Lecture 18 - Quadratic Residues; Legendre Symbols

Summary

In today's class we discussed some of the basic properties of quadratic residues. We then uncovered the Legendre symbol, exploring its connection to Euler's Criterion and using this to set a game-plan for answering the general question: when is a number a a square modulo a prime p?

Announcements

Just as a reminder, we mentioned at the beginning of class that your project contracts are due this coming Friday, and that your project topics should be submitted by Monday, March 16th.

Some Basic Properties of Quadratic Residues

Last class period we introduced quadratic residues, so we started today's class by computing the squares of all the residues mod 17 to determine what the quadratic residues (and non-residues) mod 17 were.

n n2 n n2 n n2
1 1 7 $49 \equiv -2$ 13 $(-4)^2 \equiv -1$
2 4 8 $64 \equiv 13 \equiv -4$ 14 $(-3)^2 \equiv 9$
3 9 9 $(-8)^2 \equiv -4$ 15 $(-2)^2 \equiv 4$
4 $16 \equiv -1$ 10 $(-7)^2 \equiv -2$ 16 $(-1)^2 \equiv 1$
5 $25 \equiv 8$ 11 $(-6)^2 \equiv 2$
6 $36 \equiv 2$ 12 $(-5)^2 \equiv 8$

This means that the quadratic residues mod 17 are

  • 1, 2, 4, 8, 9, 13, 15, 16

and the quadratic nonresidues mod 17 are

  • 3, 5, 6, 7, 10, 11, 12, 14

With this table as our motivation, let's try to prove some general statements about quadratic residues. First, we'll count the number of solutions to equations of the form

(1)
\begin{align} x^2 \equiv n \mod{p} \end{align}

when $p \nmid n$.

Lemma: If p is an odd prime and $p \nmid n$, then the equation $x^2 \equiv n \mod{p}$ has either 0 solutions or 2 solutions.

Proof: First, if n is a quadratic nonresidue, then by definition $x^2 \equiv n \mod{p}$ has no solutions.

Now if n is a quadratic residue, then by definition this means $x^2 \equiv n \mod{p}$ does have at least one solution. Let's choose one solution $x_0$. Notice that we then also have

(2)
\begin{align} (-x_0)^2 \equiv (-1)^2(x_0)^2 \equiv n \mod{p}, \end{align}

so that $-x_0$ is also a solution. Furthermore, we know that $x_0 \not \equiv x_1 \mod{p}$, since otherwise we'd have $p \mid 2x_0$, implying either $p \mid 2$ (impossible since p is odd) or $p \mid x_0$ (impossible since this would mean $0 \equiv 0^2 \equiv x_0^2 \equiv n \mod{p}$, which is ruled out since $p\nmid n$ by hypothesis). So this means that $x_0,-x_0$ are distinct solutions to the equation.

Are there any more? If $x_1$ were some solution to $x^2 \equiv n \mod{p}$, then this would mean that

(3)
\begin{align} x_0^2 \equiv n \equiv x_1^2 \mod{p}. \end{align}

This in turn implies that $p \mid x_0^2 - x_1^2 = (x_0-x_1)(x_0+x_1)$, and then Euclid's Lemma says that $p \mid x_0 - x_1$ or $p \mid x_0+x_1$. In the former case we'd have $x_1 \equiv x_0 \mod{p}$, whereas in the latter we'd have $x_1 \equiv -x_0 \mod{p}$. Hence we see that any solution is equivalent to one of the two we have already produced, and so there aren't any new solutions. This makes the total number of solutions in this case equal to 2. $\square$

From our example we also noticed two other things: first that the quadratic residues are given by the squares of the first $\frac{p-1}{2}$ residue classes, and second that the number of quadratic residues is the same as the number of quadratic non-residues. Let's try to prove these observations.

Lemma: The residue classes of $1^2, 2^2, 3^2,\cdots, \left(\frac{p-1}{2}\right)^2$ are distinct and give a complete list of the quadratic residues modulo p.

Proof: First, notice that for any $1 \leq i \leq \frac{p-1}{2}$, the number $i^2$ is a quadratic residue modulo p: indeed, we can "see" that this is a square, and moreover cannot be divisible by p (since the number i isn't divisible by p). Hence the numbers $1^2, 2^2, \cdots, \left(\frac{p-1}{2}\right)^2$ are all quadratic residues.

Moreover we know that for any $\frac{p+1}{2} \leq j \leq p-1$, the number $j^2$ must occur in the list $1^2, 2^2, \cdots, \left(\frac{p-1}{2}\right)^2$. This is true because the number $p-j$ must have residue which sits in the list $1,2,\cdots, \frac{p-1}{2}$, and of course we know that

(4)
\begin{align} j^2 \equiv (-j)^2 \equiv (p-j)^2 \mod{p}. \end{align}

So we only have to prove that all the numbers $1^2, 2^2, \cdots, \left(\frac{p-1}{2}\right)^2$ are distinct. So let i and j be distinct residues between 1 and $\frac{p-1}{2}$, and suppose that $i^2 \equiv j^2 \mod{p}$. We'll derive a contradiction from this assumption. Notice first that the given congruence implies $p \mid i^2-j^2 = (i-j)(i+j)$. Now Euclid's Lemma says that either $p \mid i-j$ or $p \mid i+j$. The former implies that $i \equiv j \mod{p}$, a possibility we've already ruled out by assuming i and j are distinct residues. Hence we must be in the case $p \mid i+j$. But notice that if i and j are taken as least non-negative residues, then we have

(5)
\begin{align} 3 \leq i+j \leq \frac{p-3}{2}+\frac{p-1}{2} = p-2. \end{align}

But if $i+j$ satisfy these inequalities, then it is impossible for $p \mid i+j$. This is a contradiction, and so we conclude that $i^2 \equiv j^2 \mod{p}$ is impossible. $\square$

As a consequence of this result, we verify our second observation.

Corollary: There are precisely $\frac{p-1}{2}$ distinct quadratic residues and $\frac{p-1}{2}$ distinct quadratic nonresidues.

Proof: The previous lemma says that the numbers $1^2, 2^2, \cdots, \left(\frac{p-1}{2}\right)^2$ are distinct and give a complete list of the quadratic residues. Since there are $\frac{p-1}{2}$ numbers in this list, this means that there are $\frac{p-1}{2}$ quadratic residues.

How many quadratic nonresidues does this leave us with? There are p-1 nonzero residues modulo p, and $\frac{p-1}{2}$ are quadratic residues. This means the remaining

(6)
\begin{align} p-1-\left(\frac{p-1}{2}\right) = \frac{p-1}{2} \end{align}

are quadratic nonresidues. $\square$

The Legendre Symbol

For the rest of this chapter, we're going to focus on the problem of giving good criteria to determine when a given nonzero residue class a is a square modulo p. Notice that right now, if I asked whether a given integer a is a square modulo p, the only way you could answer this question is by computing all the quadratic residues modulo p (i.e., by computing $1^2, 2^2, \cdots, \left(\frac{p-1}{2}\right)^2$) and seeing if a wound up on the list. This isn't a very efficient means for determining whether a is a residue or not.

We start by defining a "square indicator" function.

Definition: For an odd prime p and $p \nmid a$, the Legendre symbol $\left(\frac{a}{p}\right)$ is defined as

$\displaystyle \left(\frac{a}{p}\right) = \left\{\begin{array}{rl}1,&\mbox{ if } x^2 \equiv a \mod{p} \mbox{ has a solution,}\\-1 ,&\mbox{ if } x^2 \equiv a \mod{p} \mbox{ has no solutions.}\end{array}\right.$

WARNING: This notation could easily be confusing, as it looks as if the Legendre symbol has something to do with the fraction $\frac{a}{p}$. Hopefully in practice you won't be confused, since context will often tell you whether $\left(\frac{a}{p}\right)$ means the rational number "a divided by p" or the Legendre symbol "is a a square modulo p?" If you are ever confused, though, please ask so you can get things clarified sooner (rather than later).

Example: Legendre symbols modulo 17

We know that

(7)
\begin{align} \left(\frac{2}{17}\right) = \left(\frac{-1}{17}\right) = \left(\frac{8}{17}\right) = 1 \end{align}

whereas

(8)
\begin{align} \left(\frac{3}{17}\right) = \left(\frac{10}{17}\right) = \left(\frac{11}{17}\right) = -1 \end{align}

since we already computed the quadratic residues (and nonresidues) mod 17. $\square$

It might seem that defining this Legendre symbol doesn't buy us anything, but we'll see that capturing the question "is this number a square mod p?" in the form of a function will have some real benefits.

Euler's Criterion

To begin, though, we note that there are different ways for computing $\left(\frac{a}{p}\right)$ than simply computing all the quadratic residues mod p. The first real theorem in this direction is the following

Theorem (Euler's Criterion): For p an odd prime and $p \nmid a$ we have

$\displaystyle \left(\frac{a}{p}\right) \equiv a^{\frac{p-1}{2}} \mod{p}$

This theorem tells us that if we can compute the residue of $a^{\frac{p-1}{2}}\mod{p}$, then we can determine whether or not a is a square. Before we prove Euler's Criterion, though, let's see some consequences of this important result.

Example: Computing quadratic residue-ness through exponents

Let's see Euler's Criterion in action by determining whether 2 is a square modulo 19. For this, Euler's Criterion says that

(9)
\begin{align} 2^{\frac{19-1}{2}} \equiv \left(\frac{2}{19}\right) \mod{19}. \end{align}

Now the left hand side is clearly $2^9 \mod{19}$, so we'll compute this power. For this, we'll use successive squaring. We have

(10)
\begin{split} 2^1 &\equiv 1\\ 2^2 &\equiv 4\\ 2^4 &\equiv 4^2 \equiv 16\\ 2^8 \equiv (16)^2 \equiv (-3)^2 \equiv 9. \end{split}

Hence we have

(11)
\begin{align} \left(\frac{2}{19}\right) \equiv 2^9 \equiv 2 \cdot 2^8 \equiv 2 \cdot 9 \equiv 18 \equiv -1 \mod{19}. \end{align}

Hence we have $\left(\frac{2}{19}\right) =-1$, and so we know that 2 is not a square mod 19. $\square$

Is -1 a square?

One of the nicest applications of Euler's Criterion is that it gives us a fast way of checking whether -1 is a square modulo p based only on the congruence class of p mod 4.

Corollary: For an odd prime p, we have

$\left(\frac{-1}{p}\right) = \left\{\begin{array}{rl}1,&\mbox{ if } p \equiv 1 \mod{4}\\-1,& \mbox{ if }p \equiv 3 \mod{4}.\end{array}\right.$

Proof: Euler's criterion tells us that

(12)
\begin{align} \left(\frac{-1}{p}\right) \equiv (-1)^{\frac{p-1}{2}} \mod{p}. \end{align}

Hence to prove the corollary, we just need to show that $\frac{p-1}{2}$ is even whenever $p\equiv 1 \mod{4}$ and that $\frac{p-1}{2}$ is odd whenever $p \equiv 3 \mod{4}$. So let's try it out.

Suppose that $p \equiv 1 \mod{4}$. This means that $p = 4k+1$ for some integer k. Hence we have

(13)
\begin{align} \left(\frac{-1}{p}\right) \equiv (-1)^{\frac{p-1}{2}} = (-1)^{\frac{4k+1-1}{2}} = (-1)^{\frac{4k}{2}} = (-1)^{2k} = 1 \mod{p}. \end{align}

But since the Legendre symbol is either 1 or -1, this congruence implies equality as integers.

On the other hand, suppose that $p \equiv 3 \mod{4}$. Then we have $p = 4k+3$ for some integer k, and we get

(14)
\begin{align} \left(\frac{-1}{p}\right) \equiv (-1)^{\frac{p-1}{2}} = (-1)^{\frac{4k+3-1}{2}} = (-1)^{\frac{4k+2}{2}} = (-1)^{2k+1} = -1 \mod{p}. \end{align}

Again, since the Legendre symbol is either 1 or -1, this congruence tells us that we actually have an equality of integers. $\square$

A Proof of Euler's Criterion

Now that we've seen some applications of Euler's Criterion, let's prove it. We'll break things down into 2 cases.

Case 1: a is a quadratic residue In this case, we have $\left(\frac{a}{p}\right) = 1$, and also that there is a solution to the equation $x^2 \equiv a \mod{p}$. Let $x_0$ be such a solution. Then we get

(15)
\begin{align} a^{\frac{p-1}{2}} = (x_0^2)^{\frac{p-1}{2}} = x_0^{p-1} \equiv 1 \mod{p} \end{align}

with the last equality coming from Fermat's Little Theorem. But we also know that $1 = \left(\frac{a}{p}\right)$, so the previous equation tells us that

(16)
\begin{align} a^{\frac{p-1}{2}} \equiv \left(\frac{a}{p}\right) \mod{p} \end{align}

in this case.

Case 2: a is not a quadratic residue In this case, we know that $\left(\frac{a}{p}\right) = -1$, and we also know that there is no solution to $x^2 \equiv a \mod{p}$. Now we claim that in this case we can pair up the residues between 1 and p-1 so that each pair has product a. To see that this is true, let m be any number between 1 and p-1. Now the equation $mx \equiv a \mod{p}$ has precisely one solution, since $(m,p) = 1$. Hence for each number between 1 and p-1, there is a unique "partner" n between 1 and p-1 so that $mn = a \mod{p}$. Notice that $m \not \equiv n$ since this would imply that $m^2 \equiv a \mod{p}$, impossible since we're in the quadratic nonresidue case.

Now let's compute $\prod_{i=1}^{p-1}i$ in two ways. On the one hand, we know that

(17)
\begin{align} \prod_{i=1}^{p-1} = 1\cdot 2 \cdot 3 \cdots (p-1) = (p-1)! \equiv -1 \mod{p} \end{align}

because of Wilson's Theorem. On the other hand, since we can split the set $\{1,2,\cdots, p-1\}$ into $\frac{p-1}{2}$ pairs, each with product a, we get

(18)
\begin{align} \prod_{i=1}^{p-1} = \prod_{\textrm{\tiny{pairs }}m_in_i} m_in_i = \prod_{\textrm{\tiny{pairs}}} a = a^{\frac{p-1}{2}}. \end{align}

Hence we get $a^{\frac{p-1}{2} \equiv -1 \mod{p}$, and since $\left(\frac{a}{p}\right) = -1$ in this case, we have

(19)
\begin{align} a^{\frac{p-1}{2}} \equiv \left(\frac{a}{p}\right) \mod{p}. \end{align}

$\square$

Multiplicative behavior of the Legendre Symbol

Another bonus of Euler's Criterion is that it gives us a kind of "multiplicativity" for the Legendre symbol.

Lemma: For p and odd prime and $p \nmid a,b$, we have

  1. $\left(\frac{a^2}{p}\right) = 1$;
  2. if $a \equiv b \mod{p}$, then $\left(\frac{a}{p}\right) = \left(\frac{b}{p}\right)$; and
  3. $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$.

Proof: The first two statements aren't hard to prove. The first just says that if you can visibly see that the top part of the Legendre symbol is a square, then you can immediately conclude that — well — it's a square. The second just says that the Legendre symbol is only defined for the congruence class of a given integer a; but of course we know this, because if $a \equiv b \mod{p}$ then the equation $x^2 \equiv a \mod{p}$ has solutions if and only if $x^2 \equiv b \mod{p}$ does.

So we have left to prove the last fact. For this, we'll use Euler's criterion twice (marked using $\star$ in the equation below):

(20)
\begin{align} \left(\frac{ab}{p}\right) \stackrel{\star}{\equiv} (ab)^{\frac{p-1}{2}} = a^{\frac{p-1}{2}}b^{\frac{p-1}{2}} \stackrel{\star}{\equiv} \left(\frac{a}{p}\right)\left(\frac{b}{p}\right) \mod{p}. \end{align}

Notice that since the Legendre symbol is either 1 or -1, this congruence is enough to give us a bona fide equality of integers. $\square$

Example: Computing the Legendre symbol of a random numbers

Suppose, as usual, that p is an odd prime and that $p \nmid a$. Let's write a as its prime factorization: $a = \pm 2^e p_1^{e_1}\cdots p_k^{e_k}$. Then the previous lemma tells us that

(21)
\begin{align} \left(\frac{a}{p}\right) = \left(\frac{\pm 2^ep_1^{e_1}\cdots p_k^{e_k}}{p}\right) = \left(\frac{\pm 1}{p}\right)\left(\frac{2}{p}\right)^{e}\left(\frac{p_1}{p}\right)^{e_1}\cdots \left(\frac{p_k}{p}\right)^{e_k}. \end{align}

This means that if we want to know whether any given number a is a square mod p, it's enough for us to know whether -1 is a square mod p, and also to know which other primes q are squares mod p. $\square$

A Final Note

To finish class I mentioned the following

Theorem: For an odd prime p, we have

$\displaystyle \left(\frac{2}{p}\right) = \left\{\begin{array}{rl}1, &\mbox{ if }p \equiv 1 \mbox{ or }p \equiv 7 \mod{8},\\-1, &\mbox{ if }p \equiv 3\mbox{ or }p \equiv 5 \mod{8}.\end{array}\right.$

We'll cover the proof next time in class, but I point it out because it will be a useful tool for answering questions on the homework.

[module Comments]

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License