2022.06.02 17:02:50 (1532377205501661184) from Daniel J. Bernstein:
Eurocrypt talk today on https://eprint.iacr.org/2021/1332 presented cryptosystems using lattices secretly isometric to a public easy-to-decode lattice, and portrayed this as analogous to McEliece using codes secretly isometric to a public easy-to-decode code. That's not what McEliece does!
2022.06.02 17:13:49 (1532379967782236162) from Daniel J. Bernstein:
Beyond isometry, there are many ways to hide codes; see https://cr.yp.to/talks.html#2012.09.24 for a survey. McEliece takes a secret scaling (from the secret polynomial g), plus a subfield subcode (the scaling isn't an isometry on the resulting code), plus a permutation (the isometry part).
2022.06.02 17:23:39 (1532382444812308480) from Daniel J. Bernstein:
This is important because if McEliece relied _just_ on the secret isometry (the permutation) then it would be broken by Sendrier's 2000 support-splitting algorithm. Now a new proposal relies purely on secret isometries, misrepresents McEliece, and downplays Sendrier? Alarm bells!
2022.06.02 17:35:17 (1532385372591644674) from Daniel J. Bernstein:
Meanwhile the trend in code-based cryptography is to add _more_ defenses against potential attacks. For example, Classic McEliece describes secret puncturing, taking the code length n below a power of 2, as an "extra defense", and uses this for most proposed parameter sets.
2022.06.02 17:58:49 (1532391295246737410) from Daniel J. Bernstein:
Secret puncturing can't hurt security. The 2012 challenge to break a secretly punctured secretly permuted symmetric public code (BCH) is designed to shed light on whether secret puncturing helps security. Secret puncturing is then layered _on top_ of McEliece's original defenses.