UNIVERSITÉ LIBRE DE BRUXELLES 2022-2023
FACULTÉ DES SCIENCES
INFO-F-405: Introduction to cryptography
Introduction to modular arithmetic
Theoretical background
Euler φ function
The Euler φ function gives the number of integers between $0$ and $n - 1$ coprime to $n$. For example, $\varphi(20) = 8$ because only the 8 integers $\{1, 3, 7, 9, 11, 13, 17, 19\}$ are coprime to 20.
A direct consequence of this definition is that for any prime number $p$, $\varphi(p) = p - 1$.
More generally, $\varphi(p^m) = p^m - p^{m-1} = (p - 1) \cdot p^{m-1}$.
Note also that φ is multiplicative: if $\gcd(m, n) = 1$, then $\varphi(m \cdot n) = \varphi(m) \cdot \varphi(n)$.
As a result, it is easy to compute $\varphi(n)$ when we know the prime factorization of $n$. Indeed, if $n = p_1^{m_1} \cdot p_2^{m_2} \cdots p_v^{m_v}$, with all the $p_i$ prime numbers, we have:
$$\varphi(n) = (p_1 - 1)\,p_1^{m_1 - 1}\,(p_2 - 1)\,p_2^{m_2 - 1} \cdots (p_v - 1)\,p_v^{m_v - 1} \qquad (1)$$
For example, $20 = 2^2 \cdot 5$ and $\varphi(20) = (2 - 1) \cdot 2 \cdot (5 - 1) = 8$.
Additive structure of multiplication
For modulus $n$ of the form $p^k$, $2p^k$ where $p$ is a prime and $k > 0$, there exists an integer $g$ (called the generator) such that the set of powers of $g$, $\{g^0, g^1, g^2, \ldots, g^{\varphi(n)-1}\}$, is the set of all integers coprime to $n$.
For example, if $n = 10$, we have $g = 3$ and $\{1, 3, 9, 27\} \equiv \{1, 3, 7, 9\}$.
Furthermore, $g^{\varphi(n)} \equiv 1 \equiv g^0$, meaning that the exponents of $g$ can be reduced mod $\varphi(n)$. If we multiply two integers $a = g^\alpha$ and $b = g^\beta$ mod $n$, their exponents add mod $\varphi(n)$: $ab = g^\alpha g^\beta = g^{(\alpha+\beta) \bmod \varphi(n)}$.
For example, modulo 10, $7 \equiv 3^3$ and $9 \equiv 3^2$, hence $7 \cdot 9 = 3^{3+2} \equiv 3^1 = 3$ because $\varphi(10) = 4$.
To compute the multiplicative inverse of an integer $a = g^\alpha$ mod $n$, one can simply take the additive inverse of the exponent mod $\varphi(n)$. Hence $a^{-1} \equiv g^{(-\alpha) \bmod \varphi(n)}$.
Modular exponentiation
Modular exponentiation is the computation of $a^b \bmod n$. Working modulo $n$, if we have a generator $g$ and $a \equiv g^\alpha$, to compute $a^b$, one can simply compute $(g^\alpha)^b = g^{\alpha \cdot b \bmod \varphi(n)}$.
In the same way a multiplication mod $n$ is equivalent to an addition mod $\varphi(n)$ of the exponents, the modular exponentiation mod $n$ is equivalent to a multiplication mod $\varphi(n)$ of the exponents.
Theorem (Euler) For all $a$ coprime with $n$, it holds that:
$$a^{\varphi(n)} \equiv 1 \bmod n \qquad (2)$$
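The exponent arithmetic of the last two sections, as an added Python example that is not part of the original course sheet. The function names phi, log_table, mul, inv and power are chosen here for illustration; the generator is found by brute force, which is only practical for small moduli.

```python
from math import gcd

def phi(n):
    """Euler phi from equation (1): product of (p - 1) * p^(m - 1)."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            m = 0
            while n % p == 0:      # strip the full prime power p^m
                n //= p
                m += 1
            result *= (p - 1) * p ** (m - 1)
        p += 1
    if n > 1:                      # one prime left, with exponent 1
        result *= n - 1
    return result

def log_table(n):
    """Return (g, log) where g generates Z_n^* and log[g^i mod n] = i.

    Raises ValueError when Z_n^* has no generator (for instance n = 8)."""
    order = phi(n)
    for g in range(2, n):
        if gcd(g, n) != 1:
            continue
        log, x = {}, 1
        while x not in log:        # walk g^0, g^1, ... until the cycle closes
            log[x] = len(log)
            x = x * g % n
        if len(log) == order:
            return g, log
    raise ValueError(f"no generator modulo {n}")

def mul(a, b, n):
    """a * b mod n as an addition of exponents mod phi(n)."""
    g, log = log_table(n)
    return pow(g, (log[a] + log[b]) % phi(n), n)

def inv(a, n):
    """a^-1 mod n as the additive inverse of the exponent mod phi(n)."""
    g, log = log_table(n)
    return pow(g, -log[a] % phi(n), n)

def power(a, b, n):
    """a^b mod n as a multiplication of exponents mod phi(n)."""
    g, log = log_table(n)
    return pow(g, log[a] * b % phi(n), n)
```

With n = 10 the search returns g = 3 as in the text, and with n = 25 it returns g = 2, so the three functions reproduce the computations asked for in Exercise 5.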
Multiplicative group of integers modulo n
So far, we have worked with $\mathbb{Z}_n$ with either addition or multiplication. Let us remember that a group requires four properties:
• closure
• associativity
• ∃ neutral (identity) element
• all elements of the group have an inverse
Working with the multiplicative group $\mathbb{Z}_8^*$ for instance, we would find that not all values in $\mathbb{Z}_8$ have an inverse, as shown in the table below.

 × | 0 1 2 3 4 5 6 7
---+----------------
 0 | 0 0 0 0 0 0 0 0
 1 | 0 1 2 3 4 5 6 7
 2 | 0 2 4 6 0 2 4 6
 3 | 0 3 6 1 4 7 2 5
 4 | 0 4 0 4 0 4 0 4
 5 | 0 5 2 7 4 1 6 3
 6 | 0 6 4 2 0 6 4 2
 7 | 0 7 6 5 4 3 2 1

We deduce from this table that the elements of $\mathbb{Z}_8^*$ are $\{1, 3, 5, 7\}$ because they have an inverse. More generally, any value $a$ in $\mathbb{Z}_n$ coprime to $n$ is in $\mathbb{Z}_n^*$.
Group order and element order
The order of a group refers to the cardinality of the group, i.e. the number of elements. The order of an element $a$ is the smallest positive integer $m$ such that $a^m = n$ where $n$ is the neutral (or identity) element.
Exercises
Exercise 1
Compute as fast as possible, without writing 78130*8012*700451*19119 mod 20.
Answer of exercise 1
Working modulo 20, we can ignore multiples of 100 and hence keep only the last two digits of each number. We see that $78130 \equiv 30 \equiv 10$ and $8012 \equiv 12$. Since $12 \cdot 10$ is an obvious multiple of 20, the whole product is 0.
Exercise 2
Compute by exhaustive search $23^{-1}$ in $\mathbb{Z}_{57}$ (the answer is a single digit number). Using this result, solve $23x + 52 \equiv 5$ in $\mathbb{Z}_{57}$. Could you solve an equation of the form $19x + a \equiv b$ using the same method?
Answer of exercise 2
• $23 \cdot 5 = 115 \equiv 1 \bmod 57$.
• $x \equiv (5 - 52) \cdot 23^{-1} \equiv 50$
• No, because 19 is not invertible as $57 = 19 \cdot 3$ (not coprime).
Exercise 3
Show that $n - 1$ is self-inverse in $\mathbb{Z}_n$.
Answer of exercise 3
$(n - 1)^2 = n^2 - 2n + 1 \equiv 1 \bmod n$
Exercise 4
Show that for n = pq, φ(n) = (p − 1)(q − 1) for p, q two prime numbers.
Answer of exercise 4
Let $S_1$ be the multiples of $p$ less than $pq$ and let $S_2$ be the multiples of $q$ less than $pq$.
The total number of coprimes is $\varphi(pq) = pq - 1 - |S_1| - |S_2|$, since only multiples of $p$ or $q$ can share a factor with $pq$. Since $|S_1| = q - 1$ and $|S_2| = p - 1$, we have $\varphi(pq) = pq - 1 - q + 1 - p + 1 = pq - p - q + 1 = (p - 1) \cdot (q - 1)$.
Exercise 5
Compute $2^i \bmod 25$ until cycling back to 1 (it might take a while but less than 25 steps). Then:
• Deduce the value of $\varphi(25)$.
• Compute $18 \cdot 22 \bmod 25$ without doing any multiplication using the previous results.
• Solve $16x \equiv 1 \bmod 25$.
• Compute $17^{2024} \bmod 25$.
Answer of exercise 5
 i -> 2^i mod 25     i -> 2^i mod 25
 0 -> 1             11 -> 23
 1 -> 2             12 -> 21
 2 -> 4             13 -> 17
 3 -> 8             14 -> 9
 4 -> 16            15 -> 18
 5 -> 7             16 -> 11
 6 -> 14            17 -> 22
 7 -> 3             18 -> 19
 8 -> 6             19 -> 13
 9 -> 12            20 -> 1
10 -> 24
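• $\varphi(25) = 20$
• $18 \cdot 22 = 2^{15} \cdot 2^{17} = 2^{32} \equiv 2^{12} \equiv 21$ (remember we compute the exponent mod $\varphi(25) = 20$)
• $x \equiv 16^{-1}$
⇔ $x \equiv (2^4)^{-1} \equiv 2^{-4}$
⇔ $x \equiv 2^{-4} \cdot 1 \equiv 2^{-4} \cdot 2^{20} \equiv 2^{16} \equiv 11$
• $17^{2024} \equiv 17^4 \equiv 2^{13 \cdot 4} \equiv 2^{52} \equiv 2^{12} \equiv 21$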
Ex. 6 — Asymmetric Cryptography - Euler φ(n) Function
1. Compute the Euler φ(n) function for all n ∈ {2, 3, 4, 5, 36}.
2. Give the results of $2^{32} \bmod 31$, $3^{16} \bmod 32$ and $8^{14} \bmod 25$ without performing the actual exponentiations but by using only the Euler Theorem.
Answer of exercise 6
1. • $\varphi(2) = 2^1 - 2^0 = 2 - 1 = 1$
   • $\varphi(3) = 3^1 - 3^0 = 3 - 1 = 2$
   • $\varphi(4) = \varphi(2^2) = 2^2 - 2^1 = 4 - 2 = 2$
   • $\varphi(5) = 5^1 - 5^0 = 5 - 1 = 4$
   • $\varphi(36) = \varphi(2^2 3^2) = \varphi(2^2) \cdot \varphi(3^2) = (2^2 - 2^1) \cdot (3^2 - 3^1) = 2 \cdot 6 = 12$
2. • According to Euler's theorem we have $2^{30} = 2^{\varphi(31)} = 1 \bmod 31$.
     Therefore, we can compute $2^{32} \bmod 31 = 2^2 \cdot 2^{30} \bmod 31 = 4 \cdot 1 \bmod 31 = 4 \bmod 31$.
     We conclude that $2^{32} \equiv 4 \pmod{31}$.
   • Similarly, according to Euler's theorem we have $3^{16} = 3^{\varphi(2^5)} = 3^{\varphi(32)} = 1 \bmod 32$.
     Therefore, $3^{16} \equiv 1 \pmod{32}$.
   • Since 8 and 25 are coprime, we can apply Euler's theorem. Let us first compute $\varphi(25)$: $\varphi(25) = \varphi(5^2) = 5^2 - 5^1 = 20$.
     Because the exponent 14 is lower than $\varphi(25)$, Euler's theorem cannot reduce it directly. However, we can lower the base in order to raise the exponent to a value greater than $\varphi(25)$: $8^{14} = (2^3)^{14} = 2^{42}$.
     We can now apply Euler's theorem: $2^{42} = 2^{20} \cdot 2^{20} \cdot 2^2 \equiv 1 \cdot 1 \cdot 2^2 \bmod 25 \equiv 4 \bmod 25$.
Ex. 7 — Cyclic Groups and Generators
Working with the multiplicative group $\mathbb{Z}_p^*$ for $p = 19$ …
1. List all the elements of $\mathbb{Z}_{19}^*$ and determine the order of the group.
2. Determine the order $\mathrm{ord}(a)$ of each element $a \in \mathbb{Z}_{19}^*$. Use the following two facts to simplify the amount of calculations:
Fact (1) If $a \in \mathbb{Z}_p^*$ then $\mathrm{ord}(a)$ divides the order of $\mathbb{Z}_p^*$.
Fact (2) $\mathrm{ord}(a^k)$ is equal to $\mathrm{ord}(a)/\gcd(\mathrm{ord}(a), k)$.
3. List all the generators of $\mathbb{Z}_{19}^*$.
Answer of exercise 7
1. Since $p$ is prime, the order of the group $\mathbb{Z}_p^*$ is $p - 1 = 19 - 1 = 18$. The elements of $\mathbb{Z}_{19}^*$ are $\{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18\}$.
2. Recall that the order of an element $a \in \mathbb{Z}_p^*$ is the smallest number $i$ such that $a^i \bmod p = 1$ where $1 \leq i \leq |\mathbb{Z}_p^*|$.
Obviously, the order $\mathrm{ord}(1) = 1$.
For any other value $a \neq 1$, we need to explore a wider range of possibilities.
From Fact (1), we know that $i$ divides $\mathrm{ord}(\mathbb{Z}_{19}^*) = 18$. As a result, the candidates for $i$ are $\{1, 2, 3, 6, 9, 18\}$.
Using Fact (2) we know that computing $\mathrm{ord}(2)$ will enable us to easily calculate $\mathrm{ord}(4)$, $\mathrm{ord}(8)$ and $\mathrm{ord}(16)$. Similarly, computing $\mathrm{ord}(3)$ will enable us to easily calculate $\mathrm{ord}(9)$.
Finally, let us not forget that, from Euler's theorem, $a^{18} \equiv 1 \bmod 19$ since $\varphi(19) = 18$.
To sum up, what we need to do is to compute the order for the elements $a \in \{2, 3, 5, 6, 7, 10, 11, 12, 13, 14, 15, 17\}$ by finding the smallest integer $i \in \{2, 3, 6, 9\}$ such that
$a^i \bmod 19 = 1$.
If no such integer $i$ exists, then the order of $a$ is automatically equal to 18 (which is the order of the group $\mathbb{Z}_{19}^*$) from Euler's theorem.
For 2:
• $2^2 = 4$
• $2^3 = 8$
• $2^6 = 64 \equiv 7 \bmod 19$
• $2^9 = 2^3 \cdot 2^6 = 8 \cdot 7 = 56 \equiv 18 \bmod 19$
• Since none of the values worked, we deduce from Euler's theorem that $2^{18} \equiv 1 \bmod 19$ and that $\mathrm{ord}(2) = 18$.
This enables us to compute the orders of 4, 8 and 16 easily:
• $4 = 2^2 \Leftrightarrow 2^{18} = (2^2)^9 \Rightarrow \mathrm{ord}(4) = 9$
• $8 = 2^3 \Leftrightarrow 2^{18} = (2^3)^6 \Rightarrow \mathrm{ord}(8) = 6$
• $16 = 2^4$. From Fact (2) we know that $\mathrm{ord}(2^4) = \frac{\mathrm{ord}(2)}{\gcd(\mathrm{ord}(2), 4)} = \frac{18}{\gcd(18, 4)} = \frac{18}{2} = 9$.
The complete list of $\mathrm{ord}(a)$ can be found in the table below.

a      |  1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18
-------+------------------------------------------------------------------------
ord(a) |  1  18  18   9   9   9   3   6   9  18   3   6  18  18  18   9   9   2
3. Since $\mathbb{Z}_{19}^*$ is a cyclic group (because 19 is a prime), the number of generators can be determined by computing $|\mathbb{Z}_{\varphi(p)}^*|$. Hence we need to calculate $|\mathbb{Z}_{\varphi(19)}^*| = |\mathbb{Z}_{18}^*|$. Applying the Euler φ function, this results in $|\mathbb{Z}_{18}^*| = \varphi(18) = 6$.
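The procedure of Exercise 7, as an added Python example that is not part of the original course sheet: element orders are found by testing only the divisors of the group order (Fact 1), the whole table is then derived from one generator (Fact 2), and the generators are read off. The function names are chosen here for illustration and p is assumed to be an odd prime.

```python
from math import gcd

def divisors(m):
    """Positive divisors of m in increasing order."""
    return [d for d in range(1, m + 1) if m % d == 0]

def order(a, p):
    """Order of a in Z_p^*: by Fact (1) only divisors of p - 1 are candidates."""
    for d in divisors(p - 1):
        if pow(a, d, p) == 1:
            return d
    raise ValueError("a is not an element of Z_p^*")

def orders_from_generator(g, p):
    """Map every element of Z_p^* to its order, using Fact (2):
    ord(g^k) = ord(g) / gcd(ord(g), k)."""
    n = order(g, p)
    if n != p - 1:
        raise ValueError("g does not generate Z_p^*")
    return {pow(g, k, p): n // gcd(n, k) for k in range(1, n + 1)}

def generators(p):
    """All generators of Z_p^*: the elements whose order is p - 1."""
    g = next(a for a in range(2, p) if order(a, p) == p - 1)
    table = orders_from_generator(g, p)
    return sorted(a for a, o in table.items() if o == p - 1)

def coprime_count(m):
    """phi(m) by direct counting, to cross-check the number of generators."""
    return sum(1 for k in range(1, m + 1) if gcd(k, m) == 1)
```

For p = 19, orders_from_generator(2, 19) reproduces the table of ord(a) above, and generators(19) returns the six elements of order 18, matching the count φ(18) = 6.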