Understanding RSA (Draft)

RSA is one of the first public-key encryption algorithms ever used. For this reason, it serves well as a pedagogical example for readers curious about cryptography.

In this post, I’ll explore the mathematical foundations of the system, with a focus on number theory.

Although this article leans toward the mathematical side, it’s written to invite coders and curious readers to engage with the concepts.

A basic understanding of arithmetic and modular arithmetic will be helpful. I'll link to external resources where appropriate, rather than covering every concept in depth.

For a more technical and programmer-oriented point of view, there are other resources out there. Here I've linked some basic implementations in JavaScript.

In mathematics, it's often useful to begin with simple cases to build intuition. For example, prime numbers can be understood at varying levels of complexity.

I’ll start with the most familiar definition, using basic examples to illustrate key ideas.

Another valuable habit is to revisit concepts multiple times. The more deeply you internalize them, the more naturally you’ll be able to apply them later on.

Let’s begin by understanding the system.

RSA relies on a pair of keys: one public, which can be shared openly, and one private, which must be kept secret by its owner.

The standard example involves Bob and Alice exchanging messages.
Since they want to encrypt their communication using RSA, each of them has such a key pair.

Confident in the system, Alice wants to send a message to Bob. She uses Bob’s public key to encrypt the message.

At this point, Bob (and Bob only) can decrypt the message using his private key.

The security of this system relies on the fact that Bob's private key is known only to him.

Using this private key, Bob can decrypt messages that were encrypted with his corresponding public key through a fascinating mathematical process based on modular arithmetic.

Key Generation

Generating such public/private key pairs involves fundamental number theory concepts, particularly prime numbers.
You may recall that a prime number is a positive integer greater than 1, divisible only by 1 and itself.

Example: Prime

$3$ and $7$ are prime numbers, while $21$ is not. It can be expressed as a product of primes: $3 \times 7$ .

Prime numbers are the atoms of the integers. Every positive integer can be constructed as a product of primes (factorization).

Example: Prime factorization

$21 = 7 \times 3$ or $3 \times 7$

This is formalized in a famous result known as the Fundamental Theorem of Arithmetic, or Unique Factorization Theorem (UFT).

Theorem: Unique Factorization Theorem

Every positive integer can be uniquely factorized (up to ordering) into its prime factors.

Remark

Notice that 1 is not included in the theorem’s statement, as it can be seen as a product of no primes.

Another example of prime factorization:

Example: Prime factorization

$6615 = 3^3 \times 7^2 \times 5$

Now let’s return to RSA and the key generation process.
Bob can generate a pair of keys using the following steps:

Definition: RSA Key Generation

Choose two primes: $p$ and $q$
Compute $n = p \times q$
Compute $\phi(n) = (p − 1)(q − 1)$
Choose $e$ such that $1 < e < \phi(n)$ where $e$ is coprime to $\phi(n)$ ( $gcd(e, \phi(n)) = 1$ )
Find $d$ such that $e \times d \equiv 1 \pmod{\phi(n)}$
The public key is $(e, n)$ ; the private key consists of $(d, p, q)$

Some of these steps rely on concepts we haven’t yet defined.
Let’s walk through them one by one.

Step 1: Choose two primes

Bob first chooses two distinct prime numbers: $p$ and $q$ .

These primes should be large enough (at least 20 digits) to ensure the system’s security.
It is notoriously difficult to factor the product of two large primes and this is the basis of RSA’s strength.

Step 2: Compute $n = p \times q$

This is straightforward.

Step 3: Compute $\phi(n) = (p − 1)(q − 1)$

Here we introduce $\phi(n)$ , the Euler's totient function.

Definition: Euler's Totient Function

Given a positive integer $n$ , the totient function $\phi(n)$ counts the number of integers from $0$ to $n - 1$ that are coprime to $n$ . By convention, $\phi(1) = 1$ .

Example

$\phi(12) = 4$ because the integers $1, 5, 7$ , and $11$ are coprime to $12$ .

But what does “coprime” mean?

Two positive integers are coprime if they have no common prime factors other than 1.

In particular, if $n$ is a prime number, then $\phi(n) = n - 1$ . Why?

It also follows that when $p$ and $q$ are coprime (distinct primes are coprime) $\phi(n) = (p − 1)(q − 1)$ .

Note: computing $\phi(n)$ from just $n$ would require factoring $n$ , which is copmputationlly hard (recall step 1) if you don't know $p$ and $q$ .

Step 4: Choose $e$ such that $1 < e < \phi(n)$ where $e$ is coprime to $\phi(n)$ ( $gcd(e, \phi(n)) = 1$ )

Now Bob must choose an exponent $e$ .

It should satisfy:

$1 < e < \phi(n)$
$e$ is coprime to $\phi(n)$ or, algorithmically, $gcd(e, \phi(n)) = 1$

A common choice is $e = 2^{16} + 1$ (65,537); large enough for security, small enough for efficiency.

To check whether $e$ and $\phi(n)$ are coprime, Bob can use the greatest common divisor (gcd).

Definition: GCD

The greatest common divisor of two integers is the largest positive integer that divides both numbers without leaving a remainder.

Example: GCD

The gcd of $12$ and $15$ is $3$ , since it divides both without a remainder.

To compute the gcd, Bob can use the Euclidean algorithm, one of the oldest known algorithms (from Elements, c. 300 BC). The algorithm is based on the following principle:

Theorem

If $a \neq 0$ and $b = aq + r$ for some $q$ and $r$ , then $\gcd(a, b) = \gcd(a, r)$

It's extremely easy top write the algorithm in javascript:

Let $a$ and $b$ be two positive integers (swap if $b > a$ )
If $b = 0$ , then $\gcd(a, b) = a$
Otherwise, replace $a$ with $b$ , and $b$ with $r$
Repeat until $b = 0$

$r$ is the reminder computed using javascript remainder operator %. The last non-zero remainder is the gcd.

function gcd(a, b) {
  return b === 0 ? a : gcd(b, a % b);
}

Notice the nice recursion! Now, Bob can algorithmically determine whether two integers are coprime:

Definition: Coprime

Two integers are coprime if their greatest common divisor (gcd) is 1.

Example: Coprime

The integers 8 and 15 are coprime because their gcd is 1.

Step 5: Find $d$ such that $e \times d \equiv 1 \pmod{\phi(n)}$

The equation $e \times d = 1 \mod \phi(n)$ must be read as $e \times d$ is congruent $1$ modulo $\phi(n)$ .

We now delve into modular arithmetic, starting with its foundation: modular congruence.

Definition: Modular Congruence

Let $a$ and $b$ be integers, and let $m$ be a positive integer. We say that $a$ is congruent to $b$ modulo $m$ (written as $a \equiv b \pmod m$ ), if there exists an integer $k$ such that: $a = b + km$ .

Nothe: $b$ is the remainder when dividing $a$ by $m$ .

JavaScript doesn’t have a true mod operator, only a remainder operator %, which behaves slightly differently for negative numbers.
(See this StackOverflow post).

There is anyway a proposal.

Now, the equation

e \times d \equiv 1 \pmod{\phi(n)}

can be rewritten as:

d \equiv e^{-1} \pmod{\phi(n)}

That is: $d$ is the modular inverse of $e$ modulo $\phi(n)$ .

Such a modular inverse exists only if $e$ and $\phi(n)$ are coprime (and by step 4 they are).

To compute $d$ , Bob can use the Extended Euclidean Algorithm, a standard method for finding modular inverses.

Here’s a nice explanation
Or see this one on Brilliant

For theoretical reasons, I'll introduce a more elegant method based on Euler's Theorem, which provides deeper insight into why RSA encryption\decription works so smootlhy.

Theorem: Euler's Theorem

Let $m$ be a positive integer. For any integer $a$ that is coprime to $m$ , we have:

a^{ \phi(m) } \equiv 1 \pmod m

Since Bob knows $\phi(n)$ , he can use Euler's Theorem to compute $e^{-1}$ :

e^{\phi(n)} \equiv 1 \pmod n

This implies:

e^{\phi(n) - 1} \equiv e^{-1} \pmod n

So Bob can compute:

d = e^{\phi(n) - 1} \pmod{\phi(n)}

to obtain the modular inverse.

$e^{\phi(n) - 1}$ is calculated through the fast exponentiation algorithm (also known as exponentiation by squaring or binary exponentiation)

Encryption/Decritpion

Encryption

Now Bob have already shared his public-key $(e,n)$ to Alice.

Alice will be able to send a message to Bob in the following way:

She converts the message into a series of chuncks, each of wich is represented by an integer $m$ ranging from $1$ to $n$
To encrypt each chunk $c$ , she compute $c = m^{e} \pmod n$

Decritpion

Bob can decrypt each received chunk using the formula:

c^d \pmod n = (m^e)^d \pmod n = m^{de} \pmod n

Remember that $d$ is the modular inverse ( $e^{-1}$ ) of $e$ . Thus $de \equiv 1 \pmod{\phi(n)}$ , and the equation becomes:

m^{de} \pmod n = m^{1 \pmod {\phi(n)}} \pmod n

By definition of modular congruence, $1 \pmod {\phi(n)}$ can be written as $1 + k \times \phi(n)$ for some $k$ :

m^{1 \pmod {\phi(n)}} \pmod n = m^{1 + k \times \phi(n)} \pmod n

Using the power properties:

m^{1 + k \times \phi(n)} \pmod n = m^1*m^{k*\phi(n)} \pmod n= m*(m^{\phi(n)})^k \pmod n

We introduced Euler's Theorem for a reason. In fact, in number theory it's used every time when dealing with powers as it simplifies the problem significantly. Euler tells us that $m^{\phi(n)} = 1 \pmod n$ , thus:

m*(m^{\phi(n)})^k \pmod n = m*(1)^k \pmod n = m \pmod n

Thus for Bob, recovering the message for each chunk $c$ will simply evaluate to:

c^d \pmod n = m \pmod n

Exercise: Rewrite the encryption and decryption process by yourself, focusing only on one chunk as explained.

Conclusion

I hope to have explained the theoretical part of RSA for generating keys and encryption/decryption. For users encountering this concept for the first time, it will certainly be overwhelming and that's normal. Hopefully, you can come back to this while learning the basic concepts.