Euler's Totient and Fermat's Theorem

Module 04c | Number Theory and RSA

euler_phi(), power_mod(), and the theoretical backbone of RSA

Question: Compute $3^{1{,}000{,}000} \bmod 7$ without a computer. Sounds impossible? Fermat says you only need to know that $3^6 \equiv 1 \pmod{7}$. Then $3^{1{,}000{,}000} = 3^{6 \cdot 166666 + 4} = (3^6)^{166666} \cdot 3^4 \equiv 1^{166666} \cdot 81 \equiv 81 \bmod 7 \equiv 4$. That's the power of this notebook.

Objectives

By the end of this notebook you will be able to:

1. Define Euler's totient function $\varphi(n)$ and compute it for any $n$.

2. Derive the product formula $\varphi(pq) = (p-1)(q-1)$ that makes RSA work.

3. State and verify Fermat's Little Theorem and its generalization, Euler's theorem.

4. Connect $\varphi(n)$ to element orders and Lagrange's theorem from Module 01e.

5. Explain why Euler's theorem guarantees RSA decryption correctness.

Prerequisites

• Completion of 04a: Divisibility and GCD, you know what $\gcd(a, n)$ means.

• Completion of 04b: Extended Euclidean Algorithm, you know that $a$ has a modular inverse iff $\gcd(a, n) = 1$.

• From 01e: Subgroups and Lagrange, element orders must divide the group size.

From Inverses to Counting: What Is $\varphi(n)$?

In 04b, we discovered that $a$ has a multiplicative inverse modulo $n$ precisely when $\gcd(a, n) = 1$. The set of all such invertible elements forms the multiplicative group $(\mathbb{Z}/n\mathbb{Z})^*$.

A natural question: how big is this group? That is, how many integers in $\{1, 2, \ldots, n\}$ are coprime to $n$?

This count has a name: Euler's totient function, written $\varphi(n)$.

Euler's Totient Function: Definition

Let's compute it the hard way first, by listing and counting.

Common mistake: "$\varphi(n)$ counts numbers less than $n$." No! It counts numbers from 1 to $n$ that are coprime to $n$. For example, $\varphi(12) = 4$ (only $\{1, 5, 7, 11\}$ are coprime to 12), not 11.

Look at the table above. Notice anything about the prime values ($n = 2, 3, 5, 7, 11, 13, 17, 19$)?

Formulas for $\varphi(n)$

Rule 1: Primes

If $p$ is prime, then every integer from 1 to $p - 1$ is coprime to $p$ (nothing shares a factor with a prime except its own multiples). So:

Rule 2: Prime powers

For $p^k$, the only integers in $\{1, \ldots, p^k\}$ that are not coprime to $p^k$ are the multiples of $p$: there are $p^{k-1}$ of them. So:

Rule 3: Multiplicativity

When $\gcd(m, n) = 1$:

This follows from the Chinese Remainder Theorem (coming up in 04d).

Checkpoint: Before running the next cell, predict $\varphi(15)$.

$15 = 3 \times 5$ and $\gcd(3, 5) = 1$, so $\varphi(15) = \varphi(3) \cdot \varphi(5) = 2 \cdot 4 = \;$? Write your answer down, then verify.

The RSA Formula: $\varphi(pq) = (p-1)(q-1)$

This is the single most important application of $\varphi$. If $p$ and $q$ are distinct primes:

This works because $\gcd(p, q) = 1$ (distinct primes are always coprime), so the multiplicativity rule applies.

Crypto foreshadowing: RSA key generation picks two large primes $p, q$ and computes $n = pq$. The "secret" that makes RSA work is knowledge of $\varphi(n) = (p-1)(q-1)$. Anyone who knows $n$ but doesn't know $p$ and $q$ cannot efficiently compute $\varphi(n)$, and without $\varphi(n)$, they cannot find the decryption key. Factoring $n$ and computing $\varphi(n)$ are computationally equivalent problems.

Fermat's Little Theorem

Now we come to the power result. Fermat's Little Theorem (1640) says:

If $p$ is prime and $\gcd(a, p) = 1$, then $a^{p-1} \equiv 1 \pmod{p}$.

Equivalently: $a^p \equiv a \pmod{p}$ for all $a$ (even when $p \mid a$).

Why does this work? The multiplicative group $(\mathbb{Z}/p\mathbb{Z})^*$ has order $p - 1$. By Lagrange's theorem (01e), every element's order divides the group size. So $\text{ord}(a)$ divides $p - 1$, which means $a^{p-1} = a^{\text{ord}(a) \cdot k} = (a^{\text{ord}(a)})^k = 1^k = 1$.

Let's verify this experimentally.

Using Fermat to Simplify Large Powers

Remember our opening question? $3^{1{,}000{,}000} \bmod 7$.

Since $7$ is prime and $\gcd(3, 7) = 1$, Fermat tells us $3^6 \equiv 1 \pmod{7}$.

So we reduce the exponent modulo 6:

Euler's Theorem: The Generalization

Fermat's Little Theorem only works modulo a prime. Euler generalized it to any modulus:

If $\gcd(a, n) = 1$, then $a^{\varphi(n)} \equiv 1 \pmod{n}$.

When $n = p$ is prime, $\varphi(p) = p - 1$, and Euler's theorem reduces to Fermat's. But Euler's theorem works for composite $n$ too, and that's what RSA needs.

Why does this work? Same argument as before, now in the group $(\mathbb{Z}/n\mathbb{Z})^*$ of order $\varphi(n)$. By Lagrange's theorem, $\text{ord}(a)$ divides $\varphi(n) = |(\mathbb{Z}/n\mathbb{Z})^*|$, so $a^{\varphi(n)} \equiv 1$.

Checkpoint: Predict $2^{\varphi(15)} \bmod 15$ before running the next cell.

We computed $\varphi(15) = 8$ above, and $\gcd(2, 15) = 1$. So Euler says $2^8 \equiv \;$? $\pmod{15}$.

Common mistake: "$a^{\varphi(n)} \equiv 1 \pmod{n}$ for all $a$." No! The theorem requires $\gcd(a, n) = 1$. Look at $a = 3$ in the table above: $\gcd(3, 15) = 3 \neq 1$, so Euler's theorem does not apply, and indeed $3^8 \not\equiv 1 \pmod{15}$. The coprimality condition is essential.

Mass Verification: Euler's Theorem for Many $n$

One example is convincing. Hundreds are better. Let's verify $a^{\varphi(n)} \equiv 1 \pmod{n}$ for all coprime $a$ and many values of $n$.

Connection to Element Orders

In 01e, we learned that in a group of order $N$, every element's order divides $N$ (Lagrange's theorem). The group $(\mathbb{Z}/n\mathbb{Z})^*$ has order $\varphi(n)$. So:

This is exactly why Euler's theorem works: $a^{\varphi(n)} = a^{\text{ord}(a) \cdot k} = 1^k = 1$.

Some elements have order exactly $\varphi(n)$ (these are the generators of the group, recall 01d). Others have smaller orders, but those smaller orders still divide $\varphi(n)$.

Why RSA Decryption Works

Now for the payoff. RSA encryption uses a public key $(n, e)$ and a private key $d$ where:

This means $ed = 1 + k\varphi(n)$ for some integer $k$. Decryption raises the ciphertext $c = m^e \bmod n$ to the power $d$:

By Euler's theorem, $m^{\varphi(n)} \equiv 1 \pmod{n}$ (when $\gcd(m, n) = 1$). So:

Euler's theorem is the ENTIRE reason RSA decryption recovers the original message.

Let's see this in action.

Exercises

Exercise 1 (Worked): Computing $\varphi(n)$ from Prime Factorization

Compute $\varphi(360)$ using the prime factorization $360 = 2^3 \cdot 3^2 \cdot 5$.

Strategy: Use multiplicativity and the prime-power formula:

Exercise 2 (Guided): Fermat's Theorem as a Primality Hint

Fermat's Little Theorem says: if $p$ is prime, then $a^{p-1} \equiv 1 \pmod{p}$ for all $1 \leq a < p$.

What about the converse? If $a^{n-1} \equiv 1 \pmod{n}$ for some $a$, does that prove $n$ is prime? (Spoiler: no! These are called Carmichael numbers.)

Your task: test whether $n = 561$ passes the Fermat test for base $a = 2$, and then check if 561 is actually prime.

Exercise 3 (Independent): RSA by Hand

Carry out a complete mini-RSA by hand (with SageMath to check your work):

1. Let $p = 11$, $q = 23$. Compute $n$ and $\varphi(n)$.

2. Choose $e = 3$. Verify $\gcd(e, \varphi(n)) = 1$.

3. Find $d = e^{-1} \bmod \varphi(n)$ using the extended Euclidean algorithm (or inverse_mod).

4. Encrypt the message $m = 42$: compute $c = m^e \bmod n$.

5. Decrypt: compute $c^d \bmod n$ and verify you recover $m = 42$.

6. Explain which theorem guarantees that step 5 recovers $m$.

Summary

Next: The Chinese Remainder Theorem, another essential tool for RSA, and the reason $\varphi$ is multiplicative.