RSA (step-by-step)

This module demonstrates step-by-step encryption or decryption with the RSA method. The sender uses the public key of the recipient for encryption; the recipient uses his associated private key to decrypt.

Prime factors

The security of RSA is based on the fact that it is easy to calculate the product n of two large primes p and q. However, it is very difficult to determine only from the product n the two primes that yield the product. This decomposition is also called the factorization of n.

As a starting point for RSA choose two primes p and q.

p is not prime!
q is not prime!
p and q are not different!

For the algorithm to work, the two primes must be different.

For demonstration we start with small primes. To make the factorization difficult, the primes must be much larger. Currently, values of n with several thousand binary digits are used for secure communication.

( Bit)

Public key

The product n is also called module in the RSA method. The public key consists of the module n and an exponent e.

e and n have a common divisor.

This e may even be pre-selected and the same for all participants.

Secret key

RSA uses the Euler φ function of n to calculate the secret key. This is defined as

Here it is used that p and q are different. Otherwise, the φ function would calculate differently.

It is important for RSA that the value of the φ function is coprime to e (the largest common divisor must be 1).

To determine the value of φ(n), it is not enough to know n. Only with the knowledge of p and q we can efficiently determine φ(n).

The secret key also consists of n and a d with the property that e × d is a multiple of φ(n) plus one.

Expressed in formulas, the following must apply:

e × d = 1 (mod φ(n))

In this case, the mod expression means equality with regard to a residual class. It is x = y (mod z) if and only if there is an integer a with xy = z × a.

For the chosen values of p, q, and e, we get d as:

This d can always be determined (if e was chosen with the restriction described above)—for example with the extended Euclidean algorithm.

Encryption and decryption

Internally, this method works only with numbers (no text), which are between 0 and n.

Encrypting a message m (number) with the public key (n, e) is calculated:

m' := me (mod n)

Decrypting with the private key (n, d) is done analogously with

m'' := m'd (mod n).

This is

m'' = me × d (mod n).

RSA now exploits the property that

xa = xb (mod n)


a = b (mod φ(n))

As e and d were chosen appropriately, it is

m'' = m.

The order does not matter. You could also first raise a message with the private key, and then power up the result with the public key—this is what you use with RSA signatures.


In the following two text boxes, you can see how the encryption and decryption works for concrete input (numbers).

Plaintext number too big. The maximum value is . Please choose bigger primes.
Ciphertext number too big. The maximum value is . Please choose bigger primes.

Used library

This page uses the library BigInteger.js to work with big numbers.

As a result, you can calculate arbitrarily large numbers in JavaScript, even those that are actually used in RSA applications.

CTOAUTHORS: Timm Knape (thanks to Bernhard Esslinger for the review)

The security of RSA is based on the fact that it is not possible at present to factorize the product of two large primes in a reasonable time. However, this is only a reasonable assumption, but no certain knowledge: So far, there is no known fast method. We do not know if factoring is at least as severe as other severe problems, and whether it is NP-complete.

Attack with quantum computers

Due to the principle, a quantum computer with a sufficient number of entangled quantum bits (Qbits) can quickly perform a factorization because it can simultaneously test every possible factor simultaneously. So far, however, there is no known quantum computer, which has just an approximately large computing capacity. Thus, effective quantum computers are currently a myth that will probably not be ready for production in the next few years. However, factoring may be over in 20 years and RSA loses its security.

Size of prime factors

The larger the prime factors are, the longer actual algorithms will take and the more Qbits will be needed in future quantum computers. At the moment, the product should consist of at least 4096 binary digits to be secure. 

Reuse of primes

Prime numbers may not be reused! If you have two products each consisting of two primes and you know that one of the primes used is the same, then this shared prime can be determined quickly with the Euclidean algorithm. And by dividing the products by this shared prime, one obtains the other prime number.

Early implementations of RSA made this mistake to reduce the time it takes to find a prime number. Also on resource-constrained devices it came in recent times due to lack of entropy. Current implementations should not commit this error anymore.

Choice of primes

Basically, the primes have to be selected randomly enough. If only n/2-bit numbers are used for an n-bit number, this considerably reduces the search space for attackers. However, neither of the two primes may be too small to avoid an early hit via a brute-force attack with all primes. A clever choice between the two extremes is necessary and not trivial. The two primes should not be too close to each other, but also not too far apart.

Other great implementations of RSA in the browser

This let the user see how (N, e, d) can be chosen (like we do here too), but also translates text messages into numbers.

Here you can input the message as text (it is assumed the user already has chosen N, e, and d).

Both are from 2012, use no arbitrary long-number library (but pure JavaScript), and look didactically very well.