**Tittel:** The Security of Hash-and-Sign with Retry against Superposition Attacks # Mitt review ### Paper summary > Give a succinct and positive description of the paper's main contributions ### Suitability > Do you think the topic of the paper belongs to the conference? **1.** Yes ### Novelty, methodology and technical correctness > Q1. Does the paper ignore related works that overlap with the claimed results? Q2. Is the methodology used in order to answer the research question and to demonstrate improvements over previously published state-of-the art solutions appropriate? Q3. Are there technical flaws that affect the correctness of the claims? Q1 (related works). As far as I am aware the authors do not ignore any relevant related work. Q2 (methodology). I find the methodology somewhat lacking: Some proofs are not spelled out in sufficient detail to be fully verifiable, and while I understand that asymptotic- versus concrete-security is a matter of taste, I believe that concrete bounds should at least be derivable from the proofs rather than just jumping from "negligible" to "negligible" with hand-wavy references to literature. (See the proofs of Lemma 1 and Lemma 5; see also technical quality below.) Q3 (technical flaws). While I did not identify any technical flaws in the proofs, technical details are lacking to the point of the claims being hard to verify (see below). ### Technical quality > Q4. Are there technical details missing to verify the contribution? (please put here technical questions\/comments\/suggestions you may have) Q4 (technical quality). I find that the technical quality of the paper fails to meet the standards we expect from a crypto paper. For starters, the preliminaries is in need of significant updating to ensure that all notation introduced is well-defined and consistent. As an illustrative example, their definition of an NP language is circular (L_R := {x in L_R | ...}). More examples, all from Sect. 2: - The use of "proof system" and "argument system" interchangably, without explaining if there is a difference; - the same objects appearing in different fonts; not specifying whether certain poly-time algorithms (like simulators) can be quantum; - Def. 2 containing obvious redundancy given that transcripts are said to be accepting, and then taking the probability that they be accepted; - Thm. 1 allowing for shared states, but not specifying how or between whom the states are shared (in particular, are they quantum or classical states)? The notation used in the probability is also not well-defined, with a conditional treated as pseudocode; - Thm. 2 contains a z that is never used or explained, and an oracle SCtO and a database D that are never introduced or explained; - Thm. 3 employs the notation <S, Theta>, never explained. - Def. 4: "reg" is never defined. - Fig. 1 contains an experiment Exp^corr that never appears in the text (and that also appears to be ill-defined). As mentioned above, I find the proofs of Lemma 1 and 5 in particular to be lacking in detail, more reminiscent of a proof sketch than a formal argument. I am particularly skeptical about the appeal to the compressed oracle technique: The way I remember this technique it comes with a lot of caveats, and it is far from obvious that it can be applied in all cases. Combined with the lacking introduction of the technique in the preliminaries (see comments on Thm. 2 above) I find I can not verify the correctness of the claim. Additionally, as stated above, I would have liked to see all claims with concrete bounds, at least in the proofs if not the theorem statements themselves. The lack of these in Lemma 1 and 5 is particularly jarring given that explicit bounds are indeed derived for Lemma 2, 6, and 7. Why the discrepancy? In my opinion, the lack of concrete bounds from which to derive parameters invalidates the authors' claim that they have demonstrated the practical efficiency of QROM-secure group signatures. Finally, I do not believe the scheme presented in Sect. 5 can be said to be a "Conforming Example" (i.e., instantiation) of their framework, since the scheme is based on the hardness of RLWE/RSIS, etc., which typically do not exhibit perfect correctness. Their framework, in contrast, requires perfect correctness in all primitives. ### Editorial quality > Q5. Is the editorial quality of the paper sufficient to understand the contribution? (please put here editorial questions\/comments\/suggestions you may have) Q5 (editorial quality). The editorial quality is poor. The introduction contains a lot of redundancy, with several elementary points being repeatedly explained (e.g. that QROs can be called in superposition), and borderline tautological statements like (p.3) "For example, security proof (sic) of digital signatures in classical setting (sic) mostly uses a reduction strategy." The introduction also contains several untrue statements, like "the concept of reprogramming was introduced to facilitate programming in the QROM" (reprogramming has been a central feature of random oracles since the beginning); "(earlier work) inherently provide security againts a quantum adversary with quantum computational capabilities" (you just said they didn't because they didn't prove it in the QROM); "any existing partially dynamic group signature scheme can easily be adapted to achieve security in the QROM" (clearly not true: any pre-quantum scheme would serve as a trivial counterexample). The language itself is also poor, with many typos and misused terms, which makes the paper quite hard to read at times. Example: "Therefore, group signatures are one of the momentous schemes." What do you mean by a "momentous scheme"? Finally, Sect. 6 (Conclusion) does not say anything that has not already been said in the introduction, and could (and probably should) be slashed. Minor complaint: Remark 1 is vital to the security of group signatures, and should be moved Sect. 2.4. ### Scientific quality > In case answers to questions 1 to 5 are sufficiently positive: Q6. How do you rate the scientific importance of the research question? Q7. How do you rate the scientific contribution to this research question? Note that there are no universal rules for evaluating scientific quality, and each reviewer is entitled to her or his own view. Try to motivate your opinions based on your specific field of research and whether you, or other members of the IACR community, would be interested to listen to a talk on the paper content during the conference. Q6 (scientific importance). Any scheme that claims post-quantum security that uses random oracles needs to come with a security proof in the QROM. The authors identified an interesting open problem, and made steps in the right direction to address it. Q7 (scientific contribution). I don't see a flaw in the construction itself, and I find it likely that it will indeed turn out to be QROM secure, and showing this would indeed be a valuable contribution to the study of group signatures. Sadly, I find that the current writeup falls short of this goal, as explained above. ### Questions to authors > Please put *all* your questions that the authors are supposed to answer in the rebuttal here. ### Confidence level **2.** Medium: quite confident but I could not check many of the details ### Recommendation **2.** Weak reject.