Article · Wikipedia archive · Last revised Jul 7, 2026

Key-recovery attack

A key-recovery attack is an adversary's attempt to recover the cryptographic key of an encryption scheme. Normally this means that the attacker has a pair, or more than one pair, of plaintext message and the corresponding ciphertext. Historically, cryptanalysis of block ciphers has focused on key-recovery, but security against these sorts of attacks is a very weak guarantee since it may not be necessary to recover the key to obtain partial information about the message or decrypt message entirely. Modern cryptography uses more robust notions of security. Recently, indistinguishability under adaptive chosen-ciphertext attack has become the "golden standard" of security. The most obvious key-recovery attack is the exhaustive key-search attack. But modern ciphers often have a key space of size or greater, making such attacks infeasible with current technology.

Last revised
Jul 7, 2026
Read time
≈ 1 min
Length
312 w
Citations
7
Source

A key-recovery attack is an adversary's attempt to recover the cryptographic key of an encryption scheme. Normally this means that the attacker has a pair, or more than one pair, of plaintext message and the corresponding ciphertext.1: 52  Historically, cryptanalysis of block ciphers has focused on key-recovery, but security against these sorts of attacks is a very weak guarantee since it may not be necessary to recover the key to obtain partial information about the message or decrypt message entirely.1: 52  Modern cryptography uses more robust notions of security. Recently, indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2 security) has become the "golden standard" of security.2: 566  The most obvious key-recovery attack is the exhaustive key-search attack. But modern ciphers often have a key space of size 2 128 {\displaystyle 2^{128}} or greater, making such attacks infeasible with current technology.

KR advantage

In cryptography, the key-recovery advantage (KR advantage) of a particular algorithm is a measure of how effective an algorithm can mount a key-recovery attack. Consequently, the maximum key-recovery advantage attainable by any algorithm with a fixed amount of computational resources is a measure of how difficult it is to recover a cipher's key. It is defined as the probability that the adversary algorithm can guess a cipher's randomly selected key, given a fixed amount of computational resources.3 An extremely low KR advantage is essential for an encryption scheme's security.

References

References

  1. Goldwasser, S. and Bellare, M. "Lecture Notes on Cryptography" Archived 2012-04-21 at the Wayback Machine. Summer course on cryptography, MIT, 1996-2001
  2. Boneh, Dan. Advances in Cryptology – Crypto 2003: 23rd Annual International Cryptology Conference, Santa Barbara, California, Usa, August 17–21, 2003, Proceedings. Berlin: Springer, 2003.
  3. Goldwasser, S. and Bellare, M. "Lecture Notes on Cryptography" Archived 2012-04-21 at the Wayback Machine. Summer course on cryptography, MIT, 1996-2001
External links