Quadratic residuosity problem

Last updated December 21, 2023

The quadratic residuosity problem (QRP^[1]) in computational number theory is to decide, given integers $a$ and $N$ , whether $a$ is a quadratic residue modulo $N$ or not. Here $N=p_{1}p_{2}$ for two unknown primes $p_{1}$ and $p_{2}$ , and $a$ is among the numbers which are not obviously quadratic non-residues (see below).

Precise formulation

Given integers $a$ and $T$ , $a$ is said to be a quadratic residue modulo $T$ if there exists an integer $b$ such that

a\equiv b^{2}{\pmod {T}}

.

Otherwise we say it is a quadratic non-residue. When $T=p$ is a prime, it is customary to use the Legendre symbol:

\left({\frac {a}{p}}\right)={\begin{cases}1&{\text{ if }}a{\text{ is a quadratic residue modulo }}p{\text{ and }}a\not \equiv 0{\pmod {p}},\\-1&{\text{ if }}a{\text{ is a quadratic non-residue modulo }}p,\\0&{\text{ if }}a\equiv 0{\pmod {p}}.\end{cases}}

This is a multiplicative character which means ${\big (}{\tfrac {a}{p}}{\big )}=1$ for exactly $(p-1)/2$ of the values $1,\ldots ,p-1$ , and it is $-1$ for the remaining.

It is easy to compute using the law of quadratic reciprocity in a manner akin to the Euclidean algorithm; see Legendre symbol.

Consider now some given $N=p_{1}p_{2}$ where $p_{1}$ and $p_{2}$ are two different unknown primes. A given $a$ is a quadratic residue modulo $N$ if and only if $a$ is a quadratic residue modulo both $p_{1}$ and $p_{2}$ and $\gcd(a,N)=1$ .

Since we don't know $p_{1}$ or $p_{2}$ , we cannot compute ${\big (}{\tfrac {a}{p_{1}}}{\big )}$ and ${\big (}{\tfrac {a}{p_{2}}}{\big )}$ . However, it is easy to compute their product. This is known as the Jacobi symbol:

\left({\frac {a}{N}}\right)=\left({\frac {a}{p_{1}}}\right)\left({\frac {a}{p_{2}}}\right)

This also can be efficiently computed using the law of quadratic reciprocity for Jacobi symbols.

However, ${\big (}{\tfrac {a}{N}}{\big )}$ cannot in all cases tell us whether $a$ is a quadratic residue modulo $N$ or not! More precisely, if ${\big (}{\tfrac {a}{N}}{\big )}=-1$ then $a$ is necessarily a quadratic non-residue modulo either $p_{1}$ or $p_{2}$ , in which case we are done. But if ${\big (}{\tfrac {a}{N}}{\big )}=1$ then it is either the case that $a$ is a quadratic residue modulo both $p_{1}$ and $p_{2}$ , or a quadratic non-residue modulo both $p_{1}$ and $p_{2}$ . We cannot distinguish these cases from knowing just that ${\big (}{\tfrac {a}{N}}{\big )}=1$ .

This leads to the precise formulation of the quadratic residue problem:

Problem: Given integers $a$ and $N=p_{1}p_{2}$ , where $p_{1}$ and $p_{2}$ are distinct unknown primes, and where ${\big (}{\tfrac {a}{N}}{\big )}=1$ , determine whether $a$ is a quadratic residue modulo $N$ or not.

Distribution of residues

If $a$ is drawn uniformly at random from integers $0,\ldots ,N-1$ such that ${\big (}{\tfrac {a}{N}}{\big )}=1$ , is $a$ more often a quadratic residue or a quadratic non-residue modulo $N$ ?

As mentioned earlier, for exactly half of the choices of $a\in \{1,\ldots ,p_{1}-1\}$ , then ${\big (}{\tfrac {a}{p_{1}}}{\big )}=1$ , and for the rest we have ${\big (}{\tfrac {a}{p_{1}}}{\big )}=-1$ . By extension, this also holds for half the choices of $a\in \{1,\ldots ,N-1\}\setminus p_{1}\mathbb {Z}$ . Similarly for $p_{2}$ . From basic algebra, it follows that this partitions $(\mathbb {Z} /N\mathbb {Z} )^{\times }$ into 4 parts of equal size, depending on the sign of ${\big (}{\tfrac {a}{p_{1}}}{\big )}$ and ${\big (}{\tfrac {a}{p_{2}}}{\big )}$ .

The allowed $a$ in the quadratic residue problem given as above constitute exactly those two parts corresponding to the cases ${\big (}{\tfrac {a}{p_{1}}}{\big )}={\big (}{\tfrac {a}{p_{2}}}{\big )}=1$ and ${\big (}{\tfrac {a}{p_{1}}}{\big )}={\big (}{\tfrac {a}{p_{2}}}{\big )}=-1$ . Consequently, exactly half of the possible $a$ are quadratic residues and the remaining are not.

Applications

The intractability of the quadratic residuosity problem is the basis for the security of the Blum Blum Shub pseudorandom number generator. It also yields the public key Goldwasser–Micali cryptosystem,^[3]^[4] as well as the identity based Cocks scheme.

Related Research Articles

In mathematics, the Chinese remainder theorem states that if one knows the remainders of the Euclidean division of an integer n by several integers, then one can determine uniquely the remainder of the division of n by the product of these integers, under the condition that the divisors are pairwise coprime.

In number theory, the Legendre symbol is a multiplicative function with values 1, −1, 0 that is a quadratic character modulo of an odd prime number p: its value at a (nonzero) quadratic residue mod p is 1 and at a non-quadratic residue (non-residue) is −1. Its value at zero is 0.

<span class="mw-page-title-main">Quadratic reciprocity</span> Gives conditions for the solvability of quadratic equations modulo prime numbers

In number theory, the law of quadratic reciprocity is a theorem about modular arithmetic that gives conditions for the solvability of quadratic equations modulo prime numbers. Due to its subtlety, it has many formulations, but the most standard statement is:

In number theory, given a prime number $p$ , the $p$ -adic numbers form an extension of the rational numbers which is distinct from the real numbers, though with some similar properties; $p$ -adic numbers can be written in a form similar to decimals, but with digits based on a prime number $p$ rather than ten, and extending to the left rather than to the right. Formally, given a prime number $p$ , a $p$ -adic number can be defined as a series

The Jacobi symbol is a generalization of the Legendre symbol. Introduced by Jacobi in 1837, it is of theoretical interest in modular arithmetic and other branches of number theory, but its main use is in computational number theory, especially primality testing and integer factorization; these in turn are important in cryptography.

In number theory, Euler's criterion is a formula for determining whether an integer is a quadratic residue modulo a prime. Precisely,

In modular arithmetic, a number $g$ is a primitive root modulo $n$ if every number $a$ coprime to $n$ is congruent to a power of $g$ modulo $n$ . That is, $g$ is a primitive root modulo $n$ if for every integer $a$ coprime to $n$ , there is some integer $k$ for which $g$ ^$k$ ≡ $a$ . Such a value $k$ is called the index or discrete logarithm of $a$ to the base $g$ modulo $n$ . So $g$ is a primitive root modulo $n$ if and only if $g$ is a generator of the multiplicative group of integers modulo $n$ .

In number theory, an integer q is called a quadratic residue modulo n if it is congruent to a perfect square modulo n; i.e., if there exists an integer x such that:

In number theory, quadratic Gauss sums are certain finite sums of roots of unity. A quadratic Gauss sum can be interpreted as a linear combination of the values of the complex exponential function with coefficients given by a quadratic character; for a general character, one obtains a more general Gauss sum. These objects are named after Carl Friedrich Gauss, who studied them extensively and applied them to quadratic, cubic, and biquadratic reciprocity laws.

In number theory, the Kronecker symbol, written as $or, is a generalization of the Jacobi symbol to all integers . It was introduced by Leopold Kronecker.$

Gauss's lemma in number theory gives a condition for an integer to be a quadratic residue. Although it is not useful computationally, it has theoretical significance, being involved in some proofs of quadratic reciprocity.

The Goldwasser–Micali (GM) cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of semantic security.

In number theory, the law of quadratic reciprocity, like the Pythagorean theorem, has lent itself to an unusually large number of proofs. Several hundred proofs of the law of quadratic reciprocity have been published.

The Tonelli–Shanks algorithm is used in modular arithmetic to solve for r in a congruence of the form r² ≡ n, where p is a prime: that is, to find a square root of n modulo p.

In cryptography, most public key cryptosystems are founded on problems that are believed to be intractable. The higher residuosity problem is one such problem. This problem is easier to solve than integer factorization, so the assumption that this problem is hard to solve is stronger than the assumption that integer factorization is hard.

Cubic reciprocity is a collection of theorems in elementary and algebraic number theory that state conditions under which the congruence x³ ≡ p (mod q) is solvable; the word "reciprocity" comes from the form of the main theorem, which states that if p and q are primary numbers in the ring of Eisenstein integers, both coprime to 3, the congruence x³ ≡ p is solvable if and only if x³ ≡ q is solvable.

Cocks IBE scheme is an identity based encryption system proposed by Clifford Cocks in 2001. The security of the scheme is based on the hardness of the quadratic residuosity problem.

Quartic or biquadratic reciprocity is a collection of theorems in elementary and algebraic number theory that state conditions under which the congruence x⁴ ≡ p is solvable; the word "reciprocity" comes from the form of some of these theorems, in that they relate the solvability of the congruence x⁴ ≡ p to that of x⁴ ≡ q.

The decisional composite residuosity assumption (DCRA) is a mathematical assumption used in cryptography. In particular, the assumption is used in the proof of the Paillier cryptosystem.

In mathematics, elliptic curve primality testing techniques, or elliptic curve primality proving (ECPP), are among the quickest and most widely used methods in primality proving. It is an idea put forward by Shafi Goldwasser and Joe Kilian in 1986 and turned into an algorithm by A. O. L. Atkin the same year. The algorithm was altered and improved by several collaborators subsequently, and notably by Atkin and François Morain, in 1993. The concept of using elliptic curves in factorization had been developed by H. W. Lenstra in 1985, and the implications for its use in primality testing followed quickly.

References

↑ Kaliski, Burt (2011). "Quadratic Residuosity Problem". Encyclopedia of Cryptography and Security. p. 1003. doi: 10.1007/978-1-4419-5906-5_429 . ISBN 978-1-4419-5905-8.
↑ Adleman, L. (1980). "On Distinguishing Prime Numbers from Composite Numbers". Proceedings of the 21st IEEE Symposium on the Foundations of Computer Science (FOCS), Syracuse, N.Y. pp. 387–408. doi:10.1109/SFCS.1980.28. ISSN 0272-5428.
↑ S. Goldwasser, S. Micali (1982). "Probabilistic encryption & how to play mental poker keeping secret all partial information". Proceedings of the fourteenth annual ACM symposium on Theory of computing - STOC '82. pp. 365–377. doi:10.1145/800070.802212. ISBN 0897910702. S2CID 10316867.
↑ S. Goldwasser, S. Micali (1984). "Probabilistic encryption". Journal of Computer and System Sciences. 28 (2): 270–299. doi: 10.1016/0022-0000(84)90070-9 .

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Kaliski, Burt (2011). "Quadratic Residuosity Problem". Encyclopedia of Cryptography and Security. p. 1003. doi: 10.1007/978-1-4419-5906-5_429 . ISBN 978-1-4419-5905-8.

[2] Adleman, L. (1980). "On Distinguishing Prime Numbers from Composite Numbers". Proceedings of the 21st IEEE Symposium on the Foundations of Computer Science (FOCS), Syracuse, N.Y. pp. 387–408. doi:10.1109/SFCS.1980.28. ISSN 0272-5428.

[3] S. Goldwasser, S. Micali (1982). "Probabilistic encryption & how to play mental poker keeping secret all partial information". Proceedings of the fourteenth annual ACM symposium on Theory of computing - STOC '82. pp. 365–377. doi:10.1145/800070.802212. ISBN 0897910702. S2CID 10316867.

[4] S. Goldwasser, S. Micali (1984). "Probabilistic encryption". Journal of Computer and System Sciences. 28 (2): 270–299. doi: 10.1016/0022-0000(84)90070-9 .

[1]

[2]

[3]

[4]

v t e Computational hardness assumptions
Number theoretic	Integer factorization Phi-hiding RSA problem Strong RSA Quadratic residuosity Decisional composite residuosity Higher residuosity
Group theoretic	Discrete logarithm Diffie-Hellman Decisional Diffie–Hellman Computational Diffie–Hellman
Pairings	External Diffie–Hellman Sub-group hiding Decision linear
Lattices	Shortest vector problem (gap) Closest vector problem (gap) Learning with errors Ring learning with errors Short integer solution
Non-cryptographic	Exponential time hypothesis Unique games conjecture Planted clique conjecture