The previous attack was implemented in order to check its
effectiveness. For a 512-bit RSA-modulus, we observed that if the
number of faulty bits is smaller than 20, then the length of the
tail is generally long and all the bits of the secret exponent s
can be recovered. The length
of the cycle is also of some
importance. The number of required faulty signatures actually depends
on it. To find the
first bits of s , we need to know
faulty signatures (see Eq. (4)).
Remark. Although quite efficient in practice, our attack is not fully optimized. It can be enhanced by searching collisions instead of cycles. This will be done in a future work.