EX of RSA Algorithm

Example 1

A very simple example of RSA encryption

This is an extremely simple example using numbers you can work out on a pocket calculator (those of
you over the age of 35 can probably even do it by hand on paper).

1. Select primes p=11, q=3.

2. n = pq = 11.3 = 33
phi = (p-1)(q-1) = 10.2 = 20
3. Choose e=3
Check gcd(e, p-1) = gcd(3, 10) = 1 (i.e. 3 and 10 have no common factors except 1),
and check gcd(e, q-1) = gcd(3, 2) = 1
therefore gcd(e, phi) = gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1
4. Compute d such that ed ≡ 1 (mod phi)
i.e. compute d = e^-1 mod phi = 3^-1 mod 20
i.e. find a value for d such that phi divides (ed-1)
i.e. find d such that 20 divides 3d-1.
Simple testing (d = 1, 2, ...) gives d = 7
Check: ed-1 = 3.7 - 1 = 20, which is divisible by phi.
5. Public key = (n, e) = (33, 3)
Private key = (n, d) = (33, 7).

This is actually the smallest possible value for the modulus n for which the RSA algorithm works.

Now say we want to encrypt the message m = 7,

c = m^e mod n = 7^3 mod 33 = 343 mod 33 = 13.
Hence the ciphertext c = 13.

To check decryption we compute

m' = c^d mod n = 13^7 mod 33 = 7.
Note that we don't have to calculate the full value of 13 to the power 7 here. We can make use of the fact
that a = bc mod n = (b mod n).(c mod n) mod n so we can break down a potentially large number into its
components and combine the results of easier, smaller calculations to calculate the final value.

One way of calculating m' is as follows:-

m' = 13^7 mod 33 = 13^(3+3+1) mod 33 = 13^3.13^3.13 mod 33
= (13^3 mod 33).(13^3 mod 33).(13 mod 33) mod 33
= (2197 mod 33).(2197 mod 33).(13 mod 33) mod 33
= 19.19.13 mod 33 = 4693 mod 33
= 7.

Now if we calculate the ciphertext c for all the possible values of m (0 to 32), we get

m 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
c 0 1 8 27 31 26 18 13 17 3 10 11 12 19 5 9 4

m 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
c 29 24 28 14 21 22 23 30 16 20 15 7 2 6 25 32
Note that all 33 values of m (0 to 32) map to a unique code c in the same range in a sort of random
manner. In this case we have nine values of m that map to the same value of c - these are known as
unconcealed messages. m = 0 and 1 will always do this for any N, no matter how large. But in practice,
higher values shouldn't be a problem when we use large values for N.

If we wanted to use this system to keep secrets, we could let A=2, B=3, ..., Z=27. (We specifically avoid
0 and 1 here for the reason given above). Thus the plaintext message "HELLOWORLD" would be
represented by the set of integers m1, m2, ...

{9,6,13,13,16,24,16,19,13,5}
Using our table above, we obtain ciphertext integers c1, c2, ...
{3,18,19,19,4,30,4,28,19,26}
Note that this example is no more secure than using a simple Caesar substitution cipher, but it serves to
illustrate a simple example of the mechanics of RSA encryption.

Remember that calculating m^e mod n is easy, but calculating the inverse c^-e mod n is very difficult, well,
for large n's anyway. However, if we can factor n into its prime factors p and q, the solution becomes
easy again, even for large n's. Obviously, if we can get hold of the secret exponent d, the solution is
easy, too.

Example 2

This time, to make life slightly less easy for those who can crack simple Caesar substitution codes, we
will group the characters into blocks of three and compute a message representative integer for each
block.
ATTACKxATxSEVEN = ATT ACK XAT XSE VEN
In the same way that a decimal number can be represented as the sum of powers of ten, e.g.
135 = 1 x 10^2 + 3 x 10^1 + 5,
we could represent our blocks of three characters in base 26 using A=0, B=1, C=2, ..., Z=25

ATT = 0 x 26^2 + 19 x 26^1 + 19 = 513

ACK = 0 x 26^2 + 2 x 26^1 + 10 = 62
XAT = 23 x 26^2 + 0 x 26^1 + 19 = 15567
XSE = 23 x 26^2 + 18 x 26^1 + 4 = 16020
VEN = 21 x 26^2 + 4 x 26^1 + 13 = 14313

For this example, to keep things simple, we'll not worry about numbers and punctuation characters, or
what happens with groups AAA or AAB.

In this system of encoding, the maximum value of a group (ZZZ) would be 26^3-1 = 17575, so we require
a modulus n greater than this value.

1. We "generate" primes p=137 and q=131 (we cheat by looking for suitable primes around √n)
2. n = pq = 137.131 = 17947
phi = (p-1)(q-1) = 136.130 = 17680
3. Select e = 3
check gcd(e, p-1) = gcd(3, 136) = 1, OK and
check gcd(e, q-1) = gcd(3, 130) = 1, OK.
4. Compute d = e^-1 mod phi = 3^-1 mod 17680 = 11787.
5. Hence public key, (n, e) = (17947, 3) and private key (n, d) = (17947, 11787).
Question: Why couldn't we use e=17 here?

To encrypt the first integer that represents "ATT", we have

c = m^e mod n = 513^3 mod 17947 = 8363.
We can verify that our private key is valid by decrypting
m' = c^d mod n = 8363^11787 mod 17947 = 513.

Overall, our plaintext is represented by the set of integers m

{513, 62, 15567, 16020, 14313}
We compute corresponding ciphertext integers c = m^e mod n, (which is still possible by using a
calculator)
{8363, 5017, 11884, 9546, 13366}
You are welcome to compute the inverse of these ciphertext integers using m = c ^d mod n to verify that
the RSA algorithm still holds. However, this is now outside the realms of hand calculations unless you
are very patient.

To help you carry out these modular arithmetic calculations, download our free modular arithmetic
command line programs.

Note that this is still a very insecure example. Starting with the knowledge that the modulus 17947 is
probably derived from two prime numbers close to its square root, a little testing of suitable candidates
from a table of prime numbers would get you the answer pretty quickly. Or just work methodically through
the table of prime numbers dividing n by each value until you get no remainder. You could also write a
simple computer program to factor n that just divides by every odd number starting from 3 until it reaches
a number greater than the square root of n.

Example 3

Key Generation Encryption

C = Pe % n
1. Generate two large prime
numbers, p and q Decryption
2. Let n = pq P = Cd % n
3. Let m = (p-1)(q-1) x % y means the remainder of x
4. Choose a small number e, divided by y
coprime to m
5. Find d, such that de % m = 1

Publish e and n as the public key.

Keep d and n as the secret key.

The reasons why this algorithm works are discussed in the mathematics section. Its security comes from
the computational difficulty of factoring large numbers. To be secure, very large numbers must be used
for p and q - 100 decimal digits at the very least.

I'll now go through a simple worked example.

Key Generation
1) Generate two large prime numbers, p and q
To make the example easy to follow I am going to use small numbers, but this is not secure. To find
random primes, we start at a random number and go up ascending odd numbers until we find a prime.
Lets have:

p=7
q = 19

2) Let n = pq

n = 7 * 19
= 133

3) Let m = (p - 1)(q - 1)

m = (7 - 1)(19 - 1)
= 6 * 18
= 108

4) Choose a small number, e coprime to m

e coprime to m, means that the largest number that can exactly divide both e and m (their greatest
common divisor, or gcd) is 1. Euclid's algorithm is used to find the gcd of two numbers, but the details
are omitted here.

e = 2 => gcd(e, 108) = 2 (no)

e = 3 => gcd(e, 108) = 3 (no)
e = 4 => gcd(e, 108) = 4 (no)
e = 5 => gcd(e, 108) = 1 (yes!)

5) Find d, such that de % m = 1

This is equivalent to finding d which satisfies de = 1 + nm where n is any integer. We can rewrite this as
d = (1 + nm) / e. Now we work through values of n until an integer solution for e is found:

n = 0 => d = 1 / 5 (no)
n = 1 => d = 109 / 5 (no)
n = 2 => d = 217 / 5 (no)
n = 3 => d = 325 / 5
= 65 (yes!)

To do this with big numbers, a more sophisticated algorithm called extended Euclid must be used.

Public Key Secret Key

n = 133 n = 133
e=5 d = 65

Communication
Encryption

The message must be a number less than the smaller of p and q. However, at this point we don't know p
or q, so in practice a lower bound on p and q must be published. This can be somewhat below their true
value and so isn't a major security concern. For this example, lets use the message "6".

C = Pe % n
= 65 % 133
= 7776 % 133
= 62

Decryption

This works very much like encryption, but involves a larger exponation, which is broken down into
several steps.

P = Cd % n
= 6265 % 133
= 62 * 6264 % 133
= 62 * (622)32 % 133
= 62 * 384432 % 133
= 62 * (3844 % 133)32 % 133
= 62 * 12032 % 133

We now repeat the sequence of operations that reduced 6265 to 12032 to reduce the exponent down to 1.

= 62 * 3616 % 133
= 62 * 998 % 133
= 62 * 924 % 133
= 62 * 852 % 133
= 62 * 43 % 133
= 2666 % 133
=6

Example 4

()

RSA Key Generation

From two selected primes the computer will generate the public and the private key:
Pick 2 (different) primes: p = q=
n= (n = p.q)
 φ= (φ = φ(n) = (p-1).(q-1); needed to determine e and d)
e= (arbitrary, but less than n and relatively prime to φ)
d= (inverse of e modulo φ: e.d mod φ = 1)

From these numbers the keys are composed:

• the public key is the pair (e,n).

• the private key is the pair (d,n).

Only the public key (e,n) is published; all the other numbers involved (p,q,φ,d) must be kept private! The
main property of this construction is that it is 'difficult' to compute d just from the numbers e and n
('difficult' in the sense that the computation is more and more time-consuming the larger numbers are
involved). More precisely:

• It is 'difficult' to compute d without knowing φ.

• It is 'difficult' to factorize n into p.q (which is needed for computing φ).

RSA Encryption
First of all we need the public key of the person to whom we want to send the message:
(e,n) = ( , ) (Enter appropriate values or )

Next we need the message. For simplicity let us demonstrate this here with just one letter. (In secure
applications letters are never encrypted individually, but in whole blocks.)
Pick a letter to cipher:
Before we can encrypt this letter we must :
m= (here we take just the index in the alphabet)

itself is very simple: m' = (m' = me mod n)

The value m' is the encrypted message sent to the receiver.

RSA Decryption
First of all we need the private key of the person who got the encrypted message:
(d,n) = ( , ) (Enter appropriate values or )

Next we need the encrypted message:

m' = (Enter an appropriate value or )

again is very simple: m = (m = m'd mod n)

The should match with the above chosen letter:

Example 4

Pick 2 (different) primes: p = q=

n= (n = p.q)
φ= (φ = φ(n) = (p-1).(q-1); needed to determine e and d)
e= (arbitrary, but less than n and relatively prime to φ)
d= (inverse of e modulo φ: e.d mod φ = 1)

From these numbers the keys are composed:

• the public key is the pair (e,n).

• the private key is the pair (d,n).

Only the public key (e,n) is published; all the other numbers involved (p,q,φ,d) must be kept private! The
main property of this construction is that it is 'difficult' to compute d just from the numbers e and n
('difficult' in the sense that the computation is more and more time-consuming the larger numbers are
involved). More precisely:

• It is 'difficult' to compute d without knowing φ.

• It is 'difficult' to factorize n into p.q (which is needed for computing φ).

RSA Encryption
First of all we need the public key of the person to whom we want to send the message:
(e,n) = ( , ) (Enter appropriate values or )

Next we need the message. For simplicity let us demonstrate this here with just one letter. (In secure
applications letters are never encrypted individually, but in whole blocks.)
Pick a letter to cipher:
Before we can encrypt this letter we must :
m= (here we take just the index in the alphabet)

itself is very simple: m' = (m' = me mod n)

The value m' is the encrypted message sent to the receiver.

RSA Decryption
First of all we need the private key of the person who got the encrypted message:
(d,n) = ( , ) (Enter appropriate values or )

Next we need the encrypted message:

m' = (Enter an appropriate value or )
again is very simple: m = (m = m'd mod n)

The should match with the above chosen letter:

Example 5

Example

Suppose we wish to encode the plaintext message Pi = 3 (that is, under our encoding some letter has
been assigned the numerical value 3) subject to our choices of p=11, q=17 (thus, n=187) and E=7 (note
that 7 is relatively prime to 187.) Then the ciphertext Ci is given by

Ci = 37 = 2187 130 mod(187).

Thus the receiver must decode the message Ci = 130. To decode this "message" the receiver must
calculate the exponent D. [Note that in this example the factorization of n is relatively easy, so someone
could break the code by factoring n and calculating D. However, in practice, we could choose n large so
that only we would (theoretically) know the factorization.]

Since n = 11 · 17, then , and [WARNING!

WARNING! Will Robinson.] Thus we obtain

Example 6

Calculate 763 mod(160).

D=23. Note that this is somewhat of a non-trivial calculation. For a given calculation the exponent may be
quite large (this is a problem we will also face when doing the decryption process.) However, using the
modulus and writing the exponent in powers of 2, as we did here, can greatly speed this calculation.

Example 7

Why was there a warning in the previous example? If you have been closely examining what has taken
place in the RSA algorithm you may have noticed that although we know the factorization of n (since we
choose the prime factors p and q) and hence , we may not have an easy time
determing , which requires us to know all the factors of what could be a
very large number. This seems to contradict the polynomial time needed to solve for the key. The
solution is (and is a key -- unintentional pun -- element of the RSA algorithm) that the formula for D,
although concise, is not the way the solution is found in practice. The actual method of solution (which
does require polynomial time computation) is based on the Euclidean algorithm.

Returning to our previous example, recall that we want to solve

By our choice of E, 7 and 160 are relatively prime, and thus

using the Euclidean algorithm. Working in reverse gives

In algebraic terms, we say we have written 1 as a linear combination of 7 and 160. Since 160 is the
modulus, we have

Hence D=23! Thus the real key to the solution of D is knowing which requires the knowledge of the
factorization of n since .

Example. 8
Theory :

1. Choose two large random prime numbers and

2. Compute
o is used as the modulus for both the public and private keys
3. Compute the totient: .
4. Choose an integer such that 1 < < , and is coprime to ie: and share no
factors other than 1; gcd( , ) = 1.
o is released as the the public key exponent
5. Compute to satisfy the congruence relation ie: for
some integer .
o is kept as the private key exponent

example

Here is an example of RSA encryption and decryption. The parameters used here are artificially small,
but you can also use OpenSSL to generate and examine a real keypair.

1. Choose two prime numbers

p = 61 and q = 53
 2. Compute

n = 61 * 53 = 3233

3. Compute the totient

φ(n) = (61 − 1)(53 − 1) = 3120

4. Choose e > 1 coprime to 3120

e = 17

5. Choose to satisfy

d = 2753
17 * 2753 = 46801 = 1 + 15 * 3120.

The public key is (n = 3233, e = 17). For a padded message the encryption function is:

The private key is (n = 3233, d = 2753). The decryption function is:

For example, to encrypt m = 123, we calculate

To decrypt c = 855, we calculate