RSA Calculator
Enter two prime numbers p and q to generate an RSA key pair. The calculator finds n, Carmichael's lambda, the public exponent e, and the private key d. You can then encrypt a numeric message with the public key and decrypt it with the private key, with every step of the modular arithmetic shown.
Formula
Worked example
Let p = 61, q = 53. Then n = 3233 and lambda(n) = lcm(60, 52) = 780. Choose e = 17; then d = 17^-1 mod 780 = 413. To encrypt M = 42: C = 42^17 mod 3233 = 2557. To decrypt: M = 2557^413 mod 3233 = 42.
What is RSA?
RSA is a public-key cryptographic algorithm invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. It is the most widely deployed asymmetric cipher in the world, securing HTTPS connections, email signing, SSH authentication, and digital certificates every day. The core idea is elegant: anyone can encrypt a message using a publicly shared key, but only the holder of the corresponding private key can decrypt it. The security rests on the practical impossibility of factoring the product of two large prime numbers in a useful amount of time.
How does the RSA algorithm work?
RSA has three phases.
Key generation: choose two distinct primes p and q, compute n = p x q (the modulus), then compute Carmichael's lambda(n) = lcm(p-1, q-1). Pick a public exponent e that is coprime with lambda(n); 65537 is the universal standard. Compute the private key d as the modular inverse of e modulo lambda(n), meaning e x d = 1 mod lambda(n). The public key is the pair (n, e) and the private key is the pair (n, d).
Encryption: the sender computes C = M^e mod n, where M is the numeric plaintext. Only values of M smaller than n can be encrypted directly.
Decryption: the recipient computes M = C^d mod n to recover the original message. This works because of Euler's theorem: (M^e)^d = M^(e x d) = M^(1 + k x lambda(n)) = M for any integer k, provided gcd(M, n) = 1.
Why use Carmichael's lambda instead of Euler's phi?
Older descriptions of RSA use Euler's totient function phi(n) = (p-1)(q-1). Carmichael's lambda(n) = lcm(p-1, q-1) always divides phi(n) and is often smaller, which makes the private key d smaller and decryption faster without reducing security. Both choices produce a valid RSA system; the PKCS#1 and RFC 8017 standards now recommend using lambda(n). The correctness guarantee is the same: e x d = 1 mod lambda(n) ensures that (M^e)^d = M mod n for all valid messages M.
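The three phases and the lambda-versus-phi comparison above, as an added Python example (not the calculator's own code). It uses the page's p = 61, q = 53, e = 17; the function names are illustrative, and the final check goes beyond the text by testing every M below n, including multiples of p or q.

```python
from math import gcd

def keygen(p, q, e, use_phi=False):
    """Return (n, e, d) for distinct primes p and q (primality is assumed, not tested)."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    phi = (p - 1) * (q - 1)                  # Euler's totient phi(n)
    lam = phi // gcd(p - 1, q - 1)           # lcm(p-1, q-1), Carmichael's lambda(n)
    modulus = phi if use_phi else lam
    if gcd(e, modulus) != 1:
        raise ValueError(f"e={e} is not coprime with {modulus}")
    d = pow(e, -1, modulus)                  # modular inverse (Python 3.8+)
    return n, e, d

def encrypt(m, n, e):
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)

def decrypt(c, n, d):
    return pow(c, d, n)

def roundtrip_failures(n, e, d):
    """Count the messages M in [0, n) that do not survive encrypt-then-decrypt."""
    return sum(1 for m in range(n) if decrypt(encrypt(m, n, e), n, d) != m)

if __name__ == "__main__":
    n, e, d_lam = keygen(61, 53, 17)                  # d from lambda(n) = 780
    _, _, d_phi = keygen(61, 53, 17, use_phi=True)    # d from phi(n) = 3120
    c = encrypt(42, n, e)
    print(f"n={n}  d(lambda)={d_lam}  d(phi)={d_phi}")
    print(f"C={c}  M via d(lambda)={decrypt(c, n, d_lam)}  M via d(phi)={decrypt(c, n, d_phi)}")
    print("round-trip failures:", roundtrip_failures(n, e, d_lam),
          roundtrip_failures(n, e, d_phi))
```

Both private exponents decrypt every message below n; the lambda-derived one is simply the phi-derived one reduced modulo lambda(n).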
Educational vs. real-world RSA
This calculator uses small primes to make the arithmetic visible and verifiable by hand. In production, RSA key sizes are at least 2048 bits, meaning p and q are each around 600 decimal digits long - far beyond hand calculation. Generating secure RSA keys also requires cryptographically random prime selection, which prevents attackers from guessing the factors. Real RSA implementations also apply padding schemes such as OAEP (Optimal Asymmetric Encryption Padding) defined in PKCS#1 v2.2; encrypting a raw number without padding, as shown here, is insecure for real data because it leaks structure. Use this tool to understand how the algorithm works; use a vetted cryptographic library for real applications.
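What "leaks structure" means for unpadded RSA, as an added Python example (not the calculator's own code). It uses the public key from the page's worked example; the sample records and function names are constructed for illustration.

```python
N, E = 3233, 17          # public key (n, e) from the page's worked example

def raw_encrypt(m):
    """Textbook RSA: no padding and no randomness."""
    return pow(m, E, N)

def equality_pattern(values):
    """Map each value to the index of its first occurrence, e.g. [9, 4, 9] -> [0, 1, 0]."""
    first_seen = {}
    return [first_seen.setdefault(v, i) for i, v in enumerate(values)]

def unchanged_messages():
    """Messages whose ciphertext is identical to the plaintext."""
    return [m for m in range(N) if raw_encrypt(m) == m]

def is_multiplicative(a, b):
    """True when E(a) * E(b) mod n equals E(a * b mod n)."""
    return raw_encrypt(a) * raw_encrypt(b) % N == raw_encrypt(a * b % N)

# Constructed sample: five records, three of which hold the same value.
SAMPLE = [42, 7, 42, 1000, 42]

if __name__ == "__main__":
    ciphertexts = [raw_encrypt(m) for m in SAMPLE]
    # Deterministic: repeated plaintexts show up as repeated ciphertexts.
    print("plaintext pattern :", equality_pattern(SAMPLE))
    print("ciphertext pattern:", equality_pattern(ciphertexts))
    # Some messages are not hidden at all under this key.
    print("messages that encrypt to themselves:", len(unchanged_messages()))
    # Ciphertexts can be combined without knowing the private key.
    print("E(6) * E(7) == E(42):", is_multiplicative(6, 7))
```

Randomized padding such as OAEP removes all three properties, which is why production libraries never expose the raw operation as the default.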
Common RSA public exponents
| Exponent e | Binary form | Use case | Security note |
|---|---|---|---|
| 3 | 11 | Legacy / research | Fast but vulnerable to certain attacks if padding is omitted |
| 5 | 101 | Research | Rarely used in production |
| 17 | 10001 | Some embedded systems | Limited practical use today |
| 257 | 100000001 | Research | Fermat prime F3, seldom deployed |
| 65537 | 10000000000000001 | Production standard | Fermat prime F4 - balanced speed and security |
Standard choices for the public exponent e in RSA key generation. Larger Fermat primes are preferred in practice.
Frequently asked questions
What does RSA stand for?
RSA stands for Rivest-Shamir-Adleman, the surnames of the three MIT researchers who published the algorithm in 1977. Ron Rivest, Adi Shamir, and Leonard Adleman each contributed to the mathematical construction. The same scheme was independently discovered by British mathematician Clifford Cocks at GCHQ in 1973, but that discovery was classified for 24 years.
Why must p and q be prime?
Primality guarantees that lambda(n) = lcm(p-1, q-1) and the modular inverse d can be computed cleanly. If either factor were composite, the key-generation math would break down and the decryption identity (M^e)^d = M mod n would no longer hold for all messages. The security of RSA also depends on the difficulty of factoring n back into p and q; using primes with no small factors and other properties (safe primes, for example) makes factoring as hard as possible.
Why is 65537 the standard public exponent?
65537 (written as 2^16 + 1) is a Fermat prime with a binary representation of exactly two 1-bits (1 followed by sixteen 0s and a 1). That structure makes modular exponentiation during encryption very fast because the square-and-multiply algorithm needs only 16 squarings and 1 multiplication. It is large enough to avoid the small-exponent attacks that affect e = 3 while remaining efficient. The PKCS#1 standard and virtually every TLS certificate use e = 65537.
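The operation count claimed above, measured with an added Python example (not the calculator's own code). It implements left-to-right square-and-multiply and counts the work for each exponent in the table; the default base and modulus are the page's M = 42 and n = 3233, and 131071 is a constructed contrast value with all seventeen bits set.

```python
def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation.

    Returns (result, squarings, multiplications).
    """
    if exponent < 1:
        raise ValueError("exponent must be positive")
    bits = bin(exponent)[2:]
    result = base % modulus              # accounts for the leading 1-bit
    squarings = multiplications = 0
    for bit in bits[1:]:
        result = (result * result) % modulus      # one squaring per remaining bit
        squarings += 1
        if bit == "1":
            result = (result * base) % modulus    # one multiplication per extra 1-bit
            multiplications += 1
    return result, squarings, multiplications

def operation_counts(exponents, base=42, modulus=3233):
    """Map each exponent to (squarings, multiplications)."""
    return {e: square_and_multiply(base, e, modulus)[1:] for e in exponents}

if __name__ == "__main__":
    # Table exponents, the page's private exponent d = 413, and the contrast value.
    for e, (sq, mul) in operation_counts([3, 5, 17, 257, 65537, 413, 131071]).items():
        print(f"exp={e:>6}  bits={bin(e)[2:]:>17}  squarings={sq:>2}  multiplications={mul:>2}")
```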
What does the modular inverse mean?
The modular inverse of e modulo lambda(n) is a number d such that e x d leaves a remainder of 1 when divided by lambda(n). It is found with the extended Euclidean algorithm, the same algorithm used to find greatest common divisors. The inverse exists only when gcd(e, lambda(n)) = 1, which is why e must be coprime with lambda(n). You can think of d as the 'multiplicative undo' of e in the arithmetic world of integers modulo lambda(n).
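The extended Euclidean algorithm described above, as an added Python example (not the calculator's own code). It computes d for each exponent in the table against the page's lambda(n) = 780 and reports the exponents that have no inverse; the function names are illustrative.

```python
def extended_gcd(a, b):
    """Return (g, x, y, steps) with a*x + b*y == g == gcd(a, b).

    steps lists each division as (dividend, divisor, quotient).
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    steps = []
    while r != 0:
        q = old_r // r
        steps.append((old_r, r, q))
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y, steps

def mod_inverse(e, m):
    """Return d in [0, m) with e*d == 1 (mod m), or None when gcd(e, m) != 1."""
    g, x, _, _ = extended_gcd(e, m)
    if g != 1:
        return None
    return x % m                 # x may be negative; reduce into [0, m)

def private_exponents(exponents, lam=780):
    """Map each candidate e to its d modulo lam (None where e is not usable)."""
    return {e: mod_inverse(e, lam) for e in exponents}

if __name__ == "__main__":
    for e, d in private_exponents([3, 5, 17, 257, 65537]).items():
        g, _, _, steps = extended_gcd(e, 780)
        status = f"d = {d}" if d is not None else f"no inverse, gcd = {g}"
        print(f"e = {e:>5}: {status} ({len(steps)} division steps)")
```

With p = 61 and q = 53, the exponents 3 and 5 are rejected because both divide p - 1 = 60, which is the coprimality condition from the text failing in practice.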
Can I use this calculator for real encryption?
No. RSA with the small primes used here is trivially breakable because any computer can factor a four-digit n in microseconds. Real RSA uses 2048-to-4096-bit keys (roughly 600 to 1200 decimal digit primes), strong random prime generation, and OAEP padding. This tool is designed to make the mathematics of RSA transparent, not to protect actual data. For real security, use a vetted cryptographic library such as OpenSSL, libsodium, or the Crypto API built into your operating system or browser.
What is the relationship between encryption and decryption in RSA?
RSA is symmetric in a mathematical sense: encrypting with d and decrypting with e also works. This is exploited in digital signatures - a sender 'signs' a message by encrypting its hash with their private key d. Anyone with the public key e can then verify the signature by decrypting and checking the hash matches. The public key encrypts, the private key decrypts; or the private key signs, the public key verifies.