>- The costs claimed in [16] are 2529 for the smallest proposed Classic McEliece param-
eters. This is much more expensive than a brute-force search through 256-bit seeds,
and much more expensive than ISD.
>- The costs are for an algorithm that is merely distinguishing public keys from random,
not attacking OW-CPA. The indistinguishability assumption targeted in [16] is not
used in the Classic McEliece security analysis; it is even explicitly disclaimed by the
Classic McEliece security analysis.
> [16] incorrectly suggests that it (1) attacks a problem that Classic McEliece relies upon and (2) is faster
than the best previous attacks against Classic McEliece. We promptly responded when [16]
appeared, but no errata were issued. Some third parties are now citing [16] as supposedly
significant attack progress.
[16] Hugues Randriambololona. The syzygy distinguisher, 2024. URL: https://eprint.
iacr.org/archive/2024/1193/1722424045.p
>- The costs are for an algorithm that is merely distinguishing public keys from random, not attacking OW-CPA. The indistinguishability assumption targeted in [16] is not used in the Classic McEliece security analysis; it is even explicitly disclaimed by the Classic McEliece security analysis.
> [16] incorrectly suggests that it (1) attacks a problem that Classic McEliece relies upon and (2) is faster than the best previous attacks against Classic McEliece. We promptly responded when [16] appeared, but no errata were issued. Some third parties are now citing [16] as supposedly significant attack progress.
[16] Hugues Randriambololona. The syzygy distinguisher, 2024. URL: https://eprint. iacr.org/archive/2024/1193/1722424045.p
reply