The microblog: 2022.06.02 17:02:50

2022.06.02 17:02:50 (1532377205501661184) from Daniel J. Bernstein:

Eurocrypt talk today on presented cryptosystems using lattices secretly isometric to a public easy-to-decode lattice, and portrayed this as analogous to McEliece using codes secretly isometric to a public easy-to-decode code. That's not what McEliece does!

2022.06.02 17:13:49 (1532379967782236162) from Daniel J. Bernstein:

Beyond isometry, there are many ways to hide codes; see for a survey. McEliece takes a secret scaling (from the secret polynomial g), plus a subfield subcode (the scaling isn't an isometry on the resulting code), plus a permutation (the isometry part).

2022.06.02 17:23:39 (1532382444812308480) from Daniel J. Bernstein:

This is important because if McEliece relied _just_ on the secret isometry (the permutation) then it would be broken by Sendrier's 2000 support-splitting algorithm. Now a new proposal relies purely on secret isometries, misrepresents McEliece, and downplays Sendrier? Alarm bells!

2022.06.02 17:35:17 (1532385372591644674) from Daniel J. Bernstein:

Meanwhile the trend in code-based cryptography is to add _more_ defenses against potential attacks. For example, Classic McEliece describes secret puncturing, taking the code length n below a power of 2, as an "extra defense", and uses this for most proposed parameter sets.

2022.06.02 17:58:49 (1532391295246737410) from Daniel J. Bernstein:

Secret puncturing can't hurt security. The 2012 challenge to break a secretly punctured secretly permuted symmetric public code (BCH) is designed to shed light on whether secret puncturing helps security. Secret puncturing is then layered _on top_ of McEliece's original defenses.