>- The costs claimed in [16] are 2529 for the smallest proposed Classic McEliece param- eters. This is much more expensive than a brute-force search through 256-bit seeds, and much more expensive than ISD.

>- The costs are for an algorithm that is merely distinguishing public keys from random, not attacking OW-CPA. The indistinguishability assumption targeted in [16] is not used in the Classic McEliece security analysis; it is even explicitly disclaimed by the Classic McEliece security analysis.

> [16] incorrectly suggests that it (1) attacks a problem that Classic McEliece relies upon and (2) is faster than the best previous attacks against Classic McEliece. We promptly responded when [16] appeared, but no errata were issued. Some third parties are now citing [16] as supposedly significant attack progress.

[16] Hugues Randriambololona. The syzygy distinguisher, 2024. URL: https://eprint. iacr.org/archive/2024/1193/1722424045.p