## Wiener's Attack

If d is smaller than $ 2^{n/4}  $, then we can recover p,q.

In [None]:
p = random_prime(2**1024)
q = random_prime(2**1024)

n = p * q

phi = (p - 1)*(q - 1)

bound = 2 ** (n.bit_length() // 4)



# generating d to be a prime, so that it is guaranteed that there's an inverse
# any coprime to phi can be used
# in any case, this doesn't affect numberical results

d = random_prime(int(1/3 * bound)) 

print(d)


e = pow(d, -1, phi)


print(f'{e=}')
print(f'{n=}')


980972594607049419090084727674203183864083454657639314448107928477932285407921829564520822577302195151686128060902417155287678351314782601135083907823439
e=17931431110310553396630139436583239846178260308255820510362253865033664658810485937574873717820617628876613416952616234330684477394465249160813191432205952133554399264626459235946469674807799570218444443448229023457505647105581879773335447654664882710085295175234889104056361733517946510541468490969388718146224229059554423970276304210400789532835190126423910576371134137193630572923744624429622232138100982897926195598675344466195691539489217467421352071893562253337287534206890382572917987442158757969072921801002687066707182416421731711848429812497356770275172468482022251067051168830176632721510490872995980599087
n=24130204414436259990192282489444520782802176237400536195755773511070327259243687838351076913616599857301324625245869941371571661238880226902963973627587535055489540547683627076375526084093379219156928507630968995574373183912

Because $k < d < 1/3*N^{1/4}$

$ \big| \dfrac{e}{N} - \dfrac{k}{d} \big| \leq \dfrac{1}{dN^{1/4}} < \dfrac{1}{2d^2} $

Note, $d$ is the private exponent, and $k$ is derived from the relation $ ed = 1 + kφ(N) $


As stated in the paper, all fractions of this form are obtained as convergents of the continued fraction expansion of $ \dfrac{e}{N} $

https://math.stackexchange.com/a/2698953    
https://en.wikipedia.org/wiki/Wiener%27s_attack#Example

In [69]:
def continued_fraq(num, denom):
    decomp = []
    
    while num > 1:
        decomp.append(num // denom)
        
        num, denom = denom, num % denom
        
    return decomp
              

e1 = 17993 #test vars from wikipedia
n1 = 90581
    
    
decomp = continued_fraq(e, n)
print(decomp)



[0, 1, 2, 1, 8, 3, 10, 2, 3, 1, 7, 6, 1, 280, 1, 2, 2, 1, 2, 2, 1, 7, 2, 1, 1, 12, 1, 6, 1, 2, 1, 2, 1, 1, 3, 1, 1, 1, 1, 8, 2, 7, 1, 1, 3, 1, 1, 1, 3, 1, 1, 1, 9, 1, 3, 4, 1, 6, 1, 82, 1, 209, 80, 1, 6, 1, 13, 1, 6, 4, 1, 18, 2, 1, 1, 1, 1, 2, 1, 1, 2, 6, 6, 2, 81, 2, 8, 1, 3, 1, 3, 1, 5, 1, 3, 1, 4, 1, 229, 1, 5, 3, 2, 6, 1, 29, 1, 22, 1, 1, 2, 10, 3, 1, 27, 2, 3, 1, 2, 1, 3, 1, 1, 46, 1, 19, 2, 1, 1, 1, 16, 1, 25, 2, 5, 66, 1, 1, 1, 1, 1, 1, 1, 1, 1, 4, 2, 4, 6, 2, 3, 2, 2, 1, 2, 1, 2, 1, 1, 1, 1, 23, 4, 25, 1, 2, 1, 45, 1, 2, 6, 1, 27, 1, 2, 20, 3, 1, 1, 1, 1, 2, 1, 3, 2, 68, 1, 2, 2, 1, 3, 40, 1, 30, 2, 2, 2, 1, 1, 3, 1, 2, 16, 3, 3, 3, 1, 3, 1, 2, 1, 35, 2, 1, 2, 5, 2, 2, 1, 11, 3, 4, 3, 1, 10, 4, 1, 9, 5, 15, 1, 59, 1, 2, 1, 1, 2, 111, 1, 3, 2, 1, 17, 1, 3, 6, 1, 1, 2, 1, 1, 4, 78, 2, 6, 2, 1, 1, 4, 2, 280, 3, 2, 7, 1, 2, 2, 1, 1, 1, 24, 1, 1, 2, 4, 1, 5, 1, 1, 1, 1, 1, 1, 19, 2, 25, 1, 12, 6, 1, 2, 1, 27, 1, 1, 2, 1, 1, 3, 1, 7, 1, 102, 1, 107, 1, 1, 1, 1, 2, 11, 5, 4, 2885, 1,

In [70]:
from math import gcd

def calc_fraq(decomp):
    
    if len(decomp) == 1:
        return decomp[0]
    
    decomp = decomp[::-1]
    
    nom, denom = decomp[0], 1
    
    for idx in range(len(decomp) - 1):
        #reverse 
        nom, denom = denom, nom
        
        #add nxt
        nom = nom + decomp[idx + 1] * denom
        
    
    return (nom, denom)
    


def calc_convergents(decomp):
    convergents = []
    

    #building all i-th fractions separately
    #runs in O(n^2), where n is log2(N), still negligible complexity.
    for i in range(len(decomp)):
        convergents.append(calc_fraq(decomp[:i + 1]))
    

    return convergents



# decomp = continued_fraq(e, n)

convergents = calc_convergents(decomp)
        
print(convergents)

[0, (1, 1), (2, 3), (3, 4), (26, 35), (81, 109), (836, 1125), (1753, 2359), (6095, 8202), (7848, 10561), (61031, 82129), (374034, 503335), (435065, 585464), (122192234, 164433255), (122627299, 165018719), (367446832, 494470693), (857520963, 1153960105), (1224967795, 1648430798), (3307456553, 4450821701), (7839880901, 10550074200), (11147337454, 15000895901), (85871243079, 115556345507), (182889823612, 246113586915), (268761066691, 361669932422), (451650890303, 607783519337), (5688571750327, 7655072164466), (6140222640630, 8262855683803), (42529907594107, 57232206267284), (48670130234737, 65495061951087), (139870168063581, 188222330169458), (188540298298318, 253717392120545), (516950764660217, 695657114410548), (705491062958535, 949374506531093), (1222441827618752, 1645031620941641), (4372816545814791, 5884469369356016), (5595258373433543, 7529500990297657), (9968074919248334, 13413970359653673), (15563333292681877, 20943471349951330), (25531408211930211, 34357441709605003), (2198145989


Having the continued fractions expansion of $ \dfrac{e}{N} $, we can recover p and q: 

$ φ(N) = \dfrac{ed - 1}{k} $

But since p, q primes, we can solve the following system

$\begin{cases}
φ(N) = (p - 1)(q - 1) = N - p - q + 1\\
N = pq
\end{cases}$



In [71]:
#we can use sage to solve this as a 2nd degree equation equation
#Develop a proof-of-concept that doesn't use sage, but rather Fact 1 from page 3 of 20 years of RSA (ToDo-completed)
#Alternatively we can use the code from Recover_p_q 
p = q = -1

for k, d in convergents[1:]:
    phi = (e*d - 1) // k
    R.<x> = PolynomialRing(ZZ)
    Eq = x^2 - (n - phi + 1)*x + n
    
    primes = Eq.roots()
    if not primes:
        continue
    print('[+]Found factorisation of n')
    p, q = [i[0] for i in primes]
    assert p * q == n

phi = (p - 1)*(q - 1)
d = pow(e, -1, phi)

print(f'{p = }\n{q = }\n{phi = }\n{d = }')
    
    

[+]Found factorisation of n
p = 157236082276278651339884845838553854547671489551652965930930155994002531095235335625603536464253481412219771121644288735800268997903998411062580286011929170033496104772684547371862332405816275701942432161115368703196835105587594553433383299478451586465143276066874708266811772269461820109705658209684556084657
q = 153464803148918523345475879962019476363105334450451581225662114813883010339423122591695229747548333102236443454457679411114304013849957528478451819992248134567472548180665192401539778976912534184963941839382316676144578609999305372513059286284585028288287083697475541015936587856847374309568412151340189058393
phi = 24130204414436259990192282489444520782802176237400536195755773511070327259243687838351076913616599857301324625245869941371571661238880226902963973627587535055489540547683627076375526084093379219156928507630968995574373183912947950051465972040057029559768038217342348746071698914840700848897537247950393273035868372253102687019506064586467