Tools / RSA Calculator

RSA Calculator

Three modes in one tool. Decrypt a ciphertext when you already know p, q, e, and c. Factor from sum when the challenge leaks p + q alongside n. Generate keys from arbitrary primes to verify your understanding. All arithmetic uses JavaScript BigInt — no size limits.

p (prime)

q (prime)

n (modulus)

Optional — computed from p×q if omitted

e (public exponent)

Common values: 65537, 3, 17

c (ciphertext)

p is required; q is required; c (ciphertext) is required

How RSA works

1. Choose two large primes p and q. Compute n = p × q.

2. Compute φ(n) = (p-1)(q-1) (Euler's totient).

3. Choose public exponent e coprime to φ(n). Common: 65537.

4. Compute private key d = e⁻¹ mod φ(n) (modular inverse).

5. Encrypt: c = mᵉ mod n. Decrypt: m = cᵈ mod n.

CTF attacks exploit weak key generation: small primes, shared factors, smooth p-1 (Pollard), sum/product leaks.

Common RSA CTF attack patterns

Most RSA CTF challenges exploit weak key generation rather than breaking the underlying math:

Sum/product leak — if you know p + q and p * q, solve the quadratic x² - (p+q)x + pq = 0 (use "Factor from sum" mode).
Smooth p-1 (Pollard) — if p - 1 has only small prime factors, Pollard's p-1 algorithm factors n in seconds.
Small e with small m — if e = 3 and the message is small, m³ < n, so computing the integer cube root of c gives m directly.
Shared factor — if two public keys share a prime, GCD(n₁, n₂) reveals it.

Challenges solved with this tool: picoCTF 2022 -- Sum-O-Primes, Very Smooth, picoCTF 2023 -- SRA, picoCTF 2024 -- rsa_oracle.