'Hybrid' encryption, where we combine symmetric encryption with public-key cry

Question

'Hybrid' encryption, where we combine symmetric encryption with public-key cryptography, is pretty 'tried and tested'.

To summarise, we generate a symmetric key and encrypt it using RSA. We would encrypt our data using the symmetric, and prefix it with the IV and encrypted key. You therefore need the private key from the RSA keypair to be able to decrypt the symmetric key and then decrypt the data using the symmetric key.

My question is about combining RSA with authenticated encryption, specifically AES in GCM mode. Are there any pitfalls, or any reasons this might be a bad idea?

Is it a good idea to include the IV and RSA-encrypted symmetric key in the additional data (to provide integrity for them), or should they simply be prefixed to the encrypted data?

Explanation / Answer

The main pitfall is possibly thinking that it provides authentication. The result is still a public key scheme.

It won't help to include the IV in the associated data, since that is already covered by the authenticated part of AEAD.

Including the RSA-encrypted symmetric key in the associated data would help by making the resulting hybrid encryption CCA2 secure even if the core public key scheme is only RCCA secure.

RCCA: Relaxing Chosen-Ciphertext Security
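
The binding discussed in the answer, as an added example that is not part of the original question or answer: Node.js code (all function names are hypothetical) that seals with RSA plus AES-256-GCM and reports what the receiver accepts with and without the wrapped key as associated data. Re-wrapping the same key stands in for a re-encoded ciphertext of that key, which an RCCA-only scheme may allow; RSA-OAEP with SHA-256 and the 12-byte IV are choices made here, not stated on the page.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const wrap = (publicKey, key) => crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);

// Layout from the question: RSA-wrapped key, IV, then ciphertext and GCM tag.
// With bind=true the wrapped key is also fed to GCM as associated data.
function seal(publicKey, key, plaintext, bind) {
  const wrappedKey = wrap(publicKey, key);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  if (bind) c.setAAD(wrappedKey);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { wrappedKey, iv, ciphertext, tag: c.getAuthTag() };
}

// Returns the plaintext, or throws if the RSA unwrap or the GCM tag check fails.
function open(privateKey, msg, bind) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  d.setAuthTag(msg.tag);
  if (bind) d.setAAD(msg.wrappedKey);
  return Buffer.concat([d.update(msg.ciphertext), d.final()]);
}

function accepts(privateKey, msg, bind) {
  try { open(privateKey, msg, bind); return true; } catch { return false; }
}

// For each mode, report whether the receiver accepts the original message,
// one whose wrapped key was re-encoded, and one whose IV had bits flipped.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const out = {};
  for (const bind of [false, true]) {
    const key = crypto.randomBytes(32); // fresh symmetric key per message
    const msg = seal(publicKey, key, Buffer.from('constructed sample payload'), bind);
    const flippedIv = Buffer.from(msg.iv.map((b) => b ^ 1));
    out[bind ? 'bound' : 'unbound'] = {
      original: accepts(privateKey, msg, bind),
      reencodedKey: accepts(privateKey, { ...msg, wrappedKey: wrap(publicKey, key) }, bind),
      flippedIv: accepts(privateKey, { ...msg, iv: flippedIv }, bind),
    };
  }
  return out;
}

console.log(demo());
```

The IV change is rejected in both modes, while the re-encoded key is rejected only when the wrapped key is bound as associated data.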