Solved Examples

1) A very simple example of RSA encryption

This is an extremely simple example using numbers you can work out on a pocket calculator
(those of you over the age of 35 45 can probably even do it by hand).

1. Select primes p=11, q=3.

2. n = pq = 11.3 = 33
phi = (p-1)(q-1) = 10.2 = 20
3. Choose e=3
Check gcd(e, p-1) = gcd(3, 10) = 1 (i.e. 3 and 10 have no common factors except 1),
and check gcd(e, q-1) = gcd(3, 2) = 1
therefore gcd(e, phi) = gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1
4. Compute d such that ed ≡ 1 (mod phi)
-1 -1
i.e. compute d = e mod phi = 3 mod 20
i.e. find a value for d such that phi divides (ed-1)
i.e. find d such that 20 divides 3d-1.
Simple testing (d = 1, 2, ...) gives d = 7
Check: ed-1 = 3.7 - 1 = 20, which is divisible by phi.
5. Public key = (n, e) = (33, 3)
Private key = (n, d) = (33, 7).

This is actually the smallest possible value for the modulus n for which the RSA algorithm
works.

Now say we want to encrypt the message m = 7,

e
c = m mod n = 73 mod 33 = 343 mod 33 = 13.
Hence the ciphertext c = 13.

To check decryption we compute

d 7
m' = c mod n = 13 mod 33 = 7.
Note that we don't have to calculate the full value of 13 to the power 7 here. We can make use of
the fact that
a = bc mod n = (b mod n).(c mod n) mod n
so we can break down a potentially large number into its components and combine the results of
easier, smaller calculations to calculate the final value.

One way of calculating m' is as follows:-

Note that any number can be expressed as a sum of powers of 2. So first compute values of 132,
134, 138, ... by repeatedly squaring successive values modulo 33.
2 4 8
13 = 169 ≡ 4, 13 = 4.4 = 16, 13 = 16.16 = 256 ≡ 25.

1
Then, since 7 = 4 + 2 + 1, we have m' = 137 = 13(4+2+1) = 134.132.131
≡ 16 x 4 x 13 = 832 ≡ 7 mod 33

Now if we calculate the ciphertext c for all the possible values of m (0 to 32), we get

m 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

c 0 1 8 27 31 26 18 13 17 3 10 11 12 19 5 9 4

m 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

c 29 24 28 14 21 22 23 30 16 20 15 7 2 6 25 32

Note that all 33 values of m (0 to 32) map to a unique code c in the same range in a sort of
random manner. In this case we have nine values of m that map to the same value of c - these are
known as unconcealed messages. m = 0, 1 and n-1 will always do this for any n, no matter how
large. But in practice, higher values shouldn't be a problem when we use large values for n in the
order of several hundred bits.

If we wanted to use this system to keep secrets, we could let A=2, B=3, ..., Z=27. (We
specifically avoid 0 and 1 here for the reason given above). Thus the plaintext message
"HELLOWORLD" would be represented by the set of integers m1, m2, ...

(9,6,13,13,16,24,16,19,13,5)

Using our table above, we obtain ciphertext integers c1, c2, ...

(3,18,19,19,4,30,4,28,19,26)

Note that this example is no more secure than using a simple Caesar substitution cipher, but it
serves to illustrate a simple example of the mechanics of RSA encryption.

Remember that calculating me mod n is easy, but calculating the inverse c-e mod n is very
difficult, well, for large n's anyway. However, if we can factor n into its prime factors p and q,
the solution becomes easy again, even for large n's. Obviously, if we can get hold of the secret
exponent d, the solution is easy, too.

2
 2) A slightly less simple example of the RSA algorithm

This time, to make life slightly less easy for those who can crack simple Caesar substitution
codes, we will group the characters into blocks of three and compute a message representative
integer for each block.

ATTACKxATxSEVEN = ATT ACK XAT XSE VEN

In the same way that a decimal number can be represented as the sum of powers of ten, e.g.
135 = 1 x 102 + 3 x 101 + 5,
we could represent our blocks of three characters in base 26 using A=0, B=1, C=2, ..., Z=25

ATT = 0 x 262 + 19 x 261 + 19 = 513

2
ACK = 0 x 26 + 2 x 261 + 10 = 62
2
XAT = 23 x 26 + 0 x 261 + 19 = 15567
2
XSE = 23 x 26 + 18 x 261 + 4 = 16020
2 1
VEN = 21 x 26 + 4 x 26 + 13 = 14313

For this example, to keep things simple, we'll not worry about numbers and punctuation
characters, or what happens with groups AAA or AAB.

In this system of encoding, the maximum value of a group (ZZZ) would be 263-1 = 17575, so we
require a modulus n greater than this value.

1. We "generate" primes p=137 and q=131 (we cheat by looking for suitable primes around
√n)
2. n = pq = 137.131 = 17947
phi = (p-1)(q-1) = 136.130 = 17680
3. Select e = 3
check gcd(e, p-1) = gcd(3, 136) = 1, OK and
check gcd(e, q-1) = gcd(3, 130) = 1, OK.
4. Compute d = e-1 mod phi = 3-1 mod 17680 = 11787.
5. Hence public key, (n, e) = (17947, 3) and private key (n, d) = (17947, 11787).

Question: Why couldn't we use e=17 here?

To encrypt the first integer that represents "ATT", we have

e 3
c = m mod n = 513 mod 17947 = 8363.
We can verify that our private key is valid by decrypting
d 11787
m' = c mod n = 8363 mod 17947 = 513.

Overall, our plaintext is represented by the sequence of integers m

3
(513, 62, 15567, 16020, 14313)

We compute corresponding ciphertext integers c = me mod n, (which is still possible by using a

calculator) and send this to the person who has the private key.

(8363, 5017, 11884, 9546, 13366)

You are welcome to compute the inverse of these ciphertext integers using m = cd mod n to
verify that the RSA algorithm still holds. However, this is now outside the realms of hand
calculations unless you are very patient.

To help you carry out these modular arithmetic calculations, download our free modular
arithmetic command line programs (last updated 18 June 2009).

Note that this is still a very insecure example. Starting with the knowledge that the modulus
17947 is probably derived from two prime numbers close to its square root, a little testing of
suitable candidates from a table of prime numbers will get you the answer pretty quickly.

√17947 = 133.97, so working downwards from a table of prime numbers we try:

131: 17947 / 131 = 137 exactly, so we have it.

You could also write a simple computer program to factor n that just divides by every odd
number starting from 3 until it reaches a number greater than the square root of n.

3) A real example

In practice, we use a modulus of size in the order of 1024 bits. That is over 300 decimal digits.
One example is

n=

119294134840169509055527211331255649644606569661527638012067481954943056851150
33

380631595703771562029730500011862877084668996911289221224545711806057499598951
70

800421052634273763222742663931161935178395707735056322315966811219273374739732
20

312512599061231322250945506260066557538238517575390621262940383913963

4
This is composed of the two primes

p=

109337661836325758176115170347306682871557999846322234541387456711212734562876
70

008290843302875521274970245314593222946129064538358581018615539828479146469

q=

109106169673491102317237340786149226453370608821417489682098342251389760111799
93

394299810159736904468554021708289824396553412180514827996444845438176099727

With a number this large, we can encode all the information we need in one big integer. We put
our message into an octet string and then convert to a large integer.

Also, rather than trying to represent the plaintext as an integer directly, we generate a random
session key and use that to encrypt the plaintext with a conventional, much faster symmetrical
algorithm like Triple DES or AES-128. We then use the much slower public key encryption
algorithm to encrypt just the session key.

The sender A then transmits a message to the recipient B in a format something like this:-

Session key encrypted with RSA = xxxx

Plaintext encrypted with session key = xxxxxxxxxxxxxxxxx

The recipient B would extract the encrypted session key and use his private key (n,d) to decrypt
it. He would then use this session key with a conventional symmetrical decryption algorithm to
decrypt the actual message. Typically the transmission would include in plaintext details of the
encryption algorithms used, padding and encoding methods, initialisation vectors and other
details required by the recipient. The only secret required to be kept, as always, should be the
private key.

5
If Mallory intercepts the transmission, he can either try and crack the conventionally-encrypted
plaintext directly, or he can try and decrypt the encryped session key and then use that in turn.
Obviously, this system is as strong as its weakest link.

When signing, it is usual to use RSA to sign the message digest of the message rather than the
message itself. A one-way hash function like SHA-1 or SHA-256 is used. The sender A then
sends the signed message to B in a format like this

Hash algorithm = hh
Message content = xxxxxxxxx...xxx
Signature = digest signed with RSA = xxxx

The recipient will decrypt the signature to extract the signed message digest, m; independently
compute the message digest, m', of the actual message content; and check that m and m' are
equal. Putting the message digest algorithm at the beginning of the message enables the recipient
to compute the message digest on the fly while reading the message.

4) A worked example of RSA public key encryption

Let’s suppose that Alice and Bob want to communicate, using RSA technology (It’s always
Alice and Bob in the computer science literature.) The message that Alice wants to send Bob is
the number 1275. [That’s not very interesting. If she wanted

to send the message “Hi Bob”, she would turn that into a number by writing it using the ASCI
encoding. In hex, this is 4869 2042 6F62 - and so in decimal, “Hi Bob” becomes the number
79616349990754. But that’s too big for this purpose, so I’ll just use 1275 - even though that is
04FB in hexadecimal, which doesn’t mean much at all when you convert it to text.] Alice has put
up on the internet somewhere that her modulus is 186101 and that her public key is 907. Bob on
the other hand, has disclosed to the world that his modulus is 189781 and that his public key is
5437.

The security of the system relies on the difficulty in factoring the two modulii. Alice and Bob
both know how to do that for their two numbers (because they chose them by picking two primes
and multiplying them together). In practice, one uses much larger numbers than the 6 digit
numbers we’ve used here, so it might not take you too long to discover that 186101 = 149 ×
1249 and that 189781 = 173 × 1097.

If you know that information, it is easy to compute Alice and Bob’s private keys. For Alice, we
are going to use the fact that elements of Z186101 which have inverses under multiplication

6
form a group with (148−1)×(1249−1) = 184704 elements, to tell us that x184704 ≡ 1 mod 186101
for almost all x. [It doesn’t work for x which are divisible by 149 or 1249, but there are only
1397=149+1249-1 such numbers amongst the 186101 possibilities modulo 186101. The odds of
getting such a nasty number go down even further as the size of the numbers increases.1 ] To find
Alice’s private key we have to solve

907x ≡ 1 mod 184704.

We can do this very quickly using Euclid’s algorithm.

184704 = 203 × 907 + 583

907 = 1 × 583 + 324

583 = 1 × 324 + 259

324 = 1 × 259 + 65

259 = 3 × 65 + 64

65 = 1 × 64 + 1

64 = 64 × 1

and writing this in reverse, we can compute that 907 × 2851 − 14 × 184704 = 1, and so Alice’s
private key is 2851.

In a similar way, we can compute Bob’s private key. This time we want to solve

5437x ≡ 1 mod 188512 .

Remember that the 188512 comes from (173 − 1) × (1097 − 1), and so you can’t find it without
knowing how to factor Bob’s modulus. Bob can do that because he got it by multiplying 173 by
1097, but it is hard to do without that inside information. Bob finds his private key the same way
as for Alice, and I’ll leave it to you to check that it is 49269.

Now to send the message 1275, Alice first “decodes” it using her private key. That is, she
computes 12752851 mod 186101. If you do that, you get 127296. Only Alice knows how to do
this, because only she knows her private key, 2851. Then she takes this number, 127296 and
encodes it with Bob’s public key. That is, she computes 1272965437 mod 189781. When she does
this, she obtains the number 182522. That is the message she transmits to Bob.

To decode the message, Bob first uses his private key. So he computes 18252249269 mod
189781. The answer he gets from this is 127296. He is the only one who can do this, because he
is the only one who knows his private key. At this stage he has recovered the intermediate
7
number in Alice’s encoding of the message. Now he can complete the decoding, by using the
publicly available details from Alice’s public key. He computes 127296907 mod 186101, and
obtains 1275, the original message. If 1275 seems to be a sensible message, he will know that it
came from Alice, because she was the only one who knows how to transform the 1275 into the
127296 intermediate step.

Try duplicating this with smaller numbers, where you can do the computations with your
calculator. Unfortunately, you’ll need to keep the primes really small, (less than 15 will probably
work) and that makes the examples uninspiring, but will help you see that you have at least got
the right idea.

You might ask, how did Alice compute 12752851 in a reasonable amount of time? Alice does
this by first writing 2851 = 2048 + 512 + 256 + 32 + 2 + 1, that is, writing 2851 in binary as
101100100011. She then does the computations

12751 ≡ 12751 ≡ 1275 mod 186101

12752 ≡ 12752 ≡ 136817 mod 186101

12754 ≡ 1368172 ≡ 108505 mod 186101

12758 ≡ 1085052 ≡ 27462 mod 186101

127516 ≡ 274622 ≡ 80192 mod 186101

127532 ≡ 801922 ≡ 36809 mod 186101

127564 ≡ 368092 ≡ 87201 mod 186101

1275128 ≡ 872012 ≡ 113642 mod 186101

1275256 ≡ 1136422 ≡ 25269 mod 186101

1275512 ≡ 252692 ≡ 9830 mod 186101

12751024 ≡ 98302 ≡ 42481 mod 186101

12752048 ≡ 424812 ≡ 13964 mod 186101

So far, she has done just 11 multiplications. Then she uses this information to compute

12753 ≡ 12751 × 12752 ≡ 65038 mod 186101

127535 ≡ 12753 × 127532 ≡ 166579 mod 186101

8
1275291 ≡ 127535 × 1275256 ≡ 52333 mod 186101

1275803 ≡ 1275291 × 1275512 ≡ 50226 mod 186101

12752851 ≡ 1275803 × 12752048 ≡ 127296 mod 186101

which is an additional 5 multiplications, so it only takes her a total of 16 multiplications to

compute 12752851 mod 186101. And you could do it yourself in just this way on any calculator
which will handle 11 digit numbers, because, in the intermediate computations, the worst you
ever might have to do is 186100 × 186100 = 34 633 210 000.

I should also say a little bit about security. Suppose that you were able to discover Alice’s private
key of 2851. You know that that has been chosen so that 907 × 2851 ≡ 1 mod |G|, where |G| is
the number of elements in the group of integers with inverses modulo 186101. So the number of
elements in this group is a divisor of 907×2851−1 = 2585856. We know that this number is
about 186101, because most elements have inverses, so if we calculate 2585856/186101 =
13.8949, it’s easy to guess that the order of the group is actually 2585856/14 = 184704. Now, the
way things work, if 186101 = pq, then 184704 = (p−1)(q−1) = pq−p−q+1, so p + q = 186101 −
184704 + 1 = 1398. So (x − p)(x − q) = x2 − 1398x + 186101, and so p and q are the solutions of
the quadratic equation x2 − 1398x + 186101 = 0. There’s a formula for this, and you quickly get
x = 149 or 1249. So, you see that any method to hack RSA encryption provides a way of
factoring the modulus. Mathematicians haven’t come up with any really good ways of factoring
very large numbers, despite much trying, and believe that this is a very hard problem. The
security of RSA depends on that belief being correct.

1
Even the nasty numbers still work for encoding and decoding — its just that they can betray the
factors of the modulus and so give anyone who stumbles upon such a thing a way of cracking the
code. If you want to see what happens in this case, try sending the message 1249. The main thing
to understand is that, while 1249184704 ≠ 1 mod 186101, it still happens to be the case that 1249k ≡
1249 mod 186101 whenever k ≡ 1 mod 184704.

5) An Example of the RSA Algorithm

P = 61 <= first prime number (destroy this after computing E and D)

Q = 53 <= second prime number (destroy this after computing E and D)

PQ = 3233 <= modulus (give this to others)

9
E = 17 <= public exponent (give this to others)

D = 2753 <= private exponent (keep this secret!)

Your public key is (E,PQ).

Your private key is D.

The encryption function is: encrypt(T) = (T^E) mod PQ

= (T^17) mod 3233

The decryption function is: decrypt(C) = (C^D) mod PQ

= (C^2753) mod 3233

To encrypt the plaintext value 123, do this:

encrypt(123) = (123^17) mod 3233

= 337587917446653715596592958817679803 mod 3233

= 855

To decrypt the ciphertext value 855, do this:

decrypt(855) = (855^2753) mod 3233

= 50432888958416068734422899127394466631453878360035509315554967564501

05562861208255997874424542811005438349865428933638493024645144150785

17209179665478263530709963803538732650089668607477182974582295034295

10
04079035818459409563779385865989368838083602840132509768620766977396

67533250542826093475735137988063256482639334453092594385562429233017

51977190016924916912809150596019178760171349725439279215696701789902

13430714646897127961027718137839458696772898693423652403116932170892

69617643726521315665833158712459759803042503144006837883246101784830

71758547454725206968892599589254436670143220546954317400228550092386

36942444855973333063051607385302863219302913503745471946757776713579

54965202919790505781532871558392070303159585937493663283548602090830

63550704455658896319318011934122017826923344101330116480696334024075

04695258866987658669006224024102088466507530263953870526631933584734

81094876156227126037327597360375237388364148088948438096157757045380

08107946980066734877795883758289985132793070353355127509043994817897

90548993381217329458535447413268056981087263348285463816885048824346

58897839333466254454006619645218766694795528023088412465948239275105

77049113329025684306505229256142730389832089007051511055250618994171

23177795157979429711795475296301837843862913977877661298207389072796

76720235011399271581964273076407418989190486860748124549315795374377

12441601438765069145868196402276027766869530903951314968319097324505

45234594477256587887692693353918692354818518542420923064996406822184

49011913571088542442852112077371223831105455431265307394075927890822

60604317113339575226603445164525976316184277459043201913452893299321

61307440532227470572894812143586831978415597276496357090901215131304

15756920979851832104115596935784883366531595132734467524394087576977

78908490126915322842080949630792972471304422194243906590308142893930

11
29158483087368745078977086921845296741146321155667865528338164806795

45594189100695091965899085456798072392370846302553545686919235546299

57157358790622745861957217211107882865756385970941907763205097832395

71346411902500470208485604082175094910771655311765297473803176765820

58767314028891032883431850884472116442719390374041315564986995913736

51621084511374022433518599576657753969362812542539006855262454561419

25880943740212888666974410972184534221817198089911953707545542033911

96453936646179296816534265223463993674233097018353390462367769367038

05342644821735823842192515904381485247388968642443703186654199615377

91396964900303958760654915244945043600135939277133952101251928572092

59788751160195962961569027116431894637342650023631004555718003693586

05526491000090724518378668956441716490727835628100970854524135469660

84481161338780654854515176167308605108065782936524108723263667228054

00387941086434822675009077826512101372819583165313969830908873174174

74535988684298559807185192215970046508106068445595364808922494405427

66329674592308898484868435865479850511542844016462352696931799377844

30217857019197098751629654665130278009966580052178208139317232379013

23249468260920081998103768484716787498919369499791482471634506093712

56541225019537951668976018550875993133677977939527822273233375295802

63122665358948205566515289466369032083287680432390611549350954590934

06676402258670848337605369986794102620470905715674470565311124286290

73548884929899835609996360921411284977458614696040287029670701478179

49024828290748416008368045866685507604619225209434980471574526881813

18508591501948527635965034581536416565493160130613304074344579651083

12
80304062240278898042825189094716292266898016684480963645198090510905

79651307570379245958074479752371266761011473878742144149154813591743

92799496956415653866883891715446305611805369728343470219206348999531

91764016110392490439179803398975491765395923608511807653184706473318

01578207412764787592739087492955716853665185912666373831235945891267

87095838000224515094244575648744840868775308453955217306366938917023

94037184780362774643171470855830491959895146776294392143100245613061

11429937000557751339717282549110056008940898419671319709118165542908

76109008324997831338240786961578492341986299168008677495934077593066

02207814943807854996798945399364063685722697422361858411425048372451

24465580270859179795591086523099756519838277952945756996574245578688

38354442368572236813990212613637440821314784832035636156113462870198

51423901842909741638620232051039712184983355286308685184282634615027

44187358639504042281512399505995983653792227285847422071677836679451

34363807086579774219853595393166279988789721695963455346336497949221

13017661316207477266113107012321403713882270221723233085472679533015

07998062253835458948024820043144726191596190526034069061930939290724

10284948700167172969517703467909979440975063764929635675558007116218

27727603182921790350290486090976266285396627024392536890256337101471

68327404504583060228676314215815990079164262770005461232291921929971

69907690169025946468104141214204472402661658275680524166861473393322

65959127006456304474160852916721870070451446497932266687321463467490

41185886760836840306190695786990096521390675205019744076776510438851

51941619318479919134924388152822038464729269446084915299958818598855

13
19514906630731177723813226751694588259363878610724302565980914901032

78384821401136556784934102431512482864529170314100400120163648299853

25166349056053794585089424403855252455477792240104614890752745163425

13992163738356814149047932037426337301987825405699619163520193896982

54478631309773749154478427634532593998741700138163198116645377208944

00285485000269685982644562183794116702151847721909339232185087775790

95933267631141312961939849592613898790166971088102766386231676940572

95932538078643444100512138025081797622723797210352196773268441946486

16402961059899027710532570457016332613431076417700043237152474626393

99011899727845362949303636914900881060531231630009010150839331880116

68215163893104666659513782749892374556051100401647771682271626727078

37012242465512648784549235041852167426383189733332434674449039780017

84689726405462148024124125833843501704885320601475687862318094090012

63241969092252022679880113408073012216264404133887392600523096072386

15855496515800103474611979213076722454380367188325370860671331132581

99227975522771848648475326124302804177943090938992370938053652046462

55147267884961527773274119265709116613580084145421487687310394441054

79639308530896880365608504772144592172500126500717068969428154627563

70458838904219177398190648731908014828739058159462227867277418610111

02763247972904122211994117388204526335701759090678628159281519982214

57652796853892517218720090070389138562840007332258507590485348046564

54349837073287625935891427854318266587294608072389652291599021738887

95773647738726574610400822551124182720096168188828493894678810468847

31265541726209789056784581096517975300873063154649030211213352818084

14
 76122990409576427857316364124880930949770739567588422963171158464569

84202455109029882398517953684125891446352791897307683834073696131409

74522985638668272691043357517677128894527881368623965066654089894394

95161912002160777898876864736481837825324846699168307281220310791935

64666840159148582699993374427677252275403853322196852298590851548110

40229657916338257385513314823459591633281445819843614596306024993617

53097925561238039014690665163673718859582772525683119989984646027216

46279764077057074816406450769779869955106180046471937808223250148934

07851137833251073753823403466269553292608813843895784099804170410417

77608463062862610614059615207066695243018438575031762939543026312673

77406936404705896083462601885911184367532529845888040849710922999195

65539701911191919188327308603766775339607722455632113506572191067587

51186812786344197572392195263333856538388240057190102564949233944519

65959203992392217400247234147190970964562108299547746193228981181286

05556588093851898811812905614274085809168765711911224763288658712755

38928438126611991937924624112632990739867854558756652453056197509891

14578114735771283607554001774268660965093305172102723066635739462334

13638045914237759965220309418558880039496755829711258361621890140359

54234930424749053693992776114261796407100127643280428706083531594582

305946326827861270203356980346143245697021484375 mod 3233

= 123

15