We shall illustrate this attack in the RSA signature context. Imagine
that Alice wants to send a signed message to Bob. For this purpose,
she carefully chooses two large primes p and q , and publishes
their product n=pq . She also chooses a public verification key v
according to . The secret signature key s is
computed so that
. Then, to sign a
message m , Alice computes
, and sends the pair
(m,S) to Bob. To verify that S effectively is the signature of
Alice corresponding to m , Bob checks whether
, where v is the public verification key of Alice.
We shall see that if the hardware is damaged, then a pirate can obtain some bits of the secret key s . Note that we do not deal with Chinese remaindering based implementations, because, as shown before, in this case one faulty computation modulo p or modulo q gives the secret factors of n .