
In this thread Henrick Hellström says that when $ed \equiv 1\ (mod\ \phi(n))$ then $(m^e)^d \equiv m\ (mod\ n)$. So I thought this is how Euler's theorem is related to RSA. But at least I thought that due to Euler's theorem the prerequisite for $(m^e)^d \equiv m\ (mod\ n)$ was $ed \equiv 1\ (mod\ \phi(n))$, until I read the comments of the answer and @poncho says that

Minor nit: it's not true that e,d must meet (satisfy) the equation $ed \equiv 1\ (mod\ \phi(n))$. One counterexample is $n=133, e=5, d=11$. That has $ed \equiv 55\ (mod\ \phi(n)=108)$, however $(m^e)^d \equiv m\ (mod\ n)$ for all m. This is a minor point, however we should avoid telling beginners things which aren't true.

So $ed \equiv 1\ (mod\ \phi(n))$ doesn't need to be true in order for $(m^e)^d \equiv m\ (mod\ n)$ to work. At this point I am really confused about the relation between Euler's theorem and RSA, and why we need $gcd(e,d)=1$.

EDIT: Also this website says that $(m^e)^d \equiv m^{\phi(n)}\ (mod\ n)$. How could this be true? Wouldn't this imply that $ed =\phi(n)$?

AleksanderCH
Uzi

1 Answer

I thought that Euler's theorem basically proved that, for $(m^e)^d \equiv m \pmod n$ to work, $ed \equiv 1 \pmod {\phi(n)}$ must be true

No; a direct application of Euler's theorem shows that if $ed \equiv 1 \pmod {\phi(n)}$ is true (and $\gcd(m,n)=1$, Euler's theorem needs that as well), then we always have $(m^e)^d \equiv m \pmod n$.

However, it does not imply the converse (and in fact, the converse is not true).

A stronger statement would be (assuming $n = pq$ for distinct primes $p, q$) that if $ed \equiv 1 \pmod{ p - 1}$ and $ed \equiv 1 \pmod{ q - 1}$, then we have $(m^e)^d \equiv m \pmod n$ for all $m$.

And, in this case, the converse is true; if we have $(m^e)^d \equiv m \pmod n$ for all $m$, then we necessarily have $ed \equiv 1 \pmod{ p - 1}$ and $ed \equiv 1 \pmod{ q - 1}$. In fact, if we have either $ed \not\equiv 1 \pmod{ p - 1}$ or $ed \not\equiv 1 \pmod{ q - 1}$, then we'll necessarily have $(m^e)^d \not\equiv m \pmod n$ for at least 1/3 of the possible $m$ values.

Another (perhaps more common) way of writing these two equivalences is to express it as $ed \equiv 1 \pmod{ \lambda(n) }$ for the function $\lambda(n) = \text{lcm}(p-1, q-1)$.

How do these stronger statements relate to your original relation? Well, if we have $ed \equiv 1 \pmod{\phi(n)}$, then we necessarily have $ed \equiv 1 \pmod{\lambda(n)}$ (and hence RSA "works").

poncho
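The claims in the answer above are small enough to check exhaustively. The following is an added example (not code from the original thread or from poncho) that, for a toy modulus $n = pq$, computes $\phi(n)$ and $\lambda(n) = \mathrm{lcm}(p-1, q-1)$, tests whether $(m^e)^d \equiv m \pmod n$ holds for every $m$ in $0..n-1$, and measures what fraction of $m$ fail when it does not. The function names (`phi_and_lambda`, `rsa_roundtrip_ok`, `failure_fraction`, `smallest_working_d`, `check`) are this example's own. It is driven with the counterexample from the question, $n = 133 = 7 \cdot 19$, $e = 5$, $d = 11$, where $ed = 55 \not\equiv 1 \pmod{108}$ but $55 \equiv 1 \pmod{18}$; exhaustive testing is only feasible because $n$ is tiny.

```python
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def phi_and_lambda(p: int, q: int) -> tuple[int, int]:
    """Euler's totient and Carmichael's lambda for n = p*q, p != q prime."""
    return (p - 1) * (q - 1), lcm(p - 1, q - 1)


def rsa_roundtrip_ok(n: int, e: int, d: int) -> bool:
    """True iff (m^e)^d == m (mod n) for every m in 0..n-1.

    Exhaustive, so only usable for toy-sized n; it deliberately includes the
    m that are not coprime to n, which Euler's theorem alone does not cover.
    """
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))


def failure_fraction(n: int, e: int, d: int) -> float:
    """Fraction of m in 0..n-1 for which decryption does NOT recover m."""
    fails = sum(1 for m in range(n) if pow(pow(m, e, n), d, n) != m)
    return fails / n


def smallest_working_d(p: int, q: int, e: int) -> int:
    """The least positive d with e*d == 1 (mod lambda(n)).

    Any d congruent to this one mod lambda(n) also works, including the
    "textbook" d = e^-1 mod phi(n).
    """
    _, lam = phi_and_lambda(p, q)
    return pow(e, -1, lam)  # Python 3.8+ modular inverse


def check(p: int, q: int, e: int, d: int) -> dict:
    """Summarise ed modulo phi(n) and lambda(n) against the observed behaviour."""
    n = p * q
    phi, lam = phi_and_lambda(p, q)
    return {
        "n": n,
        "phi": phi,
        "lambda": lam,
        "ed_mod_phi": (e * d) % phi,
        "ed_mod_lambda": (e * d) % lam,
        "works_for_all_m": rsa_roundtrip_ok(n, e, d),
        "failure_fraction": failure_fraction(n, e, d),
    }


if __name__ == "__main__":
    # The counterexample from the question: ed = 55 is 1 mod lambda(n) = 18
    # but not 1 mod phi(n) = 108, and decryption still works for every m.
    print(check(7, 19, 5, 11))
    # The textbook d = 5^-1 mod 108 = 65; 65 = 11 mod 18, so it agrees with
    # the counterexample modulo lambda(n).
    print(check(7, 19, 5, 65), smallest_working_d(7, 19, 5))
    # A d with ed = 1 mod (p-1) = 6 but ed != 1 mod (q-1) = 18: decryption
    # fails for a large fraction of m (the answer guarantees at least 1/3).
    print(check(7, 19, 5, 5))
```

The third case shows the converse in the answer: with $d = 5$, $ed = 25 \equiv 1 \pmod 6$ but $25 \equiv 7 \pmod{18}$, so modulo 19 only the $m$ with $m^6 \equiv 1$ (six of them) plus $m = 0$ survive the round trip, and the failure fraction is $12/19$, well above the $1/3$ bound stated in the answer.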