Signcryption in a Quantum World

Abstract

With recent advancements and research on quantum computers, it is conjectured that in the foreseeable future, sufficiently large quantum computers will be built to break essentially all public key cryptosystems currently in use. As a response, quantum-safe cryptography has recently garnered significant attention. The aim of quantum-safe cryptography is to design cryptosystems that are secure against both classical and quantum computers. This involves identifying computational problems that are believed to be secure against quantum adversaries and building cryptosystems based on such problems. A related problem of interest is arguing security of quantum-safe cryptosystems within the paradigm of provable security. Quantum security models for basic primitives like encryption and signature are gradually evolving and the security of different cryptosystems are being investigated in these models. Signcryption is a public key primitive that ensures both confidentiality and authenticity of data. Signcryption security can be modeled in different ways depending on whether the adversary can corrupt an insider, i.e., the sender or receiver, or not. The aim of this work is a comprehensive treatment of signcryption against quantum adversaries that are allowed to make oracle queries on quantum superposition of classical input values. We formulate suitable quantum security definitions for confidentiality and authenticity of signcryption both in insider and outsider models. We investigate the quantum security of generic constructions of signcryption schemes based on three paradigms, viz., encrypt-then-sign (EtS), sign-then-encrypt (StE) and commit-then-encrypt-and-sign (CtE&S). We show that the quantum analogues of the classical results hold in the insider model with an exception in the StE paradigm. However, in outsider model we need to consider an intermediate setting in which the adversary is given quantum access to unsigncryption oracle but classical access to signcryption oracle. In two-user outsider model, as in the classical setting, we show that post-quantum CPA security of the base encryption scheme is amplified in the EtS paradigm if the base signature scheme satisfies a stronger notion of security. We prove an analogous result in the StE paradigm. Interestingly, in the multi-user setting, our results strengthen the known classical results. Our results for the EtS and StE paradigms in the two-user outsider model also extend to the setting of authenticated encryption. We briefly discuss the difficulties in analyzing the full quantum security of signcryption in outsider model. Finally, we briefly discuss about some existing quantum secure encryption and signature proposals which can be used to instantiate signcryption schemes based on the above paradigms.