*Dedicated to the memory of Robert J. McEliece, 1942–2019*

The first code-based public-key cryptosystem was introduced in 1978 by McEliece. The public key specifies a random binary Goppa code. A ciphertext is a codeword plus random errors. The private key allows efficient decoding: extracting the codeword from the ciphertext, identifying and removing the errors.

The McEliece system was designed to be one-way (OW-CPA),
meaning that
an attacker cannot efficiently find the codeword
from a ciphertext and public key,
when the codeword is chosen randomly.
The security level of the McEliece system
has remained remarkably stable,
despite dozens of attack papers over 40 years.
The original McEliece parameters
were designed for only 2^{64} security,
but the system easily scales up to "overkill" parameters
that provide ample security margin
against advances in computer technology,
including quantum computers.

The McEliece system has prompted a tremendous amount of followup work. Some of this work improves efficiency while clearly preserving security: this includes a "dual" PKE proposed by Niederreiter, software speedups, and hardware speedups.

Furthermore, it is now well known how to efficiently convert an OW-CPA PKE into a KEM that is IND-CCA2 secure against all ROM attacks. This conversion is tight, preserving the security level, under two assumptions that are satisfied by the McEliece PKE: first, the PKE is deterministic (i.e., decryption recovers all randomness that was used); second, the PKE has no decryption failures for valid ciphertexts. Even better, recent work achieves similar tightness for a broader class of attacks, namely QROM attacks. The risk that a hash-function-specific attack could be faster than a ROM or QROM attack is addressed by the standard practice of selecting a well-studied, high-security, "unstructured" hash function.

**Classic McEliece** brings all of this together.
It is a KEM designed for
IND-CCA2 security at a very high security level,
even against quantum computers.
The KEM is built conservatively
from a PKE designed for OW-CPA security,
namely Niederreiter's dual version
of McEliece's PKE using binary Goppa codes.
Every level of the construction is designed
so that future cryptographic auditors
can be confident in the long-term security
of post-quantum public-key encryption.

**Version:**This is version 2022.10.23 of the "Intro" web page.