3.3. Modular Arithmetic, RSA Algorithm 52

The document discusses modular arithmetic and the RSA algorithm. It begins by defining congruences modulo m and discussing properties like equivalence classes. It then defines operations like addition and multiplication in Z_m. Euler's theorem states that if a and m are relatively prime, then a^φ(m) ≡ 1 (mod m). The RSA algorithm uses this to encrypt messages: a message m is encrypted as m' = m^e (mod n) and decrypted as m'^d (mod n), where e and d are chosen such that e · d ≡ 1 (mod φ(n)).

3.3. Modular Arithmetic, RSA Algorithm

3.3.1. Congruences Modulo m. Given an integer m ≥ 2, we say that a is congruent to b modulo m, written a ≡ b (mod m), if m | (a − b). Note that the following conditions are equivalent:

1. a ≡ b (mod m).
2. a = b + km for some integer k.
3. a and b have the same remainder when divided by m.

The relation of congruence modulo m is an equivalence relation. It partitions Z into m equivalence classes of the form

[x] = [x]_m = {x + km | k ∈ Z} .

For instance, for m = 5, each one of the following rows is an equivalence class:

. . . −10 −5 0 5 10 15 20 . . .
. . .  −9 −4 1 6 11 16 21 . . .
. . .  −8 −3 2 7 12 17 22 . . .
. . .  −7 −2 3 8 13 18 23 . . .
. . .  −6 −1 4 9 14 19 24 . . .

Each equivalence class has exactly one representative r such that 0 ≤ r < m, namely the common remainder of all elements in that class when divided by m. Hence an equivalence class may be denoted [r] or r + mZ, where 0 ≤ r < m. Often we will omit the brackets, so that the equivalence class [r] will be represented just by r. The set of equivalence classes (i.e., the quotient set of Z by the relation of congruence modulo m) is denoted Z_m = {0, 1, 2, . . . , m − 1}. For instance, Z_5 = {0, 1, 2, 3, 4}.

Remark: When writing “r” as a notation for the class of r we may stress the fact that r represents the class of r rather than the integer r by including “(mod m)” at some point. For instance 8 = 3 (mod 5). Note that in “a ≡ b (mod m)”, a and b represent integers, while in “a = b (mod m)” they represent elements of Z_m.

Reduction Modulo m: Once a set of representatives has been chosen for the elements of Z_m, we will call “r reduced modulo m”, written “r mod m”, the chosen representative for the class of r. For instance, if we choose the representatives for the elements of Z_5 in the interval from 0 to 4 (Z_5 = {0, 1, 2, 3, 4}), then 9 mod 5 = 4. Another possibility is to choose the representatives in the interval from −2 to 2 (Z_5 = {−2, −1, 0, 1, 2}), so that 9 mod 5 = −1.

In Z_m it is possible to define an addition and a multiplication in the following way:

[x] + [y] = [x + y] ;   [x] · [y] = [x · y] .

As an example, tables 3.3.1 and 3.3.2 show the addition and multiplication tables for Z_5 and Z_6 respectively.

 + | 0 1 2 3 4        · | 0 1 2 3 4
---+-----------      ---+-----------
 0 | 0 1 2 3 4        0 | 0 0 0 0 0
 1 | 1 2 3 4 0        1 | 0 1 2 3 4
 2 | 2 3 4 0 1        2 | 0 2 4 1 3
 3 | 3 4 0 1 2        3 | 0 3 1 4 2
 4 | 4 0 1 2 3        4 | 0 4 3 2 1

Table 3.3.1. Operational tables for Z_5

 + | 0 1 2 3 4 5      · | 0 1 2 3 4 5
---+-------------    ---+-------------
 0 | 0 1 2 3 4 5      0 | 0 0 0 0 0 0
 1 | 1 2 3 4 5 0      1 | 0 1 2 3 4 5
 2 | 2 3 4 5 0 1      2 | 0 2 4 0 2 4
 3 | 3 4 5 0 1 2      3 | 0 3 0 3 0 3
 4 | 4 5 0 1 2 3      4 | 0 4 2 0 4 2
 5 | 5 0 1 2 3 4      5 | 0 5 4 3 2 1

Table 3.3.2. Operational tables for Z_6

A difference between these two tables is that in Z_5 every non-zero element has a multiplicative inverse, i.e., for every x ∈ Z_5 such that x ≠ 0 there is an x^−1 such that x · x^−1 = x^−1 · x = 1; e.g. 2^−1 = 4 (mod 5). However, in Z_6 that is not true: some non-zero elements, like 2, have no multiplicative inverse. Furthermore, the elements without multiplicative inverse can be multiplied by some other non-zero element giving a product equal to zero, e.g. 2 · 3 = 0 (mod 6). These elements are called divisors of zero. Of course, with this definition zero itself is a divisor of zero. Divisors of zero different from zero are called proper divisors of zero. For instance, in Z_6, 2 is a proper divisor of zero. In Z_5 there are no proper divisors of zero.
In general:

1. The elements of Z_m can be classified into two classes:
   (a) Units: elements with multiplicative inverse.
   (b) Divisors of zero: elements that multiplied by some other non-zero element give product zero.
2. An element [a] ∈ Z_m is a unit (has a multiplicative inverse) if and only if gcd(a, m) = 1.
3. All non-zero elements of Z_m are units if and only if m is a prime number.

The set of units in Z_m is denoted Z_m^*. For instance:

Z_2^* = {1}
Z_3^* = {1, 2}
Z_4^* = {1, 3}
Z_5^* = {1, 2, 3, 4}
Z_6^* = {1, 5}
Z_7^* = {1, 2, 3, 4, 5, 6}
Z_8^* = {1, 3, 5, 7}
Z_9^* = {1, 2, 4, 5, 7, 8}

Given an element [a] in Z_m^*, its inverse can be computed by using the Euclidean algorithm to find gcd(a, m), since that algorithm also provides a solution to the equation ax + my = gcd(a, m) = 1, which is equivalent to ax ≡ 1 (mod m).

Example: Find the multiplicative inverse of 17 in Z_64^*. Answer: We use the Euclidean algorithm:

64 = 3 · 17 + 13  → r = 13
17 = 1 · 13 + 4   → r = 4
13 = 3 · 4 + 1    → r = 1
 4 = 4 · 1 + 0    → r = 0

Now we compute backward:

1 = 13 − 3 · 4 = 13 − 3 · (17 − 1 · 13) = 4 · 13 − 3 · 17
  = 4 · (64 − 3 · 17) − 3 · 17 = 4 · 64 − 15 · 17 .

Hence (−15) · 17 ≡ 1 (mod 64), but −15 ≡ 49 (mod 64), so the inverse of 17 in (Z_64^*, ·) is 49. We will denote this by writing 17^−1 = 49 (mod 64), or 17^−1 mod 64 = 49.
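The same computation carried out in Python, as an added example that is not part of these notes: an iterative extended Euclidean algorithm that returns the Bezout coefficients of the back-substitution above, a modular inverse built on it, and the unit / zero-divisor classification of Z_m from the list in this section. The function names are my own.

```python
# Added example (not from the notes): extended Euclid, modular inverse,
# and the classification of Z_m into units and proper divisors of zero.
from __future__ import annotations
from math import gcd


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g (Bezout identity)."""
    # Iterative form of the "compute backward" step done by hand in the notes:
    # every remainder is kept as a combination of a and b as the division goes on.
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a: int, m: int) -> int:
    """Inverse of a in Z_m^*; raises ValueError when a is not a unit (gcd(a, m) != 1)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {g}")
    return x % m  # lift the (possibly negative) coefficient into 0..m-1, e.g. -15 -> 49


def units(m: int) -> list[int]:
    """Elements of Z_m^*: exactly the a with gcd(a, m) = 1."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def zero_divisors(m: int) -> list[int]:
    """Proper divisors of zero in Z_m: the non-zero non-units."""
    return [a for a in range(1, m) if gcd(a, m) != 1]


if __name__ == "__main__":
    g, x, y = egcd(17, 64)
    print(g, x, y)                       # 1 -15 4   i.e. 4*64 - 15*17 = 1
    print(mod_inverse(17, 64))           # 49
    print(units(6), zero_divisors(6))    # [1, 5] [2, 3, 4]
```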

3.3.2. Euler’s Phi Function. The number of units in Z_m is equal to the number of positive integers not greater than m and relatively prime to m, i.e., the number of integers a such that 1 ≤ a ≤ m and gcd(a, m) = 1. That number is given by the so-called Euler’s phi function:

φ(m) = number of positive integers not greater than m and relatively prime to m .

For instance, the positive integers not greater than and relatively prime to 15 are: 1, 2, 4, 7, 8, 11, 13, 14, hence φ(15) = 8.

We have the following results:

1. If p is a prime number and s ≥ 1, then φ(p^s) = p^s − p^(s−1) = p^s (1 − 1/p). In particular φ(p) = p − 1.
2. If m_1, m_2 are two relatively prime positive integers, then φ(m_1 m_2) = φ(m_1) φ(m_2).¹
3. If m = p_1^s_1 p_2^s_2 . . . p_k^s_k, where the p_i are prime and the s_i are positive, then
   φ(m) = m (1 − 1/p_1) (1 − 1/p_2) . . . (1 − 1/p_k) .

For instance
φ(15) = φ(3 · 5) = φ(3) · φ(5) = (3 − 1) · (5 − 1) = 2 · 4 = 8 .

3.3.3. Euler’s Theorem. If a and m are two relatively prime positive integers, m ≥ 2, then

a^φ(m) ≡ 1 (mod m) .

In the particular case in which m is a prime number p, Euler’s theorem is called Fermat’s Little Theorem:

a^(p−1) ≡ 1 (mod p) .

For instance, if a = 2 and p = 7, then we have, in fact, 2^(7−1) = 2^6 = 64 = 1 + 9 · 7 ≡ 1 (mod 7).

A consequence of Euler’s Theorem is the following. If gcd(a, m) = 1 then

x ≡ y (mod φ(m)) ⇒ a^x ≡ a^y (mod m) .

¹ A function f(x) of positive integers such that gcd(a, b) = 1 ⇒ f(ab) = f(a) f(b) is called multiplicative.

Consequently, the following function is well defined:

Z_m^* × Z_φ(m) → Z_m^*
([a]_m , [x]_φ(m)) ↦ [a^x]_m

Hence, we can compute powers modulo m in the following way:

a^n = a^(n mod φ(m)) (mod m) ,

if gcd(a, m) = 1. For instance, since gcd(397, 100) = 1, φ(100) = 40 and 397 ≡ −3 (mod 100):

397^34888 mod 100 = 397^(34888 mod φ(100)) mod 100
 = 397^(34888 mod 40) mod 100 = 397^8 mod 100 = (−3)^8 mod 100 = 3^8 mod 100 = 6561 mod 100 = 61 .

An even more efficient way to compute powers modulo m is given in Appendix A, paragraph A.1.
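The phi function and the exponent-reduction shortcut of 3.3.2 and 3.3.3, as an added Python example that is not part of these notes. It computes φ(m) from the product formula, checks Euler's theorem, and reproduces the 397^34888 mod 100 computation; it also shows the caveat the text states, that the reduction needs gcd(a, m) = 1. Function names are my own.

```python
# Added example (not from the notes): Euler's phi via the product formula,
# Euler's theorem, and a^n = a^(n mod phi(m)) (mod m) for gcd(a, m) = 1.
from __future__ import annotations
from math import gcd


def prime_factors(m: int) -> list[int]:
    """Distinct prime divisors of m by trial division (fine for the small m used here)."""
    primes, d = [], 2
    while d * d <= m:
        if m % d == 0:
            primes.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        primes.append(m)
    return primes


def phi(m: int) -> int:
    """phi(m) = m * prod(1 - 1/p) over the distinct primes p | m, done in integers."""
    result = m
    for p in prime_factors(m):
        result = result // p * (p - 1)  # exact: p still divides result at this point
    return result


def euler_holds(a: int, m: int) -> bool:
    """Euler's theorem: a^phi(m) == 1 (mod m) whenever gcd(a, m) == 1."""
    return pow(a, phi(m), m) == 1


def pow_mod_reduced(a: int, n: int, m: int) -> int:
    """a^n mod m with the exponent reduced mod phi(m). Only valid when gcd(a, m) == 1."""
    if gcd(a, m) != 1:
        raise ValueError("exponent reduction mod phi(m) needs gcd(a, m) = 1")
    return pow(a, n % phi(m), m)


if __name__ == "__main__":
    print(phi(15), phi(100))                  # 8 40
    print(pow_mod_reduced(397, 34888, 100))   # 61
    print(pow(397, 34888, 100))               # 61, the same without the shortcut
    # 2 and 100 are not coprime: 2^40 mod 100 is 76, not 1, so the shortcut
    # would give wrong answers there; pow_mod_reduced refuses that input.
    print(pow(2, phi(100), 100))
```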

3.3.4. Application to Cryptography: RSA Algorithm. The RSA algorithm is an encryption scheme designed in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman. It allows encrypting a message with a key (the encryption key) and decrypting it with a different key (the decryption key). The encryption key is public and can be given to everybody. The decryption key is private and is known only by the recipient of the encrypted message.

The RSA algorithm is based on the following facts. Given two prime numbers p and q, and a positive number m relatively prime to p and q, Euler’s theorem tells us that:

m^φ(pq) = m^((p−1)(q−1)) = 1 (mod pq) .

Assume now that we have two integers e and d such that e · d = 1 (mod φ(pq)). Then we have that

(m^e)^d = m^(e·d) = m (mod pq) .

So, given m^e we can recover m modulo pq by raising to the d-th power.

The RSA algorithm consists of the following:

1. Generate two large primes p and q. Find their product n = pq.
2. Find two numbers e and d (in the range from 2 to φ(n)) such that e · d = 1 (mod φ(n)). This requires some trial and error. First e is chosen at random, and the Euclidean algorithm is used to find gcd(e, φ(n)), solving at the same time the equation ex + φ(n) y = gcd(e, φ(n)). If gcd(e, φ(n)) = 1 then the value obtained for x is d. Otherwise, e is not relatively prime to φ(n) and we must try a different value for e.
3. The public encryption key will be the pair (n, e). The private decryption key will be the pair (n, d). The encryption key is given to everybody, while the decryption key is kept secret by the future recipient of the message.
4. The message to be encrypted is divided into small pieces, and each piece is encoded numerically as a positive integer m smaller than n.
5. The number m^e is reduced modulo n; m' = m^e mod n.
6. The recipient computes m'' = m'^d mod n, with 0 ≤ m'' < n.

It remains to prove that m'' = m. If m is relatively prime to p and q, then from Euler’s theorem we get that m'' = m (mod n), and since both are in the range from 0 to n − 1 they must be equal. The case in which p or q divides m is left as an exercise.
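Steps 1 to 6 above in Python, as an added example that is not part of these notes. The primes are toy-sized and chosen only so the arithmetic stays visible, d is obtained with Python's built-in pow(e, −1, φ(n)) instead of the by-hand Euclidean algorithm, and the last function checks the exercise left open in the text: decryption also recovers pieces m that p or q divides. Function names are my own.

```python
# Added example (not from the notes): RSA key generation, encryption and
# decryption with small constructed primes, following steps 1-6 of the text.
from __future__ import annotations
from math import gcd


def keygen(p: int, q: int, e_candidates: list[int]) -> tuple[tuple[int, int], tuple[int, int]]:
    """Steps 1-3: n = pq, take the first candidate e coprime to phi(n), d = e^-1 mod phi(n)."""
    n = p * q
    phi_n = (p - 1) * (q - 1)          # phi(pq) for distinct primes p and q
    for e in e_candidates:             # the "trial and error" of step 2
        if 1 < e < phi_n and gcd(e, phi_n) == 1:
            d = pow(e, -1, phi_n)      # modular inverse (Python 3.8+), the x of ex + phi(n)y = 1
            return (n, e), (n, d)
    raise ValueError("no candidate e is relatively prime to phi(n)")


def encrypt(pub: tuple[int, int], m: int) -> int:
    """Step 5: m' = m^e mod n. The piece m must satisfy 0 <= m < n (step 4)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message piece must be a non-negative integer smaller than n")
    return pow(m, e, n)


def decrypt(priv: tuple[int, int], c: int) -> int:
    """Step 6: m'' = m'^d mod n, automatically in the range 0..n-1."""
    n, d = priv
    return pow(c, d, n)


def roundtrip_all(p: int, q: int, e_candidates: list[int]) -> bool:
    """Check m'' == m for every piece 0 <= m < n, including the multiples of p and q
    that Euler's theorem alone does not cover (the exercise left open in the text)."""
    pub, priv = keygen(p, q, e_candidates)
    return all(decrypt(priv, encrypt(pub, m)) == m for m in range(pub[0]))


if __name__ == "__main__":
    # 4 and 6 share a factor with phi(n) = 60 * 52 = 3120, so 17 is the first usable e.
    pub, priv = keygen(61, 53, [4, 6, 17])
    print(pub, priv)                      # (3233, 17) (3233, 2753)
    c = encrypt(pub, 65)
    print(c, decrypt(priv, c))            # 2790 65
    print(roundtrip_all(61, 53, [17]))    # True
```

Real deployments use primes of hundreds of digits and a padding scheme before exponentiation; the textbook scheme above is the mathematical core only.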

3.3.5. The Chinese Remainder Theorem. Let m_1, m_2, . . . , m_k be pairwise relatively prime integers greater than or equal to 2. The following system of congruences

 x ≡ r_1 (mod m_1)
 x ≡ r_2 (mod m_2)
 . . .
 x ≡ r_k (mod m_k)

has a unique solution modulo M = m_1 m_2 . . . m_k.

We can find a solution to that system in the following way. Let M_i = M/m_i, and s_i = the inverse of M_i in Z_(m_i). Then

x = M_1 s_1 r_1 + M_2 s_2 r_2 + · · · + M_k s_k r_k

is a solution to the system.

Example: A group of objects can be arranged in 3 rows leaving 2 left, in 5 rows leaving 4 left, and in 7 rows leaving 6 left. How many objects are there? Answer: We must solve the following system of congruences:

 x ≡ 2 (mod 3)
 x ≡ 4 (mod 5)
 x ≡ 6 (mod 7)

We have: M = 3 · 5 · 7 = 105, M_1 = 105/3 = 35 ≡ 2 (mod 3), M_2 = 105/5 = 21 ≡ 1 (mod 5), M_3 = 105/7 = 15 ≡ 1 (mod 7); s_1 = “inverse of 2 in Z_3” = 2, s_2 = “inverse of 1 in Z_5” = 1, s_3 = “inverse of 1 in Z_7” = 1. Hence the solution is

x = 35 · 2 · 2 + 21 · 1 · 4 + 15 · 1 · 6 = 314 ≡ 104 (mod 105) .

Hence, any group of 104 + 105k objects is a possible solution to the problem.
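The constructive solution x = Σ M_i s_i r_i in Python, as an added example that is not part of these notes. It checks the pairwise-coprime hypothesis before trusting the formula, computes each s_i with Python's pow(M_i, −1, m_i), and reproduces the 3/5/7 rows example. Function names are my own.

```python
# Added example (not from the notes): the Chinese Remainder Theorem construction
# x = M_1 s_1 r_1 + ... + M_k s_k r_k (mod M), with M_i = M / m_i, s_i = M_i^-1 in Z_{m_i}.
from __future__ import annotations
from math import gcd, prod


def crt(residues: list[int], moduli: list[int]) -> tuple[int, int]:
    """Return (x, M): x is the unique solution mod M = prod(moduli) of x = r_i (mod m_i)."""
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    # The theorem's hypothesis: moduli pairwise relatively prime. Without it the
    # inverses s_i need not exist and the system may have no solution at all.
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not relatively prime")
    M = prod(moduli)
    x = 0
    for r_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        s_i = pow(M_i, -1, m_i)   # exists because gcd(M_i, m_i) = 1 (Python 3.8+)
        x += M_i * s_i * r_i
    return x % M, M


def check(x: int, residues: list[int], moduli: list[int]) -> bool:
    """Verify every congruence of the system directly."""
    return all(x % m_i == r_i % m_i for r_i, m_i in zip(residues, moduli))


if __name__ == "__main__":
    x, M = crt([2, 4, 6], [3, 5, 7])         # the rows-of-objects example
    print(x, M)                              # 104 105
    print(check(x, [2, 4, 6], [3, 5, 7]))    # True
```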
