HOW RSA WORKS Let G = (Z/nZ) , and let a {0, ..., n 1} such that (a, n) = 1.

1. Then by the extended Euclidean algorithm we have that ar + ns = 1 for some r, s Z, and from this ar = sn + 1 so that ar 1(mod n). Consequently a G, and so by Lagranges theorem | a | divides |G| = (n), so that (n) = k o(a) for some k Z, where I have used the fact that o(a) = | a |. We have thus proved (Eulers theorem) whenever (a, n) = 1, that a(n) 1(mod n). Now let N N, M Z such that (M, N ) = 1, and d Z such that (d, (N )) = 1. If we have that M1 M d (mod N ) for some M1 N, and d is the (N )-modular inverse of d (that is, d d dd 1(mod (N ))) then observe that
d M1 M dd M 1+l(N ) (mod N ),

for some l Z, from which we see that

d M1 (M )(M (N ) )r (mod N )

M (1)r M (mod N ). The point is this: ones public key consists of the pair N, d whereas ones private key consists of the factorization N = pq into two distinct large primes. By the multiplicativity of we have that (N ) = (p)(q ) = (p 1)(q 1). The RSA encryption scheme enables any party with the public key N, d to send an encrypted message M by sending the number M d (mod N ), from which only parties with d (mod N ). Given the private key p, q can feasibly obtain d and consequently M M1 (p 1)(q 1) = (N ), one can quickly compute the unique inverse representative d {0, ..., (N ) 1} for which dd 1(mod (N )) using the extended Euclidean algorithm or simply by nding the rst j for which dj 1(mod (N )). Cracking RSA therefore entails either nding the prime factorization of N or computing the inverse mod (N ) of d.