Perhaps I'm missing something, but real-world RSA implementations are not vulnerable to this because they implement RSA blinding to prevent timing attacks (which prevents a magic a * b fault from being exploited deterministically) or verify the signature after creation (which protects against random faults, a very good idea anyway).
Something can't be "new" and "big" if it's been addressed in GnuPG, Crypto++ and others years ago. 8-P

The Cryptography Mailing List
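The two countermeasures the post names, verifying a signature under the public key before releasing it and base blinding of the input to the private-key operation, as an added example in Python; this is not code from the post or from GnuPG, Crypto++ or any other library it mentions. The toy key (two Mersenne primes), the hash-based message encoding and the simulated single-half CRT fault are all constructed for the demonstration and are not something a real implementation would use.

```python
"""Verify-after-sign and base blinding around RSA-CRT (toy parameters)."""
import hashlib
import math
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent (Python 3.8+ modular inverse)
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)           # Garner recombination constant


class FaultySignature(Exception):
    """Raised when a freshly computed signature fails the public-key self-check."""


def encode(msg: bytes) -> int:
    # Toy message representative: SHA-256 reduced mod N.  Real code uses a
    # standard encoding (PKCS#1 v1.5 or PSS); this only keeps the example offline.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_crt(m: int, fault_in_p: bool = False) -> int:
    # Plain RSA-CRT: two half-size exponentiations, then recombination.
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        # Simulated transient fault in one CRT half only (constructed for the
        # demonstration); the other half is still correct.
        sp ^= 1
    h = (QINV * (sp - sq)) % P
    return (sq + h * Q) % N


def verify(m: int, s: int) -> bool:
    # Public-key check; cheap compared with the private operation.
    return pow(s, E, N) == m


def sign_blinded(m: int, fault_in_p: bool = False) -> int:
    # Base blinding: the private operation runs on m * r^E for a fresh random r,
    # so its input is never the caller-chosen value; r^-1 removes the blind.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    return (sign_crt(blinded, fault_in_p) * pow(r, -1, N)) % N


def sign_checked(msg: bytes, fault_in_p: bool = False) -> int:
    # Verify-after-sign: a signature that does not verify is never released,
    # so a faulty (or otherwise wrong) value cannot leave the signer.
    m = encode(msg)
    s = sign_blinded(m, fault_in_p)
    if not verify(m, s):
        raise FaultySignature("signature failed self-check; not released")
    return s


def demo() -> tuple:
    # Returns (good signature verifies, faulty signature was caught).
    msg = b"constructed example message"
    good = verify(encode(msg), sign_checked(msg))
    try:
        sign_checked(msg, fault_in_p=True)
        caught = False
    except FaultySignature:
        caught = True
    return good, caught


if __name__ == "__main__":
    print(demo())
```

Because x -> x^E is a permutation of the residues mod N, exactly one value verifies for a given representative, so any corruption of either CRT half yields a signature the self-check rejects; the check costs one public-key exponentiation per signature.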