Part 4 - Diffie-Hellman Key Exchange
How can you communicate securely with someone you have never met?
If Alice and Bob already share a secret key, symmetric cryptography solves the problem. But if they have no prior contact, how do they agree on a key without sending it in the clear? Any key sent directly can be intercepted by an eavesdropper. This was the puzzle facing cryptographers in the early 1970s.
The first answer to this puzzle was the Diffie-Hellman key exchange, introduced in 1976. It came before the general public-key encryption algorithms we discussed earlier and was groundbreaking because it showed that two parties could establish a shared secret over an insecure channel without ever exchanging the secret itself.
Historical Background
In 1976, Whitfield Diffie and Martin Hellman introduced the first practical method for two parties to establish a shared secret key over an insecure channel. Until then, the only way to share a key was to transmit it in person, send it through a trusted courier, or rely on an existing secret channel. Diffie-Hellman showed that two people could agree on a secret key even if an eavesdropper observed every message exchanged. This was the breakthrough that opened the door to modern public key cryptography.
The Basic Idea
The scheme is based on the mathematical operation of modular exponentiation. It exploits the fact that exponentiation is easy to compute, but finding the exponent (the discrete logarithm) is computationally difficult when the numbers involved are large.
The process works as follows:
- Alice and Bob agree publicly on two values: a large prime number \(p\) and a base \(g\) (also called a generator). These values are not secret and can be known to everyone.
- Alice chooses a private random number \(a\) and computes
\[A = g^a \bmod p\]
She sends \(A\) to Bob.
- Bob chooses his own private random number \(b\) and computes
\[B = g^b \bmod p\]
He sends \(B\) to Alice.
- Alice computes
\[K = B^a \bmod p\]
- Bob computes
\[K = A^b \bmod p\]
Both Alice and Bob now hold the same value \(K\), which can be used as a shared secret key. An eavesdropper sees \(g\), \(p\), \(A\), and \(B\) but does not know \(a\) or \(b\). Recovering \(a\) from \(A = g^a \bmod p\) requires solving the discrete logarithm problem, which is believed to be infeasible for large \(p\).
Worked Example with Small Numbers
To see the mechanics, let us work with small values. Real systems use numbers hundreds or thousands of bits long, but small examples make the arithmetic clear.
- Public values: \(p = 23\), \(g = 5\).
- Alice chooses \(a = 6\) and computes
\[A = 5^6 \bmod 23 = 15625 \bmod 23 = 8\]
She sends \(A = 8\) to Bob.
- Bob chooses \(b = 15\) and computes
\[B = 5^{15} \bmod 23\]
Computing step by step: \(5^2 = 25 \equiv 2\), \(5^4 \equiv 4\), \(5^8 \equiv 16\), so \(5^{15} = 5^8 \cdot 5^4 \cdot 5^2 \cdot 5 \equiv 16 \cdot 4 \cdot 2 \cdot 5 = 640 \equiv 19 \pmod{23}\).
He sends \(B = 19\) to Alice.
- Alice computes
\[K = B^a \bmod 23 = 19^6 \bmod 23\]
Calculation: \(19^2 = 361 \equiv 16\), \(19^4 \equiv 16^2 = 256 \equiv 3\), \(19^6 = 19^4 \cdot 19^2 \equiv 3 \cdot 16 = 48 \equiv 2 \pmod{23}\).
So \(K = 2\).
- Bob computes
\[K = A^b \bmod 23 = 8^{15} \bmod 23\]
Calculation: \(8^2 = 64 \equiv 18\), \(8^4 \equiv 18^2 = 324 \equiv 2\), \(8^8 \equiv 2^2 = 4\), so \(8^{15} = 8^8 \cdot 8^4 \cdot 8^2 \cdot 8 \equiv 4 \cdot 2 \cdot 18 \cdot 8 = 1152 \equiv 2 \pmod{23}\).
So Bob also gets \(K = 2\).
Alice and Bob now share the key \(K = 2\). An eavesdropper who saw \(g=5\), \(p=23\), \(A=8\), and \(B=19\) would still have to solve a discrete logarithm to recover \(a\) or \(b\).
Security Basis
The hardness of Diffie-Hellman comes from the discrete logarithm problem: given \(g\), \(p\), and \(y = g^x \bmod p\), find \(x\).
For small numbers this is easy, but for primes with thousands of bits no efficient algorithm is known. Security depends on choosing \(p\) large enough and \(g\) with suitable properties.
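The exchange above, run in Python with the lecture's values (\(p = 23\), \(g = 5\), \(a = 6\), \(b = 15\)), as an added example that is not part of the original lecture. It also makes two points from this section concrete: a brute-force discrete-logarithm search shows that with \(p = 23\) an eavesdropper recovers \(a\) from \(A\) in at most 22 multiplications, which is why real parameters are thousands of bits, and a generator test shows what "\(g\) with suitable properties" means for the simplest case (\(g\) generating the whole group). The function names, the random-exponent helper and the trial-division factoring are my own and are only meant for small numbers.

```python
import secrets


def dh_public(g: int, x: int, p: int) -> int:
    """Public value g^x mod p. Python's three-argument pow is square-and-multiply."""
    return pow(g, x, p)


def dh_shared(peer_public: int, x: int, p: int) -> int:
    """Shared secret: the peer's public value raised to our private exponent."""
    return pow(peer_public, x, p)


def random_private(p: int) -> int:
    """Private exponent drawn uniformly from [1, p-2] with a CSPRNG (assumed helper)."""
    return secrets.randbelow(p - 2) + 1


def dh_exchange(p: int, g: int, a: int, b: int):
    """Run both sides of the protocol and return (A, B, K_alice, K_bob)."""
    A = dh_public(g, a, p)          # Alice -> Bob
    B = dh_public(g, b, p)          # Bob -> Alice
    return A, B, dh_shared(B, a, p), dh_shared(A, b, p)


def brute_force_dlog(g: int, y: int, p: int):
    """Find x with g^x = y (mod p) by trying every exponent.

    Runs in O(p) time, so it only works for toy parameters such as p = 23;
    this is the attack that a large p is meant to make infeasible.
    """
    acc = 1                          # acc == g^x at the top of each iteration
    for x in range(p - 1):
        if acc == y:
            return x
        acc = acc * g % p
    return None


def prime_factors(n: int) -> set:
    """Trial-division factoring; fine for the small group orders used here."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g: int, p: int) -> bool:
    """g generates all of Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


if __name__ == "__main__":
    p, g = 23, 5
    A, B, k_alice, k_bob = dh_exchange(p, g, 6, 15)
    print(f"A={A} B={B} K_alice={k_alice} K_bob={k_bob}")      # 8 19 2 2
    print("eavesdropper recovers a =", brute_force_dlog(g, A, p))  # 6
    print("5 generates Z_23^*:", is_generator(5, 23))              # True
    print("2 generates Z_23^*:", is_generator(2, 23))              # False (order 11)
    # Fresh random exponents still agree on the key:
    A, B, k_alice, k_bob = dh_exchange(p, g, random_private(p), random_private(p))
    assert k_alice == k_bob
```

With \(p = 23\) the "hard" problem falls to a loop of 22 iterations, which is the whole lesson of the section: the protocol is only as strong as the size and structure of the group. Real deployments use standardized groups (for example the RFC 7919 finite-field groups) rather than hand-picked \(p\) and \(g\).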
Elliptic Curve Diffie-Hellman (ECDH)
Just as elliptic curves offer an alternative to RSA, they can also replace modular exponentiation in Diffie-Hellman. Instead of exponentiation, ECDH uses scalar point multiplication on an elliptic curve:
- Parties agree on a curve and a base point \(P\).
- Alice chooses a private key \(a\) and sends \(A = aP\).
- Bob chooses a private key \(b\) and sends \(B = bP\).
- Both compute the shared secret \(K = abP\).
As with modular exponentiation, computing \(K\) from \(A\) and \(B\) without knowing \(a\) or \(b\) requires solving the elliptic curve discrete logarithm problem, which is believed to be infeasible for well-chosen curves. ECDH offers security comparable to traditional Diffie-Hellman with much smaller keys and faster computation.
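The four ECDH steps above, carried out on a toy curve so that every point can be checked by hand. This is an added example, not code from the lecture: the curve \(y^2 = x^3 + 2x + 2\) over \(\mathbb{F}_{17}\) with base point \(P = (5, 1)\) is a textbook-sized constructed curve, not a standard one, and the function names are my own. The point arithmetic is the usual affine chord-and-tangent formulas, and scalar multiplication is plain double-and-add.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 (assumed parameters, not a real curve).
FIELD = 17
A_COEF = 2
B_COEF = 2
BASE = (5, 1)          # base point P
INF = None             # the point at infinity (group identity)


def inv(x: int) -> int:
    """Modular inverse in F_17 (pow with exponent -1 needs Python 3.8+)."""
    return pow(x % FIELD, -1, FIELD)


def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % FIELD == 0


def add(p1, p2):
    """Affine point addition; handles identity, inverses and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF                                   # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * inv(2 * y1) % FIELD   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % FIELD               # chord slope
    x3 = (lam * lam - x1 - x2) % FIELD
    y3 = (lam * (x1 - x3) - y1) % FIELD
    return (x3, y3)


def scalar_mult(k: int, pt):
    """k * pt by double-and-add (NOT constant time; for illustration only)."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh(a: int, b: int):
    """Return (A, B, K_alice, K_bob) for private scalars a and b."""
    A = scalar_mult(a, BASE)          # Alice -> Bob
    B = scalar_mult(b, BASE)          # Bob -> Alice
    return A, B, scalar_mult(a, B), scalar_mult(b, A)


if __name__ == "__main__":
    print("2P =", scalar_mult(2, BASE), " 3P =", scalar_mult(3, BASE))   # (6, 3)  (10, 6)
    A, B, k_alice, k_bob = ecdh(7, 11)
    print(f"A={A} B={B} K_alice={k_alice} K_bob={k_bob}")
    assert k_alice == k_bob and on_curve(k_alice)
```

The shared value agrees because \(a(bP) = b(aP) = abP\). Two practical caveats the toy hides: the branchy double-and-add loop leaks the private scalar through timing, so production code uses constant-time ladders on standardized curves (X25519, P-256), and a receiver must check that the peer's point is actually on the expected curve before multiplying by its private key, which `on_curve` shows for this curve.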
Limitations
Diffie-Hellman by itself provides no authentication. An attacker in the middle could intercept messages, choose their own exponents, and establish separate keys with Alice and Bob. This is the classic man-in-the-middle attack.
To prevent this, Diffie-Hellman must be combined with authentication mechanisms, such as digital signatures or public key certificates. We will address these combinations in the next lecture.
Diffie-Hellman solved the key distribution problem: two strangers can establish a shared secret key without ever sending the key itself. This secret then becomes the basis for fast symmetric encryption in practice.
From Key Exchange to Hybrid Cryptosystems
Diffie-Hellman does not encrypt messages. Its only purpose is to let two parties establish a shared secret key. Once Alice and Bob compute this key, they can use it as a session key for a symmetric cipher such as AES or ChaCha20. The symmetric cipher then handles the actual encryption of data.
Why use Diffie-Hellman instead of RSA or ECC, which can also be used for key transport or encryption?
The answer lies in efficiency and focus. Diffie-Hellman is designed only for key exchange, so generating new keys for each run of the protocol is relatively fast. RSA and ECC are more flexible but come with the overhead of creating fresh key pairs and supporting infrastructure if used this way. In practice, Diffie-Hellman and elliptic-curve Diffie-Hellman (ECDH) are the standard choices for setting up session keys because they provide strong security with less overhead.
This design of using a public key method for exchanging or protecting a session key and a symmetric cipher for the actual data is the essence of a hybrid cryptosystem. We will return to hybrid systems in more detail in the next part, where we look at how real-world protocols combine public key algorithms, signatures, and symmetric encryption into complete solutions.
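An added example (not code from the lecture) of the hand-off from key exchange to the symmetric layer: the raw shared secret \(K\) is not used directly as the session key but fed through a key derivation function, HKDF-SHA256 from RFC 5869 built here on the standard library's `hmac`, with the public transcript \((p, g, A, B)\) mixed in so the derived key is bound to the messages both parties actually saw. The label string and function names are my own. The final AES or ChaCha20 step is left to a real AEAD library, which is the right place for it.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        out += t
        counter += 1
    return out[:length]


def to_fixed_bytes(value: int, p: int) -> bytes:
    """Fixed-width big-endian encoding of a group element so encodings cannot collide."""
    return value.to_bytes((p.bit_length() + 7) // 8, "big")


def derive_session_key(K: int, p: int, g: int, A: int, B: int,
                       label: bytes = b"constructed-example session key v1") -> bytes:
    """Turn the DH secret K into a 32-byte symmetric key bound to the exchange transcript.

    The salt is a hash of (p, g, A, B): an attacker who alters any public value
    ends up with a different derived key on each side, and the label keeps keys
    for different purposes separate even when K is the same.
    """
    ikm = to_fixed_bytes(K, p)
    transcript = b"".join(to_fixed_bytes(v, p) for v in (p, g, A, B))
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, label, 32)


def session_keys_from_exchange(p: int, g: int, a: int, b: int):
    """Run textbook DH and derive the session key on both sides; returns (k_alice, k_bob)."""
    A = pow(g, a, p)
    B = pow(g, b, p)
    k_alice = derive_session_key(pow(B, a, p), p, g, A, B)
    k_bob = derive_session_key(pow(A, b, p), p, g, A, B)
    return k_alice, k_bob


if __name__ == "__main__":
    k_alice, k_bob = session_keys_from_exchange(23, 5, 6, 15)   # the lecture's numbers
    print("session key:", k_alice.hex())
    assert k_alice == k_bob
    # A modified transcript (A=9 instead of 8) yields a different key even for the same K:
    assert derive_session_key(2, 23, 5, 9, 19) != k_alice
```

Deriving rather than reusing \(K\) matters for two reasons: the raw group element is not uniformly distributed over byte strings, which symmetric ciphers assume of their keys, and binding the transcript means a mismatch in what the two parties saw surfaces as a decryption failure instead of silently working. Authentication of \(A\) and \(B\) (signatures or certificates, as the Limitations section says) is still a separate requirement.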
Next: Part 5: Putting It All Together