are doubly periodic of period $\Lambda$, because so are $\wp(z)$ and $\wp'(z)$ and $l\Lambda \subseteq \Lambda$. Then, according to Proposition B.1.2(iii), $\wp(cz)$ and $\wp'(cz)$ are rational functions of $\wp(z)$ and $\wp'(z)$. Hence $\varphi$ is an endomorphism of $E$. In particular, according to Proposition 7.3.2, there exist rational functions $R(x), S(x)$ of $x$ such that $\varphi((x, y)) = (R(x), yS(x))$.

Hence any endomorphism of $C$ corresponds to a multiplication-by-$c$ map over $\mathbb{C}/\Lambda$ for a unique $c \in \mathbb{C}$ such that $c\Lambda \subseteq \Lambda$. Thus we have the following isomorphism of rings:

$$\mathrm{End}(E) \cong \{c \in \mathbb{C} \mid c\Lambda \subseteq \Lambda\}$$

because the arguments preceding this proposition prove that there is an isomorphism between homomorphisms of $C(\mathbb{C})$ and homomorphisms of $\mathbb{C}/\Lambda$.

Note that, using this characterization of endomorphisms of $C$, we can prove that any complex multiplication of $C$ corresponds to a function $f : \mathbb{C}/\Lambda \to \mathbb{C}/\Lambda$ defined by $f(z) = cz$, with $c \in \mathbb{C} - \mathbb{R}$. Indeed, suppose $c \in \mathbb{R}$ such that $c\Lambda \subseteq \Lambda$. Let $\{\omega_1, \omega_2\}$ be a basis of $\Lambda$. Then we have in particular $c\omega_1 \in \Lambda$, i.e. there exist $a, b \in \mathbb{Z}$ such that $c\omega_1 = a\omega_1 + b\omega_2$. Then $(c - a)\omega_1 - b\omega_2 = 0$ and by $\mathbb{R}$-linear independence of $\omega_1$ and $\omega_2$ we have $c - a = b = 0$. Then $c = a \in \mathbb{Z}$ and $f$ is a multiplication-by-$c$ map, with $c \in \mathbb{Z}$. It follows that a complex multiplication is a multiplication-by-$c$ map over $\mathbb{C}/\Lambda$, with $c \in \mathbb{C} - \mathbb{R}$.

7.3.2 Properties of the complex multiplication on E

Let $C$ be an elliptic curve defined over $\mathbb{Q}$. In the previous subsection we proved the existence of an isomorphism of rings:

$$\mathrm{End}(C(\mathbb{C})) \cong \{c \in \mathbb{C} \mid c\Lambda \subseteq \Lambda\},$$

where $\Lambda$ is the lattice such that $C(\mathbb{C}) \cong \mathbb{C}/\Lambda$. Moreover, we have that $\mathbb{Z} \subseteq \{c \in \mathbb{C} \mid c\Lambda \subseteq \Lambda\}$ and $E$ has complex multiplication if and only if $\mathrm{End}(E)$ is larger than $\mathbb{Z}$. One can prove that in this case $\mathrm{End}(C(\mathbb{C}))$ is such that $K = \mathrm{End}(C(\mathbb{C}))\mathbb{Q}$ is an imaginary number field. Moreover, it can be shown that for any integer $n \geq 1$ the field $K(C[n])$ is a Galois extension of $K$ with abelian Galois group.

Here we present the proof of this result in the special case of the elliptic curve $E$ defined by the equation $y^2 = x^3 + x$ with $K = \mathbb{Q}(i)$. For this aim we need two lemmas. First, if we fix an integer $n \geq 1$ the complex multiplication $\Phi(x, y) = (-x, iy)$ is an endomorphism of $E[n]$. So we can define $\Phi$ by a matrix using the images of a basis $P_1, P_2$ of $E[n]$. In particular, if $\Phi(P_1) = aP_1 + cP_2$ and $\Phi(P_2) = bP_1 + dP_2$, $\Phi$ will be described by the matrix $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in M_2(\mathbb{Z}/n\mathbb{Z})$. The first lemma that we are going to prove concerns this matrix.

Lemma 7.3.6. Let $A$ be the matrix defined above. Then:

(i) A ∈ GL2(Z/nZ);

(ii) A is not a scalar matrix modulo l, for all prime numbers l dividing n.

Proof. (i) Let P = (x, y) be a point of E[n]. We have

Φ(Φ(P )) = Φ(−x, iy) = (x,−y) = −P.

In matrix terms this is equivalent to $A^2 = \begin{pmatrix} -1 & 0 \\ 0 & -1 \end{pmatrix}$. Then $\det(A^2) = \det(A)^2 = 1$. It follows that $\det(A)$ is a unit in $\mathbb{Z}/n\mathbb{Z}$ and $A \in GL_2(\mathbb{Z}/n\mathbb{Z})$.

(ii) Recall that in the basis $\{P_1, P_2\}$, any point $P$ of $E[n]$ can be expressed uniquely as $P = \alpha P_1 + \beta P_2$, with $\alpha, \beta \in \mathbb{Z}/n\mathbb{Z}$. The group $E[n]$ contains all the points of order dividing $n$. Therefore for every prime $p$ dividing $n$ we have $E[p] \subseteq E[n]$. Moreover, by (i), $\Phi$ is an automorphism of $E[n]$ and hence it preserves the order of a point. Consider a point $P$ of order $p$ and write $P = \alpha P_1 + \beta P_2$. Then $[p]P = p\alpha P_1 + p\beta P_2 = O$ and so $p\alpha = p\beta = 0 \in \mathbb{Z}/n\mathbb{Z}$. Similarly, $\Phi(P) = (a\alpha + b\beta)P_1 + (c\alpha + d\beta)P_2$, thus $\Phi(P)$ is also of order $p$ and so are $(a\alpha + b\beta)$ and $(c\alpha + d\beta) \in \mathbb{Z}/n\mathbb{Z}$. Then the coordinates of a point of order $p$ are in the unique subgroup of $\mathbb{Z}/n\mathbb{Z}$ isomorphic to $\mathbb{Z}/p\mathbb{Z}$. This subgroup is obtained as the quotient $(\mathbb{Z}/n\mathbb{Z})/(p\mathbb{Z}/n\mathbb{Z}) \cong \mathbb{Z}/p\mathbb{Z}$ and therefore we can consider $a, b, c, d$ as elements of $\mathbb{Z}/p\mathbb{Z}$. If we restrict $\Phi$ to $E[p]$, we can thus consider the matrix $A$ modulo $p$ and describe the map $\Phi$ by reducing modulo $p$.

Suppose there exists some prime number $l$ dividing $n$ such that

$$\begin{pmatrix} a & b \\ c & d \end{pmatrix} = \begin{pmatrix} m & 0 \\ 0 & m \end{pmatrix} \mod l,$$

then $\Phi : E[l] \to E[l]$ is the multiplication-by-$m$ map. Denote by $\tau : \mathbb{C} \to \mathbb{C}$ the complex conjugation and write $K_n = \mathbb{Q}(i)(E[n])$. As $K_n \subseteq \mathbb{C}$, we can restrict $\tau$ to $K_n$ and in particular we have $\tau \in \mathrm{Gal}(K_n/\mathbb{Q})$. As for a given point $P = (x, y)$ the coordinates of $[m]P$ are rational functions in $x, y \in \mathbb{C}$ (see Proposition 7.2.12), it is quite easy to verify that $\tau([m]P) = [m](\tau(P))$. Moreover, $\tau(i) = -i$. Hence we find for any $P \in E(K_n)$

$$\tau(\Phi(P)) = \tau(-x, iy) = (-\tau(x), -i\tau(y)) = -\Phi(\tau(P)).$$

In particular, this is true for any $P \in E[l]$. But for $P \in E[l]$ we also have $\Phi = [m]$ and then we find

$$[m]\tau(P) = \tau([m]P) = \tau(\Phi(P)) = -\Phi(\tau(P)) = -[m]\tau(P),$$

because $\tau(P) \in E[l]$ as well. It follows that for any $P \in E[l]$ we have $2[m]\tau(P) = O$. And as $\tau$ is a permutation of elements in $E[l]$ we obtain $2[m]P = O$. There are two possibilities. Either, we could have $l \mid m$, but then

Page 116: Galois Inverse

7.3 Elliptic curves with complex multiplication 116

Φ(P ) = O, for every P ∈ E[l]. This is impossible, because we alreadyproved that Φ(Φ(P )) = −P and so we would have −P = O, for any Pof order l, which is absurd.Or, we could have l = 2. In this case, we compute explicitly the matrixof Φ using the points of E[2] computed in Example 7.2.14 and we checkthat it is not diagonal. Indeed, we have

E[2] = {O, (0, 0), (i, 0), (−i, 0)}

and we can take P1 = (0, 0) and P2 = (i, 0) as generators. We haveΦ(P1) = P1 and Φ(P2) = (−i, 0) = P1 + P2. Indeed, the straight linepassing trough P1 and P2 is y = 0 and the third point of intersectionwith the curve E is thus P1 ∗P2 = (−i, 0). Hence P1 +P2 = −(−i, 0) =

(−i, 0). Then the matrix of Φ : E[2]→ E[2] is

(1 10 1

)∈ GL2(Z/2Z),

which is not diagonal.

To prove the second lemma we need two algebraic results whose proofs are omitted (see [21], Chapter 6, Sublemma 2' and 2'').

Lemma 7.3.7. Let A ∈ GL_2(Z/l^eZ) be a matrix which is not a scalar matrix modulo l. Then there is a change-of-basis matrix T ∈ GL_2(Z/l^eZ) which puts A into rational normal form, i.e. such that:

$$T^{-1}AT = \begin{pmatrix} 0 & * \\ 1 & * \end{pmatrix}.$$

Lemma 7.3.8. Let

$$A = \begin{pmatrix} 0 & * \\ 1 & * \end{pmatrix} \in \mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z}).$$

Then {B ∈ GL_2(Z/nZ) | AB = BA} is an abelian subgroup of GL_2(Z/nZ).

These results are used to prove the following proposition.

Proposition 7.3.9. Let A ∈ GL_2(Z/nZ) be a matrix which is not a scalar matrix modulo l, for all prime numbers l dividing n. Then

G = {B ∈ GL_2(Z/nZ) | AB = BA}

is an abelian subgroup of GL_2(Z/nZ).

Proof. It is easy to check that G is a subgroup. Indeed, suppose B ∈ G, then AB^{-1} = B^{-1}A ⇔ BA = AB. So B^{-1} ∈ G. Moreover, suppose B, B′ ∈ G, then BB′ ∈ G, because ABB′ = BAB′ = BB′A.

To prove that G is abelian we decompose n into a product of prime factors, n = p_1^{e_1} ··· p_r^{e_r}. To show that two matrices are congruent modulo n it is sufficient to prove that they are congruent modulo p_i^{e_i}, for every i = 1, ..., r. Indeed, suppose a ≡ b + s mod n and a ≡ b mod p_i^{e_i} for every i = 1, ..., r. We have s ≡ 0 mod p_i^{e_i}, for every i = 1, ..., r, i.e. p_i^{e_i} | s, for every i = 1, ..., r. Then p_1^{e_1} ··· p_r^{e_r} | s as well and so s ≡ 0 mod n, i.e. a ≡ b mod n. Clearly we also have that a ≡ b mod n implies a ≡ b mod p_i^{e_i}, for every i = 1, ..., r.

Therefore for B ∈ GL_2(Z/nZ) we have

AB = BA ∈ GL_2(Z/nZ) ⇔ AB = BA ∈ GL_2(Z/p_i^{e_i}Z), for every i = 1, ..., r.

Then we can suppose n = l^e, for a prime integer l.

Consider a prime l such that l^e divides n. The matrix A ∈ GL_2(Z/l^eZ) is not a scalar matrix modulo l, hence by Lemma 7.3.7 we know that we can find a change-of-basis matrix T such that

$$T^{-1}AT = \begin{pmatrix} 0 & * \\ 1 & * \end{pmatrix} \in \mathrm{GL}_2(\mathbb{Z}/l^e\mathbb{Z}).$$

Write G_l ⊂ GL_2(Z/l^eZ) for the subgroup of matrices which commute with A. Let B, B′ ∈ G_l. We have

AB = BA and AB′ = B′A,

then we get

(T^{-1}AT)(T^{-1}BT) = (T^{-1}BT)(T^{-1}AT) and

(T^{-1}AT)(T^{-1}B′T) = (T^{-1}B′T)(T^{-1}AT).

By Lemma 7.3.8 this proves that T^{-1}BT and T^{-1}B′T commute. In particular, we have

(T^{-1}BT)(T^{-1}B′T) = (T^{-1}B′T)(T^{-1}BT) ⇒ BB′ = B′B ∈ GL_2(Z/l^eZ)

because T is invertible. Hence G_l is abelian.

Using this result and the previous argument we can conclude. Consider B, B′ ∈ G, then we have AB = BA and AB′ = B′A ∈ GL_2(Z/nZ), so AB = BA and AB′ = B′A ∈ GL_2(Z/p_i^{e_i}Z), for every i = 1, ..., r as well. It follows that BB′ = B′B ∈ GL_2(Z/p_i^{e_i}Z), for every i = 1, ..., r and thus BB′ = B′B ∈ GL_2(Z/nZ). Therefore the group G is abelian.

7.3.3 The Galois extension Q(i)(E[n])/Q

We have all the tools needed to prove the most important result about the field extension Q(i)(E[n]) of Q(i).

Theorem 7.3.10. Let E be the elliptic curve y^2 = x^3 + x. For each integer n ≥ 1, write K_n = Q(i)(E[n]) for the field generated by i and all the coordinates of the points of order dividing n. Then K_n is a Galois extension of Q(i) and its Galois group is abelian.

Proof. By Proposition 7.2.12 we already know that Q(E[n])/Q is a Galois extension. As Q(i)/Q is also a Galois extension, their composite Q(i, E[n]) is a Galois extension of Q as well (see Proposition 7.3.11 below). By Theorem 1.6.5 we know that there exists a separable polynomial f(t) ∈ Q[t] with splitting field Q(i, E[n]). Then f(t) is also separable as a polynomial in Q(i)[t] and it follows that Q(i, E[n])/Q(i) is a Galois extension.

We still have to prove that the associated Galois group is abelian. Write G = Gal(Q(i, E[n])/Q(i)) and denote by A ∈ GL_2(Z/nZ) the matrix of the complex multiplication Φ defined as above using the image of generators P_1, P_2 of E[n]. Also, for any σ ∈ G define a matrix B_σ ∈ GL_2(Z/nZ) as in Theorem 7.2.16. We can prove that for any P = (x, y) ∈ E[n] and for any σ ∈ G we have:

σ(Φ(P)) = Φ(σ(P)).

Indeed, by definition we have

σ(Φ(P)) = σ(−x, iy) = (−σ(x), σ(i)σ(y)) = (−σ(x), iσ(y)),

because σ is the identity on Q(i). Moreover

Φ(σ(P)) = Φ(σ(x), σ(y)) = (−σ(x), iσ(y)) = σ(Φ(P)).

This proves that A and B_σ commute, for any σ ∈ G. Also, according to Lemma 7.3.6, A is not a scalar matrix modulo any prime number p dividing n. Then, by Proposition 7.3.9, we have that

H = {B ∈ GL_2(Z/nZ) | AB = BA}

is an abelian subgroup of GL_2(Z/nZ). Moreover:

G_σ = {B_σ ∈ GL_2(Z/nZ) | σ ∈ G} ⊆ H

and it follows that B, B′ ∈ G_σ satisfy BB′ = B′B. Thus G is isomorphic to G_σ and G is abelian.

To prove that Q(i, E[n])/Q is a Galois extension we used the following general result on the composite EF of two Galois extensions E/K and F/K, i.e. the smallest extension of the field K that contains E and F.

Proposition 7.3.11. Let E/K and F/K be two Galois extensions, then their composite EF/K is also a Galois extension.

Proof. According to Theorem 1.6.5 there exist some separable polynomials p(t), q(t) ∈ K[t] such that E and F are the splitting fields of p and q over K respectively. Suppose p(t) = (t − x_1) ... (t − x_k) and q(t) = (t − y_1) ... (t − y_r). According to the assumption, x_i ≠ x_j and y_i ≠ y_j, for any i ≠ j. Eliminate the y_j such that there exists x_i satisfying y_j = x_i and consider the polynomial

f(t) = (t − x_1) ... (t − x_k)(t − y_1) ... (t − y_{r′}),

where y_1, ..., y_{r′} are the y_i left after reordering the numbering. Clearly f(t) is separable, because we eliminated all multiple roots. Denote by C the splitting field of f(t). We have x_1, ..., x_k, y_1, ..., y_{r′} ∈ EF, hence C ⊆ EF. Moreover, we did not eliminate any root of q(t) completely. Then p(t) and q(t) split in C. It follows that E, F ⊆ C and then EF ⊆ C, because EF is the smallest field containing both E and F. Therefore C = EF and EF/K is a Galois extension by Theorem 1.6.5.

7.3.4 The structure of the group Gal(Q(E[3])/Q)

As an application of the previous results we study the structure of the Galois group Gal(Q(E[3])/Q), where E is again the elliptic curve defined by y^2 = x^3 + x. We already have the following information:

(i) The x-coordinates x_0 of points of order 3 are roots of the division polynomial

Ψ_3(x) = 3x^4 + 6x^2 − 1

and the y-coordinates satisfy y^2 = x_0^3 + x_0;

(ii) Q(E[3], i), Q(E[3]) and Q(i) are Galois extensions of Q;

(iii) Q(E[3], i) is a Galois extension of Q(i) and Gal(Q(E[3], i)/Q(i)) is abelian.

In this subsection, we are going to prove:

Proposition 7.3.12. The Galois group of Q(E[3])/Q is isomorphic to the semi-direct product Z/8Z ×_Ψ Z/2Z, where Ψ is defined as

Ψ : Z/2Z → Aut(Z/8Z)

h ↦ Ψ(h),

where Ψ(h) is defined as Ψ(h)(k) = h^{-1}kh = k^3, for any k ∈ Z/8Z.

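Proof. Using part (i) and the equation of the curve we find all points of E[3]. In particular, as the coefficient of the term x is 0, we get a quadratic equation in x^2, which is easy to solve. We find:

$$E[3] = \Big\{ O,\ (\alpha_-, \beta_-),\ (\alpha_-, -\beta_-),\ (-\alpha_-, i\beta_-),\ (-\alpha_-, -i\beta_-),\ \big(-i\alpha_+, \tfrac{(i+1)}{\sqrt{2}}\beta_-\big),\ \big(-i\alpha_+, \tfrac{(-i-1)}{\sqrt{2}}\beta_+\big),\ \big(i\alpha_+, \tfrac{(-i+1)}{\sqrt{2}}\beta_+\big),\ \big(i\alpha_+, \tfrac{(i-1)}{\sqrt{2}}\beta_+\big) \Big\},$$

with

$$\alpha_\pm = \frac{\sqrt{3} \pm 1}{\sqrt{2\sqrt{3}}} \quad\text{and}\quad \beta_\pm = \sqrt{\sqrt{3} \pm 1}\,\Big(\frac{2}{\sqrt{27}}\Big)^{1/4}.$$

Moreover, one can prove that the points P = (α_-, β_-) and Q = (−α_-, iβ_-) form a basis for E[3].

For example, if R = (iα_+, ((i − 1)/√2) β_+), we have R = −P + Q. We are going to check this relation using the formulas for the addition of points. The straight line y = sx + b passing through −P and Q must satisfy the two following equations

sα_- + b = −β_- and −sα_- + b = iβ_-.

Hence we have

$$s = \frac{(-1 - i)}{2}\,\frac{\beta_-}{\alpha_-} \quad\text{and}\quad b = \frac{(-1 + i)}{2}\,\beta_-.$$

So we obtain

$$x = s^2 - \alpha_- + \alpha_- = \frac{i}{2}\,\frac{\beta_-^2}{\alpha_-^2} = i\alpha_+$$

and then

$$y = s(\alpha_- - x) + \beta_- = \frac{(i - 1)}{\sqrt{2}}\,\beta_+.$$

The following equalities have been used

$$\frac{\beta_-^2}{2\alpha_-^2} = \alpha_+ \quad\text{and}\quad \frac{(1 + \sqrt{3})\,\beta_-}{\sqrt{2}} = \beta_+.$$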

| | Q = 0 | Q = 1 | Q = 2 |
|---|---|---|---|
| P = 0 | O | (−α_-, iβ_-) | (−α_-, −iβ_-) |
| P = 1 | (α_-, β_-) | (−iα_+, ((i+1)/√2) β_+) | (iα_+, ((1−i)/√2) β_+) |
| P = 2 | (α_-, −β_-) | (iα_+, ((i−1)/√2) β_+) | (−iα_+, ((−i−1)/√2) β_+) |

Table 7.1: Points of E[3] with basis P, Q.

One can verify using PARI/GP that all points of order 3 can be expressed using P and Q. We summarize the result obtained in Table 7.1.

Then, we want to study the extension Q(E[3])/Q. First of all note that β_-, iβ_- ∈ Q(E[3]) and then β_-^{-1} · iβ_- = i ∈ Q(E[3]). Hence Q(E[3], i) = Q(E[3]). Moreover, we can express α_± and β_+/√2 using β_-:

$$\alpha_- = \frac{2}{3\beta_-^2}, \qquad \alpha_+ = \frac{2}{3\beta_+^2} = \frac{3}{16}\,\beta_-^4\,(3\beta_-^2 + 4) \qquad\text{and}\qquad \frac{1}{\sqrt{2}}\,\beta_+ = \frac{8\beta_-}{9\beta_-^4 + 4}.$$

Therefore Q(E[3]) = Q(β_-, i). We have a tower of Galois extensions and we know that [Q(i, β_-) : Q] = [Q(i, β_-) : Q(i)][Q(i) : Q]. The minimal polynomial of β_- over Q(i) is m(t) = t^8 + (8/3)t^4 − 16/27. Indeed, m(β_-) = 0 and one can verify using PARI/GP that this polynomial is irreducible over Q(i). Hence [Q(i, β_-) : Q(i)] = 8 and |Gal(Q(i, β_-)/Q)| = [Q(i, β_-) : Q] = 16.

We now use the map ρ_3 : Gal(Q(E[3], i)/Q) → GL_2(Z/3Z) to study the structure of Gal(Q(E[3])/Q). In particular, we consider the maps a, c defined by

a(i) = i and a(β_-) = ((−1 + i)/√2) β_-

c(i) = −i and c(β_-) = β_-.

Clearly c(P) = (α_-, β_-) = P and c(Q) = (−α_-, −iβ_-) = −Q. Thus, it follows that

$$\rho_n(c) = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} = C \in \mathrm{GL}_2(\mathbb{Z}/3\mathbb{Z}).$$

The map a : Q(E[3]) → Q(E[3]) is a field homomorphism of Q(E[3]), then a(P), a(Q) ∈ E[3]. As a(β_-) = ((−1 + i)/√2) β_+, the only possibility is a(P) = (iα_+, ((−1 + i)/√2) β_+) = −P + Q according to the previous computations. Similarly, one can verify that a(Q) = (iα_+, ((−1 − i)/√2) β_+) = −P − Q. Hence

$$\rho_n(a) = \begin{pmatrix} -1 & -1 \\ 1 & -1 \end{pmatrix} = A \in \mathrm{GL}_2(\mathbb{Z}/3\mathbb{Z}).$$

First, the element A is of order 8 and a belongs to Gal(Q(E[3], i)/Q(i)) because it fixes Q(i). By a previous argument we know that Gal(Q(E[3], i)/Q(i)) is abelian and of order 8. Hence Gal(Q(E[3], i)/Q(i)) ≅ Z/8Z (see Section 5.1). Moreover A and C satisfy the following relations in GL_2(Z/3Z):

A^8 = C^2 = Id and CAC = A^3.

Write N = ⟨A⟩ and G = ρ_3(Gal(Q(E[3], i)/Q)). Since N has index 2 in G, it is a normal subgroup and we can write the following short exact sequence

$$1 \longrightarrow N \xrightarrow{\ i\ } G \xrightarrow{\ \pi\ } G/N \longrightarrow 1,$$

where i is the inclusion map and π the canonical projection. The element C, which belongs to G and not to N, is of order 2. We thus can define a section s : G/N → G given by s(N) = Id and s(gN) = C, if gN ≠ N. Then, applying Proposition 4.1.2 and Lemma 4.1.3, we get isomorphisms of groups:

Gal(Q(E[3])/Q) ≅ N ×_Ψ H ≅ Z/8Z ×_Ψ Z/2Z,

with H = s(G/N) = ⟨C⟩ ≅ Z/2Z and Ψ : H → Aut(N), Ψ(c)(a) = cac^{-1}, for every a ∈ N and c ∈ H. Since CAC = A^3, the Galois group Gal(Q(E[3])/Q) is thus isomorphic to the semidirect product Z/8Z ×_Ψ Z/2Z.

In [4] this example is developed further in the study of E[2], E[3], E[4] for the elliptic curves y^2 = x^3 + x and y^2 = x^3 + 2x.
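The matrix facts used in the proof of Proposition 7.3.12 and in Proposition 7.3.9 can be checked by brute force. The following is an added example, not part of the thesis: A and C are the matrices given above, while the function names and the test matrix with square −Id modulo 12 are choices made here for illustration.

```python
from itertools import product
from math import gcd


def mul(X, Y, n):
    """Product of two 2x2 matrices over Z/nZ, stored as ((a, b), (c, d))."""
    (a, b), (c, d) = X
    (e, f), (g, h) = Y
    return (((a * e + b * g) % n, (a * f + b * h) % n),
            ((c * e + d * g) % n, (c * f + d * h) % n))


def reduce_mod(X, n):
    """Reduce every entry of X modulo n."""
    return tuple(tuple(v % n for v in row) for row in X)


def identity(n):
    return reduce_mod(((1, 0), (0, 1)), n)


def power(X, k, n):
    P = identity(n)
    for _ in range(k):
        P = mul(P, X, n)
    return P


def order(X, n):
    """Multiplicative order of an invertible matrix X over Z/nZ."""
    k, P = 1, X
    while P != identity(n):
        P, k = mul(P, X, n), k + 1
    return k


def gl2(n):
    """All matrices over Z/nZ whose determinant is a unit."""
    return [((a, b), (c, d)) for a, b, c, d in product(range(n), repeat=4)
            if gcd((a * d - b * c) % n, n) == 1]


def centralizer(A, n):
    """The set {B in GL_2(Z/nZ) | AB = BA} of Proposition 7.3.9."""
    return [B for B in gl2(n) if mul(A, B, n) == mul(B, A, n)]


def is_abelian(mats, n):
    return all(mul(X, Y, n) == mul(Y, X, n) for X in mats for Y in mats)


def generated(gens, n):
    """Subgroup generated by gens (closure of a finite set under products)."""
    group, todo = {identity(n)}, [identity(n)]
    while todo:
        X = todo.pop()
        for g in gens:
            Y = mul(g, X, n)
            if Y not in group:
                group.add(Y)
                todo.append(Y)
    return group


# The matrices rho(a) and rho(c) from the proof, reduced modulo 3.
A = reduce_mod(((-1, -1), (1, -1)), 3)
C = reduce_mod(((1, 0), (0, -1)), 3)


def check_relations():
    """Relations A^8 = C^2 = Id, CAC = A^3 and the size of <A, C>."""
    return {
        "order_A": order(A, 3),
        "order_C": order(C, 3),
        "CAC_equals_A3": mul(mul(C, A, 3), C, 3) == power(A, 3, 3),
        "group_order": len(generated([A, C], 3)),
        "centralizer_is_cyclic_A": set(centralizer(A, 3)) == generated([A], 3),
    }


def check_proposition(n):
    """Centralizer of a constructed matrix with square -Id (non-scalar mod every prime)."""
    phi = reduce_mod(((0, -1), (1, 0)), n)
    return is_abelian(centralizer(phi, n), n)


def scalar_counterexample():
    """For a scalar matrix the centralizer is all of GL_2(Z/3Z), which is not abelian."""
    cen = centralizer(reduce_mod(((-1, 0), (0, -1)), 3), 3)
    return len(cen), is_abelian(cen, 3)


if __name__ == "__main__":
    print(check_relations())
    print(check_proposition(12), scalar_counterexample())
```

The last function shows why the non-scalar hypothesis of Proposition 7.3.9 cannot be dropped.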

Chapter 8

Survey on Known Results and Open Problems

The inverse Galois theory still yields many open questions. Hilbert was the first to study this problem, at the end of the nineteenth century, and after him many mathematicians have solved it over Q for particular finite groups.

In the first part of this chapter we give an overview of many of the results already proved as well as of some methods used to obtain them. The proofs are omitted; for more details we refer the reader to [19]. Most of the methods are also developed in [24] and a survey of the known results is presented in [23].

Then, in the last section we give some comments and useful results to approach the problem of computing the Galois group of a specific polynomial.

8.1 Hilbert's Irreducibility Theorem

One of the most important results of inverse Galois theory is Hilbert's Irreducibility Theorem. In particular, this theorem enabled Hilbert to prove in 1892 that the symmetric group S_n and the alternating group A_n can be realized as Galois groups over Q, for all integers n ∈ N. The idea is that one can prove the existence of Galois extensions over Q with given Galois groups using the existence of Galois extensions over Q(T) with the same group. For this, some properties related to Hilbertian fields and given in Section 6.3 are used (see Theorem 6.3.2 and Hilbert Irreducibility Theorem 6.3.3). More precisely, Hilbert's results guarantee that if a polynomial f(X, T) ∈ Q[X, T] generates a Galois extension of Q(T) with Galois group G, then there are infinitely many b ∈ Q such that f(b, T) generates a Galois extension over Q with Galois group G as well. Recall, however, that this does not give any explicit method to find a suitable b.

Hence to realize a group G as a Galois group using Hilbert's method one still has to find good Galois extensions of Q(T) and suitable values of b ∈ Q. Therefore, different methods have been studied to solve this problem.

Similarly to what has been done in Chapter 7 to construct Galois extensions over Q, in the 1970's Shih studied Galois extensions of Q(T) given by torsion points on elliptic curves. He obtained the following result on projective special linear groups:

Theorem 8.1.1. Fix a prime integer p. The group PSL_2(F_p) can be realized as a Galois group if $\left(\frac{2}{p}\right) = -1$, $\left(\frac{3}{p}\right) = -1$ or $\left(\frac{7}{p}\right) = -1$, where $\left(\frac{x}{y}\right)$ is the Legendre symbol defined in Section 2.2.

It has also been shown that PSL_2(F_p), with $\left(\frac{5}{p}\right) = -1$, and PGL_2(n), for any integer n, can be realized as Galois groups over Q. Moreover, by the result of Serre given in Chapter 7 using torsion points of an elliptic curve without complex multiplication (see Theorem 7.2.23) one can prove that for any integer n ≥ 1 the group GL_2(Z/nZ) can be realized as Galois group over Q.

Another important result for the construction of Galois extensions over Q(T) is given by using the theory of rigid groups, that we are going to present. For a given group G, denote by Cl(G) the set of conjugacy classes of G. Let N be an integer such that any element of G has order dividing N. Denote by Γ_N the group (Z/NZ)^* which acts on G, and hence on Cl(G), by mapping s to s^α for α ∈ Γ_N. Finally denote by X(G) the set of all irreducible characters from G to C. Recall that a character χ_ρ from G to C is a group homomorphism from G to C − {0}. In particular, there exists a group homomorphism, or representation, ρ : G → GL(V), where V is a C-vector space, such that χ_ρ(g) = Tr(ρ(g)), for any g ∈ G. Also, χ_ρ is said to be irreducible, if ρ has no non-invariant subspaces except for {0} and V.

Definition 8.1.2 (Q-rational class). Let G be a group. A class c ∈ Cl(G) is said to be Q-rational if the following equivalent properties hold:

• The class c is fixed under the action of Γ_N.

• Every character χ ∈ X(G) takes values in Q on the class c.

Definition 8.1.3 (Rigid conjugacy classes). Let G be a group. Consider a k-tuple of conjugacy classes (C_1, ..., C_k) of G. Let Σ be the set of k-tuples (g_1, ..., g_k) with g_i ∈ C_i, for i = 1, ..., k and such that g_1 ··· g_k = 1. Denote by Σ the subset of (g_1, ..., g_k) ∈ Σ such that g_1, ..., g_k are generators of the group G. Then, the k-tuple (C_1, ..., C_k) is said to be rigid if Σ ≠ ∅ and if G acts transitively on Σ.

Note that these definitions can be generalized to any field K of characteristic 0. The most important result using these two notions was proved by Belyi, Matzat, Malle and Thompson in the 1980's:

Theorem 8.1.4. Let G be a group with trivial center Z(G) and let (C_1, ..., C_k) be a rigid family of conjugacy classes of G such that C_i is Q-rational, for every i = 1, ..., k. Then G can be realized as Galois group over Q.

Remark 8.1.5. If the center Z(G) is trivial, the action by conjugacy of G on Σ is free. Indeed, if we suppose that g fixes (g_1, ..., g_k) ∈ Σ, then g fixes the whole G and it follows that g ∈ Z(G) = 1.

In particular, Theorem 8.1.4 gives a very useful criterion to realize simple groups as Galois groups. For example, using this method, a realization as Galois groups has been found for every sporadic simple group, with the possible exception of the Mathieu group M_23.

Moreover this criterion has been used to obtain a realization of the following groups of Lie type:

• PSL_2(p), for every prime p ≢ ±1 mod 24;

• PSL_2(p^2), for every prime p ≡ ±2 mod 5;

• PSL_3(p), for every prime p ≡ 1 mod 4;

• PSU_3(p), for every prime p ≡ 3 mod 4, p > 3; p ≡ 3, 5 mod 7, p > 5;

• PSp_4(p^2), for every prime p ≡ ±2 mod 5, p ≥ 3;

where PSp denotes the symplectic group and PSU the special unitary group.

Similarly, it has been proved that the special orthogonal group and certain exceptional Lie groups can be realized as Galois groups over Q under specific conditions (see [23]). Moreover, this method is even more powerful to construct Galois extensions of Q^ab(T), where Q^ab denotes the maximal abelian extension of Q.

Hence, thanks to these results, it has been proved that most of the smallest non-abelian simple groups can be realized as Galois groups. In Table 8.1 we summarize these results. Note that among the ten smallest non-abelian simple groups only SL_2(F_16) has not yet a realization as a Galois group obtained with these methods.

| Group | Order | Proof by |
|---|---|---|
| A_5 ≅ SL_4(F_4) ≅ PSL_2(F_5) | 60 | Hilbert, Shih |
| SL_3(F_2) ≅ PSL_2(F_7) | 168 | Shih |
| A_6 ≅ PSL_2(F_9) | 360 | Hilbert |
| SL_2(F_8) | 504 | other method |
| PSL_2(F_11) | 660 | Shih |
| PSL_2(F_13) | 1092 | Shih |
| PSL_2(F_17) | 2448 | Shih |
| A_7 | 2520 | Hilbert |
| PSL_2(F_19) | 3420 | Shih |
| SL_2(F_16) | 4080 | unrealized |

Table 8.1: Results on the smallest non-abelian groups

The reason to focus on finite simple groups is a consequence of the classification of these groups completed around 1980. The idea is that finite simple groups can be seen as building blocks of all the finite groups, i.e. any finite group is a composite of finite simple groups. Hence, once the inverse Galois problem is solved for any finite simple group, mathematicians should look for an inductive procedure to realize any composite group as a Galois group. This inductive procedure is not yet clear and this problem is an embedding problem, similar to the one solved by Shafarevich to realize any solvable group as a Galois group (see Section 8.2).

8.2 Nilpotent and solvable groups

The original motivation of Galois when he wrote his theory was to understand under which conditions an equation is solvable by radicals. He found out that an equation is solvable by radicals if and only if the Galois group of its splitting field is solvable. For that reason, solvable groups are of particular interest in the inverse Galois theory.

We first recall the notions of nilpotent and solvable groups.

Definition 8.2.1 (Nilpotent group). Let G be a group. The lower central series of G is the descending series of subgroups

G ⊵ G^{L1} ⊵ ··· ⊵ G^{Ln},

where n ∈ N and the term G^{(i+1)L} is the commutators' subgroup G^{(i+1)L} = [G, G^{iL}]. The group G is said to be nilpotent if its central series terminates in the trivial subgroup after finitely many steps.

Definition 8.2.2 (Solvable group). Let G be a group. The derivative series of G is the descending series of subgroups

G ⊵ G^{D1} ⊵ ··· ⊵ G^{Dn},

where n ∈ N and the term G^{(i+1)D} is the commutators' subgroup G^{(i+1)D} = [G^{iD}, G^{iD}]. The group G is said to be solvable if its central series terminates in the trivial subgroup after finitely many steps.

Notice that every nilpotent group is a solvable group. Indeed, for every index i, we have G^{iD} ⊆ G^{iL}. Hence, if the lower series terminates in the trivial subgroup, the same is true for the derivative series. Also, notice that in the derivative series of a group G, the subgroup G^{(i+1)D} is a normal subgroup of G^{iD} and the quotient G^{iD}/G^{(i+1)D} is abelian, for any integer 1 ≤ i ≤ n − 1.

In 1954, Shafarevich proved the following result with a purely number-theoretic approach.

Theorem 8.2.3 (Shafarevich). Every solvable group can be realized as a Galois group over Q.

The idea of the proof is that, as a solvable group G is given by a series of group extensions with abelian kernel, a suitable Galois extension over Q with Galois group G can be built up after a series of embedding problems. Hence the problem of constructing such an extension is related to the more general embedding problem for extensions. We give a definition of this problem below.

Definition 8.2.4 (Embedding problem). Let H be a group. A finite embedding problem over a field K consists of a finite extension L/K together with a surjective homomorphism φ : H → Gal(L/K). A solution is a finite field extension M/K with K ⊆ L ⊆ M together with an isomorphism Ψ : H → Gal(M/K) such that φ = res^M_L ◦ Ψ, where res^M_L denotes the restriction of M to L.

In other words, given a Galois extension L/K and given a group H that surjects onto Gal(L/K), the idea is to find a larger Galois extension K ⊆ L ⊆ M with Galois group Gal(M/K) ≅ H. Note that, in the embedding problem related to the realization of a solvable group, the kernel of the surjective homomorphism φ is abelian.

The mathematicians Scholz and Reichardt studied this kind of problem since the 1920's and they obtained some results about nilpotent groups of odd order. This problem was simpler but similar, because nilpotent groups are also given by a series of group extensions. The proof of Shafarevich was done in the 1950's and it covers the case of solvable groups and hence of nilpotent groups as well.

8.3 Computing Galois groups

In this last section we consider the relation between a polynomial p(t) and its Galois group, i.e. the Galois group of its splitting field. It is beyond the scope of this project to give a complete overview on this subject. The idea of this section is to highlight some results that have already been used in this project and that are useful to compute the Galois group of a specific polynomial or to find criteria to identify a polynomial that has a given group as Galois group. Most of the results will be given without proof, but some examples are treated to clarify the importance of the results considered. For more details we refer the reader to ([2], Section 6.3) and ([3], Chapters 12 and 13).

8.3.1 The resolvent method

The method presented in this subsection generalizes the resolvent method to all integers n. This method was used in Section 5.2.4 to determine the Galois group of an irreducible polynomial of degree n = 4.

Let p(t) be an irreducible polynomial of degree n over Q. In what follows we denote by K_p the splitting field of the polynomial p(t) and by G_p its Galois group over Q. Moreover, let r_1, ..., r_n denote the roots of p(t) in some algebraic closure of Q. The group G_p is identified with a subgroup of S_n for this fixed numbering.

The first important idea was highlighted in Remark 5.2.7: as p(t) is irreducible, its Galois group acts transitively on the set of roots. Recall that the converse is also valid. This result reduces considerably the number of subgroups of S_n that we have to consider. In particular, the list of transitive subgroups of S_n has been calculated up to n ≤ 15: it is given in the works of McKay and Butler.

Moreover, Proposition 6.1.1 furnishes a criterion on the discriminant of p(t) to determine if G_p is a subgroup of the alternating group A_n.

Below we give the definition of the resolvent polynomial, which is a generalization of the cubic resolvent used in Section 5.2.4.

Definition 8.3.1 (Resolvent polynomial). Let G be a subgroup of S_n containing G_p (for the given numbering of roots) and let F(X_1, ..., X_n) be a polynomial with coefficients in Z. Denote by H the stabilizer of F, i.e.

H = {σ ∈ G | F(X_{σ(1)}, ..., X_{σ(n)}) = F(X_1, ..., X_n)}.

The resolvent polynomial R_G(F, p) with respect to G, F and p is defined by

$$R_G(F, p) = \prod_{\sigma \in G/H} \big(X - F(r_{\sigma(1)}, \dots, r_{\sigma(n)})\big),$$

where G/H denotes a set of left coset representatives of G modulo H.

With the same notations we have the following important result (see [2], Section 6.3, Theorem 6.3.3).

Theorem 8.3.2. Set m = [G : H] = deg(R_G(F, p)) and suppose that R_G(F, p) is squarefree. Then the Galois group of R_G(F, p) is equal to Φ(G_p), where Φ is the group homomorphism from G to S_m given by the natural left action of G on G/H. In particular, the list of degrees of the irreducible factors of R_G(F, p) in Z[X] is the same as the list of the lengths of the orbits of the action of Φ(G_p) on {1, ..., m}.

This result is very useful since we already have algorithms that compute R_G(F, p) and factorize it over Z[X]. Also, this result informs us about the action of G_p on G/H. Since there are finitely many possibilities for G_p, we can study the actions of each of these possible groups on G/H and see which ones satisfy the conditions on the length of the orbits given by the theorem. In Section 6.3 of [2], Cohen suggests algorithms using this method to compute the Galois group of any separable and irreducible polynomial up to degree 7.

As an illustration of Theorem 8.3.2, we present an algorithm which determines the Galois group of a given irreducible monic polynomial of degree 4. Recall from Section 5.2.4 that the transitive subgroups of S_4 are the groups C_4, D_4, V_4, A_4 and S_4 itself. The problems of computing the roots of p(t) as well as the resolvent polynomials with a good rounding will not be considered here. Neither will we discuss the problem of finding a squarefree resolvent polynomial. These problems are treated in [2], where the Tschirnhausen Transformation Algorithm is presented to adjust R_G(F, p) so that it is squarefree (see [2], Section 6.3, Algorithm 6.3.4).

Algorithm 1 ([2], Algorithm 6.3.6).
Input: an irreducible monic polynomial p(t) of degree 4.
Output: the Galois group G_p.

(1) [Compute Resolvent] Compute the roots r_1, r_2, r_3, r_4 of p(t) in C. Let G = S_4 and H = C_4, let

F(X_1, X_2, X_3, X_4) = X_1X_2^2 + X_2X_3^2 + X_3X_4^2 + X_4X_1^2.

Compute R = R_G(F, p) with the following system of representatives

G/H = {I, (12), (13), (14), (23), (34)}

and round each coefficient of R to the nearest integer.

(2) [Squarefree] Check whether R is squarefree and, if necessary, modify it.

(3) [Factor resolvent] Factor R over Z and denote by L the list of lengths of irreducible factors sorted in increasing order.

(4) [Conclusion] Let D(p) be the discriminant of p(t). If R is irreducible (L = (6)), output A_4 if D(p) is a perfect square and S_4 if not. If L = (1, 1, 4), L = (2, 2, 2), L = (2, 4) output respectively C_4, V_4 or D_4.

In this algorithm we consider the group G = S_4 and the polynomial F of step (1). Therefore one can verify that we have

H = {σ ∈ G | F(X_{σ(1)}, ..., X_{σ(4)}) = F(X_1, ..., X_4)} = ⟨(1234)⟩.

It follows that we can choose the list of representatives of left cosets G/H (see step (1)). To understand how this algorithm works, we analyse for example the action of V_4 on G/H. We denote by (ab) the class modulo H of the transposition (ab). We have:

• (12)(34) maps (12) to (34), because (12)(34)(12) = (34). Respectively it maps (34) to (12). Similarly the elements I and (13) are permuted. Finally (14) and (23) are fixed.

• (13)(24) preserves the classes (13) and I. Since (13)(24)(12) = (1423) and (34)(13)(24) = (1423), the class (12) is mapped to (34). Moreover one can verify that these two classes are permuted and so are (14) and (23).

• (14)(23) clearly exchanges the classes (14) and (23). Moreover (12) and (34) are fixed and I and (13) are permuted.

Therefore the orbits of this action are {{I, (13)}, {(12), (34)}, {(14), (23)}} and the list of their lengths in this case is L = {2, 2, 2}. Computing the lengths of the orbits of the action on G/H of each group, we obtain each of the lists of lengths given in the algorithm. Therefore the result of step (4) of the algorithm is given by computing R_G(F, p) and its irreducible factors, and then by applying the result of Theorem 8.3.2.

Finally let us see how Theorem 8.3.2 could be used to conclude in Subsection 5.2.4. In this Subsection, we defined the cubic resolvent polynomial to realize the dihedral group D_4 as a Galois group. This polynomial is actually the resolvent polynomial of an irreducible polynomial p(t) of degree 4, with G = S_4 and F = X_1X_3 + X_2X_4. It follows that H = ⟨(1234), (13)⟩ ≅ D_4 and then a list of representatives of left cosets is {I, (12), (14)}. Denote by K_p the splitting field of p(t) and by G_p the Galois group of the extension K_p/Q. Considering the actions of S_4, A_4, V_4, D_4 and C_4 on G/H, one can verify that we obtain respectively the following lists of lengths of the orbits: L = (3), L = (3), L = (1, 1, 1), L = (1, 2), L = (1, 2). Thus, exactly as in Subsection 5.2.4, one can find out if G_p is isomorphic to S_4, A_4 or V_4, but one cannot distinguish the cases of D_4 and of C_4.

Note that to distinguish between these two cases we could use another resolvent. In particular, if we suppose that G_p is D_4 or C_4, we can restrict G to G = D_4. Then applying Theorem 8.3.2 with G and with the polynomial

T(X_1, X_2, X_3, X_4) = X_1X_2^2 + X_2X_3^2 + X_3X_4^2 + X_4X_1^2,

we get H = C_4 and G/H = {I, (13)}. Since G = D_4, it is easy to see that D_4 acts transitively on G/H and that in this case we have L = (2). On the contrary C_4 = H, so C_4 fixes every class and L = (1, 1) in this case. This corresponds to the method used in ([2], Algorithm 6.3.7). The last argument of this method is not equivalent to the one used in Subsection 5.2.4 to distinguish the cases of D_4 and C_4. Indeed, with the resolvent method given here, we consider Galois extensions over Q which are given by irreducible polynomials p(t). In the method presented in Subsection 5.2.4, we have considered the Galois extension K_p/M, where K_p denotes the splitting field of the polynomial p and M denotes the splitting field of the cubic resolvent of p. In particular, M ≠ Q and it is not known whether p(t) is irreducible over M.
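The orbit-length lists quoted in Algorithm 1 and in the discussion of the two resolvents can be recomputed directly from the polynomials. The following is an added example, not code from the thesis or from [2]: it computes the stabilizer H of F inside G and then the orbit lengths of each candidate group on the left cosets G/H. The function names and the encoding of a polynomial as a list of exponent tuples are choices made here.

```python
from itertools import permutations

N = 4
IDENT = tuple(range(N))


def compose(p, q):
    """Permutation p∘q on {0,...,3}: apply q first, then p."""
    return tuple(p[q[i]] for i in range(N))


def cycle(*cycles):
    """Permutation given by 1-based cycles, e.g. cycle((1, 2), (3, 4))."""
    p = list(range(N))
    for c in cycles:
        for a, b in zip(c, c[1:] + c[:1]):
            p[a - 1] = b - 1
    return tuple(p)


def generate(gens):
    """Subgroup of S_4 generated by gens."""
    group, todo = {IDENT}, [IDENT]
    while todo:
        x = todo.pop()
        for g in gens:
            y = compose(g, x)
            if y not in group:
                group.add(y)
                todo.append(y)
    return frozenset(group)


def stabilizer(G, monomials):
    """Elements s of G with F(X_s(1),...,X_s(4)) = F, where F is a sum of
    monomials with coefficient 1, each stored as a tuple of exponents."""
    def act(s, m):
        out = [0] * N
        for i, e in enumerate(m):
            out[s[i]] = e          # X_i is replaced by X_s(i)
        return tuple(out)
    target = frozenset(monomials)
    return frozenset(s for s in G
                     if frozenset(act(s, m) for m in target) == target)


def orbit_lengths(K, G, H):
    """Sorted orbit lengths of K acting by left multiplication on G/H."""
    cosets = {frozenset(compose(g, h) for h in H) for g in G}
    seen, lengths = set(), []
    for c in cosets:
        if c in seen:
            continue
        orbit = {frozenset(compose(k, x) for x in c) for k in K}
        seen |= orbit
        lengths.append(len(orbit))
    return tuple(sorted(lengths))


S4 = frozenset(permutations(range(N)))
A4 = generate([cycle((1, 2, 3)), cycle((1, 2), (3, 4))])
D4 = generate([cycle((1, 2, 3, 4)), cycle((1, 3))])
V4 = generate([cycle((1, 2), (3, 4)), cycle((1, 3), (2, 4))])
C4 = generate([cycle((1, 2, 3, 4))])
CANDIDATES = {"S4": S4, "A4": A4, "D4": D4, "V4": V4, "C4": C4}

# F = X1*X2^2 + X2*X3^2 + X3*X4^2 + X4*X1^2 (Algorithm 1 and the polynomial T)
F_ALG = [(1, 2, 0, 0), (0, 1, 2, 0), (0, 0, 1, 2), (2, 0, 0, 1)]
# F = X1*X3 + X2*X4 (cubic resolvent of Subsection 5.2.4)
F_CUBIC = [(1, 0, 1, 0), (0, 1, 0, 1)]


def orbit_table(G, monomials):
    """Orbit-length list for every candidate group contained in G."""
    H = stabilizer(G, monomials)
    return {name: orbit_lengths(K, G, H)
            for name, K in CANDIDATES.items() if K <= G}


if __name__ == "__main__":
    print(orbit_table(S4, F_ALG))
    print(orbit_table(S4, F_CUBIC))
    print(orbit_table(D4, F_ALG))
```

Orbit lengths do not change when a candidate group is replaced by a conjugate, so one representative of each transitive subgroup is enough.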

8.3.2 Kronecker Analysis and Dedekind's Theorem

In his work on Galois theory, published in 1853, Kronecker studied the construction of the splitting field starting from the results of Galois, Lagrange and other mathematicians. The results presented in this section are given without proof. For more details on this subject we refer the reader to ([3], Chapters 12 and 13).

In order to explain the works of Kronecker on this subject we consider a monic, separable and irreducible polynomial f(t) ∈ Q[t] given by

$$f(t) = t^n + c_1t^{n-1} + \cdots + c_{n-1}t + c_n.$$

Denote by r_1, ..., r_n its roots and by ∆(f) its discriminant. Let L be the splitting field of f over Q. Then, according to Theorem 1.6.5, L/Q is a Galois extension. Denote by G_f its Galois group. Kronecker, and Galois before him, considered the following polynomial

$$s(y) = \prod_{\sigma \in S_n} \bigl(y - (t_1r_{\sigma(1)} + \cdots + t_nr_{\sigma(n)})\bigr) \in \mathbb{Q}[y].$$

Galois proved that it is possible to find integers t_1, ..., t_n ∈ Z such that s(y) defined as above is a separable polynomial of degree n!. In that case the polynomial s(y) is called the Galois resolvent of f(t) and one can prove that

$$L = \mathbb{Q}(t_1r_1 + \cdots + t_nr_n),$$


i.e. the element R = t_1r_1 + · · · + t_nr_n is a primitive element of the Galois extension L/Q. Consider τ ∈ G_f; then, if y is taken in Q, we have:

$$\tau(s(y)) = \prod_{\sigma \in S_n} \bigl(y - \tau(t_1r_{\sigma(1)} + \cdots + t_nr_{\sigma(n)})\bigr) = \prod_{\sigma \in S_n} \bigl(y - (t_1r_{\tau\sigma(1)} + \cdots + t_nr_{\tau\sigma(n)})\bigr),$$

because t_1, ..., t_n ∈ Q. Since τ ∈ G_f ⊂ S_n, we have τσ ∈ S_n for every σ ∈ S_n. In particular, τ permutes the elements of S_n and we have τ(s(y)) = s(y), for every y ∈ Q. This proves that the coefficients of s(y) lie in Fix(G_f) = Q. Hence s(y) ∈ Q[y].

None of the results proves that s(y) is irreducible, but denoting by h(y) ∈ Q[y] the irreducible factor of s(y) such that h(R) = 0, we have that

$$L \cong \mathbb{Q}[t]/\langle h(t)\rangle.$$

In this construction we used the roots of f. Kronecker proved that it is possible to construct s(y), and then the splitting field of f, without knowing the roots of f. In order to prove this result, he constructed the general resolvent polynomial defined as

$$S(y) = \prod_{\sigma \in S_n} \bigl(y - (t_1x_{\sigma(1)} + \cdots + t_nx_{\sigma(n)})\bigr) \in \mathbb{Q}[y, x_1, \ldots, x_n].$$

He then proved his result by using some properties of the symmetric polynomials and of the elementary symmetric functions.

Theorem 8.3.3. Let h(t) ∈ Q[t] be any irreducible factor of the polynomial s(y). Then we have

$$L \cong \mathbb{Q}[t]/\langle h(t)\rangle.$$

Using this isomorphism we obtain the cardinality of the Galois group G_f. In particular we have [L : Q] = |G_f| = deg(h(t)).

In the further developments of his analysis of the Galois resolvent polynomial s(y), Kronecker took t_1, ..., t_n as variables. This generalization of the polynomial gave him some additional information on the structure of the Galois group G_f. In particular he obtained the following result, where s_t(y) denotes the generalised polynomial considered by Kronecker.

Theorem 8.3.4 ([3], Theorem 13.4.2). Assume that f ∈ Q[t] is a monic, separable and irreducible polynomial of degree n. Let h(t) be any irreducible factor of the polynomial s_t(y) ∈ Q[t_1, ..., t_n, y]. Then G_f is conjugate to the subgroup

$$G = \{\tau \in S_n \mid \tau \cdot h = h\} \subseteq S_n.$$


Remark 8.3.5. This result can be generalized to any infinite field F (see ([3], Chapter 13)).

This result yields a method to compute the Galois group of any separable polynomial f ∈ Q[t], but the computations of the generalized Galois resolvent polynomial quickly become inefficient when n grows.

Finally, we consider Dedekind's result given in Proposition 6.2.3. This result is a useful tool to compute the Galois group of a given separable and monic polynomial f. From now on, we suppose f(t) ∈ Z[t]. In [3], Cox presents a proof of Dedekind's theorem using Kronecker's result on the Galois group of a given polynomial (see [3], Chapter 13, Theorem 13.4.5).

Consider a prime number p such that p does not divide the discriminant ∆(f). Taking the reduction modulo p we obtain the irreducible factorization

$$\bar f(t) = \bar f_1(t) \cdots \bar f_m(t) \in \mathbb{Z}/p\mathbb{Z}[t].$$

Denote by d_i = deg($\bar f_i$). As p does not divide ∆(f), we have ∆(f) ≠ 0 in Z/pZ, so that $\bar f(t)$ is separable (see Section 6.2). Denote by $\bar G$ its Galois group. One can prove that, identifying the Galois groups with subgroups of S_n, we have $\bar G$ ⊆ G_f. Moreover, when studying extensions of Z/pZ, one can prove that $\bar G$ is cyclic of order lcm(d_1, ..., d_m). It follows that $\bar G$ is generated by an element of order lcm(d_1, ..., d_m) and, in particular, that there exists in $\bar G$ and thus in G_f a product of cycles of the type σ_1 · · · σ_m, where every σ_i has order d_i and where all σ_i have distinct support.

This result has already been applied to realize A5 as a Galois group (see Section 6.2). In what follows we develop another example.

Example 8.3.6. We consider the polynomial f(t) = t^5 − 6t + 3. This polynomial is irreducible, by the Eisenstein criterion (see [1] Section 2.1). Moreover the discriminant is ∆(f) = −3^4 · 19 · 1129, which is not a square. Hence f is separable and G_f ⊈ A5.

Using arguments of group theory, one can prove that S5 is generated by a 5-cycle and any transposition. Indeed, suppose without loss of generality that (12345), (a b) are elements of G, with a, b ∈ Z/5Z. Then we can prove that G contains any transposition (m n), since we have:

$$(12345)^{-1}(a\ \ b)(12345) = (a-1\ \ b-1).$$

Repeating this operation we find (a b), (a−1 b−1), (a−2 b−2), (a−3 b−3), (a−4 b−4). Now, suppose b = a − c, with c ∈ (Z/5Z)*, then we have:

$$(a\ \ b)(a-c\ \ b-c)(a\ \ b) = (a\ \ a-c)(a-c\ \ a-2c)(a\ \ a-c) = (a\ \ a-2c).$$

We also have:

$$(a\ \ a-2c)(a-2c\ \ a-3c)(a\ \ a-2c) = (a\ \ a-3c).$$

Repeating this argument, we find that (a a−c), (a a−2c), (a a−3c), (a a−4c) are all elements of G as well. As Z/5Z is a field, the multiplication-by-c map is an automorphism and hence these are all the elements (a 1), (a 2), (a 3), (a 4), (a 5). Then we have

$$(a\ \ n)(a\ \ m)(a\ \ n) = (n\ \ m)$$

and this proves that any transposition (m n) lies in G. Since any permutation is a product of transpositions, it follows that G = S5.

Then, Dedekind's result (see Proposition 6.2.3) can be used to prove that G_f contains an element of order 5 and an element of order 2. Indeed, 5 and 17 do not divide ∆(f). Thus, reducing modulo these prime numbers we find

$$\bar f_5(t) = t^5 + 4t + 3 \in \mathbb{Z}/5\mathbb{Z}[t] \quad \text{and}$$

$$\bar f_{17}(t) = (t + 2)(t + 7)(t + 13)(t^2 + 12t + 13) \in \mathbb{Z}/17\mathbb{Z}[t].$$

Hence G_f ≅ S5 as was to be shown.
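The two reductions of Example 8.3.6 and the group-theoretic step before them can be reproduced without a computer algebra system. The Python example below is added here and is not part of the thesis or of its PARI/GP appendix: it obtains the factor degrees of f modulo p by distinct-degree factorization (a technique chosen for this example, valid because p does not divide ∆(f)) and checks by brute force that a 5-cycle together with any transposition generates a group of order 120. All function names are illustrative.

```python
from functools import reduce
from math import gcd

def trim(a):
    """Drop zero leading coefficients (lists are stored low degree first)."""
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_divmod(a, m, p):
    """Quotient and remainder of a by m over F_p (m reduced, leading coeff != 0)."""
    a = trim([c % p for c in a])
    q = [0] * max(len(a) - len(m) + 1, 0)
    inv = pow(m[-1], -1, p)
    while len(a) >= len(m):
        c, s = a[-1] * inv % p, len(a) - len(m)
        q[s] = c
        for i, mc in enumerate(m):
            a[s + i] = (a[s + i] - c * mc) % p
        trim(a)
    return q, a

def poly_mulmod(a, b, m, p):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return poly_divmod(out, m, p)[1]

def poly_powmod(base, e, m, p):
    result, base = [1], poly_divmod(base, m, p)[1]
    while e:
        if e & 1:
            result = poly_mulmod(result, base, m, p)
        base = poly_mulmod(base, base, m, p)
        e >>= 1
    return result

def poly_gcd(a, b, p):
    """Monic gcd over F_p."""
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    while b:
        a, b = b, poly_divmod(a, b, p)[1]
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]

def factor_degrees(f, p):
    """Degrees of the irreducible factors of f mod p (f monic, squarefree mod p)."""
    f = trim([c % p for c in f])
    h, d, degrees = [0, 1], 0, []
    while len(f) - 1 >= 2 * (d + 1):
        d += 1
        h = poly_powmod(h, p, f, p)            # h = x^(p^d) mod f
        diff = h + [0] * (2 - len(h))
        diff[1] = (diff[1] - 1) % p            # x^(p^d) - x
        g = poly_gcd(diff, f, p)               # product of the degree-d factors
        if len(g) > 1:
            degrees += [d] * ((len(g) - 1) // d)
            f = poly_divmod(f, g, p)[0]
            h = poly_divmod(h, f, p)[1]
    if len(f) > 1:                             # what is left is irreducible
        degrees.append(len(f) - 1)
    return sorted(degrees)

def frobenius_order(degrees):
    """Order lcm(d_1, ..., d_m) of the cyclic Galois group of f mod p."""
    return reduce(lambda a, b: a * b // gcd(a, b), degrees, 1)

def group_order(gens):
    """Order of the permutation group generated by gens (tuples on 0..n-1)."""
    identity = tuple(range(len(gens[0])))
    seen, frontier = {identity}, [identity]
    while frontier:
        g = frontier.pop()
        for s in gens:
            h = tuple(g[s[i]] for i in range(len(s)))
            if h not in seen:
                seen.add(h)
                frontier.append(h)
    return len(seen)

def transposition(a, b, n=5):
    s = list(range(n))
    s[a], s[b] = b, a
    return tuple(s)

F = [3, -6, 0, 0, 0, 1]        # t^5 - 6t + 3 from Example 8.3.6
FIVE_CYCLE = (1, 2, 3, 4, 0)   # the cycle (12345), written 0-based

if __name__ == "__main__":
    for p in (5, 17):
        degs = factor_degrees(F, p)
        print(p, degs, frobenius_order(degs))
```

The degree list modulo 5 gives a 5-cycle in G_f and the list modulo 17 gives a transposition, which is the input the generation argument needs.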

8.3.3 Explicit polynomials with a given Galois group

Although many groups are known to have a realization as a Galois group over Q, it is difficult to find explicitly a polynomial that generates the corresponding Galois extension. This is still an open question in inverse Galois theory, which by now has been solved only for finitely many simple groups other than A_n. The resolution of this problem is strongly related to computer calculations.

The results presented in this section furnish a partial answer to this problem. Other methods have also been studied. In ([9], Appendix) a list of polynomials realizing any transitive subgroup of S_n, for n ≤ 10, is given. Most of these results were established by the research team of Malle and Matzat. Moreover, Abhyankar studied infinite series of polynomials and found polynomials realizing various classical groups as Galois groups.


Conclusion

At the end of a master's thesis on the inverse Galois problem, it is expected still to have many ideas on how it would be possible to continue the project. Indeed, the subject is interesting, rich with examples and results already proved and yields many open problems.

Clearly, it was not possible to cover the whole subject of inverse Galois theory in this report. For example, some of the results presented such as Hilbert's Irreducibility criteria or the rigidity method have not been given in their whole generality. Also, there exist other results using applications from algebraic geometry to find some extensions of Q(T). For example, more results using elliptic curves could be proved with a deeper knowledge of their geometrical properties. Moreover, we have considered only Galois extensions of Q. In a further work on this subject, Galois extensions of number fields or of finite fields could be considered. For example, the study of elliptic curves with complex multiplication gives a method to find abelian Galois extensions of quadratic imaginary number fields.

Personally, I have appreciated developing my knowledge of Galois theory and have relished the opportunity to apply many of the concepts I have learned in the last few years to this project on the inverse Galois problem. If I had the chance to continue, I would start by studying in more detail the construction of the splitting field of some polynomial and hence the correspondence between Galois groups and polynomials.


Appendix A

Code PARI/GP and SAGE

A.1 Code PARI/GP

In this section we give all codes and specific commands that we used with PARI/GP to verify and illustrate many results stated in this report (see [12]).

(i) Test of the isomorphism between two Galois extensions (see Section 3.2)

    p = x^5 - x - 1;
    q = x^5 + 6*x + 3;
    nfisisom(p, q) = 0

→ The extensions given by p and q are not isomorphic.
⇒ Same Galois group and same degree does not mean same field extension.

(ii) Commands used to find the degree of the extension Q(δ) (see Section 5.2.3)

    a = polroots(polcyclo(105))[1]

→ define the 105-th root of unity

    b = a + a^4 + a^16 + a^46 + a^64 + a^79

→ define δ = b

    algdep(b, 8) = x^8 + x^7 - 4*x^6 + 9*x^5 + 23*x^4 - 18*x^3 - 16*x^2 - 8*x + 16

→ find the minimal polynomial of δ. The degree 8 is fixed, but we can verify that this polynomial annihilates δ. The same verification can be done using command b.minpoly() with SAGE.

(iii) Code used to verify that the polynomial p(t) = t^8 − 72t^6 + 180t^4 − 144t^2 + 36 has Galois group H8 (see Section 5.2.5).


    nf = nfinit(a^8 - 72*a^6 + 180*a^4 - 144*a^2 + 36)

→ give the field extension Q(a), with a a root of x^8 − 72x^6 + 180x^4 − 144x^2 + 36.

    nffactor(nf, x^8 - 72*x^6 + 180*x^4 - 144*x^2 + 36)

→ calculation of the roots of the polynomial in Q(a).
⇒ verification of the roots ±α, ±β, ±γ, ±δ given.

    evalbeta(a) = 1/2*a^7 - 215/6*a^5 + 78*a^3 - 42*a

→ definition of σ(a) = β

    evalgamma(a) = -9/8*a^7 + 961/12*a^5 - 549/4*a^3 + 101/2*a

→ definition of τ(a) = γ

    g = γ; b = β;

    Mod(evalbeta(g), r^8 - 72*r^6 + 180*r^4 - 144*r^2 + 36) = δ

→ verification τσ(a) = δ

    Mod(evalgamma(b), r^8 - 72*r^6 + 180*r^4 - 144*r^2 + 36) = −δ

→ verification τσ(a) = δ
⇒ G is non abelian.

    Mod(evalbeta(beta), r^8 - 72*r^6 + 180*r^4 - 144*r^2 + 36) = −r
    Mod(evalbeta(-r), r^8 - 72*r^6 + 180*r^4 - 144*r^2 + 36) = −β
    Mod(evalbeta(-1/2*r^7 + 215/6*r^5 - 78*r^3 + 42*r), r^8 - 72*r^6 + 180*r^4 - 144*r^2 + 36) = r

→ verification σ order 4 (similar for τ)
⇒ G ≅ H8 because in D4 there is only one subgroup of order 4.

(iv) Definition of the division polynomial Ψ_n implemented by John Cremona in ell_divpol.gp

    {elldivpol(e, n) =
    local(m, a1, a2, a3, a4, a6, t1, t2, f1, f2, psi24);
    a1 = e[1]; a2 = e[2]; a3 = e[3]; a4 = e[4]; a6 = e[5];
    f1 = x^3 + a2*x^2 + a4*x + a6; f2 = a1*x + a3;
    n = abs(n);
    if(n == 0, return(0));
    if(n == 1, return(1));
    if(n == 2, return(1));
    if(n == 3, return(3*x^4 + (a1^2 + 4*a2)*x^3 + (3*a1*a3 + 6*a4)*x^2
        + (3*a3^2 + 12*a6)*x + a1^2*a6 - a1*a3*a4 + a2*a3^2 + 4*a2*a6 - a4^2));
    if(n == 4, return(2*x^6 + (a1^2 + 4*a2)*x^5 + (5*a1*a3 + 10*a4)*x^4
        + (10*a3^2 + 40*a6)*x^3
        + (10*a1^2*a6 - 10*a1*a3*a4 + 10*a2*a3^2 + 40*a2*a6 - 10*a4^2)*x^2
        + (a1^4*a6 - a1^3*a3*a4 + a1^2*a2*a3^2 + 8*a1^2*a2*a6 - a1^2*a4^2
           - 4*a1*a2*a3*a4 - a1*a3^3 - 4*a1*a3*a6 + 4*a2^2*a3^2 + 16*a2^2*a6
           - 4*a2*a4^2 - 2*a3^2*a4 - 8*a4*a6)*x
        + a1^3*a3*a6 - a1^2*a3^2*a4 + 2*a1^2*a4*a6 + a1*a2*a3^3 + 4*a1*a2*a3*a6
        - 3*a1*a3*a4^2 + 2*a2*a3^2*a4 + 8*a2*a4*a6 - a3^4 - 8*a3^2*a6 - 2*a4^3
        - 16*a6^2));
    \\ general case, use recursion
    \\ (elldivpol0 is called below but is not defined in this listing)
    \\ If n is odd, n = 2m+1:
    if(n%2 == 1, m = (n - 1)/2;
      t1 = elldivpol(e, m+2) * elldivpol0(e, m)^3;
      t2 = elldivpol(e, m-1) * elldivpol0(e, m+1)^3;
      psi24 = (4*f1 + f2^2)^2;
      if(m%2 == 1, return(t1 - psi24*t2), return(psi24*t1 - t2)));
    \\ Now n is even, n = 2m:
    m = n/2;
    t1 = elldivpol(e, m+2) * elldivpol0(e, m-1)^2;
    t2 = elldivpol(e, m-2) * elldivpol0(e, m+1)^2;
    elldivpol(e, m) * (t1 - t2);
    }

→ Polynomial Ψ_n defined in Subsection 7.2.3

    {ellphi(e, n) =
    elldivpol(e, n)^2 - elldivpol(e, n+1) * elldivpol(e, n-1);
    }

→ Polynomial Φ_n defined in Subsection 7.2.3
⇒ For P = (x, y) the x-coordinate of [n]P is given by ellphi(e, n)/elldivpol(e, n)^2

    {ellw(e, n) =
    elldivpol(e, n+2) * elldivpol(e, n-1)^2 - elldivpol(e, n-2) * elldivpol(e, n+1)^2;
    }

⇒ For P = (x, y) the y-coordinate of [n]P is given by ellw(e, n)/elldivpol(e, n)^3

(v) Computation of the splitting field of 3x^4 − 6x^2 + 3x − 1 used in Section 7.3.3.

    p = 3*x^4 - 6*x^2 + 3*x - 1
    polcompositum(%, p)[2]

→ This command furnishes a list of all the possible extensions generated by two roots of p. In particular, for any extension, it returns a polynomial generating the extension. Taking [2] we find the extension given by two different roots.

    polredabs(%)

→ This command gives a simpler polynomial generating the same extension.
⇒ We repeat this procedure until p can be decomposed into a product of linear factors in the obtained extension.

    polcompositum(%, p)[3]; polredabs(%);

→ We obtain an extension generated by 3 roots of p(x).
⇒ Generating polynomial that we get:

    f = x^24 - 12*x^23 + 70*x^22 - 264*x^21 + 718*x^20 - 1482*x^19 + 2357*x^18
        - 2802*x^17 + 2152*x^16 - 216*x^15 - 2288*x^14 + 4224*x^13 - 4915*x^12
        + 4224*x^11 - 2288*x^10 - 216*x^9 + 2152*x^8 - 2802*x^7 + 2357*x^6
        - 1482*x^5 + 718*x^4 - 264*x^3 + 70*x^2 - 12*x + 1;

It is possible to check whether each one of the extensions we get is the splitting field of p(x) over Q.

A.2 Code SAGE

In this section we describe all commands used with SAGE (see [15]) in Section 7.1 to verify the structure of the group of rational points of an elliptic curve.

• E = EllipticCurve([1, 2])
→ definition of the elliptic curve y^2 = x^3 + x + 2;

• E.rank() or E.selmer_rank_bound()
→ methods to compute or bound the rank of the free subgroup of rational points E(Q);

• E.gens()
→ generators of the free subgroup of E(Q). Notice that the method to compute the rank will not always stop in a finite number of steps, so SAGE could not give an answer to these commands.
⇒ In this case we get rank = 0 and no generators.

• G = E.torsion_subgroup()
→ compute the subgroup of torsion of E(Q).

• G.0 (and G.1)
→ this command returns the generators of the subgroup of torsion.
⇒ In the example we find G ≅ C4 with generator g = [1 : 2 : 1] and one can compute g + g + g + g to verify that g is of order 4.


Appendix B

The Weierstrass function

B.1 The isomorphism C/Λ ≅ E_Λ

Let E_Λ be an elliptic curve and Λ the lattice such that C/Λ ≅ E_Λ. In this appendix we prove some preliminary results related to the Weierstrass function. These results are then used to sketch the proof of the isomorphism C/Λ ≅ E_Λ. For the full details of the proof presented here, we refer the reader to ([25], Chapter 9).

We first recall the definition of the Weierstrass function ℘.

Definition B.1.1 (Weierstrass function). Let Λ be a lattice. For any z ∈ C the Weierstrass function ℘ is defined as

$$\wp(z) = \frac{1}{z^2} + \sum_{\omega \in \Lambda,\ \omega \neq 0} \left(\frac{1}{(z - \omega)^2} - \frac{1}{\omega^2}\right).$$

Proposition B.1.2. Let Λ be a lattice with basis {ω_1, ω_2} and let ℘ be the related Weierstrass function. Then:

(i) The sum defining ℘(z) converges absolutely and uniformly on compact sets that do not contain any element of Λ.

(ii) ℘ is doubly periodic and even, i.e. for all u ∈ C, ℘(u + ω_1) = ℘(u), ℘(u + ω_2) = ℘(u) and ℘(u) = ℘(−u).

(iii) Every doubly periodic function of period Λ is a rational function of ℘ and its derivative ℘′.

Proof. (i) and (iii) Omitted. See ([25], Theorem 9.3).


(ii) First we prove that ℘ is even. To prove that the sum defining ℘ is equal for u and −u, it is sufficient to see that Λ is an abelian group. Hence if ω ∈ Λ, then −ω is in Λ as well. Therefore, in the sum we will find the terms 1/(u − ω)² and 1/(u + ω)². In the sum for −u these terms will be permuted, because 1/(−u + ω)² = 1/(u − ω)² and 1/(−u − ω)² = 1/(u + ω)². For the last term we have 1/u² = 1/(−u)² and then ℘(u) = ℘(−u), for all u ∈ C.

We now prove the double periodicity. Note that as {ω_1, ω_2} is a basis for Λ, the double periodicity is equivalent to the relation ℘(u + v) = ℘(u), for all v ∈ Λ. Fix any v ∈ Λ and u ∈ C. We have

$$\wp(u + v) = \frac{1}{(u + v)^2} + \sum_{\omega \in \Lambda,\ \omega \neq 0} \left(\frac{1}{(u + v - \omega)^2} - \frac{1}{\omega^2}\right) = \sum_{\omega \in \Lambda} \frac{1}{(u + v - \omega)^2} - \sum_{\omega \in \Lambda,\ \omega \neq 0} \frac{1}{\omega^2}.$$

The lattice Λ is closed under addition and the map ω → ω + v is a permutation of its elements. Hence this map will only permute the terms in the first sum and we thus get

$$\wp(u + v) = \sum_{\omega' \in \Lambda} \frac{1}{(u - \omega')^2} - \sum_{\omega \in \Lambda,\ \omega \neq 0} \frac{1}{\omega^2} = \wp(u).$$

Definition B.1.3 (Elliptic function). A meromorphic function defined on C and having two periods c_1, c_2 ∈ C such that c_1/c_2 ∉ R is called an elliptic function.

Remark B.1.4. Notice that the condition on c_1, c_2 implies that they are R-linearly independent, i.e. for any r_1, r_2 ∈ R we have r_1c_1 + r_2c_2 = 0 if and only if r_1 = r_2 = 0.

We then give a useful result on doubly periodic functions.

Lemma B.1.5. A doubly periodic holomorphic function f : C → C is constant.

Proof. Let c_1, c_2 be the periods of f and write

$$P = \{a_1c_1 + a_2c_2 \mid a_1, a_2 \in [0, 1]\}.$$


Then P is compact and therefore f(P) is bounded. But f is doubly periodic, so all values of f are attained on P. Hence f is bounded and by Liouville's Theorem f is constant.

Remark B.1.6. Recall that Liouville's Theorem states that every holomorphic function f such that |f(z)| ≤ M, for all z ∈ C and for some M ≥ 0, is constant.

According to the definition of ℘ it is clear that ℘ is meromorphic and that its poles are the points of the lattice Λ. If we consider a fundamental domain of Λ defined as D = {a_1ω_1 + a_2ω_2 | a_1, a_2 ∈ [0, 1[}, where {ω_1, ω_2} is a basis for the lattice Λ, then the only pole of ℘ is at 0. Hence if we consider ℘ and ℘′ as functions on C/Λ, they have a unique pole at z = 0 of order respectively 2 and 3.

The next step is to find the Laurent series expansion of ℘ around 0. We know that for |t| ≤ 1 we have

$$\frac{1}{1 - t} = 1 + t + t^2 + t^3 + \cdots = \sum_{i=0}^{\infty} t^i.$$

Taking the derivative of this expression we find

$$\frac{1}{(1 - t)^2} = \sum_{i=0}^{\infty} (i + 1)t^i.$$

Hence, for every z ∈ C satisfying |z| ≤ |ω|, we find

$$\frac{1}{(z - \omega)^2} - \frac{1}{\omega^2} = \frac{1}{\omega^2}\left(\frac{1}{(1 - z/\omega)^2} - 1\right) = \sum_{n \geq 1} (n + 1)\frac{z^n}{\omega^{n+2}}.$$

Finally the Laurent series of ℘ for each complex number z ∈ C such that |z| ≤ |ω| and for all ω ∈ Λ is given by

$$\wp(z) = \frac{1}{z^2} + \sum_{n \geq 1}\ \sum_{\omega \in \Lambda,\ \omega \neq 0} (n + 1)\frac{z^n}{\omega^{n+2}}.$$

Taking the derivative of this expression we obtain the Laurent series of ℘′ (which also has a unique pole z = 0 in D).

Using these expressions one can compute the first terms of the series

$$f(z) = \wp'(z)^2 - 4\wp(z)^3 + 60\gamma_4\wp(z) + 140\gamma_6,$$


with $\gamma_k = \sum_{\omega \in \Lambda,\ \omega \neq 0} \omega^{-k}$. Computing the first terms of this series, one proves that this function is holomorphic and doubly periodic for every z ∈ C satisfying |z| ≤ |ω|, i.e. 0 is not a pole of f(z).

Then, suppose that f has a pole. By definition, it must be a pole of ℘ or ℘′, but for any λ ∈ Λ we have f(λ) = f(0) by double periodicity. As 0 is not a pole, f is holomorphic. Hence by Lemma B.1.5 it is constant. Moreover one can verify that f(0) = 0 so that f = 0.

This result proves that considering the map z ↦ P(z) = (℘(z), ℘′(z)), we obtain a point of the elliptic curve E_Λ defined by the equation

$$y^2 = 4x^3 - 60\gamma_4x - 160\gamma_6,$$

with $\gamma_k = \sum_{\omega \in \Lambda,\ \omega \neq 0} \omega^{-k}$. In particular, it can be shown that taking a restriction of the map from C/Λ to E_Λ, we obtain an isomorphism.

In the next proposition we summarize two important properties of meromorphic doubly periodic functions, which are used to prove the existence of such an isomorphism.

Proposition B.1.7. Let Λ be a lattice and let D be a fundamental domain of Λ.

(i) Any doubly periodic function that is not identically zero has as many poles as zeros, counted with multiplicity, in a fundamental domain of Λ.

(ii) Let f be any non-zero meromorphic function on C/Λ. The sum of zeros, counted with multiplicity, of any periodic function on C/Λ, is equal to the sum of poles counted with multiplicity.

Proof. Omitted. See ([10], Section 10, Proposition 10.3).

Using this proposition and considering the function ℘(z) − ℘(z′), for some fixed z′ ∈ C/Λ, it can be shown that ℘(z) = ℘(z′) if and only if z = z′ ∈ C/Λ or z = −z′ ∈ C/Λ, because ℘(z) − ℘(z′) has a unique pole at 0 of multiplicity 2 and hence has two opposite zeros. This proves that ℘ is 2 : 1, except if z′ ∈ 1/2Λ in which case z′ = −z′. Now, consider ℘′. As ℘ is even, its derivative is an odd function and ℘′(−z) = −℘′(z) ≠ ℘′(z) except if ℘′(z) = 0. As ℘′ has a unique pole at 0 ∈ D of multiplicity 3, we know that ℘′ has three zeros whose sum is equal to 0. In particular, one can prove that ω_1/2, ω_2/2 and (ω_1 + ω_2)/2 are the zeros of ℘′ in the fundamental domain D. But at these points ℘ is injective, hence P(z) = (℘(z), ℘′(z)) is injective.

To prove that P is onto one needs a more detailed argument in affine geometry, which will not be developed here.


To prove that P is a group homomorphism we still need to prove that P(z + z′) = P(z) + P(z′), where the first + is the usual complex sum and the second + is the additive law of the elliptic curve E_Λ.

Consider the map r(z) = ℘′(z) − A℘(z) − B, for some A, B ∈ C. Using the Laurent series expansions of the two functions close to 0 it is clear that r(z) has a unique pole at 0 ∈ D of multiplicity 3. Therefore, let u, w be two zeros of r(z). Then the third zero is −(u + w), because by Proposition B.1.7 we know that the sum of the zeros is equal to 0.

Equivalently, we can say that we choose A, B ∈ C so that the straight line y = Ax + B passes through the points (℘(u), ℘′(u)) and (℘(w), ℘′(w)) of the elliptic curve E_Λ. Then Proposition B.1.7 gives a characterization of the third point of intersection. We have

$$\wp'(t) = A\wp(t) + B \;\Rightarrow\; \wp'(t)^2 = A^2\wp(t)^2 + 2AB\wp(t) + B^2,$$

for t = u, w, −(u + w) respectively. Replacing the value of ℘′(t)² in the equation defining E_Λ we obtain

$$\wp(t)^3 - \frac{A^2}{4}\wp(t)^2 - \left(\frac{AB + 60\gamma_4}{4}\right)\wp(t) - \left(\frac{B^2 + 140\gamma_6}{4}\right) = 0,$$

for t = u, w, −(u + w) respectively. It follows that the polynomial equation

$$z^3 - \frac{A^2}{4}z^2 - \left(\frac{AB + 60\gamma_4}{4}\right)z - \left(\frac{B^2 + 140\gamma_6}{4}\right) = 0$$

in C has zeros ℘(u), ℘(w) and ℘(−(u + w)). Moreover the term A²/4 is given by the sum of the zeros. We obtain

$$\wp(u) + \wp(w) + \wp(-(u + w)) = \wp(u) + \wp(w) + \wp(u + w) = A^2/4 \qquad \text{(B.1)}$$

but also

$$\wp'(u) = A\wp(u) + B \ \text{ and } \ \wp'(w) = A\wp(w) + B \;\Rightarrow\; A = \frac{\wp'(u) - \wp'(w)}{\wp(u) - \wp(w)}. \qquad \text{(B.2)}$$

Finally using Equations B.1 and B.2 we find

$$\wp(u + w) = \frac{1}{4}\left(\frac{\wp'(u) - \wp'(w)}{\wp(u) - \wp(w)}\right)^2 - \wp(u) - \wp(w),$$

which coincides with the definition of the sum on E_Λ for ℘(u) ≠ ℘(w) (see formula in Example 7.1.16).


As we can choose constants A, B ∈ C to find the straight line passing through any two points of the elliptic curve, we conclude that

$$P(u + w) = (\wp(u + w), \wp'(u + w)) = (\wp(u), \wp'(u)) + (\wp(w), \wp'(w)) = P(u) + P(w).$$

Thus we have the group isomorphism

$$\mathbb{C}/\Lambda \cong E_\Lambda$$

given in Theorem 7.2.7. In particular, any elliptic curve is related to a lattice and to any lattice one can associate an elliptic curve as described in Section 7.2.


Bibliography

[1] J. Andreotti, Galois Theory, Semester Project EPFL, Fall 2008

[2] H. Cohen, A Course in Computational Algebraic Number Theory, New York, Springer-Verlag, 1993

[3] D. Cox, Galois Theory, Hoboken, N.J., Wiley, 2004

[4] C. Hattori, M. Matsunaga, T. Matsuoka, K. Nakanishi, Galois group of elliptic curves and flavor symmetry, http://arxiv.org/abs/0710.2959

[5] A. Hermez and A. Salinier, Rational Trinomials with the Alternating Group as Galois Group, Journal of Number Theory 90, 113-129, 2001, http://www.sciencedirect.com/science/journal

[6] D. Husemöller, Elliptic curves, New York, Springer, 2004

[7] I. M. Isaacs, Finite group theory, Providence, American Mathematical Society, 2008

[8] A. Kraus, Théorie de Galois, Courses Notes, Université de Paris, 1998, http://www.institut.math.jussieu.fr/m2/aa/dea02-03/Galois.pdf

[9] G. Malle and B. H. Matzat, Inverse Galois Theory (Chapter 1: The Rigidity Method), Berlin/Heidelberg/New York, Springer Verlag, 1999

[10] J. S. Milne, Fields and Galois Theory, Courses Notes, Version 4.21, http://www.jmilne.org/math/CourseNotes/math594f.html

[11] J. Neukirch, Algebraic number theory, Berlin/Heidelberg/New York, Springer Verlag, 1999

[12] PARI/GP, version 2.3.4, Bordeaux, 2008, http://pari.math.u-bordeaux.fr/

[13] A. Reverter and N. Vila, Polynomials of Galois representations attached to elliptic curves, Rev.R.Acad. Cienc.Exact.Fis.Nat. (Esp), Vol.94 3◦, pp.417-421, 2000

[14] A. Reverter and N. Vila, Images of mod p Galois representations associated to elliptic curves, Canada Math. Bullet., Vol.44(3), pp.313-322, 2001

[15] SAGE Mathematics Software, Version 2.6, http://www.sagemath.org/

[16] P. Samuel, Théorie algébrique des nombres, Paris, Hermann - Editeur des sciences et des arts, 2003

[17] I. Schur, Affektlose Gleichungen in der Theorie der Laguerreschen und Hermiteschen, Berlin/Heidelberg/New York, Springer-Verlag, 1973.

[18] J. P. Serre, Propriétés galoisiennes des points d'ordre fini sur des courbes elliptiques, Berlin, Springer-Verlag, Inventiones math.15 (259-331), 1972

[19] J. P. Serre, Topics in Galois Theory, USA, AK Peters Ltd, 1992

[20] J. Silverman, The Arithmetic of Elliptic Curves, New York, Springer, 1986

[21] J. Silverman and J. Tate, Rational points on elliptic curves, New York, Springer, 1992

[22] I. Stewart, Galois theory, London, Chapman & Hall, 3rd ed. 2004

[23] N. Vila, On the inverse problem of Galois theory, Publication matemàtiques, Vol.36, pp.1053-1073, 1992

[24] H. Völklein, Groups as Galois Groups, New York, Springer, 2006

[25] L. Washington, Elliptic : number theory and cryptography, Boca Raton FL, Chapman & Hall, 2008

[26] S. H. Weintraub, Galois Theory, New York, Springer, 2006

[27] Wolfram Demonstration Project, Rational points on an Elliptic curve, http://demonstrations.wolfram.com