jvdsn
GitHub Repository: jvdsn/crypto-attacks
Path: blob/master/attacks/rsa/d_fault_attack.py
import os
import sys
# Directory two levels above this file; presumably this is what makes the `shared` package
# importable when the script is run directly (confirm against the repository layout).
path = os.path.dirname(
    os.path.dirname(os.path.realpath(os.path.abspath(__file__)))
)
# Index 1 sits ahead of every later sys.path entry, so a module in this directory takes
# precedence over a same-named module found further down the search path.
if path != sys.path[1]:
    sys.path.insert(1, path)
from shared.partial_integer import PartialInteger
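def attack(n, e, sv, sf):
    """
    Recovers the bits of the private exponent d that were flipped during generation of signatures.
    More faulty signatures reveal more bits of d, assuming the bit flip positions are different.

    Each faulty signature is compared with the valid one against a table of m^(2^i) mod n:
    when sf_i / sv mod n is in the table, bit i of d is recorded as 0; when sv / sf_i mod n
    is in the table, bit i is recorded as 1. Positions never matched stay None (unknown).

    NOTE(review): the base m is fixed at 2 and e is never read, so the table only matches
    signatures computed over the value 2 -- confirm with the callers that this is intended.

    A signer that verifies each signature with the public key before releasing it does not
    hand out the faulty values this computation depends on.

    :param n: the modulus
    :param e: the public exponent
    :param sv: the valid signature
    :param sf: the list of faulty signatures: for each entry in this list, at most one bit in d should have been flipped during signature generation
    :return: a PartialInteger containing the known and unknown bits of d
    :raises ValueError: if sv, or an entry of sf, has no inverse modulo n
    """
    bit_count = n.bit_length()
    d_bits = [None] * bit_count
    m = 2

    # Build m^(2^i) mod n -> i by repeated squaring: one modular squaring per entry instead
    # of a full modular exponentiation with a 2^i-sized exponent for each i.
    # Later i overwrites earlier i on a repeated value, as in a dict comprehension.
    mi = {}
    power = None
    for i in range(bit_count):
        power = m % n if power is None else power * power % n
        mi[power] = i

    # The inverse of sv does not depend on the faulty signature, so it is computed once.
    # It is computed lazily so that an empty sf still never touches sv.
    sv_inv = None
    for sfi in sf:
        if sv_inv is None:
            sv_inv = pow(sv, -1, n)

        di0 = sv_inv * sfi % n
        di1 = sv * pow(sfi, -1, n) % n
        if di0 in mi:
            d_bits[mi[di0]] = 0
        if di1 in mi:
            d_bits[mi[di1]] = 1

    return PartialInteger.from_bits_le(d_bits)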