Picnic
- Algorithm type: Digital signature scheme.
- Main cryptographic assumption: hash function security (ROM/QROM), key recovery attacks on the lowMC block cipher.
- Principal submitters: Greg Zaverucha, Melissa Chase, David Derler, Steven Goldfeder, Claudio Orlandi, Sebastian Ramacher, Christian Rechberger, Daniel Slamanig, Jonathan Katz, Xiao Wang, Vladmir Kolesnikov.
- Authors’ website: https://microsoft.github.io/Picnic/
- Specification version: 3.0.17.
- Primary Source:
- Source: https://github.com/IAIK/Picnic
- Implementation license (SPDX-Identifier): MIT
Test limitation
This algorithm is not tested under Windows using the “msys2” tool chain (due to https://github.com/open-quantum-safe/liboqs/issues/1218).
Parameter set summary
Parameter set | Security model | Claimed NIST Level | Public key size (bytes) | Secret key size (bytes) | Signature size (bytes) |
---|---|---|---|---|---|
picnic_L1_FS | EUF-CMA | 1 | 33 | 49 | 34036 |
picnic_L1_UR | EUF-CMA | 1 | 33 | 49 | 53965 |
picnic_L1_full | EUF-CMA | 1 | 35 | 52 | 32065 |
picnic_L3_FS | EUF-CMA | 3 | 49 | 73 | 76776 |
picnic_L3_UR | EUF-CMA | 3 | 49 | 73 | 121849 |
picnic_L3_full | EUF-CMA | 3 | 49 | 73 | 71183 |
picnic_L5_FS | EUF-CMA | 5 | 65 | 97 | 132860 |
picnic_L5_UR | EUF-CMA | 5 | 65 | 97 | 209510 |
picnic_L5_full | EUF-CMA | 5 | 65 | 97 | 126290 |
picnic3_L1 | EUF-CMA | 1 | 35 | 52 | 14612 |
picnic3_L3 | EUF-CMA | 3 | 49 | 73 | 35028 |
picnic3_L5 | EUF-CMA | 5 | 65 | 97 | 61028 |
picnic_L1_FS implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
‡For an explanation of what this denotes, consult the Explanation of Terms section at the end of this file.
picnic_L1_UR implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic_L1_full implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic_L3_FS implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic_L3_UR implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic_L3_full implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic_L5_FS implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic_L5_UR implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic_L5_full implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic3_L1 implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic3_L3 implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
picnic3_L5 implementation characteristics
Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
---|---|---|---|---|---|---|---|
Primary Source | master | All | All | None | True | True | False |
Primary Source | master | x86_64 | Linux | AVX2,SSE2 | True | True | False |
Primary Source | master | x86_64 | Darwin,Windows | SSE2 | True | True | False |
Are implementations chosen based on runtime CPU feature detection? Yes.
Explanation of Terms
- Large Stack Usage: Implementations identified as having such may cause failures when running in threads or in constrained environments.