*** Welcome to piglix ***

Hybrid encryption


In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely (among other useful properties). However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. This is addressed by hybrid systems by using a combination of both.

A hybrid cryptosystem can be constructed using any two separate cryptosystems:

The hybrid cryptosystem is itself a public-key system, whose public and private keys are the same as in the key encapsulation scheme.

Note that for very long messages the bulk of the work in encryption/decryption is done by the more efficient symmetric-key scheme, while the inefficient public-key scheme is used only to encrypt/decrypt a short key value.

All practical implementations of public key cryptography today employ the use of a hybrid system. Examples include the TLS protocol which uses a public-key mechanism for key exchange (such as Diffie-Hellman) and a symmetric-key mechanism for data encapsulation (such as AES). The OpenPGP (RFC 4880) file format and the PKCS #7 (RFC 2315) file format are other examples.

To encrypt a message addressed to Alice in a hybrid cryptosystem, Bob does the following:

To decrypt this hybrid ciphertext, Alice does the following:

If both the key encapsulation and data encapsulation schemes are secure against adaptive chosen ciphertext attacks, then the hybrid scheme inherits that property as well. However, it is possible to construct a hybrid scheme secure against adaptive chosen ciphertext attack even if the key encapsulation has a slightly weakened security definition (though the security of the data encapsulation must be slightly stronger).


...
Wikipedia

...