Quadratic residue

In number theory, an integer q is called a quadratic residue modulo n if it is congruent to a perfect square modulo n; i.e., if there exists an integer x such that:

${\displaystyle x^{2}\equiv q{\pmod {n}}.}$

Otherwise, q is called a quadratic nonresidue modulo n.

Originally an abstract mathematical concept from the branch of number theory known as modular arithmetic, quadratic residues are now used in applications ranging from acoustical engineering to cryptography and the factoring of large numbers.

History, conventions, and elementary facts

Fermat, Euler, Lagrange, Legendre, and other number theorists of the 17th and 18th centuries established theorems ^[1] and formed conjectures ^[2] about quadratic residues, but the first systematic treatment is § IV of Gauss's Disquisitiones Arithmeticae (1801). Article 95 introduces the terminology "quadratic residue" and "quadratic nonresidue", and states that if the context makes it clear, the adjective "quadratic" may be dropped.

For a given n a list of the quadratic residues modulo n may be obtained by simply squaring the numbers 0, 1, ..., n− 1. Because a² ≡ (n−a)² (mod n), the list of squares modulo n is symmetric around n/2, and the list only needs to go that high. This can be seen in the table below.

Thus, the number of quadratic residues modulo n cannot exceed n/2 + 1 (n even) or (n + 1)/2 (n odd). ^[3]

The product of two residues is always a residue.

Prime modulus

Modulo 2, every integer is a quadratic residue.

Modulo an odd prime number p there are (p + 1)/2 residues (including 0) and (p− 1)/2 nonresidues, by Euler's criterion. In this case, it is customary to consider 0 as a special case and work within the multiplicative group of nonzero elements of the field ${\displaystyle (\mathbb {Z} /p\mathbb {Z} )}$. (In other words, every congruence class except zero modulo p has a multiplicative inverse. This is not true for composite moduli.) ^[4]

Following this convention, the multiplicative inverse of a residue is a residue, and the inverse of a nonresidue is a nonresidue. ^[5]

Following this convention, modulo an odd prime number there are an equal number of residues and nonresidues. ^[4]

Modulo a prime, the product of two nonresidues is a residue and the product of a nonresidue and a (nonzero) residue is a nonresidue. ^[5]

The first supplement ^[6] to the law of quadratic reciprocity is that if p ≡ 1 (mod 4) then −1 is a quadratic residue modulo p, and if p ≡ 3 (mod 4) then −1 is a nonresidue modulo p. This implies the following:

If p ≡ 1 (mod 4) the negative of a residue modulo p is a residue and the negative of a nonresidue is a nonresidue.

If p ≡ 3 (mod 4) the negative of a residue modulo p is a nonresidue and the negative of a nonresidue is a residue.

Prime power modulus

All odd squares are ≡ 1 (mod 8) and thus also ≡ 1 (mod 4). If a is an odd number and m = 8, 16, or some higher power of 2, then a is a residue modulo m if and only if a ≡ 1 (mod 8). ^[7]

For example, mod (32) the odd squares are

1²≡ 15²≡ 1

3²≡ 13²≡ 9

5²≡ 11²≡ 25

7²≡ 9²≡ 49 ≡ 17

and the even ones are

0²≡ 8²≡ 16²≡ 0

2²≡ 6²≡ 10²≡ 14²≡ 4

4²≡ 12²≡ 16.

So a nonzero number is a residue mod 8, 16, etc., if and only if it is of the form 4^k(8n + 1).

A number a relatively prime to an odd prime p is a residue modulo any power of p if and only if it is a residue modulo p. ^[8]

If the modulus is pⁿ,

then p^ka

is a residue modulo pⁿ if k≥n

is a nonresidue modulo pⁿ if k<n is odd

is a residue modulo pⁿ if k<n is even and a is a residue

is a nonresidue modulo pⁿ if k<n is even and a is a nonresidue. ^[9]

Notice that the rules are different for powers of two and powers of odd primes.

Modulo an odd prime power n = p^k, the products of residues and nonresidues relatively prime to p obey the same rules as they do mod p; p is a nonresidue, and in general all the residues and nonresidues obey the same rules, except that the products will be zero if the power of p in the product ≥ n.

Modulo 8, the product of the nonresidues 3 and 5 is the nonresidue 7, and likewise for permutations of 3, 5 and 7. In fact, the multiplicative group of the non-residues and 1 form the Klein four-group.

Composite modulus not a prime power

The basic fact in this case is

if a is a residue modulo n, then a is a residue modulo p^k for every prime power dividing n.

if a is a nonresidue modulo n, then a is a nonresidue modulo p^k for at least one prime power dividing n.

Modulo a composite number, the product of two residues is a residue. The product of a residue and a nonresidue may be a residue, a nonresidue, or zero.

For example, from the table for modulus 6  1, 2, 3, 4, 5 (residues in bold).

The product of the residue 3 and the nonresidue 5 is the residue 3, whereas the product of the residue 4 and the nonresidue 2 is the nonresidue 2.

Also, the product of two nonresidues may be either a residue, a nonresidue, or zero.

For example, from the table for modulus 15  1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 (residues in bold).

The product of the nonresidues 2 and 8 is the residue 1, whereas the product of the nonresidues 2 and 7 is the nonresidue 14.

This phenomenon can best be described using the vocabulary of abstract algebra. The congruence classes relatively prime to the modulus are a group under multiplication, called the group of units of the ring ${\displaystyle (\mathbb {Z} /n\mathbb {Z} )}$, and the squares are a subgroup of it. Different nonresidues may belong to different cosets, and there is no simple rule that predicts which one their product will be in. Modulo a prime, there is only the subgroup of squares and a single coset.

The fact that, e.g., modulo 15 the product of the nonresidues 3 and 5, or of the nonresidue 5 and the residue 9, or the two residues 9 and 10 are all zero comes from working in the full ring ${\displaystyle (\mathbb {Z} /n\mathbb {Z} )}$, which has zero divisors for composite n.

For this reason some authors ^[10] add to the definition that a quadratic residue a must not only be a square but must also be relatively prime to the modulus n. (a is coprime to n if and only if a² is coprime to n.)

Although it makes things tidier, this article does not insist that residues must be coprime to the modulus.

Notations

Gauss ^[11] used R and N to denote residuosity and non-residuosity, respectively;

for example, 2 R 7 and 5 N 7, or 1 R 8 and 3 N 8.

Although this notation is compact and convenient for some purposes, ^{[12] [13]} a more useful notation is the Legendre symbol, also called the quadratic character, which is defined for all integers a and positive odd prime numbers p as

${\displaystyle \left({\frac {a}{p}}\right)={\begin{cases}\;\;\,0&{\text{ if }}p{\text{ divides }}a\\+1&{\text{ if }}a\operatorname {R} p{\text{ and }}p{\text{ does not divide }}a\\-1&{\text{ if }}a\operatorname {N} p{\text{ and }}p{\text{ does not divide }}a\end{cases}}}$

There are two reasons why numbers ≡ 0 (mod p) are treated specially. As we have seen, it makes many formulas and theorems easier to state. The other (related) reason is that the quadratic character is a homomorphism from the multiplicative group of nonzero congruence classes modulo p to the complex numbers under multiplication. Setting ${\displaystyle ({\tfrac {np}{p}})=0}$ allows its domain to be extended to the multiplicative semigroup of all the integers. ^[14]

One advantage of this notation over Gauss's is that the Legendre symbol is a function that can be used in formulas. ^[15] It can also easily be generalized to cubic, quartic and higher power residues. ^[16]

There is a generalization of the Legendre symbol for composite values of p, the Jacobi symbol, but its properties are not as simple: if m is composite and the Jacobi symbol ${\displaystyle ({\tfrac {a}{m}})=-1,}$ then a N m, and if a R m then ${\displaystyle ({\tfrac {a}{m}})=1,}$ but if ${\displaystyle ({\tfrac {a}{m}})=1}$ we do not know whether a R m or a N m. For example: ${\displaystyle ({\tfrac {2}{15}})=1}$ and ${\displaystyle ({\tfrac {4}{15}})=1}$, but 2 N 15 and 4 R 15. If m is prime, the Jacobi and Legendre symbols agree.

Distribution of quadratic residues

Although quadratic residues appear to occur in a rather random pattern modulo n, and this has been exploited in such applications as acoustics and cryptography, their distribution also exhibits some striking regularities.

Using Dirichlet's theorem on primes in arithmetic progressions, the law of quadratic reciprocity, and the Chinese remainder theorem (CRT) it is easy to see that for any M > 0 there are primes p such that the numbers 1, 2, ..., M are all residues modulo p.

For example, if p ≡ 1 (mod 8), (mod 12), (mod 5) and (mod 28), then by the law of quadratic reciprocity 2, 3, 5, and 7 will all be residues modulo p, and thus all numbers 1–10 will be. The CRT says that this is the same as p ≡ 1 (mod 840), and Dirichlet's theorem says there are an infinite number of primes of this form. 2521 is the smallest, and indeed 1² ≡ 1, 1046² ≡ 2, 123² ≡ 3, 2² ≡ 4, 643² ≡ 5, 87² ≡ 6, 668² ≡ 7, 429² ≡ 8, 3² ≡ 9, and 529² ≡ 10 (mod 2521).

Dirichlet's formulas

The first of these regularities stems from Peter Gustav Lejeune Dirichlet's work (in the 1830s) on the analytic formula for the class number of binary quadratic forms. ^[17] Let q be a prime number, s a complex variable, and define a Dirichlet L-function as

${\displaystyle L(s)=\sum _{n=1}^{\infty }\left({\frac {n}{q}}\right)n^{-s}.}$

Dirichlet showed that if q ≡ 3 (mod 4), then

${\displaystyle L(1)=-{\frac {\pi }{\sqrt {q}}}\sum _{n=1}^{q-1}{\frac {n}{q}}\left({\frac {n}{q}}\right)>0.}$

Therefore, in this case (prime q ≡ 3 (mod 4)), the sum of the quadratic residues minus the sum of the nonresidues in the range 1, 2, ..., q− 1 is a negative number.

For example, modulo 11,

1, 2, 3, 4, 5, 6, 7, 8, 9, 10 (residues in bold)

1 + 4 + 9 + 5 + 3 = 22, 2 + 6 + 7 + 8 + 10 = 33, and the difference is −11.

In fact the difference will always be an odd multiple of q if q > 3. ^[18] In contrast, for prime q ≡ 1 (mod 4), the sum of the quadratic residues minus the sum of the nonresidues in the range 1, 2, ..., q− 1 is zero, implying that both sums equal ${\displaystyle {\frac {q(q-1)}{4}}}$.^{[ citation needed ]}

Dirichlet also proved that for prime q ≡ 3 (mod 4),

${\displaystyle L(1)={\frac {\pi }{\left(2-\left({\frac {2}{q}}\right)\right)\!{\sqrt {q}}}}\sum _{n=1}^{\frac {q-1}{2}}\left({\frac {n}{q}}\right)>0.}$

This implies that there are more quadratic residues than nonresidues among the numbers 1, 2, ..., (q− 1)/2.

For example, modulo 11 there are four residues less than 6 (namely 1, 3, 4, and 5), but only one nonresidue (2).

An intriguing fact about these two theorems is that all known proofs rely on analysis; no-one has ever published a simple or direct proof of either statement. ^[19]

Law of quadratic reciprocity

Main article: quadratic reciprocity

If p and q are odd primes, then:

((p is a quadratic residue mod q) if and only if (q is a quadratic residue mod p)) if and only if (at least one of p and q is congruent to 1 mod 4).

That is:

${\displaystyle \left({\frac {p}{q}}\right)\left({\frac {q}{p}}\right)=(-1)^{{\frac {p-1}{2}}\cdot {\frac {q-1}{2}}}}$

where ${\displaystyle \left({\frac {p}{q}}\right)}$ is the Legendre symbol.

Thus, for numbers a and odd primes p that don't divide a:

a	a is a quadratic residue mod p if and only if	a	a is a quadratic residue mod p if and only if
1	(every prime p)	−1	p ≡ 1 (mod 4)
2	p ≡ 1, 7 (mod 8)	−2	p ≡ 1, 3 (mod 8)
3	p ≡ 1, 11 (mod 12)	−3	p ≡ 1 (mod 3)
4	(every prime p)	−4	p ≡ 1 (mod 4)
5	p ≡ 1, 4 (mod 5)	−5	p ≡ 1, 3, 7, 9 (mod 20)
6	p ≡ 1, 5, 19, 23 (mod 24)	−6	p ≡ 1, 5, 7, 11 (mod 24)
7	p ≡ 1, 3, 9, 19, 25, 27 (mod 28)	−7	p ≡ 1, 2, 4 (mod 7)
8	p ≡ 1, 7 (mod 8)	−8	p ≡ 1, 3 (mod 8)
9	(every prime p)	−9	p ≡ 1 (mod 4)
10	p ≡ 1, 3, 9, 13, 27, 31, 37, 39 (mod 40)	−10	p ≡ 1, 7, 9, 11, 13, 19, 23, 37 (mod 40)
11	p ≡ 1, 5, 7, 9, 19, 25, 35, 37, 39, 43 (mod 44)	−11	p ≡ 1, 3, 4, 5, 9 (mod 11)
12	p ≡ 1, 11 (mod 12)	−12	p ≡ 1 (mod 3)

Pairs of residues and nonresidues

Modulo a prime p, the number of pairs n, n + 1 where n R p and n + 1 R p, or n N p and n + 1 R p, etc., are almost equal. More precisely, ^{[20] [21]} let p be an odd prime. For i, j = 0, 1 define the sets

${\displaystyle A_{ij}=\left\{k\in \{1,2,\dots ,p-2\}:\left({\frac {k}{p}}\right)=(-1)^{i}\land \left({\frac {k+1}{p}}\right)=(-1)^{j}\right\},}$

and let

${\displaystyle \alpha _{ij}=|A_{ij}|.}$

That is,

α₀₀ is the number of residues that are followed by a residue,

α₀₁ is the number of residues that are followed by a nonresidue,

α₁₀ is the number of nonresidues that are followed by a residue, and

α₁₁ is the number of nonresidues that are followed by a nonresidue.

Then if p ≡ 1 (mod 4)

${\displaystyle \alpha _{00}={\frac {p-5}{4}},\;\alpha _{01}=\alpha _{10}=\alpha _{11}={\frac {p-1}{4}}}$

and if p ≡ 3 (mod 4)

${\displaystyle \alpha _{01}={\frac {p+1}{4}},\;\alpha _{00}=\alpha _{10}=\alpha _{11}={\frac {p-3}{4}}.}$

For example: (residues in bold)

Modulo 17

1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16

A₀₀ = {1,8,15},

A₀₁ = {2,4,9,13},

A₁₀ = {3,7,12,14},

A₁₁ = {5,6,10,11}.

Modulo 19

1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18

A₀₀ = {4,5,6,16},

A₀₁ = {1,7,9,11,17},

A₁₀ = {3,8,10,15},

A₁₁ = {2,12,13,14}.

Gauss (1828) ^[22] introduced this sort of counting when he proved that if p ≡ 1 (mod 4) then x⁴ ≡ 2 (mod p) can be solved if and only if p = a² + 64 b².

The Pólya–Vinogradov inequality

The values of ${\displaystyle ({\tfrac {a}{p}})}$ for consecutive values of a mimic a random variable like a coin flip. ^[23] Specifically, Pólya and Vinogradov proved ^[24] (independently) in 1918 that for any nonprincipal Dirichlet character χ(n) modulo q and any integers M and N,

${\displaystyle \left|\sum _{n=M+1}^{M+N}\chi (n)\right|=O\left({\sqrt {q}}\log q\right),}$

in big O notation. Setting

${\displaystyle \chi (n)=\left({\frac {n}{q}}\right),}$

this shows that the number of quadratic residues modulo q in any interval of length N is

${\displaystyle {\frac {1}{2}}N+O({\sqrt {q}}\log q).}$

It is easy ^[25] to prove that

${\displaystyle \left|\sum _{n=M+1}^{M+N}\left({\frac {n}{q}}\right)\right|<{\sqrt {q}}\log q.}$

In fact, ^[26]

${\displaystyle \left|\sum _{n=M+1}^{M+N}\left({\frac {n}{q}}\right)\right|<{\frac {4}{\pi ^{2}}}{\sqrt {q}}\log q+0.41{\sqrt {q}}+0.61.}$

Montgomery and Vaughan improved this in 1977, showing that, if the generalized Riemann hypothesis is true then

${\displaystyle \left|\sum _{n=M+1}^{M+N}\chi (n)\right|=O\left({\sqrt {q}}\log \log q\right).}$

This result cannot be substantially improved, for Schur had proved in 1918 that

${\displaystyle \max _{N}\left|\sum _{n=1}^{N}\left({\frac {n}{q}}\right)\right|>{\frac {1}{2\pi }}{\sqrt {q}}}$

and Paley had proved in 1932 that

${\displaystyle \max _{N}\left|\sum _{n=1}^{N}\left({\frac {d}{n}}\right)\right|>{\frac {1}{7}}{\sqrt {d}}\log \log d}$

for infinitely many d > 0.

Least quadratic non-residue

The least quadratic residue mod p is clearly 1. The question of the magnitude of the least quadratic non-residue n(p) is more subtle, but it is always prime, with 7 appearing for the first time at 71.

The Pólya–Vinogradov inequality above gives O(√p log p).

The best unconditional estimate is n(p) ≪ p^θ for any θ>1/4√e, obtained by estimates of Burgess on character sums. ^[27]

Assuming the Generalised Riemann hypothesis, Ankeny obtained n(p) ≪ (log p)². ^[28]

Linnik showed that the number of p less than X such that n(p) > X^ε is bounded by a constant depending on ε. ^[27]

The least quadratic non-residues mod p for odd primes p are:

2, 2, 3, 2, 2, 3, 2, 5, 2, 3, 2, ... (sequence A053760 in the OEIS )

Quadratic excess

Let p be an odd prime. The quadratic excessE(p) is the number of quadratic residues on the range (0,p/2) minus the number in the range (p/2,p) (sequence A178153 in the OEIS ). For p congruent to 1 mod 4, the excess is zero, since −1 is a quadratic residue and the residues are symmetric under r ↔ p−r. For p congruent to 3 mod 4, the excess E is always positive. ^[29]

Complexity of finding square roots

That is, given a number a and a modulus n, how hard is it

1. to tell whether an x solving x² ≡ a (mod n) exists
2. assuming one does exist, to calculate it?

An important difference between prime and composite moduli shows up here. Modulo a prime p, a quadratic residue a has 1 + (a|p) roots (i.e. zero if a N p, one if a ≡ 0 (mod p), or two if a R p and gcd(a,p) = 1.)

In general if a composite modulus n is written as a product of powers of distinct primes, and there are n₁ roots modulo the first one, n₂ mod the second, ..., there will be n₁n₂... roots modulo n.

The theoretical way solutions modulo the prime powers are combined to make solutions modulo n is called the Chinese remainder theorem; it can be implemented with an efficient algorithm. ^[30]

For example:

Solve x² ≡ 6 (mod 15).

x² ≡ 6 (mod 3) has one solution, 0; x² ≡ 6 (mod 5) has two, 1 and 4.

and there are two solutions modulo 15, namely 6 and 9.

Solve x² ≡ 4 (mod 15).

x² ≡ 4 (mod 3) has two solutions, 1 and 2; x² ≡ 4 (mod 5) has two, 2 and 3.

and there are four solutions modulo 15, namely 2, 7, 8, and 13.

Solve x² ≡ 7 (mod 15).

x² ≡ 7 (mod 3) has two solutions, 1 and 2; x² ≡ 7 (mod 5) has no solutions.

and there are no solutions modulo 15.

Prime or prime power modulus

First off, if the modulus n is prime the Legendre symbol ${\displaystyle \left({\frac {a}{n}}\right)}$ can be quickly computed using a variation of Euclid's algorithm ^[31] or the Euler's criterion. If it is −1 there is no solution. Secondly, assuming that ${\displaystyle \left({\frac {a}{n}}\right)=1}$, if n ≡ 3 (mod 4), Lagrange found that the solutions are given by

${\displaystyle x\equiv \pm \;a^{(n+1)/4}{\pmod {n}},}$

and Legendre found a similar solution ^[32] if n ≡ 5 (mod 8):

${\displaystyle x\equiv {\begin{cases}\pm \;a^{(n+3)/8}{\pmod {n}}&{\text{ if }}a{\text{ is a quartic residue modulo }}n\\\pm \;a^{(n+3)/8}2^{(n-1)/4}{\pmod {n}}&{\text{ if }}a{\text{ is a quartic non-residue modulo }}n\end{cases}}}$

For prime n ≡ 1 (mod 8), however, there is no known formula. Tonelli ^[33] (in 1891) and Cipolla ^[34] found efficient algorithms that work for all prime moduli. Both algorithms require finding a quadratic nonresidue modulo n, and there is no efficient deterministic algorithm known for doing that. But since half the numbers between 1 and n are nonresidues, picking numbers x at random and calculating the Legendre symbol ${\displaystyle \left({\frac {x}{n}}\right)}$ until a nonresidue is found will quickly produce one. A slight variant of this algorithm is the Tonelli–Shanks algorithm.

If the modulus n is a prime power n = p^e, a solution may be found modulo p and "lifted" to a solution modulo n using Hensel's lemma or an algorithm of Gauss. ^[8]

Composite modulus

If the modulus n has been factored into prime powers the solution was discussed above.

If n is not congruent to 2 modulo 4 and the Kronecker symbol ${\displaystyle \left({\tfrac {a}{n}}\right)=-1}$ then there is no solution; if n is congruent to 2 modulo 4 and ${\displaystyle \left({\tfrac {a}{n/2}}\right)=-1}$, then there is also no solution. If n is not congruent to 2 modulo 4 and ${\displaystyle \left({\tfrac {a}{n}}\right)=1}$, or n is congruent to 2 modulo 4 and ${\displaystyle \left({\tfrac {a}{n/2}}\right)=1}$, there may or may not be one.

If the complete factorization of n is not known, and ${\displaystyle \left({\tfrac {a}{n}}\right)=1}$ and n is not congruent to 2 modulo 4, or n is congruent to 2 modulo 4 and ${\displaystyle \left({\tfrac {a}{n/2}}\right)=1}$, the problem is known to be equivalent to integer factorization of n (i.e. an efficient solution to either problem could be used to solve the other efficiently).

The above discussion indicates how knowing the factors of n allows us to find the roots efficiently. Say there were an efficient algorithm for finding square roots modulo a composite number. The article congruence of squares discusses how finding two numbers x and y where x² ≡ y² (mod n) and x≠ ±y suffices to factorize n efficiently. Generate a random number, square it modulo n, and have the efficient square root algorithm find a root. Repeat until it returns a number not equal to the one we originally squared (or its negative modulo n), then follow the algorithm described in congruence of squares. The efficiency of the factoring algorithm depends on the exact characteristics of the root-finder (e.g. does it return all roots? just the smallest one? a random one?), but it will be efficient. ^[35]

Determining whether a is a quadratic residue or nonresidue modulo n (denoted a R n or a N n) can be done efficiently for prime n by computing the Legendre symbol. However, for composite n, this forms the quadratic residuosity problem, which is not known to be as hard as factorization, but is assumed to be quite hard.

On the other hand, if we want to know if there is a solution for x less than some given limit c, this problem is NP-complete; ^[36] however, this is a fixed-parameter tractable problem, where c is the parameter.

In general, to determine if a is a quadratic residue modulo composite n, one can use the following theorem: ^[37]

Let n > 1, and gcd(a,n) = 1. Then x² ≡ a (mod n) is solvable if and only if:

• The Legendre symbol ${\displaystyle \left({\tfrac {a}{p}}\right)=1}$ for all odd prime divisors p of n.
• a ≡ 1 (mod 4) if n is divisible by 4 but not 8; or a ≡ 1 (mod 8) if n is divisible by 8.

Note: This theorem essentially requires that the factorization of n is known. Also notice that if gcd(a,n) = m, then the congruence can be reduced to a/m ≡ x²/m (mod n/m), but then this takes the problem away from quadratic residues (unless m is a square).

The number of quadratic residues

The list of the number of quadratic residues modulo n, for n = 1, 2, 3 ..., looks like:

1, 2, 2, 2, 3, 4, 4, 3, 4, 6, 6, 4, 7, 8, 6, ... (sequence A000224 in the OEIS )

A formula to count the number of squares modulo n is given by Stangl. ^[38]

Applications of quadratic residues

Acoustics

Sound diffusers have been based on number-theoretic concepts such as primitive roots and quadratic residues. ^[39]

Graph theory

Paley graphs are dense undirected graphs, one for each prime p ≡ 1 (mod 4), that form an infinite family of conference graphs, which yield an infinite family of symmetric conference matrices.

Paley digraphs are directed analogs of Paley graphs, one for each p ≡ 3 (mod 4), that yield antisymmetric conference matrices.

The construction of these graphs uses quadratic residues.

Cryptography

The fact that finding a square root of a number modulo a large composite n is equivalent to factoring (which is widely believed to be a hard problem) has been used for constructing cryptographic schemes such as the Rabin cryptosystem and the oblivious transfer. The quadratic residuosity problem is the basis for the Goldwasser-Micali cryptosystem.

The discrete logarithm is a similar problem that is also used in cryptography.

Primality testing

Euler's criterion is a formula for the Legendre symbol (a|p) where p is prime. If p is composite the formula may or may not compute (a|p) correctly. The Solovay–Strassen primality test for whether a given number n is prime or composite picks a random a and computes (a|n) using a modification of Euclid's algorithm, ^[40] and also using Euler's criterion. ^[41] If the results disagree, n is composite; if they agree, n may be composite or prime. For a composite n at least 1/2 the values of a in the range 2, 3, ..., n− 1 will return "n is composite"; for prime n none will. If, after using many different values of a, n has not been proved composite it is called a "probable prime".

The Miller–Rabin primality test is based on the same principles. There is a deterministic version of it, but the proof that it works depends on the generalized Riemann hypothesis; the output from this test is "n is definitely composite" or "either n is prime or the GRH is false". If the second output ever occurs for a composite n, then the GRH would be false, which would have implications through many branches of mathematics.

Integer factorization

In § VI of the Disquisitiones Arithmeticae ^[42] Gauss discusses two factoring algorithms that use quadratic residues and the law of quadratic reciprocity.

Several modern factorization algorithms (including Dixon's algorithm, the continued fraction method, the quadratic sieve, and the number field sieve) generate small quadratic residues (modulo the number being factorized) in an attempt to find a congruence of squares which will yield a factorization. The number field sieve is the fastest general-purpose factorization algorithm known.

Table of quadratic residues

The following table (sequence A096008 in the OEIS ) lists the quadratic residues mod 1 to 75 (a red number means it is not coprime to n). (For the quadratic residues coprime to n, see OEIS:  A096103 , and for nonzero quadratic residues, see OEIS:  A046071 .)

n	quadratic residues mod n	n	quadratic residues mod n	n	quadratic residues mod n
1	0	26	0, 1, 3, 4, 9, 10, 12, 13, 14, 16, 17, 22, 23, 25	51	0, 1, 4, 9, 13, 15, 16, 18, 19, 21, 25, 30, 33, 34, 36, 42, 43, 49
2	0, 1	27	0, 1, 4, 7, 9, 10, 13, 16, 19, 22, 25	52	0, 1, 4, 9, 12, 13, 16, 17, 25, 29, 36, 40, 48, 49
3	0, 1	28	0, 1, 4, 8, 9, 16, 21, 25	53	0, 1, 4, 6, 7, 9, 10, 11, 13, 15, 16, 17, 24, 25, 28, 29, 36, 37, 38, 40, 42, 43, 44, 46, 47, 49, 52
4	0, 1	29	0, 1, 4, 5, 6, 7, 9, 13, 16, 20, 22, 23, 24, 25, 28	54	0, 1, 4, 7, 9, 10, 13, 16, 19, 22, 25, 27, 28, 31, 34, 36, 37, 40, 43, 46, 49, 52
5	0, 1, 4	30	0, 1, 4, 6, 9, 10, 15, 16, 19, 21, 24, 25	55	0, 1, 4, 5, 9, 11, 14, 15, 16, 20, 25, 26, 31, 34, 36, 44, 45, 49
6	0, 1, 3, 4	31	0, 1, 2, 4, 5, 7, 8, 9, 10, 14, 16, 18, 19, 20, 25, 28	56	0, 1, 4, 8, 9, 16, 25, 28, 32, 36, 44, 49
7	0, 1, 2, 4	32	0, 1, 4, 9, 16, 17, 25	57	0, 1, 4, 6, 7, 9, 16, 19, 24, 25, 28, 30, 36, 39, 42, 43, 45, 49, 54, 55
8	0, 1, 4	33	0, 1, 3, 4, 9, 12, 15, 16, 22, 25, 27, 31	58	0, 1, 4, 5, 6, 7, 9, 13, 16, 20, 22, 23, 24, 25, 28, 29, 30, 33, 34, 35, 36, 38, 42, 45, 49, 51, 52, 53, 54, 57
9	0, 1, 4, 7	34	0, 1, 2, 4, 8, 9, 13, 15, 16, 17, 18, 19, 21, 25, 26, 30, 32, 33	59	0, 1, 3, 4, 5, 7, 9, 12, 15, 16, 17, 19, 20, 21, 22, 25, 26, 27, 28, 29, 35, 36, 41, 45, 46, 48, 49, 51, 53, 57
10	0, 1, 4, 5, 6, 9	35	0, 1, 4, 9, 11, 14, 15, 16, 21, 25, 29, 30	60	0, 1, 4, 9, 16, 21, 24, 25, 36, 40, 45, 49
11	0, 1, 3, 4, 5, 9	36	0, 1, 4, 9, 13, 16, 25, 28	61	0, 1, 3, 4, 5, 9, 12, 13, 14, 15, 16, 19, 20, 22, 25, 27, 34, 36, 39, 41, 42, 45, 46, 47, 48, 49, 52, 56, 57, 58, 60
12	0, 1, 4, 9	37	0, 1, 3, 4, 7, 9, 10, 11, 12, 16, 21, 25, 26, 27, 28, 30, 33, 34, 36	62	0, 1, 2, 4, 5, 7, 8, 9, 10, 14, 16, 18, 19, 20, 25, 28, 31, 32, 33, 35, 36, 38, 39, 40, 41, 45, 47, 49, 50, 51, 56, 59
13	0, 1, 3, 4, 9, 10, 12	38	0, 1, 4, 5, 6, 7, 9, 11, 16, 17, 19, 20, 23, 24, 25, 26, 28, 30, 35, 36	63	0, 1, 4, 7, 9, 16, 18, 22, 25, 28, 36, 37, 43, 46, 49, 58
14	0, 1, 2, 4, 7, 8, 9, 11	39	0, 1, 3, 4, 9, 10, 12, 13, 16, 22, 25, 27, 30, 36	64	0, 1, 4, 9, 16, 17, 25, 33, 36, 41, 49, 57
15	0, 1, 4, 6, 9, 10	40	0, 1, 4, 9, 16, 20, 24, 25, 36	65	0, 1, 4, 9, 10, 14, 16, 25, 26, 29, 30, 35, 36, 39, 40, 49, 51, 55, 56, 61, 64
16	0, 1, 4, 9	41	0, 1, 2, 4, 5, 8, 9, 10, 16, 18, 20, 21, 23, 25, 31, 32, 33, 36, 37, 39, 40	66	0, 1, 3, 4, 9, 12, 15, 16, 22, 25, 27, 31, 33, 34, 36, 37, 42, 45, 48, 49, 55, 58, 60, 64
17	0, 1, 2, 4, 8, 9, 13, 15, 16	42	0, 1, 4, 7, 9, 15, 16, 18, 21, 22, 25, 28, 30, 36, 37, 39	67	0, 1, 4, 6, 9, 10, 14, 15, 16, 17, 19, 21, 22, 23, 24, 25, 26, 29, 33, 35, 36, 37, 39, 40, 47, 49, 54, 55, 56, 59, 60, 62, 64, 65
18	0, 1, 4, 7, 9, 10, 13, 16	43	0, 1, 4, 6, 9, 10, 11, 13, 14, 15, 16, 17, 21, 23, 24, 25, 31, 35, 36, 38, 40, 41	68	0, 1, 4, 8, 9, 13, 16, 17, 21, 25, 32, 33, 36, 49, 52, 53, 60, 64
19	0, 1, 4, 5, 6, 7, 9, 11, 16, 17	44	0, 1, 4, 5, 9, 12, 16, 20, 25, 33, 36, 37	69	0, 1, 3, 4, 6, 9, 12, 13, 16, 18, 24, 25, 27, 31, 36, 39, 46, 48, 49, 52, 54, 55, 58, 64
20	0, 1, 4, 5, 9, 16	45	0, 1, 4, 9, 10, 16, 19, 25, 31, 34, 36, 40	70	0, 1, 4, 9, 11, 14, 15, 16, 21, 25, 29, 30, 35, 36, 39, 44, 46, 49, 50, 51, 56, 60, 64, 65
21	0, 1, 4, 7, 9, 15, 16, 18	46	0, 1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18, 23, 24, 25, 26, 27, 29, 31, 32, 35, 36, 39, 41	71	0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 18, 19, 20, 24, 25, 27, 29, 30, 32, 36, 37, 38, 40, 43, 45, 48, 49, 50, 54, 57, 58, 60, 64
22	0, 1, 3, 4, 5, 9, 11, 12, 14, 15, 16, 20	47	0, 1, 2, 3, 4, 6, 7, 8, 9, 12, 14, 16, 17, 18, 21, 24, 25, 27, 28, 32, 34, 36, 37, 42	72	0, 1, 4, 9, 16, 25, 28, 36, 40, 49, 52, 64
23	0, 1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18	48	0, 1, 4, 9, 16, 25, 33, 36	73	0, 1, 2, 3, 4, 6, 8, 9, 12, 16, 18, 19, 23, 24, 25, 27, 32, 35, 36, 37, 38, 41, 46, 48, 49, 50, 54, 55, 57, 61, 64, 65, 67, 69, 70, 71, 72
24	0, 1, 4, 9, 12, 16	49	0, 1, 2, 4, 8, 9, 11, 15, 16, 18, 22, 23, 25, 29, 30, 32, 36, 37, 39, 43, 44, 46	74	0, 1, 3, 4, 7, 9, 10, 11, 12, 16, 21, 25, 26, 27, 28, 30, 33, 34, 36, 37, 38, 40, 41, 44, 46, 47, 48, 49, 53, 58, 62, 63, 64, 65, 67, 70, 71, 73
25	0, 1, 4, 6, 9, 11, 14, 16, 19, 21, 24	50	0, 1, 4, 6, 9, 11, 14, 16, 19, 21, 24, 25, 26, 29, 31, 34, 36, 39, 41, 44, 46, 49	75	0, 1, 4, 6, 9, 16, 19, 21, 24, 25, 31, 34, 36, 39, 46, 49, 51, 54, 61, 64, 66, 69

Quadratic Residues (see also A048152, A343720)

x	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25
x2	1	4	9	16	25	36	49	64	81	100	121	144	169	196	225	256	289	324	361	400	441	484	529	576	625
mod 1	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
mod 2	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1
mod 3	1	1	0	1	1	0	1	1	0	1	1	0	1	1	0	1	1	0	1	1	0	1	1	0	1
mod 4	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1	0	1
mod 5	1	4	4	1	0	1	4	4	1	0	1	4	4	1	0	1	4	4	1	0	1	4	4	1	0
mod 6	1	4	3	4	1	0	1	4	3	4	1	0	1	4	3	4	1	0	1	4	3	4	1	0	1
mod 7	1	4	2	2	4	1	0	1	4	2	2	4	1	0	1	4	2	2	4	1	0	1	4	2	2
mod 8	1	4	1	0	1	4	1	0	1	4	1	0	1	4	1	0	1	4	1	0	1	4	1	0	1
mod 9	1	4	0	7	7	0	4	1	0	1	4	0	7	7	0	4	1	0	1	4	0	7	7	0	4
mod 10	1	4	9	6	5	6	9	4	1	0	1	4	9	6	5	6	9	4	1	0	1	4	9	6	5
mod 11	1	4	9	5	3	3	5	9	4	1	0	1	4	9	5	3	3	5	9	4	1	0	1	4	9
mod 12	1	4	9	4	1	0	1	4	9	4	1	0	1	4	9	4	1	0	1	4	9	4	1	0	1
mod 13	1	4	9	3	12	10	10	12	3	9	4	1	0	1	4	9	3	12	10	10	12	3	9	4	1
mod 14	1	4	9	2	11	8	7	8	11	2	9	4	1	0	1	4	9	2	11	8	7	8	11	2	9
mod 15	1	4	9	1	10	6	4	4	6	10	1	9	4	1	0	1	4	9	1	10	6	4	4	6	10
mod 16	1	4	9	0	9	4	1	0	1	4	9	0	9	4	1	0	1	4	9	0	9	4	1	0	1
mod 17	1	4	9	16	8	2	15	13	13	15	2	8	16	9	4	1	0	1	4	9	16	8	2	15	13
mod 18	1	4	9	16	7	0	13	10	9	10	13	0	7	16	9	4	1	0	1	4	9	16	7	0	13
mod 19	1	4	9	16	6	17	11	7	5	5	7	11	17	6	16	9	4	1	0	1	4	9	16	6	17
mod 20	1	4	9	16	5	16	9	4	1	0	1	4	9	16	5	16	9	4	1	0	1	4	9	16	5
mod 21	1	4	9	16	4	15	7	1	18	16	16	18	1	7	15	4	16	9	4	1	0	1	4	9	16
mod 22	1	4	9	16	3	14	5	20	15	12	11	12	15	20	5	14	3	16	9	4	1	0	1	4	9
mod 23	1	4	9	16	2	13	3	18	12	8	6	6	8	12	18	3	13	2	16	9	4	1	0	1	4
mod 24	1	4	9	16	1	12	1	16	9	4	1	0	1	4	9	16	1	12	1	16	9	4	1	0	1
mod 25	1	4	9	16	0	11	24	14	6	0	21	19	19	21	0	6	14	24	11	0	16	9	4	1	0

See also

• Euler's criterion
• Gauss's lemma
• Zolotarev's lemma
• Character sum
• Law of quadratic reciprocity
• Quadratic residue code

Notes

1. Lemmemeyer, Ch. 1
2. Lemmermeyer, pp 6–8, p. 16 ff
3. Gauss, DA, art. 94
4. Gauss, DA, art. 96
5. Gauss, DA, art. 98
6. Gauss, DA, art 111
7. Gauss, DA, art. 103
8. Gauss, DA, art. 101
9. Gauss, DA, art. 102
10. e.g., Ireland & Rosen 1990 , p. 50
11. Gauss, DA, art. 131
12. e.g. Hardy and Wright use it
13. Gauss, DA, art 230 ff.
14. This extension of the domain is necessary for defining L functions.
15. See Legendre symbol#Properties of the Legendre symbol for examples
16. Lemmermeyer, pp 111–end
17. Davenport 2000 , pp. 8–9, 43–51. These are classical results.
18. Davenport 2000 , pp. 49–51, (conjectured by Jacobi, proved by Dirichlet)
19. Davenport 2000 , p. 9
20. Lemmermeyer, p. 29 ex. 1.22; cf pp. 26–27, Ch. 10
21. Crandall & Pomerance, ex 2.38, pp 106–108
22. Gauss, Theorie der biquadratischen Reste, Erste Abhandlung (pp 511–533 of the Untersuchungen über hohere Arithmetik)
23. Crandall & Pomerance, ex 2.38, pp 106–108 discuss the similarities and differences. For example, tossing n coins, it is possible (though unlikely) to get n/2 heads followed by that many tails. V-P inequality rules that out for residues.
24. Davenport 2000 , pp. 135–137, (proof of P–V, (in fact big-O can be replaced by 2); journal references for Paley, Montgomery, and Schur)
25. Planet Math: Proof of Pólya–Vinogradov Inequality in external links. The proof is a page long and only requires elementary facts about Gaussian sums
26. Pomerance & Crandall, ex 2.38 pp.106–108. result from T. Cochrane, "On a trigonometric inequality of Vinogradov", J. Number Theory, 27:9–16, 1987
27. Friedlander, John B.; Iwaniec, Henryk (2010). Opera De Cribro. American Mathematical Society. p. 156. ISBN   978-0-8218-4970-5. Zbl   1226.11099.
28. Montgomery, Hugh L. (1994). Ten Lectures on the Interface Between Analytic Number Theory and Harmonic Analysis. American Mathematical Society. p. 176. ISBN   0-8218-0737-4. Zbl   0814.11001.
29. Bateman, Paul T.; Diamond, Harold G. (2004). Analytic Number Theory. World Scientific. p. 250. ISBN   981-256-080-7. Zbl   1074.11001.
30. Bach & Shallit 1996 , p. 104 ff; it requires O(log²m) steps where m is the number of primes dividing n.
31. Bach & Shallit 1996 , p. 113; computing ${\displaystyle \left({\frac {a}{n}}\right)}$ requires O(log a log n) steps
32. Lemmermeyer, p. 29
33. Bach & Shallit 1996 , p. 156 ff; the algorithm requires O(log⁴n) steps.
34. Bach & Shallit 1996 , p. 156 ff; the algorithm requires O(log³n) steps and is also nondeterministic.
35. Crandall & Pomerance, ex. 6.5 & 6.6, p.273
36. Manders & Adleman 1978
37. Burton, David (2007). Elementary Number Theory. New York: McGraw HIll. p. 195.
38. Stangl, Walter D. (October 1996), "Counting Squares in ℤ_n" (PDF), Mathematics Magazine, 69 (4): 285–289, doi:10.2307/2690536, JSTOR   2690536
39. Walker, R. "The design and application of modular acoustic diffusing elements" (PDF). BBC Research Department. Retrieved 25 October 2016.
40. Bach & Shallit 1996 , p. 113
41. Bach & Shallit 1996 , pp. 109–110; Euler's criterion requires O(log³n) steps
42. Gauss, DA, arts 329–334

References

The Disquisitiones Arithmeticae has been translated from Gauss's Ciceronian Latin into English and German. The German edition includes all of his papers on number theory: all the proofs of quadratic reciprocity, the determination of the sign of the Gauss sum, the investigations into biquadratic reciprocity, and unpublished notes.

• Gauss, Carl Friedrich; Clarke, Arthur A. (translator into English) (1986), Disquisitiones Arithemeticae (Second corrected ed.), New York: Springer, ISBN   0-387-96254-9 {{citation}}: |first2= has generic name (help)
• Gauss, Carl Friedrich; Maser, H. (translator into German) (1965), Untersuchungen über hohere Arithmetik[Disquisitiones Arithemeticae & other papers on number theory] (second ed.), New York: Chelsea, ISBN   0-8284-0191-8 {{citation}}: |first2= has generic name (help)
• Bach, Eric; Shallit, Jeffrey (1996), Efficient Algorithms, Algorithmic Number Theory, vol. I, Cambridge: The MIT Press, ISBN   0-262-02405-5
• Crandall, Richard; Pomerance, Carl (2001), Prime Numbers: A Computational Perspective, New York: Springer, ISBN   0-387-94777-9
• Davenport, Harold (2000), Multiplicative Number Theory (third ed.), New York: Springer, ISBN   0-387-95097-4
• Garey, Michael R.; Johnson, David S. (1979), Computers and Intractability: A Guide to the Theory of NP-Completeness , W. H. Freeman, ISBN   0-7167-1045-5 A7.1: AN1, pg.249.
• Hardy, G. H.; Wright, E. M. (1980), An Introduction to the Theory of Numbers (fifth ed.), Oxford: Oxford University Press, ISBN   978-0-19-853171-5
• Ireland, Kenneth; Rosen, Michael (1990), A Classical Introduction to Modern Number Theory (second ed.), New York: Springer, ISBN   0-387-97329-X
• Lemmermeyer, Franz (2000), Reciprocity Laws: from Euler to Eisenstein, Berlin: Springer, ISBN   3-540-66957-4
• Manders, Kenneth L.; Adleman, Leonard (1978), "NP-Complete Decision Problems for Binary Quadratics", Journal of Computer and System Sciences, 16 (2): 168–184, doi: 10.1016/0022-0000(78)90044-2 .

External links

• Weisstein, Eric W. "Quadratic Residue". MathWorld .
• Proof of Pólya–Vinogradov inequality at PlanetMath .