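@comment{Cleaned Zotero/TCHES export. The citation key was renamed from
  "D'Anvers_Heinz_Pessl_Van Beirendonck_Verbauwhede_2022": the exported key
  contained a space and a non-ASCII apostrophe, which classic BibTeX does not
  accept; update any citation of the old key. Other repairs: HTML tags removed
  from the abstract, month given as the standard macro, page range uses a
  double hyphen, apostrophe in the first author's surname made ASCII, and the
  Zotero-specific "abstractNote" field renamed to the standard "abstract".}
@article{danvers2022comparison,
  author   = {D'Anvers, Jan-Pieter and Heinz, Daniel and Pessl, Peter and Van Beirendonck, Michiel and Verbauwhede, Ingrid},
  title    = {Higher-Order Masked Ciphertext Comparison for Lattice-Based Cryptography},
  journal  = {{IACR} Transactions on Cryptographic Hardware and Embedded Systems},
  volume   = {2022},
  number   = {2},
  pages    = {115--139},
  year     = {2022},
  month    = feb,
  doi      = {10.46586/tches.v2022.i2.115-139},
  url      = {https://tches.iacr.org/index.php/TCHES/article/view/9483},
  abstract = {Checking the equality of two arrays is a crucial building block of the Fujisaki-Okamoto transformation, and as such it is used in several post-quantum key encapsulation mechanisms including Kyber and Saber. While this comparison operation is easy to perform in a black box setting, it is hard to efficiently protect against side-channel attacks. For instance, the hash-based method by Oder et al. is limited to first-order masking, a higher-order method by Bache et al. was shown to be flawed, and a very recent higher-order technique by Bos et al. suffers in runtime. In this paper, we first demonstrate that the hash-based approach, and likely many similar first-order techniques, succumb to a relatively simple side-channel collision attack. We can successfully recover a Kyber512 key using just 6000 traces. While this does not break the security claims, it does show the need for efficient higher-order methods. We then present a new higher-order masked comparison algorithm based on the (insecure) higher-order method of Bache et al. Our new method is 4.2x, resp. 7.5x, faster than the method of Bos et al. for a 2nd, resp. 3rd, -order masking on the ARM Cortex-M4, and unlike the method of Bache et al., the new technique takes ciphertext compression into account. We prove correctness, security, and masking security in detail and provide performance numbers for 2nd and 3rd-order implementations. Finally, we verify our the side-channel security of our implementation using the test vector leakage assessment (TVLA) methodology.},
}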