[Cryptography] composing EC & RSA encryption?

[Ron Garret]

On Oct 25, 2015, at 5:42 AM, ianG <iang at iang.org> wrote:

> An EC/RSA signing form is easy - just make one signature in RSA and one in EC, and we're done.  At least at a trivial level, this works, although I imagine it might be possible to do better - interesting work for a grad student perhaps.
> 
> But what about encryption?  Doing that in parallel makes it weaker, it would have to be done in serial.
> 
> If one encrypts using RSA and then EC, does that run into problems with "groups”?

Encrypting directly with RSA is a theoretical possibility that is taught in textbooks but AFAIK no one actually does it because it is fraught with all manner of peril.  Encrypting directly with EC is not even a theoretical possibility.  What is invariably done in practice is a Diffie-Helman key exchange (or the EC equivalent ECDH key exchange) followed by a symmetric encryption.

So yes, it’s possible to combine regular DH and ECDH into a composite key exchange algorithm that would stand up against an attack against either (but obviously not both).  The most straightforward construction would be to do the two key exchanges separately, then encrypt one key using the second key and use the result as the final key.  A simpler approach (like just XORing the two keys) might work as well because the keys are theoretically sampled from a PRF but I’d be leery of that without further analysis by someone who actually knew what they were doing.

rg