Why Not Just RSA For Everything
Two answers: speed and message size.
| Operation | Throughput (rough order) |
|---|---|
| AES-256-GCM (hardware-accelerated) | 3,000+ MB/s per core |
| ChaCha20-Poly1305 | 1,500+ MB/s per core |
| RSA-2048 encryption | ~0.5 MB/s per core |
| RSA-2048 decryption | ~0.05 MB/s per core |
RSA encryption is roughly 6,000 times slower than AES, and RSA decryption is 60,000 times slower. Streaming a 4 GB video file through raw RSA would take days. Through AES, it takes seconds.
Beyond speed, RSA has a hard size cap. With a 2048-bit modulus and OAEP padding, the largest message you can encrypt in one operation is 190 bytes. Any larger and the message does not fit, period. ECC native encryption has similar limits. Asymmetric crypto was never designed to encrypt files; it was designed to bootstrap secure channels.
The Hybrid Pattern
The pattern is six steps. Everything from PGP to TLS uses some form of it.
- Sender generates a fresh random session key (typically 256 bits for AES-256).
- Sender encrypts the session key with the recipient's public key, producing a small wrapped key.
- Sender encrypts the bulk message with the session key using a fast symmetric cipher (AES-GCM, ChaCha20-Poly1305).
- Sender transmits both: the wrapped key, then the encrypted bulk.
- Recipient decrypts the wrapped key with their private key, recovering the session key.
- Recipient decrypts the bulk message with the session key.
The fresh random session key is the keystone. Every message gets its own session key. Even if one session key leaks, only that one message is compromised.
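The six steps above, written out as an added example (not code from the original page) using Node.js's built-in crypto module. The names seal and open, the use of RSA-OAEP with SHA-256 to wrap the key, and passing the wrapped key to AES-GCM as associated data are choices made for this example; the message and key pair are constructed for the demo.

```javascript
const crypto = require('crypto'); // Node.js built-in module
// RSA-OAEP with SHA-256; on a 2048-bit key this caps plaintext at 190 bytes.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender, steps 1-4: returns the two artifacts that go on the wire.
function seal(recipientPublicKey, message) {
  const sessionKey = crypto.randomBytes(32); // fresh per message, never reused
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, nonce);
  cipher.setAAD(wrappedKey); // tie the bulk ciphertext to this wrapped key
  const body = Buffer.concat([cipher.update(message), cipher.final()]);
  return { wrappedKey, bulk: Buffer.concat([nonce, body, cipher.getAuthTag()]) };
}

// Recipient, steps 5-6: throws if either artifact was altered in transit.
function open(recipientPrivateKey, { wrappedKey, bulk }) {
  if (bulk.length < 12 + 16) throw new Error('bulk too short');
  const sessionKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, wrappedKey);
  if (sessionKey.length !== 32) throw new Error('unexpected session key length');
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, bulk.subarray(0, 12));
  decipher.setAAD(wrappedKey);
  decipher.setAuthTag(bulk.subarray(bulk.length - 16));
  const body = bulk.subarray(12, bulk.length - 16);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Returns true if fn throws; used to show the failure cases.
function throws(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed demo: a 1 MiB random message and a throwaway RSA-2048 key pair.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const message = crypto.randomBytes(1 << 20);
  const sealed = seal(publicKey, message);
  const tampered = { ...sealed, bulk: Buffer.from(sealed.bulk) };
  tampered.bulk[20] ^= 1; // flip one ciphertext bit
  return {
    roundTrip: open(privateKey, sealed).equals(message),
    wrappedKeyBytes: sealed.wrappedKey.length,
    rsaAccepts190: !throws(() => crypto.publicEncrypt({ key: publicKey, ...OAEP }, message.subarray(0, 190))),
    rsaAccepts191: !throws(() => crypto.publicEncrypt({ key: publicKey, ...OAEP }, message.subarray(0, 191))),
    tamperDetected: throws(() => open(privateKey, tampered)),
  };
}
console.log(demo());
```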
Notice that the asymmetric operation only ever touches the small session key, never the bulk data.
What TLS Actually Does
TLS has used the hybrid pattern since its inception, but the asymmetric mechanism evolved over time.
| TLS version | Asymmetric step | Symmetric step |
|---|---|---|
| TLS 1.0 / 1.1 (legacy) | RSA key transport: client encrypts a pre-master secret with server's RSA public key. | RC4 or 3DES (now broken). |
| TLS 1.2 | Either RSA key transport OR ephemeral (EC)DH, depending on cipher suite. | AES-CBC with HMAC, or AES-GCM, or ChaCha20-Poly1305. |
| TLS 1.3 | ECDHE only. RSA key transport removed entirely for forward secrecy. | AES-GCM, ChaCha20-Poly1305, or AES-CCM (AEAD only). |
TLS 1.3 also uses RSA or ECDSA signatures from the server's certificate to authenticate the server's identity, but those signatures are separate from the key agreement. The TLS Handshake page traces the full sequence.
Key Encapsulation Mechanisms (KEM)
The formal name for the hybrid pattern is a Key Encapsulation Mechanism. A KEM has three operations:
- `KeyGen()` → `(pk, sk)`: produce a public/private key pair.
- `Encaps(pk)` → `(ct, ss)`: generate a random shared secret `ss` and an encapsulation `ct` that only the holder of `sk` can open.
- `Decaps(sk, ct)` → `ss`: recover the shared secret from the encapsulation.
The clean separation matters because post-quantum cryptography is structured around KEMs. Kyber (now standardized as ML-KEM in NIST FIPS 203) is a KEM. It does not encrypt arbitrary messages; it encapsulates 256-bit shared secrets. The hybrid pattern then applies: use ML-KEM to establish a session key, switch to AES-GCM for the bulk data. The asymmetric algorithm changed; the architecture did not.
Many TLS deployments in 2025-2026 are using hybrid post-quantum key exchange: ECDHE combined with ML-KEM, where the session key is derived from both. If either algorithm holds, the session is safe. Chrome and Cloudflare have shipped this since 2023. The name "hybrid" here is doing double duty: hybrid symmetric/asymmetric (the topic of this page) and hybrid classical/post-quantum.
Practical Examples
- PGP / GnuPG encrypted email: Generates a random session key, encrypts it with each recipient's RSA or ECC public key, and encrypts the message body with AES-128. If you encrypt to five recipients, the message contains five wrapped keys and one body.
- age (Actually Good Encryption): The modern Unix tool from Filippo Valsorda. Uses X25519 to wrap a ChaCha20-Poly1305 session key. The header is short, the body is fast, the design is one page long.
- S/MIME secure email: Uses X.509 certificates instead of PGP keys, but the hybrid pattern is identical.
- HPKE (Hybrid Public Key Encryption, RFC 9180): The modern standard. Used in TLS Encrypted Client Hello and the WebPush protocol.
- SSH file transfers: SSH establishes a session key via ECDH at handshake time, then encrypts all file data through that session.