This is an accepted version of this page
Diffie–Hellman (DH)key exchange[nb 1] is a mathematical method of securely generating a symmetriccryptographic key over a public channel and was one of the firstprotocols as conceived byRalph Merkle and named afterWhitfield Diffie andMartin Hellman.[1] DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.
Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical means, such as paper key lists transported by a trustedcourier. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish ashared secret key over aninsecure channel. This key can then be used to encrypt subsequent communications using asymmetric-keycipher.
Diffie–Hellman is used to secure a variety ofInternet services. However, research published in October 2015 suggests that the parameters in use for many DH Internet applications at that time are not strong enough to prevent compromise by very well-funded attackers, such as the security services of some countries.[2]
The scheme was published by Whitfield Diffie and Martin Hellman in 1976,[3] but in 1997 it was revealed thatJames H. Ellis,[4]Clifford Cocks, andMalcolm J. Williamson ofGCHQ, the British signals intelligence agency, had previously shown in 1969[5] how public-key cryptography could be achieved.[6]
Although Diffie–Hellman key exchange itself is a non-authenticatedkey-agreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provideforward secrecy inTransport Layer Security'sephemeral modes (referred to as EDH or DHE depending on the cipher suite). Forward secrecy results from the use of ephemeral keys: the private keys are discarded once key agreement is complete, making them safe from later compromise. Ephemeral keys are practical because it is computationally cheap to create public-private key pairs suitable for use with Diffie-Hellman exchange.
The method was followed shortly afterwards byRSA, an implementation of public-key cryptography using asymmetric algorithms.
Expired US patent 4200770[7] from 1977 describes the now public-domain algorithm. It credits Hellman, Diffie, and Merkle as inventors.
In 2006, Hellman suggested the algorithm be calledDiffie–Hellman–Merkle key exchange in recognition ofRalph Merkle's contribution to the invention ofpublic-key cryptography (Hellman, 2006), writing:
The system ... has since become known as Diffie–Hellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'Diffie–Hellman–Merkle key exchange' if names are to be associated with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public key cryptography.[8]
Diffie–Hellman key exchange establishes a shared secret between two parties that can be used for secret communication for exchanging data over a public network. An analogy illustrates the concept of public key exchange by using colors instead of very large numbers:
The process begins by having the two parties,Alice and Bob, publicly agree on an arbitrary starting color that does not need to be kept secret. In this example, the color is yellow. Each person also selects a secret color that they keep to themselves – in this case, red and cyan. The crucial part of the process is that Alice and Bob each mix their own secret color together with their mutually shared color, resulting in orange-tan and light-blue mixtures respectively, and then publicly exchange the two mixed colors. Finally, each of them mixes the color they received from the partner with their own private color. The result is a final color mixture (yellow-brown in this case) that is identical to their partner's final color mixture.
If a third party listened to the exchange, they would only know the common color (yellow) and the first mixed colors (orange-tan and light-blue), but it would be very hard for them to find out the final secret color (yellow-brown). Bringing the analogy back to areal-life exchange using large numbers rather than colors, this determination is computationally expensive; it is impossible to compute in a practical amount of time even for modernsupercomputers.
The simplest and the original implementation,[3] later formalized asFinite Field Diffie–Hellman in RFC 7919,[9] of the protocol uses themultiplicative group of integers modulop, wherep isprime, andg is aprimitive root modulop. To guard against potential vulnerabilities, it is recommended to use prime numbers of at least 2048 bits in length. This increases the difficulty for an adversary attempting to compute the discrete logarithm and compromise the shared secret. These two values are chosen in this way to ensure that the resulting shared secret can take on any value from 1 top − 1. Here is an example of the protocol, with non-secret values inblue, and secret values inred.
Both Alice and Bob have arrived at the same values because under modp,
More specifically,
Onlya andb are kept secret. All the other values –p,g,ga modp, andgb modp – are sent in the clear. The strength of the scheme comes from the fact thatgab modp =gba modp take extremely long times to compute by any known classical algorithm just from the knowledge ofp,g,ga modp, andgb modp. Such a function that is easy to compute but hard to invert is called aone-way function. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel.
Of course, much larger values ofa,b, andp would be needed to make this example secure, since there are only 23 possible results ofn mod 23. However, ifp is a prime of at least 600 digits, then even the fastest modern computers using the fastest known algorithm cannot finda given onlyg,p andga modp. Such a problem is called thediscrete logarithm problem.[2] The computation ofga modp is known asmodular exponentiation and can be done efficiently even for large numbers.Note thatg need not be large at all, and in practice is usually a small integer (like 2, 3, ...).
The chart below depicts who knows what, again with non-secret values inblue, and secret values inred. HereEve is aneavesdropper – she watches what is sent between Alice and Bob, but she does not alter the contents of their communications.
|
|
|
Nows is the shared secret key and it is known to both Alice and Bob, butnot to Eve. Note that it is not helpful for Eve to computeAB, which equalsga+b modp.
Note: It should be difficult for Alice to solve for Bob's private key or for Bob to solve for Alice's private key. If it is not difficult for Alice to solve for Bob's private key (or vice versa), then an eavesdropper,Eve, may simply substitute her own private / public key pair, plug Bob's public key into her private key, produce a fake shared secret key, and solve for Bob's private key (and use that to solve for the shared secret key).Eve may attempt to choose a public / private key pair that will make it easy for her to solve for Bob's private key.
Here is a more general description of the protocol:[10]
Both Alice and Bob are now in possession of the group elementgab =gba, which can serve as the shared secret key. The groupG satisfies the requisite condition forsecure communication as long as there is no efficient algorithm for determininggab giveng,ga, andgb.
For example, theelliptic curve Diffie–Hellman protocol is a variant that represents an element of G as a point on an elliptic curve instead of as an integer modulo n. Variants usinghyperelliptic curves have also been proposed. Thesupersingular isogeny key exchange is a Diffie–Hellman variant that was designed to be secure againstquantum computers, but it was broken in July 2022.[11]
The used keys can either be ephemeral or static (long term) key, but could even be mixed, so called semi-static DH. These variants have different properties and hence different use cases. An overview over many variants and some also discussions can for example be found in NIST SP 800-56A.[12] A basic list:
It is possible to use ephemeral and static keys in one key agreement to provide more security as for example shown in NIST SP 800-56A, but it is also possible to combine those in a single DH key exchange, which is then called triple DH (3-DH).
In 1997 a kind of triple DH was proposed by Simon Blake-Wilson, Don Johnson and Alfred Menezes,[13] which was improved by C. Kudla and K. G. Paterson in 2005[14] and shown to be secure.
The long term secret keys of Alice and Bob are denoted bya andb respectively, with public keysA andB, as well as the ephemeral key pairs (x,X) and (y,Y). Then protocol is:
| Alice () | Bob () | |
|---|---|---|
The long term public keys need to be transferred somehow. That can be done beforehand in a separate, trusted channel, or the public keys can be encrypted using some partial key agreement to preserve anonymity. For more of such details as well as other improvements likeside channel protection or explicitkey confirmation, as well as early messages and additional password authentication, see e.g. US patent "Advanced modular handshake for key agreement and optional authentication".[15]
X3DH was initially proposed as part of theDouble Ratchet Algorithm used in theSignal Protocol. The protocol offers forward secrecy and cryptographic deniability. It operates on an elliptic curve.[16]
The protocol uses five public keys. Alice has an identity key IKA and an ephemeral key EKA. Bob has an identity key IKB, a signed prekey SPKB, and a one-time prekey OPKB.[16] Bob first publishes his three keys to a server, which Alice downloads and verifies the signature on. Alice then initiates the exchange to Bob.[16] The OPK is optional.[16]
Diffie–Hellman key agreement is not limited to negotiating a key shared by only two participants. Any number of users can take part in an agreement by performing iterations of the agreement protocol and exchanging intermediate data (which does not itself need to be kept secret). For example, Alice, Bob, and Carol could participate in a Diffie–Hellman agreement as follows, with all operations taken to be modulop:
An eavesdropper has been able to seega modp,gb modp,gc modp,gab modp,gac modp, andgbc modp, but cannot use any combination of these to efficiently reproducegabc modp.
To extend this mechanism to larger groups, two basic principles must be followed:
These principles leave open various options for choosing in which order participants contribute to keys. The simplest and most obvious solution is to arrange theN participants in a circle and haveN keys rotate around the circle, until eventually every key has been contributed to by allN participants (ending with its owner) and each participant has contributed toN keys (ending with their own). However, this requires that every participant performN modular exponentiations.
By choosing a more desirable order, and relying on the fact that keys can be duplicated, it is possible to reduce the number of modular exponentiations performed by each participant tolog2(N) + 1 using adivide-and-conquer-style approach, given here for eight participants:
Once this operation has been completed all participants will possess the secretgabcdefgh, but each participant will have performed only four modular exponentiations, rather than the eight implied by a simple circular arrangement.
The protocol is considered secure against eavesdroppers ifG andg are chosen properly. In particular, the order of the group G must be large, particularly if the same group is used for large amounts of traffic. The eavesdropper has to solve theDiffie–Hellman problem to obtaingab. This is currently considered difficult for groups whose order is large enough. An efficient algorithm to solve thediscrete logarithm problem would make it easy to computea orb and solve the Diffie–Hellman problem, making this and many other public key cryptosystems insecure. Fields of small characteristic may be less secure.[17]
Theorder ofG should have a large prime factor to prevent use of thePohlig–Hellman algorithm to obtaina orb. For this reason, aSophie Germain primeq is sometimes used to calculatep = 2q + 1, called asafe prime, since the order ofG is then only divisible by 2 andq. Sometimesg is chosen to generate the orderq subgroup ofG, rather thanG, so that theLegendre symbol ofga never reveals the low order bit ofa. A protocol using such a choice is for exampleIKEv2.[18]
The generatorg is often a small integer such as 2. Because of therandom self-reducibility of the discrete logarithm problem a smallg is equally secure as any other generator of the same group.
If Alice and Bob userandom number generators whose outputs are not completely random and can be predicted to some extent, then it is much easier to eavesdrop.
In the original description, the Diffie–Hellman exchange by itself does not provideauthentication of the communicating parties and can be vulnerable to aman-in-the-middle attack.Mallory (an active attacker executing the man-in-the-middle attack) may establish two distinct key exchanges, one with Alice and the other with Bob, effectively masquerading as Alice to Bob, and vice versa, allowing her to decrypt, then re-encrypt, the messages passed between them. Note that Mallory must be in the middle from the beginning and continuing to be so, actively decrypting and re-encrypting messages every time Alice and Bob communicate. If she arrives after the keys have been generated and the encrypted conversation between Alice and Bob has already begun, the attack cannot succeed. If she is ever absent, her previous presence is then revealed to Alice and Bob. They will know that all of their private conversations had been intercepted and decoded by someone in the channel. In most cases it will not help them get Mallory's private key, even if she used the same key for both exchanges.
A method to authenticate the communicating parties to each other is generally needed to prevent this type of attack. Variants of Diffie–Hellman, such asSTS protocol, may be used instead to avoid these types of attacks.
ACVE released in 2021 (CVE-2002-20001) disclosed adenial-of-service attack (DoS) against the protocol variants using ephemeral keys, called D(HE)at attack.[19] The attack exploits that the Diffie–Hellman key exchange allows attackers to send arbitrary numbers that are actually not public keys, triggering expensive modular exponentiation calculations on the victim's side. Another CVEs release disclosed that the Diffie–Hellman key exchange implementations may use long private exponents (CVE-2022-40735) that arguably make modular exponentiation calculations unnecessarily expensive[20] or may unnecessarily check a peer's public key (CVE-2024-41996) which has similar resource requirement as key calculation using a long exponent.[21] An attacker can exploit both vulnerabilities together.
Thenumber field sieve algorithm, which is generally the most effective in solving thediscrete logarithm problem, consists of four computational steps. The first three steps only depend on the order of the group G, not on the specific number whose finite log is desired.[22] It turns out that much Internet traffic uses one of a handful of groups that are of order 1024 bits or less.[2] Byprecomputing the first three steps of the number field sieve for the most common groups, an attacker need only carry out the last step, which is much less computationally expensive than the first three steps, to obtain a specific logarithm. TheLogjam attack used this vulnerability to compromise a variety of Internet services that allowed the use of groups whose order was a 512-bit prime number, so calledexport grade. The authors needed several thousand CPU cores for a week to precompute data for a single 512-bit prime. Once that was done, individual logarithms could be solved in about a minute using two 18-core Intel Xeon CPUs.[2]
As estimated by the authors behind the Logjam attack, the much more difficult precomputation needed to solve the discrete log problem for a 1024-bit prime would cost on the order of $100 million, well within the budget of a large nationalintelligence agency such as the U.S.National Security Agency (NSA). The Logjam authors speculate that precomputation against widely reused 1024-bit DH primes is behind claims inleaked NSA documents that NSA is able to break much of current cryptography.[2]
To avoid these vulnerabilities, the Logjam authors recommend use ofelliptic curve cryptography, for which no similar attack is known. Failing that, they recommend that the order,p, of the Diffie–Hellman group should be at least 2048 bits. They estimate that the pre-computation required for a 2048-bit prime is 109 times more difficult than for 1024-bit primes.[2]
Quantum computers can break public-key cryptographic schemes, such as RSA, finite-field DH and elliptic-curve DH key-exchange protocols, usingShor's algorithm for solving thefactoring problem, thediscrete logarithm problem, and the period-finding problem. Apost-quantum variant of Diffie-Hellman algorithm was proposed in 2023, and relies on a combination of the quantum-resistant CRYSTALS-Kyber protocol, as well as the old elliptic curveX25519 protocol.
Public key encryption schemes based on the Diffie–Hellman key exchange have been proposed. The first such scheme is theElGamal encryption. A more modern variant is theIntegrated Encryption Scheme.
Protocols that achieveforward secrecy generate new key pairs for eachsession and discard them at the end of the session. The Diffie–Hellman key exchange is a frequent choice for such protocols, because of its fast key generation.
When Alice and Bob share a password, they may use apassword-authenticated key agreement (PK) form of Diffie–Hellman to prevent man-in-the-middle attacks. One simple scheme is to compare thehash ofs concatenated with the password calculated independently on both ends of channel. A feature of these schemes is that an attacker can only test one specific password on each iteration with the other party, and so the system provides good security with relatively weak passwords. This approach is described inITU-T RecommendationX.1035, which is used by theG.hn home networking standard.
An example of such a protocol is theSecure Remote Password protocol.
It is also possible to use Diffie–Hellman as part of apublic key infrastructure, allowing Bob to encrypt a message so that only Alice will be able to decrypt it, with no prior communication between them other than Bob having trusted knowledge of Alice's public key. Alice's public key is. To send her a message, Bob chooses a randomb and then sends Alice (unencrypted) together with the message encrypted with symmetric key. Only Alice can determine the symmetric key and hence decrypt the message because only she hasa (the private key). A pre-shared public key also prevents man-in-the-middle attacks.
In practice, Diffie–Hellman is not used in this way, withRSA being the dominant public key algorithm. This is largely for historical and commercial reasons,[citation needed] namely thatRSA Security created acertificate authority for key signing that becameVerisign. Diffie–Hellman, as elaborated above, cannot directly be used to sign certificates. However, theElGamal andDSA signature algorithms are mathematically related to it, as well asMQV,STS and theIKE component of theIPsec protocol suite for securingInternet Protocol communications.
Received August, 1975; revised September 1977
