In cryptography, public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely (among other useful properties). However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. A **hybrid cryptosystem** is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem.

A hybrid cryptosystem can be constructed using any two separate cryptosystems:

- a
**key encapsulation**scheme, which is a public-key cryptosystem, and - a
**data encapsulation**scheme, which is a symmetric-key cryptosystem.

The hybrid cryptosystem is itself a public-key system, whose public and private keys are the same as in the key encapsulation scheme.

Note that for very long messages the bulk of the work in encryption/decryption is done by the more efficient symmetric-key scheme, while the inefficient public-key scheme is used only to encrypt/decrypt a short key value.

Perhaps the most commonly used hybrid cryptosystems are the OpenPGP (RFC 4880) file format and the PKCS #7 (RFC 2315) file format, both used by many different systems.

## Example[edit]

To encrypt a message addressed to Alice in a hybrid cryptosystem, Bob does the following:

- Obtains Alice's public key.
- Generates a fresh symmetric key for the data encapsulation scheme.
- Encrypts the message under the data encapsulation scheme, using the symmetric key just generated.
- Encrypt the symmetric key under the key encapsulation scheme, using Alice's public key.
- Send both of these encryptions to Alice.

To decrypt this hybrid ciphertext, Alice does the following:

- uses her private key to decrypt the symmetric key contained in the key encapsulation segment.
- uses this symmetric key to decrypt the message contained in the data encapsulation segment.

## Security[edit]

If both the key encapsulation and data encapsulation schemes are secure against adaptive chosen ciphertext attacks, then the hybrid scheme inherits that property as well.^{[1]} However, it is possible to construct a hybrid scheme secure against adaptive chosen ciphertext attack even if the key encapsulation has a slightly weakened security definition (though the security of the data encapsulation must be slightly stronger).^{[2]}

## References[edit]

**^**Cramer, Ronald; Shoup, Victor (2004). "Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack".*SIAM Journal on Computing***33**(1): 167–226. doi:10.1137/S0097539702403773.**^**Dennis, Hofheinz; Kiltz, Eike (2007). "Secure Hybrid Encryption from Weakened Key Encapsulation".*Advances in Cryptology -- CRYPTO 2007*. Springer. pp. 553–571.

A portion of the proceeds from advertising on Digplanet goes to supporting Wikipedia.