fermat’slittletheorem.rsa. · fermat’slittle theorem thechinese remaindertheorem rsa p.13...

Fermat’s little theorem. RSA.

Fermat’s littletheorem

The Chineseremainder theorem

RSA

p. 2

Computing large numbers modulo n

(a) In modulo arithmetic, you can always reduce a large numberto its remainder

a ≡ a rem n (mod n).

(b) Addition, subtraction, and multiplication preserve congruence:

if a ≡ b (mod n) and c ≡ d (mod n), then

a+ c ≡ b+ d (mod n),a− c ≡ b− d (mod n), and

ac ≡ bd (mod n).

(c) Instead of a congruence relation, you can work with the equal-ity of the remainders

a ≡ b (mod n) if and only if a rem n= b rem n



RSA

p. 3

Example

Find x such that (258 + 132 + 15)≡ x (mod 21).

In fact, we need to compute the remainder (258+132+15) rem 21:

252 ≡ 625≡ 16 (mod 21)

254 ≡ (252)2 ≡ 162 ≡ 256≡ 4 (mod 21)

258 ≡ (254)2 ≡ 42 ≡ 16 (mod 21)

132 ≡ 169≡ 1 (mod 21)

258 + 132 + 15≡ 16+ 1+ 15≡ 32≡ 11 (mod 21)

Also we can say that

(258 + 132 + 15) rem 21= 11.



RSA

p. 4

Example

Compute x = 12135 rem 137.



RSA

p. 5

Example

Compute x = 12135 rem 137.

122 ≡ 144≡ 7 (mod 137)

124 ≡ (122)2 ≡ 72 ≡ 49 (mod 137)

128 ≡ (124)2 ≡ 492 ≡ 2401≡ 72 (mod 137)

1216 ≡ (128)2 ≡ 722 ≡ 5184≡ 115 (mod 137)

1232 ≡ (1216)2 ≡ 1152 ≡ 13225≡ 73 (mod 137)

1264 ≡ (1232)2 ≡ 732 ≡ 5329≡ 123 (mod 137)

12128 ≡ (1264)2 ≡ 1232 ≡ 15129≡ 59 (mod 137)

12135 ≡ 12128 · 124 · 122 · 12≡ 59 · 49 · 7 · 12≡ 242844≡ 80 (mod 137)



RSA

p. 6

Lemma 1

Lemma. Let p be a prime. If k is not a multiple of p, then if

ak ≡ bk (mod p)

thena ≡ b (mod p)

Proof.p | (ak− bk)

p | k(a− b)

By the lemma we proved in the previous lecture, p | k or p | (a− b).Since p - k, we conclude that p | (a− b), or equivalently,

a ≡ b (mod p).



RSA

p. 7

Observation

x 5 6 7 8 9 10 11 12 13 14 15 16

x rem 7 5 6 0 1 2 3 4 5 6 0 1 2

When computing remainders of the division by p for a sequence ofconsecutive integers, we get all numbers from 0 to p− 1.

Can we come up with other ways for producing these numbers?



RSA

p. 8

Observation

For example, we take every second integer: 2, 4, 6, 8, . . .

x 1 2 3 4 5 6 7 8 9 10 11 12 13 14

x rem 7 2 4 6 1 3 5 0

We generate the same numbers, even though they are permuted.

Can we try another sequence: 3, 6, 9, 12, 15, . . . right?

Yes, we can, but we can prove a more general result.



RSA

p. 9

Lemma 2

Lemma. Let p be a prime. If k is not a multiple of p, the sequence

k rem p, 2k rem p, 3k rem p, . . . (p− 1)k rem p

is a permuation of1, 2, 3, . . . p− 1.

Proof. All remainders are in the interval between 1 and p− 1.Let’s prove by contradiction that all of them are different.Assume that exist two distinct integers 1≤ i 6= j ≤ p− 1 such that

ik rem p = jk rem p

ik ≡ jk (mod p)

By Lemma 1, i ≡ j (mod p), and so i = j, because both are integersbetween 1 and p − 1. Therefore, all remainders are different, andthis proves the lemma.



RSA

p. 10

Examples

k = 2 and p = 5:

2 rem 5= 24 rem 5= 46 rem 5= 18 rem 5= 3

k = 12 and p = 7:

12 rem 7= 524 rem 7= 336 rem 7= 148 rem 7= 660 rem 7= 472 rem 7= 2



RSA

p. 11

Fermat’s little theorem

Theorem. Let p be a prime. If k is not a multiple of p (i.e. p - k)then

kp−1 ≡ 1 (mod p)

Proof.

1·2·3 · · · (p−1) = (k rem p︸︷︷︸

≡k (mod p)

)(2k rem p︸︷︷︸

≡2k (mod p)

)·(3k rem p︸︷︷︸

...

) · · · ((p−1)k rem p)

1 · 2 · 3 · · · (p− 1)≡ k · 2k · 3k · · · (p− 1)k (mod p)

≡ 1 · 2 · 3 · · · (p− 1) · kp−1 (mod p).

1≡ kp−1 (mod p). (by Lemma 1)



RSA

p. 12


Theorem. Let p be a prime. If k is not a multiple of p then

kp−1 ≡ 1 (mod p)

Using this theorem, we can find an inverse, x ,

kx ≡ 1 (mod p).

How can we do that?If k is not a multiple of p and p is a prime than kp−2 is an inverse!

k · kp−2 = kp−1 ≡ 1 (mod p)

Because we need an inverse modulo p, the remainder (kp−2 rem p)is an inverse too.

Notice the difference with the Extended Euclid’s algorithm that canbe used for computing an inverse even when p is not a prime.



RSA

p. 13


Compute an inverse of 12 modulo 137, that is find x such that

12x ≡ 1 (mod 137)

137 is a prime, so we apply the theorem,

12 · 12137−2 ≡ 1 (mod 137).

The inverse isx = 12137−2 = 12135.

Or, in fact, just the remainder 12135 rem 137 is also the inverse, andwe have computed it already: 12135 rem 137= 80. Let’s check:

12 · 80≡ 960≡ 1 (mod 137)

Thus 80 is a multiplicative inverse, indeed.



RSA

p. 14



kp−1 ≡ 1 (mod p)

Find x such that12274 ≡ x (mod 137).

By Fermat’s little theorem, 12136 ≡ 1 (mod 137), so



RSA

p. 15



kp−1 ≡ 1 (mod p)

Find x such that12274 ≡ x (mod 137).


12274 ≡ 12136 · 12136 · 122 ≡ 1 · 1 · 122 ≡ 144≡ 13 (mod 137)



RSA

p. 16


Find x such that

201540321 ≡ x (mod 2017).




RSA

p. 17


Find x such that

201540321 ≡ x (mod 2017).


201540321 ≡ 20152016·20·2015≡ 120·2015≡ 2015≡ −2 (mod 2017)



RSA

p. 18

The Chinese remainder theorem

Theorem (Chinese remainder). Let n1 , n2 , . . . , nk be pairwiserelatively prime positive integers greater than one and a1, a2 , . . . ,an arbitrary integers. Then the system

x ≡ a1 (mod n1),x ≡ a2 (mod n2),

. . .

x ≡ ak (mod nk)

has a unique solution modulo n= n1 · n2 · · ·nk.

(That is, there is a solution x with 0≤ x < n, and all other solutionsare congruent modulo n to this solution.)



RSA

p. 19

RSA cryptosystem

RSA is a public key cryptosystem introduced by Ronald Rivest, AdiShamir, and Leonard Adleman.

Constructing a publuc key:

1. You pick two large primes p and q. (How large? In practice, iftheir decimal representations are more than 200 digits long,they are large enough).

2. Let n= pq.

3. You pick an integer e such that gcd�

e, (p− 1)(q− 1)�

= 1.

The public key is a pair (n, e).



RSA

p. 20

RSA encryption

You are given the public key (n, e), such that n= pq, andgcd

�

e, (p− 1)(q− 1)�

= 1. Where p and q are unknown primes.

1. You break the message (a long string of digits) into blocks sothat each is less than n

Message= 17519273︸︷︷︸

M1<n

40137520︸︷︷︸

M2<n

43028230︸︷︷︸

M3<n

14459489︸︷︷︸

M4<n

2. Each block is encrypted separately:

Ci = M ei rem n

3. The encrypted blocks can be transmitted to the receiver.



RSA

p. 21

RSA decryption

The decryption key is an integer d such that

ed ≡ 1 (mod (p− 1)(q− 1))

So, d is the multiplicative inverse of e modulo (p− 1)(q− 1).If p and q are unknown, it’s hard to compute d.

To decrypt each encrypted block Ci, you compute C di rem n.

Turns out that the original message

Mi = C di rem n.

Let’s show that this is the case.



RSA

p. 22

RSA decryption

The decryption key d is such that ed ≡ 1 (mod (p− 1)(q− 1))

ed = 1+ k(p− 1)(q− 1)

Ci ≡ M ei (mod pq)

C di ≡ (M

ei )

d ≡ M1+k(p−1)(q−1)i (mod pq)

≡ Mi ·Mk(p−1)(q−1)i (mod pq)

If a ≡ b (mod pq), there exists t s.t. a− b = t pq, and so

a ≡ b (mod q) and a ≡ b (mod p).

Therefore,

C di ≡ Mi ·M

k(p−1)(q−1)i (mod p)

C di ≡ Mi ·M

k(p−1)(q−1)i (mod q)



RSA

p. 23

RSA decryption

Take the first:

C di ≡ Mi · (M

p−1i )k(q−1) (mod p)

If p | Mi, then Mi ≡ 0 (mod p). This means C di ≡ 0 (mod p).

Hence,C d

i ≡ 0≡ Mi (mod p)

If p - Mi, then M p−1i ≡ 1 (mod p) by Fermat’s little theorem, hence

C di ≡ Mi · 1k(q−1) ≡ Mi (mod p)

Therefore in any case,

C di ≡ Mi (mod p)

Similarly,C d

i ≡ Mi (mod q)



RSA

p. 24

RSA decryption

We have shown that

C di ≡ Mi (mod p)

C di ≡ Mi (mod q)

Recall that we want to prove that

C di ≡ Mi (mod pq)

If this is the case, then we can decrypt Ci by taking the remainderC d

i rem pq.

C di − Mi is a multiple of p and a multiple of q, which are primes.

But because the prime factorization is unique, the difference C di −Mi

should be also a multiple of pq. Thus


This is why RSA decryption works!



RSA

p. 25

RSA decryption

We have shown that

C di ≡ Mi (mod p)

C di ≡ Mi (mod q)

Recall that we want to prove that


If this is the case, then we can decrypt Ci by taking the remainderC d

i rem pq.

C di −Mi is a multiple of p and a multiple of q, which are primes. But

because the prime factorization is unique, the difference C di − Mi

should be also a multiple of pq. Thus


This is why RSA decryption works!

fermat’slittletheorem.rsa. · fermat’slittle theorem thechinese remaindertheorem rsa p.13...

Documents