Recently, I have been wondering whether you can turn any PKE scheme into a signature scheme and, if so, how (is there a general construction, or is this scheme-specific?). I have found several posts that seem to suggest this is the case (e.g., this post, and this post); however, they don't really elaborate on how.
For some context:
I started wondering this (for some reason) when looking into Saber's PKE scheme. More precisely, I thought of the following. Suppose you keep the public key secret and publish the private key (so, the opposite of what you would normally do in the PKE scheme), could you then use the encryption algorithm to sign a message (i.e., what would normally be the ciphertext is now the signature) and verify the resulting 'signature' using the decryption algorithm (i.e., verification would be successful iff $m' = m$, where $m'$ results from the decryption and $m$ is the original message)? In the specific case of Saber's PKE scheme, this verification would then only succeed with probability $1-\delta$, corresponding to the correctness of the PKE scheme. Naturally, this is an extremely informal observation/intuition and probably does not work; nevertheless, I can't really find much information on this subject to move forward from (nor does my own reasoning bring me much further).
I hope someone could help me out by elaborating on some of this. My apologies if the post does not properly conform to all guidelines; this is my first time posting here. If anything is wrong with the post, let me know and I will change it.
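The construction described in the question, instantiated with toy textbook ElGamal instead of Saber, as an added example that is not part of the original post. All function names and the toy parameters `P` and `G` are assumptions for illustration. It shows that, for this particular PKE, the decrypt-and-compare check passes for honest output but also for ciphertexts built from the published key alone, because the withheld key is just `G**x mod P`.

```python
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime); not a secure parameter choice
G = 3            # fixed public base (assumption for this sketch)

def keygen():
    x = secrets.randbelow(P - 2) + 1           # decryption key
    return pow(G, x, P), x                     # (encryption key h, decryption key x)

def encrypt(h, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P

def decrypt(x, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - x, P)) % P    # c2 / c1^x via Fermat's little theorem

def encode(msg: bytes) -> int:
    m = int.from_bytes(msg, "big")
    if not 0 < m < P:
        raise ValueError("message must encode to a nonzero value below P")
    return m

# The construction from the question: h is kept secret, x is published.
def sign(h_secret, msg):
    return encrypt(h_secret, encode(msg))      # "signature" = ciphertext

def verify(x_published, msg, sig):
    return decrypt(x_published, sig) == encode(msg)

def forge(x_published, msg):
    # Uses only the published key: h^r equals c1^x, so h is never needed.
    r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P)
    return c1, (encode(msg) * pow(c1, x_published, P)) % P

def demo():
    h, x = keygen()
    signed_msg, other_msg = b"pay Bob 5", b"pay Eve 500"   # constructed samples
    honest = sign(h, signed_msg)
    forged = forge(x, other_msg)
    return (
        verify(x, signed_msg, honest),   # honest signature verifies
        verify(x, other_msg, forged),    # forgery made without h also verifies
        verify(x, other_msg, honest),    # honest signature does not cover another message
        pow(G, x, P) == h,               # the "secret" key is recomputable from x
    )

if __name__ == "__main__":
    print(demo())
```

This says nothing about Saber's parameters or its correctness bound $1-\delta$; it only illustrates the key-swap idea on one concrete PKE.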