# Hybrid cryptosystem

## From Wikipedia, the free encyclopedia

In cryptography, a **hybrid cryptosystem** is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem.^{[1]} Public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely.^{[2]} However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. This is addressed by hybrid systems by using a combination of both.^{[3]}

A hybrid cryptosystem can be constructed using any two separate cryptosystems:

- a key encapsulation mechanism, which is a public-key cryptosystem
- a data encapsulation scheme, which is a symmetric-key cryptosystem

The hybrid cryptosystem is itself a public-key system, whose public and private keys are the same as in the key encapsulation scheme.^{[4]}

Note that for very long messages the bulk of the work in encryption/decryption is done by the more efficient symmetric-key scheme, while the inefficient public-key scheme is used only to encrypt/decrypt a short key value.^{[3]}

All practical implementations of public key cryptography today employ the use of a hybrid system. Examples include the TLS protocol ^{[5]} and the SSH protocol,^{[6]} that use a public-key mechanism for key exchange (such as Diffie-Hellman) and a symmetric-key mechanism for data encapsulation (such as AES). The OpenPGP^{[7]} file format and the PKCS#7^{[8]} file format are other examples.

Hybrid Public Key Encryption (HPKE, published as RFC 9180) is a modern standard for generic hybrid encryption. HPKE is used within multiple IETF protocols, including MLS and TLS Encrypted Hello.

Envelope encryption is an example of a usage of hybrid cryptosystems in cloud computing. In a cloud context, hybrid cryptosystems also enable centralized key management.^{[9]}^{[10]}