[proofplan]
The Galois group $G = \operatorname{Gal}(L/\mathbb{Q})$ acts faithfully on the $p$ roots of $f$, yielding an embedding $G \hookrightarrow S_p$. We identify $G$ with its image and show it equals $S_p$ in three stages. First, irreducibility of $f$ forces $G$ to act transitively on the roots, so $p \mid |G|$, and Cauchy's theorem then supplies an element of order $p$ in $G$; since $p$ is prime, this element must be a $p$-cycle in $S_p$. Second, complex conjugation restricts to an automorphism of $L$ that transposes the two non-real roots and fixes the remaining $p - 2$ real roots, giving a transposition in $G$. Third, a subgroup of $S_p$ containing both a $p$-cycle and a transposition equals $S_p$: conjugation by powers of the $p$-cycle moves the transposition through all positions, generating every transposition, and the transpositions generate $S_p$.
[/proofplan]
[step:Embed $G$ in $S_p$ via the action on roots and extract a $p$-cycle from transitivity]
Let $\alpha_1, \ldots, \alpha_p \in \mathbb{C}$ be the $p$ distinct roots of $f$ (distinct because $f$ is irreducible over $\mathbb{Q}$, hence separable, since $\operatorname{char}(\mathbb{Q}) = 0$). The splitting field $L = \mathbb{Q}(\alpha_1, \ldots, \alpha_p)$ is a subfield of $\mathbb{C}$.
Every $\sigma \in G := \operatorname{Gal}(L/\mathbb{Q})$ permutes $\{\alpha_1, \ldots, \alpha_p\}$: if $f(\alpha_i) = 0$ and $\sigma$ fixes the coefficients of $f$ (which lie in $\mathbb{Q}$), then $f(\sigma(\alpha_i)) = \sigma(f(\alpha_i)) = \sigma(0) = 0$, so $\sigma(\alpha_i)$ is again a root of $f$. Since $L$ is generated over $\mathbb{Q}$ by the roots, each $\sigma$ is determined by its action on $\{\alpha_1, \ldots, \alpha_p\}$. This defines an injective group homomorphism
\begin{align*}
\varphi \colon G &\hookrightarrow S_p \\
\sigma &\mapsto \text{the permutation } i \mapsto j \text{ where } \sigma(\alpha_i) = \alpha_j.
\end{align*}
We identify $G$ with its image $\varphi(G) \le S_p$ for the remainder of the proof.
Since $f$ is irreducible over $\mathbb{Q}$, the group $G$ acts transitively on $\{\alpha_1, \ldots, \alpha_p\}$: for any two roots $\alpha_i, \alpha_j$, there exists $\sigma \in G$ with $\sigma(\alpha_i) = \alpha_j$. (This follows because $\mathbb{Q}(\alpha_i) \cong \mathbb{Q}[t]/(f) \cong \mathbb{Q}(\alpha_j)$ for each pair $i, j$, and any $\mathbb{Q}$-isomorphism between these subfields extends to an automorphism of $L$.) By the orbit-stabiliser theorem,
\begin{align*}
|G| = |\operatorname{Orb}_G(\alpha_1)| \cdot |\operatorname{Stab}_G(\alpha_1)| = p \cdot |\operatorname{Stab}_G(\alpha_1)|,
\end{align*}
so $p \mid |G|$. Since $p$ is prime, [Cauchy's Theorem](/theorems/???) guarantees the existence of an element $\tau \in G$ of order $p$.
We now determine the cycle type of $\tau$ in $S_p$. Write $\tau$ as a product of disjoint cycles of lengths $\ell_1, \ldots, \ell_r$. The order of $\tau$ equals $\operatorname{lcm}(\ell_1, \ldots, \ell_r) = p$. Since $p$ is prime, each $\ell_s$ divides $p$, so $\ell_s \in \{1, p\}$. If every $\ell_s$ were $1$, then $\tau$ would be the identity, contradicting $\operatorname{ord}(\tau) = p$. Therefore at least one $\ell_s$ equals $p$. Since the cycle lengths must sum to $p$ (every element of $\{1, \ldots, p\}$ appears in exactly one cycle), we need $\ell_s = p$ for exactly one $s$ and no other cycles. Hence $\tau$ is a $p$-cycle.
[guided]
**Why embed in $S_p$?** The Galois group $G$ is abstractly a group of field automorphisms. To apply the combinatorial theory of permutation groups, we need to realise $G$ concretely as a subgroup of a symmetric group. The natural choice is to let $G$ act on the roots of $f$.
Every $\sigma \in G = \operatorname{Gal}(L/\mathbb{Q})$ fixes $\mathbb{Q}$ pointwise. Since $f \in \mathbb{Q}[t]$, applying $\sigma$ to the equation $f(\alpha_i) = 0$ gives $f(\sigma(\alpha_i)) = 0$, so $\sigma$ sends roots to roots. Because $L = \mathbb{Q}(\alpha_1, \ldots, \alpha_p)$ is generated by the roots, an automorphism $\sigma$ is completely determined by where it sends $\alpha_1, \ldots, \alpha_p$. This gives an injective homomorphism $\varphi \colon G \hookrightarrow S_p$, where we label the roots $\alpha_1, \ldots, \alpha_p$ and a permutation records how $\sigma$ rearranges these labels.
**Why does irreducibility give transitivity?** Fix any two roots $\alpha_i$ and $\alpha_j$. Since $f$ is the minimal polynomial of each $\alpha_k$ over $\mathbb{Q}$ (being irreducible and having $\alpha_k$ as a root), the fields $\mathbb{Q}(\alpha_i)$ and $\mathbb{Q}(\alpha_j)$ are both isomorphic to $\mathbb{Q}[t]/(f)$. Composing these isomorphisms yields a $\mathbb{Q}$-isomorphism $\mathbb{Q}(\alpha_i) \xrightarrow{\sim} \mathbb{Q}(\alpha_j)$ mapping $\alpha_i \mapsto \alpha_j$. By the extension theorem for splitting fields, this isomorphism extends to a $\mathbb{Q}$-automorphism $\sigma \colon L \xrightarrow{\sim} L$. Thus $\sigma \in G$ and $\sigma(\alpha_i) = \alpha_j$, confirming that $G$ acts transitively on $\{\alpha_1, \ldots, \alpha_p\}$.
**From transitivity to a $p$-cycle.** Transitivity means the orbit of any root has size $p$. By the orbit-stabiliser theorem, $|G| = p \cdot |\operatorname{Stab}_G(\alpha_1)|$, so $p$ divides $|G|$. Since $p$ is prime and $G$ is a finite group, Cauchy's theorem produces an element $\tau \in G$ of order $p$.
What is the cycle structure of $\tau$ in $S_p$? Write $\tau$ as a product of disjoint cycles of lengths $\ell_1, \ldots, \ell_r$. The order of a product of disjoint cycles is $\operatorname{lcm}(\ell_1, \ldots, \ell_r)$, and this must equal $p$. Since $p$ is prime, every $\ell_s$ divides $p$, so each $\ell_s$ is either $1$ or $p$. But we also require $\ell_1 + \cdots + \ell_r = p$ (every symbol in $\{1, \ldots, p\}$ appears in exactly one cycle). If all cycles had length $1$, the permutation would be the identity, contradicting $\operatorname{ord}(\tau) = p \ge 2$. So at least one cycle has length $p$. A single $p$-cycle already accounts for all $p$ symbols, leaving no room for further cycles. Therefore $\tau$ is a single $p$-cycle.
This is where the primality of $p$ is consumed most directly: for composite $n$, an element of $S_n$ can have order $n$ without being an $n$-cycle (for example, the product of a $2$-cycle and a $3$-cycle in $S_6$ has order $6$).
[/guided]
[/step]
[step:Identify complex conjugation as a transposition in $G$]
Label the roots so that $\alpha_1, \ldots, \alpha_{p-2} \in \mathbb{R}$ are the $p - 2$ real roots and $\alpha_{p-1}, \alpha_p \in \mathbb{C} \setminus \mathbb{R}$ are the two non-real roots. Since $f$ has real coefficients, the non-real roots occur in conjugate pairs, so $\alpha_p = \overline{\alpha_{p-1}}$.
Define complex conjugation
\begin{align*}
\kappa \colon \mathbb{C} &\to \mathbb{C} \\
z &\mapsto \overline{z}.
\end{align*}
The map $\kappa$ is a field automorphism of $\mathbb{C}$ that fixes $\mathbb{R}$ pointwise, and in particular fixes $\mathbb{Q}$. Since $L \subset \mathbb{C}$ and $L$ is a Galois extension of $\mathbb{Q}$ (being the splitting field of a separable polynomial), the restriction $\kappa|_L$ is well-defined: for any $x \in L$, we have $\overline{x} \in L$ because $L$ is the splitting field of $f$ over $\mathbb{Q}$ and $\kappa$ permutes the roots of $f$, hence maps any $\mathbb{Q}$-linear combination of products of roots to another such combination. Therefore $\kappa|_L \in \operatorname{Gal}(L/\mathbb{Q}) = G$.
Under the embedding $G \hookrightarrow S_p$, the element $\kappa|_L$ acts as follows:
- For $i \in \{1, \ldots, p-2\}$: $\kappa(\alpha_i) = \overline{\alpha_i} = \alpha_i$, since $\alpha_i \in \mathbb{R}$.
- $\kappa(\alpha_{p-1}) = \overline{\alpha_{p-1}} = \alpha_p$ and $\kappa(\alpha_p) = \overline{\alpha_p} = \alpha_{p-1}$.
In cycle notation, $\kappa|_L$ acts as the transposition $(p{-}1 \;\; p)$. In particular, $G$ contains a transposition.
[guided]
**Why does complex conjugation restrict to an element of $G$?** This is the step that uses the hypothesis about the root structure most directly. Complex conjugation $\kappa \colon z \mapsto \overline{z}$ is a field automorphism of $\mathbb{C}$ (it preserves addition and multiplication, and fixes $\mathbb{Q} \subset \mathbb{R}$ pointwise). The question is whether $\kappa$ maps $L$ to itself — that is, whether $\kappa(L) = L$.
Since $L$ is the splitting field of $f$ over $\mathbb{Q}$, the field $L$ is generated over $\mathbb{Q}$ by the roots $\alpha_1, \ldots, \alpha_p$. The map $\kappa$ sends each root of $f$ to another root of $f$ (since $f$ has coefficients in $\mathbb{Q} \subset \mathbb{R}$, if $f(\alpha) = 0$ then $f(\overline{\alpha}) = \overline{f(\alpha)} = 0$). Therefore $\kappa$ permutes the generating set $\{\alpha_1, \ldots, \alpha_p\}$ of $L/\mathbb{Q}$. An element of $L$ is a $\mathbb{Q}$-polynomial expression in the $\alpha_i$, and $\kappa$ maps it to the same polynomial expression in the $\kappa(\alpha_i)$, which is again a $\mathbb{Q}$-polynomial expression in roots of $f$, hence an element of $L$. This shows $\kappa(L) \subset L$, and since $\kappa = \kappa^{-1}$ (conjugation is an involution), we also have $\kappa^{-1}(L) \subset L$, so $\kappa(L) = L$. The restriction $\kappa|_L$ is therefore a well-defined $\mathbb{Q}$-automorphism of $L$, i.e., an element of $G$.
**Determining the cycle type.** By hypothesis, exactly $p - 2$ roots are real and exactly $2$ are non-real. Label so that $\alpha_1, \ldots, \alpha_{p-2} \in \mathbb{R}$ and $\alpha_{p-1}, \alpha_p \in \mathbb{C} \setminus \mathbb{R}$ with $\alpha_p = \overline{\alpha_{p-1}}$ (the non-real roots of a real polynomial come in conjugate pairs). Then:
- Each real root is fixed: $\kappa(\alpha_i) = \alpha_i$ for $1 \le i \le p - 2$.
- The two non-real roots are swapped: $\kappa(\alpha_{p-1}) = \alpha_p$ and $\kappa(\alpha_p) = \alpha_{p-1}$.
So $\kappa|_L$ corresponds to the permutation $(p{-}1 \;\; p) \in S_p$, a single transposition.
**What if there were more than two non-real roots?** If $f$ had, say, $4$ non-real roots (coming in two conjugate pairs), then complex conjugation would be a product of two disjoint transpositions — not a transposition. The argument in the next step requires a transposition specifically, so the hypothesis "exactly $2$ non-real roots" is essential. Similarly, if all roots were real, complex conjugation would act as the identity and contribute nothing to the Galois group.
[/guided]
[/step]
[step:Show that a $p$-cycle and a transposition generate all of $S_p$]
By the preceding steps, $G \le S_p$ contains a $p$-cycle $\tau$ and a transposition $\kappa|_L$. We show that $\langle \tau, \kappa|_L \rangle = S_p$.
After relabelling the roots (which amounts to conjugating inside $S_p$, and does not change the isomorphism type of $G$), we may assume that $\tau = (1 \; 2 \; 3 \; \cdots \; p)$ and that the transposition is $(a \;\; b)$ for some $a \neq b$ in $\{1, \ldots, p\}$. Since $\tau$ is a $p$-cycle and $p$ is prime, $\tau$ acts transitively on $\{1, \ldots, p\}$, so there exists $k \in \{0, 1, \ldots, p-1\}$ such that $\tau^k(a) = b$ (or, equivalently, $(b - a) \equiv k \pmod{p}$). Replacing $\tau$ by $\tau^d$ where $d \equiv (b - a)^{-1} \pmod{p}$ (which exists since $p$ is prime and $b - a \not\equiv 0$), we obtain a $p$-cycle $\sigma := \tau^d$ that still generates the same cyclic subgroup $\langle \tau \rangle$ (since $\gcd(d, p) = 1$) and satisfies $\sigma(a) = a + 1 \pmod{p}$ (interpreting labels modulo $p$). After a further relabelling, we may therefore assume without loss of generality that $\tau = (1 \; 2 \; \cdots \; p)$ and the transposition is $(i \;\; i{+}1)$ for some $i$, where indices are read modulo $p$.
[claim:A $p$-cycle and an adjacent transposition generate $S_p$]
Let $p$ be prime, let $\tau = (1 \; 2 \; \cdots \; p) \in S_p$, and let $\sigma = (i \;\; i{+}1) \in S_p$ for some $i \in \{1, \ldots, p\}$ (indices modulo $p$). Then $\langle \tau, \sigma \rangle = S_p$.
[/claim]
[proof]
For any $m \in \{0, 1, \ldots, p-1\}$, the conjugate $\tau^m \sigma \tau^{-m}$ is computed by shifting all entries of $\sigma$ by $m$ under the action of $\tau$: since $\tau$ sends $j \mapsto j + 1 \pmod{p}$ for each $j$, we have
\begin{align*}
\tau^m \sigma \tau^{-m} = \tau^m (i \;\; i{+}1) \tau^{-m} = (i{+}m \;\; i{+}m{+}1),
\end{align*}
where all entries are taken modulo $p$. As $m$ ranges over $\{0, 1, \ldots, p-1\}$, the transpositions $(i{+}m \;\; i{+}m{+}1)$ range over all "adjacent" transpositions $(1 \; 2),\, (2 \; 3),\, \ldots,\, (p{-}1 \;\; p),\, (p \;\; 1)$ in the cyclic labelling. Every permutation in $S_p$ can be written as a product of adjacent transpositions (this is the standard fact that the adjacent transpositions $(1\;2), (2\;3), \ldots, (p{-}1\;\;p)$ generate $S_p$). Therefore $\langle \tau, \sigma \rangle = S_p$.
[/proof]
Applying this claim to the $p$-cycle and transposition in $G$, we conclude $G = S_p$, that is,
\begin{align*}
\operatorname{Gal}(L/\mathbb{Q}) \cong S_p.
\end{align*}
[guided]
**Strategy.** We have two elements of $G \le S_p$: a $p$-cycle $\tau$ and a transposition. The goal is to show these two elements generate all of $S_p$. The key idea is to use conjugation by powers of the $p$-cycle to "move" the transposition into every possible position, thereby generating enough transpositions to produce all of $S_p$.
**Reducing to a convenient form.** The specific labelling of the roots $\alpha_1, \ldots, \alpha_p$ was arbitrary. Relabelling the roots corresponds to conjugating every element of $G$ by a fixed permutation in $S_p$. Since $G$ and its conjugate $\pi G \pi^{-1}$ are isomorphic (and in fact equal as subgroups of $S_p$ when $G$ is normal — but we do not need normality, just that the generating property is invariant under conjugation), we may choose any convenient labelling.
After relabelling, assume $\tau = (1 \; 2 \; \cdots \; p)$. The transposition is $(a \; b)$ for some distinct $a, b$. Set $d \equiv (b - a)^{-1} \pmod{p}$; this inverse exists because $p$ is prime and $b \neq a$, so $b - a \not\equiv 0 \pmod{p}$. Since $\gcd(d, p) = 1$ (as $p$ is prime and $1 \le d \le p - 1$), the element $\tau^d$ is again a $p$-cycle generating the same cyclic subgroup $\langle \tau \rangle$. Replacing $\tau$ by $\tau^d$ and relabelling, we may assume the transposition has the form $(i \;\; i{+}1)$ for some $i$ (all arithmetic modulo $p$).
**Generating all transpositions by conjugation.** For each $m \in \{0, 1, \ldots, p-1\}$:
\begin{align*}
\tau^m (i \;\; i{+}1) \tau^{-m} = (i{+}m \;\; i{+}m{+}1).
\end{align*}
This follows from the general conjugation formula for cycles: if $\pi \in S_n$ and $(a_1 \; a_2 \; \cdots \; a_k)$ is a $k$-cycle, then $\pi (a_1 \; \cdots \; a_k) \pi^{-1} = (\pi(a_1) \; \cdots \; \pi(a_k))$. Applied to $\pi = \tau^m$ and $(a_1 \; a_2) = (i \;\; i{+}1)$:
\begin{align*}
\tau^m(i) &= i + m \pmod{p}, \\
\tau^m(i+1) &= i + 1 + m \pmod{p}.
\end{align*}
As $m$ varies over $\{0, 1, \ldots, p-1\}$, the pair $(i+m, \, i+m+1)$ cycles through all $p$ consecutive pairs modulo $p$. This produces the transpositions $(1\;2), (2\;3), \ldots, (p{-}1\;\;p), (p\;1)$.
**Why do adjacent transpositions generate $S_p$?** The transpositions $(j \;\; j{+}1)$ for $j = 1, \ldots, p-1$ are the Coxeter generators of $S_p$. Any transposition $(a \;\; b)$ with $a < b$ can be decomposed as
\begin{align*}
(a \;\; b) = (a \;\; a{+}1)(a{+}1 \;\; a{+}2) \cdots (b{-}1 \;\; b) \cdots (a{+}1 \;\; a{+}2)(a \;\; a{+}1),
\end{align*}
and every permutation is a product of transpositions. Therefore the adjacent transpositions generate $S_p$.
Since $G$ contains both $\tau$ and the transposition, and these generate $S_p$, we conclude $G = S_p$, i.e., $\operatorname{Gal}(L/\mathbb{Q}) \cong S_p$.
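The generation argument can be checked by brute force. The following is an added example, not part of the original proof: it closes $\{\tau, (a\;b)\}$ under multiplication for every transposition $(a\;b)$, verifies the conjugation formula $\tau^m (i \;\; i{+}1) \tau^{-m} = (i{+}m \;\; i{+}m{+}1)$, and repeats the computation for the composite degree $n = 4$, where some transpositions generate only a proper subgroup. It assumes labels $0, \ldots, n-1$ rather than $1, \ldots, n$; all function names are illustrative.

```python
from itertools import combinations
from math import factorial

def compose(p, q):
    """p∘q on {0..n-1}: apply q first, then p."""
    return tuple(p[x] for x in q)

def inverse(p):
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return tuple(inv)

def cycle(n, *pts):
    """The cycle (pts[0] pts[1] ...) as a tuple in S_n."""
    perm = list(range(n))
    for x, y in zip(pts, pts[1:] + pts[:1]):
        perm[x] = y
    return tuple(perm)

def generated_order(gens):
    """Order of <gens>: close the identity under right multiplication."""
    identity = tuple(range(len(gens[0])))
    seen, frontier = {identity}, [identity]
    while frontier:
        g = frontier.pop()
        for s in gens:
            h = compose(g, s)
            if h not in seen:
                seen.add(h)
                frontier.append(h)
    return len(seen)

def orders_by_transposition(n):
    """|<(0 1 ... n-1), (a b)>| for every transposition (a b) in S_n."""
    tau = cycle(n, *range(n))
    return {(a, b): generated_order([tau, cycle(n, a, b)])
            for a, b in combinations(range(n), 2)}

def conjugation_formula_holds(n, i):
    """Check tau^m (i i+1) tau^-m == (i+m i+m+1) for m = 0..n-1, labels mod n."""
    tau, sigma = cycle(n, *range(n)), cycle(n, i % n, (i + 1) % n)
    power = tuple(range(n))  # tau^0
    for m in range(n):
        conj = compose(compose(power, sigma), inverse(power))
        if conj != cycle(n, (i + m) % n, (i + m + 1) % n):
            return False
        power = compose(tau, power)
    return True

if __name__ == "__main__":
    for n in (5, 7, 4):
        print(n, factorial(n), sorted(set(orders_by_transposition(n).values())))
```

For $n = 5$ and $n = 7$ every transposition yields the full group order $n!$; for $n = 4$ the non-adjacent transpositions $(0\;2)$ and $(1\;3)$ yield a subgroup of order $8$.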
**Where each hypothesis was used.** It is worth pausing to note the role of each assumption:
- **$f$ irreducible**: gave transitivity of the Galois action, hence $p \mid |G|$, hence a $p$-cycle.
- **$\deg f = p$ prime**: ensured that elements of order $p$ in $S_p$ must be $p$-cycles (fails for composite degree), and that the inverse $(b-a)^{-1} \pmod{p}$ exists (used to normalise the transposition to adjacent form).
- **Exactly $2$ non-real roots**: made complex conjugation a transposition (rather than a product of disjoint transpositions or the identity).
- **Coefficients in $\mathbb{Q}$**: ensured that complex conjugation fixes the base field, so it restricts to an element of the Galois group.
If any one of these is dropped, the conclusion can fail. For instance, the irreducible polynomial $t^4 - 2 \in \mathbb{Q}[t]$ has degree $4$ (not prime), two real roots $\pm\sqrt[4]{2}$ and two non-real roots $\pm i\sqrt[4]{2}$; its Galois group is the dihedral group $D_4$ of order $8$, not $S_4$ (of order $24$).
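For contrast, here is a polynomial that meets all four hypotheses (an added worked example; the polynomial is not taken from the original text). Take $f = t^5 - 4t + 2$ and $p = 5$. Eisenstein's criterion at the prime $2$ shows that $f$ is irreducible over $\mathbb{Q}$. The derivative $f' = 5t^4 - 4$ has exactly two real zeros, $\pm (4/5)^{1/4}$, so by Rolle's theorem $f$ has at most three real roots. The sign changes
\begin{align*}
f(-2) = -22 < 0, \qquad f(0) = 2 > 0, \qquad f(1) = -1 < 0, \qquad f(2) = 26 > 0
\end{align*}
give at least three real roots, so $f$ has exactly $3 = p - 2$ real roots and exactly $2$ non-real roots. The argument above therefore applies and gives $\operatorname{Gal}(L/\mathbb{Q}) \cong S_5$ for the splitting field $L$ of $f$.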
[/guided]
[/step]