F.2 Public and secret RSA operations


The public and secret RSA operations can take as input any integer m that satisfies the condition 0 ≤ m ≤ n − 1. The results produced by either operation remain in the same range as m.

  • The public RSA operation is computed with the public key (n, e) on the number m, using the formula P(n, e)[m] = m^e mod n. The sign "^" stands for modular exponentiation.

  • The secret RSA operation is computed with the private key (n, d) on the number m, using the formula S(n, d)[m] = m^d mod n.

It is shown in [1] that the two operations are inverses of each other (i.e., P(n, e)[S(n, d)[m]] = m) for all numbers m in the range [0, n − 1].

Using various operation modes, RSA can be used as an asymmetric encryption algorithm for secret key distribution (see Appendix D, Section D.1) or as a digital signature scheme (see Appendix D, Section D.3). When referring to the communicating parties A and B in Figure B.1, assume that:

  • A is the sender of an encrypted message to the receiver B. To this end B has generated the RSA key pair consisting of a private decryption key KD_B = (n_E, d_E) and the corresponding public encryption key KE_B = (n_E, e_E). A has an authentic copy of this public encryption key, which could have been delivered as a public key certificate by a CA that is accepted by both A and B (see Appendix D, Section D.4).

  • A is the signer of a message while B is the verifier of the signature generated by A on that message. To this end A has generated the RSA key pair consisting of a private signing key KS_A = (n_S, d_S) and the corresponding public verification key KV_A = (n_S, e_S). B has an authentic copy of this public verification key, which could have been delivered as a public key certificate by a CA that is accepted by both A and B.

The public RSA operation represents an encryption when the public exponent e and the modulus n are the components of the public encryption key KE_B = (n_E, e_E) of the receiver B, and the number m represents confidential information, like a secret session key. In this case E(KE_B)[m] = P(n_E, e_E)[m] = m^(e_E) mod n_E.

The public RSA operation represents a signature verification when the public exponent e and the modulus n are the components of the public verification key KV_A = (n_S, e_S) of the signer A. The number S represents the signature with appendix on a message M, which has to be verified. In this case Verify(KV_A)[S, M] = P(n_S, e_S)[S] = S^(e_S) mod n_S ?= R(M), where R is a suitable redundancy function. If the signature scheme offers message recovery, then Recover(KV_A)[S, M′] = P(n_S, e_S)[S] = S^(e_S) mod n_S ?= R(M_R M′), where R is a suitable redundancy function, M_R is the part of the message M that can be recovered from S, and M′ is the part of M that has to be explicitly sent by A to B such that the recover function is computable.

The secret RSA operation represents a decryption when the secret exponent d and the modulus n are the components of the private decryption key KD_B = (n_E, d_E) of the receiver B, and the number m represents a cryptogram, like a digital envelope wrapping a secret session key. In this case, D(KD_B)[m] = S(n_E, d_E)[m] = m^(d_E) mod n_E.

The secret RSA operation represents a signature generation when the secret exponent d and the modulus n are the components of the private signing key KS_A = (n_S, d_S) of the signer A, and the number m represents the message M to be signed with some redundancy. In this case, Sign(KS_A)[M] = S(n_S, d_S)[m] = m^(d_S) mod n_S.
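
The two operations and the signature-with-appendix check described above, as an added Python example that is not taken from the book. The key is constructed from two small Mersenne primes for demonstration only, and the redundancy function R (SHA-256 reduced modulo n) is a hypothetical stand-in for the "suitable redundancy function" the text leaves unspecified.

```python
import hashlib

# Constructed demo key: two Mersenne primes, far too small for real use.
p, q = 2**61 - 1, 2**89 - 1
n = p * q
e = 65537
d = pow(e, -1, (p - 1) * (q - 1))  # secret exponent (Python 3.8+)

def _check_range(m, n):
    # Both operations are only defined for integers 0 <= m <= n - 1.
    if not isinstance(m, int) or not 0 <= m <= n - 1:
        raise ValueError("input must be an integer with 0 <= m <= n - 1")

def P(n, e, m):
    """Public RSA operation P(n, e)[m] = m^e mod n."""
    _check_range(m, n)
    return pow(m, e, n)

def S(n, d, m):
    """Secret RSA operation S(n, d)[m] = m^d mod n."""
    _check_range(m, n)
    return pow(m, d, n)

def R(M, n):
    """Hypothetical redundancy function: SHA-256 of M reduced into [0, n - 1]."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % n

def sign(n, d, M):
    """Sign(KS_A)[M]: secret operation on the redundant representative of M."""
    return S(n, d, R(M, n))

def verify(n, e, sig, M):
    """Verify(KV_A)[S, M]: public operation on S, compared with R(M)."""
    try:
        return P(n, e, sig) == R(M, n)
    except ValueError:
        # A signature value outside [0, n - 1] is rejected, not reduced.
        return False
```

The same P and S serve as E(KE_B) and D(KD_B) when m is a session key rather than R(M); only the key pair and the meaning of the input change.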




Implementing Electronic Card Payment Systems (Artech House Computer Security Series)
ISBN: 1580533051
EAN: 2147483647
Year: 2003
Pages: 131
Authors: Cristian Radu
