In [66]:
def rand_primes(size):
    """Generates random primes with q < p < 2q. Taken from https://github.com/mseckept/generalized-wiener-attack"""
    p = random_prime(1 << (size - 1), 1 << size)
    while True:
        q = random_prime(1 << (size - 1), 1 << size)
        if p < q:
            p, q = q, p
            if q < p < 2*q:
                break
    return p,q

In [67]:
a, b = rand_primes(512);
print(a)
print(b)

4825691833681466762189577551536330649252291910477624298040071541210632689301861809524172131564730989015207420027472579616747978658776840812072648789160471
4089831095247435365487829516743132995994782826431095323047386501449400977538640073034850859978338250166909572636216700382555069858082496532448364572345341


In [68]:
def generate_vulnerable_rsa_key(bits=256):
    """
    Generates a large, vulnerable RSA key pair.
    """
    print(f"--- 1. Generating a Vulnerable {bits}-bit RSA Key ---")

    # Generate large random primes, satifying q < p < 2q
    p, q = rand_primes(bits//2);
    n = p * q
    phi_n = (p - 1) * (q - 1)

    # Calculate the maximum d allowed by Wiener's condition: d < (1/3) * n^(1/4)
    max_d = Integer(round(1/3 * n**(1/4)))

    # Choose a small 'd' to ensure the attack succeeds
    d = random_prime(max_d // 500, lbound=1)

    # Calculate the public exponent 'e' using the optimized modular inverse
    e = inverse_mod(d, phi_n)

    print(f"Modulus n bit length: {n.nbits()}")
    print(f"Maximum safe d (for Wiener's attack): {max_d.nbits()} bits")
    print(f"Chosen d: {d} ({d.nbits()} bits)")

    return n, e, d, p, q

In [74]:
n, e, d, p, q = generate_vulnerable_rsa_key(bits = 512)

--- 1. Generating a Vulnerable 512-bit RSA Key ---
Modulus n bit length: 510
Maximum safe d (for Wiener's attack): 126 bits
Chosen d: 33373702577827954197795758380389557 (115 bits)


In [75]:
def wiener_attack(n, e):
    """
    Implements Wiener's attack by checking the convergents of e/n.
    """
    print("\n--- 2. Starting Wiener's Attack ---")

    # The target rational number for continued fraction expansion
    target_fraction = Rational((e, n))

    # Sage's continued_fraction() function returns the list of coefficients (a_i)
    cf_expansion = continued_fraction(target_fraction)
    print(f"Continued Fraction Expansion Coefficients (a_i): {cf_expansion}")
 
    # Iterate through the convergents (k/d_cand) of the continued fraction of e/n
    # Convergents are fractions that closely approximate the target_fraction.
    # The key d is guaranteed to be the denominator of one of these (Legendre Theorem).
    
    print("Testing Convergents...")
    
    # The .convergents() method returns the sequence of convergents as rational numbers
    for i, convergent in enumerate(cf_expansion):
        # The convergent is k_i / d_i
        k = convergent.numerator()
        d_cand = convergent.denominator()
        # Skip zero (First convergent)
        if k == 0:
            continue
        # Test 1: Check if (ed - 1) is divisible by k.
        # If true, phi_cand = (ed - 1) / k should be an integer.
        
        if (e * d_cand - 1) % k == 0:
            phi_cand = (e * d_cand - 1) // k
            # Test 2: Verify if this phi_cand can correctly factor n.
            # We know: p+q = n - phi_cand + 1
            # We solve the quadratic: x^2 - (p+q)x + n = 0
            
            sum_pq = n - phi_cand + 1
            
            # The discriminant of the quadratic formula: Delta = (p+q)^2 - 4n
            discriminant = sum_pq^2 - 4 * n
            
            # If Delta is a perfect square, p and q are integers.
            if discriminant >= 0 and isqrt(discriminant)^2 == discriminant:
                print("pollo")
                sqrt_discriminant = isqrt(discriminant)
                
                # Roots of the quadratic (the factors p and q)
                p_cand = (sum_pq + sqrt_discriminant) // 2
                q_cand = (sum_pq - sqrt_discriminant) // 2
                
                # Final check: are p and q factors of n and prime?
                if p_cand * q_cand == n and p_cand > 1 and q_cand > 1:
                    
                    # Found the secret key!
                    print(f"\n[SUCCESS] Key found at convergent #{i+1}")
                    print(f"Candidate d: {d_cand}")
                    print(f"Candidate p: {p_cand}")
                    print(f"Candidate q: {q_cand}")
                    return d_cand, p_cand, q_cand
        
    print("\n[FAILURE] Attack failed to find the key within the convergents.")
    return None, None, None

In [76]:
wiener_attack(n,e)


--- 2. Starting Wiener's Attack ---
Continued Fraction Expansion Coefficients (a_i): [0; 1, 1, 7, 2, 5, 7, 23, 3, 1, 71, 1, 3, 1, 1, 3, 1, 1, 1, 1, 2, 1, 4, 1, 21, 1, 1, 2, 2, 1, 4, 4, 1, 1, 6, 1, 8, 1, 7, 1, 40, 1, 4, 70, 1, 3, 9, 2, 1, 1, 3, 1, 28, 1, 2, 1, 2, 97, 1, 1, 2, 3, 1, 1, 1, 1, 2, 1, 1, 21, 5, 3, 43420174, 2, 3, 1, 7, 1, 7, 1, 3, 8, 2, 55, 5, 1, 3, 2, 123, 1, 2, 3, 2, 4, 339, 6, 1, 50, 165, 1, 3, 1, 35, 1, 1, 13, 2, 1, 6, 1, 1, 1, 14, 1, 19, 12, 5, 3, 4, 2, 1, 1, 1, 3, 31, 56, 1, 1, 1, 1628, 2, 5, 1, 3, 13, 2, 1, 336, 1, 1, 3, 1, 1, 1, 1, 6, 1, 1, 1, 1, 6, 2, 14, 2, 1, 1, 1, 1, 56, 1, 32, 2, 1, 1, 1, 3, 4, 13, 1, 6, 8, 1, 1, 1, 3, 1, 4, 2, 7, 1, 6, 1, 2, 2, 1, 9, 1, 13, 3, 3, 21, 1, 5, 1, 39, 1, 1, 5, 2, 1, 1, 1, 11, 5, 1, 5, 9, 1, 2, 8, 28, 12, 2, 1, 105, 1, 9, 2, 2, 1, 1, 1, 1, 1, 1, 1, 2, 1, 3, 1, 2, 4, 8, 1, 39, 1, 1, 1, 3, 3, 1, 4, 6, 97, 6, 14, 10, 1, 1, 1, 1, 1, 1, 7, 5, 1, 1, 9, 4, 10, 3, 17, 1, 2, 5, 1, 1, 1, 12, 1, 1, 8]
Testing Convergents...

[FAILURE] Attack f

(None, None, None)