Lecture-04 Euler Fermat

This document discusses number theory concepts like the totient function and Euler's theorem and their applications in cryptography, including how they can be used for public-key encryption and the Diffie-Hellman key exchange protocol.

Fermat and Euler’s Theorems

Definition: A reduced set of residues (RSR) modulo m is a set of integers R so that every integer relatively prime to m is congruent to exactly one integer in R.

Fact. a ≡ b (mod m) implies gcd(a, m) = gcd(b, m).

Fact. All RSR’s modulo m have the same size.

Definition: φ(m) is the size of a RSR modulo m. φ is called the Euler Phi or totient function.

The standard CSR (complete set of residues) modulo m is {0, . . . , m − 1}.

The standard RSR modulo m is {1 ≤ r ≤ m; gcd(r, m) = 1}.

Example: φ(12) = 4 because {1, 5, 7, 11} is the standard RSR modulo 12.
Fact. φ is multiplicative, that is, φ(ab) = φ(a)φ(b) whenever gcd(a, b) = 1.

Some special formulas for φ: Let p be prime. Then

φ(p) = p − 1,

φ(p^α) = p^α − p^(α−1),

φ(n) = n ∏_{p|n} (1 − 1/p).

When p ≠ q are primes, we have

φ(pq) = (p − 1)(q − 1).

Proof: Begin with the CSR {0, 1, . . . , pq − 1}. Delete all q multiples of p. Delete all p multiples of q. 0 was deleted twice, so add 1 back. We get φ(pq) = pq − p − q + 1 = (p − 1)(q − 1).
Fermat’s “Little” Theorem

Theorem. Let p be prime and a be an integer which is not a multiple of p. Then

a^(p−1) ≡ 1 (mod p).

Proof: Since gcd(a, p) = 1, the set {ai mod p; i = 1, . . . , p − 1} is the same as the set {1, . . . , p − 1}. Therefore,

a^(p−1) ∏_{i=1}^{p−1} i = ∏_{i=1}^{p−1} (ai) ≡ ∏_{i=1}^{p−1} i (mod p).

Since gcd(∏_{i=1}^{p−1} i, p) = 1, we can cancel and get a^(p−1) ≡ 1 (mod p).

Example. 97 is prime and 2 is not a multiple of 97, so 2^96 ≡ 1 (mod 97).
Euler’s Theorem

Theorem. Let m > 1 and gcd(a, m) = 1. Then

a^φ(m) ≡ 1 (mod m).

Proof: Let {r_1, . . . , r_φ(m)} be a RSR modulo m. Then {ar_1, . . . , ar_φ(m)} is a RSR modulo m, too. Therefore, for all i, there is a unique j so that r_i ≡ ar_j (mod m). Then

a^φ(m) ∏_{i=1}^{φ(m)} r_i = ∏_{i=1}^{φ(m)} (ar_i) ≡ ∏_{i=1}^{φ(m)} r_i (mod m).

Since gcd(∏_{i=1}^{φ(m)} r_i, m) = 1, we can cancel and get a^φ(m) ≡ 1 (mod m).
Example. Let m = 13 × 23 = 299, where 13 and 23 are primes. Then

φ(m) = φ(299) = (13 − 1)(23 − 1) = 12 × 22 = 264.

Note that gcd(5, 299) = 1. Euler’s Theorem says 5^264 ≡ 1 (mod 299), that is, 299 | (5^264 − 1).
Example of the use of Euler’s theorem.

Find the two low-order decimal digits of 33862513^119442.

First, 33862513 ≡ 13 (mod 100), so the answer is the same as the two low-order decimal digits of 13^119442 (because (100k + 13)^n ≡ 13^n (mod 100) and the two low-order decimal digits of m are m mod 100).

Second,

φ(100) = φ(2^2)φ(5^2) = 2(2 − 1) · 5(5 − 1) = 40.

Now 119442 ≡ 2 (mod 40) and gcd(13, 100) = 1, so by Euler, 13^119442 ≡ 13^2 (mod 100).

Finally, 33862513^119442 ≡ 13^119442 ≡ 13^2 = 169 ≡ 69 (mod 100), and the two low-order decimal digits of 33862513^119442 are 69.
A Corollary of Euler’s Theorem

Here is an alternate way to compute the multiplicative inverse a^(−1) of a modulo m: Recall that a^(−1) is the residue class mod m such that a^(−1)·a ≡ a·a^(−1) ≡ 1 (mod m). It is defined only when gcd(a, m) = 1. In that situation we have a^φ(m) ≡ 1 (mod m) by Euler’s Theorem.

Factoring out one a gives

a · a^(φ(m)−1) ≡ 1 (mod m),

whence a^(−1) ≡ a^(φ(m)−1) (mod m). For a prime modulus p we have a^(−1) ≡ a^(p−2) (mod p).

For large m, computing a^(−1) mod m by this formula requires roughly the same number of bit operations as computing a^(−1) mod m by the Extended Euclidean Algorithm. (The latter must be used if one does not know φ(m).)
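The exponent reduction of the 33862513^119442 example and the inverse corollary above, as an added Python example that is not part of the lecture notes: phi() implements the product formula from the φ slide, pow_mod_reduced() reduces the exponent modulo φ(m) and falls back to plain exponentiation when the base is not coprime to m, and the two inverse routines compare a^(φ(m)−1) with the Extended Euclidean Algorithm. Function names and the trial-division factoring are my own assumptions.

```python
from math import gcd


def phi(n: int) -> int:
    """Euler's totient via the product formula phi(n) = n * prod(1 - 1/p),
    with the prime factors p of n found by trial division (small n only)."""
    result, p, rest = n, 2, n
    while p * p <= rest:
        if rest % p == 0:
            while rest % p == 0:
                rest //= p
            result -= result // p          # multiply result by (1 - 1/p)
        p += 1
    if rest > 1:                           # one prime factor left over
        result -= result // rest
    return result


def pow_mod_reduced(base: int, exp: int, m: int) -> int:
    """base^exp mod m, first reducing exp modulo phi(m) as on the slide.
    Euler's theorem needs gcd(base, m) = 1, so fall back to plain pow() otherwise."""
    if gcd(base, m) != 1:
        return pow(base, exp, m)
    return pow(base % m, exp % phi(m), m)


def inverse_euler(a: int, m: int) -> int:
    """a^-1 mod m computed as a^(phi(m) - 1) mod m; needs phi(m)."""
    if gcd(a, m) != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return pow(a, phi(m) - 1, m)


def inverse_euclid(a: int, m: int) -> int:
    """a^-1 mod m by the Extended Euclidean Algorithm; no phi(m) needed."""
    old_r, r, old_s, s = a % m, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return old_s % m


if __name__ == "__main__":
    print(phi(100), pow_mod_reduced(33862513, 119442, 100))   # 40 69
    print(inverse_euler(5, 299), inverse_euclid(5, 299))       # 60 60
```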
How to compute a^n mod m swiftly

Here is an algorithm for computing a^n mod m in O(log2 n) multiplications (the slide’s pseudocode, written here as a runnable Python function):

def power(a, n, m):
    """Return a**n mod m by repeated squaring; n is a non-negative integer."""
    e = n
    y = 1 % m
    z = a % m
    while True:
        if e % 2 == 1:          # e is odd: fold the current square into y
            y = (y * z) % m
        if e <= 1:
            return y
        z = (z * z) % m         # square for the next bit of e
        e = e // 2
Finding large primes

Fermat’s Little Theorem says that if p is prime and p does not divide a, then a^(p−1) ≡ 1 (mod p).

This theorem gives a test for compositeness: If p is odd and p does not divide a and a^(p−1) ≢ 1 (mod p), then p is not prime.

If the converse of Fermat’s theorem were true, it would give a fast test for primality. The converse would say, if p is odd and p does not divide a and a^(p−1) ≡ 1 (mod p), then p is prime.

Unfortunately, this converse is not a true statement, although it is true for most p and most a. Consider p = 341 = 11 × 31 and a = 2. We have 2^340 ≡ 1 (mod 341).

The test, “Is 2^(m−1) ≡ 1 (mod m)?” is widely used as a test for primality of very large odd numbers m, as the probability that it fails is incredibly small.
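An added Python example, not from the lecture notes, of the Fermat compositeness test described above, run on the slide’s own numbers 97 and 341 = 11 × 31; it shows that 341 passes to base 2 but is exposed by other bases, which is why the test is repeated with several bases in practice. Function names and the default base list are my assumptions.

```python
def fermat_test(p: int, a: int) -> bool:
    """True if a^(p-1) == 1 (mod p), i.e. p passes the Fermat test to base a.
    False proves p composite; True only says "probably prime" (see 341 below)."""
    if p < 3 or p % 2 == 0 or a % p == 0:
        raise ValueError("need odd p > 2 and a base a not divisible by p")
    return pow(a, p - 1, p) == 1


def fermat_witnesses(p: int, bases) -> list:
    """Bases that expose p as composite; bases that are multiples of p are skipped."""
    return [a for a in bases if a % p != 0 and not fermat_test(p, a)]


def is_probable_prime(m: int, bases=(2, 3, 5, 7, 11, 13)) -> bool:
    """Odd m passes the Fermat test to every base; small m are answered directly."""
    if m < 2:
        return False
    if m in bases:
        return True
    if m % 2 == 0:
        return False
    return not fermat_witnesses(m, bases)


if __name__ == "__main__":
    print(fermat_test(97, 2))                    # True: 2^96 == 1 (mod 97)
    print(fermat_test(341, 2))                   # True, although 341 = 11 * 31
    print(fermat_witnesses(341, range(2, 11)))   # [3, 5, 6, 7, 9, 10]
    print(is_probable_prime(341))                # False: base 3 catches it
```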
Now we will see some applications of number theory to cryptography.

A cipher is a way of converting ordinary text M, called plaintext, into meaningless symbols C, called ciphertext, and converting it back to plaintext under the control of a key K.

Here M and C are strings of letters or bits, and K is a number or a bit string.

The conversion of plaintext to ciphertext is called encryption and is written C = E_K(M).

The conversion of ciphertext back to plaintext is called decryption and is written M = D_K(C).

A basic property of ciphers is that D_K(E_K(M)) = M for every M.

Another important property of ciphers is that if you know C, but not M or K, then it should be hard to find M or K.

The ciphers just described are the one-key or symmetric ciphers. They use the same key to decipher as to encipher. Until the 1970s, all known ciphers were of this type.

The Caesar rotate-the-alphabet cipher is a simple one-key cipher. The key K is the amount of rotation of the alphabet.

Modern one-key ciphers usually use bit operations, like shift and xor, to achieve high speed for the enciphering and deciphering algorithms.

Some modern one-key ciphers are the Data Encryption Standard, DES, and the Advanced Encryption Standard, AES.

Around 1980, two-key or asymmetric ciphers were invented.

They use different, but related, keys for enciphering and deciphering: C = E_K1(M) and M = D_K2(C).

Of course, if K1 and K2 are the correct keys, then M = D_K2(E_K1(M)) for every M.

The remarkable property of two-key ciphers is that if you know the enciphering key K1, then you cannot easily find the deciphering key K2. In fact, K1 and the enciphering algorithm E are made public. Hence asymmetric ciphers are also called public-key ciphers.

Most public-key ciphers use arithmetic with large numbers and their algorithms are slow compared to those of one-key ciphers.

RSA (Rivest-Shamir-Adleman) and ElGamal are examples of public-key ciphers.

Here is a typical use of a public-key cipher.

Suppose Alice wants to email a long secret letter M to Bob. If the two have previously agreed on a secret AES key, Alice would just encipher M using AES with that key and send the ciphertext to Bob.

But if Alice and Bob did not share a secret AES key, then Alice could choose a random AES key K, encipher M using AES and K, and send the ciphertext C to Bob. She would then find Bob’s public enciphering key K1 from Bob’s web page, say, and send C1 = E_K1(K) to Bob.

Bob would decipher C1 with D_K2(C1) = K, where K2 is Bob’s secret deciphering key. Then Bob would use AES and K to decipher C.

Note that it does not matter that the public-key cipher is slow because it is used only to transmit the very short message K and not the long message M.
The first application is not a cipher but rather a way for Alice and Bob to choose a common AES key. It uses fast exponentiation and congruences, but not Euler’s theorem.

Diffie-Hellman key-exchange protocol

This protocol allows two users to choose a common secret key, for DES or AES, say, while communicating over an insecure channel (with eavesdroppers).

The two users agree on a common large prime p and a constant value a, which may be publicly known and available to everyone. It is best if the smallest exponent e > 0 for which a^e ≡ 1 (mod p) is e = p − 1, but the protocol will work if e < p − 1 provided e is still large.

Alice secretly chooses a random xA in 0 < xA < p − 1 and computes yA = a^xA mod p.
Bob secretly chooses a random xB in 0 < xB < p − 1 and computes yB = a^xB mod p.

Alice sends yA to Bob. Bob sends yB to Alice.

An eavesdropper, knowing p and a, and seeing yA and yB, cannot compute xA or xB from this data unless he can solve the Discrete Logarithm Problem quickly. (See below.)

Alice computes KA = yB^xA mod p.

Bob computes KB = yA^xB mod p.

Then

KA ≡ a^(xA·xB) ≡ KB (mod p)

and 0 < KA, KB < p, so KA = KB.

Alice and Bob choose certain agreed-upon bits from KA to use as their key for a single-key cipher like DES or AES.

Although this protocol provides secure communication between Alice and whoever is at the other end of the communication line, it does not prove that Bob is the other party. To guarantee that Bob is at the other end, they would have to use a signature system like RSA.
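An added Python example, not from the lecture notes, of the exchange just described, with a constructed toy prime p = 97 and a = 5 and a check that a has the full order p − 1 the slide recommends; the fixed secret exponents stand in for the random choices, and all function names are my assumptions.

```python
def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division (small n only)."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors


def has_full_order(a: int, p: int) -> bool:
    """True iff the smallest e > 0 with a^e == 1 (mod p) is e = p - 1, which
    holds exactly when a^((p-1)/q) != 1 (mod p) for every prime q | p - 1."""
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def dh_public(a: int, x: int, p: int) -> int:
    """The value a party sends over the channel: y = a^x mod p."""
    return pow(a, x, p)


def dh_shared(y_other: int, x: int, p: int) -> int:
    """The key a party derives from the other side's y: K = y_other^x mod p."""
    return pow(y_other, x, p)


def run_exchange(p: int, a: int, x_alice: int, x_bob: int) -> tuple:
    """Both sides of the protocol; returns (yA, yB, KA, KB).
    Only yA and yB are transmitted; x_alice and x_bob never leave their owners."""
    if not (0 < x_alice < p - 1 and 0 < x_bob < p - 1):
        raise ValueError("secret exponents must satisfy 0 < x < p - 1")
    y_alice = dh_public(a, x_alice, p)       # Alice -> Bob
    y_bob = dh_public(a, x_bob, p)           # Bob -> Alice
    k_alice = dh_shared(y_bob, x_alice, p)   # KA = yB^xA mod p
    k_bob = dh_shared(y_alice, x_bob, p)     # KB = yA^xB mod p
    return y_alice, y_bob, k_alice, k_bob


if __name__ == "__main__":
    p, a = 97, 5                             # constructed toy parameters
    print(has_full_order(a, p))              # True: 5 has order 96 mod 97
    # constructed secrets; a real run draws them with secrets.randbelow(p - 2) + 1
    print(run_exchange(p, a, x_alice=36, x_bob=58))   # (50, 44, 75, 75)
```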
Discrete Logarithms

The Diffie-Hellman key exchange and several other crypto algorithms could all be broken if we could compute discrete logarithms quickly, that is, if we could easily solve the exponential congruence a^x ≡ b (mod p).

By analogy to ordinary logarithms, we may write x = log_a b when p is understood from the context. These discrete logarithms enjoy many properties of ordinary logarithms, such as log_a bc = log_a b + log_a c, except that the arithmetic with logarithms must be done modulo p − 1 because a^(p−1) ≡ 1 (mod p).
The RSA public-key cipher

Rivest-Shamir-Adleman. Let n = pq be the product of two large primes. Then φ(n) = φ(pq) = (p − 1)(q − 1). Choose a random e in 1 < e < n − 1 with gcd(e, φ(n)) = 1. Use Extended Euclid to compute d = e^(−1) mod φ(n), so that ed ≡ 1 (mod (p − 1)(q − 1)).

Encode plaintext as (blocks) 0 ≤ M < n.

Encipher M as C = E(M) = M^e mod n.
Decipher C as M = D(C) = C^d mod n.

This works, that is, D(E(M)) = M for all M in 0 ≤ M < n, provided that ed ≡ 1 (mod φ(n)). Write ed = 1 + kφ(n). Then D(E(M)) ≡ (M^e)^d = M^ed = M^(1+kφ(n)) = M · (M^φ(n))^k ≡ M (mod n), since M^φ(n) ≡ 1 (mod n) by Euler’s Theorem. (The Euler step uses gcd(M, n) = 1; for the few blocks M sharing a factor with n the congruence still holds, as one sees by checking it modulo p and modulo q separately.)

Each user of RSA has her own set of keys: Make n and e public, but keep d secret. The factors p and q are not needed after e and d are computed, but in any case should not be revealed.

If many users wish to communicate securely in pairs, then RSA requires fewer total keys to be stored than DES or AES.

Cryptanalysis: Since n is public and one can easily compute d from e and the factors of n, a direct approach to breaking RSA is to factor n. Using the best currently-known methods, this is about as hard as solving the Discrete Logarithm Problem with the same sized modulus. For a modulus n of 400 decimal digits, this is too hard for current algorithms and computers.
Pohlig-Hellman cipher

This is NOT a public-key cipher.

Let n = p = prime. Then φ(p) = p − 1 and ed ≡ 1 (mod p − 1).

Keep all of p, e, d secret. All three are the “key”. There is just one user or one pair of users.

Encode plaintext as (blocks) 0 ≤ M < p.

Encipher M as C = E(M) = M^e mod p.
Decipher C as M = D(C) = C^d mod p.

This works, that is, D(E(M)) = M for all M in 0 ≤ M < p, provided that ed ≡ 1 (mod φ(p)). Write ed = 1 + kφ(p). Then D(E(M)) ≡ (M^e)^d = M^ed = M^(1+kφ(p)) = M · (M^φ(p))^k ≡ M (mod p), since M^φ(p) ≡ 1 (mod p) by Euler’s Theorem.
RSA Signatures

RSA has no direct authentication: Anyone can send any message to you and claim it came from anyone. However, one can sign RSA messages as follows:

Suppose both Alice and Bob have complete RSA public-key ciphers, with different primes, moduli, and exponents. Write E_A(M) = M^eA mod nA and D_A(C) = C^dA mod nA for Alice’s RSA enciphering and deciphering functions, where nA is the product of Alice’s two secret primes and eA and dA are Alice’s enciphering and deciphering exponents. Likewise define Bob’s enciphering function E_B(·) and his deciphering function D_B(·).

Suppose nA < nB. Then Alice can sign (and encipher) a message M to Bob by sending C = E_B(D_A(M)) to Bob. Bob can decipher C by applying D_B to it (to get D_A(M)) and then check the signature by applying E_A to the latter.

In case nA > nB, Alice can sign (and encipher) a message M to Bob by sending C = D_A(E_B(M)) to Bob. Bob checks it by applying E_A to C and then D_B to the result.

In both cases, Bob and only Bob knows D_B(·), so only Bob can do that part of the calculation. Bob obtains Alice’s enciphering function E_A(·) from a public directory.
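An added Python example, not from the lecture notes, of textbook RSA as defined on the RSA slide, followed by Alice’s sign-and-encipher C = E_B(D_A(M)) for the case nA < nB and Bob’s D_B-then-E_A check. The primes 61, 53, 101, 113 and the exponents are constructed toy values, and the function names are my assumptions.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Return ((n, e), d) with n = pq and d = e^-1 mod phi(n), phi(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)       # Extended Euclid; built into pow() since Python 3.8
    return (n, e), d


def encipher(m: int, pub: tuple) -> int:
    """E(M) = M^e mod n for a block 0 <= M < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("block must satisfy 0 <= M < n")
    return pow(m, e, n)


def decipher(c: int, d: int, n: int) -> int:
    """D(C) = C^d mod n."""
    return pow(c, d, n)


def sign_and_encipher(m: int, alice_priv: int, alice_pub: tuple, bob_pub: tuple) -> int:
    """C = E_B(D_A(M)); needs nA < nB so that D_A(M) < nA is a valid block mod nB."""
    nA = alice_pub[0]
    if nA >= bob_pub[0]:
        raise ValueError("this order of operations requires nA < nB")
    return encipher(decipher(m, alice_priv, nA), bob_pub)


def decipher_and_verify(c: int, bob_priv: int, bob_pub: tuple, alice_pub: tuple) -> int:
    """Bob applies D_B then E_A; the result equals M only if D_A was applied by Alice."""
    signed = decipher(c, bob_priv, bob_pub[0])
    return encipher(signed, alice_pub)


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keygen(61, 53, 17)    # nA = 3233, dA = 2753
    bob_pub, bob_priv = rsa_keygen(101, 113, 3)       # nB = 11413 > nA
    m = 1234                                          # e.g. a short session key K
    c = sign_and_encipher(m, alice_priv, alice_pub, bob_pub)
    print(decipher_and_verify(c, bob_priv, bob_pub, alice_pub) == m)   # True
```

Textbook RSA on a bare integer, as on the slide, has no padding; a deployed system adds a padding scheme and signs a hash of M rather than M itself.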
Discrete Logarithms

The Diffie-Hellman key exchange, the ElGamal public key cryptosystem, the Pohlig-Hellman private key cryptosystem and the Digital Signature Algorithm could all be broken if we could compute discrete logarithms quickly, that is, if we could solve the exponential congruence a^x ≡ b (mod p) easily.

By analogy to ordinary logarithms, we may write x = log_a b when p is understood from the context. These discrete logarithms enjoy many properties of ordinary logarithms, such as log_a bc = log_a b + log_a c, except that the arithmetic with logarithms must be done modulo p − 1 because a^(p−1) ≡ 1 (mod p).

Neglecting powers of log p, the congruence may be solved in O(p) time and O(1) space by raising a to successive powers modulo p and comparing each with b.

It may also be solved in O(1) time and O(p) space by looking up x in a precomputed table of pairs (x, a^x mod p) sorted by the second coordinate.
Shanks’ “giant step–baby step” algorithm is a meet-in-the-middle method which solves the congruence in O(√p) time and O(√p) space as follows.

Let m = ⌈√(p − 1)⌉.

Compute and sort the m ordered pairs (j, a^(mj) mod p), for j from 0 to m − 1, by the second coordinate.

Compute and sort the m ordered pairs (i, b·a^(−i) mod p), for i from 0 to m − 1, by the second coordinate.

Find a pair (j, y) in the first list and a pair (i, y) in the second list.

This search will succeed because every integer between 0 and p − 1 can be written as a two-digit number ji in radix m.

Finally, x = mj + i mod (p − 1).

Example: Solve 5^x ≡ 44 (mod 97).

We have p = 97, m = ⌈√(97 − 1)⌉ = 10, a = 5, b = 44. Then a^m ≡ 5^10 ≡ 53 (mod 97) and a^(−1) ≡ a^95 ≡ 39 (mod 97).

  j   a^(mj) mod p = 53^j mod 97      i   b·a^(−i) mod p = 44·39^i mod 97
  0     1                               0    44
  1    53                               1    67
  2    93                               2    91
  3    79                               3    57
  4    16                               4    89
  5    72                               5    76
  6    33                               6    54
  7     3                               7    69
  8    62                               8    72
  9    85                               9    92

Note that 72 is in the second and fourth columns, so 5^50 ≡ 53^5 ≡ 72 ≡ 44·39^8 ≡ 44·5^(−8) (mod 97). This shows that x = 5 · 10 + 8 = 58.
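An added Python example, not from the lecture notes, of Shanks’ giant step–baby step algorithm as described above, checked against the slide’s example 5^x ≡ 44 (mod 97); the function name and the use of a dictionary in place of the two sorted lists are my choices, and p is assumed prime so that a^(−1) ≡ a^(p−2).

```python
from math import isqrt


def baby_step_giant_step(a: int, b: int, p: int):
    """Return x with a^x == b (mod p), or None if b is not a power of a.
    Time and space are both O(sqrt(p)); p is assumed prime and a != 0 mod p."""
    if p < 2 or a % p == 0:
        raise ValueError("need a prime p and a base a not divisible by p")
    a, b = a % p, b % p
    m = isqrt(p - 1)
    if m * m < p - 1:                   # m = ceil(sqrt(p - 1)) as on the slide
        m += 1
    # giant steps: y = a^(m*j) mod p for j = 0 .. m-1, keyed by y
    a_m = pow(a, m, p)
    giant = {}
    y = 1
    for j in range(m):
        giant.setdefault(y, j)          # keep the smallest j for each y
        y = (y * a_m) % p
    # baby steps: y = b * a^(-i) mod p for i = 0 .. m-1, matched against giant
    a_inv = pow(a, p - 2, p)            # a^-1 == a^(p-2) (mod p) by Fermat
    y = b
    for i in range(m):
        if y in giant:
            return (m * giant[y] + i) % (p - 1)
        y = (y * a_inv) % p
    return None                         # no j, i with a^(mj) == b * a^(-i)


if __name__ == "__main__":
    x = baby_step_giant_step(5, 44, 97)
    print(x, pow(5, x, 97))             # 58 44
```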
