Did you know?

## RSA (step-by-step)

This module demonstrates step-by-step encryption and decryption with the RSA method. The sender uses the public key of the recipient for encryption; the recipient uses his associated private key to decrypt.

## Primes

The security of RSA is based on the fact that it is easy to calculate the product n of two large primes p and q. However, it is very difficult to determine only from the product n the two primes that yield the product. This decomposition is also called the factorization of n.

As a starting point for RSA choose two primes p and q.

For the algorithm to work, the two primes must be different.

## Public key

The product n is also called modulus in the RSA method.

n = p × q = ( bit)

For demonstration we start with small primes. To make the factorization difficult, the primes must be much larger. Currently, values of n with several thousand binary digits are used for secure communication.

The public key consists of the modulus n and an exponent e.

e and φ(n) have a common divisor, they are not coprime.

This e may even be pre-selected and the same for all participants.

## Secret key

RSA uses the Euler φ function of n to calculate the secret key. This is defined as

φ(n) = (p − 1) × (q − 1) =

The prerequisit here is that p and q are different. Otherwise, the φ function would be calculated differently.

It is important for RSA that the value of the φ function is coprime to e (the largest common divisor must be 1).

gcd(e, φ(n)) =

To determine the value of φ(n), it is not enough to know n. Only with the knowledge of p and q we can efficiently determine φ(n).

The secret key also consists of a d with the property that e × d − 1 is a multiple of φ(n).

Expressed in formulas, the following must apply:

e × d = 1 (mod φ(n))

In this case, the mod expression means equality with regard to a residual class. It is x = y (mod z) if and only if there is an integer a with xy = z × a.

For the chosen values of p, q, and e, we get d as:

d =

This d can always be determined (if e was chosen with the restriction described above) — for example with the extended Euclidean algorithm.

## Encryption and decryption

Internally, this method works only with numbers (no text), which are between 0 and n − 1.

A message m (number) is encrypted with the public key ( n, e) by calculating:

m' := me (mod n)

Decrypting with the private key (n, d) is done analogously with

m'' := (m')d (mod n).

This is

m'' = me × d (mod n).

RSA exploits the property that

xa = xb (mod n)

if

a = b (mod φ(n))

As e and d were chosen appropriately, it is

m'' = m.

The order does not matter. You could also first raise a message with the private key, and then power up the result with the public key — this is what you use with RSA signatures.

## Messages

In the following two text boxes 'Plaintext' and 'Ciphertext', you can see how encryption and decryption work for concrete inputs (numbers).

A plaintext number is too big. The maximum value is as n = . Please choose bigger primes to get a bigger n.
A ciphertext number is too big. The maximum value is as n = . Please choose bigger primes to get a bigger n.

## Used library

This page uses the library BigInteger.js to work with big numbers.

As a result, you can calculate arbitrarily large numbers in JavaScript, even those that are actually used in RSA applications.

CTOAUTHORS: Timm Knape (thanks to Bernhard Esslinger for the review), last update 2021-04-27

This is an implementation of RSA ("textbook RSA") purely for educational purposes. In reality the encryption operations will be padded and a hybrid encryption approach will be used: For example only a session key is encrypted with RSA. This session key will be used with a symmetric encryption algorithm to encrypt the payload.

The security of RSA is based on the fact that it is not possible at present to factorize the product of two large primes in a reasonable time. However, this is only a reasonable assumption, but no certain knowledge: So far, there is no known fast method. We do not know if factoring is at least as severe as other severe problems, and whether it is NP-complete.

### Sample usage

You can encrypt one or more integers as long as they are not bigger than the modulus. If the modulus is bigger than 255, you can also enter text. It is converted to bytes using the UTF-8 encoding. One or more bytes are encoded into one number by padding them to three decimal places and concatenating as many bytes as possible.

a) Given the default values p=11, q=13, n=143, e=23 and d=47, and entering the three integers 6, 13, 111 as plaintext, this plugin calculates at once the according encrypted numbers 128, 52, 67. And vice versa, if you also enter an integer in the Ciphertext field, the arrow rotates to upward and the decrypted number is shown in the Plaintext field.

b) If the modulus is big enough an additional field "Plaintext (enter text)" appears. In this field you can enter any text that is converted into one or more plaintext numbers. Decoding also works, if the decoded numbers are valid encoded character bytes.

### Attack with quantum computers

Due to the principle, a quantum computer with a sufficient number of entangled quantum bits (qubits) can quickly perform a factorization because it can simultaneously test every possible factor simultaneously. So far, however, there is no known quantum computer, which has just an approximately large computing capacity. Thus, effective quantum computers are currently a myth that will probably not be ready for production in the next few years. However, factoring may be over in 20 years and RSA loses its security.

### Size of prime factors

The larger the prime factors are, the longer actual algorithms will take and the more qubits will be needed in future quantum computers. At the moment, the product (modulus) should consist of at least 4096 binary digits to be secure.

### Reuse of primes

Prime numbers may not be reused! If you have two products each consisting of two primes and you know that one of the primes used is the same, then this shared prime can be determined quickly with the Euclidean algorithm. And by dividing the products by this shared prime, one obtains the other prime number.

Early implementations of RSA made this mistake to reduce the time it takes to find a prime number. Also on resource-constrained devices it came in recent times due to lack of entropy. Current implementations should not commit this error anymore.

### Choice of primes

Basically, the primes have to be selected randomly enough. If only n/2-bit numbers are used for an n-bit number, this considerably reduces the search space for attackers. However, neither of the two primes may be too small to avoid an early hit via a brute-force attack with all primes. A clever choice between the two extremes is necessary and not trivial. The two primes should not be too close to each other, but also not too far apart.

### Other great implementations of RSA in the browser

https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSAWorksheetv4e.html

This let the user see how (N, e, d) can be chosen (like we do here too), and also translates text messages into numbers.

https://www.cs.drexel.edu/~jpopyack/Courses/CSP/Fa17/notes/10.1_Cryptography/RSA_Express_EncryptDecrypt_v2.html

Here you can input the message as text (it is assumed the user already has chosen N, e, and d).

Both are from 2012, use no arbitrary long-number library (but pure JavaScript), and look didactically very well.