Modern publickey (asymmetric) cryptography is based upon a branch of mathematics known as number theory, which is concerned solely with the solution of equations that yield only integer results. These type of equations are known as diophantine equations, named after the Greek mathematician Diophantos of Alexandria (ca. 200 CE) from his book Arithmetica that addresses problems requiring such integral solutions.
One of the oldest diophantine problems is known as the Pythagorean problem, which gives the length of one side of a right triangle when supplied with the lengths of the other two side, according to the equation
where is the length of the hypotenuse. While two sides may be known to be integral values, the resultant third side may well be irrational. The solution to the Pythagorean problem is not beyond the scope, but is beyond the purpose of this chapter. Therefore, example integral solutions (known as Pythagorean triplets) will simply be presented here. It is left as an exercise for the reader to find additional solutions, either by bruteforce or derivation.
3  4  5 
5  12  13 
7  24  25 
8  15  17 
Asymmetric encryption methods rely heavily on the use of prime numbers, usually exceedingly long primes, for their operation. By definition, prime numbers are divisible only by themselves and 1. In other words, letting the symbol  denote divisibility (i.e.  a  b means "b divides into a"), a prime number strictly adheres to the following mathematical definition
The Fundamental Theorem of Arithmetic states that all numbers can be decomposed into a unique prime factorization. Any number greater than 1 is considered either prime or composite. A composite number is composed of more than one prime factor
in which is a unique prime number and is the exponent.
543,312 = 2^{4} 3^{2} 5^{0} 7^{3} 11^{1} 553,696 = 2^{5} 3^{0} 5^{0} 7^{0} 11^{3} 13^{1}
As can be seen, according to this systematic decomposition, each factorization is unique.
In order to deterministically verify whether an integer is prime or composite, only the primes need be examined. This type of systematic, thorough examination is known as a bruteforce approach. Primes and composites are noteworthy in the study of cryptography since, in general, a public key is a composite number which is the product of two or more primes. One (or more) of these primes may constitute the private key.
There are several types and categories of of prime numbers, three of which are of importance to cryptography and will be discussed here briefly.
Fermat primes take the following form
Note that not all Fermat "primes" are, in fact, prime. The [1] Wolfram Alpha engine reports Fermat Primes, an example input request being "4th Fermat Prime".
The Fermat primes
are indeed prime numbers. However, the absolute
"primeness" of Fermat primes was disproven by Euler when he showed
demonstrating that this Fermat prime was in fact, composite.
Mersenne primes  another type of formulaic prime generation  follow the form
where is a prime number. The [2] Wolfram Alpha engine reports Mersenne Primes, an example input request being "4th Mersenne Prime".
The first five Mersenne primes are as follows
It is easily shown that , meaning that all Mersenne primes are not in fact prime, as was the case with Fermat primes.
Two numbers are said to be coprime if the largest integer that divides evenly into both of them is 1. Mathematically, this is written
where is the greatest common divisor. Two rules can be derived from the above definition
The Prime Number Theorem estimates the probability that any integer, chosen randomly will be prime. The estimate is given below, with defined as the number of primes
is asymptotic to , that is to say . What this means is that generally, a randomly chosen number is prime with the approximate probabilty .
The Euclidean Algorithm is used to discover the greatest common divisor of two integers. In cryptography, it is most often used to determine if two integers are coprime, i.e.  .
In order to find where efficiently when working with very large numbers, as with cryptosystems, a method exists to do so. The Euclidean algorithm operates as follows  First, divide by , writing the quotient , and the remainder . Note this can be written in equation form as . Next perform the same operation using in 's place: . Continue with this pattern until the final remainder is zero. Numerical examples and a formal algorithm follow which should make this inherent pattern clear.
When , stop with .
Example 1  To find gcd(17,043,12,660)
17,043 = 1 12,660 + 4383 12,660 = 2 4,383 + 3894 4,383 = 1 3,894 + 489 3,894 = 7 489 + 471 489 = 1 471 + 18 471 = 26 18 + 3 18 = 6 3 + 0
gcd (17,043,12,660) = 3 \ </math>
Example 2  To find gcd(2,008,1,963)
2,008 = 1 1,963 + 45 1,963 = 43 45 + 28 45 = 1 28 + 17 28 = 1 17 + 11 17 = 1 11 + 6 11 = 1 6 + 5 6 = 1 5 + 1 5 = 5 1 + 0
gcd (2,008,1963) = 1 Note: the two number are coprime.
Euclidean Algorithm(a,b) Input: Two integers a and b such that a > b Output: An integer r = gcd(a,b) 1. Set a_{0} = a, r_{1} = r 2. r = a_{0} mod r_{1} 3. While(r_{1} mod r 0) do: 4. a_{0} = r_{1} 5. r_{1} = r 6. r = a_{0} mod r_{1} 7. Output r and halt
In order to solve the type of equations represented by Bézout's identity, as shown below
where , , , and are integers, it is often useful to use the extended Euclidean algorithm. Equations of the form above occur in public key encryption algorithms such as RSA (RivestShamirAdleman) in the form where . There are two methods in which to implement the extended Euclidean algorithm; the iterative method and the recursive method.
As an example, we shall solve an RSA key generation problem with e = 2^{16} + 1, p = 3,217, q = 1,279. Thus, 62,537d + 51,456w = 1.
This method computes expressions of the form r_{i} = ax_{i} + by_{i} for the remainder in each step i of the Euclidean algorithm. Each modulus can be written in terms of the previous two remainders and their whole quotient as follows:
By substitution, this gives:
The first two values are the initial arguments to the algorithm:
The expression for the last nonzero remainder gives the desired results since this method computes every remainder in terms of a and b, as desired.
Step  Quotient  Remainder  Substitute  Combine terms  

1  4,110,048 = a  4,110,048 = 1a + 0b  
2  65,537 = b  65,537 = 0a + 1b  
3  62  46,754 = 4,110,048  65,537 62  46,754 = (1a + 0b)  (0a + 1b) 62  46,754 = 1a  62b  
4  1  18,783 = 65,537  46,754 1  18,783 = (0a + 1b)  (1a  62b) 1  18,783 = 1a + 63b  
5  2  9,188 = 46,754  18,783 2  9,188 = (1a  62b)  (1a + 62b) 2  9,188 = 3a  188b  
6  2  407 = 18,783  9,188 2  407 = (1a + 63b)  (3a  188b) 2  407 = 7a + 439b  
7  22  234 = 9,188  407 22  234 = (3a  188b)  (7a + 439b) 22  234 = 157a  9,846b  
8  1  173 = 407  234 1  173 = (7a + 439b)  (157a  9,846b) 1  173 = 164a + 10,285b  
9  1  61 = 234  173 1  61 = (157a  9,846b)  (164a + 10,285b) 1  61 = 321a + 20,131b  
10  2  51 = 173  61 2  51 = (164a + 10,285b)  (321a +20,131b) 2  51 = 806a + 50,547b  
11  1  10 = 61  51 1  61 = (321a +20,131b)  (806a + 50,547b) 1  10 = 1,127a  70,678b  
12  5  1 = 51 10 5  1 = (806a + 50,547b)  (1,127a  70,678b) 5  1 = 6,441a + 403,937b  
13  10  0  End of algorithm 
Putting the equation in its original form yields , it is shown that and . During the process of key generation for RSA encryption, the value for w is discarded, and d is retained as the value of the private key In this case
d = 0x629e1 = 01100010100111100001
This is a direct method for solving Diophantine equations of the form . Using this method, the dividend and the divisor are reduced over a series of steps. At the last step, a trivial value is substituted into the equation, and is then worked backward until the solution is obtained.
Using the previous RSA vales of and
Euclidean Expansion  Collect Terms  Substitute  Retrograde Substitution  Solve For d_{x}  

4,110,048  w_{0}  + 65,537d_{0} = 1  
(62 65,537 + 46,754)  w_{0}  + 65,537d_{0} = 1  
65,537  (62w_{0} + d_{0})  + 46,754w_{0} = 1  w_{1} = 62w_{0} + d_{0}  4,595 = (62)(6441) + d_{0}  d_{0} = 403,937 
65,537  w_{1}  + 46,754d_{1} = 1  d_{1} = w_{0}  w_{1} = 6,441  
(1 46,754 + 18,783)  w_{1}  + 46,754d_{1} = 1  
46,754  (w_{1} + d_{1})  + 18,783w_{1} = 1  w_{2} = w_{1} + d_{1}  1,846 = 4,595 + d_{1}  d_{1} = 6,441 
46,754  w_{2}  + 18,783d_{2} = 1  d_{2} = w_{1}  
(2 18,783 + 9,188)  w_{2}  + 18,783d_{2} = 1  
18,783  (2w_{2} + d_{2})  + 9,188w_{2} = 1  w_{3} = 2w_{2} + d_{2}  903 = (2)(1,846) + d_{2}  d_{2} = 4,595 
18,783  w_{3}  + 9,188d_{3} = 1  d_{3} = w_{2}  
(2 9,188 + 407)  w_{3}  + 9,188d_{3} = 1  
9,188  (2w_{3} + d_{3})  + 407w_{3} = 1  w_{4} = 2w_{3} + d_{3}  40 = (2)(903) + d_{3}  d_{3} = 1846 
9,188  w_{4}  + 407d_{4} = 1  d_{4} = w_{3}  
(22 407 + 234)  w_{4}  + 407d_{4} = 1  
407  (22w_{4} + d_{4})  + 234w_{4} = 1  w_{5} = 22w_{4} +d_{4}  23 = (22)(40) + d_{4}  d_{4} = 903 
407  w_{5}  + 234d_{5} = 1  d_{5} = w_{4}  
(1 234 + 173)  w_{5}  + 234d_{5} = 1  
234  (w_{5} + d_{5})  + 173w_{5} = 1  w_{6} = w_{5} +d_{5}  17 = 23 + d_{5}  d_{5} = 40 
234  w_{6}  + 173d_{6} = 1  d_{6} = w_{5}  
(1 173 + 61)  w_{6}  + 173d_{6} = 1  
173  (w_{6} + d_{6})  + 61w_{6} = 1  w_{7} = w_{6} +d_{6}  6 = 17 + d_{6}  d_{6} = 23 
173  w_{7}  + 61d_{7} = 1  d_{7} = w_{6}  
(2 61 + 51)  w_{7}  + 61d_{7} = 1  
61  (2w_{7} + d_{7})  + 51w_{7} = 1  w_{8} = 2w_{7} +d_{7}  5 = (2)(6) + d_{7}  d_{7} = 17 
61  w_{8}  + 51d_{8} = 1  d_{8} = w_{7}  
(1 51 + 10)  w_{8}  + 51d_{8} = 1  
51  (w_{8} + d_{8})  + 10w_{8} = 1  w_{9} = w_{8} +d_{8}  1 = 5 + d_{8}  d_{8} = 6 
51  w_{9}  + 10d_{9} = 1  d_{9} = w_{8}  
(5 10 + 1)  w_{9}  + 10d_{9} = 1  
10  (5w_{9} + d_{9})  + 1w_{9} = 1  w_{10} = 5w_{9} +d_{9}  0 = (5)(1) + d_{9}  d_{9} = 5 
10  w_{10}  + 1d_{10} = 1  d_{10} = w_{9}  
(1 10 + 0)  w_{10}  + 1d_{10} = 1  
1  (10w_{10} + d_{10})  + 0w_{10} = 1  w_{11} = 10w_{10} +d_{10}  1 = (10)(0) + d_{10}  d_{10} = 1 
1  w_{11}  + 0d_{11} = 1  d_{11} = w_{10}  w_{11} = 1, d_{11} = 0 
Significant in cryptography, the totient function (sometimes known as the phi function) is defined as the number of nonnegative integers less than that are coprime to . Mathematically, this is represented as
Which immediately suggests that for any prime
The totient function for any exponentiated prime is calculated as follows
The Euler totient function is also multiplicative
where
A field is simply a set which contains numerical elements that are subject to the familiar addition and multiplication operations. Several different types of fields exist; for example, , the field of real numbers, and , the field of rational numbers, or , the field of complex numbers. A generic field is usually denoted .
Cryptography utilizes primarily finite fields, nearly exclusively composed of integers. The most notable exception to this are the Gaussian numbers of the form which are complex numbers with integer real and imaginary parts. Finite fields are defined as follows
Since cryptography is concerned with the solution of diophantine equations, the finite fields utilized are primarily integer based, and are denoted by the symbol for the field of integers, .
A finite field contains exactly elements, of which there are nonzero elements. An extension of is the multiplicative group of , written , and consisting of the following elements
in other words, contains the elements coprime to
Finite fields form an abelian group with respect to multiplication, defined by the following properties
The product of two nonzero elements is nonzero The associative law holds The commutative law holds There is an identity element Any nonzero element has an inverse
A subscript following the symbol for the field represents the set of integers modulo , and these integers run from to as represented by the example below
The multiplicative order of is represented and consists of all elements such that . An example for is given below
If is prime, the set consists of all integers such that . For example
Composite n  Prime p 

Every finite field has a generator. A generator is capable of generating all of the elements in the set by exponentiating the generator . Assuming is a generator of , then contains the elements for the range . If has a generator, then is said to be cyclic.
The total number of generators is given by
For (Prime) Total number of generators generators Let , then , is a generator Since is a generator, check if , and , , therefore, is not a generator , and , , therefore, is not a generator Let , then , is a generator Let , then , is a generator Let , then , is a generator There are a total of generators, as predicted by the formula
For (Composite) Total number of generators generators Let , then , is a generator Let , then , is a generator There are a total of generators as predicted by the formula
Number theory contains an algebraic system of its own called the theory of congruences. The mathematical notion of congruences was introduced by Karl Friedrich Gauss in Disquisitiones (1801).
If and are two integers, and their difference is evenly divisible by , this can be written with the notation
This is expressed by the notation for a congruence
where the divisor is called the modulus of congruence. can equivalently be written as
where is an integer.
Note in the examples that for all cases in which , it is shown that . with this in mind, note that
Represents that is an even number.
Represents that is an odd number.
All congruences (with fixed ) have the following properties in common
These properties represent an equivalence class, meaning that any integer is congruent modulo to one specific integer in the finite field .
If the modulus of an integer , then for every integer
which can be understood to mean is the remainder of divided by , or as a congruence
Two numbers that are incongruent modulo must have different remainders. Therefore, it can be seen that any congruence holds if and only if and are integers which have the same remainder when divided by .
is equivalent to implies is the remainder of divided by
Suppose for this section we have two congruences, and . These congruences can be added or subtracted in the following manner
If these two congruences are multiplied together, the following congruence is obtained
or the special case where
Note: The above does not mean that there exists a division operation for congruences. The only possibility for simplifying the above is if and only if and are coprime. Mathematically, this is represented as
The set of equivalence classes defined above form a commutative ring, meaning the residue classes can be added, subtracted and multiplied, and that the operations are associative, commutative and have additive inverses.
Often, it is necessary to perform an operation on a congruence where , when what is desired is a new integer such that with the resultant being the least nonnegative residue modulo m of the congruence. Reducing a congruence modulo is based on the properties of congruences and is often required during exponentiation of a congruence.
Input: Integers and from with Output: Integer such that 1. Let 2. 3. 4. Output
Given ∴
Note that is the least nonnegative residue modulo
Assume you begin with . Upon multiplying this congruence by itself the result is . Generalizing this result and assuming is a positive integer
This simplifies to implies implies
Sometimes it is useful to know the least nonnegative residue modulo of a number which has been exponentiated as . In order to find this number, we may use the repeated squaring method which works as follows:
1. Begin with 2. Square and so that 3. Reduce modulo to obtain 4. Continue with steps 2 and 3 until is obtained. Note that is the integer where would be just larger than the exponent desired 5. Add the successive exponents until you arrive at the desired exponent 6. Multiply all 's associated with the 's of the selected powers 7. Reduce the resulting for the desired result
To find : Adding exponents: Multiplying least nonnegative residues associated with these exponents: Therefore:
While finding the correct symmetric or asymmetric keys is required to encrypt a plaintext message, calculating the inverse of these keys is essential to successfully decrypt the resultant ciphertext. This can be seen in cryptosystems Ranging from a simple affine transformation
Where
To RSA public key encryption, where one of the deciphering (private) keys is
For the elements where , there exists such that . Thus, is said to be the inverse of , denoted where is the power of the integer for which .
Find This is equivalent to saying First use the Euclidean algorithm to verify . Next use the Extended Euclidean algorithm to discover the value of . In this case, the value is . Therefore, It is easily verified that
Where is defined as prime, any integer will satisfy the following relation:
When and
An additional condition states that if is not divisible by , the following equation holds
Fermat's Little Theorem also has a corollary, which states that if is not divisible by and then
If , then
If one wants to solve a system of congruences with different moduli, it is possible to do so as follows:
A simultaneous solution exists if and only if with , and any two solutions are congruent to one another modulo .
The steps for finding the simultaneous solution using the Chinese Remainder theorem are as follows:
Given: Using the Extended Euclidean algorithm:
If is prime and , examining the nonzero elements of , it is sometimes important to know which of these are squares. If for some , there exists a square such that . Then all squares for can be calculated by where . is a quadratic residue modulo if there exists an such that . If no such exists, then is a quadratic nonresidue modulo . is a quadratic residue modulo a prime if and only if .
For the finite field , to find the squares , proceed as follows:
The values above are quadratic residues. The remaining (in this example) 9 values are know as quadratic nonresidues. the complete listing is given below.
Quadratic residues: Quadratic nonresidues:
The Legendre symbol denotes whether or not is a quadratic residue modulo the prime and is only defined for primes and integers . The Legendre of with respect to is represented by the symbol . Note that this does not mean divided by . has one of three values: .
The Jacobi symbol applies to all odd numbers where , then:
If is prime, then the Jacobi symbol equals the Legendre symbol (which is the basis for the SolovayStrassen primality test).
