The Euler-Fermat Theorem and RSA
Michael Brockway, March 10, 2008

1 Euler-Fermat Theorem

If $m, n$ are relatively prime positive integers, then
$$m^{\phi(n)} \equiv 1 \pmod n.$$
Here $\phi(n)$ denotes Euler's totient function of $n$: the number of positive integers smaller than $n$ and relatively prime to $n$.

To prove this theorem, assume $m, n$ are relatively prime and let $b_i$, $i = 1, \ldots, \phi(n)$, be an enumeration of the distinct positive integers smaller than $n$ and relatively prime to $n$. Consider the integers $m b_i$, $i = 1, \ldots, \phi(n)$.

These integers are also relatively prime to $n$. For suppose, on the other hand, that $m b_i$ and $n$ had a common prime factor $p$. Then $p \mid m b_i$ would imply $p \mid m$ or $p \mid b_i$. In the former case $p$ is a common factor of $m$ and $n$, contradicting the relative primeness of these numbers; in the latter case $p$ is a common factor of $b_i$ and $n$, impossible by the definition of $b_i$.

The integers $m b_i$, $i = 1, \ldots, \phi(n)$, are, for distinct $i$, also incongruent mod $n$. For if $m b_i \equiv m b_j \pmod n$ then $n \mid m(b_i - b_j)$. But $m, n$ are relatively prime, so by Euclid's lemma $n \mid (b_i - b_j)$. Since the $b_i$ are distinct and $0 < b_i, b_j < n$, this is only possible when $i = j$.

Thus the numbers $m b_i$, $i = 1, \ldots, \phi(n)$, are pairwise incongruent mod $n$ and relatively prime to $n$. Their least nonnegative residues mod $n$, $\{\, m b_i \,\%\, n : i = 1, \ldots, \phi(n) \,\}$, are therefore a permutation of the original $\{\, b_i : i = 1, \ldots, \phi(n) \,\}$. The products of the two sets of integers must therefore be congruent mod $n$:
$$m^{\phi(n)}\, b_1 b_2 \cdots b_{\phi(n)} \equiv b_1 b_2 \cdots b_{\phi(n)} \pmod n.$$
Since each $b_i$ is relatively prime to $n$, it can be cancelled from this congruence, leaving
$$m^{\phi(n)} \equiv 1 \pmod n,$$
as required.

2 Corollaries

• Fermat's Little Theorem: if $p$ is prime and not a factor of $m$, then $m^{p-1} \equiv 1 \pmod p$. This follows because when $p$ is prime, $\phi(p) = p - 1$.
• If $p, q$ are distinct primes, neither a factor of $m$, then $m^{(p-1)(q-1)} \equiv 1 \pmod{pq}$. This follows because in this case $\phi(pq) = (p-1)(q-1)$.
• For any integer $m$, distinct primes $p, q$, and positive integer $k$: if $k \equiv 1 \pmod{(p-1)(q-1)}$ then $m^k \equiv m \pmod{pq}$.

The third corollary needs a little work to prove. Write $k = k'(p-1)(q-1) + 1$ for some integer $k' \ge 0$. If neither of the primes $p, q$ is a factor of $m$, the second corollary gives
$$m^k = \left(m^{(p-1)(q-1)}\right)^{k'} m \equiv 1^{k'} m = m \pmod{pq}.$$
In general, suppose first that $p$ divides $m$. Then $m^k \equiv 0 \equiv m \pmod p$. If instead $p$ does not divide $m$, then by Fermat's little theorem $m^k = (m^{p-1})^{k'(q-1)} m \equiv m \pmod p$. Thus, whether or not $p$ divides $m$, $m^k \equiv m \pmod p$. Similarly (whether or not $q$ divides $m$) $m^k \equiv m \pmod q$. From the relative primeness of $p, q$ it follows that $m^k \equiv m \pmod{pq}$.

3 RSA

An RSA cryptosystem is generated from a pair of distinct prime numbers $p, q$, sufficiently large that it is computationally infeasible to recover their values from knowledge of their product $n = pq$.

To generate keys, take an integer $e$ relatively prime to $(p-1)(q-1)$ and (using the extended Euclidean algorithm) compute $d = e^{-1} \bmod (p-1)(q-1)$. (This $d$ is the least nonnegative residue, so $ed \equiv 1 \pmod{(p-1)(q-1)}$.)
Publish $n, e$: these comprise the public key. $d$ is the private key.

It is immediate from the third corollary above that for any integer $m$, $m^{ed} \equiv m \pmod n$.

A message can be divided into a sequence of blocks of bits $m$ which constitute integers $< n$. For each such $m$ let $c = m^e \,\%\, n$ (i.e., the least nonnegative residue mod $n$). Then $c^d \equiv (m^e)^d = m^{ed} \equiv m \pmod n$. Thus the least nonnegative residue $c^d \,\%\, n$ is the original bit block $m$.

The sequence of such bit-blocks $c$ is the ciphertext obtained from the message via the public key. The reasoning above shows that computing $c^d \,\%\, n$ for each $c$ recovers the plaintext $m$: this is the decryption process.

To summarize, the following mappings are inverse to each other:
• Encryption: $m \mapsto c = m^e \,\%\, n$.
• Decryption: $c \mapsto c^d \,\%\, n = m$.
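The following Python program is an added example, not part of the original note. It works through the two halves of the note on small constructed numbers: Sections 1 and 2 (the set $\{b_i\}$ of residues coprime to $n$, the fact that multiplying by $m$ permutes it, and the congruence $m^{\phi(n)} \equiv 1$) and Section 3 (key generation with the extended Euclidean algorithm, encryption as $m^e \,\%\, n$, decryption as $c^d \,\%\, n$). The toy parameters ($n = 15$, and $p = 61$, $q = 53$, $e = 17$) and all function names are this example's own choices; real moduli are thousands of bits and the exhaustive loops below would not be feasible for them.

```python
"""Worked check of the Euler-Fermat theorem and the textbook RSA construction.

Added example for this note, not code from the original text. Everything is
plain integer arithmetic; the primes are deliberately tiny so that the
exhaustive checks finish instantly.
"""
from math import gcd


def coprime_residues(n: int) -> list[int]:
    """The b_i of Section 1: positive integers smaller than n, coprime to n."""
    return [b for b in range(1, n) if gcd(b, n) == 1]


def phi(n: int) -> int:
    """Euler's totient, computed directly from the note's definition."""
    return len(coprime_residues(n))


def multiplication_permutes_residues(m: int, n: int) -> bool:
    """Heart of the proof: {m*b_i % n} is a permutation of {b_i} when gcd(m, n) == 1."""
    bs = coprime_residues(n)
    return sorted(m * b % n for b in bs) == bs


def euler_fermat_holds(m: int, n: int) -> bool:
    """m^phi(n) ≡ 1 (mod n); expected True exactly when gcd(m, n) == 1."""
    return pow(m, phi(n), n) == 1 % n


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclidean algorithm: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(e: int, modulus: int) -> int:
    """Least nonnegative d with e*d ≡ 1 (mod modulus); raises if e is not invertible."""
    g, x, _ = egcd(e, modulus)
    if g != 1:
        raise ValueError(f"{e} is not invertible mod {modulus}")
    return x % modulus


def rsa_keygen(p: int, q: int, e: int) -> tuple[tuple[int, int], int]:
    """Section 3 key generation: returns public key (n, e) and private key d."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, order = p * q, (p - 1) * (q - 1)
    d = modinv(e, order)  # fails loudly if gcd(e, (p-1)(q-1)) != 1
    return (n, e), d


def encrypt(m: int, public_key: tuple[int, int]) -> int:
    """c = m^e % n, for a block m in [0, n)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext block must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, d: int, n: int) -> int:
    """m = c^d % n."""
    return pow(c, d, n)


def rsa_round_trips_for_every_block(p: int, q: int, e: int) -> bool:
    """Corollary 3 in action: decryption inverts encryption for every m < n,
    including blocks divisible by p or q, which Corollary 2 alone does not cover."""
    (n, e), d = rsa_keygen(p, q, e)
    return all(decrypt(encrypt(m, (n, e)), d, n) == m for m in range(n))


if __name__ == "__main__":
    # Constructed toy parameters, chosen only so the output is easy to check by hand.
    print(phi(15), coprime_residues(15))
    print(multiplication_permutes_residues(7, 15), euler_fermat_holds(7, 15))
    (n, e), d = rsa_keygen(61, 53, 17)
    c = encrypt(65, (n, e))
    print((n, e), d, c, decrypt(c, d, n))
    print(rsa_round_trips_for_every_block(61, 53, 17))
```

`pow(m, e, n)` is Python's built-in modular exponentiation, so the cost is polynomial in the bit length of $n$ even though the exhaustive checks above are not. Note also that this is the textbook scheme exactly as the note describes it: encrypting integer blocks directly, without padding, is deterministic (equal blocks give equal ciphertexts) and is not how RSA is deployed in practice, where a padding scheme is applied to the block before exponentiation.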