Raccoon

Introduction

Raccoon is a digital signature scheme submitted to the NIST Call for Additional Post-Quantum Signature Schemes proposed by the Raccoon Team.
The authors can be contacted by email at authors [at] raccoonfamily [dot] org.

The Raccoon signature scheme is based on the Fiat-Shamir transform from a Schnorr lattice-based signature with a fine-tuned analysis to prevent the use of the rejection-sampling method and Gaussian sampling, enabling the use of masking techniques —a countermeasure against side-channel attacks— on the secret keys during the signature algorithm.

Furthermore, the security of Raccoon relies on standard assumptions on module lattices, which are the same one used in the (selected) standard Dilithium. These assumptions are well studied since a decade and have shown to be robust while offering fair parameter size.

Highlights

The Raccoon signature scheme has been designed to ensure the ease of implementation as well as

  • Masking. The main design of Raccoon makes it possible to enable the use of efficient masking techniques. Raccoon can be masked with a quasi-linear overhead with respect to the masking order. This allows masking at high orders with a small impact on efficiency.
  • Standard lattice assumptions. The security of Raccoon relies on (variants) of lattice assumptions that are well-understood. Namely, these assumptions are Module-LWE and Module-SIS similarly to the primary standard Dilithium.
  • Simple and portable implementations. The design of Raccoon relies on two points to ease the implementation on a wide range of platforms. First, the error distribution is a sum of uniforms, thus avoiding the implementation of Gaussian sampling. Then, the selected 49-bit modulus splits into a 24 and 25-bit moduli, which facilitates implementations on 32-bit architecture.

Performances

Key sizes for the different parameter levels with a number of shares d = 1 (no masking) and d = 32.
Parameter level Shares Verification key size (kB) Signing key size (kB) Signature size (kB)
1 1 2.256 14.800 11.524
1 32 2.256 15.296 11.524
3 1 3.160 18.840 14.544
3 32 3.160 19.584 14.544
5 1 4.064 26.016 20.330
5 32 4.064 27.008 20.330
Timing of the reference implementation runnning on a desktop computer with an Intel i7-12700 CPU running at 2.1GHz.
Parameter level Shares Keygen (ms) Sign (ms) Verify (ms)
1 1 1.000 2.281 0.832
1 32 19.829 35.104 0.832
3 1 1.540 3.248 1.309
3 32 26.451 46.867 1.309
5 1 2.462 4.764 2.156
5 32 36.587 63.972 2.156
Memory consumption of the reference implementation (stack usage).
Parameter level Shares Keygen (kB) Sign (kB) Verify (kB)
1 1 24.784 155.952 53.488
1 32 283.360 922.480 53.488
3 1 28.896 233.808 65.776
3 32 287.472 1127.296 65.776
5 1 37.088 373.072 82.176
5 32 295.664 1520.512 82.176

Reference implementation running time in millisecond (scale on the left side) and stack usage in kilobytes (scale on the right side) as functions of the number of shares d for Keygen and Sign, for NIST levels I, III and V.