How do you send the same encrypted document to two different recipients using hybrid encryption without encrypting the document twice?
Encrypt the document once with a random session key, then encrypt the session key separately with each recipient's public key — send one encrypted document plus two encrypted session keys.
The process:
- Generate random session key: $K_S$
- Encrypt document once: $c = E_{sym}(K_S, m)$
- Encrypt $K_S$ for recipient 1: $K_{S,1} = E_{asym}(K_{pub,1}, K_S)$
- Encrypt $K_S$ for recipient 2: $K_{S,2} = E_{asym}(K_{pub,2}, K_S)$
- Send: $c \| K_{S,1} \| K_{S,2}$
Why not encrypt the document twice?
- The document could be huge (e.g., 1 GB video)
- Asymmetric encryption is ~1000x slower than symmetric
- Encrypting 1 GB twice with RSA would be extremely slow
With hybrid encryption:
- The expensive symmetric encryption of the document happens only once
- Only the small session key (~256 bits) is asymmetrically encrypted per recipient
- Scales beautifully: for $k$ recipients, add $k$ encrypted session keys (negligible overhead)
This is exactly how PGP/GPG works when you encrypt an email to multiple recipients. The email body is encrypted once; only the session key is encrypted separately for each recipient's public key.
Why this also prevents a cryptanalysis problem (RSA determinism): Textbook RSA is deterministic — the same plaintext encrypted with the same key always produces the same ciphertext. By using a random session key, even sending the same document twice produces different ciphertexts, preventing lookup table attacks.