We shall illustrate this attack in the RSA signature context. Imagine
that Alice wants to send a signed message to Bob. For this purpose,
she carefully chooses two large primes *p* and *q*, and publishes
their product *n*=*pq*. She also chooses a public verification key *v*
according to . The secret signature key *s* is
computed so that . Then, to sign a
message *m*, Alice computes , and sends the pair
(*m*,*S*) to Bob. To verify that *S* is indeed Alice's signature
on *m*, Bob checks whether , where *v* is Alice's public verification key.

We shall see that if the hardware is damaged, then a pirate can obtain
some bits of the secret key *s*. Note that we do not deal with
implementations based on Chinese remaindering because, as shown before,
in that case a single faulty computation modulo *p* or modulo *q* reveals the
secret factors of *n*.
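
The following is an added example, not code from the original text: a non-CRT signer that checks each signature against the public key before releasing it, so a result corrupted by a hardware fault never reaches an observer. It assumes the textbook RSA relations (*sv* = 1 mod φ(*n*), *S* = *m*^*s* mod *n*, check *S*^*v* = *m* mod *n*); the toy primes, the value of *v*, and the names `sign`, `verify`, `checked_sign` and `fault_step` are constructed for illustration.

```python
from math import gcd

# Constructed toy key: both primes are Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                          # public modulus n = pq
PHI = (P - 1) * (Q - 1)
V = 65537                          # public verification key v (assumed value)
assert gcd(V, PHI) == 1
S_KEY = pow(V, -1, PHI)            # secret signature key s, with s*v = 1 mod phi(n)


class FaultDetected(Exception):
    """Raised when a freshly computed signature fails its own verification."""


def sign(m, fault_step=None):
    """Compute S = m^s mod n by left-to-right square-and-multiply (no CRT).

    fault_step is a hypothetical test knob: after that iteration one bit of
    the accumulator is flipped, modelling a transient hardware fault.
    """
    acc = 1
    for i, bit in enumerate(bin(S_KEY)[2:]):
        acc = acc * acc % N
        if bit == "1":
            acc = acc * m % N
        if i == fault_step:
            acc ^= 1
    return acc


def verify(m, sig):
    """Bob's check: S^v mod n must equal m."""
    return pow(sig, V, N) == m % N


def checked_sign(m, fault_step=None):
    """Sign, then verify with the public key before the value leaves the device."""
    sig = sign(m, fault_step)
    if not verify(m, sig):
        raise FaultDetected("signature failed self-check and was withheld")
    return sig
```

The self-check costs one extra public-key exponentiation per signature, which is cheap when *v* is small.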