Wiener's Attack
Last updated
Last updated
Wiener's attack is an attack on RSA that uses continued fractions to find the private exponent when it's small (less than , where is the modulus). We know that when we pick the public exponent to be a small number and calcute its inverse
Wiener's attack is based on the following theorem:
Let , with . Let . Given and with , the attacker can efficiently recover .
In order to better understand Wiener's Attack, it may be useful to take note of certain properties of RSA:
We may start by noting that the congruence can be written as the equality for some value , we may additionally note that , since both and are much shorter than , we can say that .
Dividing the former equation by gives us , and using the latter approximation, we can write this as . Notice how the left-hand side of this equation is composed entirely of public information, this will become important later.
It is possible to quickly factor by knowing and . Consider the quadratic polynomial , this polynomial will have the roots and . Expanding it gives us , and substituting for the variables we know we can write this as . Applying the quadratic formula gives us and : , where , , and .
Wiener's attack works by expanding to a continued fraction and iterating through the terms to check various approximations of . In order to make this checking process more efficient, we can make a few observations (this part is optional):
Since is even, and and are both by definition coprime to , we know that is odd.
Given the above equations and the values of , , , and , we can solve for with the equation , thus we know that has to be divisible by .
If our is correct, the polynomial will have roots and , which we can verify by checking if .
Suppose we have the public key , this attack will determine
If all convergents have been tried, and none of them work, then the given RSA parameters are not vulnerable to Wiener's attack.
Here's a sage implementation to play around with:
//TODO: Proof of Wiener's theorem
The Python module owiener
simplifies the scripting process of Wiener's attack:
Here is a Wiener's attack template:
Convert the fraction into a continued fraction
Iterate over each convergent in the continued fraction:
Check if the convergent is by doing the following:
Set the numerator to be and denominator to be
Check if is odd, if not, move on to the next convergent
Check if , if not, move on to the next convergent
Set and find the roots of the polynomial
If the roots of the polynomial are integers, then we've found . (If not, move on to the next convergent)