Raccoon: A Masking-Friendly Signature Proven in the Probing Model

Rafaël del Pino; Shuichi Katsumata; Thomas Prest; Mélissa Rossi

Paper 2024/1291

Raccoon: A Masking-Friendly Signature Proven in the Probing Model

Rafaël del Pino

, PQShield

Shuichi Katsumata

, PQShield, National Institute of Advanced Industrial Science and Technology

Thomas Prest

, PQShield

Mélissa Rossi

, ANSSI

Abstract

This paper presents Raccoon, a lattice-based signature scheme submitted to the NIST 2022 call for additional post-quantum signatures. Raccoon has the specificity of always being masked. Concretely, all sensitive intermediate values are shared into 𝑑 parts. The main design rationale of Raccoon is to be easy to mask at high orders, and this dictated most of its design choices, such as the introduction of new algorithmic techniques for sampling small errors. As a result, Raccoon achieves a masking overhead that compares favorably with the overheads observed when masking standard lattice signatures. In addition, we formally prove the security of Raccoon in the 𝑡-probing model: an attacker is able to probe shares during each execution of the main algorithms (key generation, signing, verification). While for most cryptographic schemes, the black-box 𝑡-probing security can be studied in isolation, in Raccoon this analysis is performed jointly. To that end, a bridge must be made between the black-box game-based EUF-CMA proof and the usual simulation proofs of the ISW model (CRYPTO 2003). We formalize an end-to-end masking proof by deploying the probing EUF-CMA introduced by Barthe et al.(Eurocrypt 2018) and exhibiting the simulators of the non-interference properties (Barthe et al. CCS 2016). The proof is divided into three novel parts: - a simulation proof in the ISW model that allows to propagate the dependency to a restricted number of inputs and random coins, - a game-based proof showing that the security of Raccoon with probes can be reduced to an instance of Raccoon with smaller parameters, - a parameter study to ensure that the smaller instance is secure, using a robust generalization of the Rényi divergence. While we apply our techniques to Raccoon, we expect that the algorithmic and proof techniques we introduce will be helpful for the design and analysis of future masking-friendly schemes.

Note: Added proofs and corrected statements (see Footnotes 4 and 5).

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: A minor revision of an IACR publication in CRYPTO 2024
Keywords: Raccoon signature 𝑡-probing model side-channel attacks
Contact author(s): rafael del pino @ pqshield com
shuichi katsumata @ pqshield com
thomas prest @ pqshield com
melissa mv rossi @ gmail com
History: 2025-02-04: revised; 2024-08-16: received; See all versions
Short URL: https://ia.cr/2024/1291
License: CC BY

BibTeX

@misc{cryptoeprint:2024/1291,
      author = {Rafaël del Pino and Shuichi Katsumata and Thomas Prest and Mélissa Rossi},
      title = {Raccoon: A Masking-Friendly Signature Proven in the Probing Model},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1291},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1291}
}