Department of Electrical Engineering, IIT Bombay
November 1, 2024
In a group G, an element y \in G is called a quadratic residue if there exists an x \in G with x^2 = y
In an abelian group, the set of quadratic residues forms a subgroup
Proposition: Let p > 2 be prime. Every quadratic residue in \mathbb{Z}_p^* has exactly two square roots
The integers 1,2,\ldots, \frac{p-1}{2} have distinct squares modulo p; let S denote the set of these squares
Since x^2 = (p-x)^2 \bmod p, the squares of \left\{\frac{p+1}{2},\frac{p+3}{2},\ldots, p-1\right\} already appear in S
Lemma: Exactly half the elements of \mathbb{Z}_p^* are quadratic residues
Proposition: Let p > 2 be a prime. Then \mathcal{J}_p(x) = x^{\frac{p-1}{2}} \bmod p
Core idea of proof
\mathbb{Z}_p^* is cyclic \implies There exists a g \in \mathbb{Z}_p^* such that \mathbb{Z}_p^* = \{g^0, g^1, \ldots,g^{\frac{p-1}{2}-1},g^{\frac{p-1}{2}},g^{\frac{p-1}{2}+1},\ldots,g^{p-2}\}
\mathcal{QR}_p is exactly those g^i where i \in \{0,1,\ldots,p-2\} is an even integer
Proposition: Let p > 2 be a prime, and x,y \in \mathbb{Z}_p^*. Then \mathcal{J}_p(xy) = \mathcal{J}_p(x) \cdot\mathcal{J}_p(y).
Corollary: Let p > 2 be a prime, x, x' \in \mathcal{QR}_p and y, y' \in \mathcal{QNR}_p. Then
We consider quadratic residues in \mathbb{Z}_N^*, where N = pq for distinct odd primes p,q
From the CRT, we have \mathbb{Z}_N^* \simeq \mathbb{Z}_p^* \times \mathbb{Z}_q^*
Proposition: Let y \in \mathbb{Z}_N^*. Then y \in \mathcal{QR}_N \iff y_p \in \mathcal{QR}_p and y_q \in \mathcal{QR}_q
Exactly 1/4 of the elements of \mathbb{Z}_N^* are quadratic residues
Let N = pq where p,q are distinct, odd primes
For x \in \mathbb{Z}_N^*, we define \mathcal{J}_N(x) = \mathcal{J}_p([x \bmod p]) \cdot \mathcal{J}_q([x \bmod q])
Lemma: If x is a quadratic residue modulo N, then \mathcal{J}_N(x) = +1
\mathcal{J}_N(x) = +1 even when \mathcal{J}_p([x \bmod p]) = \mathcal{J}_q([x \bmod q]) = -1, so \mathcal{J}_N(x) = +1 does not imply that x is a quadratic residue modulo N
Proposition: Let N=pq with p,q distinct, odd primes. Then
Proposition: Let N=pq be a product of distinct, odd primes, and x,y \in \mathbb{Z}_N^*. Then \mathcal{J}_N(xy) = \mathcal{J}_N(x) \cdot\mathcal{J}_N(y).
Corollary: Let x, x' \in \mathcal{QR}_N and y, y' \in \mathcal{QNR}_N^{+1}. Then
For a prime p > 2, checking if x is a quadratic residue is easy
When the factorization of N=pq is known, checking if x is a quadratic residue modulo N is also easy
When the factorization of N is unknown, there is no known polynomial-time algorithm for deciding whether x is a quadratic residue modulo N
\mathcal{J}_N(x) can be calculated in polynomial time even when the factorization of N is unknown
If \mathcal{J}_N(x) = -1, then x is not a quadratic residue
But if \mathcal{J}_N(x) = +1, then there is no known polynomial-time algorithm for deciding quadratic residuosity of x
Let m,n be odd, positive integers, and let a,b \in \mathbb{Z}. Then
See chapter 12 of Shoup
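The following is an added example (not code from the lecture notes or from Shoup): it implements the Legendre symbol via Euler's criterion, the Jacobi symbol via the reciprocity law above (so it never factors N), and then checks the claims on the preceding slides for the constructed toy modulus N = 7 * 11 = 77: exactly 1/4 of \mathbb{Z}_N^* are quadratic residues, half have \mathcal{J}_N(x) = +1, and the element 6 has \mathcal{J}_{77}(6) = +1 without being a square. The names legendre, jacobi, is_qr_mod_N and count_classes are the example's own.

```python
from math import gcd


def legendre(x: int, p: int) -> int:
    """J_p(x) for an odd prime p by Euler's criterion: x^((p-1)/2) mod p, as -1/0/+1."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def jacobi(a: int, n: int) -> int:
    """J_n(a) for odd n > 0, computed from the reciprocity law and its
    supplements for (2/n) and (-1/n); the factorization of n is never needed."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        # strip factors of 2: (2/n) = -1 exactly when n = 3 or 5 (mod 8)
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        # reciprocity: (a/n)(n/a) = -1 iff a = n = 3 (mod 4)
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr_mod_N(x: int, p: int, q: int) -> bool:
    """With the factorization known, x is a QR mod N=pq iff it is a QR mod p and mod q (CRT)."""
    return legendre(x, p) == 1 and legendre(x, q) == 1


def count_classes(p: int, q: int) -> tuple:
    """Return (#QR_N, #{x : J_N(x) = +1}, |Z_N^*|) for N = pq by exhaustive enumeration."""
    N = p * q
    units = [x for x in range(1, N) if gcd(x, N) == 1]
    num_qr = sum(1 for x in units if is_qr_mod_N(x, p, q))
    num_plus = sum(1 for x in units if jacobi(x, N) == 1)
    return num_qr, num_plus, len(units)


if __name__ == "__main__":
    p, q = 7, 11                      # constructed toy primes
    N = p * q
    print("classes for N=77:", count_classes(p, q))          # (15, 30, 60)
    print("J_77(6) =", jacobi(6, N), "QR?", is_qr_mod_N(6, p, q))  # +1, False
    # Euler's criterion and the reciprocity algorithm agree on a prime modulus
    print(all(jacobi(x, 23) == legendre(x, 23) for x in range(1, 23)))
```

Running the script shows the pseudosquare case concretely: jacobi(6, 77) returns +1 because \mathcal{J}_7(6) = \mathcal{J}_{11}(6) = -1, yet 6 is not a square modulo 77. Only the factorization-aware is_qr_mod_N can tell the two apart, which is the gap the residuosity assumption rests on.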
There is no known method for directly choosing uniformly from \mathcal{QNR}_N^{+1} if the factorization of N is unknown
But it is possible if the receiver can help
The receiver picks a uniform z \in \mathcal{QNR}_N^{+1} and includes it as part of the public key
To generate a uniform element y from \mathcal{QNR}_N^{+1}, the sender
The public key is \langle N, z \rangle where z \in \mathcal{QNR}_N^{+1}
The private key is \langle p, q \rangle where N=pq
To send a message m = m_1m_2 \cdots m_l \in \{0,1\}^l
The receiver decrypts each ciphertext c_i to the bit \hat{m}_i = 0 or \hat{m}_i = 1 according to whether \left( c_i^{\frac{p-1}{2}} \bmod p, c_i^{\frac{q-1}{2}} \bmod q\right) equals (1,1) or (-1,-1)
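The scheme described on the last slides, written out as an added example that is not part of the lecture notes: the receiver picks z \in \mathcal{QNR}_N^{+1} (a non-residue modulo both p and q), the sender hides each bit as c_i = r_i^2 z^{m_i} \bmod N with fresh uniform r_i, and the receiver decrypts with Euler's criterion modulo p and q. The primes are constructed toy values so the code runs instantly; the function names keygen, encrypt, decrypt and roundtrip are the example's own.

```python
import secrets
from math import gcd


def euler_criterion(x: int, p: int) -> int:
    """x^((p-1)/2) mod p as +1 (residue) or -1 (non-residue), for odd prime p and gcd(x,p)=1."""
    return 1 if pow(x % p, (p - 1) // 2, p) == 1 else -1


def keygen(p: int, q: int):
    """Public key <N, z> with z uniform in QNR_N^{+1}; private key <p, q>.
    The receiver knows p and q, so rejection sampling on Euler's criterion works."""
    N = p * q
    while True:
        z = secrets.randbelow(N - 2) + 2
        if gcd(z, N) == 1 and euler_criterion(z, p) == -1 and euler_criterion(z, q) == -1:
            return (N, z), (p, q)


def encrypt(pk, bits):
    """c_i = r_i^2 * z^{m_i} mod N: a uniform square for m_i = 0, a uniform
    element of QNR_N^{+1} for m_i = 1. Either way J_N(c_i) = +1, so the Jacobi
    symbol alone reveals nothing about the bit."""
    N, z = pk
    cts = []
    for b in bits:
        if b not in (0, 1):
            raise ValueError("message must be a sequence of bits")
        while True:
            r = secrets.randbelow(N - 1) + 1
            if gcd(r, N) == 1:
                break
        cts.append((r * r * pow(z, b, N)) % N)
    return cts


def decrypt(sk, cts):
    """Map (c^((p-1)/2) mod p, c^((q-1)/2) mod q) = (1,1) to 0 and (-1,-1) to 1."""
    p, q = sk
    out = []
    for c in cts:
        sig = (euler_criterion(c, p), euler_criterion(c, q))
        if sig == (1, 1):
            out.append(0)
        elif sig == (-1, -1):
            out.append(1)
        else:
            # a mixed signature means c has J_N(c) = -1: not a valid ciphertext
            raise ValueError("ciphertext not in QR_N or QNR_N^{+1}")
    return out


def roundtrip(p: int, q: int, bits):
    """Convenience wrapper: generate keys, encrypt, decrypt."""
    pk, sk = keygen(p, q)
    return decrypt(sk, encrypt(pk, bits))


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    print(roundtrip(1009, 1013, msg) == msg)   # True
```

Encryption expands every bit into a full residue modulo N, which is why the scheme is used to explain the quadratic residuosity assumption rather than for bulk data. Decryption needs p and q only because Euler's criterion does; without them, the receiver-supplied z is the only thing letting the sender sample from \mathcal{QNR}_N^{+1} at all, exactly as the slide before the key description states.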