
I have a follow-up question about the extended Euclidean algorithm, as applied to RSA key generation, described in this answer.

Let us say we have $p=5$, $q=11$ and $e=17$, so that $N=55$ and $φ(N)=40$.

We can verify that $\gcd(e, φ(N)) = 1$, so $e$ is a valid encryption exponent.

Now the answer says we should use the extended Euclidean algorithm to find $x$ and $y$ such that $e \cdot x + φ(N) \cdot y = 1$, so that $e \cdot x \equiv 1 \pmod{φ(N)}$, and then let the decryption exponent be $d = x$.

By applying the extended Euclidean algorithm, we find that $x = -7$.

My first question is, how come $17 \cdot (-7) \equiv 1 \pmod{φ(N)}$?

Also, in the answer I linked to above, it says:

"The value of $y$ does not actually matter, since it will get eliminated modulo $φ(n)$ regardless of its value. The EED will give you that value, but you can safely discard it."

I'm not sure what this is supposed to mean. Could someone please explain it more clearly?

1 Answer


By definition of the notation $a\equiv b\pmod c$, this means $a-b$ is a multiple of $c>0$. Therefore, $17\cdot-7\equiv1\pmod{\varphi(N)}$ means that $(17\cdot-7)-1$ is a multiple of $\varphi(N)$.

Thus the answer to: "how come $17\cdot-7\equiv1\pmod{\varphi(N)}$" is just: because $(17\cdot-7)-1$ is $-120$, which is a multiple of $\varphi(N)=40$.

Addition trying to answer the question in the title: when you found $x$ and $y$ such that $e\cdot x+\varphi(N)\cdot y=1$ using the extended Euclidean algorithm, that implies $e\cdot x-1$ is a multiple of $\varphi(N)$, thus you have an $x$ with $e\cdot x\equiv1\pmod{\varphi(N)}$, irrespective of $y$.


Now how does it relate to choosing the private exponent in RSA?

Well you can use $d=-7$, it will work, but numerically computing $x^d\bmod N$ will require computing a modular inverse modulo $N$, and raising to the power $7$ modulo $N$ (in any order).

Or you can use that $-7\equiv33\pmod{\varphi(N)}$ and select $d=33$, obtained as $-7+40$; that would be a common $d$. More generally, any $d=x+k\cdot\varphi(N)$ will do from a mathematical standpoint (yet it is most common to restrict to $1<d<N$).

Or you can use $d=13$, which is the smallest positive private exponent possible, obtained by inverting $e$ modulo $\lambda(N)=\operatorname{lcm}(p-1,q-1)=20$ using the extended Euclidean algorithm and keeping the smallest positive representative; that's also common, and can save a little work: raising to power $13$ can be done with $5$ multiplications, rather than $6$ multiplications for power $33$.

fgrieu
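The computation discussed in the question and answer above, carried through for $p=5$, $q=11$, $e=17$, as an added example that is not part of either post. The function names `egcd`, `private_exponents` and `roundtrips` are assumptions made for this illustration; the negative-exponent `pow` needs Python 3.8 or later.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def private_exponents(p, q, e):
    """Candidate private exponents d for a toy RSA key (not for real key sizes)."""
    phi = (p - 1) * (q - 1)
    lam = phi // gcd(p - 1, q - 1)        # lcm(p-1, q-1)
    g, x, y = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not invertible modulo phi(N)")
    assert e * x + phi * y == 1           # Bezout identity from the algorithm
    assert (e * x) % phi == 1             # the phi*y term vanishes modulo phi
    return {
        "x": x,                           # raw coefficient, may be negative
        "y": y,                           # discarded when choosing d
        "d_mod_phi": x % phi,             # x + k*phi, smallest positive value
        "d_mod_lambda": egcd(e, lam)[1] % lam,
    }

def roundtrips(p, q, e, d):
    """True if m -> m^e -> (m^e)^d returns m for every message tested."""
    n = p * q
    # A negative d needs the ciphertext to be invertible modulo N,
    # so in that case only messages coprime to N are tested.
    msgs = [m for m in range(n) if d > 0 or gcd(m, n) == 1]
    return all(pow(pow(m, e, n), d, n) == m for m in msgs)

if __name__ == "__main__":
    p, q, e = 5, 11, 17                   # values from the question
    print(private_exponents(p, q, e))
    for d in (-7, 33, 13):
        print(d, roundtrips(p, q, e, d))
```

With $d=-7$ the round trip holds only for messages coprime to $N$, because the modular inverse of the ciphertext must exist; $d=33$ and $d=13$ work for every residue modulo $55$.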