The Euler-Fermat Theorem and RSA

Michael Brockway

March 10, 2008

1 Euler-Fermat Theorem

If $m, n$ are relatively prime positive integers, then

$$m^{\varphi(n)} \equiv 1 \pmod{n}.$$

Here $\varphi(n)$ denotes Euler's totient function of $n$, the number of positive integers smaller than $n$ that are relatively prime to $n$.

To prove this theorem, assume $m, n$ are relatively prime and let $b_i$, $i = 1, \ldots, \varphi(n)$, be an enumeration of the distinct positive integers smaller than $n$ that are relatively prime to $n$.

Consider the integers $m b_i$, $i = 1, \ldots, \varphi(n)$.

These integers are also relatively prime to $n$. For suppose, on the contrary, that $m b_i$ and $n$ had a common prime factor $p$. Then $p \mid m b_i$ would imply $p \mid m$ or $p \mid b_i$. In the former case $p$ would be a common factor of $m$ and $n$, contradicting their relative primeness; in the latter case $p$ would be a common factor of $b_i$ and $n$, which is impossible by the definition of $b_i$.

The integers $m b_i$, $i = 1, \ldots, \varphi(n)$, are also pairwise incongruent mod $n$. For if $m b_i \equiv m b_j \pmod{n}$ then $n \mid m(b_i - b_j)$. But $m, n$ are relatively prime, so by Euclid's lemma $n \mid (b_i - b_j)$. Since $0 < b_i, b_j < n$, this is only possible when $i = j$.

Thus the numbers $m b_i$, $i = 1, \ldots, \varphi(n)$, are pairwise incongruent mod $n$ and relatively prime to $n$. Their least nonnegative residues mod $n$, $\{\, m b_i \,\%\, n : i = 1, \ldots, \varphi(n) \,\}$, are therefore a permutation of the original $\{\, b_i : i = 1, \ldots, \varphi(n) \,\}$. The products of the two sets of integers must therefore be congruent mod $n$:


$$m^{\varphi(n)} \, b_1 b_2 \cdots b_{\varphi(n)} \equiv b_1 b_2 \cdots b_{\varphi(n)} \pmod{n}.$$

Since each $b_i$ is relatively prime to $n$, it can be cancelled from this congruence, leaving

$$m^{\varphi(n)} \equiv 1 \pmod{n}$$

as required.

2 Corollaries

• Fermat's Little Theorem: if $p$ is prime and not a factor of $m$, then $m^{p-1} \equiv 1 \pmod{p}$. This follows because when $p$ is prime, $\varphi(p) = p - 1$.

• If $p, q$ are distinct primes and neither is a factor of $m$, then $m^{(p-1)(q-1)} \equiv 1 \pmod{pq}$. This follows because in this case $\varphi(pq) = (p-1)(q-1)$. (Distinctness matters: $\varphi(p^2) = p(p-1)$, not $(p-1)^2$.)

• For any integer $m$, positive integer $k$ and distinct primes $p, q$, if $k \equiv 1 \pmod{(p-1)(q-1)}$ then $m^k \equiv m \pmod{pq}$.

The third corollary needs a little work to prove. If neither of the primes $p, q$ is a factor of $m$, it follows from the second corollary: write $k = k'(p-1)(q-1) + 1$ for some $k' \ge 0$, so that

$$m^k = \bigl(m^{(p-1)(q-1)}\bigr)^{k'} m \equiv 1^{k'} m = m \pmod{pq}.$$

The general case is handled one prime at a time. If $p$ divides $m$, then $m^k \equiv 0 \equiv m \pmod{p}$. If $p$ does not divide $m$, then since $(p-1) \mid (p-1)(q-1) \mid (k-1)$, Fermat's little theorem gives $m^k = \bigl(m^{p-1}\bigr)^{(k-1)/(p-1)} m \equiv m \pmod{p}$. Thus, whether or not $p$ divides $m$, $m^k \equiv m \pmod{p}$. Similarly (whether or not $q$ divides $m$) $m^k \equiv m \pmod{q}$. Since $p \ne q$, the two primes are relatively prime, so $pq \mid (m^k - m)$, that is, $m^k \equiv m \pmod{pq}$.

3 RSA

An RSA cryptosystem is generated from a pair of distinct prime numbers $p, q$, sufficiently large that it is computationally infeasible to recover their values from knowledge of their product $n = pq$.

To generate keys, take an integer $e$ relatively prime to $(p-1)(q-1)$ and (using the extended Euclidean algorithm) compute $d = e^{-1} \bmod (p-1)(q-1)$. (This $d$ is the least nonnegative residue, so $ed \equiv 1 \pmod{(p-1)(q-1)}$.)


Publish $n, e$: these comprise the public key. $d$ is the private key; $p$, $q$ and $(p-1)(q-1)$ must also be kept secret, since anyone who knows $e$ and $(p-1)(q-1)$ can compute $d$ exactly as above.

It is immediate from the third corollary above, with $k = ed \equiv 1 \pmod{(p-1)(q-1)}$, that for any integer $m$, $m^{ed} \equiv m \pmod{n}$.

A message can be divided into a sequence of blocks of bits $m$ which constitute integers $< n$. For each such $m$ let $c = m^e \,\%\, n$ (i.e., the least nonnegative residue mod $n$). Then $c^d \equiv (m^e)^d \equiv m^{ed} \equiv m \pmod{n}$. Thus the least nonnegative residue $c^d \,\%\, n$ is the original bit block $m$; the restriction $0 \le m < n$ is what makes this residue equal to $m$ itself rather than merely congruent to it.

The sequence of such bit-blocks $c$ is the ciphertext obtained from the message via the public key. The reasoning above shows that computing $c^d \,\%\, n$ for each $c$ recovers the plaintext $m$: this is the decryption process.

To summarize, the following mappings are inverse to each other:

• Encryption: $m \mapsto c = m^e \,\%\, n$.

• Decryption: $c \mapsto c^d \,\%\, n = m$.

A caveat for practice: this is "textbook" RSA. Encryption as written is deterministic (equal blocks give equal ciphertexts) and multiplicatively malleable ($c_1 c_2 \,\%\, n$ is the encryption of $m_1 m_2 \,\%\, n$), so deployed systems apply a randomized padding scheme such as OAEP to $m$ before exponentiation rather than encrypting raw blocks.
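As an added worked example (not part of Brockway's note), the following Python carries sections 1 to 3 through in code: it enumerates the $b_i$ and checks that multiplying by $m$ permutes them mod $n$ (the heart of the proof), checks the third corollary on the $p \mid m$ case and shows it failing when $p = q$, then builds textbook RSA keys with the extended Euclidean algorithm and runs a block-by-block encrypt/decrypt round trip. The primes 61 and 53, the exponent 17, and the sample message are constructed toy values; the function names are this example's own.

```python
"""Added worked example (not part of Brockway's note): the permutation
argument behind the Euler-Fermat theorem, the third corollary on the
p | m edge case, and a textbook RSA key-generation / encryption round trip.
All numbers here are small constructed values chosen for illustration;
real RSA moduli are thousands of bits long and use randomized padding."""
from math import gcd


def coprime_residues(n):
    """The b_i of the proof: positive integers below n coprime to n."""
    return [b for b in range(1, n) if gcd(b, n) == 1]


def totient(n):
    """Euler's phi(n), computed directly from the note's definition."""
    return len(coprime_residues(n))


def permutation_check(m, n):
    """Multiplying the b_i by an m coprime to n permutes them mod n.
    Returns (is_permutation, m**phi(n) mod n); the second entry is 1
    exactly as the theorem predicts."""
    if gcd(m, n) != 1:
        raise ValueError("m must be relatively prime to n")
    b = coprime_residues(n)
    mb = sorted(m * bi % n for bi in b)
    return mb == b, pow(m, totient(n), n)


def corollary3_holds(m, k, p, q):
    """True iff m**k == m (mod pq).  For distinct primes p, q and
    k == 1 (mod (p-1)(q-1)) this is always True, even when p | m or q | m.
    p == q is deliberately allowed so the failure of the corollary there
    (phi(p*p) is p(p-1), not (p-1)^2) can be observed."""
    if k % ((p - 1) * (q - 1)) != 1:
        raise ValueError("k must be 1 mod (p-1)(q-1)")
    return pow(m, k, p * q) == m % (p * q)


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - qt * x1
        y0, y1 = y1, y0 - qt * y1
    return a, x0, y0


def modinv(e, phi):
    """e**-1 mod phi as the least nonnegative residue (the note's d)."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not relatively prime to phi")
    return x % phi


def rsa_keygen(p, q, e):
    """Textbook RSA: returns ((n, e), d) from distinct primes p, q."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    return (p * q, e), modinv(e, phi)


def encrypt(m, public):
    """m -> m**e % n, for a block 0 <= m < n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("block must be an integer below n")
    return pow(m, e, n)


def decrypt(c, n, d):
    """c -> c**d % n, which the third corollary shows equals m."""
    return pow(c, d, n)


def encrypt_message(data, public):
    """Encrypt a byte string one byte per block (needs n > 255).
    Deterministic: equal bytes give equal ciphertext blocks."""
    if public[0] <= 255:
        raise ValueError("modulus too small for one-byte blocks")
    return [encrypt(b, public) for b in data]


def decrypt_message(blocks, n, d):
    """Inverse of encrypt_message: decrypt each block back to a byte."""
    return bytes(decrypt(c, n, d) for c in blocks)


if __name__ == "__main__":
    print("7*b_i permutes b_i mod 10, 7^phi(10) mod 10:", permutation_check(7, 10))
    print("corollary 3 with 5 | m (m=10, k=25, p=5, q=7):", corollary3_holds(10, 25, 5, 7))
    print("corollary 3 with p = q = 3, m = 3, k = 5:", corollary3_holds(3, 5, 3, 3))
    public, d = rsa_keygen(61, 53, 17)   # constructed toy primes and exponent
    print("public key:", public, "private exponent:", d)
    blocks = encrypt_message(b"attack at dawn", public)   # constructed message
    print("ciphertext blocks:", blocks)
    print("recovered:", decrypt_message(blocks, public[0], d))
```

Running it shows the repeated bytes of the sample message producing identical ciphertext blocks, which is the deterministic-encryption weakness of the raw scheme, and `corollary3_holds(3, 5, 3, 3)` returning `False`, which is why the primes must be distinct.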
