Wiener's Attack

Using Continued Fractions to attack large e values

Overview

Wiener's Attack utilises the convergents of the continued fraction expansion of $\frac{k}{d}$ to attempt to guess the decryption exponent $d$ when $e$ is large, as $d$ is necessarily small as a result.

Introduction

We can say that

\phi(N) = (p-1)(q-1) \\ = pq - (p + q) + 1 \\ \approx N

We can also say that since $ed \equiv 1 \mod \phi(N)$ , we can rearrange this to say that $ed = k\phi(N) + 1$ .

d = k\phi(N) + 1 \\ ed - k\phi(N) = 1 \\ \frac{e}{\phi(N)} - \frac{k}{d} = \frac{1}{d\phi(N)}

Now since $d\phi(N)$ is likely to be huge, we can say $\frac{1}{d\phi(N)}$ is almost zero, and also use the approximation from before to say that

\frac{e}{N} \approx \frac{k}{d}

Note that $\frac{e}{N}$ is composed of entirely public information, meaning we have access to an approximation to $\frac{k}{d}$ , which is entirely private information.

Determining the Private Information

We can represent $\frac{e}{N}$ as a continued fraction. If we go through the convergents of this fraction, we may come across $\frac{k}{d}$ since $\frac{e}{N} \approx \frac{k}{d}$ ( $\frac{k}{d}$ is a good approximation). This is more likely to work whendis smaller due to Legendre’s Theorem in Diophantine Approximations (TODO prove this), specifically when $d<\frac{1}{3}N^\frac{1}{4}$ .

Once we list the convergents, we iterate through and there are a few checks we can make to determine whether or not it's the correct convergent:

As $ed \equiv 1 \mod \phi(N)$ and $\phi(N)$ is even, $d$ must be odd, so we can discard convergences with even denominators.
Since $\phi(N)$ must be a whole number, we can compute $\frac{ed - 1}{k}$ and see if it returns an integer or not - if not, we can discard the convergent.

Once we find a convergent we don't discard, we can assume it's $\phi(N)$ and attempt to calculate $d$ with that, seeing if the resultant private key yields a valid result or not. This can take a lot of decryption attempts to work successfully however - we can speed up the "checking" process using a quadratic equation.

Solving for p, q

If we say $N=pq$ , it follows that:

\phi(N) = (p-1)(q-1) \\ \phi(N) = N - (p + q) + 1 \\ p + q = N - \phi(N) + 1

If we now consider a quadratic equation $(x-p)(x-q) = 0$ , with the roots $p$ and $q$ being the prime factors of $N$ , we can expand this and substitute:

(x-p)(x-q) = 0 \\ x^2 - (p+q)x + pq = 0 \\ x^2 - (N - \phi(N) + 1)x + N = 0

If our value of $\phi(N)$ is correct, we can substitute this into the equation and solve it for two integer values $p$ and $q$ . If the values are not integer, the result can be discarded.

PreviousMulti-party RSA with Small e NextChoice of Primes

Last updated 3 years ago

Was this helpful?

Introduction

We can say that

\phi(N) = (p-1)(q-1) \\ = pq - (p + q) + 1 \\ \approx N

We can also say that since

ed \equiv 1 \mod \phi(N)

, we can rearrange this to say that

ed = k\phi(N) + 1

d = k\phi(N) + 1 \\ ed - k\phi(N) = 1 \\ \frac{e}{\phi(N)} - \frac{k}{d} = \frac{1}{d\phi(N)}

Now since

d\phi(N)

is likely to be huge, we can say

\frac{1}{d\phi(N)}

is almost zero, and also use the approximation from before to say that

\frac{e}{N} \approx \frac{k}{d}

Note that

\frac{e}{N}

is composed of entirely public information, meaning we have access to an approximation to

\frac{k}{d}

, which is entirely private information.

Determining the Private Information

We can represent

\frac{e}{N}

as a continued fraction. If we go through the convergents of this fraction, we may come across

\frac{k}{d}

since

\frac{e}{N} \approx \frac{k}{d}

(

\frac{k}{d}

is a good approximation). This is more likely to work whendis smaller due to Legendre’s Theorem in Diophantine Approximations (TODO prove this), specifically when

d<\frac{1}{3}N^\frac{1}{4}

Once we list the convergents, we iterate through and there are a few checks we can make to determine whether or not it's the correct convergent:

As $ed \equiv 1 \mod \phi(N)$ and $\phi(N)$ is even, $d$ must be odd, so we can discard convergences with even denominators.

Since $\phi(N)$ must be a whole number, we can compute $\frac{ed - 1}{k}$ and see if it returns an integer or not - if not, we can discard the convergent.

Once we find a convergent we don't discard, we can assume it's

\phi(N)

and attempt to calculate

d

with that, seeing if the resultant private key yields a valid result or not. This can take a lot of decryption attempts to work successfully however - we can speed up the "checking" process using a quadratic equation.

Solving for p, q

If we say

N=pq

, it follows that:

\phi(N) = (p-1)(q-1) \\ \phi(N) = N - (p + q) + 1 \\ p + q = N - \phi(N) + 1

If we now consider a quadratic equation

(x-p)(x-q) = 0

, with the roots

p

and

q

being the prime factors of

N

, we can expand this and substitute:

(x-p)(x-q) = 0 \\ x^2 - (p+q)x + pq = 0 \\ x^2 - (N - \phi(N) + 1)x + N = 0

If our value of

\phi(N)

is correct, we can substitute this into the equation and solve it for two integer values

p

and

q

. If the values are not integer, the result can be discarded.