
Fermat and Mersenne Numbers


Tutorial

R01942039






Content
1 Introduction
2 Background of Fermat Numbers
3 Geometric Interpretation of Fermat Numbers
4 Factoring Status of Fermat Numbers
5 Basic Properties of Fermat Numbers
6 Primality of Fermat Numbers
7 Infinitude of Fermat Primes
8 Divisibility of Fermat Numbers
9 Mersenne Numbers and Fermat Numbers
10 Applications of Prime Numbers
11 Reference










1. Introduction
Prime numbers are widely studied in the field of number theory, and they have many
beautiful properties and applications. Euclid first proved that the number of primes is
infinite: there is no largest prime number, just as there is no largest number!
Euclid started by looking at the known primes and adding one to their product. For
example, both 2 and 3 are primes, and their product plus 1 is also a prime: 2*3+1 = 7. The nice
but not beautiful thing about this is that sometimes this procedure will produce a prime
and sometimes it will not!
Although Euclid did not find a way of using this procedure to produce only primes,
he did find that it can easily be used to show that there are infinitely many primes!!
Proof: Let us suppose that

are prime numbers. Multiply them together and


add 1, calling this number a new integer q . If q is a prime number, then we have a
new prime. If q is not a prime, it must be divisible by a prime number r . But r cannot
be

or any other from our original list of prime numbers, because if you divide q by
any of

you will get a remainder 1, which means that q is not divisible by


any of these prime numbers. So r is a new prime. Whichever way you choose to look
at it, either you have found a new prime q, or, if q is not a prime, then you have found
that it has a new prime as a prime factor.
Fig.1 Counting function of prime numbers.
The distribution of primes seems to be complicated and a little bit random. The
sequence of primes can be presented graphically in terms of a step
function or counting function, traditionally denoted $\pi(x)$. The height
of the graph at horizontal position x indicates the number of primes less than or equal
to x. Hence at each prime value of x we see a vertical jump of one unit. The positions
of primes constitute just about the most fundamental, inarguable, nontrivial
information available to our consciousness. Zooming much further out, we would expect
to see the "granular" nature of the actual graph vanish into the pixelation of the
screen.
Fig.2 Approximate by x/log x.
In 1896, de la Vallée Poussin and Hadamard simultaneously proved what had been
suspected for several decades, and what is now known as the prime number theorem:
$\pi(x) \sim x/\log x$ (1)
In words, the (discontinuous) prime counting function $\pi(x)$ is asymptotic to the
(smooth) logarithmic function $x/\log x$. This means that the ratio of $\pi(x)$ to $x/\log x$ can
be made arbitrarily close to 1 by taking x large enough. Hence $x/\log x$ provides
an approximation of the number of primes less than or equal to x, and if we take
sufficiently large x this approximation can be made as accurate as we would like
(proportionally speaking; very simply, as close to 100% accuracy as is desired).








[Fig. 2 plot: $\pi(x)$ and $x/\ln(x)$ for $0 \le x \le 10000$ on the horizontal axis, counts from 0 to 1400 on the vertical axis.]

2. Background of Fermat Numbers
One approach to investigating prime numbers is to study numbers of a certain form.
For example, it has been proven that there are infinitely many primes of the form $a + nd$,
where $d \ge 2$ and $\gcd(d, a) = 1$ (Dirichlet's theorem). On the other hand, it is still an
open question whether there are infinitely many primes of the form

+ 1
In this paper, we will discuss in particular numbers of the form $2^{2^n} + 1$ where n
is a nonnegative integer. They are called Fermat numbers, named after the French
mathematician Pierre de Fermat (1601-1665) who first studied numbers of this form.
It is still an open problem whether there are infinitely many primes of the form
$2^{2^n} + 1$. We will not be able to answer this question in this paper, but we will prove
some basic properties of Fermat numbers and discuss their primality and divisibility.
We will also briefly mention numbers of the form $2^n - 1$ where n is a positive integer.
They are called Mersenne numbers, named after the French mathematician Marin
Mersenne. In section 9, we will see how Mersenne numbers relate to the primality of
Fermat numbers.


Pierre de Fermat (1601-1665)    Marin Mersenne (1588-1648)
Fig.3 Pierre de Fermat and Marin Mersenne.

Fermat first conjectured that all numbers of the form $2^{2^n} + 1$ are primes.
However, in 1732, Leonhard Euler refuted this claim by showing that
$F_5 = 2^{32} + 1 = 4{,}294{,}967{,}297 = 641 \times 6{,}700{,}417$ is composite. Euler proved that every factor
of $F_n$ must have the form $k \cdot 2^{n+1} + 1$ (later improved to $k \cdot 2^{n+2} + 1$ by Lucas; see footnote 1). It is
widely believed that Fermat was aware of the form of the factors later proved by Euler,
so it seems curious that he failed to follow through on the straightforward calculation
to find the factor. One common explanation is that Fermat made a computational
mistake and was so convinced of the correctness of his claim that he failed to
double-check his work.

Footnote 1. A theorem of Édouard Lucas: any prime divisor p of $F_n = 2^{2^n} + 1$ is of the form $k \cdot 2^{n+2} + 1$.
It then became a question whether there are infinitely many primes of the form
$2^{2^n} + 1$. Primes of this form are called Fermat primes. To date there are only
five known Fermat primes. (See section 4 for more details on the current status of
Fermat numbers.) In fact, little is known about Fermat numbers with large n. Each of
the following is still an open problem:
1. Is $F_n$ composite for all n > 4?
2. Are there infinitely many Fermat primes?
3. Are there infinitely many composite Fermat numbers?
In 1796, the German mathematician Carl Friedrich Gauss (1777-1855) found an
interesting relationship between the Euclidean construction (i.e. by ruler and compass)
of regular polygons and Fermat primes. His theorem is known as Gauss's Theorem.

Gauss's Theorem:
There exists a Euclidean construction of the regular n-gon if and only if
$n = 2^i p_1 p_2 \cdots p_j$, where $n \ge 3$, $i \ge 0$, $j \ge 0$, and $p_1, \dots, p_j$ are distinct Fermat primes.

Gauss's theorem implies that all $2^n$-gons for $n \ge 2$ are constructible. Moreover, since
so far only five Fermat numbers are known to be prime, it implies that for n odd, there
are only $2^5 - 1 = 31$ n-gons that are known to be Euclidean constructible. If it turns
out that there is only a finite number of Fermat primes, then this theorem would imply
that there is only a finite number of Euclidean constructible n-gons for n odd. The
figure below shows five Euclidean constructible n-gons.

Fig. 4 Triangle, pentagon, heptadecagon, 257-gon and 65537-gon.







3. Geometric Interpretation of Fermat Numbers
As Gauss's theorem suggests, Fermat numbers might be closely related to some
problems in geometry. It is hence useful to understand what they mean
geometrically. A Fermat number $F_n = 2^{2^n} + 1$ (for $n \ge 1$) can be thought of as a
square whose side length is $2^{2^{n-1}}$ plus a unit square (see figure 5). Hence, determining
whether a (Fermat) number is composite or not is equivalent to determining whether
we can rearrange the unit-square blocks to form a rectangle. Moreover, determining
whether an integer d divides a (Fermat) number is the same as deciding whether we
can reorganize the blocks to form a rectangle with base d; or alternatively, we can also
think of it as determining whether we can fill the area with a number of $r \times d$
unit-square blocks for some integer r (see figure 5).

$F_2 = 4^2 + 1 = 17$

$F_2 = 17$ is not composite because no matter how you
rearrange the blocks, you cannot get a rectangle.

$F_2 = 17$ is not divisible by 3.
Fig.5 Geometric interpretation of Fermat numbers

Some of the properties we will prove in section 5 can be easily understood if we
interpret them geometrically. We will also make remarks on several of them.





4. Factoring Status of Fermat Numbers
Because of the size of Fermat numbers, it is difficult to factorize them or to prove
their primality. Pépin's test gives a necessary and sufficient condition for the primality
of Fermat numbers, and can be implemented on modern computers. The elliptic curve
method is a fast method for finding small prime divisors of numbers. The distributed
computing project Fermatsearch has successfully found some factors of Fermat
numbers. Yves Gallot's proth.exe has been used to find factors of large Fermat
numbers. Édouard Lucas, improving the above-mentioned result by Euler, proved in
1878 that every factor of the Fermat number $F_n$, with n at least 2, is of the form
$k \cdot 2^{n+2} + 1$, where k is a positive integer; this is in itself almost sufficient to prove the primality
of the known Fermat primes.
The table below only shows the factoring status of Fermat numbers up to n = 200.
For the up-to-date status of Fermat numbers and other details, see
http://www.prothsearch.net/fermat.html#Summary.

[Colour-coded status table for $F_0$ to $F_{200}$, not reproduced. Its legend: Prime; Composite with no known factors; Composite with complete factorization; Composite with incomplete factorization; Unknown.]



Completely factored Fermat numbers $F_m$ (prime factors of the form $k \cdot 2^n + 1$; by Lucas's theorem $n \ge m + 2$)

m  | k                    | n  | Year        | Discoverer
-----------------------------------------------------------------------------------
5  | 5                    | 7  | 1732        | L. Euler
5  | 52347                | 7  | 1732        | L. Euler
6  | 1071                 | 8  | 1855        | T. Clausen; F. Landry 1880
6  | 262814145745         | 8  | 1855        | T. Clausen; F. Landry & H. Le Lasseur 1880
7  | 116503103764643      | 9  | 13 Sep 1970 | M. A. Morrison & J. Brillhart
7  | 11141971095088142685 | 9  | 13 Sep 1970 | M. A. Morrison & J. Brillhart
8  | 604944512477         | 11 | 1980        | R. P. Brent & J. M. Pollard
8  | [59 digits]          | 11 | 1980        | R. P. Brent & J. M. Pollard
9  | 37                   | 16 | 1903        | A. E. Western
9  | [46 digits]          | 11 | 15 Jun 1990 | A. K. Lenstra, M. S. Manasse & a larger team
9  | [96 digits]          | 11 | 15 Jun 1990 | A. K. Lenstra, M. S. Manasse & a larger team
10 | 11131                | 12 | 15 Aug 1953 | J. L. Selfridge
10 | 395937               | 14 | 1962        | J. Brillhart
10 | [37 digits]          | 12 | 20 Oct 1995 | R. P. Brent
10 | [248 digits]         | 13 | 1995        | R. P. Brent
11 | 39                   | 13 | 1899        | A. Cunningham
11 | 119                  | 13 | 1899        | A. Cunningham
11 | 10253207784531279    | 14 | 17 May 1988 | R. P. Brent
11 | 434673084282938711   | 13 | 13 May 1988 | R. P. Brent
11 | [560 digits]         | 13 | 20 Jun 1988 | R. P. Brent & F. Morain

The 46-digit k (the [46 digits] entry for $F_9$) is 3640431067210880961102244011816628378312190597.
The 37-digit k (the [37 digits] entry for $F_{10}$) is 1137640572563481089664199400165229051.

Further, on May 14, 2013, as part of PrimeGrid's Proth Prime Search, Marshall
Bishop found that $57 \cdot 2^{2747499} + 1$ divides $F_{2747497}$. This is now the largest Fermat
number known to be composite.




5. Basic Properties of Fermat Numbers
In this section, we will prove some basic properties of Fermat numbers.
Theorem 1. For $n \ge 1$, $F_n = (F_{n-1} - 1)^2 + 1$.
Proof. $(F_{n-1} - 1)^2 + 1 = (2^{2^{n-1}} + 1 - 1)^2 + 1 = (2^{2^{n-1}})^2 + 1 = 2^{2^n} + 1 = F_n$.
Remark 1. This theorem is obvious if we interpret it geometrically:

Fig 6. Any Fermat number $F_n$ is exactly a square with side length $2^{2^{n-1}}$ plus
a unit square.

Theorem 2. For $n \ge 1$, $F_n = F_0 F_1 \cdots F_{n-1} + 2$.
Proof. We will prove this by induction.
When n = 1, we have $F_0 + 2 = 3 + 2 = 5 = F_1$.
Now assume $F_n = F_0 F_1 \cdots F_{n-1} + 2$.
Then,
$F_0 F_1 \cdots F_n + 2 = (F_0 F_1 \cdots F_{n-1}) F_n + 2$
$= (F_n - 2) F_n + 2$ (induction hypothesis)
$= (2^{2^n} - 1)(2^{2^n} + 1) + 2$
$= 2^{2^{n+1}} - 1 + 2 = 2^{2^{n+1}} + 1 = F_{n+1}$.

Remark 2. To understand the proof of Theorem 2 geometrically, we can think of
$F_n - 2$ as a square with side length $2^{2^{n-1}}$ minus a unit square (Theorem 1, see Fig. 7 (a)).
It is divisible by $F_{n-1} = 2^{2^{n-1}} + 1$ because we can form a rectangle by moving the
top row and making it a column on the right (Fig. 7 (b)). To see that it is also divisible
by $F_{n-k}$ for $2 \le k \le n$, we can use the induction hypothesis that $F_{n-k}$ divides
$F_{n-1} - 2 = 2^{2^{n-1}} - 1$. It means that we can fill each column of the rectangle in
figure 7 (b) evenly by r blocks of size $F_{n-k}$ for some integer r.

(a) A $2^{2^{n-1}} \times 2^{2^{n-1}}$ square minus a unit square
(b) A $(2^{2^{n-1}} - 1) \times (2^{2^{n-1}} + 1)$ rectangle
(c) Each column can be filled evenly by $F_{n-k}$.
Fig 7. Geometric interpretation of $F_n = F_0 F_1 \cdots F_{n-1} + 2$.

6. Primality of Fermat Numbers
Recall that we have defined Fermat numbers to be numbers of the form $2^{2^n} + 1$
where n is a nonnegative integer. There is actually another definition for Fermat
numbers, namely numbers of the form $2^n + 1$ where n is a nonnegative integer.
We have chosen the former definition because it seems to be more commonly used
and it gives the properties that we have proved earlier. However, if we are only
interested in Fermat numbers that are primes, then it does not matter which definition
we use, as we will see from the next theorem.

Theorem 3. [Reference3] If $2^n + 1$ is a prime, then n is a power of 2.

Proof. Suppose n is a positive integer that is not a power of 2. Then we can write
$n = 2^r s$ for some nonnegative integer r and some positive odd integer s, where $s > 1$
because n is not a power of 2. Also recall the identity
$a^s - b^s = (a - b)(a^{s-1} + a^{s-2} b + \cdots + b^{s-1})$,
which implies that $a - b$ divides $a^s - b^s$. Now substituting $a = 2^{2^r}$, $b = -1$ and $n = 2^r s$
(so that $b^s = -1$ because s is odd), we have that $2^{2^r} + 1$ divides $2^{2^r s} + 1 = 2^n + 1$.
However, $2^r < n$, so this divisor lies strictly between 1 and $2^n + 1$, which means that
$2^n + 1$ is not a prime. Hence, n must be a power of 2 in order for $2^n + 1$ to be a
prime.
The next theorem concerns the properties of Fermat primes.

Theorem 4. [Reference1, p. 31] No Fermat prime can be expressed as the difference of
two pth powers, where p is an odd prime.
Proof. Assume for contradiction that there is such a Fermat prime. Then
$F_n = a^p - b^p = (a - b)(a^{p-1} + a^{p-2} b + \cdots + b^{p-1})$, where $a > b$ and p is an odd prime.
Since $F_n$ is a prime, it must be the case that $a - b = 1$. Moreover, by Fermat's Little
Theorem, $a^p \equiv a \pmod p$ and $b^p \equiv b \pmod p$. Thus, $F_n = a^p - b^p \equiv a - b = 1 \pmod p$.
This implies $p \mid F_n - 1 = 2^{2^n}$, which is impossible because the only prime
that divides $2^{2^n}$ is 2, while p is odd.

Note:
Fermat's little theorem states that if p is a prime number, then for any integer a, the
number $a^p - a$ is an integer multiple of p. In the notation of modular arithmetic, this is
expressed as
$a^p \equiv a \pmod p$.
If a is not divisible by p, Fermat's little theorem is equivalent to the statement
that $a^{p-1} - 1$ is an integer multiple of p:
$a^{p-1} \equiv 1 \pmod p$.

7. Infinitude of Fermat Primes
As we have noted before, there are only five known Fermat primes so far. In fact, it
has been shown that $F_n$ is composite for $5 \le n \le 32$ and for many other larger n (from
section 4). Whether there is an infinite number of Fermat primes is still an open
question, and below is a heuristic argument that suggests there is only a finite
number of them. This argument is due to Hardy and Wright [Reference1, p.158].

There is only a finite number of Fermat primes.
Recall that the Prime Number Theorem says $\pi(x) \sim x/\log x$, where $\pi(x)$ is the number
of primes $\le x$. Hence $\pi(x) < Ax/\log x$ for some constant A, and the probability that x
is a prime is at most $A/\log x$. For $x = 2^{2^n} + 1$, the probability that it is a prime is at most
$A/\log(2^{2^n} + 1) < A/\log(2^{2^n}) = A/(2^n \log 2) = [A/\log 2]/2^n$.
Hence, the expected number of primes of this form is at most
$\sum_{n \ge 0} [A/\log 2]/2^n = 2A/\log 2$, which is a finite number.

However, we must be careful: this argument does not prove that there are really
only finitely many Fermat primes. After all, it is only a heuristic, as we can see in a
similar argument below.

There are infinitely many primes of the form $2^n + 1$.
Using the exact same argument as above, but with a lower bound $\pi(x) > Bx/\log x$ for some
constant B, the expected number of primes of this form is $> \sum_{n \ge 1} B/(n \log 2)$, which diverges.

But we know from Theorem 3 that the sets $\{2^{2^n} + 1 : \text{it is a prime}\}$ and
$\{2^n + 1 : \text{it is a prime}\}$ are the same set. This latter argument suggests that Hardy and Wright's argument
does not take into account the properties of Fermat numbers. That is to say, the
variable x is not that random. It works largely because the gaps between successive
Fermat numbers are extremely large. Nevertheless, given any number (even a number
of a particular form), it is more likely to be composite than prime. Therefore,
bounding the probability of it being a prime from below gives a weaker
argument than bounding it from above.

8. Divisibility of Fermat Numbers
In the last two sections, we focused on the primality of Fermat numbers and the
properties of Fermat primes. However, if a Fermat number is found to be composite,
we are interested in what its factorization is, or at least, what properties its divisors
must have. We will end our discussion of Fermat numbers in this section by
proving several theorems about their divisors.

Theorem 5. [Reference1, p.37] Let $q = p^m$ be a power of an odd prime p, where
$m \ge 1$. Then the Fermat number $F_n$ is divisible by q if and only if $\mathrm{ord}_q 2 = 2^{n+1}$
(see footnote 2 for the multiplicative order).
Proof. First suppose $q \mid F_n$. Then $q \mid (2^{2^n} + 1)(2^{2^n} - 1) = 2^{2^{n+1}} - 1$, and hence
$2^{2^{n+1}} \equiv 1 \pmod q$. It follows that $2^{n+1} = k \cdot \mathrm{ord}_q 2$ for some positive integer k. Thus k
is a power of 2 and so is $\mathrm{ord}_q 2$. Let $e = \mathrm{ord}_q 2 = 2^j$. If $j < n + 1$, then $2^j$ divides $2^n$
and we have $q \mid 2^{2^j} - 1 \mid 2^{2^n} - 1$. But this is impossible, because $q \mid 2^{2^n} + 1$ as well,
so q would divide the difference 2, while $q \ne 2$. Hence $j = n + 1$ and so $\mathrm{ord}_q 2 = 2^{n+1}$.
Conversely, if we assume that $\mathrm{ord}_q 2 = 2^{n+1}$, then $q \mid 2^{2^{n+1}} - 1 = (2^{2^n} + 1)(2^{2^n} - 1)$.
Since q is a power of an odd prime and the two factors are coprime (they are odd and
differ by 2), q divides either $2^{2^n} + 1$ or $2^{2^n} - 1$. But q cannot divide $2^{2^n} - 1$ because
$2^n < \mathrm{ord}_q 2$. Hence $q \mid 2^{2^n} + 1 = F_n$.

Theorem 6 (Euler). [Reference1, p. 38] If p is a prime and $p \mid F_n$, then p is of the form
$p = k \cdot 2^{n+1} + 1$, where k is a positive integer.

Proof. By Fermat's little theorem, $2^{p-1} \equiv 1 \pmod p$, and it follows that $\mathrm{ord}_p 2 \mid p - 1$.
Hence, $k \cdot \mathrm{ord}_p 2 = p - 1$ for some positive integer k, and by Theorem 5 (with $q = p$),
$p = k \cdot \mathrm{ord}_p 2 + 1 = k \cdot 2^{n+1} + 1$.

Footnote 2. In number theory, given an integer a and a positive integer n with $\gcd(a, n) = 1$, the multiplicative
order of a modulo n is the smallest positive integer k with $a^k \equiv 1 \pmod n$.
The order of a modulo n is usually written $\mathrm{ord}_n(a)$.
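The statements of sections 4, 5 and 8 can be checked on actual Fermat numbers. The Python below is an added example, not code from this tutorial or its references: it applies the standard Pépin criterion (the test is named in section 4 but its formula is not stated there), searches for a factor of $F_5$ only among the Euler/Lucas candidates $k \cdot 2^{n+2} + 1$, verifies Theorem 2, and computes $\mathrm{ord}_q 2$ for q = 641 as Theorem 5 predicts. All function names are the example's own.

```python
from functools import reduce
from math import gcd


def fermat_number(n):
    """F_n = 2^(2^n) + 1."""
    return (1 << (1 << n)) + 1


def pepin_test(n):
    """Pepin's test (standard criterion, assumed here; the page only names it):
    for n >= 1, F_n is prime iff 3^((F_n - 1)/2) == -1 (mod F_n)."""
    if n < 1:
        raise ValueError("Pepin's test applies to n >= 1")
    f = fermat_number(n)
    return pow(3, (f - 1) // 2, f) == f - 1


def factor_by_lucas_form(n, max_k=10**7):
    """Trial division restricted to Lucas candidates k*2^(n+2)+1 (valid for n >= 2).
    Returns (k, p) for the first candidate dividing F_n, or None if none exists
    below sqrt(F_n), in which case F_n is prime."""
    f = fermat_number(n)
    step = 1 << (n + 2)
    for k in range(1, max_k + 1):
        p = k * step + 1
        if p * p > f:
            return None
        if f % p == 0:
            return k, p
    return None


def multiplicative_order(a, q):
    """ord_q(a) as in footnote 2: the smallest k >= 1 with a^k == 1 (mod q)."""
    if gcd(a, q) != 1:
        raise ValueError("order is only defined for gcd(a, q) == 1")
    k, x = 1, a % q
    while x != 1:
        x = (x * a) % q
        k += 1
    return k


def product_plus_two(n):
    """Right-hand side of Theorem 2: F_0 * F_1 * ... * F_{n-1} + 2."""
    return reduce(lambda acc, i: acc * fermat_number(i), range(n), 1) + 2


if __name__ == "__main__":
    print([pepin_test(n) for n in range(1, 6)])      # F_1..F_4 prime, F_5 composite
    k, p = factor_by_lucas_form(5)                   # Euler's factor 641 = 5 * 2^7 + 1
    print(k, p, fermat_number(5) // p)
    print(multiplicative_order(2, p))                # 64 = 2^(5+1), as Theorem 5 says
```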

9. Mersenne Numbers and Fermat Numbers
Recall that we have defined Mersenne numbers to be numbers of the form
$M_n = 2^n - 1$ where n is a positive integer. Some definitions require n to be a prime.
However, as in the case of Fermat numbers, if we are only interested in Mersenne
numbers that are primes, then it does not matter which definition we choose. We can
see that in the following theorem. Mersenne primes take their name from the
17th-century French scholar Marin Mersenne, who compiled what was supposed to be
a list of Mersenne primes with exponents up to 257. His list was largely incorrect, as
Mersenne mistakenly included $M_{67}$ and $M_{257}$ (which are composite), and
omitted $M_{61}$, $M_{89}$, and $M_{107}$ (which are prime). Mersenne gave little indication how he
came up with his list.
Though it was believed by early mathematicians that $M_p$ is prime for all
primes p, $M_p$ is very rarely prime. In fact, of the 1,622,441 prime numbers p up to
25,964,951, $M_p$ is prime for only 42 of them. The smallest counterexample is the
Mersenne number
$M_{11} = 2^{11} - 1 = 2047 = 23 \times 89$.
The lack of any simple test to determine whether a given Mersenne number is prime
makes the search for Mersenne primes a difficult task, since Mersenne numbers grow
very rapidly. The Lucas-Lehmer primality test (LLT) is an efficient primality test that
greatly aids this task. The search for the largest known prime has somewhat of a cult
following. Consequently, a lot of computer power has been expended searching for
new Mersenne primes, much of which is now done using distributed computing.
Mersenne primes are used in pseudorandom number generators such as
the Mersenne twister, the Park-Miller random number generator, the Generalized Shift
Register and the Fibonacci RNG.
The best method presently known for testing the primality of Mersenne numbers
is the Lucas-Lehmer primality test. Specifically, it can be shown that for
prime p > 2, $M_p = 2^p - 1$ is prime if and only if $M_p$ divides $S_{p-2}$, where $S_0 = 4$ and,
for k > 0, $S_k = S_{k-1}^2 - 2$. The search for Mersenne primes was revolutionized by the
introduction of the electronic digital computer, as can be seen in Fig.8.

Fig.8 Graph of the number of digits in the largest known Mersenne prime by
year, electronic era.

Theorem 7. [Reference4] A Mersenne number $M_n = 2^n - 1$ is prime only if n is a
prime.
Proof. Recall the identity $2^{ab} - 1 = (2^a - 1)(1 + 2^a + 2^{2a} + \cdots + 2^{(b-1)a})$.
Hence if $n = ab$ is not a prime (with $1 < a < n$), then $M_n = 2^n - 1$ is divisible by
$2^a - 1 \ne 1$, and $2^a - 1 < M_n$, so $M_n$ is composite.

The next theorem shows how Mersenne numbers relate to the primality of the
associated Fermat numbers.

Theorem 8. [Reference1, p.44] If p is a prime, then all Mersenne numbers $M_p$ are
prime or pseudoprimes to the base 2 (see footnote 3).
Proof. Let $M_p = 2^p - 1$ be a Mersenne number where p is a prime. If $M_p$ is
composite, then p is odd (since $M_2 = 3$ is prime). By Fermat's little theorem,
$(M_p - 1)/2 = 2^{p-1} - 1 \equiv 0 \pmod p$. So $(M_p - 1)/2 = kp$ for some positive integer k. Hence,
$M_p = 2^p - 1 \mid 2^{kp} - 1 = 2^{(M_p - 1)/2} - 1$. It is equivalent to say that
$2^{(M_p - 1)/2} \equiv 1 \pmod{M_p}$, which implies that $2^{M_p - 1} \equiv 1 \pmod{M_p}$.

Footnote 3. Fermat's little theorem states that if p is prime and a is coprime to p, then $a^{p-1} - 1$ is divisible by p. If
a composite integer x is coprime to an integer a > 1 and x divides $a^{x-1} - 1$, then x is called a Fermat
pseudoprime to base a. Some sources use variations of this definition, for example to only allow odd
numbers to be pseudoprimes.
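The Lucas-Lehmer test as stated above, run over Mersenne's own range of exponents (up to 257), together with the base-2 pseudoprime property of Theorem 8 checked on $M_{11} = 2047$. This Python is an added example, not code from the tutorial or its references; the helper names are its own.

```python
def is_prime_small(n):
    """Trial division; sufficient for the exponents p <= 257 used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def lucas_lehmer(p):
    """LLT as stated on the page: for prime p > 2, M_p = 2^p - 1 is prime iff
    M_p divides S_{p-2}, where S_0 = 4 and S_k = S_{k-1}^2 - 2.
    M_2 = 3 is prime and is handled separately because the recurrence
    needs at least one step."""
    if not is_prime_small(p):
        raise ValueError("by Theorem 7, M_p can only be prime for prime p")
    if p == 2:
        return True
    m = (1 << p) - 1
    s = 4
    for _ in range(p - 2):
        s = (s * s - 2) % m   # reduce mod M_p every step so numbers stay p bits long
    return s == 0


def mersenne_prime_exponents(limit):
    """All p <= limit with M_p prime; compare with Mersenne's list up to 257."""
    return [p for p in range(2, limit + 1) if is_prime_small(p) and lucas_lehmer(p)]


def passes_fermat_base2(m):
    """The property proved in Theorem 8: 2^(m-1) == 1 (mod m). It holds for every
    M_p with p prime, so a composite M_p that passes is a base-2 pseudoprime."""
    return pow(2, m - 1, m) == 1


def smallest_odd_factor(m):
    """Smallest factor >= 3 of an odd m (m itself if m is prime); for M_11 this is 23."""
    d = 3
    while d * d <= m:
        if m % d == 0:
            return d
        d += 2
    return m


if __name__ == "__main__":
    print(mersenne_prime_exponents(257))   # Mersenne's list corrected by LLT
    print(lucas_lehmer(11), smallest_odd_factor(2047), passes_fermat_base2(2047))
```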

10. Applications of Prime Numbers
1. Pseudorandom Number Generation
Fermat primes are particularly useful in generating pseudo-random sequences of
numbers in the range 1 to N, where N is a power of 2. The most common method
used is to take any seed value between 1 and $P - 1$, where P is a Fermat prime. Now
multiply this by a number A, which is greater than the square root of P and is
a primitive root modulo P (i.e., it is not a quadratic residue). Then take the result
modulo P. The result is the new value for the RNG:
$V_{j+1} = (A \cdot V_j) \bmod P$
This is useful in computer science since most data structures have members with
$2^X$ possible values. For example, a byte has 256 ($2^8$) possible values (0-255).
Therefore, to fill a byte or bytes with random values, a random number generator
which produces values 1-256 can be used, the byte taking the output value minus 1. Very
large Fermat primes are of particular interest in data encryption for this reason. This
method produces only pseudorandom values as, after $P - 1$ repetitions, the sequence
repeats. A poorly chosen multiplier can result in the sequence repeating sooner
than $P - 1$.
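The multiplicative generator above with P = 257 (the Fermat prime $F_3$), as an added Python example that is not part of the tutorial: it selects A by the page's rule (A greater than the square root of P and a quadratic non-residue), measures the period of the sequence, and shows how a poorly chosen multiplier shortens it. Function names are the example's own.

```python
from math import isqrt


def is_primitive_root(a, p):
    """For a Fermat prime p (p - 1 is a power of two) the primitive roots are exactly
    the quadratic non-residues, as the text notes; Euler's criterion decides that:
    a is a non-residue iff a^((p-1)/2) == -1 (mod p). Assumes p is prime."""
    assert p > 2 and (p - 1) & (p - 2) == 0, "p - 1 must be a power of two"
    return pow(a, (p - 1) // 2, p) == p - 1


def choose_multiplier(p):
    """Smallest A > sqrt(P) that is a primitive root, the rule given on the page."""
    for a in range(isqrt(p) + 1, p):
        if is_primitive_root(a, p):
            return a
    raise ValueError("no primitive root found")


def period(seed, a, p):
    """Number of steps of V_{j+1} = A * V_j mod P until the sequence returns to seed.
    A primitive root gives the full period P - 1; a multiplier of small order does not."""
    assert 1 <= seed < p
    v, steps = (a * seed) % p, 1
    while v != seed:
        v, steps = (a * v) % p, steps + 1
    return steps


def random_bytes(seed, a, p, count):
    """Run the generator and emit V - 1, which for P = 257 lies in 0..255."""
    out, v = [], seed
    for _ in range(count):
        v = (a * v) % p
        out.append(v - 1)
    return out


if __name__ == "__main__":
    P = 257
    A = choose_multiplier(P)
    print(A, period(1, A, P))          # full period 256
    print(period(1, 16, P))            # 16 = 2^4 has order 4 mod 257: period collapses to 4
    print(random_bytes(1, A, P, 8))    # first eight byte values
```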

2. RSA Encryption
RSA is an algorithm for public-key cryptography that is based on the presumed
difficulty of factoring large integers, the factoring problem. RSA stands for Ron
Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm
in 1977. A user of RSA creates and then publishes the product of two large prime
numbers, along with an auxiliary value, as their public key. The prime factors must be
kept secret. Anyone can use the public key to encrypt a message, but with currently
published methods, if the public key is large enough, only someone with knowledge
of the prime factors can feasibly decode the message. Whether breaking
RSA encryption is as hard as factoring is an open question known as the RSA
problem.

The RSA algorithm involves three steps: key generation, encryption and decryption.
Key generation:
RSA involves a public key and a private key. The public key can be known by
everyone and is used for encrypting messages. Messages encrypted with the public
key can only be decrypted in a reasonable amount of time using the private key. The
keys for the RSA algorithm are generated the following way:
1. Choose two distinct prime numbers p and q.
For security purposes, the integers p and q should be chosen at random, and
should be of similar bit-length. Prime integers can be efficiently found using
a primality test.
2. Compute $n = pq$.
n is used as the modulus for both the public and private keys. Its length, usually
expressed in bits, is the key length.
3. Compute $\varphi(n) = \varphi(p)\varphi(q) = (p - 1)(q - 1)$, where $\varphi$ is Euler's totient function.
4. Choose an integer e such that $1 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$; i.e. e and $\varphi(n)$
are coprime.
e is released as the public key exponent.
e having a short bit-length and small Hamming weight results in more
efficient encryption; most commonly $e = 2^{16} + 1 = 65{,}537$. However,
much smaller values of e (such as 3) have been shown to be less secure
in some settings.
5. Determine d as $d \equiv e^{-1} \pmod{\varphi(n)}$, i.e., d is the multiplicative
inverse of e (modulo $\varphi(n)$).
This is more clearly stated as: solve for d given $de \equiv 1 \pmod{\varphi(n)}$.
This is often computed using the extended Euclidean algorithm.
d is kept as the private key exponent.
By construction, $de \equiv 1 \pmod{\varphi(n)}$. The public key consists of the modulus n and
the public (or encryption) exponent e. The private key consists of the modulus n and
the private (or decryption) exponent d, which must be kept secret. p, q, and $\varphi(n)$ must
also be kept secret because they can be used to calculate d.

Encryption:
Alice transmits her public key (n, e) to Bob and keeps the private key secret. Bob
then wishes to send message M to Alice.
He first turns M into an integer m, such that $0 \le m < n$, by using an agreed-upon
reversible protocol known as a padding scheme. He then computes the
ciphertext c corresponding to
$c \equiv m^e \pmod n$.
This can be done quickly using the method of exponentiation by squaring. Bob then
transmits c to Alice.
Decryption:
Alice can recover m from c by using her private key exponent d via computing
$m \equiv c^d \pmod n$.
Given m, she can recover the original message M by reversing the padding scheme.
(In practice, there are more efficient methods of calculating $c^d$ using the precomputed
values below.)
Using the Chinese remainder algorithm
For efficiency many popular crypto libraries (like OpenSSL, Java and .NET) use the
following optimization for decryption and signing based on the Chinese remainder
theorem. The following values are precomputed and stored as part of the private key:
p and q: the primes from the key generation,
$d_P = d \bmod (p - 1)$,
$d_Q = d \bmod (q - 1)$ and
$q_{inv} = q^{-1} \bmod p$.
These values allow the recipient to compute the exponentiation $m = c^d \pmod{pq}$ more
efficiently as follows:
$m_1 = c^{d_P} \bmod p$,
$m_2 = c^{d_Q} \bmod q$,
$h = q_{inv}(m_1 - m_2) \bmod p$ (if $m_1 < m_2$ then some libraries
compute h as $q_{inv}(m_1 + \lceil q/p \rceil p - m_2) \bmod p$),
$m = m_2 + h q$.
This is more efficient than computing $m \equiv c^d \pmod{pq}$ even though two modular
exponentiations have to be computed. The reason is that these two modular
exponentiations both use a smaller exponent and a smaller modulus.

A working example
Here is an example of RSA encryption and decryption. The parameters used here are
artificially small, but one can also use OpenSSL to generate and examine a real
keypair.
1. Choose two distinct prime numbers, such as p = 61 and q = 53.
2. Compute $n = pq$, giving $n = 61 \cdot 53 = 3233$.
3. Compute the totient of the product as $\varphi(n) = (p - 1)(q - 1)$, giving
$\varphi(3233) = (61 - 1)(53 - 1) = 3120$.
4. Choose any number $1 < e < 3120$ that is coprime to 3120. Choosing a prime
number for e leaves us only to check that e is not a divisor of 3120.
Let e = 17.
5. Compute d, the modular multiplicative inverse of e (mod $\varphi(n)$), yielding
d = 2753.
The public key is (n = 3233, e = 17). For a padded plaintext message m, the
encryption function is
$c \equiv m^{17} \pmod{3233}$.
The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption
function is
$m \equiv c^{2753} \pmod{3233}$.
For instance, in order to encrypt m = 65, we calculate
$c \equiv 65^{17} \pmod{3233} = 2790$.
To decrypt c = 2790, we calculate
$m \equiv 2790^{2753} \pmod{3233} = 65$.

Practical implementations use the Chinese remainder theorem to speed up the
calculation using the moduli of the factors (mod pq using mod p and mod q).
The values $d_P$, $d_Q$ and $q_{inv}$, which are part of the private key, are computed as follows:
$d_P = d \bmod (p - 1) = 2753 \bmod (61 - 1) = 53$
$d_Q = d \bmod (q - 1) = 2753 \bmod (53 - 1) = 49$
$q_{inv} = q^{-1} \bmod p = 53^{-1} \bmod 61 = 38$
(Hence: $q_{inv} \cdot q \bmod p = 38 \cdot 53 \bmod 61 = 1$.)
Here is how $d_P$, $d_Q$ and $q_{inv}$ are used for efficient decryption. (Encryption is efficient
by choice of the public exponent e.)
$m_1 = c^{d_P} \bmod p = 2790^{53} \bmod 61 = 4$
$m_2 = c^{d_Q} \bmod q = 2790^{49} \bmod 53 = 12$
$h = q_{inv}(m_1 - m_2) \bmod p = 38 \cdot (4 - 12) \bmod 61 = 1$
$m = m_2 + h q = 12 + 1 \cdot 53 = 65$
(same as above but computed more efficiently)
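The worked example above carried out in code: key generation with the extended Euclidean algorithm, textbook encryption and decryption, and CRT decryption including the $m_1 < m_2$ variant. This Python is an added example, not code from the tutorial or from any library; the function names are its own, and it is unpadded textbook RSA used only to show the arithmetic.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """Multiplicative inverse of a modulo m (step 5 of key generation)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("%d has no inverse modulo %d" % (a, m))
    return x % m


def keygen(p, q, e):
    """Steps 1-5 above for given distinct primes p, q and public exponent e.
    Returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) == 1")
    return (n, e), (n, modinv(e, phi))


def encrypt(pub, m):
    """c = m^e mod n for an already-padded integer 0 <= m < n (no padding scheme here)."""
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def decrypt(priv, c):
    """m = c^d mod n, the plain (non-CRT) decryption."""
    n, d = priv
    return pow(c, d, n)


def crt_params(p, q, d):
    """d_P, d_Q and q_inv, stored alongside the private key."""
    return d % (p - 1), d % (q - 1), modinv(q, p)


def decrypt_crt(p, q, d, c):
    """CRT decryption; returns (m1, m2, h, m) so intermediate values can be checked."""
    dP, dQ, qinv = crt_params(p, q, d)
    m1 = pow(c, dP, p)
    m2 = pow(c, dQ, q)
    h = (qinv * (m1 - m2)) % p   # Python's % maps a negative m1 - m2 into 0..p-1
    # The library variant for m1 < m2: add ceil(q/p)*p first; -(-q // p) is ceil(q/p).
    h_alt = (qinv * (m1 + -(-q // p) * p - m2)) % p
    assert h == h_alt, "both forms of h agree modulo p"
    return m1, m2, h, m2 + h * q


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)
    c = encrypt(pub, 65)
    print(pub, priv, c, decrypt(priv, c))        # (3233, 17) (3233, 2753) 2790 65
    print(crt_params(61, 53, priv[1]))           # (53, 49, 38)
    print(decrypt_crt(61, 53, priv[1], c))       # (4, 12, 1, 65)
```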

Proof using Fermat's little theorem
The proof of the correctness of RSA is based on Fermat's little theorem. This theorem
states that if p is prime and p does not divide an integer a then
$a^{p-1} \equiv 1 \pmod p$.
We want to show that $(m^e)^d \equiv m \pmod{pq}$ for every integer m when p and q are
distinct prime numbers and e and d are positive integers satisfying
$ed \equiv 1 \pmod{(p - 1)(q - 1)}$.
We can write
$ed - 1 = h(p - 1)(q - 1)$
for some nonnegative integer h.
To check that two numbers, like $m^{ed}$ and m, are congruent mod pq it suffices (and in fact is
equivalent) to check that they are congruent mod p and mod q separately. (This is part of
the Chinese remainder theorem, although it is not the significant part of that theorem.)
To show $m^{ed} \equiv m \pmod p$, we consider two cases: $m \equiv 0 \pmod p$ and $m \not\equiv 0 \pmod p$.
In the first case $m^{ed}$ is a multiple of p, so $m^{ed} \equiv 0 \equiv m \pmod p$. In the second case
$m^{ed} = m^{ed - 1} m = m^{h(p-1)(q-1)} m = (m^{p-1})^{h(q-1)} m \equiv 1^{h(q-1)} m = m \pmod p$,
where we used Fermat's little theorem to replace $m^{p-1} \bmod p$ with 1.
The verification that $m^{ed} \equiv m \pmod q$ proceeds in a similar way, treating separately
the cases $m \equiv 0 \pmod q$ and $m \not\equiv 0 \pmod q$, using Fermat's little theorem for
modulus q in the second case.
This completes the proof that, for any integer m,
$m^{ed} \equiv m \pmod{pq}$.

































11. Reference
[1] M. Krizek, F. Luca and L. Somer, 17 Lectures on Fermat Numbers: From
Number Theory to Geometry, Springer-Verlag, New York, 2001.
[2] W. Keller, Prime factors k2^n + 1 of Fermat numbers F_m and complete factoring
status.
http://www.prothsearch.net/fermat.html#Summary
[3] Fermat number
http://en.wikipedia.org/wiki/Fermat_numbers
[4] Mersenne number
http://en.wikipedia.org/wiki/Mersenne_numbers
[5] Distribution of primes tutorial
http://empslocal.ex.ac.uk/people/staff/mrwatkin/zeta/ss-e.htm
[6] Fermat Numbers - William Stein - University of Washington
[7] Sarah Flannery and David Flannery, In Code: A Mathematical Journey, 2001.
[8] RSA
http://en.wikipedia.org/wiki/RSA_(algorithm)
