 Hi, I'm Andre and this is a teaser talk for our work partial key exposure attacks on bike rainbow and and true and Should motivate you to go to the talk at the main event and it is joint work with alexander maye have ever bell and wait I'm right So in this work we investigated the question if post quantum candidates are leakage resistant So what does this mean in an informal sense if you have an n-bit key and a bit of this key get leaked Then we say a system is leakage resistant if it offers the security of an n-l bit key Which is somehow the best one can hope for and we know from classical schemes like for example RSA that this is not the case so why do we ask this question for about post quantum candidates because the best known attacks are enumeration based meaning they Enumerates the missing key bits and therefore strongly support this leakage resistance belief So they do not exploit any key redundancy key structure or public private key relations and in this work we give new attacks that actually heavily exploits those things and Using our attacks we give new bounds on the required leakage for full key recovery so give me a let me give a brief explanation of the methodology we used So first we we model the leakage so from a theoretical point of view How does the leakage that we obtain via some arbitrary side channel look like so here we define two to three different models and Just said you can relate to something. Let me let me introduce one of these models which we call the erasure model so we model the secret key always as a chunk of n bits and Then you obtain in the erasure model you obtain an erased version of this key so some of the bits got erased here illustrated by the covered areas with question marks and You see the value of those bits is not known however, the green parts are known and the positions also and it's guaranteed that those are correct and Yeah, then then given this erased key we asked Two different research questions. So the first one is about asymptotic leakage bounds It means basically we are asking how many erasures so how many erased bits how many question marks can we tolerate so that we can still recover all of them in polynomial time and Here for example in the in the entry case we find that up to Cube root of the length of this vector many erased bits can still be recovered in polynomial time And then we asked a more practical question a more practical question where we ask to how big Or how many erased bits can we tolerate if we want to recover the secret key In time less than some threshold this threshold might for example be two to the 60 bit operations And then we find in the entry case And also in other cases that we can tolerate way higher Eurasias and Here for example in the entry case we find that 30% of erasures can still be recovered using less than 2060 operations Overall we we find we we give such non-trivial polynomial time key recovery attacks for all considered schemes meaning rainbow bike and and true and For all of them we find or we give even higher practical bounds that stay below some threshold where we consider different bit complexities and Overall our results are comparable to non post quantum systems like the results known for RSA So that we can safely conclude that post quantum candidates do not per se enjoy leakage resistance and if you're interested in how we obtain our results and In of course all our results on bike rainbow and and true Then please attend our main talk in the lot a lemon hall on the 17th of August in the session starting at 10 a.m Thank you very much