The Insecurity of Masked Comparisons: SCAs on ML-KEM's FO-Transform

NIST released the draft standard for ML-KEM, and we can expect its widespread use in the embedded world in the near future. Several side-channel attacks have been proposed, and one line of research has focused on attacks against the comparison step of the FO-transform. A work published at TCHES 2022 stressed the need for secure higher-order masked comparisons beyond the t-probing model and proposed a higher-order masked comparison method. Subsequently, D'Anvers, Van Beirendonck, and Verbauwhede improved upon the performance of several previous proposals; their higher-order masked algorithm currently achieves the highest performance for masked comparisons.