Discrete Mathematics,

Number Theory and Cryptography

Discrete Mathematics. Chapter 4 1 / 35

Outline

1 Divisibility and Modular Arithmetic

2 Primes and Greatest Common Divisors

3 Solving Congruences

4 Cryptography

Discrete Mathematics. Chapter 4 2 / 35

Definition: Assume 2 integers a and b, such that a =/ 0 (a is
not equal 0). We say that a divides b if there is an integer
c such that b = ac. If a divides b we say that a is a factor
of b and that b is multiple of a.
• The fact that a divides b is denoted as a | b.

Examples:
• 4 | 24 True or False ? True
• 4 is a factor of 24
• 24 is a multiple of 4
• 3 | 7 True or False ? False
 Division

Let a be an integer and d a positive integer. Then there are unique

integers, q and r, with 0 <= r < d, such that
a = dq + r.

Definitions: Example: a= 14, d = 3

• a is called the dividend, 14 = 3*4 + 2
• d is called the divisor, 14/3=3.666
14 div 3 = 4
• q is called the quotient and
14 mod 3 = 2
• r the remainder of the division.

Relations:
• q = a div d , r = a mod d
 Division
Definition
If a and b are integers with a = 0, then a divides b if there exists an
integer c such that b = ac.

When a divides b we write a|b.

We say that a is afactorordivisorof b and b is
amultipleof a. If a|b then b/a is an integer (namely the c
above).
If a does not divide b, we write a ƒ |b.
Theorem

Let
1 If a|b
a, b, cand
be integers, a|(b +ac).
a|c, thenwhere = 0.
2 If a|b, then a|bc for all integers c.
3 If a|b and b|c, then a|c.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 5 / 35

Division Algorithm

When an integer is divided by a positive integer, there is aquotientand

aremainder. This is traditionally called the “Division Algorithm”, but it
is really a theorem.

Theorem
If a is an integer and d a positive integer, then there are unique
integers q and r , with 0 ≤ r < d, such that a = dq + r

a is called the dividend.

d is called the divisor.
q is called the quotient. q = a div d
r is called the remainder. r = a mod d

Discrete Mathematics. Chapter 4 6 / 35

Congruence Relation

Definition
If a and b are integers and m is a positive integer, then a is congruent
to b modulo m iff m|(a − b).

The notation a ≡ b( mod m) says that

a is congruent to b modulo m.
We say that a ≡ b( mod m) is a congruence and that m is its
modulus.
Two integers are congruent mod m if and only if they have the
same remainder when divided by m.
If a is not congruent to b modulo m, we write a ƒ≡ b( mod m).

7 / 35
Congruence: Examples

Example: Determine
Whether 17 is congruent to 5 modulo 6, and
Whether 24 and 14 are congruent modulo 6.
Clicker
1 No and No.
2 No and Yes.
3 Yes and No.
4 Yes and Yes.

Discrete Mathematics. Chapter 4 6 / 35

 Congruence: Examples

Example: Determine
Whether 17 is congruent to 5 modulo 6, and
Whether 24 and 14 are congruent modulo 6.
Clicker
1 No and No.
2 No and Yes.
3 Yes and No.
4 Yes and Yes.
Solution: 17 ≡ 5( mod 6) because 6 divides 17 − 5 =
12.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 6 / 35

 Congruence: Examples

Example: Determine
Whether 17 is congruent to 5 modulo 6, and
Whether 24 and 14 are congruent modulo 6.
Clicker
1 No and No.
2 No and Yes.
3 Yes and No.
4 Yes and Yes.
Solution: 17 ≡ 5( mod 6) because 6 divides 17 − 5 = 12.
24 ≡ 14( mod 6) since 24 − 14 = 10 is not divisible by 6.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 6 / 35

Terminology

The uses of “mod” in the following expressions are different.

a ≡ b( mod m), and
a mod m = b

a ≡ b( mod m) describes abinary relationon the set of integers.

In a mod m = b, the notation mod denotes afunction(from integers

to integers).
The relationship between these notations is made clear in this
theorem.
Theorem
Let a and b be integers, and let m be a positive integer.
Then a ≡ b( mod m) if and only if a mod m = b mod m

Discrete Mathematics. Chapter 4 7 / 35

A Theorem on Congruences

Theorem
Let m be a positive integer. The integers a and b are congruent
modulo m if and only if there is an integer k such that a = b +
km.
Proof.
If a ≡ b( mod m), then (by the definition of congruence)
m|(a − b). Hence, there is an integer k such that a − b = km
and equivalently a = b + km.
Conversely, if there is an integer k such that a = b + km, then
km = a − b. Hence, m|(a − b) and a ≡ b( mod m).

Discrete Mathematics. Chapter 4 8 / 35

Congruences of Sums and Products
Theorem
Let m be a positive integer. If a ≡ b( mod m) and c ≡ d ( mod m),
then a + c ≡ b + d ( mod m) and ac ≡ bd ( mod m).

Proof.
Since a ≡ b( mod m) and c ≡ d ( mod m), by the Theorem above
there are integers s and t with b = a + sm and d = c + tm.
Therefore,
b + d = (a + sm) + (c + tm) = (a + c) + m(s + t ), and
bd = (a + sm)(c + tm) = ac + m(at + cs + stm).
Hence, a + c ≡ b + d ( mod m) and ac ≡ bd ( mod m).
Corollary
Let m be a positive integer and let a and b be integers. Then
(a + b) mod m = ((a mod m) + (b mod m)) mod m
ab mod m = ((a mod m)(b mod m)) mod m.
Discrete Mathematics. Chapter 4 9 / 35
Arithmetic modulo m

Let Zm = {0, 1, . . . , m − 1}.

The operation +m is defined as a +m b = (a + b) mod m.
This is addition modulo m.
The operation ·m is defined as a ·m b = (a · b) mod m.
This is multiplication modulo m.
Using these operations is said to be doing arithmetic
modulo m.
Example: Find 7 +11 9 and 7 ·11 9.

Discrete Mathematics. Chapter 4 10 / 35

Arithmetic modulo m

Let Zm = {0, 1, . . . , m − 1}.

The operation +m is defined as a +m b = (a + b) mod m.
This is addition modulo m.
The operation ·m is defined as a ·m b = (a · b) mod m.
This is multiplication modulo m.
Using these operations is said to be doing arithmetic
modulo m.
Example: Find 7 +11 9 and 7 ·11 9.
Solution: Using the definitions above:
7 +11 9 = (7 + 9) mod 11 = 16 mod 11 = 5
7 ·11 9 = (7 · 9) mod 11 = 63 mod 11 = 8

Discrete Mathematics. Chapter 4 10 / 35

 Arithmetic modulo m
The operations +m and ·m satisfy many of the same properties as
ordinary addition and multiplication.
Closure:If a, b ∈ Zm , then a +m b and a ·m b belong to Zm.
Associativity:If a, b, c ∈ Zm, then (a +m b) +m c = a +m (b +m c)
and
(a ·m b) ·m c = a ·m (b ·m c).
Commutativity:If a, b ∈ Zm, then a +m b = b +m a and a ·m b = b
·m a.
Identity elements:The elements 0 and 1 are identity elements for
addition and multiplication modulo m, respectively. If
a ∈ Zm then a +m 0 = a and a ·m 1 = a.
Additive inverses:If 0 ƒ= a ∈ Zm, then m − a is the additive inverse
of a
modulo m. Moreover, 0 is its own additive inverse.
a +m (m − a) = 0 and 0 +m 0 = 0.
Distributivity:If a, b, c ∈ Zm, then
Discrete Mathematics. Chapter 4 11 / 35
 Base b Representation of Integers

Theorem
Let b be a positive integer greater than 1. Every positive integer n can
be expressed uniquely in the form:

n = ak bk + a k−1 b k−1 + · · · + a1b + a0

where k is a nonnegative integer, a0, a1, . . . ak ∈ {0, . . . , b − 1}

and ak = 0. The a0, a1, . . . ak are called the base-b digits of the
representation.

This representation of n is called thebase b expansion of n and it is

denoted by (ak ak−1 . . . a1a0)b
b = 2 is binary. b = 8 is octal. b = 10 is decimal. b = 16 is
hexadecimal, etc.
See Textbook Section 4.2 for algorithms on binary
representations.
Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 12 / 35
 Primes
Definition
A positive integer p > 1 is called prime iff the only positive factors of p
are 1 and p. Otherwise it is called composite.

Theorem (Fundamental Theorem of Arithmetic)

Every positive integer greater than 1 can be written uniquely as a
prime or as the product of its prime factors, written in order of
nondecreasing size.

Example: 765 = 3 · 3 · 5 · 17 = 32 · 5 · 17.

Theorem (Euclid (325-265 BCE))
There are infinitely many primes.

Proof by contradiction. If there were only finitely many primes then

multiply them all and add 1. This would be a new prime. Contradiction.
Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 13 / 35
 The Sieve of Eratosthenes (276-194 BCE)
How to find all primes between 2 and n?
1 Write the numbers 2, . . . , n into a list. Let i :=
2 2. Remove all strict multiples of i from the list.
3 Let k be the smallest number present in the list s.t. k > i.
Then let i := k .

If i >
4 √
n then stop else goto step 2.

Trial division: A very inefficient method of determining if a number n

√
is prime, is to try every integer i ≤ n and see if n is divisible by i.

Testing if a number is prime can be done efficiently in polynomial time

[Agrawal-Kayal-Saxena 2002], i.e., polynomial in the number of bits
used to describe the input number.
Efficient randomized tests had been available previously.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 14 / 35

 Distribution of Primes
What part of the numbers are primes?
Do primes get scarce among the large numbers?
The prime number theorem gives an asymptotic estimate for the
number of primes not exceeding x .

Theorem (Prime Number Theorem)

The ratio of the number of primes not exceeding x and x/ ln(x )
approaches 1 as x grows without bound.
(ln(x ) is the natural logarithm of x.)

The theorem tells us that the number of primes not exceeding

x , can be approximated by x/ ln(x ).
The odds that a randomly selected positive integer less than x is
prime are approximately (x/ ln(x ))/x = 1/ ln(x ).
The k -th prime is approximately of size k · ln(k ).

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 15 / 35

 Greatest common divisor
A systematic way to find the gcd using factorization:
• Let a=p1a1 p2a2 p3a3 … pkak and b= p1b1 p2b2 p3b3 … pkbk
gcd(a,b)= p1 min(a1,b1) p2 min(a2,b2) p3 min(a3,b3) … pk min(ak,bk)

Examples:
• gcd(24,36) = ?
• 24 = 2*2*2*3=23*3
• 36= 2*2*3*3=22*32
• gcd(24,36) =22*3 = 12
 Greatest Common Divisor
Definition
Let a, b ∈ Z − {0}. The largest integer d such that d|a and also d|b
is called the greatest common divisor of a and b. It is denoted by
gcd (a, b).

Example: gcd (24, 36) = 12.

Definition
The integers a and b are relatively prime (coprime) iff gcd (a, b) =
1.

Example: 17 and 22. (Note that 22 is not a prime.)

Definition

The integers a1, a2, . . . , an are pairwise relatively prime iff

gcd (ai , aj ) = 1 whenever 1 ≤ i < j ≤ n.

Example: 10, 17 and 21 are pairwise relatively prime, since

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 16 / 35
 Least Common Multiple

Definition
The least common multiple of the positive integers a and b is the
smallest positive integer that is divisible by both a and b.
It is denoted by lcm(a, b).

Example: lcm(45, 21) = 7 · 45 = 15 · 21 = 315.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 17 / 35

 Gcd and Lcm by Prime Factorizations
Suppose that the prime factorizations of a and b are:
b = p b12 p b . . . bn
a = pa 1 pa 2 . . . pan ,
1 2 n 1 2 n
p
where each exponent is a nonnegative integer (possibly zero). Then

gcd (a, b) = 1 1 1 p 2 2 2 . . . n n n
min(a ,b ) min(a ,b ) min(a ,b )

p p
This number clearly divides a and b. No larger number can divide both
a and b. Proof by contradiction and the prime factorization of a
postulated larger divisor.

. . .n
max(a ,b ) max(a ,b ) max(a ,b )
lcm(a, b) = 1 1 1
p2 2 2 nn

p p
This number is clearly a multiple of a and b. No smaller number can be
a multiple of both a and b. Proof by contradiction and the prime
factorization of a postulated smaller multiple.

Factorization is avery inefficientmethod to compute gcd and lcm.

The Euclidian algorithm is much better.
Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 18 / 35
 Euclidian Algorithm
Lemma
Let a = bq + r , where a, b, q, and r are
integers. Then gcd (a, b) = gcd (b, r ).

Proof.
Suppose that d divides both a and b. Then d also divides a − bq = r .
Hence, any common divisor of a and b must also be a common divisor
of b and r .
For the opposite direction suppose that d divides both b and r . Then d
also divides bq + r = a. Hence, any common divisor of b and r must
also be a common divisor of a and b.
Therefore, gcd (a, b) = gcd (b, r ).

This means that if a > b then gcd (a, b) = gcd (b, a mod b),
which directly yields the algorithm.
(Note that both arguments have gotten smaller.) One can show that its
complexity is O(log b).
Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 19 / 35
 Gcd as a Linear Combination

Theorem (Bézout’s Theorem)

If a and b are positive integers, then there exist integers s and t such
that gcd (a, b) = sa + tb

(Proof in exercises of Section 5.2).

The numbers s and t are called Bézout coefficients of a and b.
Example: 2 = gcd (6, 14) = (−2) · 6 + 1 · 14.
The Bézout coefficients can be computed as follows. First use the
Euclidian algorithm to find the gcd and then work backwards (by
division and substitution) to express the gcd as a linear combination of
the original two integers.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 20 / 35

 Linear Congruences

Definition
A congruence of the form

ax ≡ b( mod m)

where m is a positive integer, a, b are integers and x is an integer

variable is called a linear congruence.

The solution of the congruence are all the integers x that satisfy
it.
Definition

An integer a such that aa ≡ 1( mod m) is called a multiplicative

inverse of a modulo m.
Multiplicative inverses can be used to solve congruences. If ax ≡
b(
mod m) then aax ≡ (ab)( Discrete
Richard Mayr (University of Edinburgh, UK)
mod Mathematics.
m) andChapterthus4 x ≡ (ab)( mod m). 21 / 35
 Multiplicative Inverses

Example: Let m = 15.

Find a multiplicative inverse of 8 modulo 15.
Clicker.
1 1
2 2
3 3
4 4
5 5
6 ≥6

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 22 / 35

 Multiplicative Inverses

Example: Let m = 15.

Find a multiplicative inverse of 8 modulo 15.
Clicker.
1 1
2 2
3 3
4 4
5 5
6 ≥6
2 · 8 = 16 ≡ 1( mod 15).
Thus 2 is a multiplicative inverse of 8 modulo 15.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 22 / 35

 Multiplicative Inverses

Find a multiplicative inverse of 7 modulo 15.

Clicker.
1 ≤3
2 between 4 and 8
3 between 9 and 11
4 between 12 and 14

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 23 / 35

 Multiplicative Inverses

What is the multiplicative inverse of 5 modulo 15?

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 24 / 35

 Multiplicative Inverses

What is the multiplicative inverse of 5 modulo 15?

1 · 5 ≡ 5(
mod 15)
2 · 5 ≡ 10(
mod 15)
3 · 5 ≡ 0(
mod 15)
4 · 5 ≡ 5(
mod 15)
5 · 5 ≡ 10(
mod 15)
6 · 5 ≡ 0(
mod 15)
7 · 5 ≡ 5(
Richard Mayr (University of Edinburgh, UK)
mod 15)
Discrete Mathematics. Chapter 4 24 / 35
 The multiplicative group
ZTheorem
m
∗

If a and m are relatively prime integers and m > 1, then a multiplicative

inverse of a modulo m exists. Furthermore, this inverse is unique
modulo m.
Proof. Since gcd (a, m) = 1, by Bézout’s Theorem there are integers
s
and t such that sa + tm = 1.
Hence, sa + tm ≡ 1( mod m).
Since tm ≡ 0( mod m), it follows that sa ≡ 1( mod m).
Consequently, s is a multiplicative inverse of a modulo m.
Uniqueness: Exercise.
Definition

Let Zm∗ = {x | 1 ≤ x < m and gcd (x, m) = 1}. Together with

multiplication modulo m, this is called the multiplicative group modulo
m. It is closed, associative, has a neutral element (namely 1) and
every element has an inverse.
Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 25 / 35
 The Chinese Remainder Theorem
Let
x ≡ 2( mod 3)
x ≡ 3( mod 5)
x ≡ 2( mod 7)
What is x ? (Or rather, what is the smallest x that satisfies these?)
Theorem (Chinese Remainder Theorem)
Let m1, m2, . . . , mn be pairwise relatively prime positive integers
greater than one and a1, a2, . . . , an arbitrary integers. Then the
system
x ≡ a1( mod
x a2( mod m2)
m 1) ≡
...
x ≡ an( mod mn)

has a unique solution modulo m = m1m2 . . . mn. (I.e., there is a

solution x with 0 ≤ x < m and all other solutions are congruent modulo
m to this solution.)
Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 26 / 35
 The Chinese Remainder Theorem: Proof
We will construct a solution x .
First, let Mk = m/mk for k = 1, 2, . . . , n and m = m1m2 . . . mn.
Since gcd (mk , Mk ) = 1, the number Mk has a multiplicative inverse yk
modulo mk . I.e.,
Mk yk ≡ 1( mod mk )
Now we let
x = a1M 1y1 + a2M 2y2 + · · · + an M n y n
Why does this x satisfy all the congruences?
If j ƒ= k then Mj ≡ 0( mod mk ), since Mj contains mk as a factor.
Thus
x mod mk = 0 + ak Mk yk mod mk
= (ak mod mk )
(Mk yk mod mk )
= (ak mod mk ) · 1
= ak mod mk
Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 27 / 35
 Fermat’s Little Theorem (Pierre de Fermat (1601-65))
Theorem
If p is prime and p ƒ |a, then ap−1 ≡ 1( mod p).
Furthermore, for every integer a we have ap ≡ a( mod p).

Proof sketch: ax mod p = (a mod p)x mod p. Also p ƒ |a. So

without restriction we consider only 0 < a < p.
Consider the powers of a1, a2, a3, . . . modulo p.
These form a subgroup of Zp∗which has some size k and we
have
ak ≡ 1 mod p.
By Lagrange’s theorem, k divides the size of Zp∗which is p
− 1, so
p − 1 = km for some positive integer m. Thus

ap−1 ≡ akm ≡ (ak )m ≡ 1m ≡ 1

mod p
Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 28 / 35
 Fermat’s Little Theorem

Fermat’s little theorem is useful in computing the remainders modulo p

of large powers of integers.

Example: Find 7222 mod 11.

By Fermat’s little theorem, we know that 710 ≡ 1 mod 11, and so
(710)k ≡ 1( mod 11) for every positive integer k .
Therefore, 7222 = 722·10+2 = (710)2272 ≡ 122 · 49 ≡ 5( mod 11).
Hence, 7222 mod 11 = 5.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 29 / 35

 Number Theory in Cryptography
Terminology:Two parties Alice and Bob want to communicate
securely s.t. a third party Eve who intercepts messages cannot learn
the content of the messages.
Symmetric Cryptosystems:Alice and Bob share a secret. Only they
know a secret key K that is used to encrypt and decrypt messages.
Given a message M, Alice encodes it (possibly with padding) into m,
and then sends the ciphertext encrypt (m, K ) to Bob. Then Bob uses
K to decrypt it and obtains decrypt (encrypt (m, K ), K ) = m.
Example: AES.
Public Key Cryptosystems:Alice and Bob do a-priori not share a
secret. How can they establish a shared secret when others are
listening to their messages?
Idea: Have a two-part key, i.e., a key pair. A public key that is used to
encrypt messages, and a secret key to decrypt them. Alice uses Bob’s
public key to encrypt a message (everyone can do that). Only Bob
can decrypt the message with his secret key.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 30 / 35

 RSA: an example of a Public Key
Cryptosystem
Named after Rivest, Shamir, Adelman (1976 at MIT). Discovered
earlier by Clifford Cocks, working secretly for the UK government.
Still widely used, e.g., in PGP and ssh.
Described here because it is easy to explain with elementary
number theory.
Cryptography:Caveats
There do not exist any cryptosystems that are proven to be
secure for complexity theoretic reasons (i.e., easy to encrypt, hard
to decrypt).
The only systems proven secure are so for information theoretic
reasons. Random one-time pad: secret key longer than message
and used only once (Vernam scheme). Message: mn . . . m0 bits.
Secret key: kn . . . k0 bits. Ciphertext: ci = mi xor ki . Decryption:
mi = ci xor ki .

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 31 / 35

 Cryptography:More Caveats
RSA could be broken with an efficient algorithm to factorize
numbers,but possibly also by other means. It is an open question
if an efficient method to break RSA would imply an efficient
factorization method.
A 768 bit RSA key has been broken, and experts believe 1024 bit
could be broken with sufficient resources.
Many experts increasingly doubt the security of RSA in general,
and recommend to use Elliptic curve cryptography systems
instead. (Also based on number theory, but harder to explain.)
Key generation relies on strong random number generation.
Vulnerabilities have been deliberately inserted by the NSA into
some systems (e.g., Dual_EC_DRBG).
Closed source implementationsof cryptographic software are
likely to contain more such backdoors, and cannot be considered
secure.

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 32 / 35

 Description of RSA: Key generation

Choose two distinct prime numbers p and q. Numbers p and q

should be chosen at random, and be of similar bit-length. Prime
integers can be efficiently found using a primality test.
Let n = pq and k = (p − 1)(q − 1). (In particular, k = |Zn∗|).
Choose an integer e such that 1 < e < k and gcd (e, k ) =
1; i.e., e and k are coprime.
e (for encryption) is released as the public key exponent.
(e must not be very small.)
Let d be the multiplicative inverse of e modulo k ,
i.e., de ≡ 1( mod k ). (Computed using the extended Euclidean
algorithm.) d (for decryption) is the private key and kept secret.
The public key is (n, e) and the private key is (n, d ).

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 33 / 35

 RSA: Encryption and Decryption
Alice transmits her public key (n, e) to Bob and keeps the private
key secret.
Encryption: Bob then wishes to send message M to Alice. He first
turns M into an integer m, such that 0 ≤ m < n by using an
agreed-upon reversible protocol known as a padding scheme. He then
computes the ciphertext c corresponding to

c ≡ me mod n

This can be done quickly using the method of exponentiation by

squaring. Bob then transmits c to Alice.
Decryption: Alice can recover m from c by using her private key
exponent d via computing

m ≡ cd mod n

Given m, she can recover the original message M by reversing the

padding scheme.
Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 34 / 35
 RSA: Correctness of decryption

Given that c ≡ me mod n, why is cd ≡ m mod n ?

cd ≡ (me)d ≡ med ( mod n).

By construction, d and e are each others multiplicative inverses
modulo k , i.e., ed ≡ 1( mod k ). Also k = (p − 1)(q − 1).
Thus ed − 1 = h(p − 1)(q − 1) for some integer
h.
We consider med modulo p. If p ƒ |m then

mod p)
med = mh(p−1)(q−1)m = (mp−1)h(q−1)m ≡ 1h(q−1)m ≡ m(

by Fermat’s little theorem. Otherwise med ≡ 0 ≡ m( mod p).

Symmetrically, med ≡ m( mod q).
Since p, q are distinct primes, we have med ≡ m( mod pq).
Since n = pq, we have cd ≡ med ≡ m( mod n).

Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 35 / 35