Ring signatures are a powerful primitive that allows a member to sign on behalf of a group, without revealing their identity. Recently, ring signatures have received additional attention as an ingredient for post-quantum deniable authenticated key exchange, e.g., for a post-quantum version of the Signal protocol, employed by virtually all end-to-end-encrypted messenger services. While several ring signature constructions from post-quantum assumptions offer suitable security and efficiency for use in deniable key exchange, they are currently proven secure in the random oracle model (ROM) only, which is insufficient for post-quantum security. In this work, we provide four security reductions in the quantum-accessible random oracle model (QROM) for two generic ring signature constructions: two for the AOS framework and two for a construction paradigm based on ring trapdoors, whose generic backbone we formalize. The two security proofs for AOS ring signatures differ in their requirements on the underlying sigma protocol and their tightness. The two reductions for the ring-trapdoor-based ring signatures exhibit various differences in requirements and the security they provide. We employ the measure-and-reprogram technique, QROM straightline extraction tools based on the compressed oracle, history-free reductions and QROM reprogramming tools. To make use of Rényi divergence properties in the QROM, we study the behavior of quantum algorithms that interact with an oracle whose distribution is based on one of two different distributions over the set of outputs. We provide tight bounds for the statistical distance, show that the Rényi divergence can not be used to replace the entire oracle and provide a workaround.

翻译：环签名是一种强大的密码学原语，允许群体成员代表群体进行签名，同时不泄露其身份。近年来，环签名作为后量子可否认认证密钥交换的组成部分受到额外关注，例如用于几乎所有端到端加密即时通讯服务所采用的Signal协议的后量子版本。虽然基于后量子假设的若干环签名构造在安全性和效率上适用于可否认密钥交换，但它们目前仅在随机预言机模型（ROM）中被证明安全，这对于后量子安全性而言是不充分的。在本工作中，我们为两种通用环签名构造提供了四个量子可访问随机预言机模型（QROM）下的安全性归约：两个针对AOS框架，两个针对基于环陷门的构造范式（我们形式化了其通用框架）。针对AOS环签名的两个安全性证明在底层Sigma协议的要求和紧致性上有所不同。基于环陷门的环签名的两个归约在要求及所提供的安全性方面表现出多种差异。我们采用了测量重编程技术、基于压缩预言机的QROM直线提取工具、无历史归约以及QROM重编程工具。为了在QROM中利用Rényi散度特性，我们研究了与预言机交互的量子算法的行为，该预言机的分布基于输出集上两种不同分布之一。我们给出了统计距离的紧界，证明了Rényi散度无法用于完全替换整个预言机，并提供了一种解决方案。