6

How to calculate the Modular Multiplicative inverse of a number in the context of RSA encryption?

Marc Hoffer
  • 61
  • 1
  • 1
  • 2

5 Answers5

3

Direct Modular Exponentiation

The direct modular exponentiation method, as an alternative to the extended Euclidean algorithm, is as follows:

Source: http://en.wikipedia.org/wiki/Modular_multiplicative_inverse

Andrew Tomazos
  • 66,139
  • 40
  • 186
  • 319
Daniel Gartmann
  • 11,678
  • 12
  • 45
  • 60
  • 1
    This method requires the order of the group in which you take the inverse. In the case of RSA you usually don't know this. – abc Jul 28 '10 at 09:20
  • You know it if the modulus is prime - it's P-1. For an RSA key at the time of key generation you may know it as well (P-1)*(Q-1). Once the key pairs are created, the factorization of the modulus is thrown away, as knowing the order of the group is required to create a key pair and is equivalent to finding the private key. – phkahler Jul 28 '10 at 13:47
  • Since in RSA, to find the private key you need to find the inverse of `e (mod φ(n))`, using this method requires you to calculate `φ(φ(n))`, which is equivalent to factoring `φ(n)`. So, @abc is right: you can't use this method; I did not even think about this earlier. – BlueRaja - Danny Pflughoeft Jul 28 '10 at 21:23
  • It's easy to compute phi(phi(n)) if the RSA primes are safe primes. See my comment to http://stackoverflow.com/questions/3209665/for-rsa-how-do-i-calculate-the-secret-exponent/3209797#3209797. But it's just fun to think about and tinker with, the extended euclidean algorithm always works fast. – President James K. Polk Jul 29 '10 at 00:03
3

Use the Extended Euclidean Algorithm, which is significantly faster than direct modular exponentiation in practice.

BlueRaja - Danny Pflughoeft
  • 84,206
  • 33
  • 197
  • 283
2

There are two algorithms explained in detail in the Modular multiplicative inverse Wikipedia article.

Bill the Lizard
  • 398,270
  • 210
  • 566
  • 880
0

If You need to calculate w for DSA alghoritm, you can use this:

w = s^-1 mod q

is actually

w = s^(q-2) mod q

See: http://en.wikipedia.org/wiki/Modular_multiplicative_inverse#Using_Euler.27s_theorem

tessi
  • 13,313
  • 3
  • 38
  • 50
zeykukguz
  • 1
0

I worked out a an simpler inverse function

def privateExponent(p,q,e):
    totient=(p-1)*(q-1)
    for k in range(1,e):
        if (totient*k+1) % e==0:
            return (totient*k+1)/e
    return -1 # shouldnt get here

The equation d*e=1 (mod totient) can be rewritten as d*e=1+k*totient (for some value of k) and the program just searches for first value of k which makes the equation divisible by e (the public exponent). This will work if e is small (as is usually recommended).

We can move all the bignum operations out of the loop to improve its performance. 

def privateExponent(p,q,e):
    totient=(p-1)*(q-1)
    t_mod_e=totient % e
    k=0
    total=1
    while total!=0:
        k+=1
        total=(total+t_mod_e) % e
    return (k*totient+1)/e

It turns out that for e=3, we don't really have to search as the answer is always 2*((p-1)*(q-1)+1)/3

paperhorse
  • 4,095
  • 2
  • 22
  • 12