
Can you sign a quantum state? - zdw
https://arxiv.org/abs/1811.11858
======
westurner
> _Abstract. Cryptography with quantum states exhibits a number of surprising
> and counterintuitive features. In a 2002 work, Barnum et al. argued
> informally that these strange features should imply that digital signatures
> for quantum states are impossible [6]._

> _In this work, we perform the first rigorous study of the problem of signing
> quantum states. We first show that the intuition of [6] was correct, by
> proving an impossibility result which rules out even very weak forms of
> signing quantum states. Essentially, we show that any non-trivial
> combination of correctness and security requirements results in negligible
> security._

> _This rules out all quantum signature schemes except those which simply
> measure the state and then sign the outcome using a classical scheme. In
> other words, only classical signature schemes exist._

> _We then show a positive result: it is possible to sign quantum states,
> provided that they are also encrypted with the public key of the intended
> recipient. Following classical nomenclature, we call this notion quantum
> signcryption. Classically, signcryption is only interesting if it provides
> superior efficiency to simultaneous encryption and signing. Our results
> imply that, quantumly, it is far more interesting: by the laws of quantum
> mechanics, it is the only signing method available._

> _We develop security definitions for quantum signcryption, ranging from a
> simple one-time two-user setting, to a chosen-ciphertext-secure many-time
> multi-user setting. We also give secure constructions based on post-quantum
> public-key primitives. Along the way, we show that a natural hybrid method
> of combining classical and quantum schemes can be used to “upgrade” a secure
> classical scheme to the fully-quantum setting, in a wide range of
> cryptographic settings including signcryption, authenticated encryption, and
> chosen-ciphertext security._

"Quantum signcryption"

