What's the "best" proof of quadratic reciprocity?

I think by far the simplest, easiest to remember elementary proof of QR is due to Rousseau. All it uses is the Chinese remainder theorem and Euler's formula $a^{(p-1)/2}\equiv (\frac{a}{p}) \mod p$. The MathSciNet review does a very good job of outlining the proof. I'll try to explain how I remember it here (but the lack of formatting is really rough for this argument).

Here's the outline. Consider $(\mathbb{Z}/p)^\times \times (\mathbb{Z}/q)^\times = (\mathbb{Z}/pq)^\times$. We want to split that group in "half", that is, consider a subset such that exactly one of x and -x is in it. There are three obvious ways to do that. For each of these we take the product of all the elements in that "half." The resulting three numbers are equal up to an overall sign. Calculating that sign on the $(\mathbb{Z}/p)^\times$ part and the $(\mathbb{Z}/q)^\times$ part gives you the two sides of QR.

In more detail. First let me describe the three "obvious" halves:

  1. Take the first half of $(\mathbb{Z}/p)^\times$ and all of the other factor
  2. Take all of the first factor and the first half of $(\mathbb{Z}/q)^\times$
  3. Take the first half of $(\mathbb{Z}/pq)^\times$

The three products are then (letting P = (p-1)/2 and Q=(q-1)/2):

  1. $(P!^{q-1}, (q-1)!^P)$
  2. $((p-1)!^Q, Q!^{p-1})$
  3. $\left(\frac{(p-1)!^Q P!}{q^P P!},\frac{(q-1)!^P Q!}{p^Q Q!}\right)$

All of these are equal to each other up to overall signs. Looking at the second component it's clear that the sign relating 1 and 3 is $\left(\frac{p}{q}\right)$. Similarly, the sign relating 2 and 3 is $\left(\frac{q}{p}\right)$. So the sign relating 1 and 2 is $\left(\frac{p}{q}\right) \left(\frac{q}{p}\right)$. But to get from 1 to 2 we just changed the signs of $\frac{p-1}{2} \frac{q-1}{2}$ elements. QED
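
A numerical check of the three "halves" described in the answer above, as an added example that is not part of the original post. The function names (`legendre`, `half_product`, `rousseau_signs`) are made up for this illustration; elements of $(\mathbb{Z}/pq)^\times$ are stored as pairs (x mod p, y mod q), which is the Chinese remainder theorem identification the answer uses.

```python
from math import gcd

def legendre(a, p):
    """Legendre symbol (a/p) via Euler's formula a^((p-1)/2) mod p."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def half_product(pairs, p, q):
    """Componentwise product of (x mod p, y mod q) pairs."""
    a, b = 1, 1
    for x, y in pairs:
        a, b = a * x % p, b * y % q
    return a, b

def rousseau_signs(p, q):
    """Return the signs relating products (1,3), (2,3) and (1,2)."""
    P, Q = (p - 1) // 2, (q - 1) // 2
    # Half 1: first half of (Z/p)^x, all of (Z/q)^x
    h1 = [(x, y) for x in range(1, P + 1) for y in range(1, q)]
    # Half 2: all of (Z/p)^x, first half of (Z/q)^x
    h2 = [(x, y) for x in range(1, p) for y in range(1, Q + 1)]
    # Half 3: first half of (Z/pq)^x, mapped to pairs by reduction
    h3 = [(n % p, n % q) for n in range(1, (p * q - 1) // 2 + 1)
          if gcd(n, p * q) == 1]
    prod1, prod2, prod3 = (half_product(h, p, q) for h in (h1, h2, h3))

    def sign(u, v):
        # The products agree up to an overall sign (+1, +1) or (-1, -1).
        if u == v:
            return 1
        if u == ((-v[0]) % p, (-v[1]) % q):
            return -1
        raise ValueError("products differ by more than a sign")

    return sign(prod1, prod3), sign(prod2, prod3), sign(prod1, prod2)

if __name__ == "__main__":
    for p, q in [(3, 5), (3, 7), (7, 11)]:
        s13, s23, s12 = rousseau_signs(p, q)
        print(p, q, "sign(1,3) =", s13, "(p/q) =", legendre(p, q),
              "| sign(2,3) =", s23, "(q/p) =", legendre(q, p),
              "| sign(1,2) =", s12)
```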


The question asked for the nicest proof for a first undergraduate course. Has anyone who offered a proposal used their favorite choice in a course? (Obviously the suggestions referring to $K$-theory or Hilbert symbols weren't suggested in that spirit.) I've taught an undergrad number theory class several times and initially I gave the Gauss sum proof. But I realized afterwards that to the students this truly comes out of nowhere (it seems too magical), so I hunted around for other proofs, preferably some which build on more basic ideas that I could present earlier in the course. The Eisenstein (sine-function) proof doesn't fit that requirement, and Zolotarev seems too far-out if the students have not had group theory (which most have not). So what else is available?

There is a proof due to V. Lebesgue (not H. Lebesgue!) that is based on counting points on hyperspheres mod $p$. It can be found in Ireland-Rosen's book. For an odd prime $p$ and positive integer $n$, let

$$N_n(p) = \#\{(x_1,\dots,x_n) \in ({\mathbf Z}/(p))^n : x_1^2 + \cdots + x_n^2 = 1\}.$$

This is the number of mod $p$ points on the sphere in $n$-space mod $p$. Earlier in the course I have the students discover numerically that every number mod $p$ is a sum of two squares. That is,

$$\#\{(x,y) \in ({\mathbf Z}/(p))^2 : x^2 + y^2 = a\}$$

is positive for every $a$ in ${\mathbf Z}/(p)$. This could be shown by the pigeonhole principle, since $x^2$ and $a - y^2$ each take $(p+1)/2$ values mod $p$ and thus have an overlap. But more precisely, if you look at examples, you quickly discover that this 2-variable count is independent of $a$ when $a$ is nonzero (from a more adv. point of view, the independence is because the norm map on unit groups $(({\mathbf Z}/(p))[t]/(t^2+1))^\times \to ({\mathbf Z}/(p))^\times$ is a homomorphism so its fibers have the same size, but that is a crazy explanation in an elem. number theory course). Enough data suggest what that uniform value is for any nonzero $a \bmod p$, and then we prove that in class. With this 2-variable count we return to the hypersphere count and get a simple recursive formula connecting $N_n(p)$ to $N_{n-2}(p)$. If you let $n = q$ be an odd prime, the recursive formula involves $p^{(q-1)/2}$ plus $N_{q-2}(p)$ times a multiple of $q$, so $N_q(p) \bmod q$ involves $(\frac{p}{q})$. [Note: Although the application will use $N_q(p)$, you must think about $N_n(p)$ for general odd $n$ first since the recursion from $n$ back to $n-2$ makes no sense in general when the number of variables is only an odd prime: $n-2$ usually isn't prime when $n$ is.]

At the same time, the set being counted by $N_n(p)$ is invariant under cyclic shifts of the coordinates. On the very first problem set I have the students discover numerically that the number of cyclic shifts of an $n$-tuple is always a divisor of $n$. So when we let $n = q$ be an odd prime, $N_n(p) = N_q(p)$ is the number of constant $q$-tuples on the unit sphere mod $p$ plus a multiple of $q$. A constant $q$-tuple is basically counting whether or not $q \bmod p$ is a square. So $N_q(p) \bmod q$ is related to $(\frac{q}{p})$.

In the two approaches to counting $N_q(p) \bmod q$, one involves $(\frac{p}{q})$ and the other involves $(\frac{q}{p})$. This implies the QR relation mod $q$, which is actual equality since $1$ is not $-1 \bmod q$.

One nice thing about this approach is that it can also be used to prove the supplementary law for $(\frac{2}{p})$, by counting

$$\#\{(x,y) \in ({\mathbf Z}/(p))^2 : x^2 + y^2 \equiv 1 \bmod p\}$$

in two ways. First there is the exact formula for the count (not just mod $p$) which I mentioned before. Second, most solutions in this count come in packets of size 8 (permute coordinates and change signs to get 8 solutions out of one solution). The exceptions which don't fall into packets of size 8 (when $x$ is $\pm y$ mod $p$ or $x$ or $y$ is $0$ mod $p$) depend on whether or not 2 mod $p$ is a square (does $2x^2 \equiv 1 \bmod p$ have a solution?), and comparing these two formulas mod 8 implies the usual rule for $(\frac{2}{p})$.

Since I am able to get the students to work on ideas that are used in the proof much earlier on during the semester (one doesn't need quadratic residues to numerically look at solutions of $x^2 + y^2 \equiv a \bmod p$, for instance), this proof nicely ties together things they have seen throughout the course. So that's why this is my vote for the best proof to give in an undergrad course.


The following variant of a proof going back to V. Lebesgue and Eisenstein is due to Aurelien Bessard (2010). See also W. Castryck, A shortened classical proof of the quadratic reciprocity law, Amer. Math. Monthly 115 (2008), 550-551.

Let $p = 2m+1$ and $q$ be distinct odd primes and let $N$ denote the number of solutions of the equation $$ x_1^2 + \ldots + x_p^2 = 1 $$ in the finite field ${\mathbb F}_q$.

  1. The group ${\mathbb Z}/p{\mathbb Z}$ acts on the solution space $X$ by shifting indices: if $(x_1, \ldots, x_p) \in X$, then so is $(x_a,x_{a+1}, \ldots)$ for each $a \in {\mathbb Z}/p{\mathbb Z}$, where the indices have to be read modulo $p$. Each orbit has exactly $p$ elements except if there is an $x$ with $(x,x,\ldots,x) \in X$: the orbit of this element has $1$ element. Now $(x,x,\ldots,x) \in X$ if and only if $px^2 = 1$ is solvable in ${\mathbb F}_q$, hence $$ N \equiv \Big( \frac pq \Big) + 1 \bmod p. $$

  2. We make a change of variables to transform the diagonal equation into an equation where counting the number of solutions is easier. To this end, consider the matrix $$ A = \left( \begin{matrix} 0 & 1 & & & & & & \\ 1 & 0 & & & & & & \\ & & 0 & 1 & & & & \\ & & 1 & 0 & & & & \\ & & & & \ddots & & & \\ & & & & & 0 & 1 & \\ & & & & & 1 & 0 & \\ & & & & & & & a \end{matrix} \right) $$ with $a = (-1)^{(p-1)/2}$. Since $\det A = 1$, this matrix is congruent to the unit matrix, hence $X$ and the solution spaces $X'$ of the equation $x^T A x = 1$, i.e., of $$ 2(y_1z_1 + \ldots + y_m z_m) + ax_p^2 = 1 $$ are isomorphic (recall that $p = 2m+1$).

    For counting the number of solutions of $X'$, observe that if $(y_1, \ldots, y_m) = 0$, we have $q^m \cdot (1+a^{(q-1)/2})$ possibilities for choosing $z_1, \ldots, z_m$ and $x_p$.

    If $y = (y_1, \ldots, y_m) \ne 0$, on the other hand, then for each choice of $y$ and $x_p$ we have to count the number of points on a hyperplane of dimension $m$; there are $q^{m-1}$ points on such a hyperplane, and the number of overall possibilities in this case is $(q^m-1) \cdot q \cdot q^{m-1} = q^m(q^m-1)$.

  3. Thus we find \begin{align*} N & = q^m (1+a^{(q-1)/2}) + q^m(q^m-1) = q^m(q^m + (-1)^{\frac{p-1}2 \frac{q-1}2}) \\ & \equiv \Big(\frac qp \Big) \Big[ \Big(\frac qp \Big) + (-1)^{\frac{p-1}2 \frac{q-1}2} \Big] \equiv 1 + (-1)^{\frac{p-1}2 \frac{q-1}2} \Big(\frac qp \Big) \bmod p. \end{align*} Comparing with the congruence from 1. gives the quadratic reciprocity law.
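
A numerical check of the sphere-point counts used in the two Lebesgue-style answers above, as an added example that is not part of either post. It follows the last answer's notation ($p = 2m+1$ variables over ${\mathbb F}_q$) and also tests the earlier answer's observation that the two-variable count of $x^2 + y^2 = a$ does not depend on nonzero $a$; all function names are made up for this illustration.

```python
def legendre(a, p):
    """Legendre symbol (a/p) via Euler's formula a^((p-1)/2) mod p."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def sum_of_squares_counts(n, q):
    """counts[s] = number of (x_1..x_n) in (Z/q)^n with x_1^2+...+x_n^2 = s."""
    squares = [0] * q
    for x in range(q):
        squares[x * x % q] += 1
    counts = [1] + [0] * (q - 1)          # the empty sum equals 0
    for _ in range(n):                    # add one variable at a time
        nxt = [0] * q
        for s, c in enumerate(counts):
            for t, d in enumerate(squares):
                nxt[(s + t) % q] += c * d
        counts = nxt
    return counts

def sphere_count(n, q):
    """Number of points on x_1^2 + ... + x_n^2 = 1 over Z/q."""
    return sum_of_squares_counts(n, q)[1]

def check_lebesgue(p, q):
    """Check the closed form and both congruences mod p for N."""
    m = (p - 1) // 2
    N = sphere_count(p, q)
    eps = (-1) ** (m * ((q - 1) // 2))
    closed_form_ok = N == q**m * (q**m + eps)
    orbit_ok = (N - (legendre(p, q) + 1)) % p == 0       # step 1
    formula_ok = (N - (1 + eps * legendre(q, p))) % p == 0  # step 3
    return closed_form_ok, orbit_ok, formula_ok

def two_variable_counts(p):
    """Set of values of #{(x,y): x^2 + y^2 = a} over nonzero a mod p."""
    return set(sum_of_squares_counts(2, p)[1:])

if __name__ == "__main__":
    for p, q in [(3, 5), (3, 7), (5, 7), (7, 11)]:
        print(p, q, sphere_count(p, q), check_lebesgue(p, q))
    print({p: two_variable_counts(p) for p in (3, 5, 7, 11, 13)})
```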