Revisiting Higher-Order Masked Comparison for Lattice-Based Cryptography: Algorithms and Bit-Sliced Implementations

Cited by: 5
Authors
D'Anvers, Jan-Pieter [1 ]
Van Beirendonck, Michiel [1 ]
Verbauwhede, Ingrid [1 ]
Affiliations
[1] Katholieke Univ Leuven, Imec, COSIC, Leuven, Belgium
Funding
Research Foundation Flanders (FWO), Belgium; European Union Horizon 2020;
Keywords
Encryption; Arithmetic; Security; Side-channel attacks; Costs; Standards; NIST; Post-quantum cryptography; lattice-based cryptography; side-channel protection; masking; ATTACKS;
DOI
10.1109/TC.2022.3197074
CLC classification number
TP3 [Computing technology, computer technology];
Subject classification code
0812;
Abstract
Masked comparison is one of the most expensive operations in side-channel secure implementations of lattice-based post-quantum cryptography, especially for higher masking orders. First, we introduce two new masked comparison algorithms, which improve the arithmetic comparison of D'Anvers et al. (2021) and the hybrid comparison method of Coron et al. (2021), respectively. We then look into implementation-specific optimizations and show that small, targeted adaptations can have a significant impact on the overall performance. Finally, we implement various state-of-the-art comparison algorithms and benchmark them on the same platform (ARM Cortex-M4) to allow a fair comparison between them. We improve on the arithmetic comparison of D'Anvers et al. by a factor of ≈ 20% by using Galois field multiplications, and on the hybrid comparison of Coron et al. by a factor of ≈ 25% by streamlining the design. Our implementation-specific improvements yield a speedup of ≈ 33% over a straightforward comparison implementation. We discuss the differences between the various algorithms and provide the implementations and a testing framework to ease future research.
Pages: 321 / 332
Page count: 12
Related papers
3 in total
  • [1] Higher-Order Masked Ciphertext Comparison for Lattice-Based Cryptography
    D'Anvers, Jan-Pieter; Heinz, Daniel; Pessl, Peter; Van Beirendonck, Michiel; Verbauwhede, Ingrid
    IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022, 2022(2): 115-139
  • [2] Efficient Implementations of Sieving and Enumeration Algorithms for Lattice-Based Cryptography
    Satilmis, Hami; Akleylek, Sedat; Lee, Cheng-Chi
    Mathematics, 2021, 9(14)
  • [3] Attacking and Defending Masked Polynomial Comparison for Lattice-Based Cryptography
    Bhasin, Shivam; D'Anvers, Jan-Pieter; Heinz, Daniel; Pöppelmann, Thomas; Van Beirendonck, Michiel
    IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021, 2021(3): 334-359