Paper 2022/1202

Disorientation faults in CSIDH

Gustavo Banegas, Inria and Laboratoire d'Informatique de l'Ecole polytechnique, Institut Polytechnique de Paris, Palaiseau, France
Juliane Krämer, University of Regensburg, Germany
Tanja Lange, Eindhoven University of Technology, the Netherlands, Academia Sinica, Taipei, Taiwan
Michael Meyer, University of Regensburg, Germany
Lorenz Panny, Academia Sinica, Taipei, Taiwan
Krijn Reijnders, Radboud University, Nijmegen, The Netherlands
Jana Sotáková, University of Amsterdam and QuSoft, Amsterdam, The Netherlands
Monika Trimoska, Radboud University, Nijmegen, The Netherlands

We investigate a new class of fault-injection attacks against the CSIDH family of cryptographic group actions. Our disorientation attacks effectively flip the direction of some isogeny steps. We achieve this by faulting a specific subroutine, connected to the Legendre symbol or Elligator computations performed during the evaluation of the group action. These subroutines are present in almost all known CSIDH implementations. Post-processing a set of faulty samples allows us to infer constraints on the secret key. The details are implementation specific, but we show that in many cases, it is possible to recover the full secret key with only a modest number of successful fault injections and modest computational resources. We provide full details for attacking the original CSIDH proof-of-concept software as well as the CTIDH constant-time implementation. Finally, we present a set of lightweight countermeasures against the attack and discuss their security.

Available format(s)
Public-key cryptography
Publication info
Fault-injection attack isogenies of elliptic curves post-quantum cryptography
Contact author(s)
gustavo @ cryptme in
juliane kraemer @ ur de
tanja @ hyperelliptic org
michael @ random-oracles org
lorenz @ yx7 cc
krijn @ cs ru nl
j s sotakova @ uva nl
monika trimoska @ ru nl
2022-09-12: approved
2022-09-12: received
See all versions
Short URL
Creative Commons Attribution


      author = {Gustavo Banegas and Juliane Krämer and Tanja Lange and Michael Meyer and Lorenz Panny and Krijn Reijnders and Jana Sotáková and Monika Trimoska},
      title = {Disorientation faults in CSIDH},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1202},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.