The idea of an asymmetric public-private key

cryptosystem is attributed to Whitfield Diffie and

Martin Hellman, who published this concept in
1976. They also introduced digital signatures and
attempted to apply number theory. Their
formulation used a shared-secret-key created from
exponentiation of some number, modulo a prime
number. However, they left open the problem of
realizing a one-way function, possibly because the
difficulty of factoring was not well-studied at the
time
Ron Rivest, Adi Shamir, and Leonard Adleman at
the Massachusetts Institute of Technology, made
several attempts over the course of a year to create
a one-way function that was hard to invert. Rivest
and Shamir, as computer scientists, proposed many
potential functions, while Adleman, as a
mathematician, was responsible for finding their
weaknesses. They tried many approaches
including "knapsack-based" and "permutation
polynomials". For a time, they thought what they
wanted to achieve was impossible due to
contradictory requirements. In April 1977, they
spent Passover at the house of a student and drank
a good deal of Manischewitz wine before returning
to their homes at around midnight. Rivest, unable
to sleep, lay on the couch with a math textbook
and started thinking about their one-way function.
He spent the rest of the night formalizing his idea,
and he had much of the paper ready by daybreak.
The algorithm is now known as RSA – the initials
of their surnames in same order as their paper.
Clifford Cocks, an English mathematician working
for the British intelligence agency Government
Communications Headquarters (GCHQ), described
an equivalent system in an internal document in
1973.[8] However, given the relatively expensive
computers needed to implement it at the time, it
was considered to be mostly a curiosity and, as far
as is publicly known, was never deployed. His
discovery, however, was not revealed until 1997
due to its top-secret classification.
Kid-RSA (KRSA) is a simplified public-key
cipher published in 1997, designed for educational
purposes. Some people feel that learning Kid-RSA
gives insight into RSA and other public-key
ciphers, analogous to simplified DES
The RSA algorithm involves four steps: key
generation, key distribution, encryption, and
decryption.
A basic principle behind RSA is the observation
that it is practical to find three very large positive
integers e, d, and n, such that with modular
exponentiation for all integers m (with 0 ≤ m < n):
and that knowing e and n, or even m, it can be
extremely difficult to find d. The triple bar (≡) here
denotes modular congruence.
In addition, for some operations it is convenient
that the order of the two exponentiations can be
changed and that this relation also implies:
RSA involves a public key and a private key. The
public key can be known by everyone, and it is
used for encrypting messages. The intention is that
messages encrypted with the public key can only
be decrypted in a reasonable amount of time by
using the private key. The public key is
represented by the integers n and e; and, the
private key, by the integer d (although n is also
used during the decryption process, so it might be
considered to be a part of the private key, too). m
represents the message (previously prepared with a
certain technique explained below).
Key generation
The keys for the RSA algorithm are generated in
the following way:
1. Choose two distinct prime numbers p and q.
 o For security purposes, the integers p and q
should be chosen at random, and should be
similar in magnitude but differ in length
by a few digits to make factoring harder.[2]
Prime integers can be efficiently found
using a primality test.
o p and q are kept secret.
2.Compute n = pq.
o n is used as the modulus for both the
public and private keys. Its length, usually
expressed in bits, is the key length.
o n is released as part of the public key.
3. Compute λ(n), where λ is Carmichael's totient
function. Since n = pq, λ(n) = lcm(λ(p),λ(q)),
and since p and q are prime, λ(p) = φ(p) = p −
1 and likewise λ(q) = q − 1. Hence λ(n) =
lcm(p − 1, q − 1).
o λ(n) is kept secret.
o The lcm may be calculated through the
Euclidean algorithm, since lcm(a,b) = |
ab|/gcd(a,b).
4. Choose an integer e such that 1 < e < λ(n) and
gcd(e, λ(n)) = 1; that is, e and λ(n) are
coprime.
o e having a short bit-length and small
Hamming weight results in more efficient
encryption  – the most commonly chosen
value for e is 216 + 1 = 65,537. The
smallest (and fastest) possible value for e
is 3, but such a small value for e has been
shown to be less secure in some settings.
[15]

o e is released as part of the public key.

5. Determine d as d ≡ e−1 (mod λ(n)); that is, d is
the modular multiplicative inverse of e modulo
λ(n).
o This means: solve for d the equation d⋅e ≡
1 (mod λ(n)); d can be computed
efficiently by using the Extended
Euclidean algorithm, since, thanks to e and
λ(n) being coprime, said equation is a form
of Bézout's identity, where d is one of the
coefficients.
o d is kept secret as the private key
exponent.
The public key consists of the modulus n and the
public (or encryption) exponent e. The private key
consists of the private (or decryption) exponent d,
which must be kept secret. p, q, and λ(n) must also
be kept secret because they can be used to
calculate d. In fact, they can all be discarded after
d has been computed.[16]
In the original RSA paper,[2] the Euler totient
function φ(n) = (p − 1)(q − 1) is used instead of
λ(n) for calculating the private exponent d. Since
φ(n) is always divisible by λ(n) the algorithm
works as well. That the Euler totient function can
be used can also be seen as a consequence of
Lagrange's theorem applied to the multiplicative
group of integers modulo pq. Thus any d satisfying
d⋅e ≡ 1 (mod φ(n)) also satisfies d⋅e ≡ 1 (mod
λ(n)). However, computing d modulo φ(n) will
sometimes yield a result that is larger than
necessary (i.e. d > λ(n)). Most of the
implementations of RSA will accept exponents
generated using either method (if they use the
private exponent d at all, rather than using the
optimized decryption method based on the Chinese
remainder theorem described below), but some
standards such as FIPS 186-4 may require that d <
λ(n). Any "oversized" private exponents not
meeting that criterion may always be reduced
modulo λ(n) to obtain a smaller equivalent
exponent.
Since any common factors of (p − 1) and (q − 1)
are present in the factorisation of n − 1 = pq − 1 =
(p − 1)(q − 1) + (p − 1) + (q − 1),[17] it is
recommended that (p − 1) and (q − 1) have only
very small common factors, if any besides the
necessary 2.
Note: The authors of the original RSA paper carry
out the key generation by choosing d and then
computing e as the modular multiplicative inverse
of d modulo φ(n), whereas most current
implementations of RSA, such as those following
PKCS#1, do the reverse (choose e and compute d).
Since the chosen key can be small whereas the
computed key normally is not, the RSA paper's
algorithm optimizes decryption compared to
encryption, while the modern algorithm optimizes
encryption instead.

Source : https://en.wikipedia.org/wiki/RSA_(cryptosystem)