Diffie-Hellman Key Agreement Protocol
Learn about the Diffie-Hellman protocol, which is one of the most influential cryptographic protocols.
The Diffie-Hellman key agreement protocol, which we’ll henceforth refer to simply as the Diffie-Hellman protocol from now on, is one of the most influential cryptographic protocols. Not only does it predate the public discovery of RSA, but it remains the basis for the vast majority of modern AKE protocols based on key agreement. We’ll explain the idea behind the Diffie-Hellman protocol and then examine an example of an AKE protocol based on it.
Idea behind the Diffie-Hellman protocol
The Diffie-Hellman protocol requires the existence of:
-
A public-key cryptosystem with a special property, which we’ll discuss shortly. We denote the public and private keys of Alice and Bob in this cryptosystem by and , respectively. These may be either temporary key pairs that have been generated specifically for this protocol run or long-term key pairs used for more than one protocol run.
-
A combination function with a special property, which we’ll discuss shortly. By a ‘combination’ function, we mean a mathematical process that takes two numbers, and as input and outputs a third number, which we denote with . Addition is an example of a combination function, with .
The Diffie-Hellman protocol is designed for environments where secure channels don’t yet exist. Indeed, it’s often used to establish a symmetric key, which can then be used to secure such a channel. It’s important to remember that, unless otherwise stated, we assume all the exchanged messages take place over an unprotected (public) channel that an attacker can observe and, potentially, modify. The basic idea behind the Diffie-Hellman protocol is that:
-
Alice sends her public key to Bob.
-
Bob sends his public key to Alice.
-
Alice computes . Alice can conduct this computation since it involves her private key .
-
Bob computes . Note that only Bob can conduct this computation since it involves his private key .
The special property for the public-key cryptosystem and the combination function is that:
At the end of the protocol, Alice and Bob will thus share this value, which we denote with . As we’ll discuss in a moment, this shared value can then easily be converted into a key of the required length. Since the private keys of Alice and Bob are both required to compute , it should be computable only by Alice and Bob and not by anyone else (an attacker) who observed the protocol messages. This is true even though the attacker will have seen and .
The somewhat surprising aspect of the Diffie-Hellman protocol is that without sharing any secret information, Alice and Bob can jointly generate a secret value by communicating only over a public channel. This was a revolutionary idea when it was first proposed in 1976, and it remains a slightly counterintuitive one. This property makes the Diffie-Hellman protocol extremely useful.
Instantiation of the Diffie-Hellman protocol
To fully specify the Diffie-Hellman protocol, we need to find a suitable public-key cryptosystem and a suitable function . Fortunately, we won’t need any new public-key cryptosystems to describe the most common instantiation of the Diffie-Hellman protocol. This is because the ElGamal cryptosystem has precisely the property we need. Equally fortunately, the required function is very simple.
Get hands-on with 1400+ tech skills courses.