In [1]:
#Requires Python 3.8+

# Imports

In [216]:
import random
import secrets
from decimal import *

# Functions

Returns the GCD of 2 numbers

In [50]:
def gcd(a, b):
    while(b):
        a, b = b, a % b 
    return a

Rabin-Miller Primality Test<br>
Checks if a number is prime, p is the number to be tested, s is the number of rounds<br>
Number of rounds should ensure that the probability of p not being prime is < 2^(-80) 

In [71]:
def RMPT(p, s):
    q = p - 1
    k = 0
    while q % 2 != 1:
        q //= 2
        k += 1
        
    for _ in range(s):
        a = random.randrange(3, p - 2)      
        while gcd(a, p) != 1:
            a = random.randrange(3, p - 2)
        
        z = pow(a, q, p)
        
        if z == 1 or z == p - 1:
            continue #Not a witness, pick another a
        
        for i in range(1, k):
            z = pow(a, pow(2, i)*q, p)
            if z == p - 1:
                break #Not a witness, pick another a
        else:
            return False  #a^((2^K)*Q)modP != -1 for all values of K, it is a witness, therefore its definitely not prime
        
    return True #After S iterations still not a composite, chance to be a prime

Converts a string to ascii

In [154]:
def convert_to_ascii(message):
    ascii_message = ""
    for char in message:
        ascii_char = ord(char)
        ascii_char = str(ascii_char)
        ascii_char = ascii_char.zfill(3)
        ascii_message += ascii_char
    return int(ascii_message)

Converts ascii back to string

In [192]:
from textwrap import wrap

def convert_to_string(ascii_message):
    message = ""
    ascii_message = str(ascii_message)
    if(len(ascii_message) % 3 != 0):
        for _ in range(3 - len(ascii_message) % 3):
            ascii_message = "0" + ascii_message
    ascii_list = wrap(ascii_message, 3)
    for ascii in ascii_list:
        message = message + chr(int(ascii))
    return message

Generates the decryption key using public key e and 2 prime numbers p and q

In [133]:
def RSA_generate_D(e, p, q):
    N = p * q
    phi_N = (p - 1) * (q - 1)
    assert gcd(e, phi_N) == 1, "GCD of e and phi N must be 1"
    d = pow(e, -1, phi_N)
    return d

Encrypts a number with public key e

In [167]:
def RSA_encrypt(ascii_message, e, N):
    encrypted_message = pow(ascii_message, e, N)
    return encrypted_message

Encrypts a number using private key d

In [None]:
def RSA_decrypt(encrypted_message, d, N):
    ascii_message = pow(encrypted_message, d, N)
    return ascii_message

Continuously generates random bit_length numbers<br>
If number is even, adds one to make it odd<br>
Tries to factorize the number with small primes to determine if composite<br>
Uses Rabin-Miller Primality Test if it is still possible to be a prime number

In [130]:
def Generate_Prime(bit_length, RMPT_rounds):   
    while(True):
        num = secrets.randbits(bit_length)
        
        #If number is even, make it odd
        if num%2 == 0:
            num += 1
        #Try factorize using small primes
        elif num%3 == 0:
            continue
        elif num%5 == 0:
            continue
        elif num%7 == 0:
            continue
        elif num%11 == 0:
            continue
        #Try the expensive Rabin-Miller Primality Test
        elif RMPT(num, RMPT_rounds):
            print(num)
            return num

# RSA 1024

In [141]:
p = Generate_Prime(1024, 15)

112007274411492932203003985852265284633825558666188564847677886989635677089938960827538024824613355138793768734507365105892206457313657306955111080082587911484006170867863289948078561326081446989964213408670176914099076038535088335213866025371789225164615769274974423531788614703159129407338566774087284825897


In [142]:
q = Generate_Prime(1024, 15)

44388198675402330255157764883651845483911584760541083818850259569107083757350953919065939759725571076157305352337170507482647141333634139227053038445304976677601264011423989120789398665835201482285741602621047717625955980344505897028748062983314134880378511432629708124480328041623241555158208582504791413311


In [150]:
N = p * q

In [143]:
d = RSA_generate_D(3, p, q)

In [163]:
message = "Hello, this message is secure in RSA1024 but weak in RSA 2048 without padding with a small exponent of 3"

ascii_message = convert_to_ascii(message)
print(ascii_message)
ascii_message.bit_length()

72101108108111044032116104105115032109101115115097103101032105115032115101099117114101032105110032082083065049048050052032098117116032119101097107032105110032082083065032050048052056032119105116104111117116032112097100100105110103032119105116104032097032115109097108108032101120112111110101110116032111102032051


1033

In [168]:
encrypted_message = RSA_encrypt(ascii_message, 3, N)

In [169]:
print(encrypted_message)

862065518385892510505107470880622421869203899106005976962834397943854894252907727932381335991617784070832951879756847421913952641737813793677045620752254000484244844959250053433595335441170458191469221384009989918621009169229954516824861082074606371547799781613125147206834649672734628800016202001463808313744518150918530624430508663553244573402718452052800532023051080324737646589482434472702587219567811818559420654279932468515023831590043630324647279570130110603345082334732893856278266990005236214151837122082984853896198007651808771443575248165715972987461159010031742091836715019715658541110304310553658453990


In [197]:
print(convert_to_string(encrypted_message))

͞AȆƁͼǾǹkǖͰɮƥͥË΃jϐς͂ƍί͖;ü΋˗ΤŽŏϟɩ̐F̀ηͯ˴͏ƥΑθʁˡ̭̙ʥ-ɬ˰þ Ǥô͌οú5ƱɓŏƹªǊ¿ǕÝƀ	ϝΖɭ	©åκȄ̸͝RJɞųȣ̟̍ɥ}Î͂ʉʠ˞ɴ̠ÊĮ̌Ĺ˨ȆΖȒɰƮǼʗȩôȽƒˎǄ4̠Ȕ3PńˡʆɍǢƲǘʾɋÛȷ̫̲ȯƤʎėΤǔȃ̿Ɏ+ɶńʇėȺnɛřRŎ˜ͽ͘ĖĊϞìÖͅzRϘ͕΀Æʋ̨̃ƻȿø¥ˋόϛǍ
˦[̈́ˋˋʒȝnİĶȩʒǅϞ


In [198]:
decrypted_message = RSA_encrypt(encrypted_message, d, N)

In [199]:
print(convert_to_string(decrypted_message))

Hello, this message is secure in RSA1024 but weak in RSA 2048 without padding with a small exponent of 3


# RSA 2048

In [207]:
p = Generate_Prime(2048, 15)

9727865763509846123733885720856249176912860111602134732304407943585962154976893182904491071377985130405512001641260830836726601063953060764696245422686258616155839000412061136399825338896561715137771309438075122019086230114566726172926310134599510336609429362162820813677432751602159949638299753264196720925334194658008317599405194261187267025216603066751191712422458928123769136268679017219434442400404562562487671636323695352165516531243785820475815828148651664717304271242943004071607042175565792948506323553046628474917721171949646346659084717822855892901753419859065595445133363599682778845630718448328026596209


In [201]:
q = Generate_Prime(2048, 15)

1684429827369255255303158195555661806616277550699462706655042183057403944083632652054602140158867591612504812864612117221363162083824680077860012498319590830408301857904112703622084227841103255183763781284818101974359063837403203715686695237929352154958942945425811472678905613749831534070575881648178566215474968950297753076330810833112445885639132720107019255811825897900298201347268848517355269388256730429560201726133945324898472794265748602836780769776755004217655068314074625397945440327995873431020720253754915497124614418281627109863393843146222583496936680887338492905228678186063381777141685842763013048087


In [205]:
N = p * q

In [208]:
#Might have to generate a few different p q, if gcd(3, phi(N)) == 0
d = RSA_generate_D(3, p, q)

In [209]:
message = "Hello, this message is secure in RSA1024 but weak in RSA 2048 without padding with a small exponent of 3"

ascii_message = convert_to_ascii(message)
print(ascii_message)
ascii_message.bit_length()

72101108108111044032116104105115032109101115115097103101032105115032115101099117114101032105110032082083065049048050052032098117116032119101097107032105110032082083065032050048052056032119105116104111117116032112097100100105110103032119105116104032097032115109097108108032101120112111110101110116032111102032051


1033

In [210]:
encrypted_message = RSA_encrypt(ascii_message, 3, N)

In [211]:
print(encrypted_message)

374822642466453503471129234953054526212879179388354880533829447986843654790252314554033043646746764449913639182639657708742449037448950714078946330611043527252186205143428991207943778445949669261828678244029033364957051851646843200248207959737882920354740993629980412340688249208986011917884001719076791515449239894248936982703403870041158347994141996971536956348876306054595083780967728076706532035714204633008080071541961769864324054181130056979714597750740643162189705244532503479892077386565813438424295161109106397041214616802454831180487114975435436195881465431700791503705277369993863949588713707081687514834613488238651365075709738120939125370934830072994404453950653829807147232013328123932604129717807697923904573366449573757101712631775756908010422087048442049253902421391121963980754726364178279941244392279920641838047656797066648613408324642902777263968839370282113878069675238833717309324302239332461043662637827828651


In [212]:
print(convert_to_string(encrypted_message))

Ŷ̶ʂǒǅǷǗêι6ȎÔͯ³ƄŢͰȕ̽ƿϚ͋ʎ̖üĺȪ!+ʆ˪˼ǁΑɿ¶ɿʑ˄˦ǁ%ǀζˊNβŊɣ+ȏüºÍƬϟÏί̊ƽεʝą̼ʦô!Ŭν3͓ʆ͋ÈøÏοˡͲΘŢˤϡɵϔƜŔʰùÐϚΕʹˏL̗ȃǁï;øΨϖʿƓͦ)śϢϤϋȘμŜͬĲ6ɓŠχ˘L˂Ȕ#ˊÌɹPGȝρ́͠ń6µ8ϓˊɕˮˤʃ¢½ˁôȔǷǟͼMƂȵ̭ƶƨħ¡mjƍ)Öɨ̢ǆ̿´ǧrϏƳƴÃͱǑƯʼ̗Ƿˁĕűϡ͟εɌˉ˃QʯȂ͂ɥǨîʋŭK˅ˢxΫ}ŲΦ̾HϢƔǅζʍ̧̽èň{Τɜˍ̧ʹΛΈȽŮǁȽ˵eˈɷ̇˴Ό
ƦW0ƺ1ýΆƥƇyσϔ˲˖Ŭ²ėέôƈėΘʁ͆/ʐ̝BʈɥƘńʂΆ̉ćψ͇ŲĚqͮEʣî́ˍĵńĮïŌǍ+ʖɽ̻̼ʋ


Since the number of bits of the plain text is much smaller than 2048 bits, even when the plain text raised to the power of 3 it is still smaller than 2048 bits which means the mod operation does nothing, and i can just use the cube root to find the original message

In [223]:
#Workaround for getting the cube root of a huge integer

minprec = 27

encrypted_message_len = len(str(encrypted_message))

if encrypted_message_len > minprec: 
    getcontext().prec = encrypted_message_len
else:
    getcontext().prec = minprec
    
encrypted_message = Decimal(encrypted_message)
power = Decimal(1)/Decimal(3)

#Gets cube root of encrypted message
decrypted_message = encrypted_message**power
decrypted_message = int(decrypted_message.quantize(Decimal('1.'), rounding=ROUND_UP))

In [224]:
print(convert_to_string(decrypted_message))

Hello, this message is secure in RSA1024 but weak in RSA 2048 without padding with a small exponent of 3


This exploit can be avoided by simply padding the original message to 