Key-recovery attack

A key-recovery attack is an adversary's attempt to recover the cryptographic key of an encryption scheme. Normally this means that the attacker has a pair, or more than one pair, of plaintext message and the corresponding ciphertext. Historically, cryptanalysis of block ciphers has focused on key-recovery, but security against these sorts of attacks is a very weak guarantee since it may not be necessary to recover the key to obtain partial information about the message or decrypt message entirely. Modern cryptography uses more robust notions of security. Recently, indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2 security) has become the "golden standard" of security. The most obvious key-recovery attack is the exhaustive key-search attack. But modern ciphers often have a key space of size $$2^{128}$$ or greater, making such attacks infeasible with current technology.

KR advantage
In cryptography, the key-recovery advantage (KR advantage) of a particular algorithm is a measure of how effective an algorithm can mount a key-recovery attack. Consequently, the maximum key-recovery advantage attainable by any algorithm with a fixed amount of computational resources is a measure of how difficult it is to recover a cipher's key. It is defined as the probability that the adversary algorithm can guess a cipher's randomly selected key, given a fixed amount of computational resources. An extremely low KR advantage is essential for an encryption scheme's security.