[oleganza]

First of all, we are talking about on-device decryption, so there is no difference in terms of security whether people extract a symmetric secret key or an asymmetric secret key.

Secondly, yes, asymmetric encryption is slower, so you almost always use hybrid scheme: asymmetric scheme (ElGamal, for instance) for encrypting the symmetric key, and then a symmetric scheme (e.g. AES) for the bulk of the data.

Only in very exotic protocols such as digicash blind signatures or anonymous credentials with "algebraic MACs", you want your actual content encrypted directly via ElGamal or RSA, so that you can do some operations or proofs about the ciphertext — in those cases you can't encrypt symmetrically as that would erase all the algebraic relations.

[Nursie]

> First of all, we are talking about on-device decryption, so there is no difference in terms of security whether people extract a symmetric secret key or an asymmetric secret key.

Sure, but we might (potentially) be interested in the encryption part later on too, and having a symmetric key will make that easier (though of course it won't get you past any signature checks.

I've never come across those more exotic protocols, but I'm familiar with symmetric kex under public/private encryption.