
RSA and Fermat

Fermat's Little Theorem:

Theorem 1 If the prime integer $p$ doesn't divide the integer $a$, then
$$a^{p-1} \equiv 1 \pmod p.$$
Moreover, for any integer $a$,
$$a^{p} \equiv a \pmod p.$$

This theorem shows that the decryption scheme for RSA recovers the original message:
$$(M^e)^d = M \text{ in } \mathbb{Z}_n \text{ for every } M < n. \qquad \text{(F)}$$
Look at an example:

Example 2 1447 and 3347 are primes.
$$p = 1447,\quad q = 3347,\quad n = pq = 4843109,$$
$$(p-1)(q-1) = 1446 \cdot 3346 = 4838316.$$
$\gcd(2663, 4838316) = 1$. Set
$$e = 2663.$$
$e$ has a multiplicative inverse mod $4838316$. In fact (MAPLE computations)
$$2663 \cdot 4811063 \equiv 1 \pmod{4838316}.$$
Set
$$d = 4811063.$$
Encrypt the letter $M = 13$ via these RSA data:
$$M \to 13^{2663} \text{ in } \mathbb{Z}_{4843109} = 3202753.$$
So the letter $M$ is encrypted with these relatively small $p$ and $q$ to a 7 digit number (the same number of digits as $n$). Imagine how complicated a message would appear in the more realistic situation of a 200 digit $n$.
Decrypting: compute
$$3202753^{4811063}$$
and reduce mod $4843109$ to get back $13$.

Equation (F) follows from Fermat's Little Theorem.

Start with the primes $p$, $q$, and
$$n = pq, \qquad ed \equiv 1 \pmod{(p-1)(q-1)}.$$
A message $M < n$ is encrypted as
$$M^e \text{ in } \mathbb{Z}_n$$
and decrypted as
$$(M^e)^d \text{ in } \mathbb{Z}_n.$$
Why is $(M^e)^d = M$ in $\mathbb{Z}_n$?

Since $ed \equiv 1 \pmod{(p-1)(q-1)}$,
$$ed = 1 + \text{some multiple of } (p-1)(q-1) = 1 + k(p-1)(q-1) \text{ for some integer } k.$$
Calculate:
$$(M^e)^d = M^{ed} = M^{1 + k(p-1)(q-1)} = M \left(M^{(p-1)}\right)^{k(q-1)}.$$
If $p$ doesn't divide $M$ then Fermat's little theorem says $M^{(p-1)} = 1$ in $\mathbb{Z}_p$, so
$$\left(M^{(p-1)}\right)^{k(q-1)} = 1^{k(q-1)} = 1 \text{ in } \mathbb{Z}_p$$
and
$$M \left(M^{(p-1)}\right)^{k(q-1)} = M \cdot 1 = M \text{ in } \mathbb{Z}_p.$$
If $p$ does divide $M$ then $p$ also divides $(M^e)^d$, so
$$0 = M = (M^e)^d \text{ in } \mathbb{Z}_p.$$
In either case $M = (M^e)^d$ in $\mathbb{Z}_p$.
Exactly the same argument works for the prime $q$: $M = (M^e)^d$ in $\mathbb{Z}_q$. So
$$p \text{ divides } M^{ed} - M \quad \text{and} \quad q \text{ divides } M^{ed} - M.$$
$p$ and $q$ are different primes, so that $n = pq$ divides $M^{ed} - M$ and therefore
$$(M^e)^d = M \text{ in } \mathbb{Z}_n.$$
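The RSA computation of Example 2 and the check behind equation (F), as an added Python example (it is not part of the original notes). It recomputes $d$ from $e$ and $(p-1)(q-1)$ with Python's built-in modular inverse instead of MAPLE, encrypts and decrypts the letter $M = 13$, and verifies the decryption identity prime by prime the way the proof does, including the case the proof treats separately in which $p$ divides $M$ (the message $5p$ used for that check is a constructed input).

```python
# Added example (not part of the original notes): RSA with the numbers of
# Example 2, plus the Fermat / "p and q separately" argument behind (F).
# pow(base, exp, mod) is modular exponentiation; pow(e, -1, phi) is the
# inverse of e modulo phi (Python 3.8+), replacing the MAPLE computation.
from math import gcd


def rsa_keygen(p, q, e):
    """Return (n, phi, d) for the primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)            # (p-1)(q-1), as in the notes
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                # multiplicative inverse of e mod phi
    assert (e * d) % phi == 1
    return n, phi, d


def encrypt(M, e, n):
    return pow(M, e, n)


def decrypt(C, d, n):
    return pow(C, d, n)


def check_equation_f(M, e, d, p, q):
    """Check (M^e)^d = M in Z_n by the route of the proof: M^{ed} = M in
    Z_p and in Z_q, hence in Z_pq.  Works when p divides M as well."""
    n = p * q
    ed = e * d
    # ed = 1 + k(p-1)(q-1) for an integer k
    k, r = divmod(ed - 1, (p - 1) * (q - 1))
    assert r == 0
    if M % p:
        # p does not divide M: Fermat gives M^(p-1) = 1 in Z_p, so the
        # factor (M^(p-1))^(k(q-1)) is 1^(k(q-1)) = 1 in Z_p.
        assert pow(M, p - 1, p) == 1
        assert pow(pow(M, p - 1, p), k * (q - 1), p) == 1
    ok_p = pow(M, ed, p) == M % p      # M^{ed} = M in Z_p (both cases)
    ok_q = pow(M, ed, q) == M % q      # same argument for q
    return ok_p and ok_q and pow(M, ed, n) == M % n


P, Q, E = 1447, 3347, 2663
N, PHI, D = rsa_keygen(P, Q, E)

if __name__ == "__main__":
    C = encrypt(13, E, N)
    print(f"n={N} (p-1)(q-1)={PHI} d={D}")
    print(f"13 -> {C} -> {decrypt(C, D, N)}")
    # Constructed edge case from the proof: a message that p divides.
    print("5p round-trips:", check_equation_f(5 * P, E, D, P, Q))
```

Running the block reproduces $n$, $(p-1)(q-1)$ and $d$ from the example; the encryption of 13 can be compared with the value the notes quote.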

We used a special property of prime numbers in the last step: if $p$ and $q$ are different primes and both divide a number $r$, then their product $pq$ divides $r$. This follows from the Fundamental Theorem of Arithmetic, which says that both $p$ and $q$ must appear somewhere in the unique factorization of $r$ as a product of powers of prime numbers. If both $p$ and $q$ appear, then $pq$ divides $r$.
Example 3 The previous statement reflects a special property of primes. Observe that 6 divides 12 and 3 divides 12 but $18 = 3 \cdot 6$ doesn't divide 12.
Exercise 4 Find 3 more examples of integers $a$, $b$, $c$ where both $a$ and $b$ divide $c$ but $ab$ doesn't divide $c$.

Why does Fermat's little theorem hold? Consider
$$\mathbb{Z}_p = \{0, 1, 2, 3, \ldots, p-1\}$$
and throw away 0 to get the set which I will denote $\mathbb{Z}_p^*$:
$$\mathbb{Z}_p^* = \{1, 2, 3, \ldots, p-1\}.$$
Each of these elements has a multiplicative inverse: if $a$ is one of them then $\gcd(a, p) = 1$. So the Euclidean Algorithm (EA) tells us that
$$1 = ax + py$$
for some integers $x, y$. Then reading this equation mod $p$ tells us
$$1 = ax.$$
So every $a$ has a multiplicative inverse (as we've seen in many examples).

But there's more: Cancellation. If $a$ is in $\mathbb{Z}_p^*$ and $b$ and $c$ are in $\mathbb{Z}_p$ then $ab = ac$ can only happen if $b = c$. Just like in ordinary arithmetic, multiply both sides of
$$ab = ac$$
by the multiplicative inverse of $a$ (call it $x$ as above) to get
$$xab = xac,$$
$$(xa)b = (xa)c,$$
$$b = c.$$

Exercise 5 If $n$ isn't prime, cancellation doesn't hold in $\mathbb{Z}_n$. For $n = 6$ we have $2 \cdot 1 = 2 \cdot 4$. Find some other examples with $n = 6$ and with $n = 10$.

A special case of cancellation shows something else we already observed in examples: the set $\mathbb{Z}_p^*$ is closed under multiplication (i.e. no product can result in 0). Again, because each of the elements in $\mathbb{Z}_p^*$ has a multiplicative inverse, if $a$ is in $\mathbb{Z}_p^*$ and $b$ is also in $\mathbb{Z}_p^*$ and we had
$$ab = 0,$$
then multiply by the multiplicative inverse of $a$ to find that $b = 0$, which is impossible.
These observations will allow us to prove Fermat's Little Theorem.
Exercise 6 Write down the elements of $\mathbb{Z}_5^*$ and multiply them all together. What element of $\mathbb{Z}_5^*$ do you get?
Exercise 7 Do the same for $\mathbb{Z}_7^*$.

Key to the proof: Take any element $a$ of $\mathbb{Z}_p^*$ and look at
$$\{1a, 2a, 3a, \ldots, (p-1)a\}.$$
You get back exactly the set $\mathbb{Z}_p^* = \{1, 2, 3, \ldots, p-1\}$ but in a different order.

Example 8 In $\mathbb{Z}_5^* = \{1, 2, 3, 4\}$, for $a = 2$ we get
$$\{2, 4, 6, 8\} = \{2, 4, 1, 3\}.$$
For $a = 3$ we get
$$\{3, 6, 9, 12\} = \{3, 1, 4, 2\}.$$

Exercise 9 Make the calculations above for $\mathbb{Z}_7^* = \{1, 2, 3, \ldots, 6\}$ and $a = 2$, $a = 3$, $a = 4$.
The fact that you get back all of $\mathbb{Z}_p^*$ is a special property of primes.
Example 10 $2 \neq 0$ in $\mathbb{Z}_8$ but
$$\{1 \cdot 2, 2 \cdot 2, 3 \cdot 2, 4 \cdot 2, 5 \cdot 2, 6 \cdot 2, 7 \cdot 2\} = \{2, 4, 6, 0\}.$$

The reason that you get back all of $\mathbb{Z}_p^*$ when $p$ is prime comes from 2 facts:

1. The cancellation property for elements of $\mathbb{Z}_p^*$.

2. The "pigeonhole principle": if you have $n$ pigeons and $n$ holes to put them in, and no hole is occupied by more than one pigeon, then every hole is occupied.

Take some $a$ in $\mathbb{Z}_p^*$ and look at the set
$$\{1a, 2a, 3a, \ldots, (p-1)a\}.$$
By the cancellation property, no two different products (pigeons) can give you the same element of $\mathbb{Z}_p^*$ (occupy the same hole):
$$xa = ya \text{ implies that } x = y.$$
By the pigeonhole principle every element of $\mathbb{Z}_p^*$ appears among $1a, 2a, 3a, \ldots, (p-1)a$.

Multiply together all of the elements of $\mathbb{Z}_p^*$:
$$1 \cdot 2 \cdot 3 \cdots (p-1) = (p-1)!$$
and call the product $w$, some element of $\mathbb{Z}_p^*$. Now take any element $a$ in $\mathbb{Z}_p^*$ and multiply out
$$1a \cdot 2a \cdot 3a \cdots (p-1)a.$$
This is $w$, because the factors are just the elements of $\mathbb{Z}_p^*$ in a different order, but it's also
$$a^{p-1} w$$
by the commutative law of multiplication. So
$$a^{p-1} w = w = w \cdot 1.$$
By the cancellation law $a^{p-1} = 1$, which is just what Fermat said.
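The two facts the proof rests on (cancellation and the pigeonhole count) and the closing product argument, as an added Python example that is not part of the original notes. It lists $\{1a, 2a, \ldots, (p-1)a\}$ reduced mod $p$ (Examples 8 and 10), searches $\mathbb{Z}_n$ for cancellation failures when $n$ is composite (Exercise 5), forms the product $w = (p-1)!$ (Exercises 6 and 7) and checks $a^{p-1} = 1$. It goes beyond the notes' single examples by running these checks for every $a$ and for several moduli, prime and composite.

```python
# Added example (not part of the original notes): the ingredients of the
# proof of Fermat's little theorem, checked numerically for prime p and for
# the composite moduli of Exercise 5 and Example 10.


def units(n):
    """Z_n with 0 thrown away: {1, 2, ..., n-1} (Z_n^* when n is prime)."""
    return list(range(1, n))


def multiples(n, a):
    """The list 1a, 2a, ..., (n-1)a reduced mod n (the 'pigeons')."""
    return [(x * a) % n for x in units(n)]


def is_permutation(n, a):
    """True if {1a, ..., (n-1)a} is all of {1, ..., n-1} again
    (every hole occupied).  Fails for composite n, e.g. n = 8, a = 2."""
    return sorted(multiples(n, a)) == units(n)


def cancellation_failures(n):
    """Triples (a, b, c) with b < c but ab = ac in Z_n, i.e. cases where
    cancellation fails.  Empty for prime n."""
    out = []
    for a in units(n):
        for b in units(n):
            for c in range(b + 1, n):
                if (a * b) % n == (a * c) % n:
                    out.append((a, b, c))
    return out


def product_of_units(n):
    """(n-1)! mod n, the element w of the proof (Exercises 6 and 7)."""
    w = 1
    for x in units(n):
        w = (w * x) % n
    return w


def fermat_holds(n, a):
    """a^(n-1) = 1 in Z_n?  Always true for prime n and a in Z_n^*."""
    return pow(a, n - 1, n) == 1


if __name__ == "__main__":
    print(multiples(5, 2), multiples(5, 3))      # Example 8
    print(sorted(set(multiples(8, 2))))          # Example 10: {0, 2, 4, 6}
    print(cancellation_failures(6)[:3])          # Exercise 5: (2, 1, 4) ...
    print(product_of_units(5), product_of_units(7))
    for p in (5, 7, 11, 13):
        for a in units(p):
            assert is_permutation(p, a) and fermat_holds(p, a)
```

For a prime modulus every `a` passes both checks; for `n = 8` the multiples of 2 collapse onto four values and `fermat_holds(8, 2)` is false, which is the page's point that the argument needs $p$ prime.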

Secure Signatures
How to verify a person's identity.
Person A transmits data to person B, and person B wants a method to check the identity of person A.
Persons A and B get sets of RSA data:
For sending messages, Person A has $(n_A, e_A)$ and Person B has $(n_B, e_B)$.
For decrypting messages from Person B, Person A has $(n_B, d_B)$, and Person B has $(n_A, d_A)$ for decrypting messages from Person A.
The moduli $n_A$ and $n_B$ and encryption exponents $e_A$ and $e_B$ for sending messages are open to the world, BUT
the decryption exponent $d_A$ is possessed only by intended recipients of messages from person A.
So only Person B in our situation knows $d_A$ and only Person A knows $d_B$.

Person A has a signature, a publicly available message $S$.
To convince person B of his identity, person A does a double encryption: first calculating
$$T = S^{d_B} \bmod n_B$$
(note that the first encryption uses the decryption key for messages from Person B). Next he further encrypts the usual way Person A encrypts:
$$R = T^{e_A} \bmod n_A.$$
He then transmits $R$ to person B. Person B decrypts $R$ with her standard data for decrypting messages from person A, recovering $T$ as
$$T = R^{d_A} \bmod n_A.$$
(For this to give back $T$ exactly we need $T < n_A$; since $T < n_B$, it is enough that $n_B \le n_A$. Otherwise the reduction mod $n_A$ would change $T$.)
This is unintelligible, so she checks whether this number is person A's signature.
Remember, $T = S^{d_B} \bmod n_B$, so she "encrypts" $T$ with the data she uses to send messages:
$$T^{e_B} \bmod n_B = (S^{d_B})^{e_B} \bmod n_B = (S^{e_B})^{d_B} \bmod n_B = S.$$
By seeing that this result is the signature of person A, the identity has been validated.
Note that in all of this, Person A only used $(n_B, d_B, n_A, e_A)$ and not $d_A$, while Person B only used $(n_A, d_A, n_B, e_B)$ and not $d_B$.

Example 11 The data for Person A:
$$n_A = 721864639,\quad e_A = 19823,\quad d_B = 2437607,\quad S = 837361.$$
The data for person B:
$$n_B = 2673157,\quad e_B = 23,\quad d_A = 700322447.$$
Here $d_B$ is the inverse of $e_B$ mod $(p-1)(q-1)$ for $n_B$, and $d_A$ is the inverse of $e_A$ mod $(p-1)(q-1)$ for $n_A$, as the setup requires.
Person A calculates
$$T = 837361^{2437607} \bmod 2673157 = 1216606,$$
and then
$$R = 1216606^{19823} \bmod 721864639 = 241279367.$$
Person A then transmits $241279367$ to person B. When person B receives this, she calculates
$$241279367^{700322447} \bmod 721864639 = 1216606,$$
guesses that this is the signature and finally recovers $S$ as
$$S = 1216606^{23} \bmod 2673157.$$

Exercise 12 With
$$n_B = 33 = 3 \cdot 11,\quad e_B = 3,\quad d_B = 7,\quad S = 10$$
for Person A, and
$$n_A = 91 = 7 \cdot 13,\quad e_A = 8,\quad d_A = 18$$
for Person B, encrypt and decrypt $S$ according to the method above. Check first that each pair is a genuine RSA pair, i.e. that $e_B d_B \equiv 1 \pmod{(3-1)(11-1)}$ and $e_A d_A \equiv 1 \pmod{(7-1)(13-1)}$. The first holds ($3 \cdot 7 = 21 = 20 + 1$); the second does not ($8 \cdot 18 = 144 = 2 \cdot 72$, and $\gcd(8, 72) \neq 1$), so replace $e_A, d_A$ by a pair that does satisfy it before decrypting.

WHY? Denote by $\mathrm{encrypt}_A(M)$ and $\mathrm{decrypt}_A(M)$ the integers $M^{e_A} \bmod n_A$ and $M^{d_A} \bmod n_A$. Similarly $\mathrm{encrypt}_B(M) = M^{e_B} \bmod n_B$ and $\mathrm{decrypt}_B(M) = M^{d_B} \bmod n_B$.
The validity of the RSA system says that
$$\mathrm{decrypt}_A(\mathrm{encrypt}_A(M)) = M, \qquad \mathrm{encrypt}_A(\mathrm{decrypt}_A(M)) = M.$$
Similarly for B.
Person A calculates
$$R = \mathrm{encrypt}_A(\mathrm{decrypt}_B(S)).$$
Person B calculates
$$\mathrm{encrypt}_B(\mathrm{decrypt}_A(R)).$$
Therefore, person B will calculate
$$\mathrm{encrypt}_B(\mathrm{decrypt}_A(\mathrm{encrypt}_A(\mathrm{decrypt}_B(S)))) = \mathrm{encrypt}_B(\mathrm{decrypt}_B(S)) = S.$$
Person B does recover the signature of person A.

Since person A is the sole owner of $d_B$, only person A can calculate $\mathrm{decrypt}_B(S)$.
Another person claiming that he is person A will substitute a number $F$ in place of $\mathrm{decrypt}_B(S)$, and transmit $\mathrm{encrypt}_A(F)$ to person B. Person B will then calculate
$$\mathrm{encrypt}_B(\mathrm{decrypt}_A(\mathrm{encrypt}_A(F))) = \mathrm{encrypt}_B(F),$$
which is unintelligible unless by chance $\mathrm{encrypt}_B(F) = S$. But for this,
$$\mathrm{decrypt}_B(S) = \mathrm{decrypt}_B(\mathrm{encrypt}_B(F)) = F,$$
so this person has to have been able to calculate $\mathrm{decrypt}_B(S)$, which means that this person most likely knows $d_B$ and therefore is most likely to be person A.
One caveat: $S$ is fixed and public, so $\mathrm{decrypt}_B(S) = T$ is the same number in every run, and person B learns it when she recovers $T$. After one run she holds everything needed to produce a valid $R$ again without $d_B$, and nothing in the exchange distinguishes a fresh run from a replayed one; the check shows that the sender knows $T$, not that the message is new.
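The double-encryption exchange of Example 11 and the forgery argument above, as an added Python example that is not part of the original notes, with $d_A$ paired with $n_A$ and $d_B$ with $n_B$ as in the protocol description. The prime factors of the two moduli ($721864639 = 8191 \cdot 88129$ and $2673157 = 1237 \cdot 2161$) are not given in the notes; they were recovered here only so the code can check that each $(e, d)$ pair satisfies $ed \equiv 1 \pmod{(p-1)(q-1)}$, and the protocol itself never uses them. The impostor's value $F$ is a constructed input.

```python
# Added example (not part of the original notes): the identity check of
# the "Secure Signatures" section with the key data of Example 11.

# Key A: (n_A, e_A) is public; d_A is held by person B.
n_A, e_A, d_A = 721864639, 19823, 700322447     # n_A = 8191 * 88129 (editor's factorization)
# Key B: (n_B, e_B) is public; d_B is held by person A.
n_B, e_B, d_B = 2673157, 23, 2437607            # n_B = 1237 * 2161 (editor's factorization)
S = 837361                                      # person A's public signature


def encrypt(M, e, n):
    return pow(M, e, n)


def decrypt(C, d, n):
    return pow(C, d, n)


def key_pair_is_valid(e, d, p, q):
    """e*d = 1 mod (p-1)(q-1): the condition used in the proof of (F)."""
    return (e * d) % ((p - 1) * (q - 1)) == 1


def sign_as_A(S):
    """Person A: T = S^{d_B} mod n_B, then R = T^{e_A} mod n_A."""
    T = decrypt(S, d_B, n_B)
    if T >= n_A:
        # B's reduction mod n_A would change T; the scheme needs n_B <= n_A.
        raise ValueError("inner value does not fit the outer modulus")
    R = encrypt(T, e_A, n_A)
    return T, R


def verify_as_B(R):
    """Person B: T = R^{d_A} mod n_A, then T^{e_B} mod n_B (compare with S)."""
    T = decrypt(R, d_A, n_A)
    return encrypt(T, e_B, n_B)


def forge_without_dB(F):
    """An impostor who does not know d_B sends encrypt_A(F) for some F."""
    return encrypt(F % n_A, e_A, n_A)


if __name__ == "__main__":
    T, R = sign_as_A(S)
    print("T =", T, " R =", R)                  # compare with the values in Example 11
    print("B recovers", verify_as_B(R), "== S?", verify_as_B(R) == S)
    # Constructed forgery: any F other than T gives encrypt_B(F) != S,
    # because encrypt_B is one-to-one on Z_{n_B}.
    print("forgery accepted?", verify_as_B(forge_without_dB(T + 1)) == S)
```

The `T >= n_A` guard is the point the notes leave implicit: person B recovers `R^{d_A} mod n_A`, which equals `T` only when `T < n_A`.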

Euclid Again
Are there enough prime numbers? The classical proof by Euclid is one of the most beautiful arguments in all of mathematics.
Theorem 13 There are infinitely many primes.
Before we prove it though, do some exercises to gain some insight into the method of proof. The first few primes are $2, 3, 5$.
Exercise 14 Calculate $2 \cdot 3 \cdot 5 + 1$. What are its prime factors?
Exercise 15 Calculate $2 \cdot 3 \cdot 5 \cdot 7 + 1$. What are its prime factors?

Exercise 16 If $p_1, p_2, \ldots, p_k$ are the first $k$ primes, can any of them appear in the factorization of $p_1 p_2 \cdots p_k + 1$?
Proof. (of Euclid's Theorem, using modern language). Suppose that there are only finitely many primes. Then we could list them all out, say $\{p_1, p_2, \ldots, p_k\}$ is the entire set of prime numbers. Set $S = p_1 p_2 \cdots p_k + 1$. Since every integer greater than 1 has a prime factor, $S$ must have a prime factor from among $\{p_1, p_2, \ldots, p_k\}$. But $S = 1$ in $\mathbb{Z}_{p_i}$ for every prime $p_i$, in other words no prime divides $S$. This is a contradiction, so there must be other primes.
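The construction in Euclid's proof run numerically, as an added Python example that is not part of the original notes. It answers Exercises 14 through 16 by multiplying the first $k$ primes, adding 1, factoring the result by trial division and confirming that none of the listed primes divides it. It goes beyond the two exercises by running the construction for every $k$ up to a bound, which also shows (at $k = 6$) that $p_1 \cdots p_k + 1$ need not itself be prime; the proof only needs it to have a prime factor outside the list.

```python
# Added example (not part of the original notes): Euclid's construction
# S = p_1 p_2 ... p_k + 1 for the first k primes, with its factorization.


def first_primes(k):
    """The first k primes, by trial division against the primes found so far."""
    primes = []
    n = 2
    while len(primes) < k:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def trial_factor(n):
    """Prime factorization of n as a sorted list (with multiplicity)."""
    factors = []
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def euclid_number(k):
    """S = p_1 p_2 ... p_k + 1 for the first k primes."""
    S = 1
    for p in first_primes(k):
        S *= p
    return S + 1


def euclid_step(k):
    """Return (S, factors of S, primes among them not in the first k).

    S = 1 in Z_p for every listed p, so no listed prime can divide S;
    the new-primes list is therefore never empty (Exercise 16)."""
    listed = first_primes(k)
    S = euclid_number(k)
    assert all(S % p == 1 for p in listed)
    factors = trial_factor(S)
    return S, factors, sorted(set(factors) - set(listed))


if __name__ == "__main__":
    for k in range(1, 8):
        print(k, euclid_step(k))    # k=3: 31, k=4: 211, k=6: 30031 = 59 * 509
```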
