I have been thinking about a rather simple enhancement for (EC)IES / RSA-KEM. The scheme would allow you to encrypt data while the calculation of the session / data key can be performed afterwards or in parallel. It would also allow you to encrypt for multiple recipients.
Anyway, the scheme would simply be:
- Generate a (random) symmetric key: $K_d$;
- Encrypt data with key $K_d$ using a symmetric cipher, resulting in $C$;
- Generate an ephemeral key pair with public key $\widetilde{P}$;
- For each recipient enumerated by $i$:
  - Calculate a session key $K_i$ by performing key agreement with a static public key of the receiver (followed by a KDF);
  - Perform $A_i = K_i \oplus K_d$;
- The messages consist of a quad $(i, A_i, \widetilde{P}, C)$ where the $i$ is just used to indicate the recipient.
To decrypt you would simply perform the key agreement again, followed by $K_d = K_i \oplus A_i$. For RSA-KEM the ephemeral key pair derivation is not required, and $\widetilde{P}$ is replaced by the result of the RSA-KEM operation with the public key of the receiver.
This seems to be a specific version of a simple Multi-Recipient Symmetric Encryption Scheme using Secret Sharing combined with (EC)IES or RSA-KEM. Obviously you'd have to store the $A_i$ values with the ciphertext, so that is a disadvantage compared with the normal ECIES approach.
Are there any particular problems with the above approach? Are there more secure / flexible / efficient schemes to do the same?
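The scheme above worked through end to end, as an added example that is not code from the question: the data is encrypted once under $K_d$, $K_d$ is wrapped for two recipients as $A_i = K_i \oplus K_d$, and each recipient redoes the key agreement to unwrap it. Assumptions: finite-field DH over RFC 2409 group 2 stands in for the EC group, SHA-256 over the shared secret and the ephemeral public key is the assumed KDF, and a demo-only HMAC-SHA256 keystream stands in for the symmetric cipher.

```python
import hashlib, hmac, secrets

# Key agreement stand-in: finite-field DH over RFC 2409 group 2 (1024-bit MODP,
# generator 2), chosen so the example runs on the standard library alone; an
# EC group (ECIES) would be used in exactly the same way.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def keygen():
    """Static or ephemeral key pair: (private scalar, public value)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def kdf(shared, eph_pub):
    """Assumed KDF: SHA-256 over the shared secret bound to the ephemeral public key."""
    data = shared.to_bytes(128, "big") + eph_pub.to_bytes(128, "big")
    return hashlib.sha256(data).digest()

def stream_xor(key, nonce, data):
    """Demo-only stream cipher (HMAC-SHA256 counter keystream); stands in for the real symmetric cipher."""
    ks = b"".join(hmac.new(key, nonce + n.to_bytes(4, "big"), hashlib.sha256).digest()
                  for n in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def xor32(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(plaintext, recipients):
    """recipients: {i: static public key}. Returns one quad (i, A_i, P~, C) per recipient."""
    k_d = secrets.token_bytes(32)                        # random data key K_d
    nonce = secrets.token_bytes(12)
    c = nonce + stream_xor(k_d, nonce, plaintext)        # C, computed once for all recipients
    e_priv, e_pub = keygen()                             # ephemeral pair, public part P~
    quads = []
    for i, pub in recipients.items():
        k_i = kdf(pow(pub, e_priv, P), e_pub)            # session key K_i for recipient i
        quads.append((i, xor32(k_i, k_d), e_pub, c))     # A_i = K_i xor K_d
    return quads

def decrypt(quad, priv):
    """Recipient side: redo the agreement, unwrap K_d = K_i xor A_i, then decrypt C."""
    i, a_i, e_pub, c = quad
    k_d = xor32(kdf(pow(e_pub, priv, P), e_pub), a_i)
    return stream_xor(k_d, c[:12], c[12:])
```

Because $A_i$ is a bare XOR, a flipped bit in $A_i$ flips the same bit of the recovered $K_d$ without any error being raised, so in practice $C$ should be an AEAD ciphertext (or a MAC should cover the $A_i$ values) and the KDF should be a standard construction such as HKDF.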