Why not just compute a^b and then take mod?

For large exponents (e.g., b = 10^1000), the number a^b has astronomically many digits — far more than any computer can store. The naive approach is completely impractical. The square-and-multiply algorithm keeps intermediate values small by reducing mod m at every multiplication step, never letting any number exceed m^2 in magnitude.

ⁿ

Modular Exponentiation Calculator

Square-and-Multiply · BigInt Support · RSA · Diffie-Hellman

Compute a^b mod m for arbitrarily large integers using the fast binary (right-to-left) algorithm. Full step-by-step table, binary visualization, and cryptographic applications.

Quick Examples

Base (a)

Exponent (b)

Modulus (m > 1)

a^b mod m

—

Final result

b in binary

—

binary representation

Squarings

—

⌊log₂ b⌋ steps

Multiplications

—

popcount(b) − 1

Binary Representation of b

Green = bit 1 (multiply & square). Gray = bit 0 (square only). LSB on left, MSB on right. Capped at 32 bits.

Algorithm Overview

...

Step-by-Step Squaring Table

Columns processed LSB to MSB of b. Green rows: bit = 1, multiplication applied to result. Gray rows: bit = 0, squaring only.

Step	Bit (LSB→MSB)	Current Base a^{2^k} mod m	Result	Operation

🔒

RSA Encryption & Decryption

Public-key cryptography via modular exponentiation

RSA encrypts a message M as C = M^e mod n using public key (e, n). Decryption recovers M as M = C^d mod n using private exponent d. Both operations are exactly modular exponentiation — fast square-and-multiply is what makes RSA practical.

Toy RSA example (p=11, q=13, n=143): φ(n) = (p-1)(q-1) = 10×12 = 120 Public exponent: e = 7 (gcd(7,120)=1) Private exponent: d = 103 (7×103 = 721 = 6×120+1 ≡ 1 mod 120) Encrypt M=2: C = 2^7 mod 143 = 128 Decrypt C=128: M = 128^103 mod 143 = 2 ✓

Try it: use Quick Example "2¹⁰³ mod 143 (toy RSA)" in the calculator.

🔑

Diffie-Hellman Key Exchange

Shared secret over insecure channel

Alice and Bob agree on a prime p and generator g. Alice computes A = g^a mod p and Bob computes B = g^b mod p. The shared key is K = g^ab mod p, which each party computes from the other's public value.

Example: p=23, g=5 Alice's secret a=6: A = 5^6 mod 23 = 8 Bob's secret b=15: B = 5^15 mod 23 = 19 Shared key (Alice): K = B^a mod p = 19^6 mod 23 = 2 Shared key (Bob): K = A^b mod p = 8^15 mod 23 = 2 ✓

Security: finding a from A = g^a mod p is the discrete logarithm problem — computationally hard for large p.

𝕧

Fermat Primality Test

Probabilistic prime detection using modular exponentiation

Fermat's little theorem: if p is prime and gcd(a, p) = 1, then a^p-1 ≡ 1 (mod p). A Fermat primality test checks this condition for several random bases. If any base gives a result other than 1, p is definitely composite. Fast modular exponentiation is what makes these tests feasible on large numbers.

Test p=17 for primality: Choose a=3: 3^16 mod 17 = 1 ✓ (consistent with prime) Choose a=5: 5^16 mod 17 = 1 ✓ (consistent with prime) Test p=15 (composite) with a=2: 2^14 mod 15 = 4 ≠ 1 → 15 is NOT prime ✓

What Is Modular Exponentiation?

Modular exponentiation is the calculation of a^b mod m — raising a base a to an exponent b and keeping only the remainder when divided by modulus m. This operation is a cornerstone of modern number theory and public-key cryptography. No matter how large a and b are, the result is always an integer in the range [0, m−1].

For example, 3⁶⁴⁴ mod 645 = 36. While the intermediate value 3⁶⁴⁴ is an astronomically large number (over 300 decimal digits), the answer is simply 36.

Why Naive Computation Fails

The straightforward approach — compute a^b first, then take the remainder — is completely impractical for large exponents. The number 2¹⁰⁰⁰ already has over 300 decimal digits. RSA uses exponents with thousands of bits, so the naive intermediate value would have more digits than atoms in the observable universe. No computer could store it, let alone compute it.

The key insight is that we can reduce modulo m after every single multiplication, keeping all intermediate values below m². Combining this with the square-and-multiply trick reduces O(b) multiplications to O(log b).

The Square-and-Multiply (Binary Exponentiation) Algorithm

The algorithm processes the binary representation of b from LSB (least significant bit) to MSB. At step k (corresponding to bit k of b):

Always square: compute base = base × base mod m (this accounts for the positional value 2^k)
If bit k = 1: also multiply result = result × base mod m (include this power in the product)
If bit k = 0: skip the multiplication (this power is not in the exponent)

The result accumulates only those powers of a whose corresponding bit in b is 1, exactly matching the binary decomposition b = ∑ b_k · 2^k.

O(log b) Complexity

The algorithm performs exactly ⌊log₂ b⌋ squarings and (popcount(b) − 1) multiplications, where popcount counts the number of 1-bits in b. Since both quantities are O(log b), the total number of modular multiplications is O(log b). Each multiplication involves numbers at most m² in size, requiring O((log m)²) bit operations. The overall bit complexity is O(log b × (log m)²).

For 2048-bit RSA parameters this means roughly 2000 multiplications of 2048-bit numbers — entirely feasible in milliseconds on any modern processor.

RSA Encryption and Decryption

RSA is the most widely deployed public-key cryptosystem. Key generation selects two large primes p and q, computes n = p × q, and chooses public exponent e coprime to φ(n) = (p−1)(q−1). The private exponent d = e⁻¹ mod φ(n) is computed by the Extended Euclidean Algorithm.

Encryption: C = M^e mod n
Decryption: M = C^d mod n

Both operations are pure modular exponentiation. The security of RSA depends on the fact that factoring n (and thus computing φ(n)) is computationally hard, even though encrypting and decrypting are fast.

Diffie-Hellman Key Exchange

Diffie-Hellman (1976) was the first practical public-key cryptographic protocol. Two parties agree publicly on a large prime p and a primitive root g. Each party selects a private random exponent and publishes their public value. The shared secret is g^ab mod p, computed by each party from the other's public value. An eavesdropper who sees both public values cannot compute the shared secret without solving the discrete logarithm problem — believed to be computationally hard for carefully chosen p and g.

Fermat's Little Theorem

Fermat's little theorem states: if p is prime and gcd(a, p) = 1, then a^p−1 ≡ 1 (mod p). This is a necessary condition for primality (though not sufficient — Carmichael numbers satisfy it for all bases while being composite). The Fermat primality test and the more reliable Miller-Rabin test both use modular exponentiation as their core computation.

Reference Table: Example Computations

a	b	m	a^b mod m	b in binary	Squarings
3	644	645	36	1010000100	9
2	10	1000	24	1010	3
7	256	13	9	100000000	8
2	103	143	2	1100111	6
5	6	23	8	110	2
123	456	789	699	111001000	8

Frequently Asked Questions

What is modular exponentiation?

Modular exponentiation is the computation of a^b mod m — raising a base a to an exponent b and taking the remainder when divided by m. The result is always in [0, m−1]. It is the central operation in RSA, Diffie-Hellman, ElGamal, and many primality tests.

Why not compute a^b and then take mod?

For large exponents (RSA uses 65537 or larger) the value a^b has millions of digits. No computer can store it. The square-and-multiply algorithm reduces mod m after every multiplication, keeping intermediate values below m², so all arithmetic stays tractable even for 4096-bit RSA keys.

How does the square-and-multiply algorithm work?

The algorithm scans the binary digits of b from LSB to MSB. At each step k: (1) square the current base mod m to get a^{2^k+1} mod m. (2) If bit k of b is 1, multiply the running result by the current base mod m. This exploits the binary decomposition b = ∑ b_k × 2^k, so a^b = ∏ a^{2^k} over all k where b_k = 1.

What is the time complexity of modular exponentiation?

The algorithm uses O(log b) modular multiplications — ⌊log₂ b⌋ squarings and at most ⌊log₂ b⌋ extra multiplications (one per 1-bit). Each multiplication on numbers < m costs O((log m)²) bit operations, giving total bit complexity O(log b × (log m)²). For 2048-bit b and m this is very fast, completing in milliseconds.

How is modular exponentiation used in RSA?

RSA encryption is C = M^e mod n and decryption is M = C^d mod n. Both are modular exponentiation. The exponents e and d are large integers (often 17 bits and 2048 bits respectively in real usage). The square-and-multiply algorithm is what makes these operations fast enough to be practical. Without it, RSA would be too slow to use.

What is Fermat's little theorem?

Fermat's little theorem states that if p is prime and gcd(a, p) = 1, then a^p−1 ≡ 1 (mod p). This means any base coprime to a prime p, raised to the (p−1)th power, gives 1 mod p. This is the foundation of the Fermat primality test and the RSA exponent choice: the public exponent e must be chosen so that e × d ≡ 1 mod φ(n), relying on Fermat's theorem for correctness.

What is the Diffie-Hellman key exchange?

Diffie-Hellman (DH) allows two parties to establish a shared secret over a public channel. Both agree on prime p and generator g. Alice sends A = g^a mod p, Bob sends B = g^b mod p. Both compute the shared key K = g^ab mod p (Alice as B^a mod p, Bob as A^b mod p). An attacker seeing A and B must solve the discrete logarithm to find a or b — a problem for which no efficient classical algorithm is known for properly chosen p.

Modular Exponentiation Calculator

Binary Representation of b

Algorithm Overview

Fermat's Little Theorem Check

Step-by-Step Squaring Table

RSA Encryption & Decryption

Diffie-Hellman Key Exchange

Fermat Primality Test

What Is Modular Exponentiation?

Why Naive Computation Fails

The Square-and-Multiply (Binary Exponentiation) Algorithm

O(log b) Complexity

RSA Encryption and Decryption

Diffie-Hellman Key Exchange

Fermat's Little Theorem

Reference Table: Example Computations

Frequently Asked Questions

Related Calculators