Abstract
Picnic is a digital signature algorithm designed to provide security against attacks by quantum computers. The design uses only symmetric-key primitives, and is an efficient instantiation of the MPC-in-the-head paradigm. In this work, we explore the Picnic design in great detail. We investigate and benchmark different parameter choices and show that there exist better parameter choices than those in the current specification. We also present improvements to the MPC protocol that shorten signatures and reduce signing time. The proposed MPC changes tailor the protocol to the circuit of interest in Picnic, but may also be of independent interest. Taken together, these changes give a new instantiation of Picnic that signs messages 7.9 to 13.9 times faster, and verifies signatures 4.5 to 5.5 times faster than the existing “Picnic2” design, while having nearly the same signature sizes.
Highlights
Digital signatures are a fundamental cryptographic primitive
NIST has solicited the design of new public-key signature algorithms with post-quantum security, i.e., security against attacks that use quantum computers [AASA+19]
The Picnic signature scheme is based on non-interactive zero-knowledge proofs of knowledge, where the proof of knowledge is instantiated using the MPC-in-the-head approach of Ishai et al. [IKOS07]
Summary
Digital signatures are a fundamental cryptographic primitive. Potential advances in quantum computing threaten to break the security of signature algorithms in wide use today. We find that using a full S-box layer (i.e., each bit in the state is input to an S-box in every round) performs better than the current instances. This option was missed in the original Picnic design since a full layer of 3-bit S-boxes requires the LowMC state size to be a multiple of three, which is not the case when κ is 128 or 256. A goal of this work was to optimize Picnic so that the existing security analysis of the overall design, as well as the analysis supporting the LowMC parameter changes, still applies. While these optimizations require changes to the specification, they could be applied to Picnic2 as tweaks, should it be selected for the third round of NIST's project. Our implementation and benchmarks focus on the x64 platform, but most of the optimizations are algorithmic in nature, and since the total work of Picnic3 is much lower than that of Picnic2, it should perform better on all platforms.
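The full versus partial S-box layer distinction in the summary above, as an added example that is not code from the paper or from the Picnic reference implementation: it implements the 3-bit LowMC S-box, applies it as a partial or a full layer over a bit-vector state, checks the divisibility-by-three constraint, and counts the AND gates that an MPC-in-the-head prover actually pays for. The state sizes in the demo (128, 129, 192, 256) and the 6-bit sample state are constructed for illustration; the concrete LowMC parameters of the new instance are not stated on this page. The linear layer and key addition are omitted because they contribute no AND gates.

```python
from typing import List, Tuple

Bits = List[int]


def lowmc_sbox(a: int, b: int, c: int) -> Tuple[int, int, int]:
    """The 3-bit LowMC S-box.

    S(a, b, c) = (a ^ bc, a ^ b ^ ac, a ^ b ^ c ^ ab).
    Each evaluation costs exactly three AND gates. The XORs are linear and are
    computed locally on the shares by the simulated MPC parties, so only the
    ANDs cost the prover communication/preprocessing.
    """
    return (a ^ (b & c), a ^ b ^ (a & c), a ^ b ^ c ^ (a & b))


def sbox_layer(state: Bits, num_sboxes: int) -> Bits:
    """Apply num_sboxes copies of the S-box to the first 3*num_sboxes bits.

    Any remaining bits pass through unchanged, which is what a *partial*
    S-box layer looks like. Raises if the S-boxes do not fit in the state.
    """
    if num_sboxes < 0 or 3 * num_sboxes > len(state):
        raise ValueError("%d S-boxes do not fit in a %d-bit state" % (num_sboxes, len(state)))
    out = list(state)
    for i in range(num_sboxes):
        out[3 * i : 3 * i + 3] = lowmc_sbox(*state[3 * i : 3 * i + 3])
    return out


def full_layer_possible(n: int) -> bool:
    """A full S-box layer covers every state bit, so n must be a multiple of 3."""
    return n > 0 and n % 3 == 0


def full_sbox_layer(state: Bits) -> Bits:
    """Full S-box layer: every bit of the state enters some S-box."""
    n = len(state)
    if not full_layer_possible(n):
        raise ValueError("a full S-box layer needs n divisible by 3, got n=%d" % n)
    return sbox_layer(state, n // 3)


def and_gates(num_sboxes: int, rounds: int) -> int:
    """Total AND gates over the whole cipher: 3 per S-box per round.

    This total, rather than the round count alone, drives Picnic signing time
    and signature size, which is why a full layer with fewer rounds can win.
    """
    return 3 * num_sboxes * rounds


def sbox_is_permutation() -> bool:
    """Sanity check: the S-box must be a bijection on the 8 possible 3-bit inputs."""
    outputs = {lowmc_sbox(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)}
    return len(outputs) == 8


if __name__ == "__main__":
    # Illustrative state sizes (assumption: n = kappa, then the next multiple of 3)
    for n in (128, 129, 192, 256):
        print("n=%d: full S-box layer possible? %s" % (n, full_layer_possible(n)))
    st = [1, 0, 0, 1, 1, 1]  # constructed 6-bit sample state
    print("partial layer (1 S-box): ", sbox_layer(st, 1))
    print("full layer    (2 S-boxes):", full_sbox_layer(st))
    print("AND gates, 43 S-boxes x 4 rounds:", and_gates(43, 4))
```

The check in full_layer_possible is the constraint the summary refers to: with n = κ = 128 or 256 the layer cannot cover the whole state, so a full-layer instance must pick a nearby state size that is divisible by three.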