Chapter 8

Quadratic Residues

8.1 Quadratic residues

Let n > 1 be a given positive integer, and gcd(a, n) = 1. We say that a ∈ Z•n is a quadratic
residue mod n if the congruence x2 ≡ a mod n is solvable. Otherwise, a is called a
quadratic nonresidue mod n.

1. If a and b are quadratic residues mod n, so is their product ab.

2. If a is a quadratic residue, and b a quadratic nonresidue mod n, then ab is a quadratic

nonresidue mod n.

3. The product of two quadratic nonresidues mod n is not necessarily a quadratic residue
mod n. For example, in Z•12 = {1, 5, 7, 11}, only 1 is a quadratic residue; 5, 7, and
11 ≡ 5 · 7 are all quadratic nonresidues.

Proposition 8.1. Let p be an odd prime, and p  a. The quadratic congruence ax2 +bx+c ≡
0 mod p is solvable if and only if (2ax + b)2 ≡ b2 − 4ac mod p is solvable.

Theorem 8.2. Let p be an odd prime. Exactly one half of the elements of Z•p are quadratic
residues.

Proof. Each quadratic residue modulo p is congruent to one of the following 12 (p − 1)

residues.
 2
2 2 2 p−1
1 , 2 , ...,k , ..., .
2

We show that these residue classes are all distinct. For 1 ≤ h < k ≤ p−1 2
, h2 ≡ k 2 mod p
if and only if (k − h)(h + k) is divisible by p, this is impossible since each of k − h and
h + k is smaller than p.

Corollary 8.3. If p is an odd prime, the product of two quadratic nonresidues is a quadratic
residue.
46 Quadratic Residues

8.2 The Legendre symbol

Let p be an odd prime. For an integer a, we define the Legendre symbol

  
a +1, if a is a quadratic residue mod p,
:=
p −1, otherwise.
    
ab a b
Lemma 8.4. p
= p p
.

Proof. This is equivalent to saying that modulo p, the product of two quadratic residues
(respectively nonresidues) is a quadratic residue, and the product of a quadratic residue and
a quadratic nonresidue is a quadratic nonresidue.
  1
−1
For an odd prime p, p
= (−1) 2 (p−1) . This is a restatement of Theorem 8.6 that −1
is a quadratic residue mod p if and only if p ≡ 1 mod 4.

Theorem 8.5 (Euler). Let p be an odd prime. For each integer a not divisible by p,
 
a 1
≡ a 2 (p−1) mod p.
p

Proof. Suppose a is a quadratic nonresidue mod p. The mod p residues 1, 2, . . . , p − 1 are

partitioned into pairs satisfying xy = a. In this case,
1
(p − 1)! ≡ a 2 (p−1) mod p.

On the other hand, if a is a quadratic residue, with a ≡ k 2 ≡ (p − k)2 mod p, apart from
0, ±k, the remaining p − 3 elements of Zp can be partitioned into pairs satisfying xy = a.
1 1
(p − 1)! ≡ k(p − k)a 2 (p−3) ≡ −a 2 (p−1) mod p.

Summarizing, we obtain
 
a 1
(p − 1)! ≡ − a 2 (p−1) mod p.
p

Note that by putting a = 1, we obtain

  Wilson’s theorem: (p − 1)! ≡ −1 mod p. By
comparison, we obtain a formula for ap :
 
a 1
≡ a 2 (p−1) mod p.
p
8.3 −1 as a quadratic residue mod p 47

8.3 −1 as a quadratic residue mod p

Theorem 8.6. Let p be an odd prime. −1 is a quadratic residue modp if and only if
p ≡ 1 mod 4.
p−1
Proof. If x2 ≡ −1 mod p, then (−1) 2 ≡ xp−1 ≡ 1 mod p by Fermat’s little theorem.
This means that p−1
2
is even, and p ≡ 1 mod 4.
Conversely, if p ≡ 1 mod 4, the integer p−1
2
is even. By Wilson’s theorem,
p−1 p−1 p−1

p−1 2 
2 
2 
2

(( )!) = j2 = j · (−j) ≡ j · (p − j) = (p − 1)! ≡ −1 mod p.

2 i=1 i=1 i=1

The solutions of x2 ≡ −1 mod p are therefore x ≡ ±( p−1

2
)!.
Here are the square roots of −1 mod p for the first 20 primes of the form 4k + 1:
√ √ √ √ √
p −1 p −1 p −1 p −1 p −1
5 ±2 13 ±5 17 ±4 29 ±12 37 ±6
41 ±9 53 ±23 61 ±11 73 ±27 89 ±34
97 ±22 101 ±10 109 ±33 113 ±15 137 ±37
149 ±44 157 ±28 173 ±80 181 ±19 193 ±81

Theorem 8.7. There are infinitely many primes of the form 4n + 1.

Proof. Suppose there are only finitely many primes p1 , p2 , . . . , pr of the form 4n + 1.
Consider the product
P = (2p1 p2 · · · pr )2 + 1.
Note that P ≡ 1 mod 4. Since P is greater than each of p1 , p2 , . . . , pr , it cannot be prime,
and so must have a prime factor p different from p1 , p2 , . . . , pr . But then modulo p, −1 is
a square. By Theorem 8.6, p must be of the form 4n + 1, a contradiction.
In the table below we list, for primes < 50, the quadratic residues and their square
roots. It is understood that the square roots come in pairs. For example, the entry (2,7)
for the prime 47 should be interpreted as saying that the two solutions of the congruence
x2 ≡ 2 mod 47 are x ≡ ±7 mod 47. Also, for primes of the form p = 4n + 1, since −1 is
a quadratic residue modulo p, we only list quadratic residues smaller than p2 . Those greater
than p2 can be found with the help of the square roots of −1.
48 Quadratic Residues

Quadratic residues mod p and their square roots

3 (1, 1)
5 (−1, 2) (1, 1)
7 (1, 1) (2, 3) (4, 2)
11 (1, 1) (3, 5) (4, 2) (5, 4) (9, 3)
13 (−1, 5) (1, 1) (3, 4) (4, 2)
17 (−1, 4) (1, 1) (2, 6) (4, 2) (8, 5)
19 (1, 1) (4, 2) (5, 9) (6, 5) (7, 8) (9, 3) (11, 7) (16, 4)
(17, 6)
23 (1, 1) (2, 5) (3, 7) (4, 2) (6, 11) (8, 10) (9, 3) (12, 9)
(13, 6) (16, 4) (18, 8)
29 (−1, 12) (1, 1) (4, 2) (5, 11) (6, 8) (7, 6) (9, 3) (13, 10)
31 (1, 1) (2, 8) (4, 2) (5, 6) (7, 10) (8, 15) (9, 3) (10, 14)
(14, 13) (16, 4) (18, 7) (19, 9) (20, 12) (25, 5) (28, 11)
37 (−1, 6) (1, 1) (3, 15) (4, 2) (7, 9) (9, 3) (10, 11) (11, 14) (12, 7)
(16, 4)
41 (−1, 9) (1, 1) (2, 17) (4, 2) (5, 13) (8, 7) (9, 3) (10, 16) (16, 4)
(18, 10) (20, 15)
43 (1, 1) (4, 2) (6, 7) (9, 3) (10, 15) (11, 21) (13, 20) (14, 10)
(15, 12) (16, 4) (17, 19) (21, 8) (23, 18) (24, 14) (25, 5) (31, 17)
(35, 11) (36, 6) (38, 9) (40, 13) (41, 16)
47 (1, 1) (2, 7) (3, 12) (4, 2) (6, 10) (7, 17) (8, 14) (9, 3)
(12, 23) (14, 22) (16, 4) (17, 8) (18, 21) (21, 16) (24, 20) (25, 5)
(27, 11) (28, 13) (32, 19) (34, 9) (36, 6) (37, 15) (42, 18)

8.4 The law of quadratic reciprocity

  8.8 (Gauss’ Lemma). Let p be an odd prime, and a an integer not divisible by
Proposition
p. Then ap = (−1)μ where μ is the number of residues among

p−1
a, 2a, 3a, . . . . . . , a
2
p
falling in the range 2
< x < p.

Proof. Every residue modulo p has a unique representative with least absolute value, namely,
the one in the range − p−12
≤ x ≤ p−1
2
. The residues described in the statement of Gauss’
Lemma are precisely those whose representatives are negative. Now, among the represen-
tatives of the residues of
p−1
a, 2a, · · · a,
2
say, there are λ positive ones,
r1 , r2 , . . . , rλ ,
and μ negative ones
−s1 , −s2 , . . . , −sμ .
p−1
Here, λ + μ = 2
, and 0 < ri , sj < p2 .
8.4 The law of quadratic reciprocity 49

Note that no two of the r’s are equal; similarly for the s’s. Suppose that ri = sj for
some indices i and j. This means
ha ≡ ri mod p; ka ≡ −sj mod p
for some h, k in the range 0 < h, k < 12 (p − 1). Note that (h + k)a ≡ 0 mod p. But this
is a contradiction since h + k < p − 1 and p does not divide a. It follows that
r1 , r2 , . . . , r λ , s 1 , s 2 , . . . , s μ
are a permutation of 1, 2, . . . , 12 (p − 1). From this
p−1 p−1
a = (−1)μ 1 · 2 · · ·
a · 2a · · · ,
2 2
1
 
and a 2 (p−1) = (−1)μ . By Theorem 8.5, ap = (−1)μ .

Example 8.1. Let p = 19 and a = 5. We consider the first 9 multiples of 5 mod 19. These
are
5, 10, 15, 20 ≡ 1, 25 ≡ 6, 30 ≡ 11, 35 ≡ 16, 40 ≡ 2, 45 ≡ 7.
5
4 of these exceed 9, namely, 10, 15, 11, 16. It follows that 19 = 1; 5 is a quadratic residue
1
mod 19.
Theorem 8.9.  
2 1 1 2
= (−1) 4 (p+1) = (−1) 8 (p −1) .
p
Equivalently,
  
2 +1 if p ≡ ±1 mod 8,
=
p −1 if p ≡ ±3 mod 8.
Proof. We need to see how many terms in the sequence
p−1
2 · 1, 2 · 2, 2 · 3, ..., 2·
2
are in the range p2 < x < p. If p = 4k + 1, these are the numbers 2k + 2, . . . , 4k, and there
are k of them. On the other hand, if p = 4k + 3, these are the numbers 2k + 2, . . . , 4k + 2,
and there are k + 1 of them. In each case, the number of terms is [ 14 (p + 1)].
Example 8.2. Square root of 2 mod p for the first 20 primes of the form 8k ± 1.
√ √ √ √ √
p 2 p 2 p 2 p 2 p 2
7 3 17 6 23 5 31 8 41 17
47 7 71 12 73 32 79 9 89 25
97 14 103 38 113 51 127 16 137 31
151 46 167 13 191 57 193 52 199 20

Proposition 8.10 (Euler). Let p > 3 be a prime number of the form 4k + 3. If q = 2p + 1

is also prime, then the Mersenne number Mp = 2p − 1 has a prime factor 2p + 1 and is
composite.
1
Indeed 5 ≡ 92 mod 19.
50 Quadratic Residues

Proof. Note that the prime q is of the form 8k + 7, and so admits 2 as a quadratic residue.
By Theorem 8.9,  
p 1
(q−1) 2
2 = 22 ≡ = 1 mod q.
q
This means that q = 2p + 1 divides Mp = 2p − 1. If p > 3, 2p + 1 < 2p − 1, and Mp is
composite.

For example, M11 = 211 − 1 is divisible by 23 since 23 = 2 · 11 + 1 is prime. Similarly,

M23 = 223 − 1 is divisible by 47, and M83 = 283 − 1 is divisible by 167.
Theorem 8.11 (Law of quadratic reciprocity). Let p and q be distinct odd primes.
  
p q p−1 q−1
= (−1) 2 · 2 .
q p
Equivalently, when at least one of p, q ≡ 1 mod 4, p is a quadratic residue mod q if and
only if q is a quadratic residue mod p. 2
Proof. (1) Let a be an integer not divisible by p. Suppose, as in the proof of Gauss’ Lemma
above, of the residues a, 2a, . . . p−1 2
a, the positive least absolute value representatives are
r1 , r2 , . . . , rλ , and the negative ones are −s1 , −s2 , . . . , −sμ . The numbers a, 2a, . . . , p−1
2
a
are a permutation of

hi a
p + ri , i = 1, 2, . . . , λ,
p
and

kj a
p + (p − sj ), j = 1, 2, . . . , μ,
p
p−1
where h1 , . . . , hλ , k1 , . . . , kμ are a permutation of 1, 2, . . . , 2
. Considering the sum of
these numbers, we have


ma  
1 1
(p−1) (p−1) μ
2 2 λ 
a· m =p + ri + (p − sj )
m=1 m=1
p i=1 j=1


ma  
1
(p−1) μ μ
2 λ  
=p + ri + sj + (p − 2sj )
m=1
p i=1 j=1 j=1


ma  2 
1 1
(p−1) (p−1) μ
2 
=p + m+μ·p−2 sj .
m=1
p m=1 j=1

In particular, if a is odd, then


ma 
1
2
(p−1)

μ≡ mod 2,
m=1
p
2
For p ≡ q ≡ 3 mod 4, p is a quadratic residue mod q if and only if q is a quadratic nonresidue mod p.
8.4 The law of quadratic reciprocity 51

and by Gauss’ lemma,

 
a  12 (p−1) ma
= (−1) m=1  p  .
p
(2) Therefore, for distinct odd primes p and q, we have
 
q  12 (p−1) mq
= (−1) m=1  p  ,
p

and  
p  12 (q−1) np
= (−1) n=1  q  .
q

q
2

2
1

1 2 m p
2
(3) In the diagram above, we consider the lattice points (m, n) with 1 ≤ m ≤ p−1 2
and
q−1 p−1 q−1
1 ≤ n ≤ 2 . There are altogether 2 · 2 such points forming a rectangle. These points
are separated by the line L of slope pq through the point (0,0).
For each m = 1, 2, . . . , p−1 , the number of points in the vertical line through (m, 0) un-
12 (p−1)  mq 
2
der L is  mq
p
. Therefore, the total number of points under L is m=1 p
. Similarly,

2 (q−1) np
1 
the total number of points on the left side of L is n=1 q
. From these, we have


mq  2 (q−1)

1 1
2
(p−1)
np p−1 q−1
+ = · .
m=1
p n=1
q 2 2

It follows that   
p q p−1 q−1
= (−1) 2 · 2 .
q p

The law of quadratic reciprocity can be recast into the following form:
⎧  
  ⎨
p − pq , if p ≡ q ≡ 3 mod 4,
=  
q ⎩+ q , otherwise.
p
52 Quadratic Residues

Examples
 59
   7  
1. = − 131
131 59
= − 13
59
= − 59
13
= − 13 = − 13 7
= − −1
7
= −(−1) = 1.
  2  17 2
2. 34
97
= 97 97 . Now, 97 = +1 by Theorem 8.9, and
              
17 97 12 3 4 3 17 2
= = = = = = = −1.
97 17 17 17 17 17 3 3

3. For which primes p is 3 a quadratic residue ?

  p
3 p−1 1
= (−1) 2 = (−1)k+ 2 (−1)  = (−1)k
p 3
provided p = 6k + ,  = ±1. This means 3 is a quadratic residue mod p if and only
if k is even, i.e., p = 12m ± 1.
Chapter 9

Calculation of Square Roots

9.1 Square roots modulo p

 
a
1. Let p be a prime of the form 4k + 3. If p
= 1, then the square roots of a mod p
1
are ±a 4 (p+1) .

Proof.  
 1
2 1 1 a
(p+1) (p+1) (p−1)
a 4 ≡a 2 =a 2 ·a= a = a mod p.
p

 
a
2. Let p be a prime of the form 8k + 5. If p
= 1, then the square roots of a mod p are

1 1
• ±a 8 (p+3) if a 4 (p−1) ≡ 1 mod p,
1 1 1
• ±2 4 (p−1) · a 8 (p+3) if a 4 (p−1) ≡ −1 mod p.

Proof. Note that

 1
2 1 1
(p+3)
a 8 ≡ a 4 (p+3) = a 4 (p−1) · a mod p.
  1 1
a
Since p
= a 2 (p−1) ≡ 1 mod p, we have a 4 (p−1) ≡ ±1 mod p.
1 1
If a 4 (p−1) ≡ 1 mod p, then this gives a 8 (p+3) as a square root of a mod p.
1
If a 4 (p−1) ≡ −1 mod p, then we have
 1 2  y   1 2  1 1
2
(p+3)
a ≡ − a8 ≡ a 8 (p+3) ≡ y 4 (p−1) a 8 (p+3)
p

for any quadratic nonresidue y mod p. Since p ≡ 5 mod 8, we may simply take
y = 2.
54 Calculation of Square Roots

Examples

1. Let p = 23. Clearly 2 is a quadratic residue mod 23. The square roots of 2 are
±26 ≡ ±18 ≡ ∓5 mod 23.

2. Let p = 29. Both 6 and 7 are quadratic residues mod 29.

Since 77 ≡ 1 mod 29, the square root of 7 are ±74 ≡ ±23 ∓ 6 mod 29.
On the other hand, Since 67 ≡ −1 mod 29, the square roots of 6 are ±27 · 64 ≡
±12 · 20 ≡ ±8 mod 29.

Proposition 9.1. Let p be an odd prime and p − 1 = 2λ u, u odd. Consider the congruence
x2 ≡ a mod p. Let b be any quadratic nonresidue mod p. Assume that au ≡ ±1 mod p,
μ
and that μ > 1 is the smallest integer for which (au )2 ≡ −1 mod p.
(a) If μ = λ − 1, then the congruence has no solution.
λ−μ−1 k
(b) If μ ≤ λ − 2, then au ≡ (bu )2 for some odd number k < 2μ+1 . The solutions of
the congruence are
1 λ−μ−2 (2μ+1 −k)u
x ≡ ±a 2 (u+1) b2 mod p.

Example 9.1. Consider the congruence x2 ≡ 215 mod 257. Here 257 − 1 = 28 · 1. In the
notation of the above theorem, u = 1. With a = 215, the order of au = 215 modulo 257 is
128:
2152 ≡ 222; 2154 ≡ 197; 2158 ≡ 2;
21516 ≡ 4; 21532 ≡ 16; 21564 ≡ 256 ≡ −1.
This means μ = 6. Let b = 3, a quadratic nonresidue of 257. The successive powers of
bu ≡ 3 are, modulo 257,

32 ≡ 9; 34 ≡ 81; 38 ≡ 136;
316 ≡ 249; 332 ≡ 64; 364 ≡ 241;
128
3 ≡ 256 ≡ −1.
λ−μ−1
Now, au = 215 should be an odd power of (bu )2 ≡ 32 ≡ 9. In fact,

93 ≡ 729 ≡ 215 mod 257.

This means k = 3. The solutions of the congruence are

0 (27 −3)
x ≡ ±215 · 32 ≡ ±215 · 3125 ≡ · · · ≡ ±230 ≡ 27 mod 257.

9.2 Square roots modulo an odd prime power

The quadratic congruence x2 ≡ 2 mod 7 clearly has solutions x ≡ ±3 mod 7. We want to
solve the congruence x2 ≡ 2 mod 72 by seeking a solution of the form x ≡ 3 + 7b.

2 ≡ (3 + 7b)2 = 9 + (6b) · 7 + b2 · 72 = 2 + (1 + 6b) · 7 mod 72

Choose b so that 1 + 6b ≡ 0 mod 7. This gives b ≡ 1 mod 7 and x ≡ 10 mod 72 .
9.3 Squares modulo 2k 55

Exercise

1. Find the squares modulo 49.

Answer. Squares modulo 49:

2 9 16 23 30 37 44
10 3 45 38 31 24 17

2. Proceed to solve the congruences x2 ≡ 2 mod 73 . and x2 ≡ 2 mod 74 .

Proposition 9.2. Let p be an odd prime. Suppose x2 = a mod pk has solution x ≡ ck mod
a−c2
pk . Let γ be the multiplicative inverse of 2c1 ∈ Z•p . Then with bk ≡ γ · pk k mod p, We
have a solution ck+1 = ck + bk pk mod pk+1 of x2 ≡ a mod pk+1 .

Example 9.2. The solutions of the congruences x2 ≡ 12345 mod 7k for k ≤ 8 are as
follows:

k 1 2 3 4 5 6 7 8
x mod 7k 2 37 37 380 5182 89217 677462 3148091
The base 7 expansions of these solutions are x ≡ ±12355210527 .

9.3 Squares modulo 2k

Here are the squares modulo 2k , up to k = 7.

Z4 : 0, 1,
Z8 : 4,
Z16 : 9,
Z32 : 16, 17, 25,
Z64 : 33, 36, 41, 49, 57,
Z128 : 64, 65, 68, 73, 81, 89, 97, 100, 105, 113, 121.
It is easy to see that the analogue of Proposition xxx is no longer true. For example, 1
is clearly a square of Z4 ; but 5 = 1 + 4 is not a square in Z8 .
Suppose c ∈ Z2k is a square. Let h be the smallest integer such that c = (a + 2h )2 for
some a ∈ Z2h−1 . Since c = (a + 2h )2 = a2 + 2h+1 a + 22h , we must have h + 1 < k, and
h ≤ k − 2.
From this, we infer that 5 is not a square, and the squares in Z8 are 0, 1, 4. Also, apart
from these, the squares in Z16 are 42 = 0, 52 = 9, 62 = 4, and 72 = 1. This means that the
squares in Z16 are 0, 1, 4 and 9.

Proposition 9.3. Let k ≥ 3. For every square c ∈ Z•2k , c + 2k is a square in Z•2k+1 .

Proof. Clearly, if c = 1, c + 2k = 1 + 2k = (1 + 2k−1 )2 ∈ Z2k+1 . If c = 1, we write c =

(a+2h )2 for 1 ≤ h ≤ k −2 and a ∈ Z2k−3 . Then, (a+2h +2k−1 )2 = c+2k (a+2h )+22k−2 .
Since a is a unit, modulo 2k+1 , this is c + 2k .
56 Calculation of Square Roots

Corollary 9.4. A residue given in binary expansion

a = (ak−1 ak−2 · · · a1 a0 )2 ,

is a quadratic residue mod 2k if and only if on the right of the rightmost digit 1 there is an
even number (possibly none) of zeros, and on its left there are at least two zeros.