Quadratic residuosity problem

From Wikipedia, the free encyclopedia

The quadratic residuosity problem (QRP[1]) in computational number theory is to decide, given integers and , whether is a quadratic residue modulo or not. Here for two unknown primes and , and is among the numbers which are not obviously quadratic non-residues (see below).

The problem was first described by Gauss in his Disquisitiones Arithmeticae in 1801. This problem is believed to be computationally difficult. Several cryptographic methods rely on its hardness, see § Applications.

An efficient algorithm for the quadratic residuosity problem immediately implies efficient algorithms for other number theoretic problems, such as deciding whether a composite of unknown factorization is the product of 2 or 3 primes.[2]

Precise formulation[edit]

Given integers and , is said to be a quadratic residue modulo if there exists an integer such that


Otherwise we say it is a quadratic non-residue. When is a prime, it is customary to use the Legendre symbol:

This is a multiplicative character which means for exactly of the values , and it is for the remaining.

It is easy to compute using the law of quadratic reciprocity in a manner akin to the Euclidean algorithm, see Legendre symbol.

Consider now some given where and are two, different unknown primes. A given is a quadratic residue modulo if and only if is a quadratic residue modulo both and and .

Since we don't know or , we cannot compute and . However, it is easy to compute their product. This is known as the Jacobi symbol:

This can also be efficiently computed using the law of quadratic reciprocity for Jacobi symbols.

However, can not in all cases tell us whether is a quadratic residue modulo or not! More precisely, if then is necessarily a quadratic non-residue modulo either or , in which case we are done. But if then it is either the case that is a quadratic residue modulo both and , or a quadratic non-residue modulo both and . We cannot distinguish these cases from knowing just that .

This leads to the precise formulation of the quadratic residue problem:

Problem: Given integers and , where and are unknown, different primes, and where , determine whether is a quadratic residue modulo or not.

Distribution of residues[edit]

If is drawn uniformly at random from integers such that , is more often a quadratic residue or a quadratic non-residue modulo ?

As mentioned earlier, for exactly half of the choices of , then , and for the rest we have . By extension, this also holds for half the choices of . Similarly for . From basic algebra, it follows that this partitions into 4 parts of equal size, depending on the sign of and .

The allowed in the quadratic residue problem given as above constitute exactly those two parts corresponding to the cases and . Consequently, exactly half of the possible are quadratic residues and the remaining are not.


The intractability of the quadratic residuosity problem is the basis for the security of the Blum Blum Shub pseudorandom number generator. It also yields the public key Goldwasser–Micali cryptosystem.[3][4] as well as the identity based Cocks scheme.

See also[edit]


  1. ^ Kaliski, Burt (2011). "Quadratic Residuosity Problem". Encyclopedia of Cryptography and Security. p. 1003. doi:10.1007/978-1-4419-5906-5_429. ISBN 978-1-4419-5905-8.
  2. ^ Adleman, L. (1980). "On Distinguishing Prime Numbers from Composite Numbers". Proceedings of the 21st IEEE Symposium on the Foundations of Computer Science (FOCS), Syracuse, N.Y. pp. 387–408. doi:10.1109/SFCS.1980.28. ISSN 0272-5428.
  3. ^ S. Goldwasser, S. Micali (1982). "Probabilistic encryption & how to play mental poker keeping secret all partial information". Proceedings of the fourteenth annual ACM symposium on Theory of computing - STOC '82. pp. 365–377. doi:10.1145/800070.802212. ISBN 0897910702. S2CID 10316867.
  4. ^ S. Goldwasser, S. Micali (1984). "Probabilistic encryption". Journal of Computer and System Sciences. 28 (2): 270–299. doi:10.1016/0022-0000(84)90070-9.