This lecture is part of an undergraduate course on the theory of numbers, and will be about quadratic residues. So, first of all, what is a quadratic residue? Well, a quadratic residue is just a slightly fancy name for a square mod p. So, in other words, if x squared is congruent to a mod p, then a is called a quadratic residue, provided a is not congruent to 0. The case a equals 0 is a bit of a special case. In the discussion of quadratic residues, we normally assume that p is odd, because p being equal to 2 is, as usual, a rather exceptional case that behaves differently from everything else. So, p is going to be an odd prime. So, let's just start by making a little list of examples of quadratic residues for various primes. So, for p equals 3, there are two numbers, modulo p, that are non-zero. And what I'm going to do is I'm going to mark the quadratic residues in green, and the non-residues in this colour, which is as close as I can get to red. So, the only square is 1 modulo 3. For p equals 5, the squares are now 1 and 4, and the non-squares are 2 and 3. So, for p equals 7, the squares are quadratic residues. Well, if you square 1, 2 and 3, you get 1, 4, 9, which is 2, and the ones left over are 3, 5 and 6. And for p equals 11, you get 1, 2, 3, 4, 5, 6, 7, 8, 9, 10. In this case, if you square the numbers, 1 squared is 1, 2 squared is 4, 3 squared is 9, 4 squared is 16, which gives you 5, and 5 squared is 25, which gives you 3. And those are all the squares you get, and the non-squares, or quadratic non-residues, are the ones left over. And now let's take a look at this and sort of see what patterns you can see. Well, the most obvious pattern is that half of all numbers are quadratic residues, and the other half are quadratic non-residues, which are the ones that aren't squares. And this is not very difficult to prove, because x squared congruent to a mod p has naught or two solutions.
It can't have more than two, because a second degree equation only has at most two solutions. And if it has one solution, x, then minus x is also a solution. So the map taking x to x squared is a map such that each point is the image of either zero or two non-zero elements mod p. So exactly half of all non-zero residues must be squares. So exactly half of the numbers are residues, and the other half are non-residues. Next, we notice that a quadratic residue times a quadratic residue is a quadratic residue. And this is obvious because a squared times b squared is ab squared. And secondly, we notice that a quadratic residue times a quadratic non-residue is a quadratic non-residue. And this follows for much the same reason. If a quadratic residue times something is a quadratic residue, then again we see this has to be a quadratic residue. A more subtle property is that a quadratic non-residue times a quadratic non-residue is a quadratic residue. And to see this, suppose we pick a number a that's a quadratic non-residue. And if we multiply it by a number b, then if we multiply by all numbers b, we're going to get all numbers. So the numbers a times b are going to be half of them are going to be quadratic residues, and half are going to be quadratic non-residues. But if b is a quadratic residue, then the result is always a quadratic non-residue. And this accounts for all the possible quadratic non-residues because half of all elements are quadratic residues. So this fills up all the quadratic non-residues. So by counting, we see that if b is a non-residue, these must exactly fill up the quadratic residues. So a quadratic non-residue times a non-residue is a quadratic residue. And this sort of follows from the fact that exactly half of everything is a quadratic residue. Incidentally, there's another way to prove this. If we take g to be a primitive root, then a is equal to g to the n for some n.
And we see that a is a quadratic residue if and only if n is even. If n is even, then we can find the square root of a as g to the n over 2. And if n is odd, you see that by, because exactly half of all things are non-residues, all the odd ones here must actually be non-residues. And then this makes the fact that quadratic non-residues times quadratic non-residues are quadratic residues obvious because if we take g to the m times g to the n, this is equal to g to the m plus n. And this thing is even if a and b are both even or both odd. So this is something that only works for prime. So for example, if we work modulo 8 and take the numbers that are co-prime to 8, we get 1, 3, 5 and 7. And you see of these, 1 is a quadratic residue because it's a square. But 3, 5 and 7 are non-residues. So we have less than half of things are quadratic residues. And we also notice the product of a quadratic non-residue by a quadratic non-residue can be a quadratic non-residue because 3 times 5 is congruent to 7. So the thing about the product of two non-residues being a quadratic residue fails if you work modulo 8. You remember 8 doesn't actually have a primitive root, which is sort of why this fact fails. There's a common notation for this which is the Legendre symbol. So the Legendre symbol (a/p) is defined to be 1 if a is a quadratic residue. That means a is equal to x squared, congruent to x squared, and a not congruent to 0. Minus 1 if a is a quadratic non-residue, and naught if a is congruent to 0 modulo p. Mathematicians grossly overuse parentheses as a piece of notation and the Legendre symbol is yet another example of overusing parentheses, but it's the traditional notation and it's too late to do anything about it. And now we notice that all this stuff about quadratic residues or non-residues times residues or non-residues being residues or non-residues can be written as follows. (ab/p) is equal to (a/p) times (b/p).
So for instance if a and b are both non-residues then these two would be minus 1, so this product is 1, so this says a times b is a quadratic residue. Another way of stating that, if you've done group theory, is that a map taking a to (a/p) is a homomorphism of groups from the group of elements co-prime to p modulo p to the little group of order 2, which is just 2 elements, 1 and minus 1. So now we have the following problems that we would like to solve. First of all, given a and p, is a a quadratic residue? And the second problem is, if so, solve x squared is congruent to a modulo p. And there's an obvious stupid solution: just check all possible x, so we would have 1 squared is congruent to 1, 2 squared is congruent to 4, and we go all the way up to p minus 1 squared, which is congruent to plus 1. And we just check all of these to see if x squared is congruent to a. This obviously works and gives a solution and it's fine if p is small, but, so this is okay for p small, but now we have the following problem. What if p is huge, say p might be say about 10 to the power of 100? So suppose I give you a large prime p and some number a, and of course I give you a computer because it would be a bit unreasonable to expect you to do arithmetic with 100 digits. Can you use the computer to test whether a is a square and if so to find its square root? And of course you can't check every case because this would take 10 to the 100 steps, which is just far too much. And Euler found a very neat solution of this, so here's a nice result due to Euler. It says that the Legendre symbol (a/p) is just equal to a to the p minus 1 over 2 modulo p. You know by Fermat's theorem that a to the p minus 1 is congruent to 1, so a to the p minus 1 over 2 has square 1, so this must always be congruent to plus or minus 1. So both sides are plus or minus 1. And now a quick way to prove this is just to kind of cheat and use primitive roots.
If you write a is equal to g to the n where g is a primitive root, then a to the p minus 1 over 2 is equal to g to the p minus 1 times n over 2, which is equal to g to the p minus 1 over 2 to the n. And we notice that if g is a primitive root then g to the p minus 1 over 2 is congruent to minus 1, because its square is 1 and it can't be 1. So this is just congruent to minus 1 to the n, which is equal to 1 if n is even and minus 1 if n is odd. And we saw before that if n is even then g to the n is a square and if n is odd then g to the n is not a square. So this actually gives a fast test to see if a is a quadratic residue, because you remember powers modulo p can be worked out fast by, you know, express p minus 1 over 2 in binary, through this trick of repeatedly squaring a and using that to calculate this modulo p. So we do actually have a fast way of checking whether or not a is a square using Euler's criterion. In fact this is not the best way to check whether a is a square. I just say there's a faster method that we will see a little bit later using something called a Jacobi symbol and the law of quadratic reciprocity, which is a really basic result we're going to be covering over the next few lectures. So that solves the first problem. We can check whether a number is a quadratic residue fairly quickly, and even quicker when we've covered the Jacobi symbol. So now we have the next problem: given a, solve x squared is congruent to a modulo p, and again we're assuming p is far too large to do this by case by case check. You notice if we can solve this equation this allows us to solve any quadratic equation ax squared plus bx plus c is congruent to 0 modulo p, and the point is we can write down a solution to this by completing the square and we get the formula that x is equal to minus b plus or minus the square root of b squared minus 4ac over 2a, just as we do over the reals.
There's one slight problem: we have to divide by two, so we need to assume that p is not congruent, sorry, p is not equal to 2, otherwise we can't divide by 2, but if p is equal to 2 then we can just, there are only two possible values of x and we can just check them both, so that's kind of trivial. So this will give us a fast way of solving quadratic equations. Later on we will find a fast way of solving all polynomial equations over finite fields. Well let's start by doing some easy cases. So the first easy case is when a to the n is congruent to 1 with n odd, and this is because we can write this as a to the 1 plus n minus 1 over 2 times 2 is congruent to 1. So a is congruent to a to the 1 minus n over 2 all squared, and now we can just work out this easily because we're just raising a to some power, and notice n has to be odd because we need to divide 1 minus n by 2. So an example of this is let's find a square root of 2 modulo 31. Well we know 2 to the 5 is congruent to 1 modulo 31 and the key point here is that this number here is odd. So 2 is congruent to 2 to the minus 2 all squared. We're just dividing by 2 squared squared if you see what I mean. So the square root of 2, it's not really a square root of 2 but it's always what I meant. It's going to be just 2 to the minus 2 and we can calculate this easily. It's just 8 and you can check that in fact it is 64 which is indeed 2 modulo 31. Being able to solve things where a is of odd order allows us to actually solve all the cases where p is 3 mod 4. So let's take any prime congruent to 3 modulo 4 and then if a is a square this implies by Euler that a to the p minus 1 over 2 is congruent to 1 modulo p. This was just Euler's criterion. And now we notice that p minus 1 over 2 is odd as p is congruent to 3 modulo 4. So we can just use the previous method to solve this. We find the square root of a is now congruent to a to the p plus 1 over 4. Square root is easy to find if p is 3 mod 4.
So let's just see an example of this. Suppose we take p equals 19, then p plus 1 over 4 is equal to 5. So we see that the square root of any number, if it has a square root, is just that number to the 5. For example we can work out the square root of 6 mod 19 is congruent to 6 to the power of 5, where this 5 is just p plus 1 over 4. And you can easily work out this is congruent to 5 modulo 19. So 5 squared is 25 which is indeed 6. Well what if p is congruent to 1 modulo 4? Well there's at least one easy case of this. Let's try a equals minus 1. So we're trying to find the square root of minus 1 where p is congruent to 1 mod 4. And now suppose g is a primitive root. Then we know that g to the p minus 1 over 2 is congruent to minus 1. So g to the p minus 1 over 4 squared is also congruent to minus 1. And you notice we need to have p congruent to 1 mod 4 for this to make sense. So this is a square root of minus 1. So all you need to do is to find a primitive root and raise it to the power of p minus 1 over 4. So how do we find primitive roots? Well it turns out it's actually quite difficult finding a primitive root of a very large prime. But fortunately we don't really need to. What we do to find a primitive root is guess at random. Which is a traditional way for students to solve problems so everyone should be good at this. What you do is you just pick a random number g, you raise it to the power of p minus 1 over 4 and see if the square of that is equal to minus 1. And if it doesn't work you just try another value of g and you just keep going. And it's very easy to check and in fact half of all numbers you try like this will actually give you a square root of minus 1. So this gives you a probabilistic algorithm. You just keep guessing values of g and each time you've got a 50% chance of finding a square root of minus 1. Probabilistic algorithms really annoy people who like to analyze running times of algorithms.
Because when you analyze running times you want to figure out what the worst is. And the worst case of this algorithm is dreadful because you might be unlucky every time and you might keep guessing and you might have to sort of guess half the values mod p. But the chance of that happening is ridiculously small. And in fact the average number of guesses you need is about 2. So in practice probabilistic algorithms are often very fast but it's hard to find a good estimate for their maximum running time. So let's just see what happens. Let's take p equals 13 and what are the possible values of g we could guess? Well there's 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12. And we could just guess them at random but there are so few. Let's just work out all of them to see what we get. So here g cubed is congruent to 1, 8, 1, minus 1, 8, 8, 5, 5, 1, minus 1, 5, minus 1. And you see what is happening is that half the time we just get 1 or minus 1 which is sort of uninteresting. And the other half of the time we either get 8 or 5 and you can see that 8 squared is congruent to minus 1 and 5 squared is congruent to minus 1. This number 3 here is of course 13 minus 1 over 4. So in practice it's really easy to find square roots of minus 1. There are actually non-probabilistic ways of doing this as well but the probabilistic way is much easier. Much easier to remember. So what happens in general? Well I'm going to be a little bit sketchier here. So first suppose the order of a is a power of 2. So a to the 2 to the m is congruent to 1 modulo p. And we want to try and find a square root of p. What we do is we pick a primitive root g. And again we pick one by guessing. We sort of guess a number and try it and see if it works and if it doesn't we guess again. And now if we write p minus 1 is going to be 2 to the n times some odd number for some n. So we factor p minus 1 as a power of 2 times some odd number b. And we know g to the b now has order 2 to the n.
And we must have n greater than m if a is a square. So what we're going to do now is write a as a power of g. So we see that a is now going to be g to the 2 to the n minus m times something odd. So we're writing a as a power of g. And in order that a has order 2 to the m it must be this sort of power of g. And then we notice that a times g to the 2 to the n minus m now has order dividing 2 to the m minus 1. So what we can do is we can write the square root of a is equal to the square root of a times 2 times g to the 2 to the n minus m times divided by g, the square root of g to the 2 to the n minus m. And we can work out the square root of this because it's just g to the 2 to the n minus m minus 1. And we can work out the square root of this by induction because it's got order smaller than the order of a. So we just keep on repeating this process and we get a reasonably fast algorithm for finding a square root of a number whose order is a power of 2. Now I'll sketch the general case. Let's try and find the square root of a and the idea is very simple. We write a is equal to s times t times b times c where b has order 2 to the m and c has odd order. And we know how to find square roots of things of order 2 to the m and we know how to find square roots of things whose order is odd. So we can then find the square root of a. So how do we express a like this? Well, what we do is we solve 2 to the n s plus g times t is equal to 1. Here we're writing p minus 1 is equal to 2 to the n times g. So we're writing p minus 1 as a power of 2 times the number g where g is odd. And we can solve this using Euclid. And now we write a is equal to a to the 2 to the n s times a to the gt because 2 to the n s plus gt is 1. And now we notice that a to the 2 to the n has odd order and a to the g has even order. Sorry, not even order. Order a power of 2.
So we've written a, so all we need to do is to work out the square root of this bit of odd order, raise it to the power of s and then work out the square root of this thing of order a power of 2 and then raise it to the power of t. So this sort of more or less shows that we can find square roots of numbers modulo p even if p is very large. If you want an exercise you can try just generalising that to show that there's a fast method of finding cube roots modulo p. Okay, the next few lectures we're going to be looking at the problem of finding a simpler way of telling whether a number is a square or quadratic residue modulo p and we'll start by looking at some examples in the next lecture.
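
As an added example (not part of the lecture), the Python below implements Euler's criterion, the easy square root for p congruent to 3 mod 4, the guess-at-random square root of minus 1, and a general square root. The general case uses the standard Tonelli-Shanks formulation rather than the exact decomposition sketched in the lecture. Function names are illustrative, p is assumed to be an odd prime, and Python's `pow` is not constant-time, so this is for study and not for handling secret values.

```python
import random

def legendre(a, p):
    """Euler's criterion: a^((p-1)/2) mod p, reported as 1, -1 or 0."""
    r = pow(a, (p - 1) // 2, p)   # repeated squaring: O(log p) multiplications
    return -1 if r == p - 1 else r

def sqrt_minus_one(p, rng=random):
    """Square root of -1 for p = 1 mod 4: guess g until g^((p-1)/4) squares to -1."""
    assert p % 4 == 1
    while True:
        r = pow(rng.randrange(2, p), (p - 1) // 4, p)
        if r * r % p == p - 1:    # true exactly when g is a non-residue (half of all g)
            return r

def sqrt_mod(a, p, rng=random):
    """Return x with x*x = a (mod p), or None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        return None
    if p % 4 == 3:                # easy case: a^((p+1)/4)
        return pow(a, (p + 1) // 4, p)
    # Tonelli-Shanks: write p - 1 = 2^n * q with q odd.
    q, n = p - 1, 0
    while q % 2 == 0:
        q //= 2
        n += 1
    z = rng.randrange(2, p)       # find a non-residue by guessing
    while legendre(z, p) != -1:
        z = rng.randrange(2, p)
    c = pow(z, q, p)              # element of order exactly 2^n
    x = pow(a, (q + 1) // 2, p)   # invariant: x*x = a*t (mod p)
    t = pow(a, q, p)              # the part of a whose order is a power of 2
    while t != 1:
        i, t2 = 0, t              # least i with t^(2^i) = 1
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (n - i - 1), p)
        x = x * b % p
        c = b * b % p
        t = t * c % p             # order of t strictly drops each round
        n = i
    return x

# Assumption: 2^255 - 19 (the Curve25519 field prime) as a large p = 1 mod 4.
P25519 = 2**255 - 19
```

Calling `sqrt_mod(6, 19)` and `sqrt_mod(2, 31)` reproduces the lecture's worked answers 5 and 8.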