I am talking about Symmetric Cryptography only in the following.
- We know that Semantic Security (in the presence of an eavesdropper) implies security against message recovery (in the presence of an eavesdropper) but not in general security against key-recovery (as defined in exercise 2.11 of A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup, https://toc.cryptobook.us/book.pdf).
- We know (see https://ieeexplore.ieee.org/document/646128) that IND-ATK (indistinguishability with respect to Find-then-Guess distinguishers) is equivalent to SEM-ATK, semantic security with respect to -ATK, where ATK can be -EAV (presence of an eavesdropper), -CPA (chosen-plaintext attack), -CCA1 (chosen-ciphertext attack) or -CCA2 (adaptive chosen-ciphertext attack).
- We know that these properties are essential in formal proofs of security for encryption SCHEMES (say AES-GCM, for example) and not in general for primitives (say block ciphers). We also know (see exercise 7.6, page 255 of http://www.cs.umd.edu/~jkatz/imc.html) that a function for which key-recovery is "efficient" cannot be a PRP (pseudo-random permutation).
- We also know (see again http://www.cs.umd.edu/~jkatz/imc.html) that some constructions for obtaining, say, ATK-secure encryption schemes require using PRPs, PRFs, PRNGs.
I think all of the above points are true. If these premises are true, I have to formulate a question I cannot answer.
Has anyone ever worked out a definition of security against key-recovery attacks in, say, the CPA (or CCA2) scenario that is equivalent to IND-CPA (or IND-CCA2)?
p.s. I'm asking this because I understand why in statistical cryptanalysis we look at distinguishing attacks (essentially a way of proving a primitive is not a PRP) and key-recovery attacks, with the emphasis put (I think) on the latter, but I cannot fit the study of notions like IND-CPA and these types of analyses into the same theoretical framework.
Thank you all.
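Worked example, added here and not part of the question or of either textbook: a short Python simulation of the find-then-guess IND game (with and without an encryption oracle) and of a key-recovery game, run against three toy schemes that are inventions of this example (a one-time pad, a deterministic one-block PRF stream cipher, and a randomised one with a fresh nonce per encryption; HMAC-SHA256 stands in for the PRF F). It makes the two separations in the question concrete: the one-time pad, which is perfectly secret against an eavesdropper, hands its key to an adversary who obtains a single plaintext/ciphertext pair (c XOR m = k), and the deterministic scheme loses the IND-CPA game to an adversary that merely re-encrypts m0 through the oracle, while the randomised scheme does not lose to that particular adversary. The key-recovery game here allows exactly one chosen-plaintext query, a simplification chosen for this example rather than the definition in the exercise cited above, and the challenge bit alternates across trials so the measured advantage of a deterministic adversary is exact. Note what such a simulation can and cannot show: a measured advantage of 1 is a break, but a measured advantage of 0 for one specific adversary is not security; security is a statement about all efficient adversaries, established by a reduction, not by running games.

```python
# Added example, not from the original post; scheme/adversary names are invented here.
import hashlib
import hmac
import secrets

BLOCK = 16  # every message in the games is one 16-byte block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prf(key, label):
    """HMAC-SHA256 truncated to BLOCK bytes, used as the PRF F(k, .)."""
    return hmac.new(key, label, hashlib.sha256).digest()[:BLOCK]

class Scheme:
    """Common key generation: a uniformly random BLOCK-byte key."""
    def keygen(self):
        return secrets.token_bytes(BLOCK)

class OneTimePad(Scheme):
    """Perfectly secret for one message, but the key is exactly m XOR c."""
    def enc(self, k, m):
        return xor(k, m)

class DeterministicPRF(Scheme):
    """Enc(k, m) = m XOR F(k, 0): deterministic; (m, c) reveals only F(k, 0)."""
    def enc(self, k, m):
        return xor(m, prf(k, b"\x00"))

class RandomisedPRF(Scheme):
    """Enc(k, m) = r || (m XOR F(k, r)), fresh random r: one-block CTR from a PRF."""
    def enc(self, k, m):
        r = secrets.token_bytes(BLOCK)
        return r + xor(m, prf(k, r))

def ind_advantage(scheme, adversary, trials=200, with_oracle=True):
    """Find-then-guess game: IND-EAV without oracle, IND-CPA with it. The bit b
    alternates rather than being random so the empirical advantage
    |2*Pr[win] - 1| is exact for a deterministic adversary."""
    wins = 0
    for trial in range(trials):
        k = scheme.keygen()
        b = trial % 2
        oracle = (lambda m: scheme.enc(k, m)) if with_oracle else None
        challenge = lambda m0, m1: scheme.enc(k, (m0, m1)[b])
        if adversary(oracle, challenge) == b:
            wins += 1
    return abs(2 * wins / trials - 1)

def key_recovery_rate(scheme, adversary, trials=200):
    """Key-recovery game with exactly ONE chosen-plaintext query (an assumption
    of this example, keeping the one-time pad inside its one-message contract).
    The adversary wins only if it outputs k itself."""
    wins = 0
    for _ in range(trials):
        k = scheme.keygen()
        used = []

        def one_query(m):
            if used:
                raise RuntimeError("only one query allowed in this game")
            used.append(m)
            return scheme.enc(k, m)

        if adversary(one_query) == k:
            wins += 1
    return wins / trials

def compare_to_oracle(oracle, challenge):
    """IND-CPA adversary: Enc(m0) via the oracle equals the challenge iff b = 0.
    Wins outright against any deterministic scheme."""
    m0, m1 = bytes(BLOCK), b"\xff" * BLOCK
    return 0 if oracle(m0) == challenge(m0, m1) else 1

def guess_from_low_bit(oracle, challenge):
    """Eavesdropper guessing b from one ciphertext bit: a coin flip here."""
    c = challenge(bytes(BLOCK), b"\xff" * BLOCK)
    return c[-1] & 1

def xor_plaintext_out(one_query):
    """Key-recovery adversary: c XOR m. The key for the OTP, only a
    keystream block for the PRF schemes."""
    m = bytes(BLOCK)
    return xor(one_query(m)[-BLOCK:], m)

def run_all(trials=200):
    """Empirical advantage / success rate of each adversary against each scheme."""
    schemes = {"OTP": OneTimePad(), "det-PRF": DeterministicPRF(),
               "rand-PRF": RandomisedPRF()}
    return {name: {
        "eav_guess_adv": ind_advantage(s, guess_from_low_bit, trials, with_oracle=False),
        "cpa_compare_adv": ind_advantage(s, compare_to_oracle, trials),
        "key_recovery": key_recovery_rate(s, xor_plaintext_out, trials),
    } for name, s in schemes.items()}

if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:9s} {result}")
```

Running the script prints, per scheme, the eavesdropper advantage of the bit-guesser (close to 0 for all three), the IND-CPA advantage of the oracle-comparison adversary (1.0 for the one-time pad under key reuse and for the deterministic PRF scheme, 0.0 for the randomised one), and the single-query key-recovery rate (1.0 for the one-time pad, 0.0 for both PRF schemes). The one-time pad row is the point of the question: a scheme that is semantically secure against an eavesdropper and yet fails key recovery completely, which is why the two notions cannot be equivalent in general.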
We know that Semantic Security (in the presence of eavesdropper) implies security against message recovery (in the presence of eavesdropper) but not in general security against key-recovery
Key recovery implies message recovery.