Cryptography/Mathematical Background

Modern public-key (asymmetric) cryptography is based upon a branch of mathematics known as number theory, which is concerned solely with the solution of equations that yield only integer results. These type of equations are known as diophantine equations, named after the Greek mathematician Diophantos of Alexandria (ca. 200 CE) from his book Arithmetica that addresses problems requiring such integral solutions.

One of the oldest diophantine problems is known as the Pythagorean problem, which gives the length of one side of a right triangle when supplied with the lengths of the other two side, according to the equation

${\displaystyle a^{2}+b^{2}=c^{2}\ }$ 

where ${\displaystyle c\ }$  is the length of the hypotenuse. While two sides may be known to be integral values, the resultant third side may well be irrational. The solution to the Pythagorean problem is not beyond the scope, but is beyond the purpose of this chapter. Therefore, example integral solutions (known as Pythagorean triplets) will simply be presented here. It is left as an exercise for the reader to find additional solutions, either by brute-force or derivation.

Asymmetric key algorithms rely heavily on the use of prime numbers, usually exceedingly long primes, for their operation. By definition, prime numbers are divisible only by themselves and 1. In other words, letting the symbol | denote divisibility (i.e. - ${\displaystyle a|b}$  means "${\displaystyle b}$  divides into ${\displaystyle a}$ "), a prime number strictly adheres to the following mathematical definition

${\displaystyle p\ }$  | ${\displaystyle b\ }$  Where ${\displaystyle b=1\ }$  or ${\displaystyle p\ }$  only

The Fundamental Theorem of Arithmetic states that all integers can be decomposed into a unique prime factorization. Any integer greater than 1 is considered either prime or composite. A composite number is composed of more than one prime factor

${\displaystyle c\ }$  | ${\displaystyle b\ }$  where ultimately ${\displaystyle b=p_{0}^{e_{0}}p_{1}^{e_{1}}\cdot \cdot \cdot p_{n}^{e_{n}}\ }$ 

in which ${\displaystyle p_{n}\ }$  is a unique prime number and ${\displaystyle e_{n}\ }$  is the exponent.

543,312 = 24 ${\displaystyle \cdot }$  32 ${\displaystyle \cdot }$  50 ${\displaystyle \cdot }$  73 ${\displaystyle \cdot }$  111
553,696 = 25 ${\displaystyle \cdot }$  30 ${\displaystyle \cdot }$  50 ${\displaystyle \cdot }$  70 ${\displaystyle \cdot }$  113 ${\displaystyle \cdot }$  131

As can be seen, according to this systematic decomposition, each factorization is unique.

In order to deterministically verify whether an integer ${\displaystyle a\ }$  is prime or composite, only the primes ${\displaystyle p\leq {\sqrt {c}}\ }$  need be examined. This type of systematic, thorough examination is known as a brute-force approach. Primes and composites are noteworthy in the study of cryptography since, in general, a public key is a composite number which is the product of two or more primes. One (or more) of these primes may constitute the private key.

There are several types and categories of prime numbers, three of which are of importance to cryptography and will be discussed here briefly.

Fermat numbers take the following form

${\displaystyle F_{n}=2^{2^{n}}+1\ }$ 

If F_n is prime, then it is called a Fermat prime.

${\displaystyle F_{0}=2^{2^{0}}+1=3\ }$ 
${\displaystyle F_{1}=2^{2^{1}}+1=5\ }$ 
${\displaystyle F_{2}=2^{2^{2}}+1=17\ }$ 
${\displaystyle F_{3}=2^{2^{3}}+1=257\ }$ 
${\displaystyle F_{4}=2^{2^{4}}+1=65,537\ }$ 
${\displaystyle F_{5}=2^{2^{5}}+1=4,294,967,297\ }$ 

The only Fermat numbers known to be prime are ${\displaystyle F_{0}-F_{4}\ }$ . Moreover, the primality of all Fermat numbers was disproven by Euler, who showed that ${\displaystyle F_{5}=641\cdot 6,700,417}$ .

Mersenne primes - another type of formulaic prime generation - follow the form

${\displaystyle M_{p}=2^{p}-1\ }$ 

where ${\displaystyle p\ }$  is a prime number. The [1] Wolfram Alpha engine reports Mersenne Primes, an example input request being "4th Mersenne Prime".

The first four Mersenne primes are as follows

${\displaystyle M_{2}=2^{2}-1=3\ }$ 
${\displaystyle M_{3}=2^{3}-1=7\ }$ 
${\displaystyle M_{5}=2^{5}-1=31\ }$ 
${\displaystyle M_{7}=2^{7}-1=127\ }$ 

Numbers of the form M_p = 2^p without the primality requirement are called Mersenne numbers. Not all Mersenne numbers are prime, e.g. M₁₁ = 2¹¹−1 = 2047 = 23 · 89.

Two numbers are said to be coprime if the largest integer that divides evenly into both of them is 1. Mathematically, this is written

${\displaystyle \gcd(a,b)=1\ }$ 

where ${\displaystyle \gcd \ }$  is the greatest common divisor. Two rules can be derived from the above definition

If ${\displaystyle ab\ }$  | ${\displaystyle c\ }$  and ${\displaystyle \gcd(b,c)=1\ }$ , then ${\displaystyle a\ }$  | ${\displaystyle c\ }$ 

If ${\displaystyle ab=c^{2}\ }$  with ${\displaystyle \gcd(a,b)=1\ }$ , then both ${\displaystyle a\ }$  and ${\displaystyle b\ }$  are squares, i.e. - ${\displaystyle a=a_{0}^{2}\ }$ , ${\displaystyle b=b_{0}^{2}\ }$ 

The Prime Number Theorem estimates the probability that any integer, chosen randomly will be prime. The estimate is given below, with ${\displaystyle \pi (x)\ }$  defined as the number of primes ${\displaystyle \leq x\ }$ 

${\displaystyle \pi (x)\approx {\frac {x}{\ln x}}\ }$ 

${\displaystyle \pi (x)\ }$  is asymptotic to ${\displaystyle {\frac {x}{\ln x}}\ }$ , that is to say ${\displaystyle \quad \lim _{x\to \infty }{\frac {\pi (x)}{\frac {x}{\ln x}}}=1\ }$ . What this means is that generally, a randomly chosen number is prime with the approximate probability ${\displaystyle {\tfrac {1}{\ln x}}\ }$ .

The Euclidean Algorithm is used to discover the greatest common divisor of two integers. In cryptography, it is most often used to determine if two integers are coprime, i.e. - ${\displaystyle \gcd(a,b)=1\ }$ .

In order to find ${\displaystyle \gcd(a,b)\ }$  where ${\displaystyle a>b\ }$  efficiently when working with very large numbers, as with cryptosystems, a method exists to do so. The Euclidean algorithm operates as follows - First, divide ${\displaystyle a\ }$  by ${\displaystyle b\ }$ , writing the quotient ${\displaystyle q_{1}\ }$ , and the remainder ${\displaystyle r_{1}\ }$ . Note this can be written in equation form as ${\displaystyle a=q_{1}b+r_{1}\ }$ . Next perform the same operation using ${\displaystyle b\ }$  in ${\displaystyle a\ }$ 's place: ${\displaystyle b=q_{2}r_{1}+r_{2}\ }$ . Continue with this pattern until the final remainder is zero. Numerical examples and a formal algorithm follow which should make this inherent pattern clear.

${\displaystyle a=q_{1}b+r_{1}\ }$ 
${\displaystyle b=q_{2}r_{1}+r_{2}\ }$ 
${\displaystyle r_{1}=q_{3}r_{2}+r_{3}\ }$ 
${\displaystyle r_{2}=q_{4}r_{3}+r_{4}\ }$ 
${\displaystyle \cdot \ }$ 
${\displaystyle \cdot \ }$ 
${\displaystyle \cdot \ }$ 
${\displaystyle r_{n-2}=q_{n}r_{n-1}+r_{n}\ }$ 

When ${\displaystyle r_{n}=0\ }$ , stop with ${\displaystyle \gcd(a,b)=r_{n-1}\ }$ .

Example 1 - To find gcd(17,043,12,660)

17,043 = 1 ${\displaystyle \cdot }$  12,660 + 4383
12,660 = 2 ${\displaystyle \cdot }$  4,383 + 3894
 4,383 = 1 ${\displaystyle \cdot }$  3,894 + 489
 3,894 = 7 ${\displaystyle \cdot }$  489 + 471
   489 = 1 ${\displaystyle \cdot }$  471 + 18
   471 = 26 ${\displaystyle \cdot }$  18 + 3
    18 = 6 ${\displaystyle \cdot }$  3 + 0

gcd (17,043,12,660) = 3

Example 2 - To find gcd(2,008,1,963)

2,008 = 1 ${\displaystyle \cdot }$  1,963 + 45
1,963 = 43 ${\displaystyle \cdot }$  45 + 28
   45 = 1 ${\displaystyle \cdot }$  28 + 17
   28 = 1 ${\displaystyle \cdot }$  17 + 11
   17 = 1 ${\displaystyle \cdot }$  11 + 6
   11 = 1 ${\displaystyle \cdot }$  6 + 5
    6 = 1 ${\displaystyle \cdot }$  5 + 1
    5 = 5 ${\displaystyle \cdot }$  1 + 0

gcd (2,008,1963) = 1 Note: the two number are coprime.

Euclidean Algorithm(a,b)
Input:     Two integers a and b such that a > b
Output:    An integer r = gcd(a,b)
  1.   Set a0 = a, r1 = r
  2.   r = a0 mod r1
  3.   While(r1 mod r ${\displaystyle \neq }$  0) do:
  4.      a0 = r1
  5.      r1 = r
  6.      r = a0 mod r1
  7.   Output r and halt

In order to solve the type of equations represented by Bézout's identity, as shown below

${\displaystyle au+bv=\gcd(a,b)\ }$ 

where ${\displaystyle a\ }$ , ${\displaystyle b\ }$ , ${\displaystyle u\ }$ , and ${\displaystyle v\ }$  are integers, it is often useful to use the extended Euclidean algorithm. Equations of the form above occur in public key encryption algorithms such as RSA (Rivest-Shamir-Adleman) in the form ${\displaystyle ed+w(p-1)(q-1)=1\ }$  where ${\displaystyle \gcd(e,(p-1)(q-1))=1\ }$ . There are two methods in which to implement the extended Euclidean algorithm; the iterative method and the recursive method.

As an example, we shall solve an RSA key generation problem with e = 2¹⁶ + 1, p = 3,217, q = 1,279. Thus, 62,537d + 51,456w = 1.

This method computes expressions of the form ${\displaystyle r_{i}=ax_{i}+by_{i}}$  for the remainder in each step ${\displaystyle i}$  of the Euclidean algorithm. Each modulus can be written in terms of the previous two remainders and their whole quotient as follows:

${\displaystyle r_{i}=r_{i-2}-\left\lfloor {\frac {r_{i-2}}{r_{i-1}}}\right\rfloor \cdot r_{i-1}}$ 

By substitution, this gives:

${\displaystyle r_{i}=(ax_{i-2}+by_{i-2})-\left\lfloor {\frac {r_{i-2}}{r_{i-1}}}\right\rfloor \cdot (ax_{i-1}+by_{i-1})}$ 

${\displaystyle r_{i}=a(x_{i-2}-\left\lfloor {\frac {r_{i-2}}{r_{i-1}}}\right\rfloor \cdot x_{i-1})+b(y_{i-2}-\left\lfloor {\frac {r_{i-2}}{r_{i-1}}}\right\rfloor \cdot y_{i-1})}$ 

The first two values are the initial arguments to the algorithm:

${\displaystyle r_{1}=a=a(1)+b(0)\ }$ 

${\displaystyle r_{2}=b=a(0)+b(1)\ }$ 

The expression for the last non-zero remainder gives the desired results since this method computes every remainder in terms of a and b, as desired.

Putting the equation in its original form ${\displaystyle ed+w(p-1)(q-1)=1\ }$  yields ${\displaystyle (65,537)(403,937)+(-6,441)(3,217-1)(1,279-1)=1\ }$ , it is shown that ${\displaystyle d=403,937\ }$  and ${\displaystyle w=-6,441\ }$ . During the process of key generation for RSA encryption, the value for w is discarded, and d is retained as the value of the private key In this case

d = 0x629e1 = 01100010100111100001

This is a direct method for solving Diophantine equations of the form ${\displaystyle au+bv=\gcd(a,b)\ }$ . Using this method, the dividend and the divisor are reduced over a series of steps. At the last step, a trivial value is substituted into the equation, and is then worked backward until the solution is obtained.

Using the previous RSA vales of ${\displaystyle (p-1)(p-1)=4,110,048\ }$  and ${\displaystyle e=2^{16}+1=65,537\ }$ 

Significant in cryptography, the totient function (sometimes known as the phi function) is defined as the number of nonnegative integers ${\displaystyle a\ }$  less than ${\displaystyle n\ }$  that are coprime to ${\displaystyle n\ }$ . Mathematically, this is represented as

${\displaystyle \phi (n)=\left|{\bigg \{}0\leq a\leq n|\gcd(a,n)=1{\bigg \}}\right|}$ 

Which immediately suggests that for any prime ${\displaystyle p\ }$ 

${\displaystyle \phi (p)=p-1\ }$ 

The totient function for any exponentiated prime is calculated as follows

${\displaystyle \phi (p^{\alpha })\ }$ 

${\displaystyle =p^{\alpha }-p^{\alpha -1}\ }$ 

${\displaystyle =p^{\alpha }\left(1-{\tfrac {1}{p}}\right)\ }$ 

The Euler totient function is also multiplicative

${\displaystyle \phi (ab)=\phi (a)\phi (b)\ }$ 

where ${\displaystyle \gcd(a,b)=1\ }$ 

A field is simply a set ${\displaystyle \mathbb {F} }$  which contains numerical elements that are subject to the familiar addition and multiplication operations. Several different types of fields exist; for example, ${\displaystyle \mathbb {R} }$ , the field of real numbers, and ${\displaystyle \mathbb {Q} }$ , the field of rational numbers, or ${\displaystyle \mathbb {C} }$ , the field of complex numbers. A generic field is usually denoted ${\displaystyle \mathbb {F} }$ .

Cryptography utilizes primarily finite fields, nearly exclusively composed of integers. The most notable exception to this are the Gaussian numbers of the form ${\displaystyle a+bi\ }$  which are complex numbers with integer real and imaginary parts. Finite fields are defined as follows

${\displaystyle \left(\mathbb {Z} /n\mathbb {Z} \right)=\mathbb {Z} _{n}\ }$  The set of integers modulo ${\displaystyle n\ }$ 

${\displaystyle \left(\mathbb {Z} /p\mathbb {Z} \right)=\mathbb {Z} _{p}\ }$  The set of integers modulo a prime ${\displaystyle p\ }$ 

Since cryptography is concerned with the solution of diophantine equations, the finite fields utilized are primarily integer based, and are denoted by the symbol for the field of integers, ${\displaystyle \mathbb {Z} }$ .

A finite field ${\displaystyle \mathbb {F} _{n}\ }$  contains exactly ${\displaystyle n\ }$  elements, of which there are ${\displaystyle n-1\ }$  nonzero elements. An extension of ${\displaystyle \mathbb {Z} _{n}\ }$  is the multiplicative group of ${\displaystyle \mathbb {Z} _{n}\ }$ , written ${\displaystyle \left(\mathbb {Z} /n\mathbb {Z} \right)^{*}=\mathbb {Z} _{n}^{*}\ }$ , and consisting of the following elements

${\displaystyle a\in \mathbb {Z} _{n}^{*}\ }$  such that ${\displaystyle \gcd(a,n)=1\ }$ 

in other words, ${\displaystyle \mathbb {Z} _{n}^{*}\ }$  contains the elements coprime to ${\displaystyle n\ }$ 

Finite fields form an abelian group with respect to multiplication, defined by the following properties

${\displaystyle \centerdot }$  The product of two nonzero elements is nonzero ${\displaystyle \left(ab=c|c\neq 0\right)\ }$ 
${\displaystyle \centerdot }$  The associative law holds ${\displaystyle \left(\left(ab\right)c=a\left(bc\right)\right)\ }$ 
${\displaystyle \centerdot }$  The commutative law holds ${\displaystyle \left(ab=ba\right)\ }$ 
${\displaystyle \centerdot }$  There is an identity element ${\displaystyle \left(I\cdot a=a\right)\ }$ 
${\displaystyle \centerdot }$  Any nonzero element has an inverse ${\displaystyle \left(a\cdot a^{-1}=1\right)\ }$ 

A subscript following the symbol for the field represents the set of integers modulo ${\displaystyle n\ }$ , and these integers run from ${\displaystyle 0\ }$  to ${\displaystyle n-1\ }$  as represented by the example below

${\displaystyle \mathbb {Z} _{12}=\{0,1,2,3,4,5,6,7,8,9,10,11\}\ }$ 

The multiplicative order of ${\displaystyle \mathbb {Z} _{n}}$  is represented ${\displaystyle \mathbb {Z} _{n}^{*}}$  and consists of all elements ${\displaystyle a\in \mathbb {Z} _{n}}$  such that ${\displaystyle \gcd(a,n)=1\ }$ . An example for ${\displaystyle \mathbb {Z} _{12}}$  is given below

${\displaystyle \mathbb {Z} _{12}^{*}=\{1,5,7,11\}\ }$ 

If ${\displaystyle p\ }$  is prime, the set ${\displaystyle \mathbb {Z} _{p}^{*}}$  consists of all integers ${\displaystyle a\ }$  such that ${\displaystyle 1\leq a\leq p\ }$ . For example

Every finite field has a generator. A generator ${\displaystyle g\ }$  is capable of generating all of the elements in the set ${\displaystyle \mathbb {Z} _{n}}$  by exponentiating the generator ${\displaystyle g\,{\bmod {\,}}n\ }$ . Assuming ${\displaystyle g\ }$  is a generator of ${\displaystyle \mathbb {Z} _{n}^{*}}$ , then ${\displaystyle \mathbb {Z} _{n}^{*}}$  contains the elements ${\displaystyle g^{i}\,{\bmod {\,}}n\ }$  for the range ${\displaystyle 0\leq i\leq \phi (n)-1}$ . If ${\displaystyle \mathbb {Z} _{n}^{*}}$  has a generator, then ${\displaystyle \mathbb {Z} _{n}}$  is said to be cyclic.

The total number of generators is given by

${\displaystyle \phi \left(\phi \left(n\right)\right)}$ 

For ${\displaystyle n=p=13\ }$  (Prime)

${\displaystyle \mathbb {Z} _{13}=\{0,1,2,3,4,5,6,7,8,9,10,11,12\}}$ 
${\displaystyle \mathbb {Z} _{13}^{*}=\{1,2,3,4,5,6,7,8,9,10,11,12\}}$ 

Total number of generators ${\displaystyle \phi \left(\phi \left(13\right)\right)=\phi \left(12\right)=4}$  generators

Let ${\displaystyle g=2\ }$ , then ${\displaystyle g=\{2,4,8,3,6,12,11,9,5,10,7,1\}\ }$ , ${\displaystyle g=2\ }$  is a generator

Since ${\displaystyle 2\ }$  is a generator, check if ${\displaystyle \gcd(i,p-1)=1\ }$ 
${\displaystyle 2^{2}=4\ }$ , and ${\displaystyle i=2\ }$ , ${\displaystyle \gcd \left(2,12\right)=2\neq 1\ }$ , therefore, ${\displaystyle 4\ }$  is not a generator
${\displaystyle 2^{3}=8\ }$ , and ${\displaystyle i=3\ }$ , ${\displaystyle \gcd \left(3,12\right)=3\neq 1\ }$ , therefore, ${\displaystyle 4\ }$  is not a generator

Let ${\displaystyle g=6\ }$ , then ${\displaystyle g=\{6,10,8,9,2,12,7,3,5,4,11,1\}\ }$ , ${\displaystyle g=6\ }$  is a generator
Let ${\displaystyle g=7\ }$ , then ${\displaystyle g=\{7,10,5,9,11,12,6,3,8,4,2,1\}\ }$ , ${\displaystyle g=7\ }$  is a generator
Let ${\displaystyle g=11\ }$ , then ${\displaystyle g=\{11,4,5,3,7,12,2,9,8,10,6,1\}\ }$ , ${\displaystyle g=11\ }$  is a generator

There are a total of ${\displaystyle 4\ }$  generators, ${\displaystyle \left(2,6,7,11\right)}$  as predicted by the formula ${\displaystyle \phi \left(\phi \left(n\right)\right).}$ 

For ${\displaystyle n=10\ }$  (Composite)

${\displaystyle \mathbb {Z} _{9}=\{0,1,2,3,4,5,6,7,8,9\}\ }$ 
${\displaystyle \mathbb {Z} _{9}^{*}=\{1,3,7,9\}\ }$ 

Total number of generators ${\displaystyle \phi \left(\phi \left(10\right)\right)=\phi \left(4\right)=2\ }$  generators

Let ${\displaystyle g=3\ }$ , then ${\displaystyle g=\{3,9,7,1,3,9,7,1,3\}\ }$ , ${\displaystyle g=3\ }$  is a generator
Let ${\displaystyle g=7\ }$ , then ${\displaystyle g=\{7,9,3,1,7,9,3,1,7\}\ }$ , ${\displaystyle g=7\ }$  is a generator

There are a total of ${\displaystyle 2\ }$  generators ${\displaystyle \left(3,7,\right)\ }$  as predicted by the formula ${\displaystyle \phi \left(\phi \left(n\right)\right).}$ 

Number theory contains an algebraic system of its own called the theory of congruences. The mathematical notion of congruences was introduced by Karl Friedrich Gauss in Disquisitiones (1801).

If ${\displaystyle a\ }$  and ${\displaystyle b\ }$  are two integers, and their difference is evenly divisible by ${\displaystyle m\ }$ , this can be written with the notation

${\displaystyle \left(a-b\right)|m\ }$ 

This is expressed by the notation for a congruence

${\displaystyle a\equiv b\,{\bmod {\,}}m}$ 

where the divisor ${\displaystyle m\ }$  is called the modulus of congruence. ${\displaystyle a\equiv b\,{\bmod {\,}}m}$  can equivalently be written as

${\displaystyle a-b=mk\ }$ 

where ${\displaystyle k\ }$  is an integer.

Note in the examples that for all cases in which ${\displaystyle a\equiv 0\,{\bmod {\,}}m}$ , it is shown that ${\displaystyle a|m\ }$ . with this in mind, note that

${\displaystyle a\equiv 0\,{\bmod {\,}}2}$  Represents that ${\displaystyle a\ }$  is an even number.

${\displaystyle a\equiv 1\,{\bmod {\,}}2}$  Represents that ${\displaystyle a\ }$  is an odd number.

All congruences (with fixed ${\displaystyle m\ }$ ) have the following properties in common

${\displaystyle a\equiv a\,{\bmod {\,}}m}$ 

${\displaystyle a\equiv b\,{\bmod {\,}}m}$  if and only if ${\displaystyle b\equiv a\,{\bmod {\,}}m}$ 

If ${\displaystyle a\equiv b\,{\bmod {\,}}m}$  and ${\displaystyle b\equiv c\,{\bmod {\,}}m}$  then ${\displaystyle a\equiv c\,{\bmod {\,}}m}$ 

Given ${\displaystyle a\equiv a\,{\bmod {\,}}m}$  there exists a unique ${\displaystyle b\ }$  such that ${\displaystyle 0\leq b\leq m-1\ }$ 

These properties represent an equivalence class, meaning that any integer is congruent modulo ${\displaystyle m\ }$  to one specific integer in the finite field ${\displaystyle \mathbb {Z} _{m}}$ .

If the modulus of an integer ${\displaystyle m>2\ }$ , then for every integer ${\displaystyle a\ }$ 

${\displaystyle a=mk+r\,\left(r\in \mathbb {Z} _{m}\right)}$ 

which can be understood to mean ${\displaystyle r\ }$  is the remainder of ${\displaystyle a\ }$  divided by ${\displaystyle m\ }$ , or as a congruence

${\displaystyle a\equiv r\,{\bmod {\,}}m}$ 

Two numbers that are incongruent modulo ${\displaystyle m\ }$  must have different remainders. Therefore, it can be seen that any congruence ${\displaystyle a\equiv b\,{\bmod {\,}}m}$  holds if and only if ${\displaystyle a\ }$  and ${\displaystyle b\ }$  are integers which have the same remainder when divided by ${\displaystyle m\ }$ .

${\displaystyle 10\equiv 3\,{\bmod {\,}}7}$  is equivalent to
${\displaystyle 10=\left(7\cdot 1\right)+3\ }$  implies
${\displaystyle 3\ }$  is the remainder of ${\displaystyle 10\ }$  divided by ${\displaystyle 7\ }$ 

Suppose for this section we have two congruences, ${\displaystyle a\equiv b\,{\bmod {\,}}m}$  and ${\displaystyle c\equiv d\,{\bmod {\,}}m}$ . These congruences can be added or subtracted in the following manner

${\displaystyle a+c\equiv b+d\,{\bmod {\,}}m}$ 

${\displaystyle a-c\equiv b-d\,{\bmod {\,}}m}$ 

If these two congruences are multiplied together, the following congruence is obtained

${\displaystyle ac\equiv bd\,{\bmod {\,}}m}$ 

or the special case where ${\displaystyle c=d\ }$ 

${\displaystyle ac\equiv bc\,{\bmod {\,}}m}$ 

Note: The above does not mean that there exists a division operation for congruences. The only possibility for simplifying the above is if and only if ${\displaystyle c\ }$  and ${\displaystyle m\ }$  are coprime. Mathematically, this is represented as

${\displaystyle ac\equiv bc\,{\bmod {\,}}m}$  implies that ${\displaystyle a\equiv b\,{\bmod {\,}}m}$  if and only if ${\displaystyle \gcd \left(c,m\right)=1}$ 

The set of equivalence classes defined above form a commutative ring, meaning the residue classes can be added, subtracted and multiplied, and that the operations are associative, commutative and have additive inverses.

Often, it is necessary to perform an operation on a congruence ${\displaystyle a\equiv b\,{\bmod {\,}}m}$  where ${\displaystyle b>m\ }$ , when what is desired is a new integer ${\displaystyle d\ }$  such that ${\displaystyle 0\leq d\leq m-1\ }$  with the resultant ${\displaystyle d\ }$  being the least nonnegative residue modulo m of the congruence. Reducing a congruence modulo ${\displaystyle m\ }$  is based on the properties of congruences and is often required during exponentiation of a congruence.

Input: Integers ${\displaystyle b\ }$  and ${\displaystyle m\ }$  from ${\displaystyle a\equiv b\,{\bmod {\,}}m}$  with ${\displaystyle b>m\ }$ 
Output: Integer ${\displaystyle d\ }$  such that ${\displaystyle 0\leq d\leq m-1\ }$ 

1. Let ${\displaystyle q=\left\lfloor {\tfrac {b}{m}}\right\rfloor }$ 
2.     ${\displaystyle c=qm\ }$ 
3.     ${\displaystyle d=b-c\ }$ 
4. Output ${\displaystyle d\ }$ 

Given ${\displaystyle 289\equiv 49\,{\bmod {\,}}5}$ 

${\displaystyle 9=\left\lfloor {\tfrac {49}{5}}\right\rfloor }$ 
${\displaystyle 45=9\cdot 5\ }$ 
${\displaystyle 4=49-45\ }$ 

∴ ${\displaystyle 289\equiv 49\equiv 4\,{\bmod {\,}}5}$ 

Note that ${\displaystyle 4\ }$  is the least nonnegative residue modulo ${\displaystyle 5\ }$ 

Assume you begin with ${\displaystyle a\equiv b\,{\bmod {\,}}m}$ . Upon multiplying this congruence by itself the result is ${\displaystyle a^{2}\equiv b^{2}\,{\bmod {\,}}m}$ . Generalizing this result and assuming ${\displaystyle n\ }$  is a positive integer

${\displaystyle a^{n}\equiv b^{n}\,{\bmod {\,}}m}$ 

${\displaystyle 9\equiv 4\,{\bmod {\,}}13}$ 
${\displaystyle 81\equiv 16\,{\bmod {\,}}13}$ 
${\displaystyle 729\equiv 64\,{\bmod {\,}}13}$ 

This simplifies to

${\displaystyle 81\equiv 16\,{\bmod {\,}}13}$  implies ${\displaystyle 16\equiv 3\,{\bmod {\,}}13}$ 
${\displaystyle 729\equiv 64\,{\bmod {\,}}13}$  implies ${\displaystyle 256\equiv 9\,{\bmod {\,}}13}$ 

Sometimes it is useful to know the least nonnegative residue modulo ${\displaystyle m\ }$  of a number which has been exponentiated as ${\displaystyle a^{2}\equiv \,{\bmod {\,}}m}$ . In order to find this number, we may use the repeated squaring method which works as follows:

1. Begin with ${\displaystyle a\equiv \,{\bmod {\,}}m}$ 
2. Square ${\displaystyle a\ }$  and ${\displaystyle b\ }$  so that ${\displaystyle a^{2}\equiv b^{2}\,{\bmod {\,}}m}$ 
3. Reduce ${\displaystyle b\ }$  modulo ${\displaystyle m\ }$  to obtain ${\displaystyle a^{\equiv }b_{1}\,{\bmod {\,}}m}$ 
4. Continue with steps 2 and 3 until ${\displaystyle a^{2^{n}}\equiv b_{n}\,{\bmod {\,}}m}$  is obtained.
   Note that ${\displaystyle n\ }$  is the integer where ${\displaystyle 2^{n+1}\ }$  would be just larger than the exponent desired
5. Add the successive exponents until you arrive at the desired exponent
6. Multiply all ${\displaystyle b_{i}\ }$ 's associated with the ${\displaystyle a\ }$ 's of the selected powers
7. Reduce the resulting ${\displaystyle b\,{\bmod {\,}}m}$  for the desired result

To find ${\displaystyle 6^{149}{\bmod {\,}}11}$ :

${\displaystyle 6\equiv 6\,{\bmod {\,}}11}$ 
${\displaystyle 6^{2}=36\equiv 3\,{\bmod {\,}}11}$ 
${\displaystyle 6^{4}\equiv 9\,{\bmod {\,}}11}$ 
${\displaystyle 6^{8}\equiv 81\equiv 4\,{\bmod {\,}}11}$ 
${\displaystyle 6^{16}\equiv 16\equiv 5\,{\bmod {\,}}11}$ 
${\displaystyle 6^{32}\equiv 25\equiv 3\,{\bmod {\,}}11}$ 
${\displaystyle 6^{64}\equiv 9\,{\bmod {\,}}11}$ 
${\displaystyle 6^{128}\equiv 81\equiv 4\,{\bmod {\,}}11}$ 

Adding exponents:

${\displaystyle 128+16+4+1\ }$ 

Multiplying least nonnegative residues associated with these exponents:

${\displaystyle 4\cdot 5\cdot 9\cdot 6=1080\ }$ 
${\displaystyle 1080\,{\bmod {\,}}11=2}$ 

Therefore: 

${\displaystyle 6^{149}\equiv 2\,{\bmod {\,}}11}$ 

While finding the correct symmetric or asymmetric keys is required to encrypt a plaintext message, calculating the inverse of these keys is essential to successfully decrypt the resultant ciphertext. This can be seen in cryptosystems Ranging from a simple affine transformation

${\displaystyle C\equiv aP+b\,{\bmod {\,}}N}$ 

Where

${\displaystyle P\equiv a^{-1}C+b^{-1}\,{\bmod {\,}}N}$ 

To RSA public key encryption, where one of the deciphering (private) keys is

${\displaystyle d_{A}=e_{A}^{-1}\,{\bmod {\,}}\phi \left(n_{A}\right)}$ 

For the elements ${\displaystyle a\in \mathbb {Z} _{m}}$  where ${\displaystyle \gcd \left(a,m\right)=1}$ , there exists ${\displaystyle b\in \mathbb {Z} _{m}}$  such that ${\displaystyle ab\equiv 1\,{\bmod {\,}}m}$ . Thus, ${\displaystyle b\ }$  is said to be the inverse of ${\displaystyle a\ }$ , denoted ${\displaystyle a^{-n}\,{\bmod {\,}}m}$  where ${\displaystyle n\ }$  is the ${\displaystyle n^{th}\ }$  power of the integer ${\displaystyle b\ }$  for which ${\displaystyle ab\equiv 1\,{\bmod {\,}}m}$ .

Find ${\displaystyle 633^{-1}\,{\bmod {\,}}2801}$ 

This is equivalent to saying ${\displaystyle 633b\equiv 1\,{\bmod {\,}}2801}$ 

First use the Euclidean algorithm to verify ${\displaystyle \gcd \left(633,2801\right)=1\ }$ .
Next use the Extended Euclidean algorithm to discover the value of ${\displaystyle b\ }$ .
In this case, the value is ${\displaystyle 177\ }$ .

Therefore, ${\displaystyle 633^{-1}\,{\bmod {\,}}2801=177}$ 

It is easily verified that ${\displaystyle \left(633\right)\left(177\right)\equiv 1\,{\bmod {\,}}2801}$ 

Where ${\displaystyle p\ }$  is defined as prime, any integer will satisfy the following relation:

${\displaystyle a^{p}\equiv a\,{\bmod {\,}}p}$ 

When ${\displaystyle a=2\ }$  and ${\displaystyle p=19\ }$