What uses are there (if any) for asymmetric message encryption?

There are many scenarios in which asymmetric encryption cannot be replaced by hybrid encryption. At a high level, the common feature of these scenarios is that they exploit some algebraic property of the asymmetric encryption scheme, which a hybrid encryption method would break. This typically happens when we do not want to solely communicate data, but also want to manipulate it in a privacy-preserving manner.

The two most common ways to exploit algebraic properties of asymmetric encryption schemes are:

• Homomorphism: given two ciphertexts $\mathsf{Enc}(m_0)$ and $\mathsf{Enc}(m_1)$, it is possible to maul them into a ciphertext $\mathsf{Enc}(m_0 \boxplus m_1)$, where $\boxplus$ is some operation (e.g. addition or multiplication).
• Proof-friendliness: there exists efficient zero-knowledge proofs for proving statements of the form "$c$ is an encryption of a message $m$ where $m$ satisfies some given property"

Let me illustrate both with a toy scenario. Suppose we want to do a vote between two candidates, $C_0$ and $C_1$, and there are $n$ voters $V_1, \cdots, V_n$. We want to discover the result of the vote, without revealing the individual votes. A possible (simplified) solution is as follows: each voter $V_i$ encrypts its vote, which is either $0$ (if $V_i$ votes for $C_0$) or $1$ (else). Let me call $(E_1, \cdots, E_n)$ the encrypted votes. Observe that what we want to know is the following: what is the sum of the plaintext values? The result divided by $n$ corresponds to the fraction of votes that $C_1$ got; if it is more than $50\%$, they win the election.

I assume that the encryption scheme is additively homomorphic: from encryptions of $m_0$ and $m_1$, one can homomorphically compute an encryption of the sum $m_0+m_1$ (more formally, we also need a technical requirement called functional privacy: the resulting ciphertext should not leak more information than this sum).

We will have two entities: an aggregator and a decryptor. The aggregator takes the ciphertexts $E_1, \cdots E_n$, homomorphically sum them, gets an encryption $E$ of the results, and sends it to the decryptor. The decryptor has the secret key and publishes the result of the election.

But wait, there are issues! What if the decryptor lies about the decrypted values? What if $V_i$ encrypts, say, $18$ instead of $0$ or $1$? This would effectively add $18$ votes for $C_1$. Without going into details, cryptography has methods to deal with that, called zero-knowledge proofs, which allow to append a proof to an object (e.g. a ciphertext) to guarantee that it satisfies a certain property, without compromising its privacy. Here, each $V_i$ could append a proof that $E_i$ does indeed encrypt a bit (without revealing which one), and the decryptor could also send a proof that $E$ indeed decrypts to the right result (without revealing the secret decryption key).

As you can see from above, given an encryption scheme with (1) additive homomorphism and (2) the possibility of performing zero-knowledge proofs, we can build interesting applications - voting being one natural example. You can easily convince yourself that hybrid encryption breaks homomorphism in general, and if you are slightly familiar with zero-knowledge proof, you would also observe that hybrid encryption would make them extremely inefficient.

I could list many other examples along the lines of the above: e-cash, electronic auctions, anonymous credentials, and many more. What they have in common is that we want to do more than transmitting the data: we want to manipulate it, which requires some malleability, and we want to do it securely, which requires the ability to check that only authorized manipulations have been done. Both require specific asymmetric encryption with appropriate properties.