1. 7
  1.  

  2. 1

    Encrypting private keys in and IND-CPA scheme is subject to the problem that we lack proofs of security for this special case. You can instantiate a provably secure encryption scheme which fails miserably when encrypting keys from its own keygen algorithm (although generally we care more if it’s the private key associated with the encrypting public key).

    Granted, in practice it’s probably fine. But “probably” and “provably” are two different things.

    https://blog.cryptographyengineering.com/2012/04/27/wonk-post-circular-security/