Added picnic-full params, replaced picnic2 with picnic3; unpined circ…

…leci from v0.3.0 (#62)

Fixes #60

.circleci/config.yml

@@ -13,7 +13,7 @@ version: 2
           useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
     - run:
         name: Clone liboqs
-        command: .circleci/git_no_checkin_in_last_day.sh || (env LIBOQS_BRANCH=0.3.0 ./oqs-scripts/clone_liboqs.sh)
+        command: .circleci/git_no_checkin_in_last_day.sh || (./oqs-scripts/clone_liboqs.sh)
     - run:
         name: Build liboqs
         command: .circleci/git_no_checkin_in_last_day.sh || (./oqs-scripts/build_liboqs.sh)

README.md

@@ -123,7 +123,7 @@ On **macOS**, you need to install the following packages using brew (or a packag
 The following instructions install liboqs into a subdirectory inside the OpenSSH source. If `<OPENSSH_ROOT>` is the root of the OpenSSH source:
 
 ```
-git clone --branch 0.3.0 --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git
+git clone --branch master --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git
 cd liboqs
 mkdir build && cd build
 cmake .. -GNinja -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX=<OPENSSH_ROOT>/oqs

configure.ac

@@ -3760,7 +3760,7 @@ if test "x$with_liboqs" = "xyes" ; then
 	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 				#include <oqs/oqs.h>
 			]], [[
-					#if defined(OQS_ENABLE_SIG_PICNIC) || (defined(OQS_ENABLE_SIG_picnic_L1_UR))
+					#if defined(OQS_ENABLE_SIG_PICNIC) || (defined(OQS_ENABLE_SIG_picnic_L1_FS) && defined(OQS_ENABLE_SIG_picnic3_L1))
 					#else
 					#error "PICNIC is not supported"
 					#endif

oqs-template/generate.yml

@@ -62,17 +62,23 @@ sigs:
     family: "PICNIC"
     variants:
       -
-        enable: false
+        enable: true
         name: "PICNIC_L1FS"
         oqs_meth: "OQS_SIG_alg_picnic_L1_FS"
         mix_with: [{'name':'rsa3072'},
                    {'name': 'p256', 'curve':'NID_X9_62_prime256v1'}]
       -
-        enable: true
+        enable: false
         name: "PICNIC_L1UR"
         oqs_meth: "OQS_SIG_alg_picnic_L1_UR"
         mix_with: [{'name':'rsa3072'},
                    {'name': 'p256', 'curve':'NID_X9_62_prime256v1'}]
+      -
+        enable: false
+        name: "PICNIC_L1FULL"
+        oqs_meth: "OQS_SIG_alg_picnic_L1_full"
+        mix_with: [{'name':'rsa3072'},
+                   {'name': 'p256', 'curve':'NID_X9_62_prime256v1'}]
       -
         enable: false
         name: "PICNIC_L3FS"
@@ -83,6 +89,11 @@ sigs:
         name: "PICNIC_L3UR"
         oqs_meth: "OQS_SIG_alg_picnic_L3_UR"
         mix_with: [{'name': 'p384', 'curve':'NID_secp384r1'}]
+      -
+        enable: false
+        name: "PICNIC_L3FULL"
+        oqs_meth: "OQS_SIG_alg_picnic_L3_full"
+        mix_with: [{'name': 'p384', 'curve':'NID_secp384r1'}]
       -
         enable: false
         name: "PICNIC_L5FS"
@@ -95,19 +106,24 @@ sigs:
         mix_with: [{'name': 'p521', 'curve':'NID_secp521r1'}]
       -
         enable: false
-        name: "PICNIC2_L1FS"
-        oqs_meth: "OQS_SIG_alg_picnic2_L1_FS"
+        name: "PICNIC_L5FULL"
+        oqs_meth: "OQS_SIG_alg_picnic_L5_full"
+        mix_with: [{'name': 'p521', 'curve':'NID_secp521r1'}]
+      -
+        enable: true
+        name: "PICNIC3_L1"
+        oqs_meth: "OQS_SIG_alg_picnic3_L1"
         mix_with: [{'name':'rsa3072'},
                    {'name': 'p256', 'curve':'NID_X9_62_prime256v1'}]
       -
         enable: false
-        name: "PICNIC2_L3FS"
-        oqs_meth: "OQS_SIG_alg_picnic2_L3_FS"
+        name: "PICNIC3_L3"
+        oqs_meth: "OQS_SIG_alg_picnic3_L3"
         mix_with: [{'name': 'p384', 'curve':'NID_secp384r1'}]
       -
         enable: false
-        name: "PICNIC2_L5FS"
-        oqs_meth: "OQS_SIG_alg_picnic2_L5_FS"
+        name: "PICNIC3_L5"
+        oqs_meth: "OQS_SIG_alg_picnic3_L5"
         mix_with: [{'name': 'p521', 'curve':'NID_secp521r1'}]
   -
     family: "QTESLA"

oqs-test/test_openssh.py

@@ -9,9 +9,9 @@
     sig_algs += [
 ##### OQS_TEMPLATE_FRAGMENT_LIST_SIGS_START
     # post-quantum only sigs
-    'ssh-oqsdefault','ssh-dilithium2','ssh-falcon512','ssh-mqdss3148','ssh-picnicl1ur','ssh-qteslapi','ssh-rainbowiaclassic','ssh-rainbowiiicclassic','ssh-rainbowvcclassic','ssh-sphincsharaka128frobust','ssh-sphincssha256128frobust','ssh-sphincsshake256128frobust',
+    'ssh-oqsdefault','ssh-dilithium2','ssh-falcon512','ssh-mqdss3148','ssh-picnicl1fs','ssh-picnic3l1','ssh-qteslapi','ssh-rainbowiaclassic','ssh-rainbowiiicclassic','ssh-rainbowvcclassic','ssh-sphincsharaka128frobust','ssh-sphincssha256128frobust','ssh-sphincsshake256128frobust',
     # hybrid sigs
-    'ssh-rsa3072-oqsdefault','ssh-p256-oqsdefault','ssh-rsa3072-dilithium2','ssh-p256-dilithium2','ssh-rsa3072-falcon512','ssh-p256-falcon512','ssh-rsa3072-mqdss3148','ssh-p256-mqdss3148','ssh-rsa3072-picnicl1ur','ssh-p256-picnicl1ur','ssh-rsa3072-qteslapi','ssh-p256-qteslapi','ssh-rsa3072-rainbowiaclassic','ssh-p256-rainbowiaclassic','ssh-p384-rainbowiiicclassic','ssh-p521-rainbowvcclassic','ssh-rsa3072-sphincsharaka128frobust','ssh-p256-sphincsharaka128frobust','ssh-rsa3072-sphincssha256128frobust','ssh-p256-sphincssha256128frobust','ssh-rsa3072-sphincsshake256128frobust','ssh-p256-sphincsshake256128frobust',
+    'ssh-rsa3072-oqsdefault','ssh-p256-oqsdefault','ssh-rsa3072-dilithium2','ssh-p256-dilithium2','ssh-rsa3072-falcon512','ssh-p256-falcon512','ssh-rsa3072-mqdss3148','ssh-p256-mqdss3148','ssh-rsa3072-picnicl1fs','ssh-p256-picnicl1fs','ssh-rsa3072-picnic3l1','ssh-p256-picnic3l1','ssh-rsa3072-qteslapi','ssh-p256-qteslapi','ssh-rsa3072-rainbowiaclassic','ssh-p256-rainbowiaclassic','ssh-p384-rainbowiiicclassic','ssh-p521-rainbowvcclassic','ssh-rsa3072-sphincsharaka128frobust','ssh-p256-sphincsharaka128frobust','ssh-rsa3072-sphincssha256128frobust','ssh-p256-sphincssha256128frobust','ssh-rsa3072-sphincsshake256128frobust','ssh-p256-sphincsshake256128frobust',
 ##### OQS_TEMPLATE_FRAGMENT_LIST_SIGS_END
 ]
 

oqs-utils.h

@@ -7,7 +7,8 @@
 				strcmp(alg, "ssh-rsa3072-dilithium2") == 0 || \
 				strcmp(alg, "ssh-rsa3072-falcon512") == 0 || \
 				strcmp(alg, "ssh-rsa3072-mqdss3148") == 0 || \
-				strcmp(alg, "ssh-rsa3072-picnicl1ur") == 0 || \
+				strcmp(alg, "ssh-rsa3072-picnicl1fs") == 0 || \
+				strcmp(alg, "ssh-rsa3072-picnic3l1") == 0 || \
 				strcmp(alg, "ssh-rsa3072-qteslapi") == 0 || \
 				strcmp(alg, "ssh-rsa3072-rainbowiaclassic") == 0 || \
 				strcmp(alg, "ssh-rsa3072-sphincsharaka128frobust") == 0 || \
@@ -19,7 +20,8 @@
 				alg == KEY_RSA3072_DILITHIUM_2 || \
 				alg == KEY_RSA3072_FALCON_512 || \
 				alg == KEY_RSA3072_MQDSS_31_48 || \
-				alg == KEY_RSA3072_PICNIC_L1UR || \
+				alg == KEY_RSA3072_PICNIC_L1FS || \
+				alg == KEY_RSA3072_PICNIC3_L1 || \
 				alg == KEY_RSA3072_QTESLA_P_I || \
 				alg == KEY_RSA3072_RAINBOW_IA_CLASSIC || \
 				alg == KEY_RSA3072_SPHINCS_HARAKA_128F_ROBUST || \
@@ -31,7 +33,8 @@
 				alg == KEY_P256_DILITHIUM_2 || \
 				alg == KEY_P256_FALCON_512 || \
 				alg == KEY_P256_MQDSS_31_48 || \
-				alg == KEY_P256_PICNIC_L1UR || \
+				alg == KEY_P256_PICNIC_L1FS || \
+				alg == KEY_P256_PICNIC3_L1 || \
 				alg == KEY_P256_QTESLA_P_I || \
 				alg == KEY_P256_RAINBOW_IA_CLASSIC || \
 				alg == KEY_P256_SPHINCS_HARAKA_128F_ROBUST || \
@@ -49,7 +52,8 @@
 				(type) == KEY_DILITHIUM_2 || \
 				(type) == KEY_FALCON_512 || \
 				(type) == KEY_MQDSS_31_48 || \
-				(type) == KEY_PICNIC_L1UR || \
+				(type) == KEY_PICNIC_L1FS || \
+				(type) == KEY_PICNIC3_L1 || \
 				(type) == KEY_QTESLA_P_I || \
 				(type) == KEY_RAINBOW_IA_CLASSIC || \
 				(type) == KEY_RAINBOW_IIIC_CLASSIC || \
@@ -66,7 +70,8 @@
 	case KEY_DILITHIUM_2: \
 	case KEY_FALCON_512: \
 	case KEY_MQDSS_31_48: \
-	case KEY_PICNIC_L1UR: \
+	case KEY_PICNIC_L1FS: \
+	case KEY_PICNIC3_L1: \
 	case KEY_QTESLA_P_I: \
 	case KEY_RAINBOW_IA_CLASSIC: \
 	case KEY_RAINBOW_IIIC_CLASSIC: \
@@ -82,7 +87,8 @@
 	case KEY_RSA3072_DILITHIUM_2: \
 	case KEY_RSA3072_FALCON_512: \
 	case KEY_RSA3072_MQDSS_31_48: \
-	case KEY_RSA3072_PICNIC_L1UR: \
+	case KEY_RSA3072_PICNIC_L1FS: \
+	case KEY_RSA3072_PICNIC3_L1: \
 	case KEY_RSA3072_QTESLA_P_I: \
 	case KEY_RSA3072_RAINBOW_IA_CLASSIC: \
 	case KEY_RSA3072_SPHINCS_HARAKA_128F_ROBUST: \
@@ -94,7 +100,8 @@
 	case KEY_P256_DILITHIUM_2: \
 	case KEY_P256_FALCON_512: \
 	case KEY_P256_MQDSS_31_48: \
-	case KEY_P256_PICNIC_L1UR: \
+	case KEY_P256_PICNIC_L1FS: \
+	case KEY_P256_PICNIC3_L1: \
 	case KEY_P256_QTESLA_P_I: \
 	case KEY_P256_RAINBOW_IA_CLASSIC: \
 	case KEY_P256_SPHINCS_HARAKA_128F_ROBUST: \

pathnames.h

@@ -46,7 +46,8 @@
 #define _PATH_HOST_DILITHIUM_2_KEY_FILE SSHDIR "/ssh_host_dilithium2_key"
 #define _PATH_HOST_FALCON_512_KEY_FILE SSHDIR "/ssh_host_falcon512_key"
 #define _PATH_HOST_MQDSS_31_48_KEY_FILE SSHDIR "/ssh_host_mqdss3148_key"
-#define _PATH_HOST_PICNIC_L1UR_KEY_FILE SSHDIR "/ssh_host_picnicl1ur_key"
+#define _PATH_HOST_PICNIC_L1FS_KEY_FILE SSHDIR "/ssh_host_picnicl1fs_key"
+#define _PATH_HOST_PICNIC3_L1_KEY_FILE SSHDIR "/ssh_host_picnic3l1_key"
 #define _PATH_HOST_QTESLA_P_I_KEY_FILE SSHDIR "/ssh_host_qteslapi_key"
 #define _PATH_HOST_RAINBOW_IA_CLASSIC_KEY_FILE SSHDIR "/ssh_host_rainbowiaclassic_key"
 #define _PATH_HOST_RAINBOW_IIIC_CLASSIC_KEY_FILE SSHDIR "/ssh_host_rainbowiiicclassic_key"
@@ -62,8 +63,10 @@
 #define _PATH_HOST_P256_FALCON_512_KEY_FILE SSHDIR "/ssh_host_p256_falcon512_key"
 #define _PATH_HOST_RSA3072_MQDSS_31_48_KEY_FILE SSHDIR "/ssh_host_rsa3072_mqdss3148_key"
 #define _PATH_HOST_P256_MQDSS_31_48_KEY_FILE SSHDIR "/ssh_host_p256_mqdss3148_key"
-#define _PATH_HOST_RSA3072_PICNIC_L1UR_KEY_FILE SSHDIR "/ssh_host_rsa3072_picnicl1ur_key"
-#define _PATH_HOST_P256_PICNIC_L1UR_KEY_FILE SSHDIR "/ssh_host_p256_picnicl1ur_key"
+#define _PATH_HOST_RSA3072_PICNIC_L1FS_KEY_FILE SSHDIR "/ssh_host_rsa3072_picnicl1fs_key"
+#define _PATH_HOST_P256_PICNIC_L1FS_KEY_FILE SSHDIR "/ssh_host_p256_picnicl1fs_key"
+#define _PATH_HOST_RSA3072_PICNIC3_L1_KEY_FILE SSHDIR "/ssh_host_rsa3072_picnic3l1_key"
+#define _PATH_HOST_P256_PICNIC3_L1_KEY_FILE SSHDIR "/ssh_host_p256_picnic3l1_key"
 #define _PATH_HOST_RSA3072_QTESLA_P_I_KEY_FILE SSHDIR "/ssh_host_rsa3072_qteslapi_key"
 #define _PATH_HOST_P256_QTESLA_P_I_KEY_FILE SSHDIR "/ssh_host_p256_qteslapi_key"
 #define _PATH_HOST_RSA3072_RAINBOW_IA_CLASSIC_KEY_FILE SSHDIR "/ssh_host_rsa3072_rainbowiaclassic_key"
@@ -118,7 +121,8 @@
 #define _PATH_SSH_CLIENT_ID_DILITHIUM_2 _PATH_SSH_USER_DIR "/id_dilithium2"
 #define _PATH_SSH_CLIENT_ID_FALCON_512 _PATH_SSH_USER_DIR "/id_falcon512"
 #define _PATH_SSH_CLIENT_ID_MQDSS_31_48 _PATH_SSH_USER_DIR "/id_mqdss3148"
-#define _PATH_SSH_CLIENT_ID_PICNIC_L1UR _PATH_SSH_USER_DIR "/id_picnicl1ur"
+#define _PATH_SSH_CLIENT_ID_PICNIC_L1FS _PATH_SSH_USER_DIR "/id_picnicl1fs"
+#define _PATH_SSH_CLIENT_ID_PICNIC3_L1 _PATH_SSH_USER_DIR "/id_picnic3l1"
 #define _PATH_SSH_CLIENT_ID_QTESLA_P_I _PATH_SSH_USER_DIR "/id_qteslapi"
 #define _PATH_SSH_CLIENT_ID_RAINBOW_IA_CLASSIC _PATH_SSH_USER_DIR "/id_rainbowiaclassic"
 #define _PATH_SSH_CLIENT_ID_RAINBOW_IIIC_CLASSIC _PATH_SSH_USER_DIR "/id_rainbowiiicclassic"
@@ -134,8 +138,10 @@
 #define _PATH_SSH_CLIENT_ID_P256_FALCON_512 _PATH_SSH_USER_DIR "/id_p256_falcon512"
 #define _PATH_SSH_CLIENT_ID_RSA3072_MQDSS_31_48 _PATH_SSH_USER_DIR "/id_rsa3072_mqdss3148"
 #define _PATH_SSH_CLIENT_ID_P256_MQDSS_31_48 _PATH_SSH_USER_DIR "/id_p256_mqdss3148"
-#define _PATH_SSH_CLIENT_ID_RSA3072_PICNIC_L1UR _PATH_SSH_USER_DIR "/id_rsa3072_picnicl1ur"
-#define _PATH_SSH_CLIENT_ID_P256_PICNIC_L1UR _PATH_SSH_USER_DIR "/id_p256_picnicl1ur"
+#define _PATH_SSH_CLIENT_ID_RSA3072_PICNIC_L1FS _PATH_SSH_USER_DIR "/id_rsa3072_picnicl1fs"
+#define _PATH_SSH_CLIENT_ID_P256_PICNIC_L1FS _PATH_SSH_USER_DIR "/id_p256_picnicl1fs"
+#define _PATH_SSH_CLIENT_ID_RSA3072_PICNIC3_L1 _PATH_SSH_USER_DIR "/id_rsa3072_picnic3l1"
+#define _PATH_SSH_CLIENT_ID_P256_PICNIC3_L1 _PATH_SSH_USER_DIR "/id_p256_picnic3l1"
 #define _PATH_SSH_CLIENT_ID_RSA3072_QTESLA_P_I _PATH_SSH_USER_DIR "/id_rsa3072_qteslapi"
 #define _PATH_SSH_CLIENT_ID_P256_QTESLA_P_I _PATH_SSH_USER_DIR "/id_p256_qteslapi"
 #define _PATH_SSH_CLIENT_ID_RSA3072_RAINBOW_IA_CLASSIC _PATH_SSH_USER_DIR "/id_rsa3072_rainbowiaclassic"

readconf.c

@@ -2032,7 +2032,8 @@ fill_default_options(Options * options)
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DILITHIUM_2, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_FALCON_512, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_MQDSS_31_48, 0);
-		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_PICNIC_L1UR, 0);
+		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_PICNIC_L1FS, 0);
+		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_PICNIC3_L1, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_QTESLA_P_I, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RAINBOW_IA_CLASSIC, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RAINBOW_IIIC_CLASSIC, 0);
@@ -2052,8 +2053,10 @@ fill_default_options(Options * options)
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_P256_FALCON_512, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA3072_MQDSS_31_48, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_P256_MQDSS_31_48, 0);
-		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA3072_PICNIC_L1UR, 0);
-		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_P256_PICNIC_L1UR, 0);
+		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA3072_PICNIC_L1FS, 0);
+		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_P256_PICNIC_L1FS, 0);
+		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA3072_PICNIC3_L1, 0);
+		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_P256_PICNIC3_L1, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA3072_QTESLA_P_I, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_P256_QTESLA_P_I, 0);
 		add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA3072_RAINBOW_IA_CLASSIC, 0);

servconf.c

@@ -290,7 +290,9 @@ fill_default_server_options(ServerOptions *options)
 		servconf_add_hostkey("[default]", 0, options,
 		    _PATH_HOST_MQDSS_31_48_KEY_FILE);
 		servconf_add_hostkey("[default]", 0, options,
-		    _PATH_HOST_PICNIC_L1UR_KEY_FILE);
+		    _PATH_HOST_PICNIC_L1FS_KEY_FILE);
+		servconf_add_hostkey("[default]", 0, options,
+		    _PATH_HOST_PICNIC3_L1_KEY_FILE);
 		servconf_add_hostkey("[default]", 0, options,
 		    _PATH_HOST_QTESLA_P_I_KEY_FILE);
 		servconf_add_hostkey("[default]", 0, options,
@@ -326,9 +328,13 @@ fill_default_server_options(ServerOptions *options)
 		servconf_add_hostkey("[default]", 0, options,
 		    _PATH_HOST_P256_MQDSS_31_48_KEY_FILE);
 		servconf_add_hostkey("[default]", 0, options,
-		    _PATH_HOST_RSA3072_PICNIC_L1UR_KEY_FILE);
+		    _PATH_HOST_RSA3072_PICNIC_L1FS_KEY_FILE);
+		servconf_add_hostkey("[default]", 0, options,
+		    _PATH_HOST_P256_PICNIC_L1FS_KEY_FILE);
+		servconf_add_hostkey("[default]", 0, options,
+		    _PATH_HOST_RSA3072_PICNIC3_L1_KEY_FILE);
 		servconf_add_hostkey("[default]", 0, options,
-		    _PATH_HOST_P256_PICNIC_L1UR_KEY_FILE);
+		    _PATH_HOST_P256_PICNIC3_L1_KEY_FILE);
 		servconf_add_hostkey("[default]", 0, options,
 		    _PATH_HOST_RSA3072_QTESLA_P_I_KEY_FILE);
 		servconf_add_hostkey("[default]", 0, options,

ssh-add.c

@@ -85,7 +85,8 @@ static char *default_files[] = {
 	_PATH_SSH_CLIENT_ID_DILITHIUM_2,
 	_PATH_SSH_CLIENT_ID_FALCON_512,
 	_PATH_SSH_CLIENT_ID_MQDSS_31_48,
-	_PATH_SSH_CLIENT_ID_PICNIC_L1UR,
+	_PATH_SSH_CLIENT_ID_PICNIC_L1FS,
+	_PATH_SSH_CLIENT_ID_PICNIC3_L1,
 	_PATH_SSH_CLIENT_ID_QTESLA_P_I,
 	_PATH_SSH_CLIENT_ID_RAINBOW_IA_CLASSIC,
 	_PATH_SSH_CLIENT_ID_RAINBOW_IIIC_CLASSIC,
@@ -105,8 +106,10 @@ static char *default_files[] = {
 	_PATH_SSH_CLIENT_ID_P256_FALCON_512,
 	_PATH_SSH_CLIENT_ID_RSA3072_MQDSS_31_48,
 	_PATH_SSH_CLIENT_ID_P256_MQDSS_31_48,
-	_PATH_SSH_CLIENT_ID_RSA3072_PICNIC_L1UR,
-	_PATH_SSH_CLIENT_ID_P256_PICNIC_L1UR,
+	_PATH_SSH_CLIENT_ID_RSA3072_PICNIC_L1FS,
+	_PATH_SSH_CLIENT_ID_P256_PICNIC_L1FS,
+	_PATH_SSH_CLIENT_ID_RSA3072_PICNIC3_L1,
+	_PATH_SSH_CLIENT_ID_P256_PICNIC3_L1,
 	_PATH_SSH_CLIENT_ID_RSA3072_QTESLA_P_I,
 	_PATH_SSH_CLIENT_ID_P256_QTESLA_P_I,
 	_PATH_SSH_CLIENT_ID_RSA3072_RAINBOW_IA_CLASSIC,

ssh-keygen.c

@@ -319,8 +319,11 @@ ask_filename(struct passwd *pw, const char *prompt)
 		case KEY_MQDSS_31_48:
 			name = _PATH_SSH_CLIENT_ID_MQDSS_31_48;
 			break;
-		case KEY_PICNIC_L1UR:
-			name = _PATH_SSH_CLIENT_ID_PICNIC_L1UR;
+		case KEY_PICNIC_L1FS:
+			name = _PATH_SSH_CLIENT_ID_PICNIC_L1FS;
+			break;
+		case KEY_PICNIC3_L1:
+			name = _PATH_SSH_CLIENT_ID_PICNIC3_L1;
 			break;
 		case KEY_QTESLA_P_I:
 			name = _PATH_SSH_CLIENT_ID_QTESLA_P_I;
@@ -1082,7 +1085,8 @@ do_gen_all_hostkeys(struct passwd *pw)
 		{ "dilithium2", "DILITHIUM_2", _PATH_HOST_DILITHIUM_2_KEY_FILE },
 		{ "falcon512", "FALCON_512", _PATH_HOST_FALCON_512_KEY_FILE },
 		{ "mqdss3148", "MQDSS_31_48", _PATH_HOST_MQDSS_31_48_KEY_FILE },
-		{ "picnicl1ur", "PICNIC_L1UR", _PATH_HOST_PICNIC_L1UR_KEY_FILE },
+		{ "picnicl1fs", "PICNIC_L1FS", _PATH_HOST_PICNIC_L1FS_KEY_FILE },
+		{ "picnic3l1", "PICNIC3_L1", _PATH_HOST_PICNIC3_L1_KEY_FILE },
 		{ "qteslapi", "QTESLA_P_I", _PATH_HOST_QTESLA_P_I_KEY_FILE },
 		{ "rainbowiaclassic", "RAINBOW_IA_CLASSIC", _PATH_HOST_RAINBOW_IA_CLASSIC_KEY_FILE },
 		{ "rainbowiiicclassic", "RAINBOW_IIIC_CLASSIC", _PATH_HOST_RAINBOW_IIIC_CLASSIC_KEY_FILE },
@@ -1099,7 +1103,8 @@ do_gen_all_hostkeys(struct passwd *pw)
 		{ "rsa3072_dilithium2", "RSA3072_DILITHIUM_2", _PATH_HOST_RSA3072_DILITHIUM_2_KEY_FILE },
 		{ "rsa3072_falcon512", "RSA3072_FALCON_512", _PATH_HOST_RSA3072_FALCON_512_KEY_FILE },
 		{ "rsa3072_mqdss3148", "RSA3072_MQDSS_31_48", _PATH_HOST_RSA3072_MQDSS_31_48_KEY_FILE },
-		{ "rsa3072_picnicl1ur", "RSA3072_PICNIC_L1UR", _PATH_HOST_RSA3072_PICNIC_L1UR_KEY_FILE },
+		{ "rsa3072_picnicl1fs", "RSA3072_PICNIC_L1FS", _PATH_HOST_RSA3072_PICNIC_L1FS_KEY_FILE },
+		{ "rsa3072_picnic3l1", "RSA3072_PICNIC3_L1", _PATH_HOST_RSA3072_PICNIC3_L1_KEY_FILE },
 		{ "rsa3072_qteslapi", "RSA3072_QTESLA_P_I", _PATH_HOST_RSA3072_QTESLA_P_I_KEY_FILE },
 		{ "rsa3072_rainbowiaclassic", "RSA3072_RAINBOW_IA_CLASSIC", _PATH_HOST_RSA3072_RAINBOW_IA_CLASSIC_KEY_FILE },
 		{ "rsa3072_sphincsharaka128frobust", "RSA3072_SPHINCS_HARAKA_128F_ROBUST", _PATH_HOST_RSA3072_SPHINCS_HARAKA_128F_ROBUST_KEY_FILE },
@@ -1110,7 +1115,8 @@ do_gen_all_hostkeys(struct passwd *pw)
 		{ "p256_dilithium2", "P256_DILITHIUM_2", _PATH_HOST_P256_DILITHIUM_2_KEY_FILE },
 		{ "p256_falcon512", "P256_FALCON_512", _PATH_HOST_P256_FALCON_512_KEY_FILE },
 		{ "p256_mqdss3148", "P256_MQDSS_31_48", _PATH_HOST_P256_MQDSS_31_48_KEY_FILE },
-		{ "p256_picnicl1ur", "P256_PICNIC_L1UR", _PATH_HOST_P256_PICNIC_L1UR_KEY_FILE },
+		{ "p256_picnicl1fs", "P256_PICNIC_L1FS", _PATH_HOST_P256_PICNIC_L1FS_KEY_FILE },
+		{ "p256_picnic3l1", "P256_PICNIC3_L1", _PATH_HOST_P256_PICNIC3_L1_KEY_FILE },
 		{ "p256_qteslapi", "P256_QTESLA_P_I", _PATH_HOST_P256_QTESLA_P_I_KEY_FILE },
 		{ "p256_rainbowiaclassic", "P256_RAINBOW_IA_CLASSIC", _PATH_HOST_P256_RAINBOW_IA_CLASSIC_KEY_FILE },
 		{ "p384_rainbowiiicclassic", "P384_RAINBOW_IIIC_CLASSIC", _PATH_HOST_P384_RAINBOW_IIIC_CLASSIC_KEY_FILE },
@@ -2890,7 +2896,9 @@ main(int argc, char **argv)
 			n += do_print_resource_record(pw,
                  _PATH_HOST_MQDSS_31_48_KEY_FILE, rr_hostname);
 			n += do_print_resource_record(pw,
-                 _PATH_HOST_PICNIC_L1UR_KEY_FILE, rr_hostname);
+                 _PATH_HOST_PICNIC_L1FS_KEY_FILE, rr_hostname);
+			n += do_print_resource_record(pw,
+                 _PATH_HOST_PICNIC3_L1_KEY_FILE, rr_hostname);
 			n += do_print_resource_record(pw,
                  _PATH_HOST_QTESLA_P_I_KEY_FILE, rr_hostname);
 			n += do_print_resource_record(pw,