Diffie–Hellman key exchange

Diffie–Hellman key exchange (D–H)[nb 1] is a specific Alice Bob

method of exchanging cryptographic keys. It is one of the
earliest practical examples of key exchange implemented
within the field of cryptography. The Diffie–Hellman key Common paint
exchange method allows two parties that have no prior
knowledge of each other to jointly establish a shared se- + +
cret key over an insecure communications channel. This Secret colours
key can then be used to encrypt subsequent communica-
tions using a symmetric key cipher. = =

The scheme was first published by Whitfield Diffie and

Martin Hellman in 1976, although it had been sepa-
rately invented a few years earlier within GCHQ, the
British signals intelligence agency, by James H. Ellis, Public transport
Clifford Cocks and Malcolm J. Williamson but was kept
classified.[1] (assume
Although Diffie–Hellman key agreement itself is an that mixture separation
is expensive)
anonymous (non-authenticated) key-agreement protocol,
it provides the basis for a variety of authenticated pro-
tocols, and is used to provide perfect forward secrecy in + +
Transport Layer Security's ephemeral modes (referred to
Secret colours
as EDH or DHE depending on the cipher suite).
= =
The method was followed shortly afterwards by RSA,
an implementation of public key cryptography using
asymmetric algorithms. Common secret

In 2002, Hellman suggested the algorithm be called

Diffie–Hellman–Merkle key exchange in recognition
Illustration of the Diffie–Hellman Key Exchange
of Ralph Merkle's contribution to the invention of public-
key cryptography (Hellman, 2002), writing:

1 Description

The system...has since become known as

Diffie–Hellman establishes a shared secret that can be
Diffie–Hellman key exchange. While that sys-
used for secret communications while exchanging data
tem was first described in a paper by Diffie and
over a public network. The following diagram illustrates
me, it is a public key distribution system, a con-
the general idea of the key exchange by using colors in-
cept developed by Merkle, and hence should be
stead of a very large number. The crucial part of the
called 'Diffie–Hellman–Merkle key exchange'
process is that Alice and Bob exchange their secret col-
if names are to be associated with it. I hope
ors in a mix only. Finally this generates an identical key
this small pulpit might help in that endeavor
that is computationally difficult (impossible for modern
to recognize Merkle’s equal contribution to the
supercomputers to do in a reasonable amount of time) to
invention of public key cryptography.[2]
reverse for another party that might have been listening
in on them. Alice and Bob now use this common secret
to encrypt and decrypt their sent and received data. Note
that the starting color (yellow) is arbitrary, but is agreed
U.S. Patent 4,200,770, from 1977 is now expired and on in advance by Alice and Bob. The starting color is
describes the algorithm. It credits Hellman, Diffie, and assumed to be known to any eavesdropping opponent. It
Merkle as inventors. may even be public.

1
2 1 DESCRIPTION

1.1 Cryptographic explanation be known by all attackers.) We will write the group
G multiplicatively.
The simplest and the original implementation of the pro-
tocol uses the multiplicative group of integers modulo p, 2. Alice picks a random natural number a and sends ga
where p is prime, and a primitive root modulo p. Here to Bob.
is an example of the protocol, with non-secret values in 3. Bob picks a random natural number b and sends gb
blue, and secret values in red. to Alice.

1. Alice and Bob agree to use a prime number p = 23 4. Alice computes (gb )a .
and base g = 5 (which is a primitive root modulo 23). 5. Bob computes (ga )b .
2. Alice chooses a secret integer a = 6, then sends Bob
A = ga mod p Both Alice and Bob are now in possession of the group
element gab , which can serve as the shared secret key. The
• A = 56 mod 23 = 8 values of (gb )a and (ga )b are the same because groups are
3. Bob chooses a secret integer b = 15, then sends Alice power associative. (See also exponentiation.)
B = gb mod p If m is a message, and an element of the group, then we
can encrypt e = mgab . Then, to decrypt e we must first
• B = 515 mod 23 = 19 compute (gab )−1 , as follows:
4. Alice computes s = Ba mod p Bob knows |G|, b, and ga . A corollary of Lagrange’s the-
orem states that h|G| = 1, the group identity, for all h ε
• s = 196 mod 23 = 2
G.
5. Bob computes s = Ab mod p Bob then calculates (ga )|G|−b = ga(|G|−b) = ga|G|−ab = ga|G| g−ab
• s = 815 mod 23 = 2 = (g|G| )a g−ab = 1a g−ab = g−ab = (gab )−1 .
When Alice sends Bob the encrypted message, e =mgab ,
6. Alice and Bob now share a secret (the number 2). Bob computes (gab )−1 e = mgab (gab )−1 = m(1) = m.

Both Alice and Bob have arrived at the same value, be- When the group is too large for a multiplication ta-
cause (ga )b (for Bob, 815 mod 23 = (ga mod p)b mod p = ble, then a multiplication algorithm is needed, and
(ga )b mod p) and (gb )a are equal mod p. Note that only Exponentiation for finite cyclic groups should be used.
a, b, and (gab mod p = gba mod p) are kept secret. All the How could the key be extracted, in general, from the
other values – p, g, ga mod p, and gb mod p – are sent in shared group element gab ? One could extract a set of AES
the clear. Once Alice and Bob compute the shared secret keys from it. This would require a mapping from G to the
they can use it as an encryption key, known only to them, set of n-bit binary strings, and the mapping would depend
for sending messages across the same open communica- on G. For example, if G consisted of the powers of a fixed
tions channel. nonsingular matrix A defined over a finite field, and if gab
Of course, much larger values of a, b, and p would be = {gᵢ, }, then the element g11 would be an element of the
needed to make this example secure, since there are only field and would have a binary representation that could be
23 possible results of n mod 23. However, if p is a prime divided up into AES keys.
of at least 300 digits, and a and b are at least 100 digits
long, then even the fastest modern computers cannot find 1.3 Secrecy chart
a given only g, p, gb mod p and ga mod p. The problem
such a computer needs to solve is called the discrete loga- The chart below depicts who knows what, again with non-
rithm problem. The computation of ga mod p is known as secret values in blue, and secret values in red. Here Eve is
modular exponentiation and can be done efficiently even an eavesdropper—she watches what is sent between Al-
for large numbers. Note that g need not be large at all, ice and Bob, but she does not alter the contents of their
and in practice is usually a small prime (like 2, 3, 5...) communications.
because primitive roots usually are quite numerous.
• g = public (prime) base, known to Alice, Bob, and
1.2 Generalization to finite cyclic groups Eve. g = 5
• p = public (prime) number, known to Alice, Bob,
Here’s a more general description of the protocol, and Eve. p = 23

1. Alice and Bob agree on a finite cyclic group G and • a = Alice’s private key, known only to Alice. a = 6
a generating element g in G. (This is usually done
long before the rest of the protocol; g is assumed to • b = Bob’s private key known only to Bob. b = 15
3

• A = Alice’s public key, known to Alice, Bob, and An eavesdropper has been able to see g a , g b , g c , g ab ,
Eve. A = ga mod p = 8 g ac , and g bc , but cannot use any combination of these
to reproduce g abc .
• B = Bob’s public key, known to Alice, Bob, and Eve.
B = gb mod p = 19 To extend this mechanism to larger groups, two basic
principles must be followed:
• Now s = the shared secret key and it is known to both
Alice and Bob, but not to Eve. s = 2 • Starting with an “empty” key consisting only of g ,
the secret is made by raising the current value to ev-
Note: It should be difficult for Alice to solve for Bob’s ery participant’s private exponent once, in any order
private key or for Bob to solve for Alice’s private key. (the first such exponentiation yields the participant’s
If it is not difficult for Alice to solve for Bob’s private own public key).
key (or vice versa), Eve may simply substitute her own
private / public key pair, plug Bob’s public key into her • Any intermediate value (having up to N − 1 expo-
private key, produce a fake shared secret key, and solve nents applied, where N is the number of partici-
for Bob’s private key (and use that to solve for the shared pants in the group) may be revealed publicly, but
secret key. Eve may attempt to choose a public / private the final value (having had all N exponents applied)
key pair that will make it easy for her to solve for Bob’s constitutes the shared secret and hence must never
private key). Another demonstration of Diffie-Hellman be revealed publicly. Thus, each user must obtain
(also using numbers too small for practical use) is given their copy of the secret by applying their own private
here [3] key last (otherwise there would be no way for the last
contributor to communicate the final key to its recip-
ient, as that last contributor would have turned the
key into the very secret the group wished to protect).
2 Operation with more than two
parties These principles leave open various options for choosing
in which order participants contribute to keys. The sim-
Diffie–Hellman key agreement is not limited to negotiat- plest and most obvious solution is to arrange the N partic-
ing a key shared by only two participants. Any number of ipants in a circle and have N keys rotate around the circle,
users can take part in an agreement by performing itera- until eventually every key has been contributed to by all
tions of the agreement protocol and exchanging interme- N participants (ending with its owner) and each partici-
diate data (which does not itself need to be kept secret). pant has contributed to N keys (ending with their own).
For example, Alice, Bob, and Carol could participate in a However, this requires that every participant perform N
Diffie–Hellman agreement as follows, with all operations modular exponentiations.
taken to be modulo p :
By choosing a more optimal order, and relying on the fact
that keys can be duplicated, it is possible to reduce the
1. The parties agree on the algorithm parameters p and number of modular exponentiations performed by each
g. participant to log2 (N ) + 1 using a divide-and-conquer-
2. The parties generate their private keys, named a , b style approach, given here for eight participants:
, and c .
1. Participants A, B, C, and D each perform one ex-
3. Alice computes g a and sends it to Bob.
ponentiation, yielding g abcd ; this value is sent to E,
4. Bob computes (g a )b = g ab and sends it to Carol. F, G, and H. In return, participants A, B, C, and D
receive g ef gh .
ab c abc
5. Carol computes (g ) = g and uses it as her
secret. 2. Participants A and B each perform one exponentia-
tion, yielding g ef ghab , which they send to C and D,
6. Bob computes g b and sends it to Carol.
while C and D do the same, yielding g ef ghcd , which
7. Carol computes (g b )c = g bc and sends it to Alice. they send to A and B.

8. Alice computes (g bc )a = g bca = g abc and uses it 3. Participant A performs an exponentiation, yielding
as her secret. g ef ghcda , which it sends to B; similarly, B sends
g ef ghcdb to A. C and D do similarly.
9. Carol computes g c and sends it to Alice.
10. Alice computes (g c )a = g ca and sends it to Bob. 4. Participant A performs one final exponentiation,
yielding the secret g ef ghcdba = g abcdef gh , while B
11. Bob computes (g ca )b = g cab = g abc and uses it as does the same to get g ef ghcdab = g abcdef gh ; again,
his secret. C and D do similarly.
4 5 SEE ALSO

5. Participants E through H simultaneously perform 4 Other uses

the same operations using g abcd as their starting
point.
4.1 Password-authenticated key agree-
ment
Once this operation has been completed all participants
will possess the secret g abcdef gh , but each participant When Alice and Bob share a password, they may use
will have performed only four modular exponentiations, a password-authenticated key agreement (PAKE) form
rather than the eight implied by a simple circular arrange- of Diffie–Hellman to prevent man-in-the-middle attacks.
ment. One simple scheme is to compare the hash of s concate-
nated with the password calculated independently on both
ends of channel. A feature of these schemes is that an at-
tacker can only test one specific password on each itera-
3 Security tion with the other party, and so the system provides good
security with relatively weak passwords. This approach is
described in ITU-T Recommendation X.1035, which is
The protocol is considered secure against eavesdroppers used by the G.hn home networking standard.
if G and g are chosen properly. The eavesdropper ("Eve")
would have to solve the Diffie–Hellman problem to ob-
tain gab . This is currently considered difficult. An ef- 4.2 Public key
ficient algorithm to solve the discrete logarithm problem
would make it easy to compute a or b and solve the Diffie– It is also possible to use Diffie–Hellman as part of a
Hellman problem, making this and many other public public key infrastructure. Alice’s public key is simply
key cryptosystems insecure. Fields of small character- (g a modp, g, p) . To send her a message, Bob chooses
istic may be less secure.[4] a random b and then sends Alice g b modp (un-encrypted)
together with the message encrypted with symmetric key
The order of G should have a large prime factor to prevent
(g a )b modp . Only Alice can decrypt the message be-
use of the Pohlig–Hellman algorithm to obtain a or b. For
cause only she has a (the private key). A preshared public
this reason, a Sophie Germain prime q is sometimes used
key also prevents man-in-the-middle attacks.
to calculate p = 2q + 1, called a safe prime, since the order
of G is then only divisible by 2 and q. g is then sometimes In practice, Diffie–Hellman is not used in this way, with
chosen to generate the order q subgroup of G, rather than RSA being the dominant public key algorithm. This is
G, so that the Legendre symbol of ga never reveals the largely for historical and commercial reasons, namely that
low order bit of a. RSA Security created a certificate authority for key sign-
ing that became Verisign. Diffie–Hellman cannot be used
If Alice and Bob use random number generators whose
to sign certificates. However, the ElGamal and DSA sig-
outputs are not completely random and can be predicted
nature algorithms are mathematically related to it, as well
to some extent, then Eve’s task is much easier.
as MQV, STS and the IKE component of the IPsec proto-
The secret integers a and b are discarded at the end of the col suite for securing Internet Protocol communications.
session. Therefore, Diffie–Hellman key exchange by it-
self trivially achieves perfect forward secrecy because no
long-term private keying material exists to be disclosed. 4.3 Cryptocurrency
In the original description, the Diffie–Hellman exchange The sender can produce only the public part of the key,
by itself does not provide authentication of the commu- whereas only the receiver can compute the private part.
nicating parties and is thus vulnerable to a man-in-the- Because of that, the receiver is the only one who can re-
middle attack. Mallory may establish two distinct key lease the funds after the transaction is committed. They
exchanges, one with Alice and the other with Bob, ef- need to perform a single-formula check on each trans-
fectively masquerading as Alice to Bob, and vice versa, actions to establish if it belongs to them. This process
allowing her to decrypt, then re-encrypt, the messages involves their private key, therefore no third party can
passed between them. Note that Mallory must continue perform this check and discover the link between the one-
to be in the middle, transferring messages every time Al- time key generated by the sender and the receiver’s unique
ice and Bob communicate. If she is ever absent, her pre- public address.
vious presence is then revealed to Alice and Bob. They
will know that all of their private conversations had been
intercepted and decoded by someone in the channel.
5 See also
A method to authenticate the communicating parties to
each other is generally needed to prevent this type of at- • Key exchange
tack. Variants of Diffie–Hellman, such as STS protocol,
may be used instead to avoid these types of attacks. • Cryptography portal
5

• Modular arithmetic • Cryptographic apparatus and method Martin E.

Hellman, Bailey W. Diffie, and Ralph C. Merkle,
• Elliptic curve Diffie–Hellman U.S. Patent #4,200,770, 29 April 1980
• Public-key cryptography • The History of Non-Secret Encryption JH Ellis
• ElGamal encryption 1987 (28K PDF file) (HTML version)

• Diffie–Hellman problem • The First Ten Years of Public-Key Cryptography

Whitfield Diffie, Proceedings of the IEEE, vol. 76,
• MQV no. 5, May 1988, pp: 560–577 (1.9MB PDF file)
• Password-authenticated key agreement • Menezes, Alfred; van Oorschot, Paul; Vanstone,
Scott (1997). Handbook of Applied Cryptography
• Secure Remote Password Protocol
Boca Raton, Florida: CRC Press. ISBN 0-8493-
8523-7. (Available online)

6 Notes • Singh, Simon (1999) The Code Book: the evolution

of secrecy from Mary Queen of Scots to quantum
[1] Synonyms of Diffie–Hellman key exchange include: cryptography New York: Doubleday ISBN 0-385-
49531-5
• Diffie–Hellman key agreement
• Diffie–Hellman key establishment • An Overview of Public Key Cryptography Martin
E. Hellman, IEEE Communications Magazine, May
• Diffie–Hellman key negotiation
2002, pp:42–49. (123kB PDF file)
• Exponential key exchange
• Diffie–Hellman protocol
• Diffie–Hellman handshake 8 External links
• Public Key Cryptography: Diffie-Hellman Key Ex-
7 References change - A 5 minute YouTube video by Khan
Academy faculty member Brit Cruise
[1] “GCHQ trio recognised for key to secure shopping on-
line”. BBC. 5 October 2010. Retrieved 5 August 2014. • Oral history interview with Martin Hellman, Charles
Babbage Institute, University of Minnesota. Lead-
[2] IEEE Communications Magazine Homepage | IEEE ing cryptography scholar Martin Hellman discusses
Communications Society. Comsoc.org. Retrieved on the circumstances and fundamental insights of his
2013-10-29. invention of public key cryptography with collabo-
[3] http://buchananweb.co.uk/security02.aspx rators Whitfield Diffie and Ralph Merkle at Stanford
University in the mid-1970s.
[4] A Heuristic Quasi-Polynomial Algorithm for Discrete
Logarithm in Finite Fields of Small Characteristic,” Raz- • RFC 2631 – Diffie–Hellman Key Agreement Method
van Barbulescu, Pierrick Gaudry, Antoine Joux, Em- E. Rescorla June 1999.
manuel Thomé, Advances in Cryptology – EUROCRYPT
2014, Lecture Notes in Computer Science, Volume 8441, • Summary of ANSI X9.42: Agreement of Symmet-
2014, pp 1-16. ric Keys Using Discrete Logarithm Cryptography
(64K PDF file) (Description of ANSI 9 Standards)
• Dieter Gollmann (2006). Computer Security Second • Diffie–Hellman Key Exchange – A Non-
Edition West Sussex, England: John Wiley & Sons, Mathematician’s Explanation by Keith Palmgren
Ltd.
• Crypt::DH Perl module from CPAN
• The possibility of Non-Secret digital encryption J.
H. Ellis, January 1970. • Hands-on Diffie–Hellman demonstration

• Non-Secret Encryption Using a Finite Field MJ • C implementation using GNU Multiple Precision
Williamson, January 21, 1974. Arithmetic Library

• Thoughts on Cheaper Non-Secret Encryption MJ • Diffie Hellman in 2 lines of Perl (using dc)
Williamson, August 10, 1976. • Smart Account Management (SAcct) (using DH key
• Diffie, W.; Hellman, M. (1976). “New di- exchange to derive session key)
rections in cryptography”. IEEE Transac- • Talk by Martin Hellman in 2007, Google video (bro-
tions on Information Theory 22 (6): 644–654. ken link)
doi:10.1109/TIT.1976.1055638.
6 9 TEXT AND IMAGE SOURCES, CONTRIBUTORS, AND LICENSES

9 Text and image sources, contributors, and licenses

9.1 Text
• Diffie–Hellman key exchange Source: http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange?oldid=631374275 Contributors: Ax-
elBoldt, Malcolm Farmer, Etu, Arvindn, PierreAbbat, PhilipMW, Michael Hardy, Looxix, Haakon, CatherineMunro, Yaronf, Cyan, Ehn,
Hashar, JidGom, Timwi, Ww, The Anomebot, Ed g2s, Raul654, Bcorr, Pakaran, Saqib (usurped), Robbot, Fredrik, Lowellian, PrimeFan,
Jleedev, Vacuum, Captain Segfault, Giftlite, Sin1man, Lunkwill, Qartis, Inkling, Stern, Leonard G., Plato, Rchandra, AlistairMcMillan,
Tweenk, Matt Crypto, Thecrypto, CryptoDerk, Peter Hendrickson, Piotrus, Two Bananas, Jklamo, TonyW, Frenchwhale, Flex, Blokhead,
Discospinster, Rich Farmbrough, Guanabot, ArnoldReinhold, Bender235, ZeroOne, Shanes, Dalf, Bobo192, Dreish, Phansen, Giraffedata,
Dila, Davidgothberg, Wrs1864, Mark Bergsma, Nuno Tavares, Simetrical, OwenX, Armando, Fbriere, Brentdax, GregorB, FlaBot, An-
rie Nord, Wabasso, Quentin X, RobotE, RussBot, ENeville, Vanished user 1029384756, DavidJablon, Abune, Phil Holmes, SmackBot,
Mmernex, Bigbluefish, Anastrophe, Pfaff9, Kurykh, Thumperward, HughNo, Cophus, Michel SALES, Plustgarten, MichaelBillington,
A5b, Autopilot, MrDomino, Littleman TAMU, JoshuaZ, Boky, Aslaveofaudio, Momet, Courcelles, Dokaspar, WhiteAvenger, Jesse Vi-
viano, Dub13, Cydebot, Grahamrichter, Gogo Dodo, Neustradamus, Thijs!bot, A3RO, [email protected], Electron9, Peashy,
AntiVandalBot, Widefox, TenguTech, JAnDbot, Jheiv, Magioladitis, KConWiki, Rfellows, Charliet, Grammrsnob, STBot, Nmichaels,
Uncle Dick, Maurice Carbonaro, Dispenser, Jerry Segers, Jr., Signalhead, Soliloquial, TXiKiBoT, Combatentropy, Liko81, Don4of4,
Duncan.Hull, Meuston, AlleborgoBot, SieBot, VVVBot, Djadams35, Hawk777, Garde, Tuntable, ImageRemovalBot, Travis.m.granvold,
MagnusPI, Jwpat7, Theking2, XLinkBot, Doru001, Dsimic, AkhtaBot, Torla42, Ozob, Lightbot, Wiso, Legobot, Rs-leo, Luckas-bot,
Yobot, AnomieBOT, TinucherianBot II, Louelle, Sashagolin, Kineticabstract, Almabot, GrouchoBot, Omnipaedista, 2ndjpeg, Samwb123,
Nageh, Itusg15q4user, Martinvl, Van Rijn, Yecheng Fu, RedBot, Montpelier Vermont, Vishayv, Mrogalski, Tim-J.Swan, Pythomit, Min-
imac, NerdyScienceDude, DdEe4Aai, EmausBot, Noloader, Moshahmed, ZéroBot, Quondum, Qwertyshark, Orby1, EdoBot, Mikhail
Ryazanov, ClueBot NG, Dav-FL-IN-AZ-id, Doh5678, Dsperlich, Burningstarfour, Hammadhaleem, Compfreak7, Flugaal, Joey80nl, Elec-
tricmuffin11, Thom2729, Jmic0006, Eyesnore, Karol Babioch, OccultZone, Dodi 8238, Abitslow, FOXIBOX, Garfield Garfield, Luce71,
James Merrill and Anonymous: 204

9.2 Images
• File:Ambox_content.png Source: http://upload.wikimedia.org/wikipedia/en/f/f4/Ambox_content.png License: ? Contributors:
Derived from Image:Information icon.svg Original artist:
El T (original icon); David Levy (modified design); Penubag (modified color)
• File:Crypto_key.svg Source: http://upload.wikimedia.org/wikipedia/commons/6/65/Crypto_key.svg License: CC-BY-SA-3.0 Contribu-
tors: Own work based on image:Key-crypto-sideways.png by MisterMatt originally from English Wikipedia Original artist: MesserWoland
• File:Diffie-Hellman_Key_Exchange.svg Source: http://upload.wikimedia.org/wikipedia/commons/4/46/Diffie-Hellman_Key_
Exchange.svg License: Public domain Contributors: A.J. Han Vinck, Introduction to public key cryptography, p. 16 Original artist:
• SVG version: Flugaal
• File:Edit-clear.svg Source: http://upload.wikimedia.org/wikipedia/en/f/f2/Edit-clear.svg License: ? Contributors: The Tango! Desktop
Project. Original artist:
The people from the Tango! project. And according to the meta-data in the file, specifically: “Andreas Nilsson, and Jakub Steiner (although
minimally).”
• File:Text_document_with_red_question_mark.svg Source: http://upload.wikimedia.org/wikipedia/commons/a/a4/Text_document_
with_red_question_mark.svg License: Public domain Contributors: Created by bdesham with Inkscape; based upon Text-x-generic.svg
from the Tango project. Original artist: Benjamin D. Esham (bdesham)

9.3 Content license

• Creative Commons Attribution-Share Alike 3.0