TY  - JOUR
AU  - Coron, Jean-Sébastien
AU  - Gérard, François
AU  - Montoya, Simon
AU  - Zeitoun, Rina
PY  - 2022/11/29
Y2  - 2024/03/29
TI  - High-order Polynomial Comparison and Masking Lattice-based Encryption
JF  - IACR Transactions on Cryptographic Hardware and Embedded Systems
JA  - TCHES
VL  - 2023
IS  - 1
SE  - Articles
DO  - 10.46586/tches.v2023.i1.153-192
UR  - https://tches.iacr.org/index.php/TCHES/article/view/9950
SP  - 153-192
AB  - The main protection against side-channel attacks consists in computing every function with multiple shares via the masking countermeasure. For IND-CCA secure lattice-based encryption schemes, the masking of the decryption algorithm requires the high-order computation of a polynomial comparison. In this paper, we describe and evaluate a number of different techniques for such high-order comparison, always with a security proof in the ISW probing model. As an application, we describe the full high-order masking of the NIST standard Kyber, with a concrete implementation on ARM Cortex M architecture, and a t-test evaluation.
ER  - 