> We agree that our bit security estimates might not precisely capture
> the difficulty of these challenges.

My concern here is not with the level of precision. My concern is with
new strawman security estimates being incorrectly labeled as being part
of the security foundation of the McEliece system.

If these new estimates are (unsurprisingly) broken by the techniques
that I cited, then the "security foundation"/"McEliece"/... labeling
will make people believe, incorrectly, that the break is a problem for
the McEliece system. The labeling should be fixed.

The new FAQ entry exacerbates this problem by indicating, incorrectly,
that these challenges are simply the result of "down-scaling" normal
parameter selection to reach "approachable" sizes. This was already
suggested by the "reduced-size" terminology but is now more explicit.

As a concrete example, describing the challenge

   {"n": 1008, "k": 898, "t": 11, "m": 10, "bitcomplexity": 252.052342314491}

as the result of "down-scaling" makes people think, incorrectly, that
this 2^252 is the result of scaling down security estimates that the
literature gives for cryptographic sizes.

Even if the "bitcomplexity" number is ignored, the "t" is surprisingly
small. One consequence is that the rate k/n = 898/1008 is very close to
the 92% cutoff for the
https://eprint.iacr.org/2010/331 distinguisher.
It's well known that a feasible search will change the numbers a bit so
such cutoffs shouldn't be treated as sharp edges.

I'm not saying distinguishers necessarily turn into attacks. The point
is that this parameter set is not following normal parameter-selection
procedures. Normal parameter selection uses rates between 70% and 80%,
with much larger values of t than this challenge, many more choices for
the secret Goppa polynomial, and a much larger security margin against
key recovery.

For example, the smallest selected Classic McEliece parameter set has
(n,k,t) = (3488,2720,64), with rate 78%. The recommended 6688 and 6960
parameter sets have rates 75% and 78% respectively. The reasonably
scaled parameter set in
https://decodingchallenge.org/goppa/record/26
has (n,k,t) = (1347,1072,25), with rate 80%.
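
Added example, not part of the original message: a Python sketch that recomputes, for the three (n,k,t) triples quoted above, the field degree m, the rate k/n with its distance from the 92% cutoff, and log2 of the number of candidate Goppa polynomials. It assumes k = n - m*t and a monic irreducible Goppa polynomial of degree t over GF(2^m); the function and variable names are made up for this illustration.

```python
from math import log2

def mobius(d):
    """Moebius function by trial division (fine for small t)."""
    result, p = 1, 2
    while p * p <= d:
        if d % p == 0:
            d //= p
            if d % p == 0:      # squared prime factor
                return 0
            result = -result
        p += 1
    return -result if d > 1 else result

def count_irreducible(m, t):
    """Exact number of monic irreducible degree-t polynomials over GF(2^m)."""
    total = sum(mobius(d) * 2 ** (m * t // d)
                for d in range(1, t + 1) if t % d == 0)
    return total // t

def profile(n, k, t, cutoff=0.92):
    """Derive m, rate and log2(#Goppa polynomial candidates) from (n, k, t).

    Assumptions: k = n - m*t, and the Goppa polynomial is monic irreducible
    of degree t. cutoff is the 92% figure quoted in the message.
    """
    m, rem = divmod(n - k, t)
    if rem or 2 ** m < n:
        raise ValueError("(n, k, t) inconsistent with k = n - m*t, n <= 2^m")
    rate = k / n
    return {"m": m, "rate": rate, "gap_to_cutoff": cutoff - rate,
            "log2_polys": log2(count_irreducible(m, t))}

# The three (n, k, t) triples quoted in the message.
PARAMS = {
    "challenge (1008,898,11)": (1008, 898, 11),
    "Classic McEliece smallest": (3488, 2720, 64),
    "decodingchallenge record 26": (1347, 1072, 25),
}

if __name__ == "__main__":
    for name, (n, k, t) in PARAMS.items():
        p = profile(n, k, t)
        print(f"{name:28s} m={p['m']:2d} t={t:3d} rate={p['rate']:.1%} "
              f"gap to 92%={p['gap_to_cutoff']:+.1%} "
              f"log2(#g)~{p['log2_polys']:.1f}")
```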