In [1]:
def rand_primes(size):
    """Generates random primes with q < p < 2q. Taken from https://github.com/mseckept/generalized-wiener-attack"""
    p = random_prime(1 << (size - 1), 1 << size)
    while True:
        q = random_prime(1 << (size - 1), 1 << size)
        if p < q:
            p, q = q, p
            if q < p < 2*q:
                break
    return p,q

In [2]:
a, b = rand_primes(512);
print(a)
print(b)

5344833217123044722231414459251585269771691768886917880830909197881703718057708558358906054007081415637680380448052543356961378202293280655737016067021647
4025921176777094324839220410881521771028028882271035355161455349706086435126351892903608529520458011231598204627604076727389121740619876396274090281052427


In [3]:
def generate_vulnerable_rsa_key(bits=256):
    """
    Generates a large, vulnerable RSA key pair.
    """
    print(f"--- 1. Generating a Vulnerable {bits}-bit RSA Key ---")

    # Generate large random primes, satifying q < p < 2q
    p, q = rand_primes(bits//2);
    n = p * q
    phi_n = (p - 1) * (q - 1)

    # Calculate the maximum d allowed by Wiener's condition: d < (1/3) * n^(1/4)
    max_d = Integer(round(1/3 * n**(1/4)))

    # Choose a small 'd' to ensure the attack succeeds
    d = random_prime(max_d // 100, lbound=1)

    # Calculate the public exponent 'e' using the optimized modular inverse
    e = inverse_mod(d, phi_n)

    print(f"Modulus n bit length: {n.nbits()}")
    print(f"Maximum safe d (for Wiener's attack): {max_d.nbits()} bits")
    print(f"Chosen d: {d} ({d.nbits()} bits)")

    return n, e, d, p, q

In [4]:
n, e, d, p, q = generate_vulnerable_rsa_key(bits = 192)

--- 1. Generating a Vulnerable 192-bit RSA Key ---
Modulus n bit length: 190
Maximum safe d (for Wiener's attack): 46 bits
Chosen d: 23522751929 (35 bits)


In [19]:
def wiener_attack(n, e):
    """
    Implements Wiener's attack by checking the convergents of e/n.
    """
    print("\n--- 2. Starting Wiener's Attack ---")

    # The target rational number for continued fraction expansion
    target_fraction = Rational((e, n))

    # Sage's continued_fraction() function returns the list of coefficients (a_i)
    cf_expansion = continued_fraction(target_fraction)
    print(f"Continued Fraction Expansion Coefficients (a_i): {cf_expansion}")

In [20]:
print(n, e)
wiener_attack(Integer(n),Integer(e))

1279435415964100723423545579319452297963310878088915394399 860241892597284318031015466026617507780603388652414721809

--- 2. Starting Wiener's Attack ---
Continued Fraction Expansion Coefficients (a_i): [0; 1, 2, 19, 5, 1, 1, 7, 1, 1, 1, 1, 5, 1, 1, 10, 1, 4, 3, 1, 1, 5, 1, 2, 8, 1, 48072910, 33, 1, 1, 1, 3, 47, 1, 2, 4, 2, 10, 3, 2, 2, 2, 2, 4, 1, 1, 2, 1, 32, 1, 3, 5, 9, 1, 5, 4, 4, 5, 22, 1, 4, 1, 1, 11, 1, 11, 4, 2, 2, 3, 1, 1, 7, 1, 3, 1, 2, 5, 4, 1, 2, 2, 1, 6, 20, 1, 1, 2, 5, 1, 1, 2, 40, 3, 57, 6, 2, 3, 1, 8]
