The previous attack was implemented in order to check its
effectiveness. For a 512-bit RSA-modulus, we observed that if the
number of faulty bits is smaller than 20, then the length of the
tail is generally long and all the bits of the secret exponent *s*
can be recovered. The length of the cycle is also of some
importance. The number of required faulty signatures actually depends
on it. To find the first bits of *s* , we need to know
faulty signatures (see Eq. (4)).

*Remark.* Although quite efficient in practice, our
attack is not fully optimized. It can be enhanced by searching
collisions instead of cycles. This will be done in a future work.