RSA is a public-key encryption algorithm. It lets Alice publish a key that anyone can use to encrypt a message to her, while only she can decrypt it. The same keys work in reverse to prove who sent a message, which is how RSA is also used for digital signatures. Designed by Rivest, Shamir, and Adleman in 1977, it has since been used in TLS, SSH, PGP, and S/MIME, and remains widely deployed today.
# Trapdoor functions
Every public-key scheme rests on a trapdoor function. A trapdoor function is easy to compute in one direction and hard to reverse without a specific secret piece of information. RSA is built on multiplication.
Multiplying 2 large primes together takes a fraction of a second. Given only the product, recovering the original 2 primes is believed to be infeasible for large enough numbers. There is no known polynomial-time algorithm for factoring integers on a classical computer. This asymmetry is the entire foundation of RSA’s security.
# Key generation
To set up RSA, we choose 2 distinct primes and . Their product is . The number is the modulus. Everything in RSA happens mod .
Not any 2 primes will do. They must be distinct. If , then and its square root is . Factoring then becomes a matter of taking a square root instead of searching for 2 independent factors.
They also should not be close to each other. If and are near , Fermat’s factorization method finds them almost immediately. It searches for such that is a perfect square. In practice, and are also chosen to be roughly the same bit length and large enough that trial division and the fastest known factoring algorithms are infeasible. That is why real keys use primes hundreds of digits long rather than the small ones below.
and are never published. Only their product is. Anyone who recovers and from can rebuild the entire private key, so the 2 primes are hidden below by default. Click the eye icon to reveal them.
Choose p and q
Next, compute Euler’s totient, . The totient counts how many integers from 1 to share no common factor with . Because and are prime, the count is exactly . Like and themselves, stays secret. Anyone who learns it can compute directly from the public , without ever factoring .
Totient
Choose a public exponent that is between 2 and and coprime to , meaning . The most common choice in practice is 65537, a Fermat prime that makes exponentiation fast. For the toy examples below, smaller values are used.
Finally, compute the private exponent such that . This is the modular inverse of modulo , found with the extended Euclidean algorithm. The pair is the public key. The value is the private key and must stay secret.
Key generation
The private exponent is hidden by default too, using the same toggle as and above. Reveal it and watch how it feeds into decryption below.
# Encrypting a message
To send Alice an encrypted message, Bob needs only Alice’s public key . He represents the message as an integer in the range and computes the ciphertext.
The exponentiation can be done efficiently with square-and-multiply, even for large numbers. The result is safe to send over any channel. Without the private exponent , recovering from requires breaking the factoring problem.
Encrypt
# Decrypting
Alice receives and applies her private exponent.
Decrypt
✓ matches original message
It is not obvious why raising to the power should undo raising to the power . The reason comes from a result in number theory called Euler’s theorem. It says that for any coprime to , raising to the power always lands back on 1 modulo , no matter how large or is. This is what makes special. It is the exponent at which powers of start repeating modulo .
Remember that and were not picked independently. was computed specifically so that . In plain terms, the product is exactly 1 more than some whole multiple of . Write that multiple as , so .
Now trace what decryption actually computes. Substituting into gives the following chain.
The last step splits the exponent into 2 pieces, an left over and repeated times. Euler’s theorem says . So the entire term is just 1 raised to a power, still 1. That leaves . Encryption and decryption cancel out precisely because and were chosen to multiply to 1 modulo , the exact cycle length Euler’s theorem guarantees.
# Proving who sent it
Encryption alone does not prove who sent a message. Anyone can grab Alice’s public key and send her a message. Bob has no way to prove a message came from him rather than an impostor. RSA fixes this by running the algorithm with the roles reversed.
To sign a message, Bob uses his own private exponent , not Alice’s, and computes . Only Bob can produce this value, since only he holds .
Anyone holding Bob’s public key can then check the signature by computing . If matches the original message , the signature is genuine. This works because , the same cancellation from Euler’s theorem used in decryption, just applied with the exponents swapped.
Encryption and signing use the same trapdoor in opposite directions. To encrypt, Bob uses Alice’s public key so only Alice’s private key can undo it. To sign, Bob uses his own private key so anyone with his public key can confirm it came from him.
In practice, RSA signatures are not computed over the raw message. The message is hashed first, typically with SHA-256, and only the hash is signed. This keeps the signed value shorter than and avoids structural weaknesses that can appear when signing raw plaintext directly.
# Why it is hard to break
An eavesdropper watching the channel sees the public key and the ciphertext . To recover they need . To compute they need . To compute they need and . And to find and they must factor . Knowing does not shortcut any of this. Computing from alone is believed to be exactly as hard as factoring , since is only required to be coprime to , not derived from it.
What an eavesdropper sees
To decrypt, they need d. To find d, they need φ(n). To find φ(n) = (p−1)(q−1), they must factor n.
For this toy example n = 143 is trivial to factor. At 2048 bits, the best known algorithms would take longer than the age of the universe.
For small like in the demo, trial division finds the factors instantly. For a 2048-bit , the best known classical algorithm is the General Number Field Sieve. Its runtime grows sub-exponentially but fast enough to be completely out of reach at proper key sizes. A 2048-bit RSA key is considered secure against classical computers through at least the 2030s. 4096-bit keys are used when longer-term security is needed.
Quantum computers change the picture. Shor’s algorithm factors integers in polynomial time on a quantum computer, which would break RSA entirely. This is why post-quantum cryptography is an active area of standardization. NIST finalized its first post-quantum standards in 2024, based on lattice problems and hash functions rather than integer factoring.
RSA itself is not used to encrypt bulk data directly. The modulus size limits what can be encrypted, and modular exponentiation is slow compared to symmetric ciphers like AES. In practice, RSA encrypts only a symmetric key. That key then protects the actual message. This hybrid approach combines RSA’s convenience (no shared secret needed upfront) with the speed of symmetric encryption.