0

I am thinking about CPA-security for symmetric encryption.

So $A$ gets access to an encryption oracle, and it can keep asking queries (training phase). In this training phase, he asks $m_i$ and receives back $y_i$. He can also check if he can find a key which decrypts to the same message he encrypted, just check if $\Pi.\mathsf{Dec}(k, y_i) = m_i$ for some $k$ that $A$ guesses. He can also do the same thing during the challenge phase and see if the $y^*$ he got back decrypts to either of $m_0,m_1$.

Now I can assume that it's hard to find $k$ (it's chosen uniformly at random), but is it possible to find another key $k'$ that happens to work on some of the training queries? I guess this shouldn't happen with more than negligible probability if $\Pi$ is CPA-secure, but it could happen, right?

My question may be similar to: Is it possible to decrypt a ciphertext with a different private key?

eternalmothra
  • 395
  • 1
  • 10
  • What do you mean by "decrypt properly"? If you mean decrypt to the same message as the original plaintext, then the answer will be not with any non-negligible probability. If you mean decrypt to a different but intelligible message, then the answer is yes, often quite easily. – SAI Peregrinus Oct 23 '21 at 02:30

1 Answers1

1

In symmetric cryptography, what you described can happen, at least theoretically. It's referred to as the Consistent Key Recovery attack, as opposed to the more common Target Key Recovery attack. A Consistent Key Recovery is when the attacker finds a key that is consistent with any input-output pair. A Target Key Recovery is when the attacker finds the actual key (which will be consistent with all input-output pairs). If an attacker is conducting an Exhaustive Key Search attack, he's likely to encounter the consistent key (that will work on one or few queries) before he encounters the actual key (that will work on all queries).

It has been a question of how far is the gap between the advantage of finding the consistent key and the advantage of finding the target key. I have found one lecture by Bellare that talks about this issue (but nothing in written format). In that lecture, Bellare mentions that the gap is almost not present (i.e. almost same advantage) if the block cipher is a real block cipher (like AES). He said that such a conclusion is based on heuristic or empirical evidence. If the advantages are almost the same, it means that target key is the ONLY key that is consistent with input-output queries. But in theory, a consistent key (different than the target key) is possible and can be recovered way before a target key is recovered. You may watch the whole lecture as I'm sure Bellare can explain it MUCH better than I can.

hlayhel
  • 376
  • 1
  • 7