15

For RSA, how do I calculate the secret exponent?

Given p and q the two primes, and phi=(p-1)(q-1), and the public exponent (0x10001), how do I get the secret exponent 'd'?

I've read that I have to do: d = e^(-1) mod phi using modular inversion and the Euclidean equation, but I cannot understand how the above formula maps to either the a^(-1) ≡ x mod m formula on the modular inversion wiki page, or how it maps to the Euclidean GCD equation.

Can someone help please, cheers

Chris

1 Answer

19

You can use the extended Euclidean algorithm to solve for d in the congruence

de = 1 mod phi(m)

For RSA encryption, e is the encryption key, d is the decryption key, and encryption and decryption are both performed by exponentiation mod m. If you encrypt a message a with key e, and then decrypt it using key d, you calculate (a^e)^d = a^(de) mod m. But since de = 1 mod phi(m), Euler's totient theorem tells us that a^(de) is congruent to a^1 mod m -- in other words, you get back the original a.

There are no known efficient ways to obtain the decryption key d knowing only the encryption key e and the modulus m, without knowing the factorization m = pq, so RSA encryption is believed to be secure.

Jim Lewis
  • 1
    I had good luck with the code from here: http://en.wikipedia.org/wiki/Extended_Euclidean_algorithm#Recursive_method_2 Simply inputting a=e, b=phi to that function gives me x,y - y is discarded, and x is the secret exponent d ! – Chris Jul 09 '10 at 05:16
  • 1
    @Chris: It's a pity Euler and Euclid didn't survive to collect their share of the patent revenue. So long, and thanks for all the math! – Jim Lewis Jul 09 '10 at 06:04
  • Just for completeness, another way to do the computation with the same basic performance is d = e**(phi(phi(m))-1) mod phi(m). – President James K. Polk Jul 10 '10 at 17:28
  • 1
    @GregS: The identity holds, but I disagree that the performance is comparable. Finding an inverse mod n with Euclid's algorithm can be done in O(log n) time. But finding phi(n) is as difficult as factoring n, for which there is no known O( (log n)^k ) algorithm for any k. And if the original p and q are well-chosen, (p-1) and (q-1) will themselves have large prime factors, making phi(phi(m)) difficult to calculate. – Jim Lewis Jul 10 '10 at 22:00
  • @Jim: Agreed, you have to know phi(phi(m)) or it is pointless. If p-1=2*p' and q-1=2*q', where p' and q' are primes, then phi(phi(m)) is 2*p'*q'. Such a p and q are called safe primes and are common (although unnecessary) in RSA implementations. – President James K. Polk Jul 11 '10 at 00:41
  • @GregS: Aren't you mixing safe primes with strong primes here? E.g. ANSI requires strong primes (i.e. both p-1 and p+1 must have a large prime factor). Safe primes prevent Pollard's p-1 factoring algorithm but (in principle) not Williams p+1 algorithm. (And, yes, neither using safe nor strong primes is necessary). – abc Jul 28 '10 at 09:35
  • @abc: No. In the above, p and q are safe primes, not strong primes. – President James K. Polk Jul 28 '10 at 23:14
  • @GregS: I'm sorry. I didn't want to imply that you don't know what a safe prime is. Rather, that safe primes are not that common in RSA keys. I've seen crypto libraries that generate strong primes during the RSA key generation, but I'm not aware of a library that uses safe primes. – abc Jul 29 '10 at 09:14
  • @abc: Oh, I see. Well, let's look around and check. A strong prime can also be a safe prime, i.e. if the large prime factor of p-1 happens to be (p-1)/2. – President James K. Polk Jul 29 '10 at 10:59
  • @JamesKPolk Small correction, if _m = pq_ and _p-1 = 2*p'_ and _q-1 = 2*q'_, then _phi(phi(m))_ is _(p'-1)*(q'-1)_ (assuming _p', q'_ are prime). _2*p'*q'_ is incorrect. – orlp Jan 16 '17 at 16:43
  • @JamesKPolk _φ(m) = φ(pq) = φ(p)φ(q) = (p-1)(q-1)_. Then, _φ(φ(m)) = φ((p-1)(q-1)) = φ(p-1)φ(q-1)_. Now for _φ(p-1)_, we have _φ(p-1) = φ(2*p') = φ(2)φ(p') = φ(p') = p'-1_. Similarly for _q'_ such that _φ(p-1)φ(q-1) = (p'-1)(q'-1)_. So finally, _φ(φ(m)) = (p'-1)(q'-1)_. – orlp Jan 16 '17 at 17:18
  • @JamesKPolk Actually, after [a discussion with Ilmari Karonen](http://codegolf.stackexchange.com/users/3191/ilmari-karonen), I realize I messed up. I forgot that φ is only multiplicative when the factors are coprime. So we have _φ((p-1)(q-1)) = φ(2p' * 2q') = φ(4)φ(p'q') = 2φ(p'q')_. The correct result is thus _φ(φ(m)) = 2(p'-1)(q'-1)_. – orlp Jan 16 '17 at 20:32
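
An added example, not part of the answer or comments above: computing d from p, q and e with the extended Euclidean algorithm as the answer describes, alongside the phi(phi(m)) variant from the comments for safe primes. The function names and the toy primes 23 and 47 are assumptions chosen for illustration.

```python
def extended_gcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_x, x = x, old_x - quotient * x
        old_y, y = y, old_y - quotient * y
    return old_r, old_x, old_y


def private_exponent(p, q, e=0x10001):
    """Solve d*e = 1 (mod phi) for d, where phi = (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    g, x, _ = extended_gcd(e, phi)  # e*x + phi*y == g; y is not needed
    if g != 1:
        raise ValueError("e has no inverse mod phi: gcd(e, phi) != 1")
    return x % phi  # x may come back negative; reduce it into [0, phi)


def private_exponent_euler(p_prime, q_prime, e=0x10001):
    """Variant from the comments, for safe primes p = 2p'+1 and q = 2q'+1.

    Assumes p' and q' are distinct odd primes and gcd(e, phi) == 1, so that
    phi(phi(m)) = 2(p'-1)(q'-1) and d = e^(phi(phi(m)) - 1) mod phi.
    """
    phi = (2 * p_prime) * (2 * q_prime)
    phi_phi = 2 * (p_prime - 1) * (q_prime - 1)
    return pow(e, phi_phi - 1, phi)


if __name__ == "__main__":
    # Constructed toy safe primes: 23 = 2*11 + 1 and 47 = 2*23 + 1.
    p, q, e = 23, 47, 0x10001
    m = p * q
    d = private_exponent(p, q, e)
    print("d from extended Euclid:", d)
    print("d from Euler variant:  ", private_exponent_euler(11, 23, e))
    a = 42  # constructed sample message
    print("round trip ok:", pow(pow(a, e, m), d, m) == a)
```

The reduction `x % phi` matters because the Bézout coefficient returned for e is often negative, and a negative d cannot be used directly as an exponent.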