In [105]:
def rand_primes(size):
    """Generates random primes with q < p < 2q. Taken from https://github.com/mseckept/generalized-wiener-attack"""
    p = random_prime(1 << (size - 1), 1 << size)
    while True:
        q = random_prime(1 << (size - 1), 1 << size)
        if p < q:
            p, q = q, p
            if q < p < 2*q:
                break
    return p,q

In [106]:
a, b = rand_primes(512);
print(a)
print(b)

6467513751855339472156436820037705940465712659734255609205982039097008406025170369311565529290499021033478789668935495660595404642755236847340840070946319
6212949187303999385595771493122147233460309396256414421825643998975564717077735421991732286256467710076027089714261707536818621541212399184341897637068127


In [107]:
def generate_vulnerable_rsa_key(bits=256):
    """
    Generates a large, vulnerable RSA key pair.
    """
    print(f"--- 1. Generating a Vulnerable {bits}-bit RSA Key ---")

    # Generate large random primes, satifying q < p < 2q
    p, q = rand_primes(bits//2);
    n = p * q
    phi_n = (p - 1) * (q - 1)

    # Calculate the maximum d allowed by Wiener's condition: d < (1/3) * n^(1/4)
    max_d = Integer(round(1/3 * n**(1/4)))

    # Choose a small 'd' to ensure the attack succeeds
    d = random_prime(max_d // 100, lbound=1)

    # Calculate the public exponent 'e' using the optimized modular inverse
    e = inverse_mod(d, phi_n)

    print(f"Modulus n bit length: {n.nbits()}")
    print(f"Maximum safe d (for Wiener's attack): {max_d.nbits()} bits")
    print(f"Chosen d: {d} ({d.nbits()} bits)")

    return n, e, d, p, q

In [108]:
n, e, d, p, q = generate_vulnerable_rsa_key(bits = 512)

--- 1. Generating a Vulnerable 512-bit RSA Key ---
Modulus n bit length: 510
Maximum safe d (for Wiener's attack): 126 bits
Chosen d: 93346864986489044246176253992334719 (117 bits)


In [109]:
def wiener_attack(n, e):
    """
    Implements Wiener's attack by checking the convergents of e/n.
    """
    print("\n--- 2. Starting Wiener's Attack ---")

    # The target rational number for continued fraction expansion
    target_fraction = Rational((e, n))

    # Sage's continued_fraction() function returns the list of coefficients (a_i)
    cf_expansion = continued_fraction(target_fraction)
    print(f"Continued Fraction Expansion Coefficients (a_i): {cf_expansion}")
 
    # Iterate through the convergents (k/d_cand) of the continued fraction of e/n
    # Convergents are fractions that closely approximate the target_fraction.
    # The key d is guaranteed to be the denominator of one of these (Legendre Theorem).
    
    print("Testing Convergents...")
    
    # The .convergents() method returns the sequence of convergents as rational numbers
    convergents_list = list(cf_expansion.convergents())
    for i, convergent in enumerate(convergents_list):
        # The convergent is k_i / d_i
        k = convergent.numerator()
        d_cand = convergent.denominator()
        # Skip zero (First convergent)
        if k == 0:
            continue
        # Test 1: Check if (ed - 1) is divisible by k.
        # If true, phi_cand = (ed - 1) / k should be an integer.
        
        if (e * d_cand - 1) % k == 0:
            phi_cand = (e * d_cand - 1) // k
            # Test 2: Verify if this phi_cand can correctly factor n.
            # We know: p+q = n - phi_cand + 1
            # We solve the quadratic: x^2 - (p+q)x + n = 0
            
            sum_pq = n - phi_cand + 1
            
            # The discriminant of the quadratic formula: Delta = (p+q)^2 - 4n
            discriminant = sum_pq^2 - 4 * n
            
            # If Delta is a perfect square, p and q are integers.
            if discriminant >= 0 and isqrt(discriminant)^2 == discriminant:
                sqrt_discriminant = isqrt(discriminant)
                
                # Roots of the quadratic (the factors p and q)
                p_cand = (sum_pq + sqrt_discriminant) // 2
                q_cand = (sum_pq - sqrt_discriminant) // 2
                
                # Final check: are p and q factors of n and prime?
                if p_cand * q_cand == n and p_cand > 1 and q_cand > 1:
                    
                    # Found the secret key!
                    print(f"\n[SUCCESS] Key found at convergent #{i+1}")
                    print(f"Candidate d: {d_cand}")
                    print(f"Candidate p: {p_cand}")
                    print(f"Candidate q: {q_cand}")
                    return d_cand, p_cand, q_cand
        
    print("\n[FAILURE] Attack failed to find the key within the convergents.")
    return None, None, None

In [110]:
wiener_attack(n,e)


--- 2. Starting Wiener's Attack ---
Continued Fraction Expansion Coefficients (a_i): [0; 1, 5, 2, 1, 1, 2, 1, 1, 4, 85, 1, 3, 4, 3, 1, 1, 1, 1, 1, 1, 5, 1, 1, 1, 10, 1, 1, 1, 4, 4, 1, 3, 5, 1, 13, 3, 2, 65, 5, 4, 11, 1, 177, 1, 3, 3, 4, 2, 11, 1, 113, 2, 132, 1, 1, 1, 1, 2, 1, 5, 12, 5, 3, 1, 1, 1, 3, 3087668, 1, 20, 2, 4, 1, 6, 1, 1, 1, 2, 25, 1, 2, 1, 1, 1, 3, 3, 7, 1, 2, 5, 1, 1, 1, 7, 5, 5, 7, 1, 32, 2, 4, 1, 5, 1, 1, 2, 122, 2, 1, 1, 1, 1, 2, 1, 4, 2, 3, 17, 1, 31, 11, 3, 5, 1, 8, 1, 1, 1, 1, 5, 1, 4, 1, 2, 4, 1, 2, 4, 1, 2, 3, 1, 2, 1, 3, 50, 2, 1, 2, 1, 20, 1, 1, 1, 3, 1, 3, 1, 1, 3, 3, 11, 1, 1, 1, 1, 2, 1, 2, 2, 1, 3, 1, 21, 1, 16, 1, 8, 1, 1, 1, 1, 10, 1, 54, 1, 3, 1, 9, 1, 2, 2, 31, 1, 3, 1, 86, 1, 103, 3, 2, 1, 1, 1, 1, 1, 5, 1, 1, 7, 60, 4, 3, 6, 3, 1, 169, 1, 1, 1, 1, 6, 1, 2, 2, 1, 4, 1, 1, 1, 1, 4, 3, 2, 5, 11, 4, 1, 1, 20, 1, 91, 4, 2, 1, 2, 2, 1, 45, 4, 3, 13, 1, 1, 7, 6, 1, 3, 11, 1, 5, 1, 1, 3, 1, 3, 3, 1, 13, 1, 3, 56, 6, 1, 15, 1, 2, 1, 1, 1, 4, 6, 9, 1, 355, 2, 

(93346864986489044246176253992334719,
 54297767816077021321097440975155542277445266028500467639067999197047249082273,
 38985970559298729023515307505967361563036276444485713573163190616839901707781)

In [78]:
# ==============================================================================
# SAGE MATH IMPLEMENTATION OF WIENER'S ATTACK
# This script demonstrates how to implement the attack, which relies on continued
# fractions to find the small private exponent 'd'.
#
# ASSIGNED TO: Qassim
# ==============================================================================
from sage.all import *

def generate_vulnerable_rsa_key(bits=512):
    """
    Generates an RSA key pair that is vulnerable to Wiener's attack.
    Vulnerability criteria: d < (1/3) * n^(1/4)
    La dimensione 'bits' si riferisce alla dimensione totale del modulo n (ad esempio 1024 o 2048).
    """
    print(f"--- 1. Generating a Vulnerable {bits}-bit RSA Key ---")
    
    half_bits = bits // 2 # Dimensione target per p e q

    while True:
        # 1. Generate two primes p and q such that q < p < 2q
        # Generiamo p e q in un intervallo bilanciato (approssimativamente half_bits)
        p = random_prime(2^half_bits, lbound=2^(half_bits - 1))
        q = random_prime(2^half_bits, lbound=2^(half_bits - 1))

        # Assicuriamo che p > q. Questo è il modo più pulito.
        if q > p:
            p, q = q, p
        
        # Verifichiamo la condizione di bilanciamento (q < p < 2q)
        if p < 2 * q:
            break
        
    n = p * q
    phi_n = (p - 1) * (q - 1)

    # 2. Choose a small private exponent 'd'
    # The condition is d < (1/3) * n^(1/4)
    max_d = Integer(round(1/3 * n**(1/4)))
    print(f"Modulus n bit length: {n.nbits()}")
    print(f"Maximum safe d (for Wiener's attack): {max_d.nbits()} bits")

    # Choose a 'd' that is demonstrably small
    # MODIFICA: Forziamo d ad essere molto più piccolo (// 500) per garantire successo
    d_size = max_d // 500 
    if d_size < 1: d_size = 1 # Ensure d is at least 1
    d = random_prime(d_size, lbound=1)

    # 3. Compute the public exponent 'e'
    e = inverse_mod(d, phi_n)

    # Print key parameters (attacker only knows n, e)
    print(f"Chosen d: {d} ({d.nbits()} bits)")
    print(f"Public Key (n): {n}")
    print(f"Public Key (e): {e}")

    # Return only the public keys (n, e) and the secret d for verification
    return n, e, d, p, q

def wiener_attack(n, e):
    """
    Implements Wiener's attack by checking the convergents of e/n.
    """
    print("\n--- 2. Starting Wiener's Attack ---")
    
    # The target rational number for continued fraction expansion
    target_fraction = e / n 

    # Sage's continued_fraction() function returns the list of coefficients (a_i)
    cf_expansion = continued_fraction(target_fraction)
    print(f"Continued Fraction Expansion Coefficients (a_i): {cf_expansion}")

    # Iterate through the convergents (k/d_cand) of the continued fraction of e/n
    # Convergents are fractions that closely approximate the target_fraction.
    # The key d is guaranteed to be the denominator of one of these.
    
    print("Testing Convergents...")
    
    # Convert the sequence of convergents to an explicit list 
    # to avoid compatibility issues in some interactive environments.
    convergents_list = list(cf_expansion.convergents())

    # The .convergents() method returns the sequence of convergents as rational numbers
    for i, convergent in enumerate(convergents_list):
        # The convergent is k_i / d_i
        # Explicitly cast to Integer to prevent a method/value coercion error (TypeError fix)
        k = Integer(convergent.numerator())
        d_cand = Integer(convergent.denominator())

        # GUARD: Check for ZeroDivisionError by ensuring k is positive.
        # k=0 is the first convergent (0/1), which can be safely skipped.
        if k == 0:
            continue
            
        # Test 1: Check if (ed - 1) is divisible by k.
        # If true, phi_cand = (ed - 1) / k should be an integer.
        
        if (e * d_cand - 1) % k == 0:
            phi_cand = (e * d_cand - 1) // k
            
            # Test 2: Verify if this phi_cand can correctly factor n.
            # We know: p+q = n - phi_cand + 1
            # We solve the quadratic: x^2 - (p+q)x + n = 0
            
            sum_pq = n - phi_cand + 1
            
            # The discriminant of the quadratic formula: Delta = (p+q)^2 - 4n
            discriminant = sum_pq^2 - 4 * n
            
            # If Delta is a perfect square, p and q are integers.
            if discriminant >= 0 and isqrt(discriminant)^2 == discriminant:
                sqrt_discriminant = isqrt(discriminant)
                
                # Roots of the quadratic (the factors p and q)
                p_cand = (sum_pq + sqrt_discriminant) // 2
                q_cand = (sum_pq - sqrt_discriminant) // 2
                
                # Final check: are p and q factors of n and prime?
                if p_cand * q_cand == n and p_cand > 1 and q_cand > 1:
                    
                    # Found the secret key!
                    print(f"\n[SUCCESS] Key found at convergent #{i+1}")
                    print(f"Candidate d: {d_cand}")
                    print(f"Candidate p: {p_cand}")
                    print(f"Candidate q: {q_cand}")
                    return d_cand, p_cand, q_cand
        
    print("\n[FAILURE] Attack failed to find the key within the convergents.")
    return None, None, None

# --- Main Execution ---
if __name__ == '__main__':
    # 1. Generate the vulnerable key
    # Usiamo 512 bit per un test veloce e stabile
    n_val, e_val, d_true, p_true, q_true = generate_vulnerable_rsa_key(bits=512)
    
    # CASTING ESPLICITO (Precaution to resolve potential typing issues)
    # Assicuriamo che n ed e siano oggetti Integer di Sage
    n = Integer(n_val)
    e = Integer(e_val)

    # 2. Run the attack
    d_found, p_found, q_found = wiener_attack(n, e)

    # 3. Verification
    print("\n--- 3. Verification ---")
    if d_found is not None:
        print(f"True d: {d_true}")
        print(f"Found d: {d_found}")
        print(f"Match: {d_true == d_found}")
        
        # Sanity check on factorization
        print(f"True factors: ({p_true}, {q_true})")
        print(f"Found factors: ({p_found}, {q_found})")
        print(f"Factors Match: {(p_true == p_found and q_true == q_found) or (p_true == q_found and q_true == p_found)}")
    
    else:
        print("Attack failed or a bug occurred in the implementation logic.")


--- 1. Generating a Vulnerable 512-bit RSA Key ---
Modulus n bit length: 512
Maximum safe d (for Wiener's attack): 127 bits
Chosen d: 122451113789075543789322787269389677 (117 bits)
Public Key (n): 8759691787063926790427312739705879233983581134011511930768234228961389191092136392913748946039999975574328178911590667217795556900428242402527895330665117
Public Key (e): 105159557564442034486596824284206676360006757581242552142682541133323177239391722057079891377114667964285606036879879740469509945939864988108405102327141

--- 2. Starting Wiener's Attack ---
Continued Fraction Expansion Coefficients (a_i): [0; 83, 3, 2, 1, 9, 1, 7, 1, 1, 1, 1, 2, 2, 3, 1, 1, 4, 19, 1, 1, 1, 3, 1, 1, 3, 37, 2, 2, 74, 1, 3, 2, 2, 1, 1, 7, 2, 1, 3, 1, 8, 3, 1, 12, 1, 21, 14, 69, 1, 1, 2, 1, 12, 1, 1, 2, 26, 24, 347, 4, 2, 254675879, 3, 1, 1, 6, 6, 1, 2, 3, 11, 4, 1, 2, 1, 1, 4, 1, 3, 4, 1, 2, 1, 6, 1, 123, 1, 3, 2, 1, 1, 3, 2, 7, 1, 1, 1, 1, 2, 1, 2, 2, 1, 8, 2, 1, 3, 1, 1, 5, 9, 11, 12, 1, 2, 4, 1, 2, 3, 2, 1