Disorientation Faults in CSIDH

We investigate a new class of fault-injection attacks against the CSIDH family of cryptographic group actions. Our disorientation attacks effectively flip the direction of some isogeny steps. We achieve this by faulting a specific subroutine, connected to the Legendre symbol or Elligator computations performed during the evaluation of the group action. These subroutines are present in almost all known CSIDH implementations. Post-processing a set of faulty samples allows us to infer constraints on the secret key. The details are implementation specific, but we show that in many cases, it is possible to recover the full secret key with only a modest number of successful fault injections and modest computational resources. We provide full details for attacking the original CSIDH proof-of-concept software as well as the CTIDH constant-time

∗ Author list in alphabetical order; see https://ams.org/profession/leaders/CultureStatement04.pdf. This work began at the online Lorentz Center workshop “Post-Quantum Cryptography for Embedded Systems” held in February 2022. This research was funded in part by the European Commission through H2020 SPARTA,


Introduction
Isogeny-based cryptography is a contender in the ongoing quest for post-quantum cryptography. Perhaps the most attractive feature is small key size, but there are other reasons in favor of isogenies: Some functionalities appear difficult to construct from other paradigms. For instance, the CSIDH [15] scheme gives rise to non-interactive key exchange. CSIDH uses the action of an ideal-class group on a set of elliptic curves to mimic (some) classical constructions based on discrete logarithms, most notably the Diffie-Hellman key exchange. Recently, more advanced cryptographic protocols have been proposed based on the CSIDH group action: the signature schemes SeaSign [22] and CSI-FiSh [8], threshold schemes [23], oblivious transfer [27], and more. The main drawback of isogeny-based cryptography is speed: CSIDH takes hundreds of times longer to complete a key exchange than pre-quantum elliptic-curve cryptography (ECC).
The group action in CSIDH and related schemes is evaluated by computing a sequence of small-degree isogeny steps; the choice of degrees and "directions" is the private key. Thus, the control flow of a straightforward implementation is directly related to the secret key, which complicates side-channel resistant implementations [3,7,12,26,30,31].
In a side-channel attack, passive observations of physical leakage (such as timing differences, electromagnetic emissions, or power consumption) during the execution of sensitive computations help an attacker infer secret information. A more intrusive class of physical attacks are fault-injection attacks or fault attacks: By actively manipulating the execution environment of a device (for instance, by altering the characteristics of the power supply, or by exposing the device to electromagnetic radiation), the attacker aims to trigger an error during the execution of sensitive computations and later infer secret information from the outputs, which are now potentially incorrect, i.e., faulty.
Two major classes of faults are instruction skips and variable modifications. Well-timed skips of processor instructions can have far-reaching consequences, e.g., omitting a security check entirely, or failing to erase secrets which subsequently leak into the output. Variable modifications may reach from simply randomized CPU registers to precisely targeted single-bit flips. They cause the software to operate on unexpected values, which (especially in a cryptographic context) may lead to exploitable behavior. In practice, the difficulty of injecting a particular kind of fault (or a combination of multiple faults) depends on various parameters; generally speaking, less targeted faults are easier.

Our contributions.
We analyze the behavior of existing CSIDH implementations under a new class of attacks that we call disorientation faults. These faults occur when the attacker confuses the algorithm about the orientation of a point used during the computation: The effect of such an error is that a subset of the secret-dependent isogeny steps will be performed in the opposite direction, resulting in an incorrect output curve.
The placement of the disorientation fault during the algorithm influences the distribution of the output curve in a key-dependent manner. We explain how an attacker can post-process a set of faulty outputs to fully recover the private key. This attack works against almost all existing CSIDH implementations.
To simplify exposition we first assume access to a device that applies a secret key to a given public key (i.e., computing the shared key in CSIDH) and returns the result (e.g., a hardware security module providing a CSIDH accelerator). We also discuss variants of the attack with weaker access; this includes a hashed version where faulty outputs are not revealed as-is, but passed through a key-derivation function first, as is commonly done for a Diffie-Hellman-style key exchange, and made available to the attacker only indirectly, e.g., as a MAC under the derived key.
Part of the tooling for the post-processing stage of our attack is a somewhat optimized meet-in-the-middle path-finding program for the CSIDH isogeny graph, dubbed pubcrawl. This software is intentionally kept fully generic with no restrictions specific to the fault-attack scenario we are considering, so that it may hopefully be usable out of the box for other applications requiring "small" neighborhood searches in CSIDH in the future. Applying expensive but feasible precomputation can speed up post-processing for all attack variants and is particularly beneficial to the hashed version of the attack.
To defend against disorientation faults, we provide a set of countermeasures. We show different forms of protecting an implementation and discuss the pros and cons of each of the methods. In the end, we detail two of the protections that we believe give the best security. Both of them are lightweight, and they do not significantly add to the complexity of the implementation.

Note on security.
We emphasize that CSIDH, its variants, and the protocols based on the CSIDH group action are not affected by the recent attacks that break the isogeny-based scheme SIDH [14,29,34]. These attacks exploit specific auxiliary information which is revealed in SIDH but does not exist in CSIDH.
CSIDH is a relatively young cryptosystem, being introduced only in 2018, but it is based on older systems due to Couveignes [21] and Rostovtsev and Stolbunov [35] which have received attention since 2006. The best non-quantum attack is a meet-in-the-middle attack running in $O(\sqrt[4]{p})$; a low-memory version was developed in [24]. On a large quantum computer Kuperberg's attack can be mounted as shown in [19]. This attack runs in $L_{\sqrt{p}}(1/2)$ calls to a quantum oracle. The number of oracle calls was further analyzed in [9] and [33] for concrete parameters, while [7] analyzes the costs per oracle call in number of quantum operations. Combining these results shows that breaking CSIDH-512 requires around $2^{60}$ qubit operations on logical qubits, i.e., not taking into account the overhead for quantum error correction. Implementation papers such as CTIDH [3] use the CSIDH-512 prime for comparison purposes and also offer larger parameters. Likewise, we use the CSIDH-512 and CTIDH-512 parameters for concrete examples.

Related work.
Prior works investigating fault attacks on isogeny-based cryptography mostly target specific variants or implementations of schemes and are different from our approach. Loop-abort faults on the SIDH cryptosystem [25], discussed for CSIDH in [10], lead to leakage of an intermediate value of the computation rather than the final result. Replacing torsion points with other points in SIDH [36,37] can be used to recover the secret keys; faulting intermediate curves in SIDH [2] to learn if secret isogeny paths lead over subfield curves can also leak information on secret keys. But the two latter attacks cannot be mounted against CSIDH due to the structural and mathematical differences between SIDH and CSIDH.
Recently, several CSIDH-specific fault attacks were published. One can modify memory locations and observe if this changes the resulting shared secret [11]. A different attack avenue is to target fault injections against dummy computations in CSIDH [10,28]. We emphasize that these are attacks against specific implementations and variants of CSIDH. Our work, in contrast, features a generic approach to fault attacks, exploiting an operation and data flow present in almost all current implementations of CSIDH.

Background
CSIDH is based on a group action on a certain set of elliptic curves. We explain the setup of CSIDH in Section 2.1 and relevant algorithmic aspects in Section 2.2. We assume some familiarity with elliptic curves and isogenies; the reader may consult [15] for more details.
We define $\mathcal{E}$ to be the set of supersingular elliptic curves over $\mathbb{F}_p$ in Montgomery form, up to $\mathbb{F}_p$-isomorphism. All such curves admit an equation of the form
Isogeny steps. For any $\ell_i$ and any $E_A \in \mathcal{E}$ there are two $\ell_i$-isogenies, each leading to another curve in $\mathcal{E}$. One has kernel generated by any point $P_+$ of order $\ell_i$ with both coordinates in $\mathbb{F}_p$. We say this $\ell_i$-isogeny is in the positive direction and the point $P_+$ has positive orientation. The other $\ell_i$-isogeny has kernel generated by any point $P_-$ of order $\ell_i$ with $x$-coordinate in $\mathbb{F}_p$ but $y$-coordinate in $\mathbb{F}_{p^2} \setminus \mathbb{F}_p$. We say this isogeny is in the negative direction and the point $P_-$ has negative orientation. Replacing $E_A$ by the codomain of a positive and negative $\ell_i$-isogeny from $E_A$ is a positive and negative $\ell_i$-isogeny step, respectively. As the name suggests, a positive and a negative $\ell_i$-isogeny step cancel.
Fix $i \in \mathbb{F}_{p^2} \setminus \mathbb{F}_p$ with $i^2 = -1 \in \mathbb{F}_p$ and note that a negatively oriented point is necessarily of the form $(x, iy)$ with $x, y \in \mathbb{F}_p$. Moreover, $x \in \mathbb{F}_p^*$ defines a positively oriented point on $E_A$ whenever $x^3 + Ax^2 + x$ is a square in $\mathbb{F}_p$, and a negatively oriented point otherwise.
The group action. It is a non-obvious, but very useful fact that the isogeny steps defined above commute: Any sequence of them can be rearranged arbitrarily without changing the final codomain curve [15]. Thus, taking a combination of various isogeny steps defines a group action of the abelian group $(\mathbb{Z}^n, +)$ on $\mathcal{E}$: The vector $(e_1, \ldots, e_n) \in \mathbb{Z}^n$ represents $|e_i|$ individual $\ell_i$-isogeny steps, with the sign of $e_i$ specifying the orientation: if $\mathfrak{l}_i$ denotes a single positive $\ell_i$-isogeny step, the action of $(e_1, \ldots, e_n) \in \mathbb{Z}^n$ on a curve $E$ denotes the sequence of steps
We refer to $(e_1, \ldots, e_n)$ as an exponent vector.

Algorithmic aspects
Every step is an oriented isogeny, so applying a single $\mathfrak{l}_i^{\pm 1}$ step requires a point $P$ with two properties: $P$ has order $\ell_i$ and the right orientation. The codomain of $E \to E/\langle P \rangle$ is computed using either the Vélu [39] or √élu [5] formulas.
Determining orientations. All state-of-the-art implementations of CSIDH use $x$-only arithmetic and completely disregard $y$-coordinates. So, we sample a point $P$ by sampling an $x$-coordinate in $\mathbb{F}_p$. To determine the orientation of $P$, we then find the field of definition of the $y$-coordinate, e.g., through a Legendre symbol computation. An alternative method is the "Elligator 2" map [6] which generates a point of the desired orientation.

Sampling order-ℓ points.
There are several methods to compute points of given order $\ell$. The following Las Vegas algorithm is popular for its simplicity and efficiency: As above, sample a uniformly random point $P$ of either positive or negative orientation, and compute $Q := [(p + 1)/\ell]P$. Since $P$ is uniformly random in a cyclic group of order $p + 1$, the point $Q$ has order $\ell$ with probability $1 - 1/\ell$. With probability $1/\ell$, we get Filtering for points of a given orientation is straightforward.
Multiple isogenies from a single point. To amortize the cost of sampling points and determining orientations, implementations usually pick some set $S$ of indices of exponents of the same sign, and attempt to compute one isogeny per degree $\ell_i$ with $i \in S$ from one point. If $d = \prod_{i \in S} \ell_i$ and $P$ a random point, then the point we can use it to construct an isogeny step for $\ell_i \in S$. The image of $Q$ under that isogeny has the same orientation as $P$ and $Q$ and order dividing $d/\ell_i$, so we continue with the next $\ell_j$.
In CSIDH and its variants, the set $S$ of isogeny degrees depends on the secret key and the orientation $s$ of $P$. For example in Algorithm 1 (from [15]), for the first point that is sampled with positive orientation, the set $S$ is $\{i \mid e_i > 0\}$.
Sample a random $x \in \mathbb{F}_p$, defining a point $P$.
3: Set $s \leftarrow$ IsSquare(
for each $i \in S$ do
7: Set
Compute $\varphi : E_A \to E_B$ with kernel $\langle R \rangle$.

The order of a random point $P$ is not divisible by $\ell_i$ with probability $1/\ell_i$. This means that in many cases, we will not be able to perform an isogeny for every $i \in S$, but only for some (large) subset $S' \subset S$ due to $P$ lacking factors $\ell_i$ in its order for those remaining $i \in S \setminus S'$. In short, a point $P$ performs the action $\prod_{i \in S'} \mathfrak{l}_i^{s}$ for some $S' \subset S$, with $s$ the orientation of $P$ (interpreted as $\pm 1$). Sampling a point and computing the action $\prod_{i \in S'} \mathfrak{l}_i^{s}$ is called a round; we perform rounds for different sets $S$ until we compute the full action $\mathfrak{a} = \prod \mathfrak{l}_i^{e_i}$.
Strategies. There are several ways of computing the group action as efficiently as possible, usually referred to as strategies. The strategy in Algorithm 1 is called multiplicative strategy [7,15,31]. Other notable strategies from the literature are the SIMBA strategy [30], point-pushing strategies [18], and atomic blocks [3].

1-point and 2-point approaches.
The approach above and in Algorithm 1 samples a single point, computes some isogenies with the same orientation, and repeats this until all steps $\mathfrak{l}_i^{\pm 1}$ are processed. This approach, introduced in [15], is called 1-point approach. In contrast, one can sample two points per round, one with positive and one with negative orientation, and attempt to compute isogenies for each degree $\ell_i$ per round, independent of the sign of the $e_i$ [32]. Constant-time algorithms require choosing $S$ independent of the secret key, and all state-of-the-art constant-time implementations use the 2-point approach, e.g., [3,17].

Attack scenario and fault model
Throughout this work, we assume physical access to some hardware device containing an unknown CSIDH private key $\mathfrak{a}$. In the basic version of the attack, we suppose that the device provides an interface to pass in a CSIDH public-key curve $E$ and receive back the result $\mathfrak{a} * E$ of applying $\mathfrak{a}$ to the public key $E$ as in the second step of the key exchange.
Remark 1. Diffie-Hellman-style key agreements typically hash the shared secret to derive symmetric key material, instead of directly outputting curves as in our scenario. Our attacks are still applicable in this hashed version of the attack, although the complexity for post-processing steps from Section 4 will increase significantly. To simplify exposition, we postpone this discussion to Section 7.
We assume that the attacker is able to trigger an error during the computation of the orientation of a point in a specific round of the CSIDH algorithm: whenever a point $P$ with orientation $s \in \{-1, 1\}$ is sampled during the algorithm, we can flip the orientation $s \to -s$ as shown below. This leads to some isogenies being computed in the opposite direction throughout the round. The effect of this flip will be explored in Section 4.

Square check.
In CSIDH, cf. Algorithm 1, the point $P$ is generated in Step 2 and its orientation $s$ is determined in Step 3. The function IsSquare determines $s$ by taking as input the non-zero value $z = x^3 + Ax^2 + x$, and computing the Legendre symbol of $z$. Hence, $s = 1$ when $z$ is a square and $s = -1$ when $z$ is not a square. Many implementations simply compute $s \leftarrow z^{\frac{p-1}{2}}$. A successful fault injection in the computation $z \leftarrow x^3 + Ax^2 + x$, by skipping an instruction or changing the value randomly, ensures random input to IsSquare and so in about half of the cases the output will be flipped by $s \to -s$.
In the other half of the cases, the output of IsSquare remains $s$. The attacker knows the outcome of the non-faulty computation and can thus discard those outputs and continue with those where the orientation has been flipped.
Remark 2. There are other ways to flip the orientation $s$. For example, one can also inject a random fault into $x$ after $s$ has been computed, which has a similar effect. The analysis and attack of Sections 4 and 5 apply to all possible ways to flip $s$, independent of the actual fault injection. The countermeasures introduced in Section 9 prevent all possible ways to flip $s$ that we know of.
Faulting the Legendre symbol computation in IsSquare, in general, leads to a random $\mathbb{F}_p$-value as output instead of $\pm 1$. The interpretation of this result is heavily dependent on the respective implementation. For instance, the CSIDH implementation from [15] interprets the output as boolean value by setting $s = 1$ if the result is $+1$, and $-1$ otherwise. In this case, faults mostly flip in one direction: from positive to negative orientation. Thus, faulting the computation of $z$ is superior in our attack setting.
Elligator. Implementations using a 2-point strategy often use Elligator 2 [6]. On input of a random value, Elligator computes two points $P$ and $P'$ of opposite orientations. An IsSquare check is used to determine the orientation of $P$. If $P$ has positive orientation, we set $P_+ \leftarrow P$ and $P_- \leftarrow P'$. Otherwise, set $P_+ \leftarrow P'$ and $P_- \leftarrow P$. Again, we can fault the input to this IsSquare check, which flips the assignments to $P_+$ and $P_-$; hence, the orientation of both points is flipped.
As before, this means that all isogenies computed using either of these points are pointing in the wrong direction. A notable exception is CTIDH, where two independent calls to Elligator are used to produce points for the 2-point strategy. This is due to security considerations, and the algorithmic and attack implications are detailed in Section 5.2.
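The two fault models compared above can be checked exactly on a small field. The following is an added illustration, not code from the paper or from any CSIDH implementation; the toy prime $p = 419$, the choice $A = 0$ and the function names are assumptions made for the example.

```python
from fractions import Fraction

# Toy CSIDH-style prime p = 4*3*5*7 - 1 = 419 (constructed for illustration,
# far too small for real use).
P = 4 * 3 * 5 * 7 - 1


def legendre(z: int, p: int = P) -> int:
    """Euler's criterion z^((p-1)/2) mod p, mapped to +1 / -1 (z non-zero)."""
    return 1 if pow(z, (p - 1) // 2, p) == 1 else -1


def flip_rate_when_input_is_randomised(a_coeff: int = 0, p: int = P) -> Fraction:
    """Exact fraction of cases in which IsSquare(z') differs from IsSquare(z).

    z = x^3 + A x^2 + x is the honest input for each x; z' ranges over every
    non-zero field element, modelling a fault that randomises the input.
    """
    symbols = {z: legendre(z, p) for z in range(1, p)}
    flips = total = 0
    for x in range(1, p):
        z = (x**3 + a_coeff * x**2 + x) % p
        if z == 0:  # IsSquare is only called on non-zero values
            continue
        for z_faulty in range(1, p):
            total += 1
            flips += symbols[z_faulty] != symbols[z]
    return Fraction(flips, total)


def flip_rate_when_output_is_randomised(honest_s: int, p: int = P) -> Fraction:
    """Fault replaces the Legendre output by a uniform value v in F_p.

    The boolean interpretation described above is applied afterwards:
    s = +1 if v == 1, and s = -1 for every other value.
    """
    flips = sum(1 for v in range(p) if (1 if v == 1 else -1) != honest_s)
    return Fraction(flips, p)


if __name__ == "__main__":
    print("input faulted :", flip_rate_when_input_is_randomised())
    print("output faulted, honest s=+1:", flip_rate_when_output_is_randomised(1))
    print("output faulted, honest s=-1:", flip_rate_when_output_is_randomised(-1))
```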

Exploiting orientation flips
In Section 3, we defined an attack scenario that allows us to flip the orientation $s$ in Line 3. If this happens, the net effect is that we will select an incorrect set $S'$ with opposite orientation, and hence perform an isogeny walk in the opposite direction for all the indices in $S'$. Equivalently, the set $S$ selected in Line 3 has opposite orientation to the point $P$. For simplicity, we will always fix the set $S$ first and talk about the point $P$ being flipped. We assume that we can successfully flip the orientation in any round $r$, and that we get the result of the faulty evaluation, which is some faulty curve $E_t \neq \mathfrak{a} * E$.
We first study the effect of orientation flips for full-order points in Section 4.2, and then discuss effects of torsion in Section 4.3 and Section 4.4. We organize the faulty curves into components according to their orientation and round in Section 4.5 and study the distance of components from different rounds in Section 4.6. In Section 4.7, we use faulty curves to recover the secret key $\mathfrak{a}$.

Implications of flipping the orientation of a point
In this section, all points will have full order, so Line 7 never skips an $i$.
Suppose we want to evaluate the group action $\prod_{i \in S} \mathfrak{l}_i * E_A$ for some set of steps $S$. Suppose we generate a negatively oriented point $P$, but flip its orientation. This does not change the point (still negatively oriented), but if we use $P$ to evaluate the steps in what we believe is the positive direction, we will in fact compute the steps in the negative direction: More generally, if we want to take steps in direction $s$ and use a point of opposite orientation, we actually compute the curve $E_f = \prod_{i \in S} \mathfrak{l}_i^{-s} * E_A$.
Suppose we flip the orientation of a point in one round of the isogeny computation $E_B = \mathfrak{a} * E_A$ and the rest of the computation is performed correctly. The resulting curve $E_t$ is called a faulty curve. If the round was computing steps for isogenies in $S$ with direction $s$, the resulting curve satisfies $E_B = \prod_{i \in S} \mathfrak{l}_i^{2s} * E_t$, that is, the faulty curve differs from the correct curve by an isogeny whose degree is given by the (squares of) primes $\ell_i$ for $i \in S$, the set $S$ in the round we faulted. We call $S$ the missing set of $E_t$.
Distance between curves. We define the distance $d$ between two curves $E$ and $E'$ as the lowest number of different degrees for isogenies $\varphi : E \to E'$. Note that the distance only tells us how many primes we need to connect two curves, without keeping track of the individual primes $\ell_i$ or their multiplicity. Specifically for a faulty curve with $E_B = \prod_{i \in S} \mathfrak{l}_i^{2s} * E_t$, we define the distance to $E_B$ as the number of flipped steps $|S|$. Note that each $\mathfrak{l}_i$ appears as a square; this gets counted once in the distance.
Positive and negative primes. Suppose the secret key $\mathfrak{a}$ is given by the exponent vector $(e_i)$. Then every $\ell_i$ is used to take $e_i$ steps in direction $\operatorname{sign}(e_i)$. Define the set of positive primes $L_+ := \{i \mid e_i > 0\}$, negative primes $L_- := \{i \mid e_i < 0\}$, and neutral primes $L_0 := \{i \mid e_i = 0\}$. For 1-point strategies and any faulty curve $E_t$ with missing set $S$, we always have $S \subset L_+$ or $S \subset L_-$. However, using 2-point strategies, the sets $S$ may contain positive and negative primes. We use the terminology 'flipping a batch' when we refer to the effect of an orientation flip to the primes being performed: when we flip the orientation $s$ of a negative point from negative to positive, the final result has performed a batch of positive primes in the negative direction.
Example 1. Take CSIDH-512. Assume we flip the orientation $s \to -s$ of the first point $P$. From Algorithm 1, we see the elements of $S$ are exactly those $i$ such that $|e_i| \geq 1$ and $\operatorname{sign}(e_i) = -s$. Therefore, we have $S = L_{-s}$.

Faulty curves and full-order points
We continue to assume that all points have full order, so Line 7 never skips an $i$, and analyze which faulty curves we obtain by flipping the orientation in round $r$. We treat the general case in Section 4.3 and Section 4.4.
Effective curves. For any strategy (cf. Section 2.2), the computation in round $r$ depends on what happened in previous rounds. In a 2-point strategy, we sample both a negative and a positive point and use them to perform the isogenies in both directions. So assuming points of full order, the round-$r$ computation and the set $S$ do not depend on the previous round but only the secret key.
In a 1-point strategy, we sample 1 point per round, and only perform isogenies in the direction of that point. So the set $S$ in round $r$ depends additionally on what was computed in previous rounds. However, the computation in round $r$ only depends on previous rounds with the same orientation. The orientation of a round refers to which primes were used. Hence, a positive round means that the steps were performed for the positive primes, in the positive or negative direction.
Notation. Let $+$ and $-$ denote the positive and negative orientation, respectively. For a 1-point strategy, we encode the choices of orientations by a sequence of $\pm$. We denote the round $r$ in which we flip the orientation of a point by parentheses $(\cdot)$. We truncate the sequence at the moment of the fault because the rest of the computation is computed correctly. Hence, $++(-)$ means a computation starting with the following three rounds: the first two rounds were positive, the third one was a negative round with a flipped orientation, so the steps were computed for the negative primes, but in the positive direction.
Consider a flip of orientation in the second round. There are four possible scenarios:
$+(+)$. Two positive rounds, but the second positive batch of primes was flipped and we took the steps in negative direction instead.
$+(-)$. One positive round, one negative batch flipped to the positive direction.
$-(+)$. One negative round, one positive batch flipped to the negative direction.
$-(-)$. Two negative rounds, the second negative batch flipped to positive.
All four cases are equally likely to appear for 1-point strategies, but result in different faulty curves. Since the computation only depends on previous rounds with the same orientation, the case $+(-)$ is easily seen to be the same as $(-)$ and $++(-)$: all three are cases where the orientation of the point was flipped the first time a negative round occurred. However, the cases $+(+)$ and $-(+)$ are different: the latter is equivalent to $(+)$. For example, in CSIDH, the set $S$ for $(+)$ is $\{i \mid e_i \geq 1\}$, and the set $S'$ for $+(+)$ is $\{i \mid e_i \geq 2\}$, differing exactly at the primes for which $e_i = 1$.
Effective round. Let $E_{r,+}$ be the faulty curve produced by the sequence $+\cdots+(+)$ of length $r$, and $E_{r,-}$ the curve produced by sequence $-\cdots-(-)$. We call the curves $E_{r,\pm}$ effective round-$r$ curves. For a 2-point strategy, all faulty curves from round $r$ are effective round-$r$ curves. For 1-point strategies, effective round-$r$ curves can be produced from other sequences as well, e.g. $+(-)$ produces the effective round 1 curve $E_{1,-}$ and $++--+(-)$ produces an effective round-3 curve $E_{3,-}$. To get an effective round-$r$ sample $E_{r,+}$ from a round $n$, the last sign in the sequence must be $(+)$, and the sequence must contain a total of $r$ pluses.

Lemma 4.1. Assume we use a 1-point strategy. The probability to get any effective round-$r$ sample if we successfully flip in round $n$ is equal to
For a 2-point strategy, all curves resulting from a fault in round $r$ are effective round-$r$ curves.
Torsion sets $S_{r,+}$ and $S_{r,-}$. Define the set $S_{r,s}$ as the missing set of the effective round-$r$ curve with orientation $s$, i.e., $E_B = \prod_{i \in S_{r,s}} \mathfrak{l}_i^{2s} * E_{r,s}$.
Example 3 (CSIDH). The sets $S_{1,\pm}$ were already discussed in Example 1. In general, $S_{r,+} = \{i \mid e_i \geq r\}$ and $S_{r,-} = \{i \mid e_i \leq -r\}$.
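A toy model of the 1-point analysis in this section, added here as an illustration and not taken from the paper's software. Assumptions: curves are represented by the vector of net steps applied to the starting curve (relations in the class group are ignored), every point has full order, indices are 0-based, and the key and function names are constructed for the example.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def faulty_curve(e, rounds):
    """Net step vector reached when the LAST round in `rounds` is flipped.

    rounds is a sequence of +1/-1 saying which batch (positive or negative
    primes) each round handles; all rounds after the fault are assumed correct.
    """
    remaining = list(e)          # steps still to be taken per prime
    curve = [0] * len(e)         # steps actually taken so far
    last = len(rounds) - 1
    for idx, s in enumerate(rounds):
        direction = -s if idx == last else s   # flipped round walks backwards
        for i, left in enumerate(remaining):
            if left * s > 0:                   # prime i belongs to this batch
                curve[i] += direction
                remaining[i] -= s              # the algorithm believes it took a step
    # the rest of the computation finishes the remaining steps correctly
    return tuple(c + left for c, left in zip(curve, remaining))


def missing_set(e, rounds):
    """Indices i where E_B and the faulty curve differ (always by 2s steps)."""
    s = rounds[-1]
    diff = [eb - et for eb, et in zip(e, faulty_curve(e, rounds))]
    if any(d not in (0, 2 * s) for d in diff):
        raise ValueError("difference is not of the form 2s on a subset")
    return frozenset(i for i, d in enumerate(diff) if d)


def effective_round(rounds):
    """(r, s): s is the flipped batch, r counts rounds with that orientation."""
    s = rounds[-1]
    return sum(1 for t in rounds if t == s), s


def torsion_set(e, r, s):
    """S_{r,+} = {i | e_i >= r} for s = +1 and S_{r,-} = {i | e_i <= -r} for s = -1."""
    return frozenset(i for i, ei in enumerate(e) if ei * s >= r)


def effective_round_distribution(n):
    """Distribution of (r, s) over all equally likely sign sequences of length n."""
    counts = Counter(effective_round(seq) for seq in product((1, -1), repeat=n))
    return {key: Fraction(c, 2**n) for key, c in counts.items()}


if __name__ == "__main__":
    key = (2, -1, 1, 0, -3)      # constructed exponent vector
    for seq in product((1, -1), repeat=2):
        r, s = effective_round(seq)
        print(seq, "-> effective round", r, "sign", s, "missing", sorted(missing_set(key, seq)))
```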

Missing torsion: faulty curves and points of non-full order
In Section 4.2, we worked under the unrealistic assumption that all points we encounter have full order. In this section, we relax this condition somewhat: we assume that every point had full order (and hence all isogenies were computed) up until round $r$, but the point $P$ generated in round $r$ potentially has smaller order. We call this the missing torsion case. The remaining relaxation of non-full order points in earlier rounds will be concluded in Section 4.4.
If the point $P$ used to compute isogenies in round $r$ does not have full order, the faulty curve $E_t$ will differ from the effective round-$r$ curve $E_{r,s}$ by the primes $\ell_i$ with $i \in S_{r,s}$ which are missing in the order of $P$.

Round-r faulty curves.
For simplicity, assume that we are in round $r$, in the case $+\cdots+(+)$, and that none of the isogenies in the previous rounds failed. In round $r$, a negative point $P$ is sampled, but we flip its orientation, so the batch of positive primes will be computed in the negative direction.
If the point $P$ has full order, we obtain the curve $E_{r,+}$ at the end of the computation, which differs from $E_B$ exactly at primes contained in $S_{r,+}$. If, however, the point $P$ does not have full order, a subset $S \subset S_{r,+}$ of steps will be computed, leading to a different faulty curve $E_t$. By construction, the curve i * E t .
Assume we repeat this fault in $T$ runs, leading to different faulty curves $E_t$. Let $n(E_t)$ be the number of times the curve $E_t$ occurs among the $T$ samples. For each such $E_t$, we know $E_B = \prod_{i \in S_t} \mathfrak{l}_i^{2s} * E_t$, where $S_t \subset S_{r,+}$ is determined by the order of $P_t$. As $P_t$ is a randomly sampled point, it has probability $\frac{\ell_i - 1}{\ell_i}$ that its order is divisible by $\ell_i$, and so probability $\frac{1}{\ell_i}$ that its order is not divisible by $\ell_i$. This gives us directly the probability to end up at $E_t$: the order of the point $P_t$ should be divisible by all $\ell_i$ for $i \in S_t$, but not by those $\ell_i$ for $i \in S_{r,+} \setminus S_t$. This is captured in the following result.
Proposition 4.2. Let $P_t$ be a random negative point, where we flip the orientation $s$ to positive. The probability that we compute the faulty curve
Proof. The probability of obtaining $E_t$ is equal to the probability that the order of the point $P_t$ is divisible by all the primes in $S_t$ and not divisible by all the primes in $S_{r,+} \setminus S_t$. The first happens with probability $\prod_{i \in S_t} \frac{\ell_i - 1}{\ell_i}$; the second is an independent event happening with probability $\prod_{i \in S_{r,+} \setminus S_t} \frac{1}{\ell_i}$.
In CTIDH, the success probability of each point is made to match that of the smallest prime in the batch to hide which prime is handled. But for fixed batches, an analogous result to Proposition 4.2 can be given.
The expected number of appearances ℓi for all $\ell_i$, the probability $p_t$ is maximal when $S_t = S_{r,+}$. We denote this probability by $p_{r,+}$. Hence, the curve that is likely to appear the most in this scenario over enough samples, is the curve $E_{r,+}$ which we defined as precisely that curve with missing set $S_{r,+}$. For now, we focused solely on the positive curves. Taking into account the negative curves too, we get:
. Then $E_{r,+}$ and $E_{r,-}$ have the highest probability to appear among the effective round-$r$ faulty curves. As a consequence, the largest two values $n(E)$ of all effective round-$r$ curves are most likely $n(E_{r,+})$ and $n(E_{r,-})$.
Example 4 (CSIDH). Take the set $S_{1,+} = \{i \mid e_i \geq 1\}$ and let $p_{1,+}$ denote the probability that a random point $P$ has order divisible by all primes in $S_{1,+}$. This probability depends on the secret key $(e_i)$, but can be estimated if we collect enough faulty curves. Moreover, if $e_1 \neq 0$, then $\ell_1 = 3$ dominates either $p_{1,+}$ or $p_{1,-}$ through the relatively small probability of $2/3$ that $P$ has order divisible by 3. Thus, if the largest pile of faulty curves is $E_{1,\pm}$, we expect $S_{1,\pm}$ not to contain 1. For instance, if $e_1$ is positive, $p_{1,-}$ is larger than $p_{1,+}$ and so we expect $n(E_{1,-})$ to be larger than $n(E_{1,+})$. In this case, we would expect to see another faulty curve $E_t$ with $n(E_t)$ half the size of $n(E_{1,+})$; this curve $E_t$ has almost full missing set $S_{1,+}$, but does not miss the 3-isogeny. That is, $S_t = S_{1,+} \setminus \{1\}$, with probability
This curve $E_t$ is very "close" to $E_{1,+}$; they are distance 1 apart, precisely by $\mathfrak{l}_1^2$. The precise probabilities $p_{r,+}$ and $p_{r,-}$ depend highly on the specific implementation we target. Given an implementation, the values of $p_{r,+}$ and $p_{r,-}$ allow for a concrete estimate on the size of $n(E)$ for a specific curve $E$.
Because $\ell_i$ that are missing in the order of $P_t$ skip the misoriented steps, the curves in the neighborhood of $E_{r,+}$ differ by two $\ell_i$-isogenies for $i \in S_{r,+} \setminus S_t$ in positive direction while those around $E_{r,-}$ differ by two $\ell_i$-isogenies for $i \in S_{r,-} \setminus S_t$ in negative direction.
Corollary 4.4 will be essential to recover information on $S_{r,+}$ out of the samples $E_t$: Recovering small isogenies between samples allows us to deduce which $i$ are in $S_{r,+}$ or $S_{r,-}$, and so leaks information about $e_i$.
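The probabilities from the proof of Proposition 4.2 and the pile sizes discussed in Example 4 can be tabulated exactly. This is an added worked example, not the paper's tooling; the set of primes standing in for $S_{r,+}$ and the function names are constructed, and sets are keyed by the primes $\ell_i$ rather than by their indices.

```python
from fractions import Fraction
from itertools import combinations


def missing_set_distribution(primes):
    """Probability of each S_t, a subset of S_{r,+}, for one faulted round.

    A prime l in S_t divides the order of the random point (probability
    (l-1)/l); a prime in S_{r,+} but not in S_t does not (probability 1/l).
    """
    primes = tuple(primes)
    dist = {}
    for k in range(len(primes) + 1):
        for subset in combinations(primes, k):
            prob = Fraction(1)
            for l in primes:
                prob *= Fraction(l - 1, l) if l in subset else Fraction(1, l)
            dist[frozenset(subset)] = prob
    return dist


def ranked_piles(primes, samples):
    """Expected pile sizes n(E_t) = samples * p_t, largest first."""
    dist = missing_set_distribution(primes)
    piles = [(sorted(s_t), samples * p) for s_t, p in dist.items()]
    return sorted(piles, key=lambda item: item[1], reverse=True)


def distance_distribution(primes):
    """Probability that E_t lies at distance d from E_{r,+}.

    The distance is the number of primes of S_{r,+} missing from S_t, since
    each of them contributes two l-isogenies between the two curves.
    """
    full = frozenset(primes)
    by_distance = {}
    for s_t, prob in missing_set_distribution(primes).items():
        d = len(full - s_t)
        by_distance[d] = by_distance.get(d, Fraction(0)) + prob
    return by_distance


if __name__ == "__main__":
    S_r_plus = (3, 5, 7, 11)     # constructed stand-in for the primes of S_{r,+}
    for s_t, expected in ranked_piles(S_r_plus, samples=1155)[:3]:
        print(s_t, "expected pile size", expected)
    print("distance distribution:", distance_distribution(S_r_plus))
```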

Torsion noise
Orthogonally to Section 4.3, we now examine the case that missing torsion occurred in an earlier round than the round we are faulting.

Example 6 (CSIDH).
Suppose that $e_1 = 1$ and that in the first positive round, the point generated in Line 2 of Algorithm 1 had order not divisible by $\ell_1$, but all other points have full order. Thus, the $\ell_1$-isogeny attempt fails in the first positive step. Consider now the second positive round. From Section 4.2, we would expect to be computing steps in $S_{2,+} = \{i \mid e_i \geq 2\}$. But no $\ell_1$-isogeny has been computed in the first round, so it will be attempted in this second positive round. If we now fault the second positive point, we obtain a faulty curve that is also missing $\ell_1$, that is, 1 * E 2,+ . Unlike the faulty curves from Section 4.3, the positively oriented isogeny goes from $E_t$ towards $E_{2,+}$. Also, note that in this scenario if $e_1 = 2$, a fault in round 2 would still result in the curve $E_{2,+}$, because the set $S_{2,+}$ contains $\ell_1$ already, and so the missed $\ell_1$-isogeny from round 1 will be computed in later rounds.
We refer to the phenomenon observed in Example 6 as torsion noise. More concretely, torsion noise happens when we fault the computation in round $r$ for a run which is computing an $\ell_i$-isogeny in round $r$ for $|e_i| < r$ because it was skipped in a previous round.
Torsion noise is rarer than missing torsion but can still happen: the isogeny computation needs to fail and the fault must come when we are "catching up" with the computation. For CSIDH, torsion noise can only happen if $r > |e_i|$ and the computation of the $\ell_i$-isogeny failed in at least $r - |e_i|$ rounds. Torsion noise is unlikely for large $\ell_i$ because the probability that an isogeny fails is about $1/\ell_i$.
For small primes, such as $\ell_i \in \{3, 5, 7\}$, we observe a lot of torsion noise. This can slightly affect the results as described in Section 4.3, but has no major impact on the results in general. Concretely, torsion noise may make it impossible to determine the correct $e_i$ for the small primes given only a few faulted curves. Nevertheless, their exact values can be brute-forced at the end of the attack.

Remark 4 (Orientation of torsion noise).
Faulty curves affected by torsion noise connect to the curves $E_{r,s}$ by isogenies of the opposite orientation compared to the remaining faulty curves. Therefore, if torsion noise happens and we find a path from such a curve $E_t \to E_{r,s}$, then we can infer not just the orientation of the primes in this path, but often also bound the corresponding exponents $e_i$.

Connecting curves from the same round
Suppose we have a set of (effective) round-$r$ faulty curves with the same orientation $s$, and suppose $r$ and $s$ are fixed. In Corollary 4.4, we show that such curves are close to each other. In particular, the path from $E_t$ to $E_{r,s}$ uses only degrees contained in the set $S_{r,s}$. Finding short paths among faulty curves gives us information about $S_{r,s}$, and hence about the secret key.
Component graphs. Starting from a set $\{E_t\}$ of round-$r$ faulty curves with orientation $s$, we can use them to define the graph $G_{r,s}$ as follows: The vertices of $G_{r,s}$ are given by $\{E_t\}$, and the edges are steps between the curves, labeled by $i$ if the curves are connected by two $\ell_i$-isogenies. For convenience, we sparsify the graph $G_{r,s}$ and regard it as a tree with the curve $E_{r,s}$ as the root.

Remark 5 (Edges).
Starting from a set of faulty curves, it is easy to build the graphs $G_{r,s}$. We can identify the roots $E_{r,s}$ of these graphs using Corollary 4.3. Then the distance from the root to any round-$r$ faulty curve with the same orientation is small (cf. Corollary 4.4). Therefore, we can find the edges by applying short walks in this graph. Note that edges of $G_{r,s}$ give information on $S_{r,s}$.

Remark 6 (Missing vertices).
If we do not have enough faulty curves $\{E_t\}$, it may not be possible to connect all the curves with single steps (understood as isogenies of square degree, see Corollary 4.4). For convenience, we assume that we have enough curves. In practice, we include in the graph $G_{r,s}$ any curve on the path between $E_t$ and $E_{r,s}$ (again, taking steps with square prime degree).

Remark 7 (Components).
We imagine the graphs $G_{r,s}$ as subgraphs of the isogeny graph of supersingular elliptic curves with edges given by isogenies. Computing short paths from $E_{r,s}$ will give us enough edges so that we can consider the graphs $G_{r,s}$ to be connected. Hence we call them components.

Secret information.
An effective round-$r$ faulty curve $E_t$ with torsion set $S_t \subset S_{r,+}$ can easily be connected by a path with labels $S_{r,+} \setminus S_t$. Moreover, the orientation $E_{r,+} \to E_t$ is positive. Therefore, we can identify which components are positive, and all the labels of the edges are necessarily in $S_{r,+}$, that is, the prime $\ell_i$ is positive. Torsion noise can be recognized from the opposite direction of the edges (see Remark 4). In either case, the components $G_{r,s}$ give us the orientation of all the primes occurring as labels of the edges.
Sorting round-$r$ samples. Suppose we are given a set of round-$r$ faulty curves $\{E_t\}$, but we do not have information about the orientation yet. We can again use Corollary 4.3 to find the root of the graph; then we take small isogeny steps until we have two connected components $G_1$, $G_2$. It is easy to determine the direction of the edges given enough samples; ignoring torsion noise, the positively oriented root will have outgoing edges.
In summary, we try to move curves $E_t$ from a pile of unconnected samples to one of the two graphs by finding collisions with one of the nodes in $G_{r,+}$ resp. $G_{r,-}$. The degrees of such edges reveal information on $S_{r,+}$ and $S_{r,-}$: An edge with label $i$ in $G_{r,+}$ implies $i \in S_{r,+}$, and analogously for $G_{r,-}$ and $S_{r,-}$. Figure 1 summarizes the process, where, e.g., $E_{r,+} \to E_7$ shows missing torsion and $E_8 \to E_{r,+}$ is an example of torsion noise.

Fig. 1: Building up the component graphs of faulty curves.

Connecting the components G r,s
Now, we explain how to connect the components $G_{r,s}$ for different rounds $r$. The distance of these components is related to the sets $S_{r,+}$ and $S_{r,-}$. We then show that it is computationally feasible to connect the components via a meet-in-the-middle attack. Connecting two components gives us significantly more knowledge on the sets $S_{r,+}$ and $S_{r,-}$, such that connecting all components is enough to reveal the secret $\mathfrak{a}$ in Section 4.7.
Information from two connected components. We start with an example:

Example 7 (CSIDH). Recall that we have $S_{r,+} = \{i \mid e_i \geq r\}$, and so $E_{r,+} = \left(\prod_{i \in S_{r,+}} \mathfrak{l}_i^{-2}\right) * E_B$. This means that, e.g., we have $S_{3,+} \subset S_{2,+}$, and $E_{2,+}$ has a larger distance from $E_B$ than $E_{3,+}$. The path between $E_{3,+}$ and $E_{2,+}$ then only contains steps of degrees $\ell_i$ such that $i \in S_{2,+} \setminus S_{3,+}$, so $e_i = 2$. In general, it is easy to see that finding a single isogeny that connects a node $E_{t_3}$ from $G_{3,+}$ and a node $E_{t_2}$ in $G_{2,+}$ immediately gives the connection from $E_{3,+}$ to $E_{2,+}$. Hence, we learn all $\ell_i$ with $e_i = 2$ from the components $G_{3,+}$ and $G_{2,+}$.

In the general case, if we find an isogeny between two such graphs, say $G_{r,+}$ and $G_{r',+}$, we can compute the isogeny between the two roots $E_{r,+}$ and $E_{r',+}$ of these graphs. The degree of this isogeny $E_{r,+} \to E_{r',+}$ describes precisely the difference between the sets $S_{r,+}$ and $S_{r',+}$. The example above is the special case $r' = r + 1$, and in CSIDH we always have $S_{(r+1),+} \subset S_{r,+}$, so that the difference between $S_{r,+}$ and $S_{(r+1),+}$ is the set of $\ell_i$ such that $e_i = r$. In other CSIDH variants, such sets are not necessarily nested, but connecting all components still reveals $e_i$ as Section 4.7 will show. In general, we connect two subgraphs by a distributed meet-in-the-middle search which finds the shortest connection first.
Distance between connected components. As we have shown, connecting two components $G_{r,+}$ and $G_{r',+}$ is equivalent to finding the difference in sets $S_{r,+}$ and $S_{r',+}$. The distance between these sets heavily depends on the implementation, as these sets are determined by the key $\mathfrak{a}$ and the evaluation of this key. For example, in CSIDH-512, the difference between $S_{r,+}$ and $S_{(r+1),+}$ is given by the $e_i = r$, which on average is of size $\frac{74}{11} \approx 6.7$. In practice, this distance roughly varies between 0 and 15. For an implementation such as CTIDH-512, the sets $S_{r,+}$ are smaller in general, on average of size 7, and the difference between such sets is small enough to admit a feasible meet-in-the-middle connection. See Section 6 for more details on how we connect these components in practice.

Revealing the private key
So far, we showed how connecting different components $G_{r,+}$ and $G_{r',+}$ reveals information on the difference between the sets $S_{r,+}$ and $S_{r',+}$. In this section, we show that when all components are connected, we can derive the secret $\mathfrak{a}$. This wraps up Section 4: Starting with disorientations in certain rounds $r$, we derive the secret $\mathfrak{a}$ from the resulting graph structure, assuming enough samples.
From differences of sets to recoveries of keys. By connecting the graphs of all rounds, including the one-node-graph consisting of just the correct curve $E_B$, we learn the difference between the sets $S_{r,+}$ and $S_{(r+1),+}$ for all rounds $r$ (as well as for $S_{r,-}$ and $S_{(r+1),-}$). A single isogeny from some $G_{r,+}$ to $E_B = \mathfrak{a} * E_A$ then recovers $S_{r,+}$ for this round $r$: Such an isogeny gives us an isogeny from $E_{r,+} = \left(\prod_{i \in S_{r,+}} \mathfrak{l}_i^{-2}\right) * E_B$ to $E_B$, whose degree shows us exactly those $\ell_i \in S_{r,+}$. From a connection between the components $G_{r,+}$ and $G_{r',+}$, we learn the difference in sets $S_{r,+}$ and $S_{r',+}$. From $S_{r,+}$, we can then deduce $S_{r',+}$. Therefore, if all graphs $G_{r,+}$ for different $r$ are connected, and we have at least one isogeny from a node to $E_B$, we learn the sets $S_{r,+}$ for all rounds $r$ (and equivalently for $S_{r,-}$). From the knowledge of all sets $S_{r,+}$ and $S_{r,-}$ we then learn $\mathfrak{a} = (e_i)$: the sign of $e_i$ follows from observing in which of the sets $S_{r,+}$ or $S_{r,-}$ the respective $\ell_i$ appears, and $|e_i|$ equals the number of these appearances.
In practice however, due to missing torsion and torsion noise, connecting all components may not give us the correct sets $S_{r,+}$ resp. $S_{r,-}$. In such a case, one can either gather more samples to gain more information, or try to brute-force the difference. In practice, we find that the actual set $S_{r,+}$ as derived from $\mathfrak{a}$ and the set Sr,+ derived from our attack (leading to some $\mathfrak{a}'$) always have a small distance. A simple meet-in-the-middle search between $\mathfrak{a}' * E_A$ and $\mathfrak{a} * E_A$ then quickly reveals the errors caused by missing torsion and torsion noise.
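The set bookkeeping of this section, as an added Python example (not code from the paper or from pubcrawl): it models only index sets for the CSIDH case $S_{r,\pm} = \{i \mid \pm e_i \geq r\}$ and computes no curves or isogenies. The toy key, the bound 3 and all function names are constructed for illustration.

```python
"""Toy model of the CSIDH index sets S_{r,+} = {i | e_i >= r} and S_{r,-} = {i | e_i <= -r}.

Only sets of indices are handled; no elliptic curves or isogenies are computed.
"""

TOY_KEY = [2, -1, 0, 3, -3, 1, 1, -2, 0, 3, -1, 2]  # constructed exponent vector, |e_i| <= 3
ROUNDS = 3


def round_sets(key, rounds):
    """Return {(r, s): S_{r,s}} for r = 1..rounds and orientation s in {+1, -1}."""
    sets = {}
    for r in range(1, rounds + 1):
        sets[(r, +1)] = {i for i, e in enumerate(key, start=1) if e >= r}
        sets[(r, -1)] = {i for i, e in enumerate(key, start=1) if e <= -r}
    return sets


def connection_labels(sets, rounds):
    """Index labels on each connection between components.

    (r, s) for r < rounds: path between the roots E_{r,s} and E_{r+1,s},
    i.e. the difference of S_{r,s} and S_{r+1,s} (for CSIDH: {i | e_i = s*r}).
    (rounds, s): path from the last root to E_B, labelled by S_{rounds,s}.
    """
    labels = {}
    for s in (+1, -1):
        for r in range(1, rounds):
            labels[(r, s)] = sets[(r, s)] ^ sets[(r + 1, s)]
        labels[(rounds, s)] = set(sets[(rounds, s)])
    return labels


def labels_are_disjoint(labels):
    """Check that every index labels at most one connection."""
    seen = set()
    for lab in labels.values():
        if seen & lab:
            return False
        seen |= lab
    return True


def sets_from_labels(labels, rounds):
    """Rebuild all S_{r,s}, starting from the connection to E_B and walking outwards."""
    sets = {}
    for s in (+1, -1):
        current = set(labels[(rounds, s)])
        sets[(rounds, s)] = set(current)
        for r in range(rounds - 1, 0, -1):
            current = current ^ labels[(r, s)]
            sets[(r, s)] = set(current)
    return sets


def key_from_sets(sets, n, rounds):
    """sign(e_i): which family of sets contains i; |e_i|: in how many rounds it appears."""
    key = []
    for i in range(1, n + 1):
        pos = sum(1 for r in range(1, rounds + 1) if i in sets[(r, +1)])
        neg = sum(1 for r in range(1, rounds + 1) if i in sets[(r, -1)])
        if pos and neg:
            raise ValueError(f"index {i} appears with both orientations")
        key.append(pos - neg)
    return key


def key_distance(a, b):
    """Number of single isogeny steps separating two exponent vectors."""
    return sum(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    labels = connection_labels(round_sets(TOY_KEY, ROUNDS), ROUNDS)
    print("connection labels:", labels)
    print("rebuilt key:", key_from_sets(sets_from_labels(labels, ROUNDS), len(TOY_KEY), ROUNDS))
    # One label lost to missing torsion leaves a candidate key at small distance.
    labels[(1, +1)].discard(7)
    guess = key_from_sets(sets_from_labels(labels, ROUNDS), len(TOY_KEY), ROUNDS)
    print("distance of noisy guess to true key:", key_distance(guess, TOY_KEY))
```
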

Complexity of recovering the secret a
The full approach of this section can be summarized as follows:
1. Gather enough effective round-$r$ samples $E_t$ per round $r$, using Lemma 4.1.
2. Build up the components $G_{r,+}$ and $G_{r,-}$ using Corollaries 4.3 and 4.4.
3. Connect components to learn the difference in sets $S_{r,+}$ and $S_{r',+}$.
4. Compute the sets $S_{r,+}$ and $S_{r,-}$ for every round and recover $\mathfrak{a}$.
The overall complexity depends on the number of samples per round, but is in general dominated by Step 3. For Step 2, nodes are in most cases relatively close to the root $E_{r,+}$ or to an already connected node $E_t$, as shown in Corollary 4.4.
For Step 3, components are usually further apart than nodes from Step 2. In general, the distance between components $G_{r,+}$ and $G_{r',+}$ depends heavily on the specific design choices of an implementation. In a usual meet-in-the-middle approach, where $n$ is the number of $\ell_i$ over which we need to search and $d$ is the distance between $G_{r,+}$ and $G_{r',+}$, the complexity of finding a connection is ). Note that we can use previous knowledge from building components or finding small-distance connections between other components to reduce the search space and thus minimize $n$ for subsequent connections. We analyze this in detail for specific implementations in Section 5.

Case studies: CSIDH and CTIDH
We previously defined a general strategy in four steps. In practice, those steps are dependent on the actual implementation. Concretely, we select two main implementations: CSIDH-512 and CTIDH-512. We discuss CSIDH-512 in Section 5.1, CTIDH-512 in Section 5.2, and we analyze other implementations in Section 5.3.
In this section we will specialize to inputting $E_0$ into the target which thus computes a faulty version of $E_B = \mathfrak{a} * E_0$, its own public key.
Building components $G_{r,+}$ and $G_{r,-}$.
Step 2 of the attack on CSIDH-512 works exactly as described in Section 4.5. If $E_t$ and $E_{t'}$ are effective samples from the same round with the same orientation, their distance is small (Corollary 4.4).
We can thus perform a neighborhood search on all of the sampled curves until we have 10 connected components $G_{r,\pm}$ for $r \in \{1, \dots, 5\}$, as in Figure 1. This step is almost effortless: most curves will be distance 1 or 2 away from the root $E_{r,s}$. In practice, using round information and number of occurrences, we identify the 10 curves $E_{r,\pm}$ for $r = 1, \dots, 5$, and explore all paths of small length from those 10 curves, or connect them via a meet-in-the-middle approach (e.g., using pubcrawl, see Section 6). The degrees of the isogenies corresponding to the new edges in $G_{r,\pm}$ reveal information on the sets $S_{r,\pm}$, which can be used to reduce the search space when connecting the components $G_{r,\pm}$.
Filter-and-break it, until you make it.
Step 3 is the most computationally intensive step, as it connects 11 components ($G_{r,\pm}$ and $E_B$) into a single large connected component. We argue that it is practical for CSIDH-512.
More specifically, we want to find connections between $G_{r,\pm}$ and $G_{(r+1),\pm}$, as well as connections from $G_{5,\pm}$ to $E_B$. This gives us 10 connections, corresponding to the gaps $\{i \mid e_i = k\}$ for $k \in [-5, 5] \setminus \{0\}$. Figure 2 shows an abstraction of this large connected component. Since there are 74 primes in total, and only 10 gaps, at least one of these gaps is at most 7 primes. If we assume that at least 5 of the exponents are 0 (we expect $\approx 7$ to be 0), then the smallest distance is at most 6 steps. Such gaps are easily found using a meet-in-the-middle search, see Section 6.
Let us call support the set of isogeny degrees used in a meet-in-the-middle neighborhood search. We can connect all components by a meet-in-the-middle search with support $\{\ell_1, \dots, \ell_{74}\}$. This becomes infeasible for large distances, so instead, we adaptively change the support. We start by finding short connections, and use the labels we find to pick a smaller support for searching between certain components, i.e., filter some of the $\ell_i$ out of the support.
First, we learn the orientation of the components by identifying $G_{1,\pm}$ and considering the direction of the edges. Effective round-1 samples do not have torsion noise, so the root $E_{1,+}$ has only outgoing edges, whereas the root $E_{1,-}$ has only incoming edges. The labels of the edges of $G_{1,+}$ must be positive primes, and all components with a matching label are also positive. Next, all the labels that appear as degrees of edges in $G_{r,+}$ for any $r$ are necessarily positive. Finally, positively oriented components can only be connected by positive primes, so we can remove from the support all the primes that we know are negative. Similarly for negative orientations.

Fig. 2: [...]), other faulty curves appearing in the dataset are gray, and white circles are "intermediate" curves discovered while connecting the components. The primes appearing on the connecting path between $E_{i,\pm}$ and $E_{i+1,\pm}$ are exactly the primes appearing $i$ times with orientation $\pm$. For example, the primes indexed by 2, 9, 19 appearing between $E_{1,+}$ and $E_{2,+}$ have exponent $+1$ in the secret key.
After finding the first connection we restrict the support even more: we know that any label $i$ appears in at most one connection. Hence, whenever we find a connection, we get more information about orientation and can reduce the support for further searches, allowing us to find larger connections. We repeat this procedure with more and more restrictions on the support until we find the full connected component.
Recovering the secret key. From the connected components, we recover all of the sets $S_{r,\pm}$ and we compute the secret key as described in Section 4.7.
Example 8 (Toy CSIDH-103). Figure 3 shows the resulting connected graph for a toy version of CSIDH using Algorithm 1 with the first $n = 21$ odd primes and private keys in $\{-3, \dots, +3\}^n$. Each round was faulted 10 times.
The distances between the components are very small and hence connecting paths are readily found. We sparsify the graph to plot it as a spanning tree; the edges correspond to positive steps of the degree indicated by the label. This graph comes from the secret key

Required number of samples. Recovering the full secret exponent vector in CSIDH-512 equates to computing the sets $S_{r,+}$ and $S_{r,-}$ for $r \in \{1, \dots, 5\}$. Recall that to compute these sets we need to build a connected component including subcomponents $G_{r,+}$ and $G_{r,-}$ for $r \in \{1, \dots, 5\}$, and $E_B$ (the one-node-graph consisting of just the public key). We build the components $G_{r,+}$ and $G_{r,-}$ by acquiring enough effective round-$r$ samples. More effective round-$r$ samples may give more vertices in $G_{r,\pm}$, and more information about $S_{r,\pm}$.
Let $T_r$ be the number of effective round-$r$ samples and let $T = \sum T_r$. A first approach is to inject in round $r$ until the probability is high enough that we have enough effective round-$r$ samples. For CSIDH-512, we take $T_1 = 16$, $T_2 = 16$, $T_3 = 32$, $T_4 = 64$ and $T_5 = 128$, so that $T = 256$. From Lemma 4.1, we then expect 8 round-5 samples (4 per orientation) and the probability that we do not get any of the elements of $G_{5,+}$ or $G_{5,-}$ is about 1.7%. This strategy can be improved upon. Notice that we need round-5 samples, and so in any case we need $T_5$ rather large (in comparison to $T_i$ with $i < 5$) to ensure we get such samples. But gathering samples from round 5 already gives us many samples from rounds before. Using Lemma 4.1 with $T_5 = 128$, we get on average 8 effective round-1 samples, 32 effective round-2 samples, 48 effective round-3 samples, 32 effective round-4 samples and 8 effective round-5 samples. In general, attacking different rounds offers different tradeoffs: attacking round 9 maximizes getting effective round-5 samples, but getting a round-1 sample in round 9 is unlikely. Faulting round 1 has the benefits that all faulty curves are effective round-1 curves, making them easy to detect in later rounds; that no torsion noise appears; and that missing torsion quickly allows us to determine the orientation of the small primes, reducing the search space for connecting the components. Finally, note that gathering $T$ faulty samples requires approximately $2T$ fault injections, since, on average, half of the faults are expected to flip the orientation.

Breaking CTIDH-512
CTIDH [3] partitions the set of primes $\ell_j$ into $b$ batches, and bounds the number of isogenies per batch. For a list $N \in \mathbb{Z}^b_{>0}$ with $\sum N_k = n$ and a list of nonnegative bounds $m \in \mathbb{Z}^b_{\geq 0}$ define the keyspace as where $(e_{i,j})$ is a reindexed view of $(e_i)$ given by the partition into batches. CTIDH-512 uses 14 batches with bounds $m_i \leq 18$, requiring at least 18 rounds. In every round, we compute one isogeny per batch; using a 2-point strategy, we compute isogenies in both positive and negative direction. So, all round-$r$ samples are effective round-$r$ samples.
Injecting faults. To sample oriented points, CTIDH uses the Elligator-2 map twice. First, Elligator is used to sample two points $P_+$ and $P_-$ on the starting curve $E_A$. A direction $s$ is picked to compute an isogeny, the point $P_s$ is used to take a step in that direction to a curve $E_{A'}$, and the point $P_s$ is mapped through the isogeny. Then another point $P'_{-s}$ is sampled on $E_{A'}$ using Elligator.
We will always assume that we inject a fault into only one of these two Elligator calls (as in Section 3). Hence, as for CSIDH and 1-point strategies, we again always obtain either positively or negatively oriented samples.
Different rounds for CTIDH-512. Per round, CTIDH performs one $\ell_{i,j}$ per batch $B_i$. Within a batch, the primes $\ell_{i,j}$ are ordered in ascending order: if the first batch is $B_1 = \{3, 5\}$ and the exponents are $(2, -4)$, then we first compute 2 rounds of 3-isogenies in the positive direction, followed by 4 rounds of 5-isogenies in the negative direction. We can visualize this as a queue [3+, 3+, 5−, 5−, 5−, 5−] (padded on the right with dummy isogenies for the remaining rounds up to $m_1$). CTIDH inflates the failure of each isogeny to that of the smallest prime in the batch to hide how often each prime is used; in our example, the failure probability is 1/3. This implies that the sets $S_{r,\pm}$ contain precisely the $r$-th prime in the queue for the batch $B_i$. With 14 batches and an equal chance for either orientation, we expect that each $S_{r,\pm}$ will contain about 7 primes. Furthermore, each set $S_{r,\pm}$ can contain only one prime per batch $B_i$.
The small number of batches and the ordering of primes within the batches make CTIDH especially easy to break using our disorientation attack.
Components for CTIDH-512. Given enough samples, we construct the graphs $G_{r,s}$; the slightly higher failure probability of each isogeny (because of inflating) somewhat increases the chances of missing torsion and torsion noise. The distance of the root curves $E_{r,s}$ to the non-faulted curve $E_B$ is bounded by the number of batches. Per round $r$, the sum of the distances of $E_{r,\pm}$ to $E_B$ is at most 14, so we expect the distance to be about 7.
The distance between two graphs $G_{r,s}$ and $G_{(r+1),s}$ is often much smaller. We focus on positive orientation (the negative case is analogous). The distance between $G_{r,+}$ and $G_{(r+1),+}$ is given by the set difference of $S_{r,+}$ and $S_{(r+1),+}$. If these sets are disjoint and all primes in round $r$ and $r + 1$ are positive, the distance is 28, but we expect significant overlap: The set difference contains the indices $i$ such that either the last $\ell_i$-isogeny is computed in round $r$ or the first $\ell_i$-isogeny is computed in round $r + 1$. Note that these replacements need not come in pairs. In the first case, the prime $\ell_i$ is replaced by the next isogeny $\ell_j$ from the same batch only if $\ell_j$ is also positive. In the second case, the prime $\ell_i$ might have followed a negative prime that preceded it in the batch.
Therefore, given $S_{r,+}$, one can very quickly determine $S_{(r+1),+}$ by leaving out some $\ell_i$'s or including subsequent primes from the same batch. In practice, this step is very easy. Finding one connection $E_B \to E_{r,+}$ determines some set $S_{r,+}$, which can be used to quickly find other sets $S_{r',+}$. This approach naturally also works going backwards, to the set $S_{(r-1),+}$.
Directed meet-in-the-middle. Using a meet-in-the-middle approach, we compute the neighborhood of $E_B$ and all the roots $E_{r,\pm}$ (or components $G_{r,\pm}$) of distance 4. This connects $E_B$ to all the curves at distance at most 8. Disregarding orientation and information on batches, if we have $N$ curves that we want to connect, the naive search will require about $2 \cdot \binom{74}{4} \cdot N \approx 2^{21} \cdot N$ isogenies. The actual search space is even smaller as we can exclude all paths requiring two isogenies from the same batch.
Moreover, isogenies in batches are in ascending order. So, if in round $r$ we see that the 3rd prime from batch $B_i$ was used, none of the rounds $r' > r$ involves the first two primes, and none of the rounds $r' < r$ can use the fourth and later primes from the batch for that direction.
Late rounds typically contain many dummy isogenies and the corresponding faulty curves are especially close to the public key. We expect to rapidly recover $S_{r,\pm}$ for the late round curves, and work backwards to handle earlier rounds.
Required number of samples. In CTIDH, we can choose to inject a fault into the first call of Elligator or the second one. We do not see a clear benefit of prioritizing either call. Unlike for CSIDH and 1-point strategies, there is no clear benefit from targeting a specific round. Assume we perform $c$ successful faults per round per Elligator call, expecting to get samples for both orientations per round. As CTIDH-512 performs 18 rounds (in practice typically up to 22 because of isogeny steps failing), we require $T = 18 \cdot 2 \cdot c$ successful flips. It seems possible to take $c = 1$ and hence $T = 36$ (or up to $T = 44$) samples.
With just one sample per round $r$ (and per orientation $s$), the torsion effects will be significant and we will often not be able to recover $S_{r,s}$ precisely. Let Sr,s denote the index set recovered for round $r$ and sign $s$. We can correct for some of these errors, looking at Sr ′ ,± for rounds $r'$ close to $r$. Consider only primes from the same batch $B$, then the following can happen:
- No prime from $B$ is contained in either Sr,+ or Sr,− : all primes from $B$ are done or missing torsion must have happened. We can examine the primes from the batch $B$ which occur in neighboring rounds S(r±1),± and use the ordering in the batch to obtain guesses on which steps should have been computed if any.
- One prime from $B$ is contained in Sr,+ ∪ Sr,− : we fix no errors.
- Two primes from $B$ are contained in Sr,+ ∪ Sr,− : the smaller one must have come from torsion noise in a previous round and can be removed.
Remark 8. It is possible to skip certain rounds to reduce the number of samples, and recover the missing sets $S_{r,s}$ using information from the neighboring rounds. We did not perform the analysis as to which rounds can be skipped; we feel that already two successful faults per round are low enough. Even a partial attack (obtaining information only from a few rounds) reveals a lot about the secret key thanks to the batches being ordered, and can reduce the search space for the secret key significantly. One may also select the rounds to attack adaptively, based on the information recovered from $S_{r,s}$.
Recovering the secret key. Once we recover all the sets $S_{r,s}$, the secret key can be found as $\mathfrak{a} = \prod_r \left( \prod_{i \in S_{r,+}} \mathfrak{l}_i \cdot \prod_{j \in S_{r,-}} \mathfrak{l}_j^{-1} \right)$. Note that as before, if we misidentify $S_{r,s}$ due to torsion effects, we may have to perform a small search to correct for the mistakes.
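The batch queues of "Different rounds for CTIDH-512" and the per-batch correction rules listed above, as an added Python example (not code from the paper, CTIDH or pubcrawl). It handles only sets of primes on two constructed toy batches. The rule that fills an empty slot when both neighboring rounds show the same step is an assumption: one simple instance of the ordering-based guesses the text mentions.

```python
"""Toy model of CTIDH round sets: one step per batch per round, primes in ascending order.

Only sets of primes are handled; no curves, isogenies or faults are computed.
"""

BATCHES = [(3, 5), (7, 11, 13)]   # constructed toy batches
KEY = [(2, -4), (1, 0, 3)]        # constructed exponents, one tuple per batch
BOUNDS = [6, 5]                   # constructed per-batch bounds m_i


def batch_queue(primes, exponents, bound):
    """Queue of (prime, sign) steps for one batch, padded with None (dummy) up to bound."""
    queue = []
    for prime, e in sorted(zip(primes, exponents)):
        queue += [(prime, 1 if e > 0 else -1)] * abs(e)
    if len(queue) > bound:
        raise ValueError("sum of |e| exceeds the batch bound")
    return queue + [None] * (bound - len(queue))


def round_sets(batches, key, bounds):
    """S[(r, s)]: primes whose step is the r-th queue entry of some batch, with sign s."""
    rounds = max(bounds)
    sets = {(r, s): set() for r in range(1, rounds + 1) for s in (1, -1)}
    for primes, exps, bound in zip(batches, key, bounds):
        for r, step in enumerate(batch_queue(primes, exps, bound), start=1):
            if step is not None:
                sets[(r, step[1])].add(step[0])
    return sets


def constructed_samples():
    """True sets with constructed errors: one torsion-noise entry, two missing entries."""
    rec = {k: set(v) for k, v in round_sets(BATCHES, KEY, BOUNDS).items()}
    rec[(3, 1)].add(3)        # torsion noise: a 3-isogeny caught up in round 3
    rec[(3, 1)].discard(13)   # missing torsion in round 3
    rec[(6, -1)].discard(5)   # missing torsion in the last round
    return rec


def correct_round_sets(recovered, batches, rounds):
    """Apply the per-batch rules; return (corrected sets, unresolved (round, batch) slots)."""
    fixed = {k: set(v) for k, v in recovered.items()}

    def entries(r, batch):
        return [(p, s) for s in (1, -1) for p in fixed.get((r, s), ()) if p in batch]

    # Two primes from one batch: the smaller one is torsion noise and is removed.
    for r in range(1, rounds + 1):
        for batch in batches:
            seen = entries(r, batch)
            if len(seen) == 2 and seen[0][0] != seen[1][0]:
                prime, sign = min(seen)
                fixed[(r, sign)].discard(prime)

    # No prime from a batch: batch finished, or missing torsion.
    unresolved = []
    for r in range(1, rounds + 1):
        for b, batch in enumerate(batches):
            if entries(r, batch):
                continue
            before, after = entries(r - 1, batch), entries(r + 1, batch)
            if len(before) == 1 and before == after:
                # Assumed fill rule: an ordered queue with the same step on both
                # sides must have that step in between.
                fixed[(r, before[0][1])].add(before[0][0])
            else:
                unresolved.append((r, b))
    return fixed, unresolved


if __name__ == "__main__":
    fixed, unresolved = correct_round_sets(constructed_samples(), BATCHES, max(BOUNDS))
    for key in sorted(fixed):
        print(key, sorted(fixed[key]))
    print("slots left for a small search:", unresolved)
```

The unresolved slots show why an empty slot is ambiguous: rounds 5 and 6 of the second batch really are dummies, while round 6 of the first batch lost a 5-isogeny to missing torsion.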

Other variants of CSIDH
In this section, we discuss some of the other implementations of CSIDH: all of these use IsSquare checks in the process of point sampling and are vulnerable to our attack. We analyze SIMBA [30], dummy-free implementations [1,16,18], and SQALE [17].

SIMBA. Implementations using SIMBA [30] can be attacked similarly to CSIDH (cf. Section 5.1). SIMBA divides the $n$ primes $\ell_i$ into $m$ prides (batches), and each round only computes $\ell_i$-isogenies from the same pride. That is, each round only involves up to $\lceil n/m \rceil$ isogenies, and the setup of the prides is publicly known. In each round, fewer isogenies are computed, the sets $S_{r,s}$ are smaller and the distances between the components $G_{r,s}$ are shorter. It is therefore easier to find isogenies connecting the components, and recover the secret key.
Dummy-free CSIDH. Dummy-free implementations [1,16,18] replace pairs of dummy $\ell_i$-isogenies by pairs of isogenies that effectively cancel each other [16]. This is due to the fact that l i * (l . Thus, computing one $\ell_i$-isogeny in positive direction and one $\ell_i$-isogeny in negative direction has the same effect as computing two dummy $\ell_i$-isogenies. However, this approach requires fixing the parity of each entry of the private key $e_i$, e.g., by sampling only even numbers from $[-10, 10]$ to reach the same key space size as before. The implementation of [16] therefore suffers a slowdown of factor 2. Nevertheless, such dummy-free implementations mitigate certain fault attacks, such as skipping isogenies, which in a dummy-based implementation would directly reveal if the skipped isogeny was a dummy computation and give respective information on the private key. Dummy-free CSIDH [1] computes $|e_i|$ $\ell_i$-isogenies per $i$ in the appropriate direction, and then computes equally many $\ell_i$-isogenies in both directions which cancel out, until all required isogenies have been computed. For instance, for an even $e_i$ sampled from $[-10, 10]$, choosing $e_i = 4$ would be performed by applying $\mathfrak{l}_i^{1}$ in the first 5 rounds, applying $\mathfrak{l}_i^{-1}$ in round 6 and 7, applying $\mathfrak{l}_i^{1}$ again in round 8 and 9, and finishing with $\mathfrak{l}_i^{-1}$ in round 10. Notice that all isogenies start in the correct direction, and that we learn $|e_i|$ from disorientation faults if we know in which round the first $\mathfrak{l}_i$ is applied in the opposite direction. Therefore, if we apply the attack of Section 4 and learn all sets $S_{r,+}$ and $S_{r,-}$, we can determine $e_i$ precisely. Even better, it suffices to only attack every second round: It is clear that each prime will have the same orientation in the third round as in the second round, in the fifth and fourth, et cetera. Due to the bounds used in [1], large degree $\ell_i$ do not show up in later rounds, which decreases the meet-in-the-middle complexity of connecting the components $G_{r,+}$ and $G_{(r+1),+}$ for later rounds $r$.

SQALE. SQALE [17] only uses exponent bounds $e_i \in \{-1, 1\}$. To get a large enough key space, more primes $\ell_i$ are needed; the smallest instance uses 221 $\ell_i$. SQALE uses a 2-point strategy and only requires one round (keeping in mind the isogeny computation may fail and require further rounds).
Set $S_+ = S_{1,+} = \{i \mid e_i = 1\}$ and $S_- = S_{1,-} = \{i \mid e_i = -1\}$. If the sampled points in round 1 have full order, the round 1 faulty curves are either: the 'twist' of $E_B$: all the directions will be flipped (if both points are flipped), or the curve 110, we will not be able to find an isogeny to either of these curves using a brute-force or a meet-in-the-middle approach.
However, SQALE samples points randomly, and some of the isogeny computations will fail, producing faulty curves close to $E_{\pm}$ (and curves with the same orientation will be close to each other, as in Section 4.5). Getting enough faulty curves allows the attacker to get the orientation of all the primes $\ell_i$, and the orientation of the primes is exactly the secret key in SQALE. We note that [18] in another context proposes to include points of full order into the system parameters and public keys such that missing torsion and torsion noise do not occur. If this is used for SQALE, our attack would not apply.

The pubcrawl tool
The post-processing stage of our attack relies on the ability to reconstruct the graph of connecting isogenies between the faulty CSIDH outputs. We solve this problem by a meet-in-the-middle neighborhood search in the isogeny graph, which is sufficiently practical for the cases we considered. In this section, we report on implementation details and performance results for our pubcrawl software. We emphasize that the software is not overly specialized to the fault-attack setting and may therefore prove useful for other "small" CSIDH isogeny searches appearing in unrelated contexts.
Algorithm. pubcrawl implements a straightforward meet-in-the-middle graph search: Grow isogeny trees from each input node simultaneously and check for collisions; repeat until there is only one connected component left. The set of admissible isogeny degrees ("support") is configurable, as are the directions of the isogeny steps ("sign", cf. CSIDH exponent vectors), the maximum number of isogeny steps to take from each target curve before giving up ("distance"), and the number of prime-degree isogenies done per graph-search step ("multiplicity", to allow for restricting the search to square-degree isogenies).

Size of search space. The number of vectors in
Similarly, the number of vectors in

Implementation. The tool is written in C++ using modern standard library features, most importantly hashmaps and threading. It incorporates the latest version of the original CSIDH software as a library to provide the low-level isogeny computations. Public-key validation is skipped to save time. The shared data structures (work queue and lookup table) are protected by a simple mutex; more advanced techniques were not necessary in our experiments. We refrain from providing detailed benchmark results for the simple reason that the overwhelming majority of the cost comes from computing isogeny steps in a breadth-first manner, which parallelizes perfectly. Hence, both time and memory consumption scale almost exactly linearly with the number of nodes visited by the algorithm.
Concretely, on a server with two Intel Xeon Gold 6136 processors (offering a total of 24 hyperthreaded Skylake cores) using GCC 11.2.0, we found that each isogeny step took between 0.6 and 0.8 core milliseconds, depending on the degree.Memory consumption grew at a rate of ≈ 250 bytes per node visited, although this quantity depends on data structure internals and can vary significantly.Example estimates based on these observations are given in Table 1.
There is no doubt that pubcrawl could be sped up if desired, for instance by computing various outgoing isogeny steps at once instead of calling the CSIDH library as a black box for each individually.

Hashed version
As briefly mentioned in Remark 1, the attacker-observable output in Diffie-Hellman-style key agreements is not the shared elliptic curve, but a certain derived value. Typically, the shared elliptic curve is used to compute a key $k$ using a key derivation function, which is further used for symmetric key cryptography. So we cannot expect to obtain (the Montgomery coefficient of) a faulty curve $E_t$ but only a derived value such as $k = \text{SHA-256}(E_t)$ or $\mathrm{MAC}_k(\mathrm{str})$ for some known fixed string $\mathrm{str}$.
The attack strategies from Section 4 and Section 5 exploit the connections between the various faulty curves, but when we are only given a derived value, we are unable to apply isogenies. We argue that our attack, however, still extends to this more realistic setting as long as the observable value is computed deterministically from $E_t$ and collisions do not occur.
For simplicity, we will refer to the observable values as hashes of the faulty curves. Starting from a faulty curve $E_t$, we assume we can easily compute the hashed value $H(E_t)$, but we cannot recover $E_t$ from the hash $h = H(E_t)$.
As we lack the possibility to apply isogenies to the hashes, we must adapt the strategy from Section 4. Given a set of faulty curves, we can no longer generate the neighborhood graphs, nor find connecting paths between these graphs, and it is harder to learn the orientation of primes, which helped to reduce the possible degrees of the isogenies when applying pubcrawl. If we only see hashes of the faulty curves, we cannot immediately form the neighborhood graphs and determine orientations. But from the frequency analysis (Corollary 4.3), we can still identify the two most frequent new hashes $h_1, h_2$ per round as the probable hashes of $H(E_{r,\pm})$.

Example 9 (CSIDH).
When faulting the first point, the two most common hashed values are our best guesses for the hashes of $E_{1,\pm}$. Considering faults in the second point, we guess $H(E_{2,\pm})$ to be the most common hashes that have not appeared in round 1. Similarly for later points.
To recover $E$ given a hash $H(E)$, we run a one-sided pubcrawl search starting from $E_B$, where we hash all the curves we reach along the way, until we find a curve that hashes to $H(E)$. In practice, we run pubcrawl with one orientation (or both, in parallel) until we recognize $H(E_{r,\pm})$. Having identified $E_{r,\pm}$, we can then run a small neighborhood search around $E_{r,\pm}$ to identify the hashes of the faulty curves $E_t$ close to $E_{r,\pm}$. In contrast to the unhashed version, in the hashed version we can only recover the faulty curves $E_t$ by a one-sided search from a known curve $E$, instead of a meet-in-the-middle attack. In particular, the only known curve at the beginning of the attack is $E_B$.
Example 10 (CSIDH-512). The distance of the curves $E_{r,s}$ to $E_B$ is given by $|\{i \mid s \cdot e_i \ge r\}|$. Therefore, the curves $E_{5,\pm}$ have the smallest distance to $E_B$. Starting from the public key $E_B$, we thus first search the paths to the curves $E_{5,\pm}$. We do this by growing two neighborhoods (with positive and negative orientation) from $E_B$. Recall from Section 5.1 that the expected distance of the faulty curves is about $74/11 \approx 7$. But the distance from $E_B$ to $E_{5,s}$ can be a lot larger (it is equal to $|\{e_i \mid s \cdot e_i = 5\}|$). Such large distances are rare: the probability of both $E_{5,\pm}$ having distance larger than 10 from $E_B$ is, e.g.,

$$\sum_{n=11}^{74} \sum_{m=11}^{74-n} \binom{74}{n} \binom{74-n}{m} 9^{74-n-m} / 11^{74} \approx 0.3\%.$$

Hence, we do expect to find a connection to at least one of the curves $E_{5,\pm}$ within distance 10, meaning that we expect the first connection to cost no more than $2 \sum_{i=0}^{10} \binom{74}{i} \approx 2^{40.6}$ isogeny step evaluations and likely less for at least some $H(E_t)$ in the neighborhood. From there, we will identify orientation for some primes, hence the search will be more efficient at each successive step because we need to search through fewer than 74 primes.
Example 11. The faulty curves for any round in CTIDH are closer to the public key $E_B$ than in the CSIDH case: it is 14 in the worst case (one prime per batch all having the same orientation) and the distance is 7 on average (Section 5.2). So the directed pubcrawl searches up to distance ≈ 7 (one with positive and one with negative orientation) are very likely to identify many of the hashed curves. Once we identify some faulty curves, we can identify other faulty curves quickly by small neighborhood searches thanks to the extra ordered structure of the CTIDH keyspace. We also benefit from the slightly increased probability of failure leading to more curves in the neighborhood of $E_{r,s}$.
Summary. In the hashed version, the main difference compared to the approach in Section 5 is that we can no longer mount a meet-in-the-middle attack starting from $E_B$ and from all faulty curves but can only search starting from $E_B$. Hence, we do not get the square-root speedup from meeting in the middle. Despite this increase in the costs, it is still possible to attack the hashed version. Other sizes and variants work the same way with the concrete numbers adjusted. The brute-force searches to connect the effective round-$r$ curves in large CSIDH versions do get very expensive but will still remain cheaper than the security level for average gaps between $E_B$ and $E_{r,s}$ for the maximum $r$ values.

Exploiting the twist to allow precomputation
In this section, we use quadratic twists and precomputation to significantly speed up obtaining the private key $a$ given enough samples $E_t$, especially for the "hashed" version described in Section 7.
Using the twist. The attack target is a public key $E_B = a * E_0$. Previously (Section 3), we attacked the computation of $a * E_0$ with disorientation faults. In this section, we will use $E_{-B}$ as the input curve instead: Negating $B$ is related to inverting $a$ because $E_{-B} = a^{-1} * E_0$. Moreover, applying $a$ to $E_{-B}$ gives us back the curve $E_0$ and faulting this computation then produces faulty curves close to the fixed curve $E_0$. As $E_{-B}$ is the quadratic twist of $E_B$, we will refer to this attack variant as using the twist.
The main trick is that twisting induces a symmetry around the curve $E_0$. This can be used to speed up pubcrawl: the opposite orientation of $E_t$ (starting from $E_0$) reaches $E_{-t}$, so we can check two curves at once. By precomputing a set $C$ of curves of distance at most $d$ to $E_0$, a faulty curve $E_t$ at distance $d' \le d$ is in $C$ and can immediately be identified via a table lookup. Note that $C$ can be precomputed once and for all, independent of the target instance, as for any secret key $a'$ the faulty curves end up close to $E_0$. The symmetry of $E_{-t}$ and $E_t$ also reduces storage by half.
Finally, this twisting attack cannot be prevented by simply recognizing that $E_{-B}$ is the twist of $E_B$ and refusing to apply the secret $a$ to such a curve: An attacker can just as easily pick a random masking value $z$ and feed $z * E_{-B}$ to the target device. The faulty curves $E_t$ can then be moved to the neighborhood of $E_0$ by computing $z^{-1} * E_t$ at some cost per $E_t$, or the attacker can precompute curves around $z * E_0$. The latter breaks the symmetry of $E_t$ and $E_{-t}$ and does not achieve the full speedup or storage reduction, but retains the main benefits.
Twisting CTIDH. The twisting attack is at its most powerful for CTIDH. As noted before, the sets $S_{r,\pm}$ are small in every round for CTIDH. The crucial observation is that in each round and for each orientation, we use at most one prime per batch (ignoring torsion noise, see Section 4.4). For a faulty curve $E_t$, the path $E_t \to E_0$ includes only steps with the same orientation and uses at most one prime per batch. With batches of size $N_i$, the total number of possible paths per orientation is $\prod_i (N_i + 1)$, which is about $2^{35.5}$ for CTIDH-512. Hence, it is possible to precompute all possible faulty curves that can appear from orientation flips from any possible secret key $a$.
Extrapolating the performance of pubcrawl (Section 6), this precomputation should take no more than a few core years. The resulting lookup table occupies ≈ 3.4 TB when encoded naively, but can be compressed to less than 250 GB using techniques similar to [38, § 4.3].
Twisting CSIDH. For this speed-up to be effective, the distance $d$ we use to compute $C$ must be at least as large as the smallest $|S_{r,\pm}|$. Otherwise, no faulty curves end up within $C$. For CSIDH, the smallest such sets are $S_{r_{\max},\pm}$, where $r_{\max}$ is the maximal exponent permitted by the parameter; e.g., for CSIDH-512 $r_{\max} = 5$ and $S_{5,\pm}$ have an expected size ≈ 7. Precomputing $C$ for $d \le 7$ creates a set containing $\sum_{i=0}^{7} \binom{74}{i} \approx 2^{31}$ curves. Such a precomputation will either identify $S_{5,\pm}$ immediately, or allow us to find these sets quickly by considering a small neighborhood of the curves $E_{5,\pm}$.
Note that for all the earlier rounds $r < r_{\max}$, the sets $S_{r,s}$ include $S_{r_{\max},s}$. Therefore, if we have the orientation $s$ and the set $S_{r_{\max},s}$, we can shift all the faulty curves by two steps for every degree in $S_{r_{\max},s}$. If we have misidentified the orientation, this shift moves the faulty curves in the wrong direction, away from $E_0$. This trick is particularly useful for larger $r$ as eventually many isogenies need to be applied in the shifts and we will have identified the orientation of enough primes so that the search space for pubcrawl becomes small enough to be faster.
Twisting in the hashed version. Precomputation extends to the hashed version from Section 7: we simply precompute $C'$ which instead of $E_t$ includes $H(E_t)$ for all $E_t$ in the neighborhood of $E_0$. Again, this works directly for attacking a hashed version of CTIDH and the effective round-$r_{\max}$ curves in CSIDH. To use precomputation for different rounds, one can replace the starting curve $E_{-B}$ that is fed to the target device by the shift given exactly by the primes in $S_{r_{\max},s}$ (or, adaptively, by the part of the secret key that is known). This has the same effect as above: shifting all the curves $E_t$ with the same orientation closer towards $E_0$, hopefully so that the $H(E_t)$ are already in our database. If they are not, then likely the opposite orientation appeared when we faulted the computation.
Summary. The benefit of using the twist with precomputation is largest for the hashed versions: we need a brute force search from $E_0$ in any case, and so we would use on average as many steps per round as the precomputation takes. For the non-hashed versions, the expensive precomputation competes with meet-in-the-middle attacks running in square root time. This means that in the hashed version we do not need to amortize the precomputation cost over many targets and have a clear tradeoff between memory and having to recompute the same neighborhood searches over and over again.

Countermeasures
In this section, we present countermeasures against disorientation fault attacks from Section 3. We first review previous fault attacks on CSIDH and their countermeasures, as well as their influence on our attack in Section 9.1. We then discuss new countermeasures for one-point sampling from CSIDH and Elligator in Section 9.2, and estimate the costs of the countermeasures in Section 9.3.

Previous fault attacks and countermeasures
One way to recover secret keys is to target dummy isogenies with faults [10,28].
Although these attacks are implementation-specific, the proposed countermeasures impact our attack too. Typically, real isogenies are computed prior to dummy isogenies, but the order of real and dummy isogenies can be randomized [10,28] with essentially no computational overhead. When applied to dummy-based implementations, e.g., from [30,32], this randomization means dummy isogenies can appear in different rounds for each run, which makes the definitions of the curves $E_{r,\pm}$ almost obsolete. However, we can instead simply collect many faulted round-1 samples. Each faulty curve $E_t$ reveals a different set $S_t$ due to the randomization, and with enough samples, a statistical analysis will quickly reveal all the $e_{i,j}$ just from the number of appearances among the sets $S_t$, again recovering the secret key.
Adapted to CTIDH, there are two possible variants of this randomization countermeasure: One could either keep the queue of real isogenies per batch as described above, but insert dummy isogenies randomly instead of at the end of the queue, or fully randomize the order of isogeny computations per batch including the dummy operations. In the first case, faulting round $r$ if a dummy isogeny is computed in batch $B_i$ means that no prime from this batch appears in the missing set. This effect is the same as missing torsion and thus our attack remains feasible. The net effect matches increased failure probabilities $p_i$ and the larger neighborhoods simplify finding orientations. Note also that $p_i$ is inflated more for batches with more dummy isogenies. In the second case when the entire queue is randomized, the same arguments as for CSIDH apply, and we can recover the secret key from statistical information with round-1 samples only.
Many fault attacks produce invalid intermediate values. In [10] some low-level protections for dummy isogenies to detect fault injections are proposed. This approach does not prevent our disorientation attack, and is orthogonal to our proposed countermeasures. Its performance overhead for the CSIDH-512 implementation from [32] is reported to be 7%.
Faulting memory locations can identify dummy isogenies [11]. In addition to the countermeasures above, the authors of [11] recommend using dummy-free implementations when concerned about fault attacks, with a roughly twofold slowdown [16]. However, as described in Section 5.3, dummy-free implementations are vulnerable to disorientation faults too.
Lastly, [10] reports that its fault attack theoretically could lead to disorientation of a point. Although the probability for this to happen is shown to be negligible, the authors of [10] propose to counter this attack vector by checking the field of definition of each isogeny kernel generator (point $R$ in Step 7 of Algorithm 1). This is rather expensive, with an overhead of roughly 30% for the implementation from [32], but also complicates the disorientation faults proposed in this work. We further discuss this in Section 9.2. We note that our countermeasures are significantly cheaper, but do not prevent the theoretical fault effect from [10].

Protecting square checks against fault attacks
The attack described in Section 3 can be applied to all implementations of CSIDH that use a call to IsSquare to determine the orientations of the involved point(s). The main weakness is that the output of IsSquare is always interpreted as $s = 1$ or $s = -1$, and there is no obvious way of reusing parts of the computation to verify that the output is indeed related to the x-coordinate of the respective point. For instance, faulting the computation of the Legendre input $z = x^3 + Ax^2 + x$ results in a square check for a point unrelated to the actual x-coordinate in use, and yields a fault success probability of 50%.
Repeating square checks. One way to reduce the attacker's chances for a successful fault is to add redundant computations and repeat the execution of IsSquare $k$ times. In principle, this means that the attacker has to fault all $k$ executions successfully, hence reducing the overall fault success probability to $1/2^k$. However, if an attacker manages to reliably fault the computation of $z$ or the Legendre symbol computation or to skip instructions related to the redundant computations, they might be able to circumvent this countermeasure.
Repeated square checks have been proposed for a different fault attack scenario [10]. There, IsSquare is used to verify the correct orientation for each point that generates an isogeny kernel. However, this countermeasure significantly impacts the performance of CSIDH, and could be bypassed as above.
Using y-coordinates. In CSIDH, the field of definition of the y-coordinate determines the orientation of a point. So, another simple countermeasure relying on redundant computation is to work with both x- and y-coordinates, instead of x-only arithmetic. We can then easily recognize the orientation of each point.
But this leads again to a significant performance loss due to having to keep y-coordinates during all point multiplications and isogeny evaluations. We expect that this countermeasure is significantly more expensive than repeating IsSquare $k$ times for reasonable choices of $k$.
Using pseudo y-coordinates. We propose a more efficient countermeasure: compute pseudo y-coordinates after sampling points. We sample a random x-coordinate and set $z = x^3 + Ax^2 + x$. If $z$ is a square in $\mathbb{F}_p$, we can compute the corresponding y-coordinate $\tilde{y} \in \mathbb{F}_p$ through the exponentiation $\tilde{y} = \sqrt{z} = z^{(p+1)/4}$, and hence $\tilde{y}^2 = z$. Conversely, if $z$ is a non-square in $\mathbb{F}_p$, the same exponentiation outputs $\tilde{y} \in \mathbb{F}_p$ such that $\tilde{y}^2 = -z$. Thus, as an alternative to IsSquare, we can determine the orientation of the sampled point by computing $z = x^3 + Ax^2 + x$, and the pseudo y-coordinate $\tilde{y} = z^{(p+1)/4}$. If $\tilde{y}^2 = z$, the point has positive orientation; if $\tilde{y}^2 = -z$, it has negative orientation. If neither of these cases applies, i.e., $\tilde{y}^2 \neq \pm z$, a fault must have occurred during the exponentiation, and we reject the point.
This method may seem equivalent to computing the sign $s$ using IsSquare as it does not verify that $z$ has been computed correctly from $x$. But having an output value $\tilde{y} \in \mathbb{F}_p$ instead of the IsSquare output $-1$ or $1$ allows for a much stronger verification step in order to mitigate fault attacks on the point orientation. We present the details of the original CSIDH algorithm including this countermeasure in Algorithm 2.

Algorithm 2: Evaluation of CSIDH group action with countermeasure
Input: $A \in \mathbb{F}_p$ and a list of integers $(e_1, \dots, e_n)$.
Output: $B \in \mathbb{F}_p$ such that $\prod [l_i]^{e_i} * E_A = E_B$
1: while some $e_i \neq 0$ do
2: Sample a random $x \in \mathbb{F}_p$, defining a point $P$.
Steps 3 and 4 of Algorithm 2 contain our proposed method to determine the orientation $s$ without using IsSquare. In order to verify the correctness of these computations, we add a verification step. First, we recompute $z$ via $z' = x^3 + Ax^2 + x$, and in case of a correct execution, we have $z = z'$. Thus, we have $s \cdot z' = \tilde{y}^2$, which we can use as verification of the correctness of the computations of $s$, $z$, $z'$, and $\tilde{y}$. If this were implemented through a simple check, an attacker might be able to skip this check through fault injection. Hence, we perform the equality check through the multiplications and initialize $Q = (X_Q : Z_Q)$ only afterwards, in order to prevent an attacker from skipping Step 8. If $s \cdot z' = \tilde{y}^2$ holds as expected, this is merely a change of the projective representation of $Q'$, and thus leaves the point and its order unchanged. However, if $s \cdot z' \neq \tilde{y}^2$, this changes the x-coordinate $X_Q/Z_Q$ of $Q$ to a random value corresponding to a point of different order. If $Q$ does not have the required order before entering the isogeny loop, the isogeny computation will produce random outputs in $\mathbb{F}_p$ that do not represent supersingular elliptic curves with overwhelming probability. We can either output this random $\mathbb{F}_p$-value, or detect it through a supersingularity check (see [4,15]) at the end of the algorithm and abort. The attacker gains no information in either case. The supersingularity check can be replaced by a cheaper procedure [10]: Sampling a random point $P$ and checking if $[p + 1]P = \infty$ is much cheaper and has a very low probability of false positives, which is negligible in this case.
There are several ways in which an attacker may try to circumvent this countermeasure. A simple way to outmaneuver the verification is to perform the same fault in the computation of $z$ and $z'$, such that $z = z'$, but $z \neq x^3 + Ax^2 + x$. To mitigate this, we recommend computing $z'$ using a different algorithm and a different sequence of operations, so that there are no simple faults that can be repeated in both computations of $z$ and $z'$ that result in $z = z'$. Faults in the computation of both $z$ and $z'$ then lead to random $\mathbb{F}_p$-values, where the probability of $z = z'$ is $1/p$.
The attacker may still fault the computation of $s$ in Step 4 of Algorithm 2. However, this will now also flip the x-coordinate of $Q$ to $-x$, which in general results in a point of random order, leading to invalid outputs. The only known exception is the curve $E_0 : y^2 = x^3 + x$: In this case, flipping the x-coordinate corresponds to a distortion map taking $Q$ to a point of the same order on the quadratic twist. Thus, for $E_0$, flipping the sign $s$ additionally results in actually changing the orientation of $Q$, so these two errors effectively cancel each other in Algorithm 2 and the resulting curve is the correct output curve after all.
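The pseudo y-coordinate check, the second computation of $z'$ and the blinded initialization of $Q$ discussed above can be exercised in a few lines of field arithmetic. The following Python code is an added example, not code from the paper or from the CSIDH/CTIDH software. The toy prime $p = 419$, the function names, the fault hooks used for testing and the concrete blinding $X_Q = s \cdot z' \cdot x$, $Z_Q = \tilde{y}^2$ are assumptions; the text above only fixes the relation $s \cdot z' = \tilde{y}^2$.

```python
"""Pseudo y-coordinate orientation check with blinded point initialization.

Constructed toy parameter: p = 4*3*5*7 - 1 = 419 (p = 3 mod 4, as for CSIDH primes).
"""

P = 419


class FaultDetected(Exception):
    """The exponentiation output is not a square root of +z or -z."""


def rhs_direct(x, A, p=P):
    # z = x^3 + A*x^2 + x, evaluated term by term
    return (pow(x, 3, p) + A * pow(x, 2, p) + x) % p


def rhs_horner(x, A, p=P):
    # z' = ((x + A)*x + 1)*x: same polynomial, different operation sequence,
    # so one repeated fault is unlikely to corrupt z and z' identically
    return (((x + A) * x + 1) * x) % p


def is_square_orientation(z, p=P):
    # Unprotected baseline: Euler criterion, output is only ever +1 or -1
    return 1 if pow(z, (p - 1) // 2, p) == 1 else -1


def pseudo_y_orientation(z, p=P, fault_y=None):
    """Return (s, y2) with y2 = y~^2 = s*z, or raise FaultDetected."""
    y = pow(z, (p + 1) // 4, p)
    if fault_y is not None:          # test hook: corrupted exponentiation result
        y = fault_y % p
    y2 = y * y % p
    if y2 == z % p:
        return 1, y2
    if y2 == (-z) % p:
        return -1, y2
    raise FaultDetected("pseudo y-coordinate does not square to +z or -z")


def init_point(x, A, p=P, fault_z=None, flip_s=False, fault_y=None):
    """Return (s, (X_Q, Z_Q)) for the sampled x, with Q' = (x : 1).

    Assumed blinding: X_Q = s*z'*x and Z_Q = y~^2. If s*z' == y~^2 this is
    only a projective rescaling of Q'; otherwise X_Q/Z_Q is no longer x.
    """
    z = rhs_direct(x, A, p) if fault_z is None else fault_z % p
    if z == 0:
        raise ValueError("y = 0 for this x (2-torsion point); resample")
    s, y2 = pseudo_y_orientation(z, p, fault_y)
    if flip_s:                       # test hook: fault on the sign itself
        s = -s
    z_check = rhs_horner(x, A, p)    # independent recomputation z'
    return s, (s * z_check * x % p, y2)


def affine_x(point, p=P):
    X, Z = point
    return X * pow(Z, p - 2, p) % p  # Z != 0 because y~^2 = +-z and z != 0


if __name__ == "__main__":
    x, A = 2, 0
    print("clean   :", init_point(x, A), "-> x =", affine_x(init_point(x, A)[1]))
    print("z fault :", affine_x(init_point(x, A, fault_z=123)[1]), "(differs from x)")
    print("s fault :", affine_x(init_point(x, A, flip_s=True)[1]), "(equals -x mod p)")
```

With the unprotected `is_square_orientation`, half of all faulted values of $z$ silently yield the opposite sign; with `init_point`, every faulted $z$ changes the x-coordinate that enters the isogeny computation.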
Protecting Elligator. Recall from Section 3 that two-point variants of CSIDH, including CTIDH, use the Elligator map for two points simultaneously, which requires an execution of IsSquare in order to correctly allocate the sampled points to $P_+$ and $P_-$.
We can adapt the pseudo y-coordinate technique from Section 9.2: we determine orientations and verify their correctness by applying this countermeasure for both $P_+$ and $P_-$ separately. We dub this protected version of the Elligator sampling Elligreator. An additional benefit is that faulting the computations of the x-coordinates of the two points within Elligator (see [16, Algorithm 3]) is prevented by Elligreator.
In CTIDH, each round performs two Elligator samplings, and throws away one point respectively. Nevertheless, it is not known a priori which of the two points has the required orientation, so Elligreator needs to check both points anyway in order to find the point of correct orientation.
On the one hand, adding dummy computations, in this case sampling points but directly discarding some of them, might lead to different vulnerabilities such as safe-error attacks. On the other hand, sampling both points directly with Elligreator at the beginning of each round (at the cost of one additional isogeny evaluation) may lead to correlations between the sampled points, as argued in [3]. It is unclear which approach should be favored.

Implementation costs
Implementing this countermeasure is straightforward. While IsSquare requires an exponentiation by $(p - 1)/2$, our pseudo y-coordinate approach replaces this exponent by $(p + 1)/4$, which leads to roughly the same cost. (Note that neither has particularly low Hamming weight.) Furthermore, we require a handful of extra operations for computing $z'$, $X_Q$, and $Z_Q$ in Steps 7 and 8 of Algorithm 2. For the computation of $z'$ we used a different algorithm than is used for the computation of $z$, incurring a small additional cost, for the reason discussed above. Therefore, using this countermeasure in a 1-point variant of CSIDH will essentially not be noticeable in terms of performance, since the extra operations are negligible in comparison to the overall cost of the CSIDH action.
In 2-point variants, we use Elligreator, which requires two exponentiations instead of one as Elligator does. Thus, the countermeasure is expected to add a more significant, yet relatively small overhead in 2-point variants as in CTIDH. CTIDH uses two calls to Elligreator per round, and both executions contain two pseudo-y checks respectively. We estimate the cost of our countermeasure in CTIDH-512. The software of [3] reports an exponentiation by $(p - 1)/2$ to cost 602 multiplications (including squarings). Since CTIDH-512 requires roughly 20 rounds per run, we add two additional exponentiations by $(p + 1)/4$ per round, and these have almost the same cost of 602 multiplications, the overhead is approximately $2 \cdot 20 \cdot 602 = 24080$ multiplications. Ignoring the negligible amount of further multiplications we introduce, this comes on top of a CTIDH-512 group action, which takes 438006 multiplications on average. Thus, we expect the total overhead of our countermeasure to be roughly 5.5% in CTIDH-512.

Table 1: Example cost estimates per target curve for various pubcrawl instances, assuming each isogeny step takes 0.7 milliseconds and consumes 250 bytes. For example, an isogeny walk of length up to 10 between two given curves can be recovered using approximately 10 core days and 300 gigabytes of RAM, as it involves exploring two neighborhoods up to distance 5 from the two curves.

Fig. 3: Example isogeny graph of faulty curves obtained from attacking the fictitious CSIDH-103 implementation from Example 8. An edge labeled $i$ denotes the isogeny step $l_i$. The $E_B$ curve and the root faulty curves $E_{r,s}$ are rendered in black (from left to right: $E_{1,+}$, $E_{2,+}$, $E_{3,+}$, $E_B$, $E_{3,-}$, $E_{2,-}$, $E_{1,-}$), other faulty curves appearing in the dataset are gray, and white circles are "intermediate" curves discovered while connecting the components. The primes appearing on the connecting path between $E_{i,\pm}$ and $E_{i+1,\pm}$ are exactly the primes appearing $i$ times with orientation $\pm$. For example, the primes indexed by 2, 9, 19 appearing between $E_{1,+}$ and $E_{2,+}$ have exponent $+1$ in the secret key.
Example 4 for any two faulty curves $E_t$ and $E_{t'}$ that are effective round-$r$ samples of the same orientation, using Proposition 4.2. Let $E_t$ and $E_{t'}$ both be effective round-$r$ samples with the same orientation $s$ and missing torsion sets $S_t$ and $S_{t'}$. Let $S_\Delta$ denote the difference in sets $S_t$ and $S_{t'}$, i.e., $S_\Delta$