Signcryption in a Quantum World
Abstract
With recent advancements and research on quantum computers, it is conjectured that in the foreseeable
future, sufficiently large quantum computers will be built to break essentially all public key
cryptosystems currently in use. As a response, quantum-safe cryptography has recently garnered significant
attention. The aim of quantum-safe cryptography is to design cryptosystems that are secure against
both classical and quantum computers. This involves identifying computational problems that are believed
to be secure against quantum adversaries and building cryptosystems based on such problems.
A related problem of interest is arguing security of quantum-safe cryptosystems within the paradigm
of provable security. Quantum security models for basic primitives like encryption and signature are
gradually evolving, and the security of different cryptosystems is being investigated in these models.
Signcryption is a public key primitive that ensures both confidentiality and authenticity of data.
Signcryption security can be modeled in different ways depending on whether the adversary can corrupt
an insider, i.e., the sender or receiver, or not. The aim of this work is a comprehensive treatment of
signcryption against quantum adversaries that are allowed to make oracle queries on quantum superposition
of classical input values. We formulate suitable quantum security definitions for confidentiality and
authenticity of signcryption both in insider and outsider models. We investigate the quantum security of
generic constructions of signcryption schemes based on three paradigms, viz., encrypt-then-sign (EtS),
sign-then-encrypt (StE) and commit-then-encrypt-and-sign (CtE&S). We show that the quantum analogues
of the classical results hold in the insider model with an exception in the StE paradigm. However,
in the outsider model we need to consider an intermediate setting in which the adversary is given quantum
access to the unsigncryption oracle but classical access to the signcryption oracle. In the two-user outsider model,
as in the classical setting, we show that post-quantum CPA security of the base encryption scheme is
amplified in the EtS paradigm if the base signature scheme satisfies a stronger notion of security. We
prove an analogous result in the StE paradigm. Interestingly, in the multi-user setting, our results
strengthen the known classical results.
Our results for the EtS and StE paradigms in the two-user outsider model also extend to the setting
of authenticated encryption. We briefly discuss the difficulties in analyzing the full quantum security
of signcryption in the outsider model. Finally, we briefly discuss some existing quantum-secure
encryption and signature proposals which can be used to instantiate signcryption schemes based on the
above paradigms.
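To make the two black-box compositions the abstract refers to concrete, the following added example (not code from the paper or its authors) implements the encrypt-then-sign (EtS) and sign-then-encrypt (StE) generic constructions in the two-user setting, using Go's standard library as the base schemes: Ed25519 for the signature scheme and an X25519 + AES-256-GCM hybrid for the public-key encryption scheme. The choice of base primitives, the `sender || receiver` key naming and the byte layout of the signcryptext are assumptions made here for illustration; the paper's results concern the generic paradigms, not these particular instantiations.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newGCM wraps an AES-256 key in GCM; used as the data-encapsulation part of the hybrid PKE.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// pkEncrypt is the base encryption scheme Enc(pkR, m): ephemeral X25519, SHA-256 as KDF,
// AES-256-GCM. Output layout (an assumption of this example): ePub(32) || nonce(12) || ct.
func pkEncrypt(pkR *ecdh.PublicKey, m []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(pkR)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	aead, err := newGCM(key[:])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, eph.PublicKey().Bytes()...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, m, nil), nil
}

// pkDecrypt is the base decryption Dec(skR, c); it fails on any modification of c (AEAD).
func pkDecrypt(skR *ecdh.PrivateKey, c []byte) ([]byte, error) {
	if len(c) < 32+12 {
		return nil, errors.New("ciphertext too short")
	}
	ePub, err := ecdh.X25519().NewPublicKey(c[:32])
	if err != nil {
		return nil, err
	}
	shared, err := skR.ECDH(ePub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	aead, err := newGCM(key[:])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, c[32:44], c[44:], nil)
}

// EtS: c = Enc(pkR, m); sigma = Sign(skS, c); signcryptext = c || sigma. The signature is on the
// ciphertext, so validity can be checked publicly before any decryption happens.
func signcryptEtS(skS ed25519.PrivateKey, pkR *ecdh.PublicKey, m []byte) ([]byte, error) {
	c, err := pkEncrypt(pkR, m)
	if err != nil {
		return nil, err
	}
	return append(c, ed25519.Sign(skS, c)...), nil
}

func unsigncryptEtS(skR *ecdh.PrivateKey, pkS ed25519.PublicKey, sc []byte) ([]byte, error) {
	if len(sc) < ed25519.SignatureSize {
		return nil, errors.New("signcryptext too short")
	}
	c, sig := sc[:len(sc)-ed25519.SignatureSize], sc[len(sc)-ed25519.SignatureSize:]
	if !ed25519.Verify(pkS, c, sig) {
		return nil, errors.New("EtS: signature on ciphertext invalid")
	}
	return pkDecrypt(skR, c)
}

// StE: sigma = Sign(skS, m); signcryptext = Enc(pkR, m || sigma). The signature is hidden inside the
// ciphertext, so only the receiver can check it.
func signcryptStE(skS ed25519.PrivateKey, pkR *ecdh.PublicKey, m []byte) ([]byte, error) {
	pt := append(append([]byte{}, m...), ed25519.Sign(skS, m)...)
	return pkEncrypt(pkR, pt)
}

func unsigncryptStE(skR *ecdh.PrivateKey, pkS ed25519.PublicKey, sc []byte) ([]byte, error) {
	pt, err := pkDecrypt(skR, sc)
	if err != nil {
		return nil, err
	}
	if len(pt) < ed25519.SignatureSize {
		return nil, errors.New("plaintext too short")
	}
	m, sig := pt[:len(pt)-ed25519.SignatureSize], pt[len(pt)-ed25519.SignatureSize:]
	if !ed25519.Verify(pkS, m, sig) {
		return nil, errors.New("StE: signature on message invalid")
	}
	return m, nil
}

func main() {
	pkS, skS, _ := ed25519.GenerateKey(rand.Reader) // sender's signing key pair
	skR, _ := ecdh.X25519().GenerateKey(rand.Reader) // receiver's encryption key pair
	m := []byte("constructed sample message") // constructed input
	sc, _ := signcryptEtS(skS, skR.PublicKey(), m)
	got, err := unsigncryptEtS(skR, pkS, sc)
	fmt.Printf("EtS roundtrip ok=%v\n", err == nil && string(got) == string(m))
	sc, _ = signcryptStE(skS, skR.PublicKey(), m)
	got, err = unsigncryptStE(skR, pkS, sc)
	fmt.Printf("StE roundtrip ok=%v\n", err == nil && string(got) == string(m))
}
```

The structural difference the abstract's EtS/StE results rest on is visible in the two unsigncryption routines: in EtS the signature check runs on the public ciphertext before decryption, while in StE the signature is only recoverable after decryption with the receiver's key. In both constructions any single-byte modification of the signcryptext is rejected, by the signature check in EtS and by the AEAD tag in StE.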