Hybrid Encryption combines the efficiency of symmetric encryption with the convenience of * public-key encryption: to encrypt a message a fresh symmetric key is generated and used to * encrypt the actual plaintext data, while the recipient’s public key is used to encrypt the * symmetric key only, and the final ciphertext consists of the symmetric ciphertext and the * encrypted symmetric key. * *
Hybrid Encryption does not provide authenticity, that is the recipient of an encrypted message * does not know the identity of the sender. Similar to general public-key encryption schemes the * security goal of Hybrid Encryption is to provide privacy only. In other words, Hybrid Encryption * is secure if and only if the recipient can accept anonymous messages or can rely on other * mechanisms to authenticate the sender. * *
The functionality of Hybrid Encryption is represented as a pair of primitives (interfaces): * {@link HybridEncrypt} for encryption of data, and {@link HybridDecrypt} for decryption. * Implementations of these interfaces are secure against adaptive chosen ciphertext attacks. In * addition to {@code plaintext} the encryption takes an extra parameter {@code contextInfo}, which * usually is public data implicit from the context, but should be bound to the resulting * ciphertext, i.e. the ciphertext allows for checking the integrity of {@code contextInfo} (but * there are no guarantees wrt. the secrecy or authenticity of {@code contextInfo}). * *
{@code contextInfo} can be empty or null, but to ensure the correct decryption of a ciphertext * the same value must be provided for the decryption operation as was used during encryption (cf. * {@link HybridEncrypt}). * *
A concrete instantiation of this interface can implement the binding of {@code contextInfo} to * the ciphertext in various ways, for example: * *