I. Introduction
The binary syndrome decoding problem (SDP) is a foundational problem of code-based cryptosystems. Its NP-hardness was proven in 1978 [1] and is the basis of various cryptographic constructs like the Niederreiter public-key cryptosystem [2], the FSB hash function [3], the SYND stream cipher [4], the Stern identification scheme [5] or a pseudo-random number generator [6]. It is also the basis of several Key Encapsulation Mechanisms submitted to the NIST post-quantum cryptography standardisation process, like BIKE [7] or Classic McEliece [8]. The latter has been selected as a finalist for the third round, as announced on July 2020. It instantiates the Niederreiter cryptosystem [2] with binary Goppa codes, which is the dual of the McEliece cryptosystem [9]. The parameters of the cryptosystem are set with respect to the complexity of the best information-set decoding (ISD) attack strategy [10], [11], [12], [13], [14], which is the best known general attack path against code-based cryptosystems. As the scheme started to gain scientific confidence, sustained efforts were directed towards the practical side, i.e., implementations [15], [16], [17], [18], [19], [20], [21], [22], [23] as well as physical attacks, both side-channel [24] and fault injection attacks [25], [26], [27].