
In an RSA-encryption scenario, Bob's public key pair $(n, e)$ is $(143, 43)$. An attacker Mallory tries brute-force and comes to $d = 7$ as the private key.

The value of $φ(143) = 120$ is not known to Mallory.

However, from $43 \cdot d \equiv 1 \pmod{120}$, one can calculate the first positive element $d = 67$ of the congruence class $d = 67 + 120n$, $n \in \mathbb{Z}$.

$d = 7$ clearly doesn't fit in that congruence class, so how come it can successfully decrypt the encryption?

fgrieu
user86295

2 Answers


This question can be summarized: the attacker found a $d$ that did not satisfy $e \cdot d \equiv 1 \pmod{ \phi(n) }$, but it works; what's going on?

It turns out that $e \cdot d \equiv 1 \pmod{ \phi(n) }$ is not necessary (it is sufficient).

The necessary and sufficient conditions are:

$$e \cdot d \equiv 1 \pmod{p-1}$$ $$e \cdot d \equiv 1 \pmod{q-1}$$

If both of these hold, then $d$ will always work [1]; conversely if $d$ always works, then both of these hold.

These two conditions can be summarized as a single relation:

$$e \cdot d \equiv 1 \pmod{\text{lcm}(p-1, q-1)}$$

This $\text{lcm}(p-1, q-1)$ modulus is known as the Carmichael function of $n$.

In the specific example you have, $\text{lcm}(p-1, q-1) = 60$, and we have $7 \cdot 43 \equiv 1 \pmod{60}$, and hence $d = 7$ works.


[1]: Assuming $p, q$ are distinct primes.

poncho
  • Consequently, we want to avoid simple relations between $p$ and $q$. For example if $q=3p-2$ then $\operatorname{lcm}(p-1,q-1)=p-1\ll \phi(n)$. (And apart from that, such bad choices of primes are also easily factored with standard algorithms) – Hagen von Eitzen Jan 18 '21 at 12:20

The RSA private key can be found in two ways, with $n = p\cdot q$, $p = 11$ and $q = 13$:

  1. If Euler's totient function is used, as in the RSA paper: $$\varphi(n)= (p-1)(q-1) = 120$$ then
    • $d = 67 = e^{-1} \bmod 120$
  2. If the Carmichael function is used, as required in FIPS 180.4 and allowed in PKCS#1 v2.2: $$\lambda(n) = \text{LCM}(p-1,q-1) = 60$$ then
    • $d= 7 = e^{-1} \bmod 60$

Both are valid, and the Carmichael function always provides the smallest $d$. The easy relation between the two is that $\lambda(n)| \varphi(n)$. Therefore this indicates that in some setups we can have more than one valid private key, each of them $\leq \varphi(n)$. Actually, in the two distinct prime case we have the relation:

$$\varphi(n) = \lambda(n) \cdot \gcd(p-1,q-1).$$ This is due to the fact that $$a \cdot b = \operatorname{lcm}(a,b) \times \gcd(a,b) $$

Since RSA primes are distinct odd primes $p$ and $q$, $\gcd(p-1,q-1) \geq 2$, and this implies that there are always at least two $d$ in the range $[1,\varphi(n)]$ and $\lambda(n) \neq \varphi(n)$.

This is your case and you have the $\varphi(n)$ and the attacker has $\lambda(n)$.


The PKCS#1 standard requires the Carmichael function to be used for the calculation of $d$. The original RSA paper used Euler's totient function. Using a shorter $d$ decreases the signing time and the decryption time.


Carmichael function: For a positive integer $n$, $\lambda(n)$ is defined to be the smallest positive integer $k$ such that $$a^k \equiv 1 \pmod n$$ for all $a$ such that $\gcd(a,n)=1$.


Little proof of $\lambda(n)| \varphi(n)$:

The proof relies on the exponent definition of group theory.

Let $G$ be a group; then the non-negative generator of the ideal $\{z \in \mathbb{Z}: \forall g \in G (g^z=1)\}$ is called the exponent of the group $G$. For finite groups, like the RSA groups, it is finite and positive, and it is then the smallest positive natural number $z$ such that $g^z=1$ for all $g \in G$.

The exponent of any finite group must divide the order of the group. $\lambda(n)$ is the exponent by the definition and the order of the group is $\varphi(n)$ also by definition. This clearly implies $\lambda(n)| \varphi(n)$.


Example with more than 2 private keys:

  • $n = 6901$
  • factors $6901 = 103 \cdot 67$, $p=103,q=67$
  • $\varphi(n) = 6732$
  • $\lambda(n) = 1122$
  • $e = 43$
  • $g =\gcd(p-1,q-1)=6$
  • inverse of $e$ modulo $\varphi(n)$: $d = 5323$
  • inverse of $e$ modulo $\lambda(n)$: $d' = 835$

Now all $d+k\cdot \lambda(n)$ are valid private keys, where $k \in [0,g]$; listing:

  1. 835
  2. 1957
  3. 3079
  4. 4201
  5. 5323
  6. 6445

SageMath code to find the above example:

    p = random_prime(200, lbound=2)  # random prime in [2, 200]; Sage's lower bound is the keyword lbound (the example primes 103 and 67 came from this range)
    q = random_prime(200, lbound=2)
    n = p*q
    e = 43
    print("n = ", n)
    print("factors %s = " % n, factor(n))

    phi = (p-1)*(q-1)  # or call euler_phi(n)
    print("phi = ", phi)

    if gcd(e, phi) != 1:  # e must be invertible modulo phi(n); otherwise pick other primes
        print(gcd(e, phi))

    lmd = lcm(p-1, q-1)  # or call carmichael_lambda(n)
    print("lambda = ", lmd)

    print("gcd(%s,%s) = " % (p-1, q-1), gcd(p-1, q-1))

    print("inverse of %s by phi " % e, inverse_mod(e, phi))
    print("inverse of %s by lambda" % e, inverse_mod(e, lmd))

    d = inverse_mod(e, lmd)

    # every d + k*lambda(n) with 0 <= k < gcd(p-1, q-1) is a valid private exponent below phi(n)
    for k in range(gcd(p-1, q-1)):
        print(d + k*lmd)

kelalaka
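A worked check of both answers above (poncho's condition modulo $p-1$ and $q-1$, and kelalaka's family $d + k\cdot\lambda(n)$), as an added Python example that is not part of either answer; the function names are my own, and the brute-force check runs over every residue mod $n$, not just the coprime ones:

```python
from math import gcd

def carmichael_two_primes(p, q):
    # lambda(n) = lcm(p-1, q-1), via the identity a*b = lcm(a,b)*gcd(a,b) used in the answer
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def satisfies_prime_conditions(p, q, e, d):
    # the necessary-and-sufficient pair: e*d = 1 (mod p-1) and e*d = 1 (mod q-1)
    return (e * d) % (p - 1) == 1 and (e * d) % (q - 1) == 1

def valid_private_exponents(p, q, e):
    # all d below phi(n) with e*d = 1 (mod lambda(n)): d0 + k*lambda(n), 0 <= k < gcd(p-1, q-1)
    lam = carmichael_two_primes(p, q)
    d0 = pow(e, -1, lam)  # modular inverse (Python 3.8+)
    return [d0 + k * lam for k in range(gcd(p - 1, q - 1))]

def decrypts_everything(n, e, d):
    # brute-force: does (m^e)^d = m hold for every residue, including those not coprime to n?
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))

def question_check():
    # the question's parameters: n = 11*13 = 143, e = 43
    p, q, e = 11, 13, 43
    n = p * q
    phi = (p - 1) * (q - 1)
    lam = carmichael_two_primes(p, q)
    d_phi = pow(e, -1, phi)  # Bob's d, computed from phi(n)
    d_lam = pow(e, -1, lam)  # Mallory's d, which only satisfies the lambda(n) condition
    return {
        "phi": phi,
        "lambda": lam,
        "d_phi": d_phi,
        "d_lambda": d_lam,
        "both_work": decrypts_everything(n, e, d_phi) and decrypts_everything(n, e, d_lam),
        "all_valid": valid_private_exponents(p, q, e),
    }

if __name__ == "__main__":
    print(question_check())
    print(valid_private_exponents(103, 67, 43))  # the n = 6901 example
```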
  • The PKCS#1 standard does not require that the Carmichael function $\lambda$ be used for the calculation of $d$. It allows it, and allows any $d$ with $e \cdot d\equiv1\pmod{\lambda(N)}$ and $0<d<p$. AFAIK, only FIPS 186-4 requires use of $\lambda$, leading to a single $d$. – fgrieu Jan 18 '21 at 11:17
  • @fgrieu both FIPS 186-4 and PKCS#1 v2.2 only mentions $\lambda$. – kelalaka Jan 18 '21 at 11:28
  • @kelalaka Yes. But FIPS 186-4 (B.3.1. step 3.a) requires $d=e^{-1}\bmod{\lambda(N)}$, thus $d<\lambda(N)$ (and $2^{\left\lceil\log_2(N)\right\rceil/2}<d<\lambda(N)$ in step 3.b), thus uniquely defines $d$, and requires computing $\lambda(N)$. While PKCS#1 requires $d\equiv e^{-1}\pmod{\lambda(N)}$ and $0<d<n$, thus does not require computing $\lambda(N)$ since we can get away with $d\gets d=e^{-1}\bmod{\varphi(N)}$. That's a common way to compute $d$, is PKCS#1 conformant since $d\equiv e^{-1}\bmod{\varphi(N)}\implies d\equiv e^{-1}\bmod{\lambda(N)}$, but often is not FIPS 186-4 conformant. – fgrieu Jan 18 '21 at 14:27
  • @fgrieu I see, the boundary makes the allowance. Thanks. – kelalaka Jan 18 '21 at 14:34