Section: New Results
Filtration Attacks against McEliece Cryptosystem
The McEliece encryption scheme based on binary Goppa codes was one of the first publickey encryption schemes [39] . Its security rests on the difficulty of decoding an arbitrary code. The original proposal uses classical Goppa codes, and while it still remains unbroken, it requires a huge size of key. On the other hand, many derivative systems based on other families of algebraic codes have been subject to key recovery attacks. Up to now, key recovery attacks were based either on a variant of Sidelnikov and Shestakov's attack [40] , where the first step involves the computation of minimumweight codewords, or on the resolution of a system of polynomial equations using Gröbner bases.
In [10] , A. Couvreur, P. Gaborit, V. Gauthier, A. Otmani and J.P. Tillich introduced a new paradigm of attack called filtration attacks. The general principle decomposes in two steps:

Distinguishing the public code from a random one using the square code operation.

Computing a filtration of the public code using the distinguisher, and deriving from this filtration an efficient decoding algorithm for the public code.
This new style of attack allowed A. Couvreur, A. Otmani and J.P. Tillich to break (in polynomial time) McEliece based on wild Goppa codes over quadratic extensions [23] ; and A. Couvreur, I. MárquezCorbella, and R. Pellikaan to break McEliece based on algebraic geometry codes from curves of arbitrary genus [22] , [26] .