Chapter 6

Quadratic Residues

The very structural theory of congruences we have built thus far leads us
to the next level: quadratic congruences. The existence question of square
roots modulo a prime will be consummated in the celebrated law of quadratic
reciprocity. Our approach toward this goal will follow closely that of the text
[NZM91]. Meanwhile, actual algorithms needed to solve quadratic congru-
ences will be treated only briefly in this chapter, but to be continued and
settled in Appendix D.

6.1 Quadratic Residues and Nonresidues

The simplest quadratic congruence will be x2 a (mod n). We shall first
differentiate between the values of a for which this congruence has a solution
and those for which it does not.
Definition. A number a which is relatively prime to n is a quadratic residue
modulo n if the congruence x2 a (mod n) has a solution. If it has no
solution, then a is called a quadratic nonresidue modulo n. For example, 19
is a quadratic residue modulo 5 since 19 22 (mod 5), but 7 is a nonresidue
because there is no integer whose square belongs to [7]5 .
It is clear that being a quadratic residue, or nonresidue, is a characteristic
of the entire residue class of a modulo n. Hence, as usual, we will use the
phrase distinct or incongruent quadratic (non)residues when we mean that
they belong to different residue classes.
Moreover, the solutions to x2 a (mod n), if any, are also given by
residue classes. In particular, the task of separating the quadratic residues
from the nonresidues can be done within a chosen reduced residue system.

52
ISBN 1419687352 53

For example, modulo 14 we look at {1, 3, 5, 9, 11, 13}. We have

12 1 (mod 14) 32 9 (mod 14) 52 11 (mod 14)
92 11 (mod 14) 112 9 (mod 14) 132 1 (mod 14)
The quadratic residues modulo 14 are therefore given by [1], [9], and [11],
whereas quadratic nonresidues by [3], [5], and [13].
Exercise 6.1. Find all the quadratic residues and nonresidues modulo n.
a) n = 8
b) n = 9
c) n = 10
d) n = 11
e) n = 12
Exercise 6.2. Unlike primitive roots, show that quadratic nonresidues exist
with any modulus n > 2. (So do quadratic residues, e.g., a = 1.)
Exercise 6.3. Suppose g is a primitive root modulo n > 2.
a) Show that g k is a quadratic residue modulo n if and only if k is even. In
particular, it follows that every primitive root is a quadratic nonresidue.
b) Prove there are as many quadratic residues as nonresidues modulo n.
c) Give an example where (b) is false when modulo n has no primitive roots.
d) Prove that the product ab is a quadratic residue modulo n if and only if
either both a and b are quadratic residues or both nonresidues.
The Chinese remainder theorem allows us to eventually reduce the con-
gruence x2 a (mod n), or any congruence, to the case where n is a prime
power. Our next focus will be on prime modulus, with which the terms
quadratic residue and nonresidue can then be numerically denoted by the
Legendre symbol, a very convenient as well as useful notation.
Definition. The Legendre symbol is written and defined as follows.

  1 if a is a quadratic residue modulo p
a
= 1 if a is a quadratic nonresidue modulo p
p
0 if p | a

for any integer a and prime p > 2. Some authors prefer the notation (a|p)
for the Legendre symbol. We shall use both interchangeably, mainly for
the sake of readabilitythe vertical mode in a displayed equation and the
horizontal mode for intext. For example, we have earlier seen that (19|5) = 1
and (7|5) = 1. Note also that (a|p) = (b|p) whenever a b (mod p) and,
in particular,    
a a%p
=
p p
54 Theory of Numbers

Exercise 6.4. Investigate true or false.

a) (a|p) = (b|p) implies a b (mod p)
b) (1|p) = 1
c) (1|p) = 1
d) (a2 |p) = (a|p)2
We shall henceforth agree that the number p in the notation (a|p) is
always understood an odd prime, i.e., a prime p > 2. With that, the next
Eulers criterion states a very useful congruence for the Legendre symbol.
Theorem 6.1 (Eulers Criterion). The Legendre symbol (a|p) satisfies
 
a
a(p1)/2 (mod p)
p

Proof. It is trivial if p | a, else apply Corollary 5.9 with k = 2.

Exercise 6.5. Alternately, prove Theorem 6.1 using Exercise 6.3(a).
Corollary 6.2. The following equalities hold for the Legendre symbol.
      
ab a b 1
= and = (1)(p1)/2
p p p p

Proof. Assume p ab to avoid triviality. In each equation, left and right are
congruent modulo p > 2, by Theorem 6.1. But each quantity is 1; the only
way this can happen is when both sides are 1 or both 1.
Note that the second equality gives (1|p) = 1 if p % 4 = 1, and (1|p) =
1 if p % 4 = 3. This result agrees with that given earlier in Exercise 5.22.
Example. Let us apply the above properties in evaluating (75|17). We
have (75|17) = (1|17)(5|17)2 (3|17) = (1)8 (1)2 (3|17) = (3|17). And
then (3|17) 38 (mod 17) according to Eulers criterion (Theorem 6.1). Suc-
cessive squaring algorithm gives us 38 % 17 = 16, hence (75|17) = 1.
There really are different ways to arrive at this same result. For instance,
since 75 27 (mod 17) then (75|17) = (27|17) = (3|17)3 = (3|17). Or by
the fact that 75 % 17 = 10, we have (75|17) = (10|17) = (2|17)(5|17). Or
Eulers criterion alone, (10|17) 108 (mod 17), etc.
Exercise 6.6. Evaluate the Legendre symbol (a|p) in several ways.
a) (35|11)
b) (54|13)
c) (28|19)
d) (11|23)
ISBN 1419687352 55

Exercise 6.7. Let p be an odd prime relatively prime to a. Prove that the
quadratic congruence ax2 + bx + c 0 (mod p) has a solution if and only if
(b2 4ac|p) 0. Then determine the solvability of the following.
a) x2 1 (mod 101)
b) x2 5x + 2 0 (mod 29)
c) 2x2 18x + 24 (mod 43)
d) 13x2 56x 44 (mod 79)
As a matter of fact, there are yet other ways by which we can evaluate
the Legendre symbol. The next two lemmas are not that practical, but they
carry some theoretical significance. The first of the two is that of Gauss.
Lemma 6.3 (Gausss Lemma). Consider the Legendre symbol (a|p) with
p a. Let d = (p 1)/2 and A = {a, 2a, 3a, . . . , da}. Then (a|p) = (1)n ,
where n is the number of elements x A such that x % p > d.
Proof. Since p a, elements of A are distinct modulo p. Now consider the
reduced residue system modulo p given by S = {1, 2, . . . , d}. Note that
the solutions to x % p > d in S are precisely given by the negative elements,1
exactly n of which are congruent to an element in A.
In S, only one number in each plus/minus pair can be congruent modulo
p to some element in A. If this claim were false, we would have ia, ja A,
with 1 i < j d, for which ia ja (mod p), and so i j (mod p).
This is impossible as both i and j belong to S, a reduced residue system.
It follows that, modulo p, the elements of A are reordering of the numbers
1, 2, . . . , donly that n of them are prefixed by the negative sign. Then,
a 2a da (1)n 1 2 d (mod p)
from which we claim (1)n ad (a|p) (mod p), by Eulers criterion.
Example. Let us illustrate Gausss lemma with a = 5 and p = 17, hence
d = 8. We have A = {5, 10, 15, 20, 25, 30, 35, 40}, reduced mod 17 to
{5, 10, 15, 3, 8, 13, 1, 6}. Three elements exceed 8, so (5|17) = (1)3 = 1.
Exercise 6.8. Redo Exercise 6.6 using Gausss lemma.
At this point we are able to derive the following formula for (2|p), a spe-
cial case of the Legendre symbol which will be encountered quite frequently
in computation.
Proposition 6.4. The following formula holds for (2|p).
  
2 (p2 1)/8 1 if p 1 (mod 8)
= (1) =
p 1 if p 3 (mod 8)
1 In fact, x % p > d if and only if x %% p < 0. See Exercise 1.8 for definition.
56 Theory of Numbers

Proof. We claim, as an easy exercise, that the exponent (p2 1)/8 is even
if and only if p 1 (mod 8).
Let us keep the same notation we use in Lemma 6.3 and its proof. We
repeat that elements of A are congruent modulo p to 1, 2, . . . , d, not nec-
essarily in this order, except that n of them should have the negative sign.
Denote by ri s those which should have been negative, and the rest by sj s.
Then, for 1 k d, the residue ka % p is either sj or p ri for some indices
i and j. Using the relation ka = ka
p p + ka % p, we take sums over k,

d d   n dn
X X ka X X
ka = p+ p ri + sj (6.1)
p i=1 j=1
k=1 k=1

On the other hand, we also have

d
X n
X dn
X
k= ri + sj (6.2)
k=1 i=1 j=1

Next, we subtract Equation 6.2 from Equation 6.1, to get

d d   n n
X X ka X X
(a 1) k= p+ p2 ri (6.3)
p i=1 i=1
k=1 k=1

If we now let a = 2, then 2k

p = 0 since 2k < p, and Equation 6.3 becomes
P
d(d+1)/2 = np2 ri . As p is odd, this quantity is even or odd as n is. By
Lemma 6.3, then (2|p) = (1)n = (1)d(d+1)/2 . Substitute d = (p 1)/2,
and we are done.
Exercise 6.9. Complete the proof that (2|p) = 1 if and only if p [1]8 .
Similarly, show that (2|p) = 1 if and only if p % 8 = 1 or 3.
The second lemma, due to Eisenstein, is to be proved along the same
line. We will need Eisensteins lemma mainly in proving the law of quadratic
reciprocity, the coming paramount theorem for the Legendre symbol.
Lemma 6.5 (Eisensteins Lemma). If p a, and both are odd, then
  (p1)/2  
a X ka
= (1)m where m=
p p
k=1

Proof. As a p 1 (mod 2), this time Equation (6.3) gives the congruence
0 m + n (mod 2). Again, this means that m is of the same parity as that
of the number n in Gausss lemma, and hence (1)m = (1)n = (a|p).
ISBN 1419687352 57

Example. We illustrate Eisensteins lemma with a = 5 and p = 17. We have

5 10
m = 17 + 17 + 15 20 25 30 35 40
17 + 17 + 17 + 17 + 17 + 17
=0+0+0+1+1+1+2+2=7
and (5|17) = (1)7 = 1.
Exercise 6.10. Redo Exercise 6.6 using Eisensteins lemma.
At last we will now show that the Legendre symbol obeys a reciprocity
law in which (q|p), where q is another odd prime, may be replaced by (p|q)
according to the following rule.
Theorem 6.6 (The Law of Quadratic Reciprocity). If p and q are distinct
odd primes, then   
p q
= (1)(p1)(q1)/4
q p
Proof. Consider all ordered pairs (x, y) with 1 x p12 and 1 q 2 .
q1

There are exactly (p1)

2 (q1)
2 such elements, which can be grouped into
two classesin the first class if py < qx, and in the second if py > qx.
Note that py = qx is not possible since p qx. For each x, the condition
py < qx is equivalent to 1 y qxp , and hence the first class consists of
P(p1)/2 qx P(q1)/2
m1 elements, where m1 = x=1 p . Similarly, m2 = y=1 py q for
the second class. In all,
(p1)/2   (q1)/2
(p 1)(q 1) X qx X  py 
= m1 + m2 = +
4 x=1
p y=1
q

Hence (1)(p1)(q1)/4 = (1)m1 (1)m2 = (q|p)(p|q) by Lemma 6.5.

Exercise 6.11. For any pair of odd primes p and q, show that (q|p) = (p|q),
except when both primes belong to the class [3]4 , for then (q|p) = (p|q).
Exercise 6.12. If p q (mod 4a) then (a|p) = (a|q). Prove that this fact,
initially conjectured by Euler, is equivalent to Theorem 6.6.
Example. Consider (4459|6247). The factorization 4459 = 73 13 enables us
to write (4459|6247) = (7|6247)(13|6247). The next steps consist of repeated
applications of Theorem 6.6 and the replacement of (a|p) by (a % p|p).
         
7 6247 3 7 1
= = = = =1
6247 7 7 3 3
           
13 6247 7 13 6 1
= = = = = = (1)3 = 1
6247 13 13 7 7 7
Putting the two together, we conclude that (4459|6247) = 1.
58 Theory of Numbers

Exercise 6.13. Evaluate (a|p) with the help of the reciprocity law.
a) (37|83)
b) (71|103)
c) (69|127)
d) (1414|2063)
e) (19392|2939)
Exercise 6.14. Show that (3|p) = 1 if and only if p [1]12 . Similarly,
(3|p) = 1 if and only if p % 6 = 1.
Exercise 6.15. Modulo which odd prime is 5 is a quadratic residue?

6.2 The Jacobi Symbol

Despite all the variety of tools we have for evaluating the Legendre symbol
(a|p), we just cannot avoid the need of factoring a. This slows down com-
putation time a great deal, especially when p is large. The Jacobi symbol
is an extension of the Legendre symbol in the way that the denominator
can now be any odd number, not necessarily prime. This will make possible
a very fast algorithm to compute (a|p), almost in an analogous way that the
Euclidean algorithm enables us to compute gcd without factoring.
Definition. Let n = p1 p2 pk be the product of odd prime numbers, not
necessarily distinct. Define the Jacobi symbol (a|n) by
      
a a a a
=
n p1 p2 pk
where each factor (a|pi ) is the Legendre symbol. Moreover, let (a|1) = 1.
As an example, we have (14|1275) = (14|3)(14|5)(14|5)(14|17) because
1275 = 3 52 17. Note that if gcd(a, n) = 1, then the value of (a|n) is 1,
and 0 otherwise. In addition, if k = 1 then the two symbolsLegendre and
Jacobiare one and the same. It is furthermore true that if (a|n) = 1,
then a is a quadratic nonresidue modulo n, but the converse is sometimes
false.
Exercise 6.16. Evaluate the Jacobi symbol (14|1275). Is 14 a quadratic
residue modulo 1275? Why or why not?
The Jacobi symbol too respects residue classes, for if a Qb (mod n)
then
Q a b (mod pi ) for each prime pi dividing n, thus (a|n) = (a|pi ) =
(b|pi ) = (b|n). Surprisingly enough, the Jacobi symbol furthermore enjoys
the main properties of the Legendre symbol given in the previous section,
including the law of reciprocity.
ISBN 1419687352 59

Theorem 6.7. With the Jacobi symbol, for any odd number n > 0,
1) (ab|n) = (a|n)(b|n)
2) (1|n) = (1)(n1)/2
2
3) (2|n) = (1)(n 1)/8

4) (m|n) = (n|m)(1)(m1)(n1)/4 if m is also an odd positive number.

Q
Proof. Let n = pi with odd Q prime factors,
Q not assumed distinct. The first
equality holds as (ab|n) = (ab|pi ) = (a|pi )(b|pi ) = (a|n)(b|n).
Now for each factor, (1|pi ) = 1 if and only if pi [1]4 , with plus or
minus, respectively. (See Corollary 6.2 or Exercise 5.22.) Then, (1|n) = 1
if and only if the case pi [1]4 occurs an even number of times, which is
equivalent to having n % 4 = 1. This is the fact expressed in (2).
Similarly, by Proposition 6.4, (2|pi ) = 1 when pi [1]8 , and (2|pi ) = 1
if pi [3]8 . Note that for any pair x, y [3]8 , we have xy [1]8 .
Therefore, (2|n) = 1 if and
Q only if n 1 (mod 8), proving (3).
For (4), write m = qj where, again, there may be repeated prime
factors. Assume also that gcd(m, n) = 1, or else (m|n) = (n|m) = 0. Then
m  n  Y Y p  q  Y Y
i j
= = (1)(pi 1)(qj 1)/4
n m qj pi

This quantity is 1 if and only if there is an odd number of pairs (pi , qj )

with both primes in the class [1]4 (Exercise 6.11). Equivalently, this occurs
when both m and n each has an odd number of prime factors in this class,
i.e., when m n 1 (mod 4). Hence, (m|n)(n|m) = (1)(m1)(n1)/4 .
Example. We reconsider the evaluation of the Legendre symbol (4459|6247),
this time with the help of Jacobi symbols.
       2    
4459 6247 1788 2 447 4459
= = = =
6247 4459 4459 4459 4459 447
   2        
436 2 109 447 11 109
= = = = =
447 447 447 109 109 11
        
10 2 5 109 4
= = = (1)1485 =
109 109 109 5 5

The same conclusion, (4459|6247) = 1. But note that neither 4459 nor
447 is prime, and that the only factoring needed is for the even factors.
Exercise 6.17. Evaluate the Jacobi symbol (1939|29391).
60 Theory of Numbers

Exercise 6.18. Redo Exercise 6.13 with the help of Jacobi symbols.

Recall Exercise 6.3(b), which says that quadratic residues and non-
residues modulo n > 2 are equally many, provided that we have primitive
roots. The next problem claims that the Jacobi symbol (a|n) takes on the
values 1 equally many times, if n has no repeated prime factors.

Exercise 6.19. Let n be the product of distinct odd primes.

a) Show that (a|n)
P = 1 for some a relatively prime to n.
b) Prove that (ai |n) = 0 over any reduced residue system modulo n.
c) Conclude that (x|n) = 1 each has (n)/2 incongruent solutions.
d) Find a counter-example for (c) where n is divisible by a square.

6.3 Extracting Square Roots

Having developed the tools to answer the existence question, we turn now to
the actual problem of finding the modular square roots. If a is a quadratic
residue modulo the odd prime p, then Corollary 5.9 says that the congruence
x2 a (mod p) has exactly two solutions given by [x0 ]p , for any particular
solution x0 . Still, this knowledge does not readily reveal the value of x0 ,
except in the following special case.

Theorem 6.8. If (a|p) = 1 and p % 4 = 3, then there are exactly two

solutions to the congruence x2 a (mod p), given by x a(p+1)/4 (mod p).

Proof. By Eulers criterion, (a(p+1)/4 )2 = a(p+1)/2 = a(p1)/2 a a (mod p).

That the two solutions are distinct is clear since p 2a, thus the theorem
follows from Corollary 5.9.

Example. Let us apply Theorem 6.8 to x2 7 (mod 19). We first verify that
(7|19) = (19|7) = (5|7) = (7|5) = (2|5) = 1, and that 19 % 4 = 3.
A particular solution is x0 = 7(19+1)/4 = 75 = 16807. One solution class is
given by [16807]19 = [11]19 , and the other by [11]19 = [8]19 .

Exercise 6.20. Solve the following congruences.

a) x2 2 (mod 23)
b) x2 8 (mod 83)
c) x2 2x + 3 0 (mod 11)
d) 2x2 + x + 2 0 (mod 31)

The case p % 4 = 1 is generally rather complex, but half of the time,

when p % 8 = 5, it is yet manageable without needing special algorithms.
ISBN 1419687352 61

Theorem 6.9. Suppose that (a|p) = 1 and p % 8 = 5. Let r = a(p+3)/8 .

Then either r or 2(p1)/4 r is a solution to the congruence x2 a (mod p).
Proof. In this case (2|p) = 1, (Proposition 6.4) so 2(p1)/2 1 (mod p)
by Eulers criterion. And now, the congruence r4 = a(p1)/2 a2 a2 (mod p)
implies that r2 a (mod p). (See Exercise 3.12.) If r2 a (mod p), then
2(p1)/4 r is a solution to x2 a (mod p).
Example. Let us solve x2 5 (mod 29), noting that 29 % 8 = 5. We have
here r = 54 % 29 = 16. As we check, 162 % 29 = 24 5 (mod 29), hence
the multiplier 27 % 29 = 12 is needed. A particular solution is then x0 =
12 16 = 192, yielding the two classes of solution, [192]29 = [11]29 .
Exercise 6.21. Solve the congruence x2 33 (mod 101).
With the last theorem, the problem of extracting square roots modulo
p is left to the case p % 8 = 1. A complete treatment of this topic can be
found in Appendix D. For now, instead, we demonstrate how one might find
square roots modulo the product of two distinct primes.
Example. Solve the congruence x2 54 (mod 115), given that 115 = 5 23.
By the Chinese remainder theorem, the congruence is equivalent to the pair
below, whose solutions can each be found using Theorems 6.8 and 6.9.

y 2 54 4 (mod 5) y 2 (mod 5)
2
z 54 8 (mod 23) z 13 (mod 23)

And by the Chinese remainder theorem again, we conclude that there is a

total of four distinct solutions modulo 115,

y +2 (mod 5) and z +13 (mod 23) x +82 (mod 115)

y +2 (mod 5) and z 13 (mod 23) x 13 (mod 115)
y 2 (mod 5) and z +13 (mod 23) x +13 (mod 115)
y 2 (mod 5) and z 13 (mod 23) x 82 (mod 115)

Note that this divide-and-conquer technique clearly generalizes to any

modulus which factors into three or more distinct primes.
Exercise 6.22. Solve these congruences, modulo n = pq.
a) x2 10 (mod 21)
b) x2 29 (mod 35)
c) x2 31 (mod 55)
d) x2 106 (mod 119)
e) x2 102 (mod 341)
62 Theory of Numbers

Exercise 6.23. Using the Chinese remainder theorem, show that if a is

a quadratic residue modulo an odd composite n, then x2 a (mod n) has
exactly 2t incongruent solutions, where t is the number of distinct prime
divisors of n. Then find all the solutions to x2 1 (mod 7425).

6.4 Electronic Coin Tossing [Project 6]

In a game of coin tossing, two players have a fifty-fifty chance of winning
by betting on the outcome, either head or tail. How can this game be
played electronically, over email for instance? This was answered in 1982 by
M. Blum.
Alia selects two large primes p and q, both from the class [3]4 , and sends
the product n = pq to Bob. In turn, Bob chooses an integer h < n and
sends a = h2 % n to Alia. Using Theorem 6.8 plus the Chinese remainder
theorem, Alia is able to solve x2 a (mod n) and find the four square roots,
in the forms x1 h (mod n) and x2 t (mod n).
Now Alia must guess Bobs number, either h or t. If Alia sends h to Bob,
Alia wins. If, however, she bets on t then Bob wins, and he shall prove his
victory by factoring n, which supposedly only Alia knows. How will Bob do
it? Knowing both h and t, Bob simply computes gcd(h t, n) in no time2
using the Euclidean algorithm, and that will give him p and q.
Project 6.4.1. Justify each claim assumed in this protocol and illustrate
it using your own numerical example. By the way, though not needed in
this context, show that exactly one of the four numbers, h and t, is a
quadratic residue modulo n.
Project 6.4.2. Do a library or internet research on how to devise a similar
protocol for playing poker over the telephone!

2 Well, in at most O(log2 n) time.