The proof uses the fact that the residue classes modulo a prime number are a field. See the article prime field for more details.
Because the modulus is prime, Lagrange's theorem applies: a polynomial of degree k can only have at most k roots. In particular, x2 ≡ a (mod p) has at most 2 solutions for each a. This immediately implies that besides 0 there are at least p − 1/2 distinct quadratic residues modulo p: each of the p − 1 possible values of x can only be accompanied by one other to give the same residue.
In fact, This is because
So, the distinct quadratic residues are:
Since the integers mod p form a field, for each a, one or the other of these factors must be zero. Therefore,
or
Now if a is a quadratic residue, a ≡ x2,
So every quadratic residue (mod p) makes the first factor zero.
Applying Lagrange's theorem again, we note that there can be no more than p − 1/2 values of a that make the first factor zero. But as we noted at the beginning, there are at least p − 1/2 distinct quadratic residues (mod p) (besides 0). Therefore, they are precisely the residue classes that make the first factor zero. The other p − 1/2 residue classes, the nonresidues, must make the second factor zero, or they would not satisfy Fermat's little theorem. This is Euler's criterion.
Alternative proof
This proof only uses the fact that any congruence has a unique (modulo ) solution provided does not divide . (This is true because as runs through all nonzero remainders modulo without repetitions, so does : if we have , then , hence , but and aren't congruent modulo .) It follows from this fact that all nonzero remainders modulo the square of which isn't congruent to can be grouped into unordered pairs according to the rule that the product of the members of each pair is congruent to modulo (since by this fact for every we can find such an , uniquely, and vice versa, and they will differ from each other if is not congruent to ). If is not a quadratic residue, this is simply a regrouping of all nonzero residues into pairs, hence we conclude that . If is a quadratic residue, exactly two remainders were not among those paired, and such that . If we pair those two absent remainders together, their product will be rather than , whence in this case . In summary, considering these two cases we have demonstrated that for we have . It remains to substitute (which is obviously a square) into this formula to obtain at once Wilson's theorem, Euler's criterion, and (by squaring both sides of Euler's criterion) Fermat's little theorem.
Examples
Example 1: Finding primes for which a is a residue
Let a = 17. For which primes p is 17 a quadratic residue?
We can test prime p's manually given the formula above.
In one case, testing p = 3, we have 17(3 − 1)/2 = 171 ≡ 2 ≡ −1 (mod 3), therefore 17 is not a quadratic residue modulo 3.
In another case, testing p = 13, we have 17(13 − 1)/2 = 176 ≡ 1 (mod 13), therefore 17 is a quadratic residue modulo 13. As confirmation, note that 17 ≡ 4 (mod 13), and 22 = 4.
We can do these calculations faster by using various modular arithmetic and Legendre symbol properties.
If we keep calculating the values, we find:
(17/p) = +1 for p = {13, 19, ...} (17 is a quadratic residue modulo these values)
(17/p) = −1 for p = {3, 5, 7, 11, 23, ...} (17 is not a quadratic residue modulo these values).
Example 2: Finding residues given a prime modulus p
Which numbers are squares modulo 17 (quadratic residues modulo 17)?
We can manually calculate it as:
12 = 1
22 = 4
32 = 9
42 = 16
52 = 25 ≡ 8 (mod 17)
62 = 36 ≡ 2 (mod 17)
72 = 49 ≡ 15 (mod 17)
82 = 64 ≡ 13 (mod 17).
So the set of the quadratic residues modulo 17 is {1,2,4,8,9,13,15,16}. Note that we did not need to calculate squares for the values 9 through 16, as they are all negatives of the previously squared values (e.g. 9 ≡ −8 (mod 17), so 92 ≡ (−8)2 = 64 ≡ 13 (mod 17)).
We can find quadratic residues or verify them using the above formula. To test if 2 is a quadratic residue modulo 17, we calculate 2(17 − 1)/2 = 28 ≡ 1 (mod 17), so it is a quadratic residue. To test if 3 is a quadratic residue modulo 17, we calculate 3(17 − 1)/2 = 38 ≡ 16 ≡ −1 (mod 17), so it is not a quadratic residue.
In practice, it is more efficient to use an extended variant of Euclid's algorithm to calculate the Jacobi symbol. If is an odd prime, this is equal to the Legendre symbol, and decides whether is a quadratic residue modulo .
On the other hand, since the equivalence of to the Jacobi symbol holds for all odd primes, but not necessarily for composite numbers, calculating both and comparing them can be used as a primality test, specifically the Solovay–Strassen primality test. Composite numbers for which the congruence holds for a given are called Euler–Jacobi pseudoprimes to base .
Gauss, Carl Friedrich (1986), Disquisitiones Arithemeticae (Second, corrected edition), translated by Clarke, Arthur A. (English), New York: Springer, ISBN0-387-96254-9
Gauss, Carl Friedrich (1965), Untersuchungen über höhere Arithmetik (Disquisitiones Arithemeticae & other papers on number theory) (Second edition), translated by Maser, H. (German), New York: Chelsea, ISBN0-8284-0191-8