
MAT102H5Y Summer 2019

Supplementary Notes on Number Theory Applications


Euler’s Theorem, Fermat’s Little Theorem, Chinese Remainder Theorem, RSA

In this section we continue the discussion of congruences from Chapter 7 to develop some nice number
theoretic results that have applications to prime number testing and cryptography.
Recall that two integers a and b are said to be relatively prime if gcd(a, b) = 1.

Euler’s totient function (or Euler’s phi-function) is the function φ : N → N defined by

φ(m) = the number of integers in {1, 2, . . . , m} that are relatively prime with m.

This function is due to mathematician Leonhard Euler, who introduced it in 1763 [1] – although it was
Gauss in 1801 who first used φ for the name of this function. [2]
Example 1. We have φ(1) = 1 since 1 is the only integer in {1} relatively prime with 1.
Example 2. To compute φ(8), we count how many integers in {1, 2, . . . , 8} are relatively prime with 8.
These are 1, 3, 5, and 7; so φ(8) = 4. Values of φ(m) for small values of m are given below.

   m    integers 1 ≤ k ≤ m such that gcd(k, m) = 1    φ(m)
   1    1                                              1
   2    1                                              1
   3    1, 2                                           2
   4    1, 3                                           2
   5    1, 2, 3, 4                                     4
   6    1, 5                                           2
   7    1, 2, 3, 4, 5, 6                               6
   8    1, 3, 5, 7                                     4
   9    1, 2, 4, 5, 7, 8                               6
  10    1, 3, 7, 9                                     4
  11
  12
  13
  14
  15
  16

Exercise 3. Complete the above table for φ(m) for m = 11, 12, . . . , 16.

If p is prime, then all integers from 1 to p − 1 are relatively prime with p. This implies the following
result:
Lemma 4. If p is prime, then φ(p) = p − 1.
Exercise 5. Is the converse of the above statement true? That is, if m > 2 is an integer such that
φ(m) = m − 1, does it necessarily follow that m is prime?
Exercise 6. If p is prime and k ∈ N, what is φ(p^k)?
Exercise 7. If p and q are prime, prove that φ(pq) = (p − 1)(q − 1).

[1] Euler, Theoremata arithmetica nova methodo demonstrata, http://eulerarchive.maa.org/pages/E271.html
[2] Gauss, Disquisitiones Arithmeticae, article 38

The main result we would like to prove in this section is called Euler’s Theorem, which implies another
result called Fermat’s Little Theorem as a special case.

Euler’s Theorem
Suppose x, m ∈ N and gcd(x, m) = 1. Then

    x^{φ(m)} ≡ 1 (mod m).

Fermat’s Little Theorem (FLT)

If p is prime and a ∈ N with gcd(a, p) = 1, then

    a^{p−1} ≡ 1 (mod p).

Proof: This is the special case of Euler’s Theorem where m is prime, using Lemma 4 to replace φ(p) by p − 1.

Although FLT is a special case of Euler’s Theorem, it was FLT that was actually proven first – in 1736,
also by Euler. [3] Only in 1763 did Euler publish the generalization that is Euler’s Theorem. [4]
Before we prove Euler’s Theorem, let’s look at some examples.

Example 8. Take m = 8 and x = 7 so that gcd(x, m) = 1. By Euler’s Theorem, we have

    7^{φ(8)} ≡ 1 (mod 8) ⇒ 7^4 ≡ 1 (mod 8).

Example 9. What is the remainder when 3^{2019} is divided by 113?

Solution: Since gcd(3, 113) = 1, we can apply Euler’s Theorem. In fact, 113 is prime, so FLT applies
here, so we know that
    3^{112} ≡ 1 (mod 113).
Using the division algorithm on 2019 we get 2019 = 18 · 112 + 3. Hence

    3^{2019} ≡ (3^{112})^{18} · 3^3 (mod 113) ≡ 27 (mod 113).

So the remainder when 3^{2019} is divided by 113 is 27.

To prove Euler’s Theorem we first need the following results:


Lemma 10. Let m, a, b ∈ N. If m | ab and gcd(a, m) = 1, then m | b.

Exercise 11. Prove Lemma 10 using Bezout’s Identity.

Lemma 12 (The Cancellation Law). Let a, m ∈ N with gcd(a, m) = 1. If ax ≡ ay (mod m), then
x ≡ y (mod m).

Proof. Since ax ≡ ay (mod m), we have m | (ax − ay), or m | a(x − y). Since gcd(a, m) = 1, we can
apply Lemma 10, which proves that m | (x − y), or that x ≡ y (mod m).

[3] Euler, Theorematum quorundam ad numeros primos spectantium demonstratio,
    http://eulerarchive.maa.org//pages/E054.html
[4] Euler, Theoremata arithmetica nova methodo demonstrata, http://eulerarchive.maa.org//pages/E271.html

Proof of Euler’s Theorem


Let x, m ∈ N such that gcd(x, m) = 1.
First define the set
    S = {y : 1 ≤ y ≤ m, gcd(y, m) = 1}
to be the set of natural numbers smaller than m and relatively prime with m. We know that there are
exactly φ(m) elements in the set S, so we can label them as S = {a_1, a_2, . . . , a_{φ(m)}}, where gcd(a_i, m) = 1
for i = 1, 2, . . . , φ(m).
Since we have gcd(a_i, m) = 1 and gcd(x, m) = 1, we must also have
    gcd(x·a_i, m) = 1 for any i = 1, 2, . . . , φ(m).

We invoke the Division Algorithm now to write x·a_i as
    x·a_i = qm + r for some 0 ≤ r < m,
which implies that x·a_i ≡ r (mod m). Combining with the fact that gcd(x·a_i, m) = 1, this implies that
gcd(r, m) = 1, so r is a natural number smaller than m and relatively prime with m.
In other words, r is in the set S, and we can write r = a_j for some 1 ≤ j ≤ φ(m). This means for each
1 ≤ i ≤ φ(m), we have x·a_i ≡ a_j (mod m) for some 1 ≤ j ≤ φ(m).
Furthermore, none of the a_j’s are repeated, because no two x·a_i terms are equivalent modulo m. (Otherwise,
x·a_{i_1} ≡ x·a_{i_2} (mod m) ⇒ a_{i_1} ≡ a_{i_2} (mod m) by the Cancellation Law, which is a contradiction as
the a_i’s are all distinct and smaller than m.)
Hence, each integer x·a_i is congruent modulo m to distinct elements in S:
    x·a_1 ≡ a_{j_1} (mod m)
    x·a_2 ≡ a_{j_2} (mod m)
    ...
    x·a_{φ(m)} ≡ a_{j_{φ(m)}} (mod m)
Multiplying all the congruences together gives another congruence, where the right-hand side is just
∏_{k=1}^{φ(m)} a_{j_k} = ∏_{i=1}^{φ(m)} a_i since each element of S appears exactly once. Hence,

    ∏_{i=1}^{φ(m)} x·a_i ≡ ∏_{i=1}^{φ(m)} a_i (mod m) ⇒ x^{φ(m)} ≡ 1 (mod m)

by an application of the Cancellation Law.

How does Euler/FLT help when testing primes?


Fermat’s Little Theorem asserts that if p is prime and gcd(a, p) = 1, then a^{p−1} ≡ 1 (mod p). Note that
the converse of this statement is not true in general: even if gcd(a, m) = 1 and a^{m−1} ≡ 1 (mod m), we
would not be able to conclude that m is prime. (Can you think of a composite number m and a natural
number a for which this happens?)
This means that we cannot use FLT to tell us when a number is prime.
BUT! We can use FLT to tell us that a number is NOT prime, using the contrapositive of the theorem
statement:

    If a, m ∈ N, gcd(a, m) = 1, and a^{m−1} ≢ 1 (mod m), then m is composite.

This is nice, because instead of trying to find factors of large numbers, we could just determine the
congruence class of a^{m−1} modulo m, and if it isn’t [1], then m can’t be prime.
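The exponent reduction of Example 9 and the compositeness test just described, as an added Python example that is not part of the notes; the function names and the sample numbers 221 = 13 · 17 and 341 = 11 · 31 are my own choices.

```python
from math import gcd

def phi(m):
    """Euler's totient exactly as the notes define it: how many k in {1, ..., m} have gcd(k, m) = 1."""
    return sum(1 for k in range(1, m + 1) if gcd(k, m) == 1)

def power_mod_via_euler(x, n, m):
    """x^n mod m computed the way Example 9 does it: when gcd(x, m) = 1 we have
    x^phi(m) = 1 (mod m), so only the remainder of n modulo phi(m) matters."""
    if gcd(x, m) != 1:
        raise ValueError("Euler's Theorem needs gcd(x, m) = 1")
    r = n % phi(m)        # for x = 3, m = 113: 2019 = 18 * 112 + 3, so r = 3
    return pow(x, r, m)   # Python's built-in modular power, i.e. x^r mod m

def is_fermat_witness(m, a):
    """True if the base a proves m composite by the contrapositive of FLT, i.e.
    gcd(a, m) = 1 and a^(m-1) != 1 (mod m).  A False result proves NOTHING:
    the converse of FLT fails, so a composite m can still pass for some bases."""
    if not 1 < a < m:
        raise ValueError("base must satisfy 1 < a < m")
    if gcd(a, m) != 1:
        return True       # a nontrivial common factor already shows m is composite
    return pow(a, m - 1, m) != 1

def fermat_verdict(m, bases=(2, 3, 5, 7)):
    """'composite' when some base is a witness, otherwise 'no witness found'.
    Deliberately never answers 'prime': the constructed sample 341 = 11 * 31
    satisfies 2^340 = 1 (mod 341) and is only caught here by base 3."""
    for a in bases:
        if a < m and is_fermat_witness(m, a):
            return "composite"
    return "no witness found"

if __name__ == "__main__":
    print(power_mod_via_euler(3, 2019, 113))                     # 27, as in Example 9
    print(is_fermat_witness(341, 2), is_fermat_witness(341, 3))  # False True
    print(fermat_verdict(341), fermat_verdict(113))              # composite no witness found
```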

The Chinese Remainder Theorem


The Chinese remainder theorem is another ancient number theory result about remainders when dividing
a number by several integers. It was stated as far back as the 3rd century AD by Chinese mathematician
Sunzi [5] (孫子, not to be confused with 孫子, author of The Art of War).

Chinese Remainder Theorem (General case)


Let m_1, m_2, . . . , m_n be pairwise relatively prime integers, that is, gcd(m_i, m_j) = 1 whenever i ≠ j.
Then the system of n congruences

    x ≡ a_1 (mod m_1)
    x ≡ a_2 (mod m_2)
    ...
    x ≡ a_n (mod m_n)

has a unique solution for x, modulo M = m_1 m_2 · · · m_n.

What does this mean?? First, note that when you are asked to solve the system of congruences, this
means to find x (modulo M ) that satisfies all the congruences simultaneously.
Example 13. Consider the system of congruences

x ≡ 3 (mod 5)
x ≡ 1 (mod 7)

In English, this would be like asking the question

    Find a natural number x that leaves a remainder of 3 when divided by 5 and a remainder of 1 when divided by 7.

Clearly picking x = 8 will work, since 8 ≡ 3 (mod 5) and 8 ≡ 1 (mod 7).


Another solution is x = 78. (verify this yourself!)
The Chinese remainder theorem guarantees the existence of a solution as long as the moduli (here, 5 and
7 are the moduli) are relatively prime, and also guarantees that in the set of integers modulo 5 × 7 = 35,
there is a unique solution.
So here x ≡ 8 (mod 35) is the solution. (Note that 78 and 8 belong to the same congruence class modulo
35; in fact, any integer of the form 8 + 35k for k ∈ Z will work!)

Example 14. Sunzi’s classic example is the system

    x ≡ 2 (mod 3)
    x ≡ 3 (mod 5)
    x ≡ 2 (mod 7)

Verify that x ≡ 23 (mod 105) is a solution to this system.

[5] https://en.wikipedia.org/wiki/Chinese_remainder_theorem

How can we construct solutions to these systems of congruences efficiently? To do this, we first define
the notion of the multiplicative inverse of an integer modulo m.

Multiplicative Inverse
Given a, m ∈ N and gcd(a, m) = 1, we say that b is a multiplicative inverse of a modulo m if

ab ≡ 1 (mod m).

Exercise 15. Let m = 15 and a = 2. Verify that b = 8 and b = 53 are both inverses of 2 modulo 15.

Usually, when working modulo m, we are interested in finding the specific inverse in the range 1 ≤ b < m,
to keep numbers small. We will call this quantity the multiplicative inverse of a modulo m.

Example 16. The multiplicative inverse of 7 modulo 30 is 13, since (7)(13) = 91 ≡ 1 (mod 30).

Now we are ready to construct solutions to systems of congruences.

Solution to a system of two congruences


Let m_1, m_2 ∈ N and gcd(m_1, m_2) = 1, and consider the system

    x ≡ a (mod m_1)
    x ≡ b (mod m_2)

Perform the following steps:

• Find the multiplicative inverse of m_2 modulo m_1, call it t.
• Find the multiplicative inverse of m_1 modulo m_2, call it s.
• Modulo M = m_1 m_2, the solution is x ≡ a·t·m_2 + b·s·m_1 (mod m_1 m_2).

Exercise 17. Prove that x ≡ a·t·m_2 + b·s·m_1 (mod m_1 m_2) satisfies both congruences in the given system.

Exercise 18. Prove that x ≡ a·t·m_2 + b·s·m_1 (mod m_1 m_2) is the only solution to the given system modulo
m_1 m_2.

Example 19. Once again consider the system

    x ≡ 3 (mod 5)
    x ≡ 1 (mod 7)

We have a = 3, b = 1, m_1 = 5, m_2 = 7, and inverses t = 3 and s = 3.

Hence the solution, modulo M = m_1 m_2 = 35, is x ≡ (3)(3)(7) + (1)(3)(5) (mod 35). Simplifying gives
3 · 3 · 7 + 1 · 3 · 5 = 63 + 15 = 78, so the solution is x ≡ 78 (mod 35) ≡ 8 (mod 35), which agrees with our
initial answer.

Solution to a general system of congruences


Let m_1, m_2, . . . , m_n ∈ N and gcd(m_i, m_j) = 1 for i ≠ j, and consider the system

    x ≡ a_1 (mod m_1)
    x ≡ a_2 (mod m_2)
    ...
    x ≡ a_n (mod m_n)

Perform the following steps:

• Let M = m_1 m_2 · · · m_n.
• For each i = 1, 2, . . . , n:
  – Define b_i = M/m_i (the product of all moduli other than m_i).
  – Find the multiplicative inverse of b_i modulo m_i, call it t_i.
• Modulo M = m_1 m_2 · · · m_n, the solution is

    x ≡ a_1 b_1 t_1 + a_2 b_2 t_2 + · · · + a_n b_n t_n (mod M) ≡ ∑_{i=1}^{n} a_i b_i t_i (mod M).

Example 20. Applying the above algorithm to Sunzi’s system, we have M = 3 · 5 · 7 = 105, and the
quantities

    a_1 = 2    m_1 = 3    b_1 = 35    t_1 = 2
    a_2 = 3    m_2 = 5    b_2 = 21    t_2 = 1
    a_3 = 2    m_3 = 7    b_3 = 15    t_3 = 1

Hence we calculate ∑_{i=1}^{3} a_i b_i t_i = 2 · 35 · 2 + 3 · 21 · 1 + 2 · 15 · 1 = 140 + 63 + 30 = 233, and so the solution is

    x ≡ 233 (mod 105) ≡ 23 (mod 105).
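The two-congruence and general procedures above, implemented as an added Python example that is not part of the notes. The multiplicative inverses are computed with the extended Euclidean algorithm (Bezout’s Identity, as in Exercise 4); the function names are my own.

```python
from math import gcd, prod

def bezout(a, b):
    """Extended Euclidean algorithm: return (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v

def mod_inverse(a, m):
    """The multiplicative inverse of a modulo m in the range 1 <= b < m.
    It exists exactly when gcd(a, m) = 1: from u*a + v*m = 1 we get u*a = 1 (mod m)."""
    g, u, _ = bezout(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd = {g}")
    return u % m

def crt(residues, moduli):
    """Solve x = a_i (mod m_i) for pairwise coprime moduli, following the notes' steps:
    M = m_1 ... m_n, b_i = M / m_i, t_i = inverse of b_i mod m_i, x = sum a_i b_i t_i (mod M).
    Returns (x, M) with 0 <= x < M."""
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:      # the theorem's hypothesis
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    M = prod(moduli)
    total = 0
    for a, m in zip(residues, moduli):
        b = M // m                 # product of all the other moduli
        t = mod_inverse(b, m)      # b*t = 1 (mod m), so a*b*t = a (mod m) and = 0 (mod every other m_j)
        total += a * b * t
    return total % M, M

if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))   # (23, 105): Sunzi's system, Example 20
    print(crt([3, 1], [5, 7]))         # (8, 35): Examples 13 and 19
```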

The RSA Algorithm


The RSA Algorithm (after Rivest, Shamir, Adleman) is a public-key cryptosystem that is used for
data transmission. [6] A public key (based on two large primes p and q) is given out, and anyone who
would like to send a message to the receiver can use this public key to encrypt the data. An encrypted
message can only be decrypted with the private key, which only the receiver knows. This is based on the
fact that factoring the number N = pq is very difficult.
To discuss the algorithm, we first define the mod operation to be:

a mod m = the remainder obtained from the Division Algorithm when a is divided by m.

This is another way of representing the congruence class of a modulo m.


[6] https://en.wikipedia.org/wiki/RSA_(cryptosystem)

Suppose Alice wants to send Bob a message. Bob picks


• two large primes p and q, and
• another number e such that gcd(e, (p − 1)(q − 1)) = 1.

Bob computes N = pq, (p − 1)(q − 1), and d, the multiplicative inverse of e modulo (p − 1)(q − 1).
Then, Bob publishes the public key (e, N ) and keeps the other quantities private.
Suppose Alice wants to send the message x to Bob. They can ensure privacy of the data transmitted in
this manner:

• Alice computes y = x^e mod N and sends y to Bob.
• Anyone who sees the message y will not be able to decrypt it and retrieve x.
• Bob knows d, so he computes y^d mod N. The result is x, the original message.

Why does this work?


First of all, since d and e are inverses modulo M = (p − 1)(q − 1), we have
    ed ≡ 1 (mod M), or ed = 1 + kM for some integer k,
so
    y^d ≡ (x^e)^d (mod N) ≡ x^{ed} (mod N) ≡ x^{1+kM} (mod N).

By Exercise 7 and Euler’s Theorem (of which Fermat’s Little Theorem is the prime-modulus special case),
assuming gcd(x, N) = 1, we have

    x^{φ(N)} ≡ 1 (mod N) ⇒ x^{(p−1)(q−1)} ≡ 1 (mod N) ⇒ x^M ≡ 1 (mod N).

Thus we have
    y^d ≡ x · (x^M)^k (mod N) ≡ x · (1)^k (mod N) ≡ x (mod N).
This means Bob successfully recovers Alice’s original message x.

Example 21. Suppose Bob picks p = 7, q = 13 as two primes, so that N = 91 and M = (6)(12) = 72.
Also, Bob picks e = 5, which has multiplicative inverse d = 29 modulo M . (Check this!)
Bob’s public key is (N = 91, e = 5).
Alice wants to transmit the message ROFL. To do this she first represents it numerically:

R O F L → 18 15 6 12

Then she computes x^e mod N for each number x in the message, and sends the results to Bob.

• 18^5 mod 91 = 44
• 15^5 mod 91 = 71
• 6^5 mod 91 = 41
• 12^5 mod 91 = 38

So Alice sends the message 44 71 41 38 to Bob.

To decrypt, Bob just raises each block to d = 29 and computes the remainder modulo 91.

• 44^29 mod 91 = 18
• 71^29 mod 91 = 15
• 41^29 mod 91 = 6
• 38^29 mod 91 = 12

Bob obtains the message 18 15 6 12, and translates it back to ROFL.


Note that the two primes we used were small enough so that N = 91 = 7 · 13 is easily factorable, and
d obtainable. When p and q are very large, it becomes close to impossible to factor N , protecting the
secrecy of the private key d used to decrypt any sent messages. (Also, the operation is usually done on
blocks of letters and not on single letters, to make the transmission more difficult to attack.)
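Example 21 carried out in code, as an added Python example that is not part of the notes. The A = 1, . . . , Z = 26 numbering, the function names, and the use of Python’s built-in pow(e, -1, M) (Python 3.8 or newer) for the inverse are my assumptions.

```python
from math import gcd

# Bob's tiny parameters from Example 21 (real keys use primes of hundreds of digits).
P, Q, E = 7, 13, 5

def keygen(p, q, e):
    """Return ((e, N), d): the published key (e, N) and Bob's private exponent d."""
    N = p * q
    M = (p - 1) * (q - 1)          # phi(N) by Exercise 7; the notes call it M
    if gcd(e, M) != 1:
        raise ValueError("e must be relatively prime to (p - 1)(q - 1)")
    d = pow(e, -1, M)              # multiplicative inverse of e modulo M
    return (e, N), d

def encode(text):
    """Letters A..Z -> 1..26, the numbering the notes use for ROFL."""
    return [ord(c) - ord("A") + 1 for c in text.upper()]

def decode(nums):
    return "".join(chr(n + ord("A") - 1) for n in nums)

def encrypt(public_key, blocks):
    """y = x^e mod N for each block x; every x must be smaller than N.
    One letter per block is a fixed substitution (equal letters give equal y),
    which is why the notes say real use works on blocks of letters."""
    e, N = public_key
    if any(not 0 <= x < N for x in blocks):
        raise ValueError("each block must lie in 0 .. N-1")
    return [pow(x, e, N) for x in blocks]

def decrypt(d, N, blocks):
    """x = y^d mod N for each block y.  The notes' proof assumes gcd(x, N) = 1;
    the letter M (x = 13) violates that for N = 91 but still decrypts correctly,
    because N is a product of two distinct primes."""
    return [pow(y, d, N) for y in blocks]

def roundtrip(text, p=P, q=Q, e=E):
    """Alice encrypts `text` under Bob's public key; Bob decrypts it with d."""
    (e, N), d = keygen(p, q, e)
    cipher = encrypt((e, N), encode(text))
    return cipher, d, decode(decrypt(d, N, cipher))

if __name__ == "__main__":
    print(roundtrip("ROFL"))   # ([44, 71, 41, 38], 29, 'ROFL')
```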

Additional Exercises

In the following exercises, define the operation a mod m to be the remainder obtained from the Division
Algorithm when a is divided by m.

1. Compute each quantity:

   (a) 3^{12} mod 5    (b) 4^{25} mod 8    (c) 11^{470} mod 37

2. Find the multiplicative inverse of each integer b modulo m:

   (a) b = 4, m = 5    (b) b = 13, m = 76    (c) b = 33, m = 7    (d) b = 10, m = 9    (e) b = 100, m = 999

3. Solve for x in the following congruences of the form ax + b ≡ c (mod m). That is, determine the
congruence class of x among [0], [1], . . . , [m − 1].
(Hint: You may use the results of the previous exercise.)

   (a) 4x ≡ 3 (mod 5)    (b) 33x + 4 ≡ 2 (mod 7)    (c) 100x − 23 ≡ 11 (mod 999)

4. Show that if a, m ∈ N and gcd(a, m) = 1, then a has a multiplicative inverse modulo m.


(Hint: Use Bezout’s Identity.)
5. Use the Chinese Remainder Theorem to find the smallest positive integer y such that
• y divided by 9 leaves a remainder of 7, and
• y divided by 10 leaves a remainder of 9.
6. Use the Chinese Remainder Theorem to find the smallest positive integer x such that

    x ≡ 2 (mod 3)
    x ≡ 2 (mod 7)
    x ≡ 1 (mod 13)

7. Compute each quantity:

   (a) 3^{2019} mod 5    (b) 3^{2019} mod 7    (c) 3^{2019} mod 11
   (d) 3^{2019} mod 385 (Hint: 385 = 5 · 7 · 11; use the Chinese Remainder Theorem)

Wilson’s Theorem states that if p is prime, then (p − 1)! ≡ −1 (mod p), where (p − 1)! is the
factorial of p − 1, defined by (p − 1)! = (p − 1)(p − 2) · · · (2)(1).
8. Verify that Wilson’s Theorem holds for p = 5 and p = 7.
9. For larger primes, instead of naively multiplying out (p − 1)!, we make use of the fact that we are
working modulo p. For example, suppose we want to verify the theorem for p = 19.
(a) Except for [1] and [18], list all congruence classes modulo 19.
(b) For each congruence class listed in (a), try to pair it up with its inverse. E.g. the inverse of [2] is
[10], since 2 · 10 ≡ 1 (mod 19). Are you able to completely pair all of them up?
(c) How would you use (b) to prove 18! ≡ −1 (mod 19)?
10. (Difficult) Prove Wilson’s Theorem by repeating the process in the previous exercise, but for a general
prime p. A crucial step in the proof is to show that one can always partition the set of congruence
classes {[2], [3], . . . , [p − 2]} into pairs {[a], [b]} such that ab ≡ 1 (mod p). Why does each [a] have an
inverse modulo p?
