Introduction
Raccoon is a digital signature scheme submitted to the NIST Call for Additional Post-Quantum Signature Schemes proposed by the Raccoon Team.
The authors can be contacted by email at authors [at] raccoonfamily [dot] org.
The Raccoon signature scheme is based on the Fiat-Shamir transform from a Schnorr lattice-based signature with a fine-tuned analysis to prevent the use of the rejection-sampling method and Gaussian sampling, enabling the use of masking techniques —a countermeasure against side-channel attacks— on the secret keys during the signature algorithm.
Furthermore, the security of Raccoon relies on standard assumptions on module lattices, which are the same one used in the (selected) standard Dilithium. These assumptions are well studied since a decade and have shown to be robust while offering fair parameter size.
Highlights
The Raccoon signature scheme has been designed to ensure the ease of implementation as well as
- Masking. The main design of Raccoon makes it possible to enable the use of efficient masking techniques. Raccoon can be masked with a quasi-linear overhead with respect to the masking order. This allows masking at high orders with a small impact on efficiency.
- Standard lattice assumptions. The security of Raccoon relies on (variants) of lattice assumptions that are well-understood. Namely, these assumptions are Module-LWE and Module-SIS similarly to the primary standard Dilithium.
- Simple and portable implementations. The design of Raccoon relies on two points to ease the implementation on a wide range of platforms. First, the error distribution is a sum of uniforms, thus avoiding the implementation of Gaussian sampling. Then, the selected 49-bit modulus splits into a 24 and 25-bit moduli, which facilitates implementations on 32-bit architecture.
Performances
| Parameter level | Shares | Verification key size (kB) | Signing key size (kB) | Signature size (kB) |
|---|---|---|---|---|
| 1 | 1 | 2.256 | 14.800 | 11.524 |
| 1 | 32 | 2.256 | 15.296 | 11.524 |
| 3 | 1 | 3.160 | 18.840 | 14.544 |
| 3 | 32 | 3.160 | 19.584 | 14.544 |
| 5 | 1 | 4.064 | 26.016 | 20.330 |
| 5 | 32 | 4.064 | 27.008 | 20.330 |
| Parameter level | Shares | Keygen (ms) | Sign (ms) | Verify (ms) |
|---|---|---|---|---|
| 1 | 1 | 1.000 | 2.281 | 0.832 |
| 1 | 32 | 19.829 | 35.104 | 0.832 |
| 3 | 1 | 1.540 | 3.248 | 1.309 |
| 3 | 32 | 26.451 | 46.867 | 1.309 |
| 5 | 1 | 2.462 | 4.764 | 2.156 |
| 5 | 32 | 36.587 | 63.972 | 2.156 |
| Parameter level | Shares | Keygen (kB) | Sign (kB) | Verify (kB) |
|---|---|---|---|---|
| 1 | 1 | 24.784 | 155.952 | 53.488 |
| 1 | 32 | 283.360 | 922.480 | 53.488 |
| 3 | 1 | 28.896 | 233.808 | 65.776 |
| 3 | 32 | 287.472 | 1127.296 | 65.776 |
| 5 | 1 | 37.088 | 373.072 | 82.176 |
| 5 | 32 | 295.664 | 1520.512 | 82.176 |
Reference implementation running time in millisecond (scale on the left side) and stack usage in kilobytes (scale on the right side) as functions of the number of shares d for Keygen and Sign, for NIST levels I, III and V.