An Interactive Guide to RSA

June 30, 20268 min read
computer-sciencecryptographyinteractive

Table Of Contents

  1. Trapdoor functions
  2. Key generation
  3. Encrypting a message
  4. Decrypting
  5. Proving who sent it
  6. Why it is hard to break

RSA is a public-key encryption algorithm. It lets Alice publish a key that anyone can use to encrypt a message to her, while only she can decrypt it. The same keys work in reverse to prove who sent a message, which is how RSA is also used for digital signatures. Designed by Rivest, Shamir, and Adleman in 1977, it has since been used in TLS, SSH, PGP, and S/MIME, and remains widely deployed today.

# Trapdoor functions

Every public-key scheme rests on a trapdoor function. A trapdoor function is easy to compute in one direction and hard to reverse without a specific secret piece of information. RSA is built on multiplication.

Multiplying 2 large primes together takes a fraction of a second. Given only the product, recovering the original 2 primes is believed to be infeasible for large enough numbers. There is no known polynomial-time algorithm for factoring integers on a classical computer. This asymmetry is the entire foundation of RSA’s security.

# Key generation

To set up RSA, we choose 2 distinct primes pp and qq. Their product is n=pqn = p \cdot q. The number nn is the modulus. Everything in RSA happens mod nn.

Not any 2 primes will do. They must be distinct. If p=qp = q, then n=p2n = p^2 and its square root is pp. Factoring nn then becomes a matter of taking a square root instead of searching for 2 independent factors.

They also should not be close to each other. If pp and qq are near n\sqrt{n}, Fermat’s factorization method finds them almost immediately. It searches for aa such that a2na^2 - n is a perfect square. In practice, pp and qq are also chosen to be roughly the same bit length and large enough that trial division and the fastest known factoring algorithms are infeasible. That is why real keys use primes hundreds of digits long rather than the small ones below.

pp and qq are never published. Only their product nn is. Anyone who recovers pp and qq from nn can rebuild the entire private key, so the 2 primes are hidden below by default. Click the eye icon to reveal them.

Choose p and q

n = p × q143

Next, compute Euler’s totient, ϕ(n)=(p1)(q1)\phi(n) = (p - 1)(q - 1). The totient counts how many integers from 1 to nn share no common factor with nn. Because pp and qq are prime, the count is exactly (p1)(q1)(p-1)(q-1). Like pp and qq themselves, ϕ(n)\phi(n) stays secret. Anyone who learns it can compute dd directly from the public ee, without ever factoring nn.

Totient

φ(n) = (p−1)(q−1)120

Choose a public exponent ee that is between 2 and ϕ(n)\phi(n) and coprime to ϕ(n)\phi(n), meaning gcd(e,ϕ(n))=1\gcd(e, \phi(n)) = 1. The most common choice in practice is 65537, a Fermat prime that makes exponentiation fast. For the toy examples below, smaller values are used.

Finally, compute the private exponent dd such that ed1modϕ(n)e \cdot d \equiv 1 \bmod \phi(n). This is the modular inverse of ee modulo ϕ(n)\phi(n), found with the extended Euclidean algorithm. The pair (n,e)(n, e) is the public key. The value dd is the private key and must stay secret.

Key generation

d = e⁻¹ mod φ(n)103
Public key(n = 143, e = 7)
Private key(n = 143, d = 103)

The private exponent dd is hidden by default too, using the same toggle as pp and qq above. Reveal it and watch how it feeds into decryption below.

# Encrypting a message

To send Alice an encrypted message, Bob needs only Alice’s public key (n,e)(n, e). He represents the message as an integer mm in the range [0,n)[0, n) and computes the ciphertext.

c=memodnc = m^e \bmod n

The exponentiation can be done efficiently with square-and-multiply, even for large numbers. The result cc is safe to send over any channel. Without the private exponent dd, recovering mm from cc requires breaking the factoring problem.

Encrypt

must be 0 to 142
427 mod 14381ciphertext c

# Decrypting

Alice receives cc and applies her private exponent.

m=cdmodnm = c^d \bmod n

Decrypt

ciphertext c81
81d mod 14342recovered message

✓ matches original message

It is not obvious why raising cc to the power dd should undo raising mm to the power ee. The reason comes from a result in number theory called Euler’s theorem. It says that for any mm coprime to nn, raising mm to the power ϕ(n)\phi(n) always lands back on 1 modulo nn, no matter how large mm or nn is. This is what makes ϕ(n)\phi(n) special. It is the exponent at which powers of mm start repeating modulo nn.

Remember that ee and dd were not picked independently. dd was computed specifically so that ed1modϕ(n)e \cdot d \equiv 1 \bmod \phi(n). In plain terms, the product ede \cdot d is exactly 1 more than some whole multiple of ϕ(n)\phi(n). Write that multiple as kk, so ed=1+kϕ(n)e \cdot d = 1 + k \cdot \phi(n).

Now trace what decryption actually computes. Substituting c=memodnc = m^e \bmod n into cdc^d gives the following chain.

cd=(me)d=med=m1+kϕ(n)=m(mϕ(n))kc^d = (m^e)^d = m^{e \cdot d} = m^{1 + k\phi(n)} = m \cdot (m^{\phi(n)})^k

The last step splits the exponent into 2 pieces, an mm left over and ϕ(n)\phi(n) repeated kk times. Euler’s theorem says mϕ(n)1modnm^{\phi(n)} \equiv 1 \bmod n. So the entire term (mϕ(n))k(m^{\phi(n)})^k is just 1 raised to a power, still 1. That leaves m1=mm \cdot 1 = m. Encryption and decryption cancel out precisely because ee and dd were chosen to multiply to 1 modulo ϕ(n)\phi(n), the exact cycle length Euler’s theorem guarantees.

# Proving who sent it

Encryption alone does not prove who sent a message. Anyone can grab Alice’s public key and send her a message. Bob has no way to prove a message came from him rather than an impostor. RSA fixes this by running the algorithm with the roles reversed.

To sign a message, Bob uses his own private exponent dd, not Alice’s, and computes s=mdmodns = m^d \bmod n. Only Bob can produce this value, since only he holds dd.

Anyone holding Bob’s public key (n,e)(n, e) can then check the signature by computing m=semodnm' = s^e \bmod n. If mm' matches the original message mm, the signature is genuine. This works because se=(md)e=mde=ms^e = (m^d)^e = m^{de} = m, the same cancellation from Euler’s theorem used in decryption, just applied with the exponents swapped.

Encryption and signing use the same trapdoor in opposite directions. To encrypt, Bob uses Alice’s public key so only Alice’s private key can undo it. To sign, Bob uses his own private key so anyone with his public key can confirm it came from him.

In practice, RSA signatures are not computed over the raw message. The message is hashed first, typically with SHA-256, and only the hash is signed. This keeps the signed value shorter than nn and avoids structural weaknesses that can appear when signing raw plaintext directly.

# Why it is hard to break

An eavesdropper watching the channel sees the public key (n,e)(n, e) and the ciphertext cc. To recover mm they need dd. To compute dd they need ϕ(n)=(p1)(q1)\phi(n) = (p - 1)(q - 1). To compute ϕ(n)\phi(n) they need pp and qq. And to find pp and qq they must factor nn. Knowing ee does not shortcut any of this. Computing ϕ(n)\phi(n) from nn alone is believed to be exactly as hard as factoring nn, since ee is only required to be coprime to ϕ(n)\phi(n), not derived from it.

What an eavesdropper sees

n (public)143
e (public)7
c (intercepted)81

To decrypt, they need d. To find d, they need φ(n). To find φ(n) = (p−1)(q−1), they must factor n.

n = ?143= 11 × 13

For this toy example n = 143 is trivial to factor. At 2048 bits, the best known algorithms would take longer than the age of the universe.

For small nn like in the demo, trial division finds the factors instantly. For a 2048-bit nn, the best known classical algorithm is the General Number Field Sieve. Its runtime grows sub-exponentially but fast enough to be completely out of reach at proper key sizes. A 2048-bit RSA key is considered secure against classical computers through at least the 2030s. 4096-bit keys are used when longer-term security is needed.

Quantum computers change the picture. Shor’s algorithm factors integers in polynomial time on a quantum computer, which would break RSA entirely. This is why post-quantum cryptography is an active area of standardization. NIST finalized its first post-quantum standards in 2024, based on lattice problems and hash functions rather than integer factoring.

RSA itself is not used to encrypt bulk data directly. The modulus size limits what can be encrypted, and modular exponentiation is slow compared to symmetric ciphers like AES. In practice, RSA encrypts only a symmetric key. That key then protects the actual message. This hybrid approach combines RSA’s convenience (no shared secret needed upfront) with the speed of symmetric encryption.