RSA - Calculating d

Question

I'm trying to calculate d, given p=163, q=311, e=101, n=50693, φ(n)=50220

The below is my current effort - how do I calculate d from this? I'm struggling with this part - can someone point me in the right direction?

ed mod φ(n) =1

101d mod 50220 = 1

50220 = 497(101) + 23

101 = 4(23) + 9

23 = 2(9) + 5

9 = 1(5) + 4

5 = 1(4) + 1

Back substitution:

1 = 5 - 1(4)

1 = 5 - 1(9 - 1(5))

1 = 1(5) - 1(9 - 1(5))

1 = 2(5) - 1(9)

1 = 2(23-2(9)) - 1(9)

1 = 2(23-2(9)) - 1(101-4(23))

This is essentially a duplicate of that question, with larger numbers. My recommendation is to use the half-extended Euclidean algorithm, it is easier to get right. — fgrieu, May 21 '18 at 19:51
I'm struggling with the back substitution and how that generates d. I understand at some point I am supposed to get a value and subtract it from the totient, but I don't get which value that is? — , May 21 '18 at 19:54

score 2 · Accepted Answer · edited May 22 '18 at 07:33

You don't really need the backsubstitution:

write $$50220 = 0 \cdot 101 + 1\cdot 50220\tag{1}\label{eq1}$$ $$101 = 1\cdot 101 + 0\cdot 50220\tag{2}\label{eq2}$$

as the first two equations, that trivially hold. Then $101$ divides $50220$ $497$ times with remainder $23$ so multiply the second equation by $497$:

$$50160 = 497\cdot 101 + 0\cdot 50220$$ and substract it from the $\eqref{eq1}$ to get (just looking at the coefficients of $101$ and $50220$:

$$23 = -497 \cdot 101 + 1\cdot 50220\tag{3}\label{eq3}$$

$60$ only divides $101$ $4$ times, so $\eqref{eq2}$ minus $4$ times equation $\eqref{eq3}$ yields:

$$9 = 1989\cdot 101 + (-4)\cdot 50220\tag{4}\label{eq4}$$

Now $9$ divides $23$ twice, so we substract $2$ times $\eqref{eq4}$ from $\eqref{eq3}$:

$$5 = -4475 \cdot 101 + 9\cdot 50220\tag{5}\label{eq5}$$

Now $5$ divides $49$ once, so compute $\eqref{eq4}-\eqref{eq5}$:

$$4 = 6464 \cdot 101 + (-13)\cdot 50220\tag{6}\label{eq6}$$

And then finally $\eqref{eq5}$ minus $\eqref{eq6}$ yields:

$$1 = -10939\cdot 101 + 22\cdot 50220\tag{7}\label{eq7}$$

(which you can just check, as all intermediate stages, using a simple calculator), and so an inverse of $101$ modulo $50220$ is $-10939$ which, reduced modulo $50220$, yields $d=39281$.

Note that the left hand numbers are just the intermediate stages of the Euclidean algorithm, that you had. You just have to track along the equations as I did to get the final Bézout identity.

That's the extended Euclidean algorithm, linearized by re-assembling intermediary results as the algorithm progresses (the question attempts using a recursive form, assembling earlier results only after computing the GCD). It computes both Bézout coefficients −10939 and 22, and uses the appropriate one. Practical computer implementations can use the half extended Euclidean algorithm; it is also non-recursive, computes only the desired coefficient, and sticks to non-negative integers. — fgrieu, May 22 '18 at 07:35
@fgrieu This is the method I was taught in my first year algebra course, and I found that for hand computations, I can easily remember it and I make fewer mistakes then with the OP's method. — Henno Brandsma, May 22 '18 at 20:53
Yes, the linear EEA (generally designated by EEA with no other indication) is in general preferable to the recursive EEA, which performs backtracking only in the end (exceptions: when inverse is only wanted for GCD=1; when studying recursion). It allows checking earlier results. It requires finitely many variables. And it gives both Bézout coefficients, which sometime is useful. For computing the modular inverse and when performance matters, it can be simplified to the HEEA, which essentially computes only the desired coefficient; that's also is doable by hand with self-check. — fgrieu, May 23 '18 at 05:02

RSA - Calculating d

1 Answers1