Diffie-Hellman Key Exchange

How two people can agree on a shared secret key over a completely public channel — even with an eavesdropper listening to every message — using only modular exponentiation.

👩

Alice

😈 Eve watches everything here

👨

Bob

0 Why Do We Need Diffie-Hellman?

RSA lets you encrypt with a public key and decrypt with a private one. But what if Alice and Bob want to establish a shared symmetric key for fast AES encryption — without ever having met?

RSA solves…

Sending encrypted messages to someone using their public key. One-directional. Computationally heavy for large data.

See RSA e2e demo →

DH solves…

Agreeing on a shared secret that neither party ever transmits. Used to bootstrap symmetric encryption (e.g., AES) in TLS, SSH, Signal.

Real-world context: When your browser connects to a website via HTTPS, it almost certainly uses Diffie-Hellman (or its elliptic-curve variant ECDH) to agree on a session key. RSA may authenticate the server's identity, but DH establishes the symmetric key for the actual data.

📐 Same mathematical foundation: DH and RSA both rely on modular exponentiation. The hard problem for DH is the Discrete Logarithm Problem instead of integer factorization. Modular arithmetic refresher →

1 The Paint-Mixing Analogy

DH is famously explained with mixing paint. Mixing colors is easy — unmixing is hard. This mirrors modular exponentiation: easy forward, hard backward.

Step 1 — Agree on a shared base color (public)

Alice and Bob publicly agree on a starting color. Eve knows it too.

Yellow
(public)

In DH: prime p and generator g play this role — public, known to everyone.

Step 2 — Alice adds her secret color

Yellow (pub)

Green
(secret)

Alice's mix
(public!)

She sends this mix to Bob. Eve sees it but can't extract the green.

In DH: A = g^a mod p where a is Alice's secret.

Step 2 — Bob adds his secret color

Yellow (pub)

Purple
(secret)

Bob's mix
(public!)

He sends this mix to Alice. Eve sees it too.

In DH: B = g^b mod p where b is Bob's secret.

Step 3 — Both add their own secret to the OTHER's mix

Bob's mix

Alice's secret

SAME result

Alice computes K = B^a mod p

Alice's mix

Bob's secret

SAME result

Bob computes K = A^b mod p

Both arrive at the same shared secret K = g^ab mod p. Eve has all four public values but can't reconstruct K without solving the Discrete Logarithm Problem.

2 Step 1: Agree on Public Parameters

Alice and Bob (and Eve — she knows these too) agree on two public numbers: a large prime p and a generator g.

p = prime, g = generator (primitive root mod p), 1 < g < p

What is a generator? A primitive root mod p is a number g such that g¹, g², …, g^p−1 (all mod p) produce every integer from 1 to p−1. This "covers" the entire group, making the shared secret hard to predict.

Public parameters — everyone knows these

Show powers of g mod p (verify it's a generator)

3 Alice & 3 Bob Pick Private Secrets

Each person independently chooses a secret exponent. They never transmit or reveal this number.

Alice's secret: a

Known only to Alice. Random integer in [2, p−2].

Bob's secret: b

Known only to Bob. Random integer in [2, p−2].

4 Compute & Exchange Public Values

Each party computes their "partial result" and sends it across the channel. Eve intercepts both — but can't do anything useful with them.

A = g^a \bmod p \quad\quad B = g^b \bmod p

⚠ Run the interactive demo below first.

5 Both Compute the Shared Secret

Alice applies her secret to Bob's public value. Bob applies his secret to Alice's public value. They arrive at the same number.

K_A = B^a \bmod p = g^{ba} \bmod p \quad=\quad K_B = A^b \bmod p = g^{ab} \bmod p

⚠ Run the interactive demo below first.

6 What Eve Sees

Eve intercepts every message on the channel. Let's audit exactly what she knows versus what she'd need.

⚠ Run the interactive demo below first.

Why can't Eve compute K from A and g?
Eve knows A = g^a mod p and needs to find a. This is the Discrete Logarithm Problem: given g, A, p — find a. No efficient classical algorithm exists for large p. Addressed in Section 8.

7 Interactive Demo

Set all four parameters and watch the full exchange. Try small numbers you can verify by hand, then try larger ones.

Parameters

p (prime)

g (generator)

Alice's secret a

Bob's secret b

8 Why Eve Can't Break It: The Discrete Log Problem

The security of DH rests on one assumption: given g, A = g^a mod p, and p — finding a is computationally infeasible for large p.

\text{Given}\; g,\; A = g^a \bmod p,\; p \quad\Longrightarrow\quad \text{find } a \quad\text{[HARD]}

Contrast: Easy vs. Hard

      Easy (exponentiation):    a=6, g=5, p=23  →  5⁶ mod 23 = 8    (microseconds)

      Hard (discrete log):      g=5, A=8, p=23  →  find a?           (easy for small p, infeasible for large p)

      At scale (2048-bit p):    State-of-the-art algorithms still take >1024 operations

Try: Brute-Force the Discrete Log

For small p, Eve CAN brute-force — just try all possible a until g^a mod p = A. This demo shows the exponential search:

A (= g^a mod p)

Comparison to RSA:

RSA security ← Integer Factorization Problem (factor n = p·q) →
DH security ← Discrete Logarithm Problem (find a from g^a mod p)
ECDH (Elliptic-Curve DH) ← Discrete log on elliptic curves (even harder, smaller key sizes)

Note: The basic DH protocol shown here is vulnerable to a man-in-the-middle attack — Eve could impersonate Bob to Alice and Alice to Bob, establishing separate secrets with each. In practice, DH is combined with digital signatures (using RSA or ECDSA) to authenticate the parties. This combination is called Authenticated Key Exchange.