Syndrome decoding of linear codes (when considered as a decision problem) is an NP-complete problem if the number of errors is not bounded. However, there are classes of linear codes which have very fast decoding algorithms. The basic idea of the McEliece system is to take one of these linear codes and disguise it so that Oscar, when trying to decrypt a message, is forced to use syndrome decoding, while Bob, who set up the system, can remove the disguise and use the fast decoding algorithm. McEliece suggested using **Goppa Codes**, which are linear codes with a fast decoding algorithm, in the system, but any linear code with a good decoding algorithm can be used.

Oscar, upon intercepting this message, would have to find the nearest codeword to y of the code generated by G'. This would involve calculating the syndrome of y and comparing it to the syndromes of all the error vectors of weight t. As there are n choose t of these error vectors, good choices of n and t will make this computation infeasible. Bob, on the other hand, would calculate

For McEleice's Goppa Code example, n = 1024 and t = 50 which gives Oscar more than 10^{80} syndromes to calculate.

1 0 0 0 1 1 0 G = 0 1 0 0 1 0 1 0 0 1 0 0 1 1 0 0 0 1 1 1 1and Bob chooses the scrambler matrix

1 1 0 1 S = 1 0 0 1 0 1 1 1 1 1 0 0and the permutation matrix

0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 P = 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0Bob makes public the generator matrix

1 1 1 1 0 0 0 G' = SGP = 1 1 0 0 1 0 0 1 0 0 1 1 0 1 0 1 0 1 1 1 0If Alice wishes to send the message x = (1 1 0 1) to Bob, she first constructs a weight 1 error vector, say e = (0 0 0 0 1 0 0) and computes

= (0 1 1 0 0 1 0) + (0 0 0 0 1 0 0)

= (0 1 1 0 1 1 0)

Upon receiving y, Bob first computes y' = yP^{-1}, where

0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 Pobtaining y' = (1 0 0 0 1 1 1). Now Bob decodes y' by the fast decoding algorithm (Hamming decoding in this example). The syndrome of y' is (1 1 1 0)^{-1}= 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 1 0 0 0 0

1 1 0 1 Sobtaining x = (1 0 0 0)S^{-1}= 1 1 0 0 0 1 1 1 1 0 0 1

- The size of the public key (G') is quite large. Using the Goppa code with parameters suggested by McEliece, the public key would consist of 2
^{19}bits. This will certainly cause implementation problems. - The encrypted message is much longer than the plaintext message. This increase of the bandwidth makes the system more prone to transmission errors.
- The cryptosystem can not be used for authentication or signature schemes because the encryption algorithm is not one-to-one and the total algorithm is truly asymmetric (encryption and decryption do not commute).

For each irreducible polynomial of degree **t** over GF(2^{m}) there corresponds a binary, irreducible Goppa Code of length n = 2m, dimension k n-tm and minimum distance d 2t+1. A fast decoding algorithm, with running time nt, exists. Goppa Codes are easily set up once the irreducible polynomial is found. This is not difficult since there are about 2^{mt}/t irreducible polynomials of degree t over GF(2^{m}). So, a random polynomial of degree t over GF(2^{m}) will be irreducible with probability 1/t. Since there is a fast algorithm for testing irreduciblity, one can find one quickly by simply guessing and testing.