Dominik Farhan

On the origin of the name

The system...has since become known as Diffie–Hellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'Diffie–Hellman–Merkle key exchange' if names are to be associated with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public-key cryptography. — Hellman 2002

Description

The following was take from a Wikipedia article on it which I recommend to read to anyone interested.

Alice and Bob agree on a finite cyclic group $G$ of order $n$ and a generating element $g$ in $G$ . (This is usually done long before the rest of the protocol, $g$ is assumed to be known by all attackers.).
Alice picks a random number $a$ with $1 < a < n$ , and sends the element $g^a$ of $G$ to Bob.
Bob picks a random natural number $b$ with $1 < b < n$ , and sends the element $g^b$ of $G$ to Alice.
Alice computes the element $(g^b)^a = g^{ba}$ of $G$ .
Bob computes the element $(g^a)^b = g^{ab}$ of $G$ .

Both Alice and Bob are now in possession of the group element $g^{ab} = g^{ba}$ , which can serve as the shared secret key. Group $G$ satisfies the requisite condition for secure communication if there is not an efficient algorithm for determining $g^{ab}$ given $g$ , $g^a$ , and $g^b$ .

Used in ElGamal cipher.

Such construction is not attackable by a passive attacker but someone more active can do it. For this, it is important to sign the conversation (usually with RSA). Ideally the complete exchange.

An interesting idea is to hash the result of the communication before using it further in the protocol.

Some common pitfalls

Agreeing

If we are agreeing on $g,n$ or we don’t trust the authority that chose them, it is necessary to check that $n$ is really a prime and that $g$ is a generator of a sufficiently large subgroup.

Small subgroups, tricky attacker

Attacker can find $k$ so that $g^k$ is little baby subgroup. When this happens, she can change $g^a$ to $(g^a)^k$ and the same for Bob’s. Voilà, we are a small subgroup once again. This is the chief reason why we are signing the whole communication, not just the result.

QR and Legendre

The symbol of monsieur Legendre leaks in DH so it is possible to say if $a \text{ in } g^a$ was odd or even. But not a big deal.

Avoiding small subgroups

2|p-1

which is almost always the case, then there is a subgroup with two elements. QR subgroup, has

\frac{p-1}{2}

elements.

Safe primes

To avoid falling into some ugly small subgroups we use so-called safe primes.

p = 2q + 1

The multiplicative group of this prime has $2q$ elements and from monsieur’s Lagrange theorem there are just three subgroups we can venture to. The full group, the two-element group, and $q$ group. We can also jump straight into the $q$ group because of the leak on QR.

Speeding it up

We can use a different prime than the one specified above, but they are pretty much the same. $p = Nq + 1$ $N$ is even and laarge. $q$ can have around $256$ bits.

We will work in a nice group defined by $g^N$ — order $q$ , we can easily check that $x^q = 1$ and computation in such setting are reasonably fast.

$p-1$ has a lot of small factors

This is generally something that must be avoided.

ElGamal

Params: $p, g$

Key setup: $k \in_R \mathbb{Z}_{p-1}$ — private decryption key, $h = g^k$ — public encryption key.

Encryption

x \in \mathbb{Z}_{p}^*

is plaintext.

t \in_R \mathbb{Z}_{p-1}

s = h^t = g^{kt}

this is the shared secret.

y = sx

send

(g^t, y),

acts as one-time pad.

Decryption

calculate

(g^t)^{-k} = g^{-kt}

. Then

x = y g^{-kt} = x g^{kt} g^{-kt}

Some interesting properties

The encryption key can be generated from the decryption — a big difference from RSA. You can’t sign with it.

There is ElGamal signing protocol (used in DSA), different and more complicated than what is described here.

Dominik Farhan

Diffie-Hellman key exchange

On the origin of the name

Description

Some common pitfalls

Agreeing

Small subgroups, tricky attacker

QR and Legendre

Avoiding small subgroups

Safe primes

Speeding it up

$p-1$ has a lot of small factors

Like an asymmetric cipher

ElGamal

Encryption

Decryption

Some interesting properties

Diffie-Hellman key exchange

On the origin of the name

Description

Some common pitfalls

Agreeing

Small subgroups, tricky attacker

QR and Legendre

Avoiding small subgroups

Safe primes

Speeding it up

p−1p-1p−1 has a lot of small factors

Like an asymmetric cipher

ElGamal

Encryption

Decryption

Some interesting properties

$p-1$ has a lot of small factors