Key-recovery attack

{{Short description|Cyber attack whereby the attacker attempts to recover the key to an encryption scheme}}

A key-recovery attack is an adversary's attempt to recover the cryptographic key of an encryption scheme. Normally this means that the attacker has a pair, or more than one pair, of plaintext message and the corresponding ciphertext.Goldwasser, S. and Bellare, M. [http://cseweb.ucsd.edu/~mihir/papers/gb.pdf "Lecture Notes on Cryptography"] {{Webarchive|url=https://web.archive.org/web/20120421084751/http://cseweb.ucsd.edu/~mihir/papers/gb.html|date=2012-04-21}}. Summer course on cryptography, MIT, 1996-2001{{rp|52}} Historically, cryptanalysis of block ciphers has focused on key-recovery, but security against these sorts of attacks is a very weak guarantee since it may not be necessary to recover the key to obtain partial information about the message or decrypt message entirely.{{rp|52}} Modern cryptography uses more robust notions of security. Recently, indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2 security) has become the "golden standard" of security.Boneh, Dan. Advances in Cryptology – Crypto 2003: 23rd Annual International Cryptology Conference, Santa Barbara, California, Usa, August 17–21, 2003, Proceedings. Berlin: Springer, 2003.{{rp|566}} The most obvious key-recovery attack is the exhaustive key-search attack. But modern ciphers often have a key space of size $2^\{128\}$ or greater, making such attacks infeasible with current technology.