How to calculate the Modular Multiplicative inverse of a number in the context of RSA encryption?
5 Answers
Direct Modular Exponentiation
The direct modular exponentiation method, as an alternative to the extended Euclidean algorithm, is as follows:
Source: http://en.wikipedia.org/wiki/Modular_multiplicative_inverse

- 66,139
- 40
- 186
- 319

- 11,678
- 12
- 45
- 60
-
1This method requires the order of the group in which you take the inverse. In the case of RSA you usually don't know this. – abc Jul 28 '10 at 09:20
-
You know it if the modulus is prime - it's P-1. For an RSA key at the time of key generation you may know it as well (P-1)*(Q-1). Once the key pairs are created, the factorization of the modulus is thrown away, as knowing the order of the group is required to create a key pair and is equivalent to finding the private key. – phkahler Jul 28 '10 at 13:47
-
Since in RSA, to find the private key you need to find the inverse of `e (mod φ(n))`, using this method requires you to calculate `φ(φ(n))`, which is equivalent to factoring `φ(n)`. So, @abc is right: you can't use this method; I did not even think about this earlier. – BlueRaja - Danny Pflughoeft Jul 28 '10 at 21:23
-
It's easy to compute phi(phi(n)) if the RSA primes are safe primes. See my comment to http://stackoverflow.com/questions/3209665/for-rsa-how-do-i-calculate-the-secret-exponent/3209797#3209797. But it's just fun to think about and tinker with, the extended euclidean algorithm always works fast. – President James K. Polk Jul 29 '10 at 00:03
Use the Extended Euclidean Algorithm, which is significantly faster than direct modular exponentiation in practice.

- 84,206
- 33
- 197
- 283
There are two algorithms explained in detail in the Modular multiplicative inverse Wikipedia article.

- 398,270
- 210
- 566
- 880
If You need to calculate w
for DSA alghoritm, you can use this:
w = s^-1 mod q
is actually
w = s^(q-2) mod q
See: http://en.wikipedia.org/wiki/Modular_multiplicative_inverse#Using_Euler.27s_theorem
I worked out a an simpler inverse function
def privateExponent(p,q,e):
totient=(p-1)*(q-1)
for k in range(1,e):
if (totient*k+1) % e==0:
return (totient*k+1)/e
return -1 # shouldnt get here
The equation d*e=1 (mod totient) can be rewritten as d*e=1+k*totient (for some value of k) and the program just searches for first value of k which makes the equation divisible by e (the public exponent). This will work if e is small (as is usually recommended).
We can move all the bignum operations out of the loop to improve its performance.
def privateExponent(p,q,e):
totient=(p-1)*(q-1)
t_mod_e=totient % e
k=0
total=1
while total!=0:
k+=1
total=(total+t_mod_e) % e
return (k*totient+1)/e
It turns out that for e=3, we don't really have to search as the answer is always 2*((p-1)*(q-1)+1)/3

- 4,095
- 2
- 22
- 12