Experimental results

The attack of the previous section was implemented to check its effectiveness. For a 512-bit RSA modulus, we observed that if the number of faulty bits is smaller than 20, then the length $\mu$ of the tail is generally long and all the bits of the secret exponent $s$ can be recovered. The length $\lambda$ of the cycle also matters, because the number of required faulty signatures depends on it: to find the first $\mu$ bits of $s$, we need to know $\mu+\lambda$ faulty signatures (see Eq. (4)).

Remark. Although quite efficient in practice, our attack is not fully optimized. It can be enhanced by searching for collisions instead of cycles. This will be done in future work.