
LESS-FM: Fine-Tuning Signatures from the Code Equivalence Problem

Conference paper. Post-Quantum Cryptography (PQCrypto 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12841)

Abstract

Code-based cryptographic schemes are highly regarded among the quantum-safe alternatives to current standards. Yet, designing code-based signatures using traditional methods has always been a challenging task, and current proposals are still far from the target set by other post-quantum primitives (e.g. lattice-based). In this paper, we revisit a recent work using an innovative approach for signing, based on the hardness of the code equivalence problem. We introduce some optimizations and provide a security analysis for all variants considered. We then show that the new parameters produce instances of practical interest.

J.-F. Biasse is supported by NIST grant 60NANB17D184 and NSF grant 183980. Edoardo Persichetti is supported by NSF grant 1906360.


Notes

  1. For example the original scheme did not use public keys in systematic form.

  2. If two monomials \(\boldsymbol{Q}\) and \(\boldsymbol{Q}'\) are such that the codes generated by \(\boldsymbol{G}\boldsymbol{Q}\) and \(\boldsymbol{G}\boldsymbol{Q}'\) are equivalent, then there exists \(\boldsymbol{S}\in \mathsf {GL}_{k}\) such that \(\boldsymbol{G} = \boldsymbol{S}\boldsymbol{G} \boldsymbol{Q}'\boldsymbol{Q}^{-1}\), implying that \(\boldsymbol{Q}\boldsymbol{Q}'^{-1}\) is an automorphism for the code generated by \(\boldsymbol{G}\).

  3. If needed, \(\boldsymbol{S}\) can then be found in polynomial time also.

References

  1. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography (2007)

  2. Alamati, N., De Feo, L., Montgomery, H., Patranabis, S.: Cryptographic group actions and applications. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 411–439. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_14

  3. Aragon, N., Blazy, O., Gaborit, P., Hauteville, A., Zémor, G.: Durandal: a rank metric based signature scheme. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 728–758. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_25

  4. Babai, L.: Graph isomorphism in quasipolynomial time. In: Proceedings of the Forty-Eighth Annual ACM Symposium on Theory of Computing, pp. 684–697 (2016)

  5. Bardet, M., Otmani, A., Saeed-Taha, M.: Permutation code equivalence is not harder than graph isomorphism when hulls are trivial. In: IEEE ISIT 2019, pp. 2464–2468 (2019)

  6. Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P.: LESS-FM: fine-tuning signatures from the code equivalence problem. Cryptology ePrint Archive, Report 2021/396 (2021). https://eprint.iacr.org/2021/396

  7. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS, pp. 390–399 (2006)

  8. Bellini, E., Caullery, F., Gaborit, P., Manzano, M., Mateu, V.: Improved Veron identification and signature schemes in the rank metric. In: ISIT, Paris, France, pp. 1872–1876 (2019)

  9. Beullens, W.: Not enough LESS: an improved algorithm for solving code equivalence problems over \(\mathbb{F}_{q}\). Cryptology ePrint Archive, Report 2020/801 (2020)

  10. Beullens, W.: Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 183–211. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_7

  11. Biasse, J.-F., Micheli, G., Persichetti, E., Santini, P.: LESS is more: code-based signatures without syndromes. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 45–65. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_3

  12. Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptol. ePrint Arch. 2006:291 (2006)

  13. De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26

  14. Debris-Alazard, T., Sendrier, N., Tillich, J.-P.: Wave: a new family of trapdoor one-way preimage sampleable functions based on codes. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 21–51. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_2

  15. El Yousfi Alaoui, S.M., Cayrel, P.-L., El Bansarkhani, R., Hoffmann, G.: Code-based identification and signature schemes in software. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES 2013. LNCS, vol. 8128, pp. 122–136. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40588-4_9

  16. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  17. Leon, J.: Computing automorphism groups of error-correcting codes. IEEE Trans. Inf. Theory 28(3), 496–511 (1982)

  18. Ransom, R.: Constant-time verification for cut-and-choose-based signatures. Cryptology ePrint Archive, Report 2020/1184 (2020)

  19. Sendrier, N.: The support splitting algorithm. IEEE Trans. Inf. Theory 46, 1193–1203 (2000)


Acknowledgments

The authors would like to thank Ward Beullens and Robert Ransom for fruitful discussions about LESS optimizations.

Corresponding author: Edoardo Persichetti.

Appendices

A Cryptographic Group Actions

At a high level, a group action is an operator combining a group with a set, under which the identity of the group acts trivially and which satisfies the compatibility property, as follows.

Definition 2

Let X be a set and \((G,\circ )\) be a group with identity e. A (right) group action is a mapping

\(\star : X\times G \rightarrow X,\qquad (x,g)\mapsto x\star g\)

such that \(x\star e = x\) for all \(x\in X\) and, for all \(x\in X\) and \(g_1,g_2\in G\), it holds that \((x\star g_1)\star g_2=x\star (g_1\circ g_2)\).

A group action is usually called cryptographic if it satisfies some additional properties that make it interesting in a cryptographic context. In the first place, besides efficient sampling, computation, and membership testing, a cryptographic group action should certainly be one-way, i.e. given randomly chosen \(x_1,x_2\in X\), it should be hard to find \(g\in G\) such that \(x_1\star g=x_2\) (if such a g exists). Other desirable properties include, for instance, pseudorandomness of the output, as well as more traditional ones such as commutativity, transitivity etc. Due to space constraints, we refer the reader to [2] for an extensive treatment of cryptographic group actions and their properties.

B EUF-CMA Security of LESS

Here we show that the LESS signature scheme is EUF-CMA secure. We begin with the following elementary result.

Lemma 1

Let \(\mathsf {M}_{n}\) be the set of monomial matrices as defined in Sect. 2. Then for any \(\boldsymbol{A}\in \mathsf {M}_{n}\) and \(\boldsymbol{B}\xleftarrow {\$}\mathsf {M}_{n}\), \(\boldsymbol{A}^{-1}\boldsymbol{B}\) is uniformly distributed over \(\mathsf {M}_{n}\).

Next, we recall the Forking Lemma, which is the traditional tool required for proofs of this kind. We use the formulation of Bellare-Neven (see [7]).

Lemma 2

Fix an integer \(Q\ge 1\) and a set H of size \(|H|\ge 2\). Let \(\mathcal A\) be a randomized algorithm that takes as input elements \(h_1,\dots ,h_Q\in H\) and outputs a pair \((J,\sigma )\) where \(1\le J\le Q\) with probability P. Consider the following experiment:

  1. Choose \(h_1,\dots ,h_Q\) uniformly at random from H.

  2. \(\mathcal A(h_1,\dots ,h_Q)\) outputs \((I,\sigma )\) with \(I\ge 1\).

  3. Choose \(h'_I,\dots ,h'_Q\) uniformly at random from H.

  4. \(\mathcal A(h_1,\dots ,h_{I-1},h'_I,\dots ,h'_Q)\) outputs \((I',\sigma ')\).

Then the probability that \(I'=I\) and \(h'_I\ne h_I\) is at least

$$P\left( \frac{P}{Q}-\frac{1}{|H|}\right) .$$

The main result is given below.

Theorem 1

The LESS signature scheme described in Table 1 is existentially unforgeable under adaptive chosen-message attacks, in the random oracle model, under the hardness of the linear code equivalence problem.

Proof

Let \(\mathcal A\) be a polynomial-time EUF-CMA adversary for LESS. \(\mathcal A\) takes as input a verification key \(\mathsf {vk}\), then performs a polynomial number of signing queries, say \(q_s\), and a polynomial number of random oracle queries, say \(q_r\). Eventually, \(\mathcal A\) outputs a forgery \((\boldsymbol{m}^*,\sigma ^*)\), with a certain probability of success p. We now show how to construct an adversary \(\mathcal A'\) that is able to solve the linear code equivalence problem. \(\mathcal A'\) will interact with \(\mathcal A\) and use it as a subroutine, playing the role of the challenger in the EUF-CMA game and simulating correct executions of the LESS protocol, obviously without having access to the private key.

To begin with, \(\mathcal A'\) is given an instance \((\boldsymbol{G},\boldsymbol{G}'=\boldsymbol{S}\boldsymbol{G}\boldsymbol{Q})\) of Problem 1, which he sets up as public key in the simulated LESS protocol. \(\mathcal A'\) will answer signing queries and random oracle queries as described below; to ensure consistency of the simulation, the queries will be tracked with the help of a table \(\mathsf T\), initially empty, where the calls to the random oracle will be stored as they are answered, in the form of pairs (input, output).

Setup. Set \(\boldsymbol{G}_0=\boldsymbol{G}\) and \(\boldsymbol{G}_1=\boldsymbol{G}'\).

Random Oracle Queries. In a random oracle query, \(\mathcal A\) submits an input \(\boldsymbol{x}\) of the form and expects to receive a \(\lambda \)-bit string h. \(\mathcal A'\) proceeds as follows:

  1. Look up \(\boldsymbol{x}\) in \(\mathsf T\). If \((\boldsymbol{x},h)\in \mathsf T\) for some h, return h and halt.

  2. Generate uniformly at random a \(\lambda \)-bit string h.

  3. Add \((\boldsymbol{x},h)\) to \(\mathsf T\).

  4. Return h.

Signing Queries. In a signing query, \(\mathcal A\) submits a message \(\boldsymbol{m}\) and expects to receive a valid signature \(\sigma \) for it. \(\mathcal A'\) proceeds as follows:

  1. Generate uniformly at random a \(\lambda \)-bit string h.

  2. Generate uniformly at random matrices .

  3. Set .

  4. Return signature \(\sigma =(\mu _0,\dots \mu _{t-1},h)\).

After that, \(\mathcal A'\) adjusts his registry of queries by recording the query corresponding to h in table \(\mathsf T\). More specifically, \(\mathcal A'\) will parse \(h=h_0,\dots h_{t-1}\), where \(h_i\in \{0,1\}\), then compute and finally set h to be the response to the random oracle query with input . Note that, due to Lemma 1, signatures produced in this way are indistinguishable from authentic signatures, since they follow the exact same distribution.

The simulation halts if, during a signing query, the input to the random oracle had already been queried before, in which case the signing query outputs \(\bot \) instead. Note that this can only happen with negligible probability; more precisely, the probability is at most \(q'/K^t\), where \(q'=q_s+q_r\) is the total number of queries performed and \(1/K\) is an upper bound on the probability of a collision, i.e. of sampling two monomial matrices that lead to linearly equivalent codes (see Proposition 1 of Appendix E, and Footnote 2).

Once \(\mathcal A\) has finished performing queries, it will output a forgery \((\boldsymbol{m},\sigma )\), where \(\sigma =(\mu _0,\dots \mu _{t-1},h_0,\dots h_{t-1})\), that successfully passes verification. At this point, \(\mathcal A'\) rewinds his tape and plays the simulation again, in the exact same way, except that one of the random oracle queries is answered differently. By the Forking Lemma, \(\mathcal A\) will now output, with non-negligible probability, a forgery \(({\boldsymbol{m}}',\sigma ')\), where \(\sigma '=(\mu '_0,\dots \mu '_{t-1}, h'_0,\dots h'_{t-1})\), for the same message \({\boldsymbol{m}}'=\boldsymbol{m}\) and the same random oracle input , such that \(\sigma '\ne \sigma \). Let l be the index such that \( h'_l\ne h_l\); then \(\mathsf {sf}(\boldsymbol{G}_{ h'_l}\mu '_l)=\mathsf {sf}(\boldsymbol{G}_{h_l}\mu _l)\), which means that the monomial matrix \(\mu '_l\mu _l^{-1}\) is a solution to the linear code equivalence problem as desired.   \(\square \)

C EUF-CMA Security of LESS-M

We begin showing that the Multiple Codes Linear Equivalence Problem (Problem 2) reduces tightly to the Linear Equivalence Problem (Problem 1).

Theorem 2

Given an algorithm to solve Problem 2, that runs in time T and succeeds with probability \(\varepsilon \), it is possible to solve Problem 1, in time approximately equal to \(T+O(rn^3)\), with probability of success equal to \(\varepsilon /2\).

Proof

Let \(\mathcal A\) be an adversary for Problem 2. We now show how to construct an adversary \(\mathcal A'\) that is able to solve the linear code equivalence problem. \(\mathcal A'\) will interact with \(\mathcal A\) and use it as a subroutine. To begin, \(\mathcal A'\) is given an instance \((\boldsymbol{G},\boldsymbol{G}'=\boldsymbol{S}\boldsymbol{G}\boldsymbol{Q})\) of Problem 1. It then generates \(r=2^\ell \) equivalent codes in the following way. First, \(\mathcal A'\) samples uniformly at random matrices \(\boldsymbol{S}_{0},\dots ,\boldsymbol{S}_{r-1}\) and \(\boldsymbol{Q}_{0},\dots ,\boldsymbol{Q}_{r-1}\). Then, it computes half of the codes starting from \(\boldsymbol{G}\), and half starting from \(\boldsymbol{G}'\); without loss of generality, we can imagine that \(\boldsymbol{G}_i\) is generated as \(\boldsymbol{S}_i\boldsymbol{G}\boldsymbol{Q}_i\) when \(i\in [0;r/2-1]\), and as \(\boldsymbol{S}_i\boldsymbol{G}'\boldsymbol{Q}_i\) when \(i\in [r/2;r-1]\) (and then reordered). It is clear that this computation can be done in polynomial time, at most \(O(rn^3)\), and that there is no way to distinguish how an individual matrix was generated (i.e. from \(\boldsymbol{G}\) rather than \(\boldsymbol{G}'\)). At this point \(\mathcal A'\) runs \(\mathcal A\) on input \(\boldsymbol{G}_0,\dots ,\boldsymbol{G}_{r-1}\), and \(\mathcal A\) will output, with probability \(\varepsilon \), a response \((\boldsymbol{S}^*,\boldsymbol{Q}^*)\) such that \(\boldsymbol{G}_{j'}=\boldsymbol{S}^*\boldsymbol{G}_j\boldsymbol{Q}^*\). Now, if one of the two matrices was of the first type and the other of the second type, \(\mathcal A'\) is able to win. For instance, if \(\boldsymbol{G}_j=\boldsymbol{S}_j\boldsymbol{G}\boldsymbol{Q}_j\) and \(\boldsymbol{G}_{j'}=\boldsymbol{S}_{j'}\boldsymbol{G}'\boldsymbol{Q}_{j'}\), then it must be \(\boldsymbol{Q}^*=\boldsymbol{Q}_j^{-1}\boldsymbol{Q}\boldsymbol{Q}_{j'}\), so that \(\boldsymbol{Q}=\boldsymbol{Q}_j\boldsymbol{Q}^*\boldsymbol{Q}_{j'}^{-1}\) is immediately revealed (Footnote 3). Since this happens with probability 1/2, we get the thesis.    \(\square \)
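As an added example (not code from the paper), the following Python script models both arguments on a toy instance: the forking-lemma extraction of Theorem 1 (Appendix B), where two accepting responses to the same commitment under different challenge bits give \(\mu _l\mu '^{-1}_l\), and the embedding of Theorem 2 above, where a Problem 1 instance is hidden among \(r\) re-randomised codes and the solver's answer \(\boldsymbol{Q}^*\) is unwound to \(\boldsymbol{Q}\). Every numeric choice is an assumption made for readability (q = 13, n = 8, k = 4, r = 4, a fixed seed); monomials are represented as explicit \(n\times n\) matrices, \(\mathsf {sf}\) is modelled by the reduced row echelon form, and the Problem 2 solver is simulated with knowledge of the secret so that the reduction's bookkeeping can be checked.

```python
"""Toy LESS over a prime field F_q: the extraction step of Theorem 1 and the
embedding of Theorem 2, run on constructed small parameters.

Added example, not code from the paper. q, n, k, r and the seed are
assumptions; the paper's sf() is modelled by the reduced row echelon form.
"""
import random

P = 13        # field size q (assumption; far too small for security)
N, K = 8, 4   # code length and dimension (assumption)


def rref(G):
    """Reduced row echelon form over F_q: canonical form of the row space."""
    M = [list(row) for row in G]
    r = 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, P)
        M[r] = [x * inv % P for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [(a - M[i][c] * b) % P for a, b in zip(M[i], M[r])]
        r += 1
    return tuple(tuple(row) for row in M)


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)]
            for row in A]


def random_monomial(rng):
    """Uniform element of M_n: one nonzero scalar per row and column."""
    perm = list(range(N))
    rng.shuffle(perm)
    Qm = [[0] * N for _ in range(N)]
    for j in range(N):
        Qm[j][perm[j]] = rng.randrange(1, P)
    return Qm


def monomial_inverse(Qm):
    inv = [[0] * N for _ in range(N)]
    for j in range(N):
        for i in range(N):
            if Qm[j][i]:
                inv[i][j] = pow(Qm[j][i], -1, P)
    return inv


def keygen(rng):
    """Public (G0, G1 = S*G0*Q) and secret monomial Q; rref supplies S."""
    G0 = rref([[rng.randrange(P) for _ in range(N)] for _ in range(K)])
    Qsec = random_monomial(rng)
    return G0, rref(matmul(G0, Qsec)), Qsec


def honest_round(G0, Qsec, rng):
    """Commitment sf(G0*mu) and honest responses to bit 0 (mu) and bit 1
    (Q^-1*mu, since G1*Q^-1*mu spans the same code as G0*mu)."""
    mu = random_monomial(rng)
    return rref(matmul(G0, mu)), {0: mu, 1: matmul(monomial_inverse(Qsec), mu)}


def extract(G0, G1, mu_bit0, mu_bit1):
    """Theorem 1: two responses to one commitment under different bits give
    mu_l * mu'_l^-1, a monomial mapping the code of G0 onto that of G1."""
    assert rref(matmul(G0, mu_bit0)) == rref(matmul(G1, mu_bit1))
    return matmul(mu_bit0, monomial_inverse(mu_bit1))


def embed_problem2(G, Gp, r, rng):
    """Theorem 2: r codes, half re-randomised from G and half from G',
    shuffled so that the Problem 2 solver cannot tell the two kinds apart."""
    items = []
    for i in range(r):
        Qi, from_G = random_monomial(rng), i < r // 2
        items.append((rref(matmul(G if from_G else Gp, Qi)), Qi, from_G))
    rng.shuffle(items)
    return [c for c, _, _ in items], [q for _, q, _ in items], [t for _, _, t in items]


def recover_secret(Qstar, j, jp, Qs, from_G):
    """Unwind a Problem 2 answer Q* with G_j' = S* G_j Q*. Works only if the
    two codes are of different kind (the factor 1/2 in Theorem 2)."""
    if from_G[j] == from_G[jp]:
        return None
    if not from_G[j]:               # put the G-side code at index j
        j, jp, Qstar = jp, j, monomial_inverse(Qstar)
    return matmul(matmul(Qs[j], Qstar), monomial_inverse(Qs[jp]))  # Q_j Q* Q_j'^-1


def demo(seed=1, r=4):
    rng = random.Random(seed)
    G0, G1, Qsec = keygen(rng)
    _, resp = honest_round(G0, Qsec, rng)
    Qext = extract(G0, G1, resp[0], resp[1])
    codes, Qs, from_G = embed_problem2(G0, G1, r, rng)
    j, jp = from_G.index(True), from_G.index(False)
    # Simulated Problem 2 solver (knows the secret here): Q* = Q_j^-1 Q Q_j'
    Qstar = matmul(matmul(monomial_inverse(Qs[j]), Qsec), Qs[jp])
    return {
        "extracted_solves_problem1": rref(matmul(G0, Qext)) == rref(G1),
        "extracted_equals_secret": Qext == Qsec,
        "solver_answer_valid": rref(matmul(codes[j], Qstar)) == rref(codes[jp]),
        "reduction_recovers_secret": recover_secret(Qstar, j, jp, Qs, from_G) == Qsec,
        "same_kind_pair_is_useless":
            recover_secret(Qstar, j, from_G.index(True, j + 1), Qs, from_G) is None,
    }
```

`demo()` returns a dictionary of checks that should all be true. The `same_kind_pair_is_useless` entry is the case that costs the factor 1/2 in Theorem 2: when both codes derive from the same side, \(\boldsymbol{Q}^*=\boldsymbol{Q}_j^{-1}\boldsymbol{Q}_{j'}\) carries no information about \(\boldsymbol{Q}\), and the reduction learns nothing from that run.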

We now state the security result.

Theorem 3

The LESS-M signature scheme described in Table 2 is existentially unforgeable under adaptive chosen-message attacks, in the random oracle model, under the hardness of the multiple codes linear equivalence problem.

Proof

(Sketch) The proof is nearly identical to the proof of Theorem 1, above. Indeed, let \(\mathcal A\) be a polynomial-time EUF-CMA adversary for LESS-M. In this case \(\mathcal A\) will serve as subroutine for an adversary \(\mathcal A'\) against Problem 2. To begin with, \(\mathcal A'\) is given an instance \((\boldsymbol{G}_0,\dots ,\boldsymbol{G}_{r-1})\) of Problem 2, which he sets up as public key in the simulated LESS-M protocol. As before, \(\mathcal A'\) will answer signing queries and random oracle queries with the help of an auxiliary table \(\mathsf T\). For random oracle queries, the input is still of the form , with the only difference being that before we had \(t=\lambda \), whereas now we have \(t=\lambda /\ell \). Queries are answered in the exact same way as above, by selecting a uniform random \(\lambda \)-string h and updating the table. For signing queries, the procedure is also very similar. Once again, a signature is created using uniformly-sampled matrices (with \(t=\lambda /\ell \)). Now, when \(\mathcal A'\) adjusts his registry of queries, he will parse \(h=h_0,\dots h_{t-1}\), where \(h_i\in \mathbb Z_2^\ell \), then proceed as before, computing and matching h with the random oracle query with input . It is easy to see that signatures produced in this way are still indistinguishable from authentic signatures.

The rest of the proof proceeds exactly as before, with \(\mathcal A'\) rewinding the tape, repeating the simulation and invoking the Forking Lemma to obtain two valid forged signatures \(\sigma '\ne \sigma \) for the same message. Again, if l is the index such that \( h'_l\ne h_l\), then \(\mathsf {sf}(\boldsymbol{G}_{ h'_l}\mu '_l)=\mathsf {sf}(\boldsymbol{G}_{h_l}\mu _l)\) and therefore \(\mu '_l\mu _l^{-1}\) is a solution to the multiple codes linear equivalence problem as desired (with \(j'=h'_l\ne h_l=j\) as per the formulation of Problem 2).    \(\square \)

D EUF-CMA Security of LESS-F

In this section we discuss the EUF-CMA security of LESS-F. We have the following result.

Theorem 4

The LESS-F signature scheme described in Table 3 is existentially unforgeable under adaptive chosen-message attacks, in the random oracle model, under the hardness of the linear code equivalence problem.

Proof

(Sketch) The proof is essentially identical to the proof of Theorem 1. If \(\mathcal A\) is a polynomial-time EUF-CMA adversary for LESS-F, it will be used as subroutine by an adversary \(\mathcal A'\) against Problem 1. The setup is the same, including the use of the auxiliary table \(\mathsf T\). Indeed the only difference between the two proofs is in the output of the hash function \(\mathsf H\). This means that the random string h, generated to answer both random oracle and signing queries, is sampled uniformly from \(\mathbb Z_{2,\omega }^t\) rather than from \(\{0,1\}^\lambda \). The remainder of the proof proceeds unchanged.   \(\square \)

Note that the aforementioned difference is relevant exclusively in the statement of the Forking Lemma. In fact, the (inverse of the) size of H appears in the Lemma’s statement as a negative term (and should therefore be negligible). In the original LESS scheme (as is customary) one has \(H=\{0,1\}^\lambda \), so \(|H|=2^\lambda \) and thus the term appearing in the Lemma is \(1/2^\lambda \). Accordingly, with this variant, we have \(H=\mathbb Z_{2,\omega }^t\), so \(|H|=\left( {\begin{array}{c}t\\ \omega \end{array}}\right) \), which is precisely why we require \(\log _2\left( {\begin{array}{c}t\\ \omega \end{array}}\right) \ge \lambda \).

E The Automorphism Group of a Random Code

We now derive an estimate of the size of the automorphism group of a random linear code, and use it to obtain an upper bound on the probability that applying a random monomial (or permutation) returns the code itself. We state the main result first, and then prove it.

Proposition 1

Let \(\mathfrak C\subseteq \mathbb F_q^n\) be a random linear code with dimension k. Let \(d_{GV}\) denote the GV distance of \(\mathfrak C\), and \(N_{d_{GV}} = \left\lceil \binom{n}{d_{GV}} (q-1)^{d_{GV}-2}q^{k-n+1}\right\rceil \). Let \(d^\bot _{GV}\) be the GV distance of \(\mathfrak C^\bot \), and \(N_{d_{GV}}^\bot = \left\lceil \binom{n}{d_{GV}^\bot } (q-1)^{d^\bot _{GV}-2}q^{-k+1}\right\rceil \). The probability that \(\pi \xleftarrow {\$}\mathsf {S}_n\) is in the permutation automorphism group of \(\mathfrak C\), i.e., \(\pi (\mathfrak C) = \mathfrak C\), is not greater than

$$\begin{aligned} (q-1)\min \left\{ \frac{N_{d_{GV}}!}{\binom{n}{d_{GV}}},\frac{N_{d_{GV}}^\bot !}{\binom{n}{d_{GV}^\bot }}\right\} , \end{aligned}$$

while the probability that \(\mu \xleftarrow {\$}\mathsf {M}_{n}\) is in the monomial automorphism group of \(\mathfrak C\), i.e., \(\mu (\mathfrak C) = \mathfrak C\), is not greater than

$$\begin{aligned} \min \left\{ \frac{N_{d_{GV}}!\,(q-1)^{-d_{GV}+1}}{\binom{n}{d_{GV}}},\frac{N_{d_{GV}}^\bot !\,(q-1)^{-d_{GV}^\bot +1}}{\binom{n}{d_{GV}^\bot }}\right\} . \end{aligned}$$

We prove the above result explicitly for the case of permutations. In the case of monomials, the proof can be easily adapted; due to space constraints, such a proof will be presented explicitly only in the full version of this paper.

E.1 Proof for the Permutation Automorphism Group

To derive a bound on the size of the automorphism group of a code, we will consider the action of permutations on the set of minimum weight codewords. To this end, we first derive some preliminary results.

Lemma 3

Let \(\boldsymbol{a},\boldsymbol{b}\in \mathbb F_q^n\) have the same Hamming weight w and the same multiset of entries. Let \(\mathsf{{Mor}}_{\mathsf {S}_n}(\boldsymbol{a},\boldsymbol{b}) = \left\{ \pi \in \mathsf {S}_n\mid \pi (\boldsymbol{a}) = \boldsymbol{b}\right\} \). Then, the cardinality of \(\mathsf{{Mor}}_{\mathsf {S}_n}(\boldsymbol{a},\boldsymbol{b})\) is not greater than \(w!(n-w)!\).

Proof

For a permutation \(\pi \), we can have \(\pi (i) = j\) only if \(a_i = b_j\). Let \(m_x\), for \(x\in \mathbb F_q\), be the number of entries with value equal to x in \(\boldsymbol{a}\) (equivalently, in \(\boldsymbol{b}\)); since \(\boldsymbol{a}\) and \(\boldsymbol{b}\) have Hamming weight w, it holds that \(m_0 = n-w\) and \(\sum _{x\in \mathbb F_q^*}m_x = w\). Then, we have

$$\begin{aligned} \left| \mathsf{{Mor}}_{\mathsf {S}_n}(\boldsymbol{a},\boldsymbol{b})\right| \nonumber&= \prod _{x \in \mathbb F_q}m_x! = (n-w)!\prod _{x \in \mathbb F_q^*}m_x!. \end{aligned}$$

It is immediately seen that \(\prod _{x\in \mathbb F_q^*}m_x!\le \left( \sum _{x\in \mathbb F_q^*}m_x\right) ! = w!\), so that as an upper bound on the size of \(\mathsf{{Mor}}_{\mathsf {S}_n}(\boldsymbol{a},\boldsymbol{b})\) we can use \((n-w)!\,w!\).   \(\square \)

Lemma 4

Let \(A\subseteq \mathbb F_q^n\), with cardinality M, such that all the contained vectors have Hamming weight w. Let \(\mathsf{{Aut}}_{\mathsf {S}_n}(A) = \left\{ \pi \in \mathsf {S}_n\mid \pi (\boldsymbol{a}) \in A,\forall \boldsymbol{a}\in A\right\} \); then, the size of \(\mathsf{{Aut}}_{\mathsf {S}_n}(A)\) is not greater than \(M!w!(n-w)!\).

Proof

If \(\pi \in \mathsf{{Aut}}_{\mathsf {S}_n}(A)\), then for each \(\boldsymbol{a}\in A\), either \(\pi (\boldsymbol{a}) = \boldsymbol{a}\) or there exists \(\boldsymbol{a}'\in A\), \(\boldsymbol{a}'\ne \boldsymbol{a}\), such that \(\pi (\boldsymbol{a}) = \boldsymbol{a}'\). Let us fix an order for the elements of A and write \(A = \left\{ \boldsymbol{a}^{1},\boldsymbol{a}^{2},\cdots ,\boldsymbol{a}^{M}\right\} \). For each \(\pi \in \mathsf{{Aut}}_{\mathsf {S}_n}(A)\), there exists one and only one bijection \(f:\{1,\cdots ,M\}\to \{1,\cdots ,M\}\) such that \(f(i) = j\) if and only if \(\pi (\boldsymbol{a}^{i}) = \boldsymbol{a}^{j}\). Conversely, for a fixed bijection f, we may have more than one valid permutation, i.e., a permutation that maps \(\boldsymbol{a}^{i}\) to \(\boldsymbol{a}^{j}\) if and only if \(f(i) = j\). It is easily seen that, for a bijection f, the set of all valid permutations is obtained as \(\mathsf{{Aut}}_{\mathsf {S}_n}^{(f)}(A) = \bigcap _{i = 1}^M\mathsf{{Mor}}_{\mathsf {S}_n}\big (\boldsymbol{a}^{i},\boldsymbol{a}^{f(i)}\big )\). Each bijection f can be seen as an element of the symmetric group on M elements (which we denote as \(\mathsf{{S}}_M\)), so that the number of possible bijections is given by M!. Notice that, if \(\pi \in \mathsf{{Aut}}_{\mathsf {S}_n}^{(f)}(A)\), then it is also in \(\mathsf{{Aut}}_{\mathsf {S}_n}(A)\): hence, \(\mathsf{{Aut}}_{\mathsf {S}_n}(A)\) corresponds to the union of all sets \(\mathsf{{Aut}}_{\mathsf {S}_n}^{(f)}(A)\), that is

$$\begin{aligned} \mathsf{{Aut}}_{\mathsf {S}_n}(A)&\nonumber = \bigcup _{f \in \mathsf{{S}}_M}\mathsf{{Aut}}^{(f)}_{\mathsf {S}_n}(A) = \bigcup _{f \in \mathsf{{S}}_M}\left( \bigcap _{i = 1}^M\mathsf{{Mor}}_{\mathsf {S}_n}\big (\boldsymbol{a}^{i},\boldsymbol{a}^{f(i)}\big )\right) . \end{aligned}$$

We are now able to derive an upper bound on the size of \(\mathsf{{Aut}}_{\mathsf {S}_n}(A)\), as follows

$$\begin{aligned} \left| \mathsf{{Aut}}_{\mathsf {S}_n}(A)\right| =&\nonumber \left| \bigcup _{f \in \mathsf{{S}}_M}\left( \bigcap _{i = 1}^M\mathsf{{Mor}}_{\mathsf {S}_n}\big (\boldsymbol{a}^{i},\boldsymbol{a}^{f(i)}\big )\right) \right| \le |\mathsf{{S}}_M|\cdot \max _{f\in \mathsf{{S}}_M}\left| \bigcap _{i = 1}^M\mathsf{{Mor}}_{\mathsf {S}_n}\big (\boldsymbol{a}^{i},\boldsymbol{a}^{f(i)}\big )\right| \\\nonumber&= M! \cdot \max _{f\in \mathsf{{S}}_M}\left| \bigcap _{i = 1}^M\mathsf{{Mor}}_{\mathsf {S}_n}\big (\boldsymbol{a}^{i},\boldsymbol{a}^{f(i)}\big )\right| \le M!\,w!\,(n-w)!, \end{aligned}$$

where the last inequality comes from Lemma 3.   \(\square \)

Using the previous results, we prove the following theorem.

Theorem 5

Let \(\mathfrak C\subseteq \mathbb F_q^n\) be a linear code with minimum distance d. Let \(T_q(\boldsymbol{c}) = \left\{ b\boldsymbol{c}\mid b\in \mathbb F_q^*\right\} \), and let \(V\subset \mathbb F_q^n\) be a set of \(N_d\) codewords such that

  i) if \(\boldsymbol{c}\in \mathfrak C\) has weight d, then \(T_q(\boldsymbol{c})\) and V have exactly one element in common;

  ii) all codewords in V have weight d.

Let \(\mathsf{{Aut}}_{\mathsf {S}_n}(\mathfrak C)\) be the permutation automorphism group of \(\mathfrak C\). Then, the cardinality of \(\mathsf{{Aut}}_{\mathsf {S}_n}(\mathfrak C)\) is not greater than \((N_d)!(q-1)d!(n-d)!\).

Proof

Without loss of generality, we can define V such that all of its codewords have the first entry that is equal to 1. Now, let \(\pi \in \mathsf{{Aut}}_{\mathsf {S}_n}(\mathfrak C)\); then, \(\pi \) must map the set of codewords of \(\mathfrak C\) with weight d into itself. Since this set is obtained as \(V_q = \bigcup _{\boldsymbol{c}\in V}T_q(\boldsymbol{c})\), we have that the image of \(V_q\) under the permutation \(\pi \) is equal to itself. Hence, for each \(\boldsymbol{c}\in \mathfrak C\) with weight d, there must be \(\boldsymbol{c}'\in V\) such that \(\pi (\boldsymbol{c})\in T_q(\boldsymbol{c}')\). Note that this also guarantees that, for each \(\hat{\boldsymbol{c}}\in T_q(\boldsymbol{c})\), one also has \(\pi (\hat{\boldsymbol{c}})\in T_q(\boldsymbol{c}')\). To put it differently, for each \(\boldsymbol{c}\in V\) there must exist i) another codeword \(\boldsymbol{c}'\in V\), and ii) a non null element \(b\in \mathbb F_q^*\), such that \(\pi (\boldsymbol{c}) = b\boldsymbol{c}'\). Hence, we have

$$\mathsf{{Aut}}_{\mathsf {S}_n}\left( V_q\right) = \bigcup _{f\in \mathsf{{S}}_{N_d}}\bigcup _{b\in \mathbb F_q^*}\left( \bigcap _{i = 1}^{N_d}\mathsf{{Mor}}_{\mathsf {S}_n}\left( \boldsymbol{c}^{i},b\boldsymbol{c}^{f(i)}\right) \right) .$$

This allows us to derive a bound on the size of \(\mathsf{{Aut}}_{\mathsf {S}_n}(V_q)\), applying the union bound twice:

$$\begin{aligned} \left| {\mathsf{{Aut}}}_{\mathsf {S}_n}(V_q)\right|&\nonumber = \left| \bigcup _{f\in \mathsf{{S}}_{N_d}}\bigcup _{b\in \mathbb F_q^*}\left( \bigcap _{i = 1}^{N_d}\mathsf{{Mor}}_{\mathsf {S}_n}\left( \boldsymbol{c}^{i},b\boldsymbol{c}^{f(i)}\right) \right) \right| \nonumber \\&\le \left| \mathsf{{S}}_{N_d}\right| \cdot \left| \mathbb F_q^*\right| \cdot \max _{f,\,b}\left| \bigcap _{i = 1}^{N_d}\mathsf{{Mor}}_{\mathsf {S}_n}\left( \boldsymbol{c}^{i},b\boldsymbol{c}^{f(i)}\right) \right| \le N_d!\,(q-1)\,d!\,(n-d)!. \end{aligned}$$

Finally, we consider that if \(\pi \in \mathsf{{Aut}}_{\mathsf {S}_n}(\mathfrak C)\), then it must necessarily be \(\pi \in \mathsf{{Aut}}_{\mathsf {S}_n}(V_q)\): hence, it must be \(\mathsf{{Aut}}_{\mathsf {S}_n}(\mathfrak C)\subseteq \mathsf{{Aut}}_{\mathsf {S}_n}(V_q)\). So, we can use the bound on the cardinality of \(\mathsf{{Aut}}_{\mathsf {S}_n}(V_q)\) as an upper bound for the size of \(\mathsf{{Aut}}_{\mathsf {S}_n}(\mathfrak C)\).   \(\square \)

The above results allow us to prove the bound on the permutation automorphism group stated in Proposition 1. To estimate the minimum distance of a code, we use the well-known Gilbert-Varshamov bound, and we estimate the number of weight-w codewords (without counting scalar multiples) as \(\left\lceil \binom{n}{w} (q-1)^{w-2}q^{k-n+1}\right\rceil \). We then divide the upper bound on the size of the automorphism group resulting from Theorem 5 by the cardinality of \(\mathsf {S}_n\) (that is, n!), which gives \((q-1)N_d!\,d!\,(n-d)!/n! = (q-1)N_d!/\binom{n}{d}\). Finally, we use the fact that the automorphism group of a code coincides with that of its dual: we repeat the reasoning for the dual code and take the minimum between the two probabilities obtained (the one for the code and the one for its dual).
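As an added example (not code from the paper), the script below checks Lemma 3 and Theorem 5 by exhaustive search on two constructed toy codes: a binary [4,2] code and a ternary [6,2] code whose generator matrices are assumptions chosen for the illustration. It compares the exact count \(\prod _x m_x!\) from the proof of Lemma 3 against a brute-force enumeration of \(\mathsf {S}_n\) and against the bound \(w!(n-w)!\), and it enumerates \(\mathsf{{Aut}}_{\mathsf {S}_n}(\mathfrak C)\) to set it against \(N_d!(q-1)d!(n-d)!\). Here d and \(N_d\) are computed exactly from the codeword set rather than estimated through the GV bound as in Proposition 1.

```python
"""Exhaustive check of Lemma 3 and Theorem 5 (Appendix E) on tiny codes.

Added example, not code from the paper. The two generator matrices are
constructed for this illustration and are small enough that S_n and the
full codeword set can be enumerated directly.
"""
from collections import Counter
from itertools import permutations, product
from math import factorial, prod


def act(pi, v):
    """Permutation action on coordinates: pi(v)_{pi(i)} = v_i."""
    out = [0] * len(v)
    for i, x in enumerate(v):
        out[pi[i]] = x
    return tuple(out)


def mor_exact(a, b):
    """|Mor_{S_n}(a, b)| = prod_x m_x! (proof of Lemma 3); 0 when the entry
    multisets differ, since then no permutation maps a to b."""
    ca, cb = Counter(a), Counter(b)
    return prod(factorial(m) for m in ca.values()) if ca == cb else 0


def mor_bound(a):
    """The bound w!(n-w)! of Lemma 3, with w the Hamming weight of a."""
    n, w = len(a), sum(1 for x in a if x)
    return factorial(w) * factorial(n - w)


def mor_bruteforce(a, b):
    return sum(1 for pi in permutations(range(len(a))) if act(pi, a) == b)


def codewords(G, q):
    """All codewords of the code generated by G over the prime field F_q."""
    k, n = len(G), len(G[0])
    return {tuple(sum(c * G[i][j] for i, c in enumerate(coef)) % q
                  for j in range(n))
            for coef in product(range(q), repeat=k)}


def perm_automorphisms(C, n):
    """Aut_{S_n}(C) by exhaustive search over S_n."""
    return [pi for pi in permutations(range(n))
            if all(act(pi, c) in C for c in C)]


def theorem5_bound(C, q, n):
    """(d, N_d, N_d!(q-1)d!(n-d)!) with d the minimum distance and N_d the
    number of weight-d codewords up to scalar multiples, as in Theorem 5."""
    weights = sorted(sum(1 for x in c if x) for c in C if any(c))
    d = weights[0]
    N_d = weights.count(d) // (q - 1)
    return d, N_d, factorial(N_d) * (q - 1) * factorial(d) * factorial(n - d)


def analyse(G, q):
    n = len(G[0])
    C = codewords(G, q)
    aut = perm_automorphisms(C, n)
    d, N_d, bound = theorem5_bound(C, q, n)
    return {"d": d, "N_d": N_d, "aut_size": len(aut), "bound": bound,
            "bound_holds": len(aut) <= bound,
            "prob_random_perm_is_aut": len(aut) / factorial(n)}


# Constructed toy codes (assumptions): a binary [4,2] code whose automorphism
# group meets the Theorem 5 bound exactly, and a ternary [6,2] code.
BINARY_42 = [[1, 1, 0, 0], [0, 0, 1, 1]]
TERNARY_62 = [[1, 0, 1, 1, 2, 0], [0, 1, 1, 2, 0, 1]]


if __name__ == "__main__":
    a, b = (1, 0, 2, 1, 0, 2), (0, 2, 1, 0, 1, 2)
    print(mor_exact(a, b), mor_bruteforce(a, b), mor_bound(a))
    print(analyse(BINARY_42, 2))
    print(analyse(TERNARY_62, 3))
```

For the binary code the bound is met with equality (eight automorphisms, i.e. the permutations preserving the partition of the support into the two blocks), while for the ternary code the group has only two elements against a bound of 192, which is the looseness one expects from two successive union bounds.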

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P. (2021). LESS-FM: Fine-Tuning Signatures from the Code Equivalence Problem. In: Cheon, J.H., Tillich, J.-P. (eds.) Post-Quantum Cryptography. PQCrypto 2021. Lecture Notes in Computer Science, vol. 12841. Springer, Cham. https://doi.org/10.1007/978-3-030-81293-5_2

  • DOI: https://doi.org/10.1007/978-3-030-81293-5_2
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-81292-8
  • Online ISBN: 978-3-030-81293-5