
Gauss called the Law of Quadratic Reciprocity the golden theorem of number theory because, when it is in hand, the study of quadratic residues and non-residues can be pursued to a significantly deeper level. We have already seen some examples of how useful the LQR can be in answering questions about the calculation of specific residues or non-residues. In this chapter, we will study four applications of the LQR which illustrate how it can be used to shed further light on interesting properties of residues and non-residues.

Our first application will use quadratic reciprocity to completely solve the Basic Problem and the Fundamental Problem for Odd Primes that we introduced in Chap. 2. If z is an integer, recall that the Basic Problem is to determine all primes p such that z is a quadratic residue of p and to determine all primes p such that z is a quadratic non-residue of p. The Basic Problem must be solved in order to determine when the quadratic congruence \(ax^{2} + bx + c \equiv 0\) mod p has a solution, as we saw in Chap. 1, and it must also be solved in order to determine the splitting moduli of quadratic polynomials, as we explained in Sect. 3.1 of Chap. 3. Theorems 2.4 and 2.6 solve the Basic Problem for, respectively, z = −1 and z = 2, and in Chap. 2 we also showed how to reduce the solution of the Basic Problem to its solution when z is an odd prime, which we call the Fundamental Problem for Odd Primes. In Sect. 4.1 of this chapter, the LQR will be used to solve the Fundamental Problem for Odd Primes and this solution will then be used in Sect. 4.2 to solve the Basic Problem.

The second application, which we will discuss in Sect. 4.3, employs quadratic reciprocity to investigate when finite, nonempty subsets of the positive integers occur as sets of residues of infinitely many primes. In addition to the LQR, the key lemma which we will use to answer that question also employs Dirichlet’s theorem on primes in arithmetic progression. We take the appearance of Dirichlet’s theorem here as an opportunity to discuss Dirichlet’s proof of that theorem in Sect. 4.4, because many of the ideas and techniques of his reasoning will be used extensively in much of the work that we will do in subsequent chapters.

If S is a finite, nonempty subset of the positive integers which is a set of residues for infinitely many primes, a natural question that immediately occurs asks: how large is the set of all primes p such that S is a set of residues of p? In order to answer that question, one must find a way to accurately measure the size of an infinite set of primes. A good way to make that measurement is provided by the concept of the natural or asymptotic density of a set of primes, which we will discuss in Sect. 4.5. In Sect. 4.6, we apply quadratic reciprocity a third time in order to deduce a very nice way to calculate the asymptotic density of the set of all primes p such that S is a set of residues of p.

Number theory, and in particular the theory of quadratic residues, has been applied extensively in modern cryptology. As one example of those applications, suppose that you receive an identification number from person A and you want to verify that A is legitimately in possession of that identification number, i.e., you want to be sure that A really is who he claims to be, without knowing anything else about A. Or, for a more mathematical example, A wants to convince you that he knows the prime factors of a very large number, without telling you what the prime factors are. This second example is actually used by smart cards to verify personal identification numbers. In Sect. 4.7, we will describe methods, known as zero-knowledge or minimum-disclosure proofs, which use quadratic residues to securely verify the identity of someone and to convince someone that you are who you say you are. Jacobi symbols and our fourth application of the LQR are used in Sects. 4.8 and 4.9 to describe and verify an algorithm for fast and efficient computation of Legendre symbols that is required for the calculations in the zero-knowledge proof of Sect. 4.7.

4.1 Solution of the Fundamental Problem for Odd Primes

We will now use quadratic reciprocity to solve the Fundamental Problem for Odd Primes. Let q be an odd prime, and recall from Chap. 2 that the sets X ±(q) are defined by

$$\displaystyle{ X_{\pm }(q) =\{ p:\chi _{p}(q) = \pm 1\}. }$$

The Fundamental Problem for Odd Primes requires that the primes p in these sets be found in some explicit and concrete manner.

Let \(r_{i}^{+}\) (respectively, \(r_{i}^{-}\)), \(i = 1,\ldots, \frac{1} {2}(q - 1)\), denote the residues (respectively, non-residues) of q in [1, q − 1]. Note, as we pointed out in Chap. 2, that the residues and non-residues of q can be found by simply calculating the integers \(1^{2},2^{2},\ldots,(\frac{q-1} {2} )^{2}\) and then reducing mod q. The integers that result from this computation are the residues of q inside [1, q − 1]. We consider the two cases which are determined by whether q is congruent to 1 or 3 mod 4.

Case 1: :

q ≡ 1 mod 4.

In this case, the LQR implies immediately that

$$\displaystyle\begin{array}{rcl} X_{\pm }(q)& =& \{p:\chi _{p}(q) = \pm 1\} {}\\ & =& \{p:\chi _{q}(p) = \pm 1\} {}\\ & =& \bigcup _{i=1}^{\frac{1} {2} (q-1)}\ \{p: p \equiv r_{i}^{\pm }\ \mbox{ mod}\ q\}. {}\\ \end{array}$$

Example

q = 17.

We find that the residues of 17 are 1, 2, 4, 8, 9, 13, 15, and 16 and the non-residues of 17 are 3, 5, 6, 7, 10, 11, 12, and 14. Hence

$$\displaystyle\begin{array}{rcl} X_{+}(17)& =& \{p: p \equiv 1,2,4,8,9,13,15,\ \text{or}\ 16\ \mbox{ mod}\ 17\}, {}\\ X_{-}(17)& =& \{p: p \equiv 3,5,6,7,10,11,12,\ \text{or}\ 14\ \mbox{ mod}\ 17\}. {}\\ \end{array}$$

(Recall that p always denotes an odd prime.)

Case 2: :

q ≡ 3 mod 4.

Note first (from Theorem 2.4) that

$$\displaystyle{ X_{\pm }(-1) =\{ p: p \equiv \pm 1\ \mbox{ mod}\ 4\}. }$$

Hence as a consequence of the LQR,

$$\displaystyle\begin{array}{rcl} X_{+}(q) =\big (X_{+}(-1) \cap \{ p:\chi _{q}(p) = 1\}\big) \cup \big (X_{-}(-1) \cap \{ p:\chi _{q}(p) = -1\}\big).& & {}\end{array}$$
(4.1)

Now for \(i = 1,\ldots, \frac{1} {2}(q - 1)\), let

$$\displaystyle{ x \equiv x_{i}^{\pm }\mod 4q,\ 1 \leq x_{ i}^{\pm }\leq 4q - 1, }$$

be the simultaneous solutions of

$$\displaystyle\begin{array}{rcl} x& \equiv &\pm 1\ \mbox{ mod}\ 4, {}\\ x& \equiv & r_{i}^{\pm }\ \mbox{ mod}\ q, {}\\ \end{array}$$

obtained from the Chinese remainder theorem (Theorem 1.3). If we set

$$\displaystyle{ V (q) =\{ x_{1}^{+},\ldots,x_{\frac{ 1} {2} (q-1)}^{+},x_{ 1}^{-},\ldots,x_{\frac{ 1} {2} (q-1)}^{-}\} }$$

then (4.1) implies that

$$\displaystyle{ X_{+}(q) =\bigcup _{n\in V (q)}\ \{p: p \equiv n\ \mbox{ mod}\ 4q\}. }$$

In order to calculate \(X_{-}(q)\), recall that U(4q) denotes the set {n ∈ [1, 4q − 1]: gcd(n, 4q) = 1} and then observe that

$$\displaystyle\begin{array}{rcl} V (q)& \subseteq & U(4q), {}\\ \{p: p\not =q\}& =& \bigcup _{n\in U(4q)}\ \{p: p \equiv n\ \mbox{ mod}\ 4q\}. {}\\ \end{array}$$

Hence

$$\displaystyle\begin{array}{rcl} X_{-}(q)& =& \{p: p\not =q\}\setminus X_{+}(q) {}\\ & =& \bigcup _{n\in U(4q)\setminus V (q)}\ \{p: p \equiv n\ \mbox{ mod}\ 4q\}. {}\\ \end{array}$$

Example

q = 7.

The residues of 7 are 1, 2, and 4 and the non-residues are 3, 5, and 6. Because of the Chinese remainder theorem, the simultaneous solutions of the congruence pairs

$$\displaystyle\begin{array}{rcl} p& \equiv & 1\mod 4\ \mbox{ and}\ p \equiv 1\ \mbox{ mod}\ 7, {}\\ p& \equiv & 1\mod 4\ \mbox{ and}\ p \equiv 2\ \mbox{ mod}\ 7, {}\\ p& \equiv & 1\mod 4\ \mbox{ and}\ p \equiv 4\ \mbox{ mod}\ 7, {}\\ p& \equiv & -1\mod 4\ \mbox{ and}\ p \equiv 3\ \mbox{ mod}\ 7, {}\\ p& \equiv & -1\mod 4\ \mbox{ and}\ p \equiv 5\ \mbox{ mod}\ 7, {}\\ p& \equiv & -1\mod 4\ \mbox{ and}\ p \equiv 6\ \mbox{ mod}\ 7, {}\\ \end{array}$$

are, respectively,

$$\displaystyle\begin{array}{rcl} p& \equiv & 1\ \mbox{ mod}\ 28, {}\\ p& \equiv & 9\ \mbox{ mod}\ 28, {}\\ p& \equiv & 25\ \mbox{ mod}\ 28, {}\\ p& \equiv & 3\ \mbox{ mod}\ 28, {}\\ p& \equiv & 19\ \mbox{ mod}\ 28, {}\\ p& \equiv & 27\ \mbox{ mod}\ 28. {}\\ \end{array}$$

Hence

$$\displaystyle{ X_{+}(7) =\{ p: p \equiv 1,3,9,19,25,\ \text{or}\ 27\ \mbox{ mod}\ 28\}. }$$

We have that

$$\displaystyle\begin{array}{rcl} U(28)& =& \{1,3,5,9,11,13,15,17,19,23,25,27\}, {}\\ V (7)& =& \{1,3,9,19,25,27\}, {}\\ \end{array}$$

hence,

$$\displaystyle{ U(28)\setminus V (7) =\{ 5,11,13,15,17,23\}, }$$

and so

$$\displaystyle{ X_{-}(7) =\{ p: p \equiv 5,11,13,15,17,\ \text{or}\ 23\ \mbox{ mod}\ 28\}. }$$
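The two cases above are a short algorithm, and it is worth seeing it run. The following Python code is an added example and is not part of the book: it computes the residues of q by squaring, applies Case 1 directly when q ≡ 1 mod 4, and in Case 2 glues each residue to the class 1 mod 4 and each non-residue to the class −1 mod 4 with the Chinese remainder theorem, returning the modulus m (q or 4q) together with the class lists V(q) and U(4q) \ V(q). The function names are this example's own. The last function is the check a practitioner should always run on such a table: it compares the class lists against Euler's criterion \(q^{(p-1)/2} \equiv \pm 1\) mod p for every prime p below a bound, which is independent of the LQR.

```python
from math import gcd


def residues(q):
    """Residues of the odd prime q in [1, q-1]: reduce 1^2, 2^2, ..., ((q-1)/2)^2 mod q."""
    return sorted({(i * i) % q for i in range(1, (q - 1) // 2 + 1)})


def crt_pair(a1, m1, a2, m2):
    """Chinese remainder theorem for coprime moduli: the x in [0, m1*m2)
    with x ≡ a1 (mod m1) and x ≡ a2 (mod m2)."""
    return (a1 + m1 * (((a2 - a1) * pow(m1, -1, m2)) % m2)) % (m1 * m2)


def units(m):
    """U(m) = {n in [1, m-1] : gcd(n, m) = 1}."""
    return [n for n in range(1, m) if gcd(n, m) == 1]


def fundamental_problem(q):
    """Solve the Fundamental Problem for the odd prime q.

    Returns (m, v_plus, v_minus) meaning
        X_+(q) = {p : p ≡ n mod m for some n in v_plus},
        X_-(q) = {p : p ≡ n mod m for some n in v_minus}.
    """
    res = residues(q)
    res_set = set(res)
    non = [n for n in range(1, q) if n not in res_set]
    if q % 4 == 1:
        # Case 1: the LQR gives chi_p(q) = chi_q(p), so only p mod q matters.
        return q, res, non
    # Case 2 (q ≡ 3 mod 4): chi_p(q) = chi_q(p) when p ≡ 1 mod 4 and
    # chi_p(q) = -chi_q(p) when p ≡ 3 mod 4.  Residues of q go with 1 mod 4,
    # non-residues with -1 mod 4; the CRT combines the two conditions mod 4q.
    v_plus = sorted([crt_pair(1, 4, r, q) for r in res]
                    + [crt_pair(3, 4, n, q) for n in non])
    v_plus_set = set(v_plus)
    v_minus = [n for n in units(4 * q) if n not in v_plus_set]
    return 4 * q, v_plus, v_minus


def primes_up_to(n):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i in range(n + 1) if sieve[i]]


def check_against_euler(q, bound):
    """Independent check of the class lists: Euler's criterion says
    q^((p-1)/2) ≡ 1 mod p exactly when q is a residue of p."""
    m, v_plus, v_minus = fundamental_problem(q)
    v_plus, v_minus = set(v_plus), set(v_minus)
    for p in primes_up_to(bound):
        if p in (2, q):          # chi_p(q) is only defined for odd p != q
            continue
        is_res = pow(q, (p - 1) // 2, p) == 1
        if is_res != (p % m in v_plus) or is_res == (p % m in v_minus):
            return False
    return True


if __name__ == "__main__":
    for q in (7, 17):
        print(q, fundamental_problem(q), check_against_euler(q, 5000))
```

For q = 7 the function returns the modulus 28 with V(7) = {1, 3, 9, 19, 25, 27} and U(28) \ V(7) = {5, 11, 13, 15, 17, 23}, and for q = 17 the modulus 17 with the residue and non-residue lists of the first example; the Euler check confirms both tables for every prime below the bound.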

4.2 Solution of the Basic Problem

If d is a fixed but arbitrary integer, we recall formulae (2.2) and (2.5) for \(X_{+}(d)\) from Chap. 2. Suppose first that d > 0. Let

$$\displaystyle{ \mathcal{E} =\{ E \subseteq \pi _{\mbox{ odd}}(d): \vert E\vert \ \text{is even}\}, }$$

where π odd(d) denotes the set of all prime factors of d of odd multiplicity. If \(E \in \mathcal{E}\), let R E denote the set of all p such that

$$\displaystyle{ \chi _{p}(q) = \left \{\begin{array}{ll} - 1,\ \mbox{ if}\ \mbox{ q} \in E, \\ 1,\ \mbox{ if}\ \mbox{ q} \in \pi _{\mbox{ odd}}(d)\setminus E.\\ \end{array} \right. }$$

Then formula (2.2) of Chap. 2 is

$$\displaystyle{ X_{+}(d) =\Big (\bigcup _{E\in \mathcal{E}}\ R_{E}\Big)\setminus \pi _{\text{even}}(d), }$$

where π even(d) denotes the set of all prime factors of d of even multiplicity, and this union is pairwise disjoint. Moreover

$$\displaystyle{ R_{E} =\Big (\bigcap _{q\in E}\ X_{-}(q)\Big) \cap \Big (\bigcap _{q\in \pi _{ \mbox{ odd}}(d)\setminus E}\ X_{+}(q)\Big). }$$

Suppose next that d < 0, and let

$$\displaystyle{ \mathcal{E}_{-1} =\{ E \subseteq \{-1\} \cup \pi _{\mbox{ odd}}(d): \vert E\vert \ \text{is even}\}. }$$

Then formula (2.5) of Chap. 2 is

$$\displaystyle{ X_{+}(d) =\Big (\bigcup _{E\in \mathcal{E}_{-1}}\ R_{E}\Big)\setminus \pi _{\text{even}}(d), }$$

where

$$\displaystyle{ R_{E} =\Big (\bigcap _{q\in E}\ X_{-}(q)\Big) \cap \Big (\bigcap _{q\in (\{-1\}\cup \pi _{ \mbox{ odd}}(d))\setminus E}\ X_{+}(q)\Big),E \in \mathcal{E}_{-1}. }$$

We can now use formula (2.2) or (2.5) of Chap. 2 in concert with the solution of the Fundamental Problem for Odd Primes to calculate X ±(d), thereby solving the Basic Problem. The formulae that we have derived for the calculation of X ±(q) where q is either − 1 or a prime show that each of these sets is equal to a union of certain equivalence classes mod 4, 8, an odd prime, or 4 times an odd prime. It follows that when we employ formula (2.2) or (2.5) of Chap. 2 to calculate X +(d), each of the sets R E occurring in those formulae can hence be calculated by the method of successive substitution, a generalization of the Chinese remainder theorem that can be used to solve simultaneous congruences when the moduli of the congruences are no longer pairwise relatively prime.

The method of successive substitution works as follows. We have a series of congruences of the form

$$\displaystyle{ x \equiv a_{i}\ \mbox{ mod}\ m_{i},\ i = 1,\ldots,k, }$$
(4.2)

where \((m_{1},\ldots,m_{k})\) is a given k-tuple of moduli and \((a_{1},\ldots,a_{k})\) is a given k-tuple of integers, which we wish to solve simultaneously. Denoting by lcm(a, b) the least common multiple of the integers a and b, one starts with

Proposition 4.1

The congruences

$$\displaystyle{ x \equiv a_{1}\ \text{mod}\ m_{1},\ x \equiv a_{2}\ \text{mod}\ m_{2} }$$

have a simultaneous solution if and only if gcd (m 1 ,m 2 ) divides a 1 − a 2 . The solution is unique modulo lcm(m 1 ,m 2 ) and is given by

$$\displaystyle{ x \equiv a_{1} + x_{0}m_{1}\ \text{mod}\ \text{lcm}(m_{1},m_{2}), }$$

where x 0 is a solution of

$$\displaystyle{ m_{1}x_{0} \equiv a_{2} - a_{1}\ \text{mod}\ m_{2}. }$$

The congruences (4.2) are then solved by first using Proposition 4.1 to solve the first two congruences in (4.2), then, if necessary, pairing the solution so obtained with the third congruence in (4.2) and applying Proposition 4.1 to solve that congruence pair, and continuing in this manner, successively applying Proposition 4.1 to the pair of congruences consisting of the solution obtained from step i − 1 and the i-th congruence in (4.2). This procedure confirms that (4.2) has a simultaneous solution if and only if \(\gcd(m_{i},m_{j})\) divides \(a_{i} - a_{j}\) for all i and j, and that the solution is unique modulo the least common multiple of \(m_{1},\ldots,m_{k}\). Proposition 4.1 is not difficult to verify, and so we will leave that to the interested reader.

Consequently, once the residues and non-residues of each integer in π odd(d) are determined, X +(d) can be calculated by repeated applications of the method of successive substitutions. In particular, one finds a positive integer m(d) and a subset V (d) of \(U\big(m(d)\big)\) such that

$$\displaystyle{ X_{+}(d) =\Big (\bigcup _{n\in V (d)}\ \{p: p \equiv n\ \mbox{ mod}\ m(d)\}\Big)\setminus \pi _{\text{even}}(d). }$$

The modulus m(d) is determined like so: if d > 0 and π odd(d) contains neither 2 nor a prime ≡ 3 mod 4, then m(d) is the product of all the elements of π odd(d); otherwise, m(d) is 4 times this product.

The formula for \(X_{-}(d)\) can now be obtained from the one for \(X_{+}(d)\) by first observing that as a consequence of the above determination of m(d),

$$\displaystyle{ \pi \big(m(d)\big) \cup \{ 2\} =\pi _{\mbox{ odd}}(d) \cup \{ 2\}, }$$

and so

$$\displaystyle{ \pi (d) \cup \{ 2\} =\pi \big (m(d)\big) \cup \{ 2\} \cup \pi _{\text{even}}(d). }$$

Upon recalling that P denotes the set of all primes, it follows that

$$\displaystyle\begin{array}{rcl} X_{-}(d)& =& P\setminus \big(X_{+}(d) \cup \{ 2\} \cup \pi (d)\big) {}\\ & =& P\setminus \big(\pi \big(m(d)\big) \cup \{ 2\} \cup X_{+}(d) \cup \pi _{\text{even}}(d)\big) {}\\ & =& \big[P\setminus \big(\pi \big(m(d)\big) \cup \{ 2\}\big)\big]\setminus \big[X_{+}(d) \cup \pi _{\text{even}}(d)\big]. {}\\ & & {}\\ \end{array}$$

Because

$$\displaystyle{ P\setminus \big(\pi \big(m(d)\big) \cup \{ 2\}\big) =\bigcup _{n\in U(m(d))}\ \{p: p \equiv n\ \mbox{ mod}\ m(d)\}, }$$
$$\displaystyle{ X_{+}(d) \cup \pi _{\text{even}}(d) =\Big (\bigcup _{n\in V (d)}\ \{p: p \equiv n\ \mbox{ mod}\ m(d)\}\Big) \cup \pi _{\text{even}}(d), }$$

it hence follows that

$$\displaystyle{ X_{-}(d) =\Big (\bigcup _{n\in U(m(d))\setminus V (d)}\ \{p: p \equiv n\ \mbox{ mod}\ m(d)\}\Big)\setminus \pi _{\text{even}}(d). }$$

The set V (d) that appears in the formulae which calculate \(X_{\pm }(d)\) is obtained from applications of the method of successive substitution to the calculation of each of the sets R E which appears in (2.2) or (2.5) of Chap. 2. A natural question which arises asks: are all of the integers in V (d) and \(U\big(m(d)\big)\setminus V (d)\) which arise from these calculations required for the determination of \(X_{\pm }(d)\)? The answer is yes, if for each pair of relatively prime positive integers m and n, the set \(\{z \in \mathbb{Z}: z \equiv n\mod m\}\) contains primes. Remarkably enough, \(\{z \in \mathbb{Z}: z \equiv n\mod m\}\) in fact always contains infinitely many primes. This is a famous theorem of Dirichlet [10], and the connection of that theorem to the calculation of \(X_{\pm }(d)\) was Dirichlet’s primary motivation for proving it. Much more is to come (in Sect. 4.4 below) about Dirichlet’s theorem and its use in the study of residues and non-residues.

We next illustrate the procedure which we have described for the solution of the Basic Problem by calculating \(X_{\pm }(126)\). From the calculations for this example that we performed in Sect. 2.2 of Chap. 2, it follows that

$$\displaystyle{ X_{+}(126) =\Big (\big(X_{+}(2) \cap X_{+}(7)\big) \cup \big (X_{-}(2) \cap X_{-}(7)\big)\Big)\setminus \{3\}. }$$

hence we must calculate \(X_{+}(2) \cap X_{+}(7)\) and \(X_{-}(2) \cap X_{-}(7)\).

Calculation of X +(2) ∩ X +(7).

Theorem 2.6 implies that

$$\displaystyle{ X_{+}(2) =\{ p: p \equiv 1\ \text{or }\ 7\ \mbox{ mod}\ 8\}, }$$

and we have from the calculation of X +(7) above that

$$\displaystyle{ X_{+}(7) =\{ p: p \equiv 1,3,9,19,25,\ \text{or}\ 27\ \mbox{ mod}\ 28\}. }$$

In order to calculate X +(2) ∩ X +(7), we need to solve at most 12 (but in fact exactly six) pairs of simultaneous congruences. We do this by applying Proposition 4.1. We have that gcd(8, 28) = 4, lcm(8, 28) = 56, and so Proposition 4.1 implies that X +(2) ∩ X +(7) consists of the union of all odd prime simultaneous solutions of the congruence pairs

$$\displaystyle\begin{array}{rcl} x& \equiv & 1\mod 8,\ x \equiv 1\ \mbox{ mod}\ 28, {}\\ x& \equiv & 1\mod 8,\ x \equiv 9\ \mbox{ mod}\ 28, {}\\ x& \equiv & 1\mod 8,\ x \equiv 25\ \mbox{ mod}\ 28, {}\\ x& \equiv & 7\mod 8,\ x \equiv 3\ \mbox{ mod}\ 28, {}\\ x& \equiv & 7\mod 8,\ x \equiv 19\ \mbox{ mod}\ 28, {}\\ x& \equiv & 7\mod 8,\ x \equiv 27\ \mbox{ mod}\ 28, {}\\ \end{array}$$

whose odd prime solutions are, respectively,

$$\displaystyle\begin{array}{rcl} p& \equiv & 1\ \mbox{ mod}\ 56, {}\\ p& \equiv & 9\ \mbox{ mod}\ 56, {}\\ p& \equiv & 25\ \mbox{ mod}\ 56, {}\\ p& \equiv & 31\ \mbox{ mod}\ 56, {}\\ p& \equiv & 47\ \mbox{ mod}\ 56, {}\\ p& \equiv & 55\ \mbox{ mod}\ 56. {}\\ \end{array}$$

Calculation of \(X_{-}(2) \cap X_{-}(7)\).

From Theorem 2.6 and the calculation of \(X_{-}(7)\) above, it follows that

$$\displaystyle\begin{array}{rcl} X_{-}(2)& =& \{p: p \equiv 3\ \text{or}\ 5\ \mbox{ mod}\ 8\}, {}\\ X_{-}(7)& =& \{p: p \equiv 5,11,13,15,17,\ \text{or}\ 23\ \mbox{ mod}\ 28\}. {}\\ \end{array}$$

Hence, again according to Proposition 4.1, \(X_{-}(2) \cap X_{-}(7)\) consists of the union of all odd prime simultaneous solutions of the congruence pairs

$$\displaystyle\begin{array}{rcl} x& \equiv & 3\mod 8,\ x \equiv 11\ \mbox{ mod}\ 28, {}\\ x& \equiv & 3\mod 8,\ x \equiv 15\ \mbox{ mod}\ 28, {}\\ x& \equiv & 3\mod 8,\ x \equiv 23\ \mbox{ mod}\ 28, {}\\ x& \equiv & 5\mod 8,\ x \equiv 5\ \mbox{ mod}\ 28, {}\\ x& \equiv & 5\mod 8,\ x \equiv 13\ \mbox{ mod}\ 28, {}\\ x& \equiv & 5\mod 8,\ x \equiv 17\ \mbox{ mod}\ 28, {}\\ \end{array}$$

whose odd prime solutions are, respectively,

$$\displaystyle\begin{array}{rcl} p& \equiv & 11\ \mbox{ mod}\ 56, {}\\ p& \equiv & 43\ \mbox{ mod}\ 56, {}\\ p& \equiv & 51\ \mbox{ mod}\ 56, {}\\ p& \equiv & 5\ \mbox{ mod}\ 56, {}\\ p& \equiv & 13\ \mbox{ mod}\ 56, {}\\ p& \equiv & 45\ \mbox{ mod}\ 56. {}\\ \end{array}$$

From this calculation of \(X_{+}(2) \cap X_{+}(7)\) and \(X_{-}(2) \cap X_{-}(7)\), it hence follows that

$$\displaystyle{ X_{+}(126) =\{ p: p \equiv 1,5,9,11,13,25,31,43,45,47,51,\ \text{or}\ 55\ \mbox{ mod}\ 56\}. }$$

In order to calculate \(X_{-}(126)\), we simply delete from U(56) the minimal positive ordinary residues mod 56 that determine \(X_{+}(126)\): the integers resulting from that are 3, 15, 17, 19, 23, 27, 29, 33, 37, 39, 41, and 53. Hence

$$\displaystyle{ X_{-}(126) =\{ p\not =3: p \equiv 3,15,17,19,23,27,29,33,37,39,41,\ \text{or}\ 53\ \mbox{ mod}\ 56\}. }$$
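Proposition 4.1 and the method of successive substitution are exactly the kind of routine that is easy to get subtly wrong (the solvability test, the division by the gcd, the modulus of the answer), so here they are implemented and then used to redo the calculation of \(X_{\pm }(126)\) just given. This Python code is an added example, not part of the book. It takes the class lists for \(X_{\pm }(2)\) mod 8 (Theorem 2.6) and \(X_{\pm }(7)\) mod 28 (Sect. 4.1) as given, intersects them pairwise by solving the congruence pairs, and then confirms the resulting lists mod 56 against Euler's criterion for all primes outside π(126) = {2, 3, 7} below a bound. Function names are this example's own.

```python
from math import gcd


def solve_pair(a1, m1, a2, m2):
    """Proposition 4.1: solve x ≡ a1 (mod m1), x ≡ a2 (mod m2) for arbitrary moduli.

    Returns (x, lcm(m1, m2)) with 0 <= x < lcm, or None when gcd(m1, m2)
    does not divide a1 - a2 (no simultaneous solution)."""
    g = gcd(m1, m2)
    if (a1 - a2) % g:
        return None
    lcm = m1 // g * m2
    # m1*x0 ≡ a2 - a1 (mod m2)  <=>  (m1/g)*x0 ≡ (a2 - a1)/g (mod m2/g),
    # and m1/g is invertible mod m2/g because gcd(m1/g, m2/g) = 1.
    n = m2 // g
    x0 = 0 if n == 1 else ((a2 - a1) // g) * pow(m1 // g, -1, n) % n
    return (a1 + x0 * m1) % lcm, lcm


def solve_system(congruences):
    """Method of successive substitution: fold Proposition 4.1 over the
    list [(a_1, m_1), ..., (a_k, m_k)].  Returns (x, lcm of all m_i) or None."""
    x, m = congruences[0]
    for a, n in congruences[1:]:
        step = solve_pair(x, m, a, n)
        if step is None:
            return None
        x, m = step
    return x, m


def intersect_classes(classes1, m1, classes2, m2):
    """Classes mod lcm(m1, m2) cut out by
    {p ≡ n mod m1 : n in classes1} ∩ {p ≡ n mod m2 : n in classes2}."""
    lcm = m1 // gcd(m1, m2) * m2
    found = set()
    for a in classes1:
        for b in classes2:
            step = solve_pair(a, m1, b, m2)
            if step is not None:
                found.add(step[0])
    return sorted(found), lcm


# Class lists taken from the text: Theorem 2.6 (mod 8) and Sect. 4.1 (mod 28).
X_PLUS_2, X_MINUS_2 = [1, 7], [3, 5]
X_PLUS_7, X_MINUS_7 = [1, 3, 9, 19, 25, 27], [5, 11, 13, 15, 17, 23]


def x_plus_126():
    """V(126) and m(126): X_+(126) = {p : p ≡ n mod 56, n in V(126)} \\ {3}."""
    a, lcm = intersect_classes(X_PLUS_2, 8, X_PLUS_7, 28)
    b, _ = intersect_classes(X_MINUS_2, 8, X_MINUS_7, 28)
    return sorted(set(a) | set(b)), lcm


def x_minus_126():
    """U(56) \\ V(126), so X_-(126) = {p != 3 : p ≡ n mod 56, n in this list}."""
    v, lcm = x_plus_126()
    v = set(v)
    return [n for n in range(1, lcm) if gcd(n, lcm) == 1 and n not in v], lcm


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def check_euler(bound):
    """Cross-check with Euler's criterion for every odd prime p ∉ {3, 7} below bound:
    126^((p-1)/2) ≡ 1 mod p must hold exactly when p mod 56 lies in V(126)."""
    v, m = x_plus_126()
    v = set(v)
    for p in range(3, bound):
        if p in (3, 7) or not is_prime(p):
            continue
        if (pow(126, (p - 1) // 2, p) == 1) != (p % m in v):
            return False
    return True


if __name__ == "__main__":
    print(x_plus_126())
    print(x_minus_126())
    print(check_euler(5000))
```

Of the twelve congruence pairs tried for each intersection, solve_pair rejects exactly the six whose residues differ by a non-multiple of gcd(8, 28) = 4, which is why the text speaks of "at most 12 (but in fact exactly six)" pairs.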

4.3 Sets of Integers Which Are Quadratic Residues of Infinitely Many Primes

In this section we will use the LQR to investigate when a finite non-empty subset of positive integers is the set of residues for infinitely many primes. We start by looking at singleton sets. Obviously, if \(a \in \mathbb{Z}\) is a square then a is a residue of all primes. Is the converse true, i.e., if a positive integer is a residue of all primes, must it be a square? The answer is yes; in fact a slightly stronger statement is valid:

Theorem 4.2

A positive integer is a residue of all but finitely many primes if and only if it is a square.

This theorem implies that if S is a nonempty finite subset of [1, ∞) then S is a set of residues for all but finitely many primes if and only if every element of S is a square. What if we weaken the requirement that S be a set of residues of all but finitely many primes to the requirement that S be a set of residues for only infinitely many primes? Then the somewhat surprising answer is asserted by

Theorem 4.3

If S is any nonempty finite subset of [1,∞) then S is a set of residues of infinitely many primes.

Theorems 4.2 and 4.3 are simple consequences of

Lemma 4.4 (Basic Lemma)

If \(\Pi =\{ p_{1},\ldots,p_{k}\}\) is a nonempty finite set of primes and if \(\varepsilon: \Pi \rightarrow \{-1,1\}\) is a fixed function then there exist infinitely many primes p such that

$$\displaystyle{ \chi _{p}(p_{i}) =\varepsilon (p_{i}),\ i \in [1,k]. }$$

N.B. This lemma asserts that if all of the integers in the set S of Theorem 4.3 are prime, then for any pattern of + 1’s or − 1’s attached to the elements of S, the Legendre symbol χ p reproduces that pattern on S for infinitely many primes p. Thus the conclusion of Theorem 4.3 can be strengthened considerably when S is a set of primes.

Assume Lemma 4.4 for now. We will use it to first prove Theorems 4.2 and 4.3 and then we will use quadratic reciprocity (and Dirichlet’s theorem on primes in arithmetic progression) to prove Lemma 4.4.

Proof of Theorem 4.2

Suppose that n ∈ [1, ∞) is not a square. Then \(\pi _{\mbox{ odd}}(n) \neq \emptyset \) and

$$\displaystyle{ \chi _{p}(n) =\prod _{q\in \pi _{ \mbox{ odd}}(n)}\ \chi _{p}(q),\ \text{for all}\ p\notin \pi (n). }$$
(4.3)

Now take any fixed q 0 ∈ π odd(n) and define ɛ: π odd(n) → {−1, 1} by

$$\displaystyle{ \varepsilon (q) = \left \{\begin{array}{rl} - 1,&\mbox{ if}\ q = q_{0}, \\ 1,&\mbox{ if}\ q\not =q_{0}.\\ \end{array} \right. }$$

Lemma 4.4 implies that there exist infinitely many primes p such that

$$\displaystyle{ \chi _{p}(q) =\varepsilon (q),\ \text{for all}\ q \in \pi _{\mbox{ odd}}(n), }$$

and so the product in (4.3), and hence \(\chi _{p}(n)\), is − 1 for all such p ∉ π(n).

QED

Proof of Theorem 4.3

Let S be a fixed finite nonempty subset of the positive integers and let

$$\displaystyle{ X =\bigcup _{z\in S}\ \pi _{\mbox{ odd}}(z). }$$

We may assume that X ≠ ∅; otherwise all elements of S are squares and Theorem 4.3 is trivially true in that case. Then Lemma 4.4 implies that there exist infinitely many primes p such that

$$\displaystyle{ \chi _{p}(q) = 1,\ \text{for all}\ q \in X, }$$

hence for all such p which are not factors of an element of S,

$$\displaystyle{ \chi _{p}(z) =\prod _{q\in \pi _{ \mbox{ odd}}(z)}\ \chi _{p}(q) = 1,\ \text{for all}\ z \in S.\ }$$

QED

Proof of Lemma 4.4

It follows from our solution of the Fundamental Problem for all primes (Theorem 2.6 and the calculation of \(X_{\pm }(q)\), q an odd prime, in Sect. 4.1) that Lemma 4.4 is valid when \(\Pi \) is a singleton, so assume that k ≥ 2. We will make use of arithmetic progressions in this argument, and so if a, b ∈ [1, ∞), let

$$\displaystyle{ AP(a,b) =\{ a + nb: n \in [0,\infty )\} }$$

denote the arithmetic progression with initial term a and common difference b. We will find the primes that will verify the conclusion of Lemma 4.4 by looking inside certain arithmetic progressions, hence we will need the following theorem, one of the basic results in the theory of prime numbers:

Theorem 4.5 (Dirichlet’s Theorem on Primes in Arithmetic Progression)

If {a,b} ⊆ [1,∞) and gcd (a,b) = 1 then AP(a,b) contains infinitely many primes.

The key ideas in Dirichlet’s proof of Theorem 4.5 will be discussed in due course. For now, assume that the elements of the set \(\Pi \) in the hypothesis of Lemma 4.4 are ordered as \(p_{1} < \cdots < p_{k}\) and fix \(\varepsilon: \Pi \rightarrow \{-1,1\}\). We need to verify the conclusion of Lemma 4.4 for this ɛ. Suppose first that \(p_{1} = 2\) and ɛ(2) = 1. If i ∈ [2, k] and \(\varepsilon (p_{i}) = 1\), let \(k_{i} = 1\), and if \(\varepsilon (p_{i}) = -1\), let \(k_{i}\) be an odd non-residue of \(p_{i}\) such that \(\gcd (p_{i},k_{i}) = 1\) (if \(\varepsilon (p_{i}) = -1\) then such a \(k_{i}\) can always be chosen: simply pick any non-residue x of \(p_{i}\) in \([1,p_{i} - 1]\); if x is odd, set \(k_{i} = x\), and if x is even, set \(k_{i} = x + p_{i}\)).

Now, suppose that i ∈ [2, k], \(p \equiv 1\mod 8\), and \(p \in AP(k_{i},2p_{i})\), say \(p = k_{i} + 2p_{i}n\) for some n ∈ [0, ∞). Since p ≡ 1 mod 4, the LQR implies that

$$\displaystyle{ \chi _{p}(p_{i}) =\chi _{p_{i}}(p) =\chi _{p_{i}}(k_{i} + 2p_{i}n) =\chi _{p_{i}}(k_{i}). }$$

It follows from Theorem 2.6 and the choice of k i that

$$\displaystyle{ \chi _{p}(2) = 1\ \mbox{ and}\ \chi _{p}(p_{i}) =\varepsilon (p_{i}). }$$

Hence

$$\displaystyle\begin{array}{rcl} \mbox{ if}\ p \equiv 1\ \mbox{ mod}\ 8\ \mbox{ and}\ p \in \bigcap _{i=2}^{k}\ AP(k_{ i},2p_{i}),\ \mbox{ then}\ \chi _{p}(p_{i}) =\varepsilon (p_{i}),\ \text{for all}\ i \in [1,k].& &{}\end{array}$$
(4.4)

We prove next that there are infinitely many primes ≡ 1 mod 8 inside \(\bigcap _{i=2}^{k}\ AP(k_{i},2p_{i})\). To see this, we first use the fact that each k i is odd and an inductive construction obtained from solving an appropriate sequence of linear Diophantine equations (Proposition 1.4) to obtain an integer m such that

$$\displaystyle{ AP(k_{2} + 2m,8p_{2}\cdots p_{k}) \subseteq AP(1,8) \cap \Big (\bigcap _{i=2}^{k}\ AP(k_{ i},2p_{i})\Big). }$$
(4.5)

We then claim that \(\gcd (k_{2} + 2m,8p_{2}\cdots p_{k}) = 1\). If this is true then by virtue of Theorem 4.5, we have that \(AP(k_{2} + 2m,8p_{2}\cdots p_{k})\) contains infinitely many primes p, hence for any such p, it follows from (4.4) and (4.5) that

$$\displaystyle{ \chi _{p}(p_{i}) =\varepsilon (p_{i}),\ i \in [1,k], }$$
(4.6)

the conclusion of Lemma 4.4. To verify the claim, assume by way of contradiction that q is a common prime factor of \(k_{2} + 2m\) and \(8p_{2}\cdots p_{k}\). Then q ≠ 2 because \(k_{2} + 2m\) is odd (\(k_{2}\) is odd), hence there is a j ∈ [2, k] such that \(q = p_{j}\). But (4.5) implies that there exists n ∈ [0, ∞) such that

$$\displaystyle{ k_{2} + 2m + 8p_{2}\cdots p_{k} = k_{j} + 2np_{j}, }$$

and so p j divides k j , contrary to the choice of k j .

If p 1 = 2 and ɛ(2) = −1, a similar argument shows that \(\bigcap _{i=2}^{k}\ AP(k_{i},2p_{i})\) contains infinitely many primes \(p \equiv 5\mod 8\), hence (4.6) is true for all such p. If p 1 ≠ 2, simply adjoin 2 to \(\Pi \) and repeat this argument. QED
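The proof of Lemma 4.4 is constructive: it names a single arithmetic progression, and Dirichlet's theorem then supplies the primes. The following Python code is an added example, not part of the book, that carries the construction out for a given sign pattern ɛ. It picks the class 1 mod 8 or 5 mod 8 according to ɛ(2) (both are ≡ 1 mod 4, which is what lets the LQR turn \(\chi _{p}(p_{i})\) into \(\chi _{p_{i}}(p)\)), chooses each \(k_{i}\) as in the proof, combines the conditions with the Chinese remainder theorem (using the modulus \(p_{i}\) rather than \(2p_{i}\), since the class mod 8 already forces p to be odd), and then walks the progression until it has found the requested number of primes, checking the Legendre symbols of each against ɛ with Euler's criterion. If 2 is not in Π it is adjoined with ɛ(2) = 1, as the last sentence of the proof suggests. Function names and the trial-division primality test are this example's own.

```python
from math import gcd


def is_prime(n):
    """Trial division; adequate for the sizes that occur here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def legendre(a, p):
    """Legendre symbol chi_p(a) for an odd prime p, via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli.
    Returns (x, M) with 0 <= x < M = product of the moduli."""
    x, m = 0, 1
    for a, n in zip(residues, moduli):
        x += m * (((a - x) * pow(m, -1, n)) % n)
        m *= n
    return x % m, m


def primes_with_pattern(epsilon, count):
    """epsilon: dict {prime: +1 or -1}, the function ε on Π.
    Returns (a, M, primes): the progression AP(a, M) built as in the proof of
    Lemma 4.4 and its first `count` primes, every one of which satisfies
    chi_p(q) = epsilon[q] for all q in Π."""
    eps = dict(epsilon)
    eps.setdefault(2, 1)                  # adjoin 2 to Π if absent; its sign is free
    odd_primes = sorted(q for q in eps if q != 2)
    # Theorem 2.6: chi_p(2) = 1 if p ≡ 1 mod 8 and chi_p(2) = -1 if p ≡ 5 mod 8.
    residues, moduli = [1 if eps[2] == 1 else 5], [8]
    for q in odd_primes:
        if eps[q] == 1:
            k = 1
        else:
            k = next(n for n in range(1, q) if legendre(n, q) == -1)
            if k % 2 == 0:
                k += q                    # make k odd, as in the proof
        residues.append(k % q)
        moduli.append(q)
    a, M = crt(residues, moduli)
    # The proof's claim: the initial term is coprime to the difference, so
    # Dirichlet's theorem (Theorem 4.5) promises infinitely many primes.
    assert gcd(a, M) == 1
    found, n = [], 0
    while len(found) < count:
        x = a + n * M
        if is_prime(x):
            found.append(x)
        n += 1
    return a, M, found


def pattern_holds(p, epsilon):
    """Does the prime p reproduce the sign pattern epsilon on Π?"""
    return all(legendre(q, p) == e for q, e in epsilon.items())


if __name__ == "__main__":
    pattern = {2: -1, 3: 1, 5: -1}
    a, M, ps = primes_with_pattern(pattern, 5)
    print(f"AP({a}, {M}) contains", ps, all(pattern_holds(p, pattern) for p in ps))
```

For Π = {2, 3, 5} with ɛ(2) = −1, ɛ(3) = 1, ɛ(5) = −1 the construction chooses the classes 5 mod 8, 1 mod 3 and 7 mod 10 (the smallest non-residue of 5 is 2, made odd as 2 + 5), which the CRT combines into AP(37, 120); its first prime, 37, indeed has 2 and 5 as non-residues and 3 as a residue.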

4.4 Intermezzo: Dirichlet’s Theorem on Primes in Arithmetic Progression

In addition to the LQR, Theorem 4.5 also played a key role in the proof of the basic Lemma 4.4, and thus also in the proofs of Theorems 4.2 and 4.3. Because they will play such an important role in our story, we will now discuss the key ingredients of Dirichlet’s proof of Theorem 4.5. Dirichlet [10] proved this in 1837, and it would be hard to overemphasize the importance of this theorem and the methods Dirichlet developed to prove it. As we shall see, he used analysis, specifically the theory of infinite series and infinite products of complex-valued functions of a real variable, and in subsequent work [11] also the theory of Fourier series, to discover properties of the primes (for the reader who may benefit from it, we briefly discuss analytic functions, Fourier series, and some of their basic properties in Chap. 7). His use of continuous methods to prove deep results about discrete sets like the prime numbers was not only a revolutionary insight, but also caused a sensation in the nineteenth century mathematical community. Dirichlet’s results founded the subject of analytic number theory, which has become one of the most important areas and a major industry in number theory today. Later (in Chaps. 5 and 7) we will also see how Dirichlet used analytic methods to study important properties of residues and non-residues.

Dirichlet is a towering figure in the history of number theory not only because of the many results and methods of fundamental importance which he discovered and developed in that subject but also because of his role as an expositor of that work and the work of Gauss. We have already given an indication of how the work of Gauss, especially the Disquisitiones Arithmeticae, brought about a revolutionary transformation in number theory. However, the influence of Gauss’ work was rather slow to be realized, due primarily to the difficulty that many of his mathematical contemporaries had in understanding exactly how Gauss had done what he had done in the Disquisitiones. Dirichlet is said to have been the first person to completely master the Disquisitiones, and legend has it that he was never without a copy of it within easy reach. Many of the results and techniques that Gauss developed in the Disquisitiones were first explained in a more accessible way in Dirichlet’s great text [12], the Vorlesungen über Zahlentheorie; John Stillwell, the translator of the Vorlesungen into English, called it one of the most important mathematics books of the nineteenth century: the link between Gauss and the number theory of today. If a present-day reader of the Disquisitiones finds much of it easier to understand than a reader in the early days of the nineteenth century did, it is because that modern reader learned number theory the way that Dirichlet first taught it.

Now, back to primes in arithmetic progression. In 1737, Euler proved that the series \(\sum _{q\in P}\frac{1} {q}\) diverges and hence deduced Euclid’s theorem that there are infinitely many primes. Taking his cue from this result, Dirichlet sought to prove that

$$\displaystyle{ \sum _{p\equiv a\ \text{mod}\ b}\frac{1} {p} }$$

diverges, where a and b are given positive relatively prime integers, thereby showing that the arithmetic progression with initial term a and common difference b contains infinitely many primes. To do this, he studied the behavior as s → 1+ of the function of s defined by

$$\displaystyle{ \sum _{p\equiv a\ \text{mod}\ b} \frac{1} {p^{s}}. }$$

This function is difficult to get a handle on; it would be easier if we could replace it by a sum indexed over all of the primes, so consider

$$\displaystyle{ \sum _{p}\delta (p)p^{-s},\ \mbox{ where}\ \delta (p) = \left \{\begin{array}{ll} 1,\ \mbox{ if}\ p \equiv a\ \text{mod}\ b, \\ 0,\ \mbox{ otherwise.}\\ \end{array} \right. }$$

Dirichlet’s profound insight was to replace δ(p) by certain functions which capture the behavior of δ(p) closely enough, but which are more amenable to analysis relative to primes in the ordinary residue classes mod b. We now define these functions.

Begin by recalling that if A is a commutative ring with identity 1 then a unit u of A is an element of A that has a multiplicative inverse in A, i.e., there exists v ∈ A such that uv = 1. The set of all units of A forms a group under the multiplication of A, called the group of units of A. Consider now the ring \(\mathbb{Z}/b\mathbb{Z}\) of ordinary residue classes of \(\mathbb{Z}\) mod b. Proposition 1.2 implies that the group of units of \(\mathbb{Z}/b\mathbb{Z}\) consists of all ordinary residue classes that are determined by the integers that are relatively prime to b. If we hence identify \(\mathbb{Z}/b\mathbb{Z}\) in the usual way with the set of ordinary non-negative minimal residues [0, b − 1] on which is defined the addition and multiplication induced by addition and multiplication of ordinary residue classes, it follows that

$$\displaystyle{ U(b) =\{ n \in [1,b - 1]:\gcd (n,b) = 1\} }$$

is the group of units of \(\mathbb{Z}/b\mathbb{Z}\), and we set

$$\displaystyle{ \varphi (b) = \vert U(b)\vert; }$$

φ is called Euler’s totient function.

Let T denote the circle group of all complex numbers of modulus 1, with the group operation defined by ordinary multiplication of complex numbers. A homomorphism of U(b) into T is called a Dirichlet character modulo b. We denote by χ 0 the principal character modulo b, i.e., the character which sends every element of U(b) to 1 ∈ T. If χ is a Dirichlet character modulo b, we extend it to all integers z by setting χ(z) = χ(n) if there exists n ∈ U(b) such that z ≡ n mod b, and setting χ(z) = 0, otherwise. It is then easy to verify

Proposition 4.6

A Dirichlet character χ modulo b is

(i) of period b, i.e., χ(n) = 0 if and only if gcd (n,b) > 1 and χ(m) = χ(n) whenever m ≡ n mod b, and is

(ii) completely multiplicative, i.e., χ(mn) = χ(m)χ(n) for all \(m,n \in \mathbb{Z}\).

We say that a Dirichlet character is real if it is real-valued, i.e., its range is either the set {0, 1} or [−1, 1]. In particular the Legendre symbol χ p is a real Dirichlet character mod p.

For each modulus b, the structure theory of finite abelian groups can be used to explicitly construct all Dirichlet characters mod b; we will not do this, and instead refer the interested reader to Hecke [27], Sect. 10 or Davenport [6], pp. 27–30. In particular there are exactly φ(b) Dirichlet characters mod b.

The connection between Dirichlet characters and primes in arithmetic progression can now be made. If gcd(a, b) = 1 then Dirichlet showed that

$$\displaystyle{ \frac{1} {\varphi (b)}\sum _{\chi }\ \overline{\chi (a)}\chi (p) = \left \{\begin{array}{ll} 1,\ \mbox{ if}\ p \equiv a\ \text{mod}\ b,\\ 0,\ \mbox{ otherwise,}\\ \end{array} \right. }$$

where the sum is taken over all Dirichlet characters χ mod b. These are the so-called orthogonality relations for the Dirichlet characters. This equation says that the characteristic function δ(p) of the primes in an ordinary equivalence class mod b can be written as a linear combination of Dirichlet characters. Hence

$$\displaystyle\begin{array}{rcl} \sum _{p\equiv a\ \text{mod}\ b} \frac{1} {p^{s}}& =& \sum _{p}\delta (p)p^{-s} {}\\ & =& \sum _{p}\ \Big( \frac{1} {\varphi (b)}\sum _{\chi }\ \overline{\chi (a)}\chi (p)\Big)p^{-s} {}\\ & =& \frac{1} {\varphi (b)}\sum _{p}\ p^{-s} + \frac{1} {\varphi (b)}\sum _{\chi \not =\chi _{0}}\ \overline{\chi (a)}\Big(\sum _{p}\ \chi (p)p^{-s}\Big). {}\\ \end{array}$$

After observing that

$$\displaystyle{ \lim _{s\rightarrow 1^{+}}\sum _{p}p^{-s} = +\infty, }$$

Dirichlet deduced immediately from the above equations the following lemma:

Lemma 4.7

\(\lim _{s\rightarrow 1^{+}}\sum _{ p\equiv a\ \text{mod}\ b}p^{-s} = +\infty \) if for each non-principal Dirichlet character χ mod b, \(\sum_{p}\chi(p)p^{-s}\) is bounded as \(s \rightarrow 1^{+}\).

Hence Theorem 4.5 will follow if one can prove that

$$\displaystyle\begin{array}{rcl} & & \text{for all non-principal Dirichlet characters}\ \chi \ \text{mod}\ b, \\ & & \quad \sum _{p}\chi (p)p^{-s}\ \text{is bounded as}\ s \rightarrow 1^{+}. {}\end{array}$$
(4.7)

Let χ be a given Dirichlet character. In order to verify (4.7), Dirichlet introduced his next deep insight into the problem by considering the function

$$\displaystyle{ L(s,\chi ) =\sum _{ n=1}^{\infty }\frac{\chi (n)} {n^{s}},\ s \in \ \mathbf{C}, }$$

which has come to be known as the Dirichlet L-function of χ. We will prove in Chap. 7 that L(s, χ) is analytic in the half-plane Re s > 1, satisfies the infinite-product formula

$$\displaystyle{ L(s,\chi ) =\prod _{q\in P} \frac{1} {1 -\chi (q)q^{-s}},\ \mbox{ Re}\ s > 1, }$$

the Euler-Dirichlet product formula, and is analytic in Re s > 0 whenever χ is non-principal. One can take the complex logarithm of both sides of the Euler-Dirichlet product formula to deduce that

$$\displaystyle{ \log L(s,\chi ) =\sum _{ n=2}^{\infty }\frac{\chi (n)\Lambda (n)} {\log n} n^{-s},\mbox{ Re}\ s > 1, }$$

where

$$\displaystyle{ \Lambda (n) = \left \{\begin{array}{rl} \log q,&\text{if}\ n\ \text{is a power of}\ q,q \in P,\\ 0, &\mbox{ otherwise.}\\ \end{array} \right. }$$

Using algebraic properties of the character χ and the function \(\Lambda \), Dirichlet proved that (4.7) is true if

$$\displaystyle{ \log L(s,\chi )\ \text{is bounded as}\ s \rightarrow 1^{+}\mbox{ whenever}\ \chi \ \text{is non-principal.} }$$
(4.8)

We should point out that Dirichlet did not use functions of a complex variable in his work, but instead worked only with real values of the variable s (Cauchy’s theory of analytic functions of a complex variable, although fully developed by 1825, did not become well-known or commonly employed until the 1840s). Because L(s, χ) is continuous on Re s > 0, it follows that

$$\displaystyle{ \lim _{s\rightarrow 1^{+}}\log L(s,\chi ) =\log L(1,\chi ), }$$

hence (4.8) will hold if

$$\displaystyle{ L(1,\chi )\not =0\ \mbox{ whenever}\ \chi \ \text{is non-principal.} }$$

We have at last come to the heart of the matter, namely

Lemma 4.8

If χ is a non-principal Dirichlet character then L(1,χ)≠0.

If χ is not real, Lemma 4.8 is fairly easy to prove, but when χ is real, this task is much more difficult to do. Dirichlet deduced Lemma 4.8 for real characters by using results from the classical theory of quadratic forms; he established a remarkable formula which calculates L(1, χ) as the product of a certain parameter and the number of equivalence classes of quadratic forms (Sect. 3.12, Chap. 3); because this parameter and the number of equivalence classes are clearly positive, L(1, χ) must be nonzero. At the conclusion of Chap. 7, we will give an elegant proof of Lemma 4.8 for real characters due to de la Vallée Poussin [45], and then in Chap. 8 we will prove Dirichlet’s class-number formula for the value of L(1, χ).

Finally, we note that if \(\chi_0\) is the principal character mod b then it is a consequence of the Euler-Dirichlet product formula that

$$\displaystyle{ L(s,\chi _{0}) =\zeta (s)\prod _{q\vert b}\big(1 - q^{-s}\big), }$$

where

$$\displaystyle{ \zeta (s) =\sum _{ n=1}^{\infty } \frac{1} {n^{s}} }$$

is the Riemann zeta function.

At this first appearance in our story of ζ(s), probably the single most important function in analytic number theory, we cannot resist briefly discussing the

  • Riemann Hypothesis: all zeros of ζ(s) in the strip 0 < Re s < 1 have real part \(\frac{1} {2}\).

  • Generalized Riemann Hypothesis (GRH): if χ is a Dirichlet character then all zeros of L(s, χ) in the strip 0 < Re s ≤ 1 have real part \(\frac{1} {2}\).

Riemann [47] first stated the Riemann Hypothesis (in an equivalent form) in a paper that he published in 1859, in which he derived an explicit formula for the number of primes not exceeding a given real number. By general agreement, verification of the Riemann Hypothesis is the most important unsolved problem in mathematics. One of the most immediate consequences of the truth of the Riemann Hypothesis, and arguably the most significant, is the essentially optimal error estimate for the asymptotic approximation of the cardinality of the set {q ∈ P: q ≤ x} given in the Prime Number Theorem (see the statement of this theorem in the next section). This estimate asserts that there is an absolute, positive constant C such that for all x sufficiently large,

$$\displaystyle{ \left \vert \frac{\big\vert \{q \in P: q \leq x\}\big\vert } {\int _{2}^{x}\frac{1} {\log t}\ dt} - 1\right \vert \leq \frac{C} {\sqrt{x}}. }$$

The integral \(\int _{2}^{x}\frac{1} {\log t} \ dt\) appearing in this inequality, the logarithmic integral of x, is generally a better asymptotic approximation to the cardinality of {q ∈ P: q ≤ x} than the quotient x/log x. Hilbert emphasized the importance of the Riemann Hypothesis in Problem 8 on his famous list of 23 open problems that he presented in 1900 in his address to the second International Congress of Mathematicians. In 2000, the Clay Mathematics Institute (CMI) published a series of seven open problems in mathematics that are considered to be of exceptional importance and have long resisted solution. In order to encourage work on these problems, which have come to be known as the Clay Millennium Prize Problems, for each problem CMI will award to the first person(s) to solve it $1,000,000 (US). The proof of the Riemann Hypothesis is the second Millennium Prize Problem (as currently listed on the CMI web site).

4.5 The Asymptotic Density of Primes

Theorem 4.3 gives rise to the following natural and interesting question: if S is a nonempty, finite subset of [1, ∞), how large is the necessarily infinite set of primes

$$\displaystyle{ \{p:\chi _{p} \equiv 1\ \mbox{ on}\ S\}\ \mbox{?} }$$

(The meaning of the symbol ≡ used here is as an identity of functions, not as a modular congruence; in subsequent uses of this symbol, its meaning will be clear from the context.) To formulate this question precisely, we need a good way to measure the size of an infinite set of primes. This is provided by the concept of the asymptotic density of a set of primes, which we will discuss in this section.

If \(\Pi \) is a set of primes and P denotes the set of all primes then the asymptotic density of \(\Pi \) in P is

$$\displaystyle{ \lim _{x\rightarrow +\infty }\frac{\big\vert \{p \in \Pi:\ p \leq x\}\big\vert } {\big\vert \{p \in P:\ p \leq x\}\big\vert }, }$$

provided that this limit exists. Roughly speaking, the density of \(\Pi \) is the “proportion” of the set P that is occupied by \(\Pi \). Since the asymptotic density of any finite set is clearly 0 and the asymptotic density of any set whose complement in P is finite is clearly 1, only sets of primes which are infinite and have an infinite complement in P are of interest in terms of their asymptotic densities. We can in fact be a bit more precise: recall that if a(x) and b(x) denote positive real-valued functions defined on (0, +∞), then a(x) is asymptotic to b(x) as x → +∞, denoted by a(x) ∼ b(x), if

$$\displaystyle{ \lim _{x\rightarrow +\infty }\frac{a(x)} {b(x)} = 1. }$$

The Prime Number Theorem (LeVeque [39], Chap. 7; Montgomery and Vaughan [41], Chap. 6) asserts that as x → +∞,

$$\displaystyle{ \vert \{q \in P: q \leq x\}\vert \sim \frac{x} {\log x}, }$$

consequently, if d is the density of \(\Pi \) then as x → +∞,

$$\displaystyle{ \vert \{q \in \Pi: q \leq x\}\vert \sim d\frac{x} {\log x}. }$$

Hence the asymptotic density of \(\Pi \) provides a way to measure precisely the “asymptotic cardinality” of \(\Pi \).

4.6 The Density of Primes Which Have a Given Finite Set of Quadratic Residues

Theorem 4.3 asserts that if S is a given nonempty finite set of positive integers then the set of primes {p: \(\chi_p\) ≡ 1 on S} is infinite. In this section, we will prove a theorem which provides a way to calculate the density of the set {p: \(\chi_p\) ≡ 1 on S}. This will be given by a formula which depends on a certain combinatorial parameter that is determined by the prime factors of the elements of S. In order to formulate this result, let F denote the Galois field GF(2) of 2 elements, which can be concretely realized as the field \(\mathbb{Z}/2\mathbb{Z}\) of ordinary residue classes mod 2. Let A ⊆ [1, ∞) be finite. If n = |A|, then we let \(F^n\) denote the vector space over F of dimension n, arrange the elements \(a_1 < \cdots < a_n\) of A in increasing order, and then define the map \(v: 2^A \rightarrow F^n\) like so: if B ⊆ A then

$$\displaystyle{ \text{the}\;i\text{-th coordinate of}\ v(B) = \left \{\begin{array}{ll} 1,\ \mbox{ if}\ a_{i} \in B, \\ 0,\ \mbox{ if}\ a_{i}\notin B.\\ \end{array} \right. }$$

If we recall that \(\pi_{\text{odd}}(z)\) denotes the set of all prime factors of odd multiplicity of the integer z then we can now state (and eventually prove) the following theorem:

Theorem 4.9

If S is a nonempty, finite subset of [1,∞),

$$\displaystyle\begin{array}{rcl} \mathcal{S}& =\{\pi _{\text{odd}}(z): z \in S\},& {}\\ A& =\bigcup _{X\in \mathcal{S}}\ X, & {}\\ n& = \vert A\vert, & {}\\ \end{array}$$

and

$$\displaystyle{ d =\ \text{the dimension of the linear span of}\ v(\mathcal{S})\ \mbox{ in}\ F^{n}, }$$

then the density of {p: \(\chi_p\) ≡ 1 on S} is \(2^{-d}\).

Theorem 4.9 reduces the calculation of the density of {p: \(\chi_p\) ≡ 1 on S} to prime factorization of the integers in S and linear algebra over F. If we enumerate the nonempty elements of \(\mathcal{S}\) as \(S_1, \ldots, S_m\) (if \(\mathcal{S}\) has no such elements then S consists entirely of squares, hence the density is clearly 1) then d is just the rank over F of the m × n matrix

$$\displaystyle{ \left(\begin{array}{ccc} v(S_{1})(1) & \ldots & v(S_{1})(n)\\ \vdots & & \vdots \\ v(S_{m})(1) & \ldots & v(S_{m})(n) \end{array}\right), }$$

where \(v(S_i)(j)\) is the j-th coordinate of \(v(S_i)\). This matrix is often referred to as the incidence matrix of S. Because there are only two elementary row (column) operations over F, namely row (column) interchange and addition of a row (column) to another row (column), the rank of this matrix is easily calculated by Gauss-Jordan elimination. However, this procedure requires that we first find the prime factors of odd multiplicity of each element of S, and that, in general, is not so easy!

A few examples will indicate how Theorem 4.9 works in practice. Observe first that if S is a finite set of primes of cardinality n, say, then the incidence matrix of S is just the n × n identity matrix over F, hence the dimension of the linear span of \(v(\mathcal{S})\) in \(F^n\) is n, and so the density of {p: \(\chi_p\) ≡ 1 on S} is \(2^{-n}\). Now choose four primes p < q < r < s, say, and let

$$\displaystyle{ S_{1} =\{ p,pq,qr,rs\}. }$$

The incidence matrix of \(S_1\) is

$$\displaystyle{ \left(\begin{array}{cccc} 1 & 0 & 0 & 0\\ 1 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0\\ 0 & 0 & 1 & 1 \end{array}\right), }$$

which is row equivalent to

$$\displaystyle{ \left(\begin{array}{cccc} 1 & 0 & 0 & 0\\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0\\ 0 & 0 & 0 & 1 \end{array}\right). }$$

It follows from Theorem 4.9 that the density of {p: \(\chi_p\) ≡ 1 on \(S_1\)} is \(2^{-4}\). If

$$\displaystyle{ S_{2} =\{ p,ps,pqr,pqrs\}, }$$

then the incidence matrix of \(S_2\) is

$$\displaystyle{ \left(\begin{array}{cccc} 1 & 0 & 0 & 0\\ 1 & 0 & 0 & 1 \\ 1 & 1 & 1 & 0\\ 1 & 1 & 1 & 1 \end{array}\right), }$$

which is row equivalent to

$$\displaystyle{ \left(\begin{array}{cccc} 1 & 0 & 0 & 0\\ 0 & 1 & 1 & 1 \\ 0 & 0 & 0 & 1\\ 0 & 0 & 0 & 0 \end{array}\right), }$$

hence Theorem 4.9 implies that the density of {p: \(\chi_p\) ≡ 1 on \(S_2\)} is \(2^{-3}\). Because a 2-dimensional subspace of \(F^4\) contains exactly 3 nonzero vectors, it follows that if S consists of 4 nontrivial square-free integers such that S is supported on 4 primes, then the density of {p: \(\chi_p\) ≡ 1 on S} cannot be \(2^{-2}\). However, for example, if

$$\displaystyle{ S_{3} =\{ ps,qr,pqrs\}, }$$

then the incidence matrix of \(S_3\) is

$$\displaystyle{ \left(\begin{array}{cccc} 1 & 0 & 0 & 1\\ 0 & 1 & 1 & 0 \\ 1 & 1 & 1 & 1 \end{array}\right), }$$

which is row equivalent to

$$\displaystyle{ \left(\begin{array}{cccc} 1 & 0 & 0 & 1\\ 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 0 \end{array}\right), }$$

and so the density of {p: \(\chi_p\) ≡ 1 on \(S_3\)} is \(2^{-2}\).
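As an added worked example (Python, my own code rather than the book's), the following carries out the recipe of Theorem 4.9 on the sets \(S_1, S_2, S_3\) above with the constructed choice p, q, r, s = 3, 5, 7, 11, and for comparison counts how many odd primes up to a bound actually have every element of S as a residue. The function names (pi_odd, gf2_rank, incidence_rows, density_exponent, empirical_density) are mine; pi_odd uses trial division, which is fine for these small integers but, as the text notes, is the hard step in general.

```python
from functools import reduce


def pi_odd(z):
    """Set of prime factors of z with odd multiplicity, by trial division."""
    factors = set()
    d = 2
    while d * d <= z:
        e = 0
        while z % d == 0:
            z //= d
            e += 1
        if e % 2 == 1:
            factors.add(d)
        d += 1
    if z > 1:                      # leftover prime has multiplicity 1
        factors.add(z)
    return factors


def gf2_rank(rows):
    """Rank over F = GF(2) of a 0/1 matrix whose rows are given as bitmasks.
    Over F the only row operations needed are interchange and addition (XOR)."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = max(rows)          # row with the highest leading bit
        rows.remove(pivot)
        rank += 1
        hb = pivot.bit_length() - 1
        # clear that bit from every other row, then drop rows that became zero
        rows = [r ^ pivot if (r >> hb) & 1 else r for r in rows]
        rows = [r for r in rows if r]
    return rank


def incidence_rows(S):
    """Return (A, rows): A is the sorted union of pi_odd(z) over z in S, and
    rows is the incidence matrix of S, row v(pi_odd(z)) encoded as a bitmask
    over A (bit i set iff a_i is in pi_odd(z))."""
    Scal = [pi_odd(z) for z in S]
    A = sorted(reduce(set.union, Scal, set()))
    index = {a: i for i, a in enumerate(A)}
    rows = [sum(1 << index[a] for a in X) for X in Scal]
    return A, rows


def density_exponent(S):
    """d of Theorem 4.9: the density of {p : chi_p = 1 on S} is 2**(-d)."""
    _, rows = incidence_rows(S)
    return gf2_rank(rows)


def legendre(z, p):
    """Legendre symbol chi_p(z) for an odd prime p, via Euler's criterion."""
    r = pow(z % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def odd_primes_up_to(bound):
    """Odd primes <= bound (sieve of Eratosthenes)."""
    sieve = bytearray([1]) * (bound + 1)
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, bound + 1, i)))
    return [i for i in range(3, bound + 1) if sieve[i]]


def empirical_density(S, bound):
    """Proportion of odd primes p <= bound with chi_p(z) = 1 for all z in S.
    p = 2 is skipped because chi_p is only defined for odd primes p."""
    ps = odd_primes_up_to(bound)
    hits = sum(1 for p in ps if all(legendre(z, p) == 1 for z in S))
    return hits / len(ps)


if __name__ == "__main__":
    p, q, r, s = 3, 5, 7, 11       # constructed choice of primes p < q < r < s
    for name, S in [("S1", [p, p * q, q * r, r * s]),
                    ("S2", [p, p * s, p * q * r, p * q * r * s]),
                    ("S3", [p * s, q * r, p * q * r * s])]:
        d = density_exponent(S)
        print(name, S, "d =", d, "predicted", 2 ** -d,
              "observed up to 300000:", round(empirical_density(S, 300_000), 4))
```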

We turn now to the

Proof of Theorem 4.9

We first establish a strengthened version of Theorem 4.9 in a special case, and then use it (and another lemma) to prove Theorem 4.9 in general.

Lemma 4.10

(Filaseta and Richman [18] , Theorem  2 ) If \(\Pi \) is a nonempty set of primes and \(\varepsilon: \Pi \rightarrow \{-1,1\}\) is a given function then the density of the set \(\{p:\chi _{p} \equiv \varepsilon \ \mbox{ on}\ \Pi \}\) is \(2^{-\vert \Pi \vert }\) .

Proof

Let

$$\displaystyle\begin{array}{rcl} X& =\{ p:\chi _{p} \equiv \varepsilon \ \mbox{ on}\ \Pi \}, & {}\\ K& = \text{product of the elements of}\ \Pi.& {}\\ \end{array}$$

If \(n \in \mathbb{Z}\) then we let [n] denote the ordinary residue class mod 4K which contains n. The proof of Lemma 4.10 can now be outlined in a series of three steps.

Step 1:

Use the LQR to show that

$$\displaystyle{ X =\bigcup _{n\in U(4K):X\cap [n]\not =\emptyset }\ \{p: p \in [n]\}. }$$
Step 2 (and its implementation):

Here we will make use of the Prime Number Theorem for primes in arithmetic progressions, to wit, if \(a \in \mathbb{Z}\), b ∈ [1, ∞), gcd(a, b) = 1, and AP(a, b) denotes the arithmetic progression with initial term a and common difference b, then as x → +∞,

$$\displaystyle{ \vert \{p \in AP(a,b): p \leq x\}\vert \sim \frac{1} {\varphi (b)} \frac{x} {\log x}. }$$

For a proof of this important theorem, see either LeVeque [39], Sect. 7.4, or Montgomery and Vaughan [41], Sect. 11.3. In our situation it asserts that if n ∈ U(4K) then as x → +∞,

$$\displaystyle{ \vert \{p \in [n]: p \leq x\}\vert \sim \frac{1} {\varphi (4K)} \frac{x} {\log x}. }$$

From this it follows that

$$\displaystyle{ \text{the density}\ d_{n}\ \mbox{ of}\ \{p: p \in [n]\}\ \mbox{ is}\ \frac{1} {\varphi (4K)},\ \text{for all}\ n \in U(4K). }$$
(4.9)

Because the decomposition of X in Step 1 is pairwise disjoint, (4.9) implies that

$$\displaystyle{ \text{density of}\ X =\sum _{n\in U(4K):X\cap [n]\not =\emptyset }\ d_{n} = \frac{\vert \{n \in U(4K): X \cap [n]\not =\emptyset \}\vert } {\varphi (4K)}. }$$
(4.10)
Step 3:

Use the group structure of U(4K) and the LQR to prove that

$$\displaystyle{ \vert \{n \in U(4K): X \cap [n]\not =\emptyset \}\vert = \frac{\varphi (4K)} {2^{\vert \Pi \vert }}. }$$
(4.11)

From (4.10) and (4.11) it follows that the density of X is \(2^{-\vert \Pi \vert }\), as desired, hence we need only implement Steps 1 and 3 in order to finish the proof.

Implementation of Step 1. We claim that

$$\displaystyle{ \mbox{ if}\ p,p^{{\prime}}\ \text{are odd primes and}\ p \equiv p^{{\prime}}\ \mbox{ mod}\ 4K\ \mbox{ then}\ \chi _{ p} \equiv \chi _{p^{{\prime}}}\ \mbox{ on}\ \Pi. }$$
(4.12)

Because X is disjoint from \(\{2\} \cup \Pi \) and

$$\displaystyle{ P\setminus (\{2\} \cup \Pi ) =\bigcup _{n\in U(4K)}\ \{p: p \in [n]\}, }$$
(4.13)

the decomposition of X as asserted in Step 1 follows immediately from (4.12).

We verify (4.12) by using the LQR. Assume that p ≡ p′ mod 4K and let \(q \in \Pi \). Suppose first that p or q is ≡ 1 mod 4. Then p′ or q is ≡ 1 mod 4, and so the LQR implies that

$$\displaystyle\begin{array}{rcl} \chi _{p}(q)& =& \chi _{q}(p) {}\\ & =& \chi _{q}(p^{{\prime}} + 4kK)\ \text{for some}\ k \in \mathbb{Z} {}\\ & =& \chi _{q}(p^{{\prime}}),\ \mbox{ since}\ q\mbox{ divides}\ 4kK {}\\ & =& \chi _{p^{{\prime}}}(q). {}\\ \end{array}$$

Suppose next that p ≡ 3 ≡ q mod 4. Then p′ ≡ 3 mod 4 hence it follows from the LQR that

$$\displaystyle{ \chi _{p}(q) = -\chi _{q}(p) = -\chi _{q}(p^{{\prime}}) = -(-\chi _{ p^{{\prime}}}(q)) =\chi _{p^{{\prime}}}(q). }$$

Implementation of Step 3. Define the equivalence relation ∼ on the set of residue classes {[n]: n ∈ U(4K)} like so:

$$\displaystyle{ [n] \sim [n^{{\prime}}]\ \text{if for all odd primes}\ p \in [n],\ q \in [n^{{\prime}}],\ \chi _{ p} \equiv \chi _{q}\ \mbox{ on}\ \Pi. }$$

We first count the number of equivalence classes of ∼ . It is a consequence of (4.12) that the sets

$$\displaystyle{ \{q \in \Pi:\chi _{p}(q) = 1\} }$$

are the same for all p ∈ [n], and so we let I(n) denote this subset of \(\Pi \). Now if n ∈ U(4K) and p ∈ [n] then (4.13) implies that \(p\notin \Pi \). Hence for all p ∈ [n], χ p takes only the values ± 1 on \(\Pi \). It follows that

$$\displaystyle{ [n] \sim [n^{{\prime}}]\ \text{if and only if}\ I(n) = I(n^{{\prime}}). }$$

On the other hand, by virtue of Lemma 4.4, if \(S \subseteq \Pi \) then there exist infinitely many primes p such that

$$\displaystyle{ S =\{ q \in \Pi:\chi _{p}(q) = 1\}, }$$

and so we use (4.13) to find n 0 ∈ U(4K) such that [n 0] contains at least one of these primes p, hence

$$\displaystyle{ S = I(n_{0}). }$$

We conclude that

$$\displaystyle{ \text{the number of equivalence classes of}\ \sim \ \text{is}\ 2^{\vert \Pi \vert }. }$$
(4.14)

Let \(E_n\) denote the equivalence class of ∼ which contains [n]. We claim that

$$\displaystyle{ \text{multiplication by}\ n\ \mbox{ maps}\ E_{1}\ \text{bijectively onto}\ E_{n}. }$$
(4.15)

If this is true then \(|E_n|\) is constant as a function of n ∈ U(4K), hence (4.14) implies that

$$\displaystyle{ \varphi (4K) = 2^{\vert \Pi \vert }\vert E_{ n}\vert,\ \text{for all}\ n \in U(4K). }$$
(4.16)

If we now choose p ∈ X then there is n 0 ∈ U(4K) such that p ∈ [n 0], hence it follows from (4.12) that

$$\displaystyle{ E_{n_{0}} =\{ [n]: X \cap [n]\not =\emptyset \}, }$$

and so, in light of (4.16),

$$\displaystyle{ \varphi (4K) = 2^{\vert \Pi \vert }\vert \{n \in U(4K): X \cap [n]\not =\emptyset \}\vert, }$$

which is (4.11).

It remains only to verify (4.15). Because U(4K) is a group under the multiplication induced by multiplication of ordinary residue classes mod 4K, it is clear that multiplication by n on \(E_1\) is injective, so we need only prove that \(nE_1 = E_n\).

We show first that \(nE_1 \subseteq E_n\). Let [n′] ∈ \(E_1\). We must prove: [nn′] ∈ \(E_n\), i.e., [nn′] ∼ [n], i.e.,

$$\displaystyle{ \mbox{ if}\ p \in [nn^{{\prime}}],q \in [n]\ \text{are odd primes then}\ \chi _{ p} \equiv \chi _{q}\ \mbox{ on}\ \Pi. }$$
(4.17)

In order to verify (4.17), let p ∈ [nn′], q ∈ [n], p′ ∈ [n′], q′ ∈ [1] be odd primes. Because [n′] ∼ [1],

$$\displaystyle{ \chi _{p^{{\prime}}} \equiv \chi _{q^{{\prime}}}\ \mbox{ on}\ \Pi. }$$
(4.18)

The choice of p, q, p′, q′ implies that

$$\displaystyle{ pq^{{\prime}}\equiv p^{{\prime}}q\ \mbox{ mod}\ 4K. }$$

This congruence and the LQR when used in an argument similar to the one that was used to prove (4.12) imply that

$$\displaystyle{ \chi _{p}\chi _{q^{{\prime}}} \equiv \chi _{p^{{\prime}}}\chi _{q}\ \mbox{ on}\ \Pi. }$$
(4.19)

Because \(\chi _{q^{{\prime}}}\) and \(\chi _{p^{{\prime}}}\) are both nonzero on \(\Pi \), we can use (4.18) to cancel \(\chi _{q^{{\prime}}}\) and \(\chi _{p^{{\prime}}}\) from each side of (4.19) to obtain

$$\displaystyle{ \chi _{p} \equiv \chi _{q}\ \mbox{ on}\ \Pi. }$$

We show next that \(E_n \subseteq nE_1\). Let [n′] ∈ \(E_n\). The group structure of U(4K) implies that there exists \(n_0\) ∈ U(4K) such that

$$\displaystyle{ [nn_{0}] = [n^{{\prime}}], }$$
(4.20)

so we need only show that \([n_0] \in E_1\), i.e.,

$$\displaystyle{ \chi _{p} \equiv \chi _{q}\ \mbox{ on}\ \Pi,\ \text{for all odd primes}\ p \in [n_{0}],q \in [1]. }$$
(4.21)

Toward that end, choose odd primes p′ ∈ [n], q′ ∈ [n′]. Because [n] ∼ [n′],

$$\displaystyle{ \chi _{p^{{\prime}}} \equiv \chi _{q^{{\prime}}}\ \mbox{ on}\ \Pi, }$$
(4.22)

and so because of (4.20), we have that for all p ∈ \([n_0]\), q ∈ [1],

$$\displaystyle{ pp^{{\prime}}\equiv qq^{{\prime}}\ \mbox{ mod}\ 4K. }$$

Equation (4.21) is now a consequence of this congruence, (4.22), and our previous reasoning. QED

We will prove Theorem 4.9 by combining Lemma 4.10 with the next lemma, a simple result in enumerative combinatorics.

Lemma 4.11

If A is a nonempty finite subset of \([1,\infty ),n = \vert A\vert,\mathcal{S}\subseteq 2^{A},F =\) the Galois field of order 2, \(v: 2^A \rightarrow F^n\) is the map defined at the beginning of this section, and

$$\displaystyle{ d = \text{the dimension of the linear span of}\ v(\mathcal{S})\ \mbox{ in}\ F^{n}, }$$

then the cardinality of the set

$$\displaystyle{ \mathcal{N} =\{ N \subseteq A: \vert N \cap S\vert \ \text{is even, for all}\ S \in \mathcal{S}\} }$$

is \(2^{n-d}\).

Proof

Without loss of generality take A = [1, n]. Observe first that if N, T ⊆ A, then

$$\displaystyle{ \vert N \cap T\vert \ \text{is even if and only if}\ \sum _{i=1}^{n}\ v(N)(i)v(T)(i) = 0\ \mbox{ in}\ F. }$$

Hence there is a bijection of the set of all solutions in F n of the system of linear equations

$$\displaystyle{ \sum _{i=1}^{n}\ v(S)(i)x_{ i} = 0,\ S \in \mathcal{S}, }$$
(*)

onto \(\mathcal{N}\) given by

$$\displaystyle{ (x_{1},\ldots,x_{n}) \rightarrow \{ i: x_{i} = 1\}. }$$

If \(m = \vert \mathcal{S}\vert \) and σ: F n → F m is the linear transformation whose representing matrix is the coefficient matrix of the system (*) then

$$\displaystyle{ \text{the set of all solutions of (*) in}\ F^{n} =\ \text{the kernel of}\ \sigma. }$$

But d is the rank of σ and so the kernel of σ has dimension n − d. Hence

$$\displaystyle{ \vert \mathcal{N}\vert = \vert \text{the set of all solutions of (*) in}\ F^{n}\vert = \vert \text{kernel of}\ \sigma \vert = 2^{n-d}. }$$

QED

We proceed to prove Theorem 4.9. Let \(S,\mathcal{S},A,n,\) and d be as in the hypothesis of that theorem, let

$$\displaystyle\begin{array}{rcl} X& =\{ p:\chi _{p} \equiv 1\ \mbox{ on}\ S\}, & {}\\ \mathcal{N}& =\{ N \subseteq A: \vert N \cap S\vert \ \text{is even, for all}\ S \in \mathcal{S}\},& {}\\ \end{array}$$

and for each prime p, let

$$\displaystyle{ N(p) =\{ q \in A:\chi _{p}(q) = -1\}. }$$

Then since X is disjoint from A,

$$\displaystyle\begin{array}{rcl} p \in X& \ \mbox{ iff} & 1 =\chi _{p}(z) =\prod _{q\in \pi _{ \mbox{ odd}}(z)}\chi _{p}(q),\ \text{for all}\ z \in S, {}\\ & \ \mbox{ iff }& \vert N(p) \cap \pi _{\mbox{ odd}}(z)\vert \ \text{is even, for all}\ z \in S, {}\\ & \ \mbox{ iff }& N(p) \in \mathcal{N}. {}\\ \end{array}$$

Hence

$$\displaystyle{ X =\bigcup _{N\in \mathcal{N}}\{p: N(p) = N\} }$$

and this union is pairwise disjoint. Hence

$$\displaystyle{ \text{density of}\ X =\sum _{N\in \mathcal{N}}\ \text{density of}\ \{p: N(p) = N\}. }$$

Lemma 4.10 implies that

$$\displaystyle{ \text{density of}\ \{p: N(p) = N\} = 2^{-n}\ \text{for all}\ N \in \mathcal{N}, }$$

and so

$$\displaystyle\begin{array}{rcl} \text{density of}\ X& =& 2^{-n}\vert \mathcal{N}\vert {}\\ & =& 2^{-n}(2^{n-d}),\ \text{by Lemma 4.11} {}\\ & =& 2^{-d}. {}\\ \end{array}$$

QED

The next question which naturally arises asks: what about a version of Theorem 4.9 for quadratic non-residues, i.e., for what finite, nonempty subsets S of [1, ∞) is it true that S is a set of non-residues of infinitely many primes? In contrast to what occurs for residues, this can fail to be true for certain finite subsets S of [1, ∞), and there is a simple obstruction that prevents it from being true. Suppose that there is a subset T of S such that |T| is odd and \(\prod_{i \in T} i\) is a square, and suppose that S is a set of non-residues of infinitely many primes. We can then choose p to exceed all of the prime factors of the elements of T and such that \(\chi_p(z) = -1\), for all z ∈ T. Hence

$$\displaystyle{ -1 = (-1)^{\vert T\vert } =\prod _{ i\in T}\ \chi _{p}(i) =\chi _{p}\Big(\prod _{i\in T}\ i\Big) = 1, }$$

a clear contradiction. It follows that the presence of such subsets T of S prevents S from being a set of non-residues of infinitely many primes. The next theorem asserts that those subsets are the only obstructions to S having this property.

Theorem 4.12

If S is a finite, nonempty subset of [1,∞) then S is a set of non-residues of infinitely many primes if and only if for all subsets T of S of odd cardinality, \(\prod_{i\in T} i\) is not a square.

This theorem lies somewhat deeper than Theorem 4.9. We will prove it in Chap. 5, where we will once again delve into the theory of algebraic numbers. But before we get to that, we will discuss how to use quadratic residues to design zero-knowledge proofs.

4.7 Zero-Knowledge Proofs and Quadratic Residues

A major issue in modern electronic communication is the secure verification of identification, namely, guaranteeing that the person with whom you are communicating is indeed who you think he is. A typical scenario proceeds as follows: person P sends an electronic message to person V in the form of an identification number. V wants to securely verify that P validly possesses the ID number, without knowing anything more about P. Moreover, for security reasons, P does not want V to be able to find out anything about him during the verification procedure, i.e., V is to have zero knowledge of P. In addition to all of this, V wants to make it virtually impossible for any other person C to use the verification procedure to deceive V into thinking that C is P. An identity-verification algorithm which satisfies all of these requirements is called a zero-knowledge proof.

Zero-knowledge proofs which employ quadratic residues were devised in the 1980s because of the need to maintain security when verifying identification numbers using smart cards, electronic banking and stock transactions, and other similar types of communication. In a zero-knowledge proof there are two parties, the prover, a person who wants his identity verified without divulging any other information about himself, and a verifier, a person who must be convinced that the prover is who he says he is. The identity of the prover is verified by checking that he has certain secret information that only he possesses. Security is maintained because the procedures used in the zero-knowledge proof guarantee that the probability that someone pretending to be the prover can convince the verifier that she is the prover is extremely small. Moreover, the verifier checks only that the prover is in possession of the secret information, without being able to discover what the secret information is.

We will describe a zero-knowledge proof discovered by Adi Shamir [53] in 1985 (we follow Rosen [48], Sects. 11.3 and 11.5 for the exposition in this section and in Sects. 4.8 and 4.9 below). The prover P starts by choosing two very large primes p and q such that p ≡ q ≡ 3 mod 4 (to maintain security, these primes should have hundreds of digits), computing n = pq, and then sending n to the verifier V. Let I be a positive integer that represents particular information, e.g. the personal identification number of P. P selects a positive number c such that the integer w obtained by concatenating I with c (the integer obtained by writing the digits of I followed by the digits of c) is a quadratic residue modulo n, i.e., there is a solution in integers of the congruence \(x^2 \equiv w\) mod n, with gcd(x, n) = 1. P sends w to V, and then finds a solution u of this congruence. Finding u can easily be done by means of Euler’s criterion. In order to see that, note first that \(\chi_p(w) = \chi_q(w) = 1\) and recall that p ≡ q ≡ 3 mod 4. Euler’s criterion therefore implies that

$$\displaystyle\begin{array}{rcl} & w^{\frac{1} {2} (p-1)} \equiv \chi _{p}(w) = 1\ \mbox{ mod}\ p,& {}\\ & w^{\frac{1} {2} (q-1)} \equiv \chi _{q}(w) = 1\ \mbox{ mod}\ q,& {}\\ \end{array}$$

hence

$$\displaystyle{ \big(w^{\frac{1} {4} (p+1)}\big)^{2} = w^{\frac{1} {2} (p+1)} = w^{\frac{1} {2} (p-1)} \cdot w \equiv w\ \mbox{ mod}\ p, }$$

and similarly,

$$\displaystyle{ \big(w^{\frac{1} {4} (q+1)}\big)^{2} \equiv w\ \mbox{ mod}\ q. }$$

The prover then finds a solution u of \(x^2 \equiv w\) mod n by using the Chinese remainder theorem to solve the congruences

$$\displaystyle\begin{array}{rcl} & u \equiv w^{\frac{1} {4} (p+1)}\ \mbox{ mod}\ p,& {}\\ & u \equiv w^{\frac{1} {4} (q+1)}\ \mbox{ mod}\ q.& {}\\ \end{array}$$

Of course, in order to find u in this way, one must know the primes p and q.

P convinces V that P knows u by using an interactive proof that is composed of iterations of the following four-step cycle:

  1. (i) P chooses a random number r and sends V a message containing two integers: x, where \(x \equiv r^2\) mod n, with gcd(x, n) = 1 and 0 ≤ x < n, and y, where \(y \equiv w\overline{x}\) mod n, 0 ≤ y < n, and \(\overline{x}\) denotes the inverse of x modulo n.

  2. (ii) V checks that xy ≡ w mod n, then chooses a random bit b equal to either 0 or 1, and sends b to P.

  3. (iii) If b = 0, P sends r to V. If b = 1 then P calculates \(s \equiv u\overline{r}\) mod n, 0 ≤ s < n, and sends s to V.

  4. (iv) V computes the square modulo n of what P has sent. If V sent 0, she checks that this square is x, i.e., \(r^2 \equiv x\) mod n. If V sent 1 then she checks that this square is y, i.e., \(s^2 \equiv y\) mod n.

This cycle can be iterated many times to guarantee security and to convince V that P knows his private information u, which shows that P validly possesses the identification number I, i.e., that P is who he says he is. By passing this test over many cycles, P has shown that he can produce either r or s upon request. Hence P must know u because in each cycle, he knows both r and s, and u ≡ rs mod n. Moreover, V is unable to discover what u is because that would require V to be able to solve the square-root problem \(x^2 \equiv w\) mod n without knowing p and q. This problem is known in cryptology circles as the quadratic residuosity problem, and is regarded to be computationally intractable, hence essentially impossible to solve in any feasible length of time, when the modulus n is the product of two very large unknown primes.

Because the bit chosen by V is random, the probability that it is a 0 is 1/2 and the probability that it is a 1 is 1/2. If someone does not know u, the modular square root of w, then the probability that they will pass one iteration of the cycle is almost exactly 1/2. If an impostor is attempting to deceive V into believing that she, the impostor, is P, the probability of the impostor passing, say, 30 iterations of the cycle is hence approximately \(1/2^{30}\), less than one in a billion. This makes it virtually impossible for V to be deceived in this manner.
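As an added worked example (Python, my own code, not from the book or from Shamir's paper) of the protocol just described: the prover derives u from p and q by the Euler's-criterion and Chinese-remainder route shown above, both parties run the four-step cycle, extract_u records why r and s for the same commitment must never both be revealed (u ≡ rs mod n), and impostor_round shows the one-in-two chance per round for a party without u. The toy primes 499 and 503 (both ≡ 3 mod 4) and the ID 12345 are constructed values; the class and function names are mine.

```python
import secrets
from math import gcd


def legendre(a, p):
    """Legendre symbol chi_p(a) via Euler's criterion (p an odd prime)."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def sqrt_mod_pq(w, p, q):
    """Square root u of w mod n = pq when p ≡ q ≡ 3 mod 4 and w is a residue of
    both: u ≡ w^((p+1)/4) mod p, u ≡ w^((q+1)/4) mod q, glued by the CRT."""
    rp, rq = pow(w, (p + 1) // 4, p), pow(w, (q + 1) // 4, q)
    n = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def choose_w(I, p, q):
    """Smallest c >= 1 such that w = I||c (decimal concatenation) satisfies
    gcd(w, n) = 1 and chi_p(w) = chi_q(w) = 1; returns (c, w)."""
    n, c = p * q, 1
    while True:
        w = int(f"{I}{c}")
        if gcd(w, n) == 1 and legendre(w, p) == 1 and legendre(w, q) == 1:
            return c, w
        c += 1


class Prover:
    """P: holds p, q and therefore the root u; only n and w are published."""
    def __init__(self, p, q, I):
        assert p % 4 == 3 and q % 4 == 3
        self.n = p * q
        self.c, self.w = choose_w(I, p, q)
        self.u = sqrt_mod_pq(self.w, p, q)

    def commit(self):
        """Step (i): x ≡ r^2, y ≡ w * x^(-1) mod n, for a fresh random unit r."""
        while True:
            self.r = secrets.randbelow(self.n - 2) + 2
            if gcd(self.r, self.n) == 1:
                break
        x = pow(self.r, 2, self.n)
        y = self.w * pow(x, -1, self.n) % self.n
        return x, y

    def respond(self, b):
        """Step (iii): r for b = 0, s ≡ u * r^(-1) mod n for b = 1."""
        return self.r if b == 0 else self.u * pow(self.r, -1, self.n) % self.n


class Verifier:
    """V: knows only n and w."""
    def __init__(self, n, w):
        self.n, self.w = n, w

    def challenge(self, x, y):
        """Step (ii): require xy ≡ w mod n, then pick a random bit."""
        if x * y % self.n != self.w % self.n:
            raise ValueError("xy is not congruent to w mod n")
        return secrets.randbits(1)

    def verify(self, b, z, x, y):
        """Step (iv): z^2 must equal x when b = 0 and y when b = 1."""
        return pow(z, 2, self.n) == (x if b == 0 else y)


def run_protocol(prover, verifier, rounds=30):
    """Iterate the four-step cycle; an honest P passes every round."""
    for _ in range(rounds):
        x, y = prover.commit()
        b = verifier.challenge(x, y)
        if not verifier.verify(b, prover.respond(b), x, y):
            return False
    return True


def extract_u(r, s, n):
    """Why P must never answer both bits for one commitment: u ≡ rs mod n."""
    return r * s % n


def impostor_round(n, w, guess, b):
    """One round by someone without u: they can prepare a commitment that is
    answerable for one bit only (their guess), so they pass iff guess == b."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1 and pow(r, 4, n) != w % n:   # r^4 ≡ w would give a root of w
            break
    if guess == 0:
        x = pow(r, 2, n)
        y = w * pow(x, -1, n) % n     # can open x, but not y
    else:
        y = pow(r, 2, n)
        x = w * pow(y, -1, n) % n     # can open y, but not x
    return Verifier(n, w).verify(b, r, x, y)


if __name__ == "__main__":
    P = Prover(499, 503, 12345)       # toy primes; real ones have hundreds of digits
    V = Verifier(P.n, P.w)
    print("c =", P.c, "w =", P.w, "u^2 ≡ w mod n:", pow(P.u, 2, P.n) == P.w % P.n)
    print("honest prover passes 30 rounds:", run_protocol(P, V))
```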

We now ask the following question: what has quadratic reciprocity got to do with all of this? We begin our answer by recalling that in the initial steps of the Shamir zero-knowledge proof, the prover needs to find an integer c such that the concatenation w of I with c is a quadratic residue of n = pq, where p and q are very large primes. This can be done if and only if \(\chi_{p}(w) = \chi_{q}(w) = 1\), hence the prover must be able to compute Legendre symbols quickly and efficiently. As we have seen, if one can find sufficiently many factors of w then the LQR can be used to perform this computation in the desired manner. Unfortunately, one of the outstanding, and very difficult, unsolved problems in computational number theory is the design of a fast and efficient algorithm for factoring very large integers, and the ID number I, and hence also the integer w in Shamir's algorithm, is often taken to be large precisely for reasons of security. This difficulty precludes quadratic reciprocity from being used directly to compute Legendre symbols in Shamir's algorithm. Fortunately, there is a very fast and efficient algorithm for computing Legendre symbols which avoids factoring altogether, fast enough that on a computer the quadratic residues required in Shamir's zero-knowledge proof can be found very quickly. We will now describe this algorithm for computing Legendre symbols, and it is in the verification of this algorithm that quadratic reciprocity will find its application.

4.8 Jacobi Symbols

The device on which our algorithm is based is a generalization of the Legendre symbol, due to Jacobi. We first define the Jacobi symbol \(\chi_{1}(m)\) to be 1 for all integers m. Now let n > 1 be an odd integer, with prime factorization \(n = p_{1}^{t_{1}}\cdots p_{k}^{t_{k}}\). If m is an integer relatively prime to n, then the Jacobi symbol \(\chi_{n}(m)\) is defined as the product of Legendre symbols

$$\displaystyle{ \chi _{n}(m) =\prod _{ i=1}^{k}\ \chi _{ p_{i}}(m)^{t_{i} }. }$$

We emphasize here that this notation for the Jacobi symbol is not standard; we have chosen it to align with the character-theoretic notation we have used for Legendre symbols.

The Jacobi symbols satisfy exactly the same algebraic properties as the Legendre symbols, i.e.,

  1. (a)

    if a and b are both relatively prime to n and a ≡ b mod n then \(\chi_{n}(a) = \chi_{n}(b)\);

  2. (b)

    if a and b are both relatively prime to n then \(\chi_{n}(ab) = \chi_{n}(a)\chi_{n}(b)\).

It follows from (a) and (b) that if n > 1 and we define the Jacobi symbol \(\chi_{n}(m)\) to be zero whenever gcd(m, n) > 1 then \(\chi_{n}\) is a real Dirichlet character of modulus n. One property of the Legendre symbol does not carry over, however: for composite n, \(\chi_{n}(m) = 1\) does not imply that m is a quadratic residue of n. For example, \(\chi_{15}(2) = \chi_{3}(2)\chi_{5}(2) = (-1)(-1) = 1\), but 2 is not a square modulo 3, hence not a square modulo 15. This is why the prover in Shamir's algorithm must verify \(\chi_{p}(w) = \chi_{q}(w) = 1\) for each prime factor separately; the single symbol \(\chi_{n}(w)\) would not suffice. Moreover, the Jacobi symbols satisfy an exact analog of the first and second supplementary laws for the Legendre symbols:

  1. (c)

    \(\chi _{n}(-1) = (-1)^{\frac{1} {2} (n-1)}\);

  2. (d)

    \(\chi _{n}(2) = (-1)^{\frac{1} {8} (n^{2}-1) }\).

But that is not all! The Jacobi symbols also satisfy an exact analog of the Law of Quadratic Reciprocity, to wit,

Theorem 4.13 (Reciprocity Law for the Jacobi Symbol)

If m and n are relatively prime odd positive integers then

$$\displaystyle{ \chi _{m}(n)\chi _{n}(m) = (-1)^{\frac{1} {2} (m-1)\cdot \frac{1} {2} (n-1)}. }$$

Because they are necessary for the verification of the algorithm for the computation of Legendre symbols that we require, we will now prove properties (a), (b) and (d) and Theorem 4.13. As the verifications of (a) and (b) are easy consequences of the definition of the Jacobi symbol and the analogous properties of the Legendre symbol, we can safely leave those details to the reader.

In order to verify (d), begin by letting \(p_{1}^{t_{1}}\cdots p_{m}^{t_{m}}\) be the prime factorization of n. Then from Theorem 2.6 it follows that

$$\displaystyle{ \chi _{n}(2) =\prod _{ i=1}^{m}\ \chi _{ p_{i}}(2)^{t_{i} } = (-1)^{\sigma }, }$$

where

$$\displaystyle{ \sigma =\sum _{ i=1}^{m}\ \frac{t_{i}(p_{i}^{2} - 1)} {8} . }$$

We have that

$$\displaystyle{ n^{2} =\prod _{ i=1}^{m}\ \big(1 + (p_{ i}^{2} - 1)\big)^{t_{i} }. }$$

Because \(p_{i}^{2} - 1 \equiv 0\) mod 8, for i = 1, …, m, it follows that

$$\displaystyle{ \big(1 + (p_{i}^{2} - 1)\big)^{t_{i} } \equiv 1 + t_{i}(p_{i}^{2} - 1)\ \mbox{ mod}\ 64 }$$

and

$$\displaystyle{ \big(1 + t_{i}(p_{i}^{2} - 1)\big)\big(1 + t_{ j}(p_{j}^{2} - 1)\big) \equiv 1 + t_{ i}(p_{i}^{2} - 1) + t_{ j}(p_{j}^{2} - 1)\ \mbox{ mod}\ 64. }$$

Hence

$$\displaystyle{ n^{2} \equiv 1 +\sum _{ i=1}^{m}\ t_{ i}(p_{i}^{2} - 1)\ \mbox{ mod}\ 64, }$$

which implies that

$$\displaystyle{ \frac{n^{2} - 1} {8} \equiv \sum _{i=1}^{m}\ \frac{t_{i}(p_{i}^{2} - 1)} {8} =\sigma \ \mbox{ mod}\ 8. }$$

Therefore

$$\displaystyle{ \chi _{n}(2) = (-1)^{\sigma } = (-1)^{\frac{1} {8} (n^{2}-1) }. }$$

QED

We begin the proof of Theorem 4.13 by letting \(p_{1}^{a_{1}}\cdots p_{s}^{a_{s}}\) and \(q_{1}^{b_{1}}\cdots q_{r}^{b_{r}}\) be the prime factorizations of m and n. Then

$$\displaystyle{ \chi _{n}(m) =\prod _{ i=1}^{r}\chi _{ q_{i}}(m)^{b_{i} } =\prod _{ i=1}^{r}\ \prod _{ j=1}^{s}\chi _{ q_{i}}(p_{j})^{b_{i}a_{j} } }$$

and

$$\displaystyle{ \chi _{m}(n) =\prod _{ j=1}^{s}\chi _{ p_{j}}(n)^{a_{j} } =\prod _{ j=1}^{s}\ \prod _{ i=1}^{r}\chi _{ p_{j}}(q_{i})^{b_{i}a_{j} }. }$$

Hence

$$\displaystyle{ \chi _{n}(m)\chi _{m}(n) =\prod _{ i=1}^{r}\ \prod _{ j=1}^{s}\left [\chi _{ q_{i}}(p_{j})\chi _{p_{j}}(q_{i})\right ]^{a_{j}b_{i} }. }$$

Because m and n are odd and relatively prime, all of the primes in the prime factorizations of m and n are odd and no prime factor of m is a factor of n. The LQR thus implies that

$$\displaystyle{ \chi _{q_{i}}(p_{j})\chi _{p_{j}}(q_{i}) = (-1)^{\frac{1} {2} (p_{j}-1)\cdot \frac{1} {2} (q_{i}-1)}. }$$

Hence

$$\displaystyle{ \chi _{n}(m)\chi _{m}(n) =\prod _{ i=1}^{r}\ \prod _{ j=1}^{s}(-1)^{a_{j}\frac{1} {2} (p_{j}-1)b_{i}\frac{1} {2} (q_{i}-1)} = (-1)^{\kappa }, }$$
(4.23)

where

$$\displaystyle{ \kappa =\sum _{ i=1}^{r}\sum _{ j=1}^{s}\ \frac{a_{j}(p_{j} - 1)} {2} \cdot \frac{b_{i}(q_{i} - 1)} {2}. }$$

We have that

$$\displaystyle{ \sum _{i=1}^{r}\sum _{ j=1}^{s}\ \frac{a_{j}(p_{j} - 1)} {2} \cdot \frac{b_{i}(q_{i} - 1)} {2} =\sum _{ j=1}^{s}\ \frac{a_{j}(p_{j} - 1)} {2} \sum _{i=1}^{r}\ \frac{b_{i}(q_{i} - 1)} {2}. }$$

Because

$$\displaystyle{ m =\prod _{ i=1}^{s}\ \big(1 + (p_{ i} - 1)\big)^{a_{i} } }$$

and p i − 1 is even, it follows that

$$\displaystyle{ \big(1 + (p_{i} - 1)\big)^{a_{i} } \equiv 1 + a_{i}(p_{i} - 1)\ \mbox{ mod}\ 4, }$$

and

$$\displaystyle{ \big(1 + a_{i}(p_{i} - 1)\big)\big(1 + a_{j}(p_{j} - 1)\big) \equiv 1 + a_{i}(p_{i} - 1) + a_{j}(p_{j} - 1)\ \mbox{ mod}\ 4. }$$

Hence

$$\displaystyle{ m \equiv 1 +\sum _{ i=1}^{s}\ a_{ i}(p_{i} - 1)\ \mbox{ mod}\ 4, }$$

and so

$$\displaystyle{ \sum _{i=1}^{s}\ \frac{a_{i}(p_{i} - 1)} {2} \equiv \frac{m - 1} {2} \ \mbox{ mod}\ 2. }$$

Similarly,

$$\displaystyle{ \sum _{i=1}^{r}\ \frac{b_{i}(q_{i} - 1)} {2} \equiv \frac{n - 1} {2} \ \mbox{ mod}\ 2. }$$

Therefore,

$$\displaystyle{ \kappa =\sum _{ i=1}^{r}\sum _{ j=1}^{s}\ \frac{a_{j}(p_{j} - 1)} {2} \cdot \frac{b_{i}(q_{i} - 1)} {2} \equiv \frac{m - 1} {2} \cdot \frac{n - 1} {2} \ \mbox{ mod}\ 2. }$$
(4.24)

It now follows from (4.23) and (4.24) that

$$\displaystyle{ \chi _{n}(m)\chi _{m}(n) = (-1)^{\kappa } = (-1)^{\frac{1} {2} (m-1)\cdot \frac{1} {2} (n-1)}. }$$

QED

4.9 An Algorithm for Fast Computation of Legendre Symbols

The key ingredient of the algorithm for the computation of Legendre symbols that we want is a formula for the computation of certain Jacobi symbols. That formula uses data given in the form of two finite sequences of integers which are generated by a successive division and factorization procedure. In order to state that formula we start with two relatively prime positive integers a and b with a > b. We will generate two finite sequences of integers from a and b by using a modification of the Euclidean algorithm as follows: let a = R 0 and b = R 1. Using the division algorithm and then factoring out the highest power of 2 from the remainder, we obtain

$$\displaystyle{ R_{0} = R_{1}q_{1} + 2^{s_{1} }R_{2}, }$$

where gcd(R 1, R 2) = 1 and R 2 is odd. Now successively apply the division algorithm as follows, factoring out the highest power of 2 from the remainders as you do so:

$$\displaystyle\begin{array}{rcl} R_{1}& =& R_{2}q_{2} + 2^{s_{2} }R_{3} {}\\ R_{2}& =& R_{3}q_{3} + 2^{s_{3} }R_{4} {}\\ & \vdots & {}\\ R_{n-2}& =& R_{n-1}q_{n-1} + 2^{s_{n-1} } \cdot 1 {}\\ R_{n}& =& 1,\ s_{n} = 0. {}\\ \end{array}$$

Note that \(R_{i}\) is an odd positive integer and \(s_{i}\) is a nonnegative integer for i = 1, …, n, and \(\gcd(R_{i}, R_{i+1}) = 1\) for i = 0, …, n − 1 (for i = 0 this is the hypothesis on a and b, and each subsequent division gives \(\gcd(R_{i}, R_{i+1}) = \gcd(R_{i}, 2^{s_{i}}R_{i+1}) = \gcd(R_{i}, R_{i-1})\), because \(R_{i}\) is odd). Because \(R_{i+1} < R_{i}\) for each i, this division process will always terminate. The formula for the computation of the Jacobi symbols that is required can now be stated and proved:

Proposition 4.14

If a and b are relatively prime positive integers such that a > b, b is odd, and R i and s i , i = 1,…,n, are the sequences of integers generated by the preceding algorithm, then

$$\displaystyle{ \chi _{b}(a) = (-1)^{\sigma }, }$$

where

$$\displaystyle{ \sigma =\sum _{ i=1}^{n-1}\ \left (s_{ i}\frac{R_{i}^{2} - 1} {8} + \frac{(R_{i} - 1)(R_{i+1} - 1)} {4} \right ). }$$

Proof

From properties (a), (b), and (d) of the Jacobi symbol, it follows that

$$\displaystyle\begin{array}{rcl} \chi _{b}(a)& =& \chi _{R_{1}}(R_{0}) =\chi _{R_{1}}(2^{s_{1} }R_{2}) {}\\ & =& \chi _{R_{1}}(2)^{s_{1} }\chi _{R_{1}}(R_{2}) {}\\ & =& (-1)^{s_{1}\cdot \frac{R_{1}^{2}-1} {8} }\chi _{R_{ 1}}(R_{2}), {}\\ \end{array}$$

and it follows from Theorem 4.13 that

$$\displaystyle{ \chi _{R_{1}}(R_{2}) = (-1)^{\frac{R_{1}-1} {2} \frac{R_{2}-1} {2} }\chi _{R_{ 2}}(R_{1}), }$$

hence

$$\displaystyle{ \chi _{b}(a) = (-1)^{\sigma _{1}}\chi _{R_{ 2}}(R_{1}), }$$

where

$$\displaystyle{ \sigma _{1} = s_{1}\frac{R_{1}^{2} - 1} {8} + \frac{(R_{1} - 1)(R_{2} - 1)} {4} . }$$

In the same manner, we obtain for i = 2, …, n − 1,

$$\displaystyle{ \chi _{R_{i}}(R_{i-1}) = (-1)^{\sigma _{i}}\chi _{R_{ i+1}}(R_{i}), }$$

where

$$\displaystyle{ \sigma _{i} = s_{i}\frac{R_{i}^{2} - 1} {8} + \frac{(R_{i} - 1)(R_{i+1} - 1)} {4} . }$$

When all of these equations are combined, noting that the chain stops because \(\chi_{R_{n}}(R_{n-1}) = \chi_{1}(R_{n-1}) = 1\), the desired expression for \(\chi_{b}(a)\) is produced. QED

The algorithm for the computation of Legendre symbols can now be described in a simple three-step procedure like so: let p be an odd prime, a a positive integer less than p; we wish to compute the Legendre symbol \(\chi_{p}(a)\).

Step 1. :

    Factor \(a = 2^{s}b\) where b is odd (in Shamir's algorithm, this step can always be avoided by concatenating an odd integer to the integer I, so that w itself is odd and s = 0).

Theorem 2.6 implies that

$$\displaystyle{ \chi _{p}(a) =\chi _{p}(2)^{s}\chi _{ p}(b) = (-1)^{s\cdot \frac{p^{2}-1} {8} }\chi _{p}(b). }$$
(4.25)

Now use Theorem 4.13 to obtain

$$\displaystyle{ \chi _{p}(b) = (-1)^{\frac{1} {2} (p-1)\frac{1} {2} (b-1)}\chi _{b}(p). }$$
(4.26)

Substitution of (4.26) into (4.25) yields

Step 2. :

Write

$$\displaystyle{ \chi _{p}(a) = (-1)^{\varepsilon }\chi _{b}(p), }$$

where

$$\displaystyle{ \varepsilon = \frac{s(p^{2} - 1)} {8} + \frac{(p - 1)(b - 1)} {4} . }$$
Step 3. :

    Use the formula from Proposition 4.14 to compute \(\chi_{b}(p)\) and substitute that value into the formula for \(\chi_{p}(a)\) in Step 2.

As an example, we use this algorithm to calculate \(\chi_{311}(141)\) without factoring the argument 141. Because 141 is odd, Step 1 yields s = 0, hence from Step 2 we obtain

$$\displaystyle{ \chi _{311}(141) =\chi _{141}(311). }$$

In Step 3, we need the sequence of divisions

$$\displaystyle\begin{array}{rcl} 311& =& 141 \cdot 12 + 2^{0} \cdot 29 {}\\ 141& =& 29 \cdot 4 + 2^{0} \cdot 25 {}\\ 29& =& 25 \cdot 1 + 2^{2} \cdot 1, {}\\ \end{array}$$

and so the sequences that are required to apply Proposition 4.14 are \(R_{1} = 141\), \(R_{2} = 29\), \(R_{3} = 25\), \(R_{4} = 1\) and \(s_{1} = 0\), \(s_{2} = 0\), \(s_{3} = 2\). Hence, by Proposition 4.14 (the term \((R_{3} - 1)(R_{4} - 1)/4\) vanishes because \(R_{4} = 1\)), we see that

$$\displaystyle{ \chi _{311}(141) = (-1)^{\sigma }, }$$

where

$$\displaystyle\begin{array}{rcl} \sigma & =& 0 \cdot \frac{141^{2} - 1} {8} + 0 \cdot \frac{29^{2} - 1} {8} + 2 \cdot \frac{25^{2} - 1} {8} + \frac{(141 - 1)(29 - 1)} {4} + \frac{(29 - 1)(25 - 1)} {4} {}\\ & =& 0 + 0 + 156 + 980 + 168 = 1304 {}\\ & \equiv & 0\ \mbox{ mod}\ 2, {}\\ \end{array}$$

hence

$$\displaystyle{ \chi _{311}(141) = 1. }$$

Of course in this simple example, we can obviously factor 141 completely and then use the LQR as before, but the whole point of the example is to calculate \(\chi_{311}(141)\) without any factoring. In practical applications of quadratic residues in cryptology, such as Shamir's zero-knowledge proof, the arguments of Legendre symbols are frequently very large, and so complete factorization of the argument becomes computationally infeasible.
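The three-step procedure of this section together with Proposition 4.14, implemented as an added example (illustrative code, not from the original text). It reproduces \(\chi_{311}(141) = 1\), returns the sequences \(R_{i}\), \(s_{i}\) of the worked example, and checks every Legendre symbol modulo 311 against Euler's criterion, which needs a modular exponentiation rather than the divisions used here. It also evaluates \(\chi_{15}(2) = 1\) to illustrate the caveat from Sect. 4.8 that a Jacobi symbol equal to 1 says nothing about residuosity modulo a composite. The function jacobi goes slightly beyond the text in accepting a < b (the first division then simply has quotient 0) and in returning 0 when gcd(a, b) > 1, the convention adopted in Sect. 4.8.

```python
from math import gcd


def remainder_sequences(a, b):
    """The modified Euclidean algorithm of Sect. 4.9.  Returns lists R, s with
    R[0] = a, R[1] = b and R[i-1] = R[i]*q_i + 2**s[i] * R[i+1], each R[i+1]
    odd, stopping as soon as the odd part of a remainder is 1 (R[n] = 1).
    Requires b odd and gcd(a, b) = 1; a > b is not needed (if a < b the first
    quotient is 0), which slightly generalizes the text."""
    R = [a, b]
    s = [0]                      # s[0] is unused; keeps s[i] aligned with R[i]
    while R[-1] != 1:
        rem = R[-2] % R[-1]      # never 0 here: gcd(R[-2], R[-1]) = 1, R[-1] > 1
        e = 0
        while rem % 2 == 0:      # strip the highest power of 2
            rem //= 2
            e += 1
        s.append(e)
        R.append(rem)
    s.append(0)                  # s_n = 0, as in the text
    return R, s


def jacobi(a, b):
    """chi_b(a) for odd b > 0 by Proposition 4.14 (0 if gcd(a, b) > 1)."""
    if b <= 0 or b % 2 == 0:
        raise ValueError("b must be a positive odd integer")
    if gcd(a, b) != 1:
        return 0
    R, s = remainder_sequences(a, b)
    n = len(R) - 1
    sigma = 0
    for i in range(1, n):
        # both divisions are exact: R[i] odd makes R[i]^2 - 1 divisible by 8,
        # and R[i] - 1, R[i+1] - 1 are both even
        sigma += s[i] * (R[i] * R[i] - 1) // 8 + (R[i] - 1) * (R[i + 1] - 1) // 4
    return -1 if sigma % 2 else 1


def legendre(a, p):
    """chi_p(a) for an odd prime p and 0 < a < p, by Steps 1-3 of Sect. 4.9;
    no factoring of a is performed."""
    s, b = 0, a                  # Step 1: a = 2^s * b with b odd
    while b % 2 == 0:
        b //= 2
        s += 1
    eps = s * (p * p - 1) // 8 + (p - 1) * (b - 1) // 4   # Step 2
    return (-1 if eps % 2 else 1) * jacobi(p, b)           # Step 3


def legendre_euler(a, p):
    """Independent check by Euler's criterion: a^((p-1)/2) = +-1 (mod p)."""
    e = pow(a, (p - 1) // 2, p)
    return -1 if e == p - 1 else e


def agrees_with_euler(p):
    """True if the algorithm and Euler's criterion agree for all 0 < a < p."""
    return all(legendre(a, p) == legendre_euler(a, p) for a in range(1, p))
```

The arithmetic in jacobi forms the sum σ exactly, as the text does; an implementation for large moduli would keep only σ mod 2, which depends on the \(R_{i}\) modulo 8 and 4, and so never squares a large integer.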

How can the efficiency of our algorithm for the calculation of Legendre symbols be measured when it is implemented for computation on modern high-speed computers? Integer calculations on a computer are done by using base-2 expansions of the integers, which are called bit strings. A bit operation is the addition, subtraction or multiplication of two bit strings of length 1, the division of a bit string of length 2 by a bit string of length 1 using the division algorithm, or the shifting of a bit string by one place. The computational efficiency of an algorithm is measured by its computational complexity, which is an estimate of the number of bit operations that are needed to carry out the algorithm when it is programmed to run on a computer. Because our algorithm for the computation of \(\chi_{p}(a)\) uses a variation of the Euclidean algorithm in Step 3, which accounts for most of the computational complexity, one can show that the algorithm requires only \(O\big((\log_{2}p)^{2}\big)\) bit operations to compute \(\chi_{p}(a)\), i.e., a number quadratic in the bit length of the modulus, the same order as the Euclidean algorithm itself (the bound is stated in terms of p rather than the smaller argument a because the first division in Step 3 already involves the full-sized integer p). In an implementation one computes σ modulo 2 only: \((R_{i}^{2} - 1)/8\) is even or odd according as \(R_{i} \equiv \pm 1\) or \(\pm 3\) mod 8, and \((R_{i} - 1)(R_{i+1} - 1)/4\) is odd exactly when \(R_{i} \equiv R_{i+1} \equiv 3\) mod 4, so no large squares are ever formed. The algorithm is therefore very fast and efficient, and one can very quickly determine the integer w that is needed to implement Shamir's algorithm.

In addition to finding a quadratic residue w of n, the initial steps in Shamir's algorithm also require the determination of a square root of w modulo n. The simple procedure that we described for computing this square root (which applies when p ≡ q ≡ 3 mod 4, so that the exponents below are integers) uses the powers \(w^{\frac{1} {4} (p+1)}\) and \(w^{\frac{1} {4} (q+1)}\) in an application of the Chinese remainder theorem, with the exponents of w here being extremely large. This situation thus calls for a quick and efficient procedure for modular exponentiation with very large exponents, and so we will now present an algorithm which does that.

The problem is to compute, for given positive integers b, n, and N with b < n, the power \(b^{N}\) mod n. We do this by first expressing the exponent N in its base-2 expansion \((a_{k}a_{k-1}\ldots a_{1}a_{0})_{2}\). Then compute the minimal nonnegative ordinary residues mod n of \(b,b^{2},\ldots,b^{2^{k} }\) by successively squaring and reducing mod n. The final step is to multiply together the minimal nonnegative ordinary residues of \(b^{2^{i} }\) which correspond to \(a_{i} = 1\), reducing modulo n after each multiplication. It can be shown that the minimal nonnegative ordinary residue of \(b^{N}\) mod n can be computed by this algorithm using only \(O\big((\log _{2}n)^{2}\log _{2}N\big)\) bit operations; in particular the exponent enters only through its bit length, which is what makes exponents as large as \(\frac{1}{4}(p+1)\) harmless.

The following example illustrates the calculations which are typically involved. We wish to compute \(15^{402}\) mod 1607 (1607 is a prime with 1607 ≡ 3 mod 4 and 402 = (1607 + 1)∕4, so this is exactly a computation of the kind required by the square-root procedure above). The binary expansion of 402 is 110010010. We calculate that

$$\displaystyle\begin{array}{rcl} 15& \equiv & 15\ \mbox{ mod}\ 1607 {}\\ 15^{2}& \equiv & 225\ \mbox{ mod}\ 1607 {}\\ 15^{4}& \equiv & 808\ \mbox{ mod}\ 1607 {}\\ 15^{8}& \equiv & 422\ \mbox{ mod}\ 1607 {}\\ 15^{16}& \equiv & 1314\ \mbox{ mod}\ 1607 {}\\ 15^{32}& \equiv & 678\ \mbox{ mod}\ 1607 {}\\ 15^{64}& \equiv & 82\ \mbox{ mod}\ 1607 {}\\ 15^{128}& \equiv & 296\ \mbox{ mod}\ 1607 {}\\ 15^{256}& \equiv & 838\ \mbox{ mod}\ 1607. {}\\ \end{array}$$

It follows that

$$\displaystyle\begin{array}{rcl} 15^{402}& =& 15^{256+128+16+2} {}\\ & \equiv & 838 \cdot 296 \cdot 1314 \cdot 225\ \mbox{ mod}\ 1607 {}\\ & \equiv & 570 \cdot 1314 \cdot 225\ \mbox{ mod}\ 1607 {}\\ & \equiv & 118 \cdot 225\ \mbox{ mod}\ 1607 {}\\ & \equiv & 838\ \mbox{ mod}\ 1607. {}\\ \end{array}$$
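The exponentiation procedure above, written as the text describes it (a table of \(b^{2^{i}}\) mod n, then a product over the 1 bits of N), followed by its use in the square-root step of Shamir's algorithm that the previous paragraph refers to, as an added example; this is illustrative code, not from the original text. It reproduces \(15^{402}\) mod 1607 = 838 and then goes one step further than the text: since 1607 ≡ 3 mod 4 and 402 = (1607 + 1)∕4, the computation is exactly the candidate square root \(w^{\frac{1}{4}(p+1)}\), and because \(838^{2} = 702244 \equiv 1592 \equiv -15\) mod 1607, it shows that 15 is a non-residue of 1607 (the candidate squares to −w). The primes 1607 and 1999 and the base 1234 are constructed example values.

```python
def mod_pow(b, N, n):
    """b^N mod n by repeated squaring, as described in the text:
    table of b^(2^i) mod n, then the product over the bits a_i = 1 of N.
    Returns the minimal nonnegative residue."""
    bits = bin(N)[2:][::-1]            # a_0, a_1, ..., a_k (least significant first)
    table = [b % n]                    # b^(2^i) mod n for i = 0, ..., k
    for _ in range(len(bits) - 1):
        table.append(table[-1] * table[-1] % n)
    result = 1
    for a_i, power in zip(bits, table):
        if a_i == "1":
            result = result * power % n   # reduce after every multiplication
    return result


def sqrt_mod_prime_3mod4(w, p):
    """A square root of w modulo a prime p with p = 3 (mod 4), via the
    exponent (p+1)/4.  Returns None when w is a non-residue: then, by
    Euler's criterion, the candidate squares to -w instead of w."""
    if p % 4 != 3:
        raise ValueError("the (p+1)/4 method needs p = 3 mod 4")
    cand = mod_pow(w, (p + 1) // 4, p)
    return cand if cand * cand % p == w % p else None


def crt(r1, m1, r2, m2):
    """The x with x = r1 (mod m1) and x = r2 (mod m2), for coprime m1, m2."""
    return (r1 * m2 * pow(m2, -1, m1) + r2 * m1 * pow(m1, -1, m2)) % (m1 * m2)


def sqrt_mod_pq(w, p, q):
    """One of the four square roots of the residue w modulo n = p*q; requires
    the secret factors p and q, which is exactly why only the trusted party
    can perform this step."""
    rp = sqrt_mod_prime_3mod4(w, p)
    rq = sqrt_mod_prime_3mod4(w, q)
    if rp is None or rq is None:
        return None
    return crt(rp, p, rq, q)
```

The built-in pow(b, N, n) does the same job and is what one would use in practice; mod_pow is spelled out only so that the table of successive squares matches the one in the text.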