Generating RSA Encryption and Decryption Exponents

that is, d is e−1 (the inverse of e) in Zφ(n). We now turn to the question of how Alice chooses e and d to satisfy (1). One way she can do this is to choose a random integer e ∈ Zφ(n) and then solve (1) for d. We will show how to solve for d in Sections 46 and 47 below. However, there is another issue, namely, how does Alice find random e ∈ Zφ(n)? If Z ∗ φ(n) is large enough, then she can just choose random elements from Zφ(n) until she encounters one that also lies in Zφ(n). A candidate element e lies in Z ∗ φ(n) if gcd(e, φ(n)) = 1, which can be computed efficiently using Algorithm 42.2 (Euclidean algorithm).1 But how large is large enough? If φ(φ(n)) (the size of Zφ(n)) is much smaller than φ(n) (the size of Zφ(n)), Alice might have to search for a long time before finding a suitable candidate for e. In general, Zm can be considerably smaller than m. For example, if m = |Zm| = 210, then |Zm| = 48. In this case, the probability that a randomly-chosen element of Zm falls in Zm is only 48/210 = 8/35 = 0.228 . . . . The following theorem provides a crude lower bound on how small Zm can be relative to the size of Zm that is nevertheless sufficient for our purposes.