## Fermat's factorization attack on 2048-bit RSA

In [1]:
import math
from secrets import SystemRandom
from sympy import nextprime, isprime, mod_inverse

In [2]:
def generate_two_close_primes():
    # Define the minimum gap between the two primes
    min_diff = 10**150

    # Using cryptographically secure RNG
    secure_rand = SystemRandom()

    # Generate a random number with 2048 bit length
    n = secure_rand.getrandbits(1023) | (1 << 1023) # force the first bit to 1

    # Find the next prime greater than or equal to n
    p = nextprime(n)

    # Find the next prime after (p + diff)
    q = nextprime(p + min_diff)

    # Compute the actual difference
    D = abs(p - q)

    return p, q, D

# Generate the primes
p, q, D = generate_two_close_primes()

# Print results
print("Prime 1 (p):", p)
print("Prime 2 (q):", q)
print("Difference (D):", D)
print("Bit length of p:", p.bit_length())
print("Bit length of q:", q.bit_length())


Prime 1 (p): 154686915340612135900403913752276213341022047011676436639270487550848297808739930706381975740101308756917253502761925333875518410593699974838273498796447018810742239720999333562082246128039127977142770000857339126026901479968099928077257128526072813744871771945745619459953521026415462943517663566920310446569
Prime 2 (q): 154686915340612135900403913752276213341022047011676436639270487550848297808739930706381975740101308756917253502761925333875518410593699974838273498796447018811742239720999333562082246128039127977142770000857339126026901479968099928077257128526072813744871771945745619459953521026415462943517663566920310446883
Difference (D): 1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000314
Bit length of p: 1024
Bit length of q: 1024


In [3]:
N = p * q

# Print results
print("modulus (N):", N)
print(f"Length of N: {len(str(N))}")
print("Bit Length of N:", N.bit_length())

modulus (N): 23928041777593706144005084467166588000973618970460860817356011421235306603432501925156396389492979158856274786904931375182272016203876008830964312549027873778654636955200282116869922092047381369806216027474577036614567028476641574254920332865188143530095575628638259063855855061196305084033859412730473426228489465601413442136444797359827568754324075022217051885727985036088808382899705244462964700660566099029425178012699572775889771945690744327216276388127621716862345834098529192291475974275033163485933313673248561537035566577233076412264724663645152312511046831281486344530542539609516081441439688185009684094427
Length of N: 617
Bit Length of N: 2048


In [4]:
# Checks if a number n is a perfect square. Return True if n is a perfect square, False otherwise.
def is_perfect_square(n):

    if n < 0:
        return False  # Negative numbers cannot be perfect squares in real numbers
    
    root = math.isqrt(n)
    return root * root == n # Return True or False

In [5]:
# Fermat's factorization
def fermat_factor(N):
    a = math.isqrt(N) + 1
    iters = 0

    while True:
        b2 = a * a - N

        if is_perfect_square(b2): # Check if b2 is perfect square
            b = math.isqrt(b2)
            q_found = a + b
            p_found = a - b
            return q_found, p_found, b, iters
        
        print("b^2 is not a perfect square.")
        a += 1
        iters += 1

q_found, p_found, b, iters = fermat_factor(N)
print("b:",b)
print("\nFactors found:")
print("q found =", q_found)
print("p found =", p_found)
print("\nIterations:", iters)

b: 500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000157

Factors found:
q found = 154686915340612135900403913752276213341022047011676436639270487550848297808739930706381975740101308756917253502761925333875518410593699974838273498796447018811742239720999333562082246128039127977142770000857339126026901479968099928077257128526072813744871771945745619459953521026415462943517663566920310446883
p found = 154686915340612135900403913752276213341022047011676436639270487550848297808739930706381975740101308756917253502761925333875518410593699974838273498796447018810742239720999333562082246128039127977142770000857339126026901479968099928077257128526072813744871771945745619459953521026415462943517663566920310446569

Iterations: 0


In [None]:
# Verify results
print("Verify p and q:")
print("p_found == original p?", p_found == p)
print("q_found == original q?", q_found == q)

print("\nPrimality check:")
print("p_found is prime?", isprime(p_found))
print("q_found is prime?", isprime(q_found))

Verify p and q:
p found == original p? True
q found == original q? True

Primality check:
p found is prime? True
q found is prime? True


## Attack Simulation

In [7]:
# Generate two close primes
p, q, D = generate_two_close_primes()
print("Prime 1 (p):", p)
print("Prime 2 (q):", q)
print("Difference (D):", D)
print("Bit length of p:", p.bit_length())
print("Bit length of q:", q.bit_length())

# RSA key generation
N = p * q
phi = (p - 1) * (q - 1)
e = 65537
d = mod_inverse(e, phi)
print("\nModulus (N):", N)
print("Bit Length of N:", N.bit_length())



Prime 1 (p): 154137866799946650621166848997848495644596140884671880243792888961989263835915510884672160003379071154081950682347506878244719644284708699343907723819648953070614864933966118491814201580592151466366931328377176293843104404279717141014501653305641425741097585303263165899085377722550287873110830296045601876897
Prime 2 (q): 154137866799946650621166848997848495644596140884671880243792888961989263835915510884672160003379071154081950682347506878244719644284708699343907723819648953071614864933966118491814201580592151466366931328377176293843104404279717141014501653305641425741097585303263165899085377722550287873110830296045601877809
Difference (D): 1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000912
Bit length of p: 1024
Bit length of q: 1024

Modulus (N): 23758481981638095921103108908968391699554464066381813107106851594373300398288954077395222399991765612955883943230335748602666473

In [None]:
# Encrypt a message
message = 4010
cipher = pow(message, e, N)
print("Plaintext:", message)
print("Ciphertext:", cipher)

# Fermat factorization attack
print("\nFermat Factorisation Attack:")
q_found, p_found, b, iters = fermat_factor(N)

print("\np_found:", p_found)
print("q_found:", q_found)

print("\np_found == original p?", p_found == p)
print("q_found == original q?", q_found == q)

# Reconstruct private key
phi_recovered = (p_found - 1) * (q_found - 1)
d_recovered = mod_inverse(e, phi_recovered)

# Decrypt ciphertext using recovered key
decrypted = pow(cipher, d_recovered, N)
print("\nDecrypted message using recovered factors:", decrypted)

# Verify result
if decrypted == message:
    print("\nFermat factorisation successfully broke RSA")
else:
    print("\nAttack failed. Factors incorrect.")

Plaintext: 4010
Ciphertext: 14951712410257364464102316903646505796269835176581803742900612631683733636850873799503670267974289517966100038555074228990336327723866501962960794649597612005059715808353447827958069137951597098550428569285519508087468163224487958512205720173727646238283684073271716875982819645260433845301519136481091160741074363540061976742056440155273517702034960078557459226384403530888999190440046302248165077972950802065202210983000802730198697082964861152775299303134241511254823175241508795893707249452494906055043118296303491384104073741363506335138379482576395518735133964229413813566062471379535469969337985965777717297527

Fermat Factorisation Attack:

p_found: 154137866799946650621166848997848495644596140884671880243792888961989263835915510884672160003379071154081950682347506878244719644284708699343907723819648953070614864933966118491814201580592151466366931328377176293843104404279717141014501653305641425741097585303263165899085377722550287873110830296045601876897
q_fo