Paper 2024/1291

Raccoon: A Masking-Friendly Signature Proven in the Probing Model

Rafaël del Pino, PQShield
Shuichi Katsumata, PQShield, National Institute of Advanced Industrial Science and Technology
Thomas Prest, PQShield
Mélissa Rossi, ANSSI
Abstract

This paper presents Raccoon, a lattice-based signature scheme submitted to the NIST 2022 call for additional post-quantum signatures. Raccoon has the specificity of always being masked. Concretely, all sensitive intermediate values are shared into $d$ parts. The main design rationale of Raccoon is to be easy to mask at high orders, and this dictated most of its design choices, such as the introduction of new algorithmic techniques for sampling small errors. As a result, Raccoon achieves a masking overhead $O(d \log d)$ that compares favorably with the overheads $O(d^2 \log q)$ observed when masking standard lattice signatures. In addition, we formally prove the security of Raccoon in the $t$-probing model: an attacker is able to probe $t \leq d - 1$ shares during each execution of the main algorithms (key generation, signing, verification). While for most cryptographic schemes the black-box and $t$-probing security can be studied in isolation, in Raccoon this analysis is performed jointly. To that end, a bridge must be made between the black-box game-based EUF-CMA proof and the usual simulation proofs of the ISW model (CRYPTO 2003). We formalize an end-to-end masking proof by deploying the probing EUF-CMA introduced by Barthe et al. (Eurocrypt 2018) and exhibiting the simulators of the non-interference properties (Barthe et al., CCS 2016). The proof is divided into three novel parts:
- a simulation proof in the ISW model that allows propagating the dependency to a restricted number of inputs and random coins,
- a game-based proof showing that the security of Raccoon with probes can be reduced to an instance of Raccoon with smaller parameters,
- a parameter study to ensure that the smaller instance is secure, using a robust generalization of the Rényi divergence.
While we apply our techniques to Raccoon, we expect that the algorithmic and proof techniques we introduce will be helpful for the design and analysis of future masking-friendly schemes.
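The abstract rests on two ideas: every sensitive value is kept as $d$ additive shares, and an attacker who sees at most $t \leq d - 1$ of them learns nothing about the value. The following Python is an added illustration of those two ideas, not code from the paper or from the Raccoon submission. It uses a toy modulus (Q = 17 for the arithmetic, q = 5 for the exhaustive probing check), both chosen here for readability and unrelated to Raccoon's actual parameters. It shows share-wise linear operations (whose cost grows only linearly in $d$, which is why linear steps are cheap to mask) and an exhaustive check that the joint distribution of any $t < d$ shares is identical for every secret, i.e. a simulator could produce those probe values without knowing the secret, while $t = d$ probes do determine it.

```python
import secrets
from collections import Counter
from itertools import combinations, product

Q = 17  # toy modulus for the sharing arithmetic (constructed, not a Raccoon parameter)


def share(x, d, q=Q):
    """Split x into d additive shares mod q: the first d-1 are uniform coins,
    the last one is fixed so that the shares sum to x."""
    shares = [secrets.randbelow(q) for _ in range(d - 1)]
    shares.append((x - sum(shares)) % q)
    return shares


def unshare(shares, q=Q):
    """Recombine shares into the clear value."""
    return sum(shares) % q


def masked_add(a, b, q=Q):
    """Addition of two shared values: share-wise, O(d), no cross-share interaction."""
    return [(x + y) % q for x, y in zip(a, b)]


def masked_scalar_mul(c, a, q=Q):
    """Multiplication of a shared value by a public constant: also share-wise."""
    return [(c * x) % q for x in a]


def refresh(a, q=Q):
    """Re-randomise the shares of a without changing the encoded value
    by adding a fresh sharing of zero."""
    return masked_add(a, share(0, len(a), q), q)


def probe_view_distribution(x, d, positions, q):
    """Exact distribution of the shares at `positions` when x is shared with d shares,
    obtained by enumerating all q^(d-1) choices of the random coins."""
    counts = Counter()
    for coins in product(range(q), repeat=d - 1):
        s = list(coins) + [(x - sum(coins)) % q]
        counts[tuple(s[i] for i in positions)] += 1
    return counts


def probes_independent_of_secret(d, t, q):
    """True iff, for every choice of t probe positions, the probed view has the same
    distribution for every secret x in Z_q. This is the property a simulator relies on
    in the t-probing model; it holds for t <= d-1 and fails for t = d."""
    for positions in combinations(range(d), t):
        reference = probe_view_distribution(0, d, positions, q)
        for x in range(1, q):
            if probe_view_distribution(x, d, positions, q) != reference:
                return False
    return True


if __name__ == "__main__":
    d = 4
    a, b = share(3, d), share(9, d)
    print("a + b      =", unshare(masked_add(a, b)))          # 12
    print("5 * a      =", unshare(masked_scalar_mul(5, a)))   # 15
    print("refresh(a) =", unshare(refresh(a)))                # 3
    print("d=3, t=2 probes independent of secret:", probes_independent_of_secret(3, 2, 5))
    print("d=3, t=3 probes independent of secret:", probes_independent_of_secret(3, 3, 5))
```

The exhaustive check is deliberately restricted to a tiny modulus so that it is a proof by enumeration rather than a statistical estimate. The linear operations above are the easy half of masking; the abstract's point is that Raccoon is designed so that the expensive, non-linear steps (in particular sampling small errors) are also arranged to keep the total cost near $O(d \log d)$ instead of the $O(d^2 \log q)$ typical of masking other lattice signatures.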

Note: This is the conference version for CRYPTO 2024. This submission will be updated to fit the eprint format.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published by the IACR in CRYPTO 2024
Keywords
Raccoon signature, t-probing model, side-channel attacks
Contact author(s)
rafael del pino @ pqshield com
shuichi katsumata @ pqshield com
thomas prest @ pqshield com
melissa mv rossi @ gmail com
History
2024-08-20: approved
2024-08-16: received
Short URL
https://ia.cr/2024/1291
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1291,
      author = {Rafaël del Pino and Shuichi Katsumata and Thomas Prest and Mélissa Rossi},
      title = {Raccoon: A Masking-Friendly Signature Proven in the Probing Model},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1291},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1291}
}