Quantum Oracle Distribution Switching and its Applications to Fully Anonymous Ring Signatures

📅 2026-02-18
🤖 AI Summary
This work addresses a gap in post-quantum security guarantees for ring signature schemes, which to date have only been proven secure in the classical random oracle model (ROM), a model that is insufficient for post-quantum security. For the first time, it establishes security reductions in the quantum-accessible random oracle model (QROM) for two generic classes of ring signatures: those based on the AOS framework and those based on the ring trapdoor paradigm. The proofs employ measure-and-reprogram, compressed-oracle straightline extraction, history-free reductions, and QROM reprogramming, and the paper studies how quantum algorithms behave when the oracle's output distribution is switched between two distributions. It gives tight bounds for the statistical distance, shows that the Rényi divergence cannot be used to replace the entire oracle, and provides a workaround. The study delivers four QROM security reductions, two for each construction, in support of post-quantum deniable authenticated key exchange.

📝 Abstract
Ring signatures are a powerful primitive that allows a member to sign on behalf of a group, without revealing their identity. Recently, ring signatures have received additional attention as an ingredient for post-quantum deniable authenticated key exchange, e.g., for a post-quantum version of the Signal protocol, employed by virtually all end-to-end-encrypted messenger services. While several ring signature constructions from post-quantum assumptions offer suitable security and efficiency for use in deniable key exchange, they are currently proven secure in the random oracle model (ROM) only, which is insufficient for post-quantum security. In this work, we provide four security reductions in the quantum-accessible random oracle model (QROM) for two generic ring signature constructions: two for the AOS framework and two for a construction paradigm based on ring trapdoors, whose generic backbone we formalize. The two security proofs for AOS ring signatures differ in their requirements on the underlying sigma protocol and their tightness. The two reductions for the ring-trapdoor-based ring signatures exhibit various differences in requirements and the security they provide. We employ the measure-and-reprogram technique, QROM straightline extraction tools based on the compressed oracle, history-free reductions and QROM reprogramming tools. To make use of Rényi divergence properties in the QROM, we study the behavior of quantum algorithms that interact with an oracle whose distribution is based on one of two different distributions over the set of outputs. We provide tight bounds for the statistical distance, show that the Rényi divergence cannot be used to replace the entire oracle and provide a workaround.

Problem

Research questions and friction points this paper is trying to address.

ring signatures
post-quantum security
quantum-accessible random oracle model
security reductions
QROM
Innovation

Methods, ideas, or system contributions that make the work stand out.

quantum-accessible random oracle model
ring signatures
measure-and-reprogram
Rényi divergence
post-quantum security