YALE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE

	CPSC 467b: Cryptography and Computer Security	Handout #7
Professor M. J. Fischer		February 9, 2010

The Legendre and Jacobi Symbols

Let a ≥ 0, n

Z+. Let QR(a,n) hold if (a,n) = 1 and a is a quadratic residue modulo n. Let QNR(a,n) hold if (a,n) = 1 and a is a quadratic non-residue modulo n (i.e., there is no y

Z*_n such that a ≡ y² (mod n)).

For a prime p, the structure of quadratic residues can be fairly easily explained. Let g be a primitive root of Z*_p. Then every element of Z*_p is uniquely expressible as g^k for some k

{0,…,p - 2}.

Theorem 1 Let p be a prime, g a primitive root of p, a ≡ g^k (mod p). Then a is a quadratic residue iff k is even.

Conversely, suppose a ≡ y² (mod p). Write y ≡ g^ℓ (mod p). Then g^k ≡ g^2ℓ (mod p). Multiplying both sides by g^-k, we have 1 ≡ g⁰ ≡ g^2ℓ-k (mod p). But then ϕ(p)∣2ℓ - k. Since 2∣ϕ(p) = p - 1, it follows that 2∣k, as desired. __

Theorem 2 (Euler) Let p be an odd prime, and let a ≥ 0, (a,p) = 1. Then

{ a(p-1)∕2 ≡ 1 (mod p) if QR (a,p) h olds; - 1 (mod p) if QN R(a,p) holds.

If QR(a,p) holds, then a is a quadratic residue modulo p, so k is even by Theorem 1. Write k = 2r for some r. Then a^(p-1)∕2 ≡ g^2r(p-1)∕2 ≡ (g^r)^p-1 ≡ 1 (mod p) by Fermat’s theorem.

If QNR(a,p) holds, then a is a quadratic non-residue modulo p, so k is odd by Theorem 1. Write k = 2r + 1 for some r. Then a^(p-1)∕2 ≡ g^{(2r+1)(p-1)∕2} ≡ g^r(p-1)g^(p-1)∕2 ≡ g^(p-1)∕2 (mod p). Let b = g^(p-1)∕2. Clearly b² ≡ 1 (mod p), so b ≡ ±1 (mod p).¹ Since g is a primitive root modulo p and (p - 1)∕2 < p - 1, b = g^(p-1)∕2 ⁄≡ 1 (mod p). Hence, b ≡-1 (mod p). __ Definition: The Legendre symbol is a function of two integers a and p, written ( )
a
p

. It is defined for a ≥ 0 and p an odd prime as follows:

A multiplicative property of the Legendre symbols follows immediately from Theorem 1.

Observation 3 Let a,b ≥ 0, p an odd prime. Then

( ab) (a) (-b) p = p ⋅ p .

Corollary 4 Let a ≥ 0 and let p be an odd prime. Then

(a-) (p- 1)∕2 p ≡ a (mod p).

The Jacobi symbol extends the domain of the Legendre symbol. Definition: The Jacobi symbol is a function of two integers a and n, written ( )
an

, that is defined for all a ≥ 0 and all odd positive integers n. Let ∏ _i=1^kp_i^e_i be the prime factorization of n. Then

Here

denotes the previously-defined Legendre symbol. (Note that by this definition, ( )
0
1

= 1, and

= 0 for odd n ≥ 3.)

We have seen that if (a,p) = 1 and p is prime, then the Legendre symbol ( )
ap

= 1 iff a is a quadratic residue modulo p. It is not true for the Jacobi symbol that (a)
n

≡ 1 (mod n) implies that a is a quadratic residue modulo n. For example, ( 8)
15

= 1, but 8 is not a quadratic residue modulo 15. However, the converse does hold:

Observation 5 If ( )
an ⁄≡ 1 (mod n), then a is not a quadratic residue modulo n.

The usefulness of the Jacobi symbol (a)
n

stems from its ability to be computed efficiently, even without knowning the factorization of either a or n. The algorithm is based on the following theorem, which is stated without proof.

Theorem 6 Let n be an odd positive integer, a,b ≥ 0. Then the following identities hold:

$( ) { 0- = 1 if n = 1; n 0 if n > 1$
$( ) { 2- 1 if n ≡ ±1 (mod 8); n = - 1 if n ≡ ±3 (mod 8)$
$(a ) ( b ) n- = n- if a ≡ b (mod n).$
$(ab ) ( a) (b ) -n = n- ⋅ n-$
(Quadratic reciprocity). If a is odd, then
$( ) { (n) a- - a if a ≡ n ≡ 3 (mod 4); n = (n) otherw ise. a$

int jacobi(int a, int n)
/⋆ Precondition: a, n >= 0; n is odd ⋆/
{
  int ans;

  if (a == 0)
    ans = (n==1) ? 1 : 0;
  else if (a == 2) {
    switch (n%8) {
    case 1:
    case 7:
      ans = 1;
      break;
    case 3:
    case 5:
      ans = -1;
      break;
    }
  }
  else if ( a >= n )
    ans = jacobi(a%n, n);
  else if (a%2 == 0)
    ans = jacobi(2,n)⋆jacobi(a/2, n);
  else
    ans = (a%4 == 3 && n%4 == 3) ? -jacobi(n,a) : jacobi(n,a);
  return ans;
}