1
$\begingroup$

I am talking about Symmetric Cryptography only in the following.

  1. We know that Semantic Security (in the presence of eavesdropper) implies security against message recovery (in the presence of eavesdropper) but not in general security against key-recovery (as defined in the exercise 2.11 of A Graduate Course in Applied Cryptography By Dan Boneh and Victor Shoup https://toc.cryptobook.us/book.pdf).
  2. We know (see https://ieeexplore.ieee.org/document/646128) that IND-ATK (indistinguishability with respect to Find then Guess distinguishers) is equivalent to SEM-ATK, semantic security with respect to -ATK, where ATK can be -EAV (presence of eavesdropper),-CPA (chosen-plaintext attack), -CCA1 (chosen-ciphertext attack) or -CCA2 (adaptative chosen-ciphertext attack).
  3. We know that these properties are essential in formal proofs of security for encryption SCHEMES (say AES-GCM for example) and not in general for primitives (say block ciphers). We also know (see exercise 7.6 page 255 of http://www.cs.umd.edu/~jkatz/imc.html ) that function for which key-recovery is "efficient" cannot be PRP (pseudo-random permutations).
  4. We also know (see again http://www.cs.umd.edu/~jkatz/imc.html) that some constructions for obtaining, say, ATK-secure encryption schemes require using PRPs, PRFs, PRNGs.

I think all of the above points are true. If these premises are true I have to formulate a question I cannot answer.

Have anyone ever worked out a definition of security against key-recovery attacks in say the CPA (or CCA2) scenario that is equivalent to IND-CPA (or IND-CCA2)?

p.s. I'm asking this because I understand wyh in statistical cryptanalysis we look distinguishing attacks (way of proving a primitive is not a PRP essentially) and key-recovery attacks with emphasis put (I think) on the latter but I cannot fit study of notions like IND-CPA and these type of analyses in the same theoretical framework.

Thank you all.

Improve this question
$\endgroup$
5
  • 1
    $\begingroup$ I've got the strong feeling that this question could be simplified, especially the title. Do we need to reconcile an accent put on anything? Is "how can statistical analysis be useful for a proof" a trick question? How can key recovery be equivalent to the notion of indistinguishably? I'd tag this "terminology" due to these questions but we're out of tags. $\endgroup$
    – Maarten Bodewes
    Commented May 19 at 16:51
  • $\begingroup$ Thanks for feedback. I'll try to simplify title and body asap. $\endgroup$
    – Alessio Proietti
    Commented May 19 at 16:58
  • 1
    $\begingroup$ We know that Semantic Security (in the presence of eavesdropper) implies security against message recovery (in the presence of eavesdropper) but not in general security against key-recovery key recovery implies message recovery. $\endgroup$
    – kelalaka
    Commented May 19 at 23:06
  • $\begingroup$ 3.) Block cipher are primitives, one needs mode of operation to talk about Ind-, NM- games. $\endgroup$
    – kelalaka
    Commented May 19 at 23:07
  • $\begingroup$ final, if key recovery is poly-time in query and computation, then there is no IND-, NM- security. The converse is not true, we can easily create a block-cipher and mode of operation that one can distinguish however, cannot recovery the key since it will be breaking AES. $\endgroup$
    – kelalaka
    Commented May 19 at 23:12

1 Answer 1

Reset to default
2
$\begingroup$

I don't think an equivalence proof can exist, unless you significantly change the key recovery definition. I don't think this is unexpected, since it seems natural that key recovery is harder than distinguishing.

Argument

We know that, under some conditions, a key recovery adversary can be turned into an adversary against semantic security.

However, suppose you have some encryption scheme. You can construct a new scheme for which there exists (a) a trivial semantic security adversary, and (b) a reduction from key recovery from the original scheme to key recovery for the new scheme. (The new scheme simply leaks a bit of the plaintext.)

Now, suppose there exists a scheme that is secure against key recovery. Then there exists a scheme that is secure against key recovery, but not semantically secure.

In other words, security against key recovery cannot imply semantic security.

Final comment

Key recovery is typically what an adversary really wants to achieve, so it makes sense to study key recovery and try to design key recovery attacks. But even if key recovery is hard, the system as such may very well be insecure (for whatever value of secure is appropriate for the system). Therefore we care about semantic security, because that is what we need to prove systems secure.

Improve this answer
$\endgroup$

Not the answer you're looking for? Browse other questions tagged or ask your own question.