So you may think the Falcon is fast and sexy, right? But if it speeds around for a little too long, you may be able to catch it with good timing and a lot of firepower.

So Falcon, for those who are familiar with it, is a promising round-two NIST candidate for lattice-based signatures. It's a hash-and-sign scheme, which means that you sign by sampling from some lattice discrete Gaussian centered at a point determined by the message. Basically, to express it as a formula, it's GPV, the original lattice-based hash-and-sign signatures, together with an NTRU key and some fancy technique to speed it up and make the sampling quasi-linear. So it's a successor of some older scheme called DLP, which was basically Falcon minus this fancy stuff.

It turns out that in both schemes, Falcon and DLP, the lattice Gaussian sampling is carried out with something called the Klein sampler. This means that you reduce lattice Gaussian sampling to some one-dimensional samplings, and the standard deviation of those one-dimensional Gaussians is determined by the Gram-Schmidt norms of the secret key. So there's a timing leakage, which is that the dimension-one sampler leaks those GS norms through timing information, namely the number of repetitions that you carry out for your one-dimensional discrete Gaussians.

So there's an attack here. You start from the Gram-Schmidt norms, and there's some interesting math here to get back to some polynomial, which we call the Gram-Schmidt polynomial, where f and g here are the elements of the secret key, and after that it's easy enough to get to the secret key. So the second step is kind of easy: it's poly-time, and it's basically the Gentry-Szydlo algorithm. The first step is kind of the main contribution; it's poly-time for DLP and quasi-poly-time for Falcon. And so it works.

These are the timings for exact values of the GS norms, but if you have approximate values, then you can combine it with some research to make it work even with approximate values. So we ran that attack last week. We generated something like 2^38.5 DLP signatures, and from that you easily extract approximations of the GS norms up to an error of 2^-7 or something like this. Step one gives you this GS polynomial (you probably can't see it, but anyway), and step two gives you the secret key. Computationally it's quite easy: step one takes something like three minutes; step two takes a bit longer, but it's Gentry-Szydlo, so it's well known. And of course you need quite a bit of signatures, but it's feasible.

So the conclusion is that the leakage of the Gram-Schmidt norms is quite dangerous. Against Falcon it's quasi-polynomial, so it's kind of theoretical, but at least for DLP it's very concrete. And actually, there's an updated implementation of Falcon that kind of patches this leakage, but it's really important to apply the countermeasure for security. Thank you very much.
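As an added illustration of the timing leak the talk describes (not code from the talk, nor from Falcon or DLP): a toy one-dimensional sampler modelled on the rejection-based Falcon/DLP approach, proposing z from a base half-Gaussian of assumed width sigma0 = 2 and accepting with probability rho_{sigma,c}(z)/rho_{sigma0}(z0). The function names and the estimator are assumptions of this example; it shows that the mean iteration count alone recovers sigma, which is why a sampler's running time must not depend on the Gram-Schmidt norms.

```python
import math
import random

SIGMA0 = 2.0  # assumed base half-Gaussian width for this toy sampler

def rho(x, sigma, c=0.0):
    """Unnormalised Gaussian weight exp(-(x-c)^2 / (2 sigma^2))."""
    return math.exp(-((x - c) ** 2) / (2.0 * sigma * sigma))

def half_gaussian_table(sigma0, cutoff=12):
    """Cumulative table of the base half-Gaussian on 0..cutoff, plus its mass S0."""
    weights = [rho(z, sigma0) for z in range(cutoff + 1)]
    total = sum(weights)
    cdf, acc = [], 0.0
    for w in weights:
        acc += w / total
        cdf.append(acc)
    cdf[-1] = 1.0  # guard against floating-point rounding below 1
    return cdf, total

CDF0, S0 = half_gaussian_table(SIGMA0)

def sample_z(sigma, c, rng):
    """Sample z ~ D_{Z,sigma,c} by rejection; returns (z, iterations).
    The iteration count is exactly what a timing side channel observes."""
    assert sigma <= SIGMA0  # the acceptance ratio must stay <= 1
    iters = 0
    while True:
        iters += 1
        u = rng.random()
        z0 = next(i for i, p in enumerate(CDF0) if u < p)  # base sample >= 0
        b = rng.getrandbits(1)
        z = b + (2 * b - 1) * z0  # map to Z: z = z0 + 1 or z = -z0
        if rng.random() < rho(z, sigma, c) / rho(z0, SIGMA0):
            return z, iters

def estimate_sigma(mean_iters):
    """Invert E[iterations] ~= 2*S0 / (sqrt(2*pi)*sigma) to recover sigma."""
    return 2.0 * S0 / (math.sqrt(2.0 * math.pi) * mean_iters)

def simulate(sigma, n=20000, seed=1):
    """Draw n samples with random centers; return (mean iterations, sigma estimate)."""
    rng = random.Random(seed)
    total = sum(sample_z(sigma, rng.random(), rng)[1] for _ in range(n))
    mean_iters = total / n
    return mean_iters, estimate_sigma(mean_iters)
```

A narrower target Gaussian (smaller sigma, i.e. a smaller Gram-Schmidt norm) is rejected more often, so the timing alone separates the two widths.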