The Problem DH Solves
Diffie-Hellman is not for encrypting messages. It is for establishing a shared secret. Two parties run the protocol over a public channel, and at the end of it they both possess the same number, while anyone watching the wire does not.
This is the missing piece that the Key Distribution page set up. Once Alice and Bob share a secret, they can use it as an AES key and switch to symmetric encryption for the rest of the conversation. DH is the doorway. Symmetric crypto is the room.
The Color-Mixing Analogy
Before the math, the intuition. Imagine paint that is trivially easy to mix but practically impossible to un-mix.
- Alice and Bob publicly agree on a starting color, say yellow. Eve is listening; she sees the yellow.
- Alice privately picks a secret color (red) and mixes it with yellow. She gets orange. She mails the orange paint to Bob. Eve sees the orange too.
- Bob privately picks his own secret color (blue) and mixes it with yellow. He gets green. He mails the green to Alice. Eve sees the green.
- Alice receives Bob's green and mixes her secret red into it. She gets a brown that contains yellow + blue + red.
- Bob receives Alice's orange and mixes his secret blue into it. He gets the same brown: yellow + red + blue.
Alice and Bob now share an identical brown. Eve saw yellow, orange, and green go over the wire, but the only way for her to compute the brown would be to un-mix orange or green to extract Alice's or Bob's secret color. Paint does not un-mix. Discrete logarithms do not un-mix either.
The Math Version
Replace paint mixing with modular exponentiation. The math has the same one-way property.
- Alice and Bob publicly agree on a large prime p and a generator g (a number whose successive powers mod p run through a large set of values, ideally every value from 1 to p-1).
- Alice picks a private random integer a, computes A = g^a mod p, and sends A to Bob.
- Bob picks a private random integer b, computes B = g^b mod p, and sends B to Alice.
- Alice computes s = B^a mod p. Bob computes s = A^b mod p. Both arrive at the same value: s = g^(ab) mod p.
The shared secret s is then run through a key derivation function to produce the actual AES key. Eve, watching the wire, has p, g, A, and B. To compute s she would need to recover a from A, or b from B. That is the discrete logarithm problem.
Step Through The Exchange
[Interactive widget on the original page: it runs the math version with small numbers, advancing one step per click of Next step. Its three columns show what Alice knows, what Eve sees on the wire, and what Bob knows; Eve sees the public values but never the private exponents or the final secret.]
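The same walkthrough as runnable code, added here as an example and not part of the original page or its widget. It uses the toy parameters p = 23, g = 5 (an assumption, chosen so every value fits in a line), performs the exchange, and returns the three columns from the widget: what Alice knows, what Eve sees on the wire, and what Bob knows. The key-derivation step uses SHA-256 over the public transcript and the secret as a stand-in for a real KDF such as HKDF; function names are mine.

```python
import hashlib
import secrets

# Toy public parameters. Assumption: chosen tiny so every value is readable;
# real deployments use 2048-bit+ MODP groups or an elliptic curve.
P = 23  # prime modulus
G = 5   # generator: 5 is a primitive root mod 23, so its powers hit 1..22


def pick_private(p=P):
    """A fresh private exponent in [1, p-2], drawn from the OS CSPRNG."""
    return secrets.randbelow(p - 2) + 1


def public_value(priv, p=P, g=G):
    """Mix the private exponent into the public generator: g^priv mod p."""
    return pow(g, priv, p)


def shared_secret(their_public, my_private, p=P):
    """(g^b)^a mod p on Alice's side, (g^a)^b mod p on Bob's: both equal g^(ab) mod p."""
    return pow(their_public, my_private, p)


def derive_key(s, transcript, p=P):
    """Key derivation. The raw shared secret is never used as the AES key: it is
    hashed with the public transcript so the key is uniform and bound to this
    exchange. Assumption: SHA-256 stands in for a real KDF such as HKDF."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(transcript + s.to_bytes(width, "big")).digest()


def run_exchange(a=None, b=None, p=P, g=G):
    """Run the whole protocol and return the three columns of the walkthrough:
    what Alice knows, what Eve sees on the wire, and what Bob knows."""
    a = pick_private(p) if a is None else a
    b = pick_private(p) if b is None else b
    A = public_value(a, p, g)   # Alice -> Bob, over the public channel
    B = public_value(b, p, g)   # Bob -> Alice, over the public channel
    s_alice = shared_secret(B, a, p)
    s_bob = shared_secret(A, b, p)
    assert s_alice == s_bob == pow(g, a * b, p)
    transcript = f"{p}|{g}|{A}|{B}".encode()  # everything Eve also has
    return {
        "alice": {"a": a, "A": A, "B": B, "s": s_alice,
                  "key": derive_key(s_alice, transcript, p).hex()},
        "eve":   {"p": p, "g": g, "A": A, "B": B},   # no a, no b, no s
        "bob":   {"b": b, "A": A, "B": B, "s": s_bob,
                  "key": derive_key(s_bob, transcript, p).hex()},
    }


if __name__ == "__main__":
    # Fixed small exponents (assumed values) for a reproducible run:
    # a = 4, b = 3 gives A = 4, B = 10 and s = 18.
    for who, known in run_exchange(a=4, b=3).items():
        print(f"{who:>5}: {known}")
```

Call `run_exchange()` with no arguments to draw fresh random exponents; the assertion inside checks that both sides land on g^(ab) mod p every time, and the Eve column never contains a, b or s.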
The Discrete Logarithm Problem
Given g, p, and g^a mod p, find a. That is the discrete logarithm problem (DLP). For small numbers it is easy: just try every exponent from 1 up. For the primes used in real DH (2048 to 4096 bits long), exhaustive search is out of the question, and no known algorithm solves the problem in anything close to practical time.
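Eve's side of the story, as an added example (not code from the original page): the brute-force search the paragraph describes, plus baby-step giant-step, a generic square-root-time method that goes beyond the paragraph's "try every exponent" but still grows exponentially in the bit length of p. Both recover a from A and then finish Bob's computation to get s. The wire values p = 23, g = 5, A = 4, B = 10 and the function names are assumptions of this example.

```python
import math


def dlog_brute_force(g, h, p):
    """Solve g^x = h (mod p) by trying x = 0, 1, 2, ... Cost grows linearly with p."""
    acc = 1
    for x in range(p - 1):
        if acc == h:
            return x
        acc = acc * g % p
    return None


def dlog_bsgs(g, h, p, n=None):
    """Baby-step giant-step (Shanks): about sqrt(n) multiplications and sqrt(n)
    table entries, n = order of g (default p-1). Write x = i*m + j with
    m = ceil(sqrt(n)); then h * g^(-i*m) == g^j for some 0 <= i, j < m."""
    n = p - 1 if n is None else n
    m = math.isqrt(n) + 1
    baby = {}                    # g^j -> j for j in [0, m)
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)         # g^(-m): modular inverse, Python 3.8+
    gamma = h
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None


def eve_recovers_secret(p, g, A, B, solver=dlog_bsgs):
    """Eve's whole attack on the wire values: recover Alice's a from A, then
    compute s = B^a mod p exactly as Alice would."""
    a = solver(g, A, p)
    return None if a is None else pow(B, a, p)


if __name__ == "__main__":
    p, g, A, B = 23, 5, 4, 10    # assumed wire values from a toy exchange
    print("a =", dlog_brute_force(g, A, p), "s =", eve_recovers_secret(p, g, A, B))
    # Why this stops scaling: for a 2048-bit p the baby-step table alone would
    # need on the order of 2^1024 entries.
    print("baby-step table entries for a 2048-bit p: about 2^%d" % (2048 // 2))
```

Both solvers are instantaneous at 23 bits and still comfortable at a million-ish modulus; the point is the growth curve, not the speed at toy sizes. Square-root methods are exactly what sets the floor for elliptic-curve key sizes, where nothing better than them is known.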
The best general-purpose algorithm for DLP in prime fields is the number field sieve, the same family of methods used for RSA factoring (there as the General Number Field Sieve). Its running time grows sub-exponentially in the size of p: far faster than exhaustive search, but nowhere near polynomial. This is why DH and RSA tend to use similar key sizes for comparable security levels.
| DH group size | Status |
|---|---|
| 768-bit (RFC 2409 Group 1) | Broken: a 768-bit discrete log was computed publicly in 2016. The 2015 Logjam paper had already broken 512-bit export groups and put 768-bit within academic reach. Found in many old IPsec and TLS deployments. |
| 1024-bit (RFC 2409 Group 2) | Within reach of well-resourced (state-level) attackers, per the Logjam analysis. Deprecated. |
| 2048-bit and 3072-bit (RFC 3526 Groups 14 and 15) | Current standards. NIST SP 800-57 rates them at 112-bit and 128-bit security respectively; 2048-bit is the minimum. |
| Elliptic-curve DH (Curve25519, P-256) | 256-bit ECDH provides roughly 128-bit security with far smaller keys and faster operations. The modern default. |
Ephemeral DH and Forward Secrecy
One of the most consequential design choices in modern protocols is to use a fresh DH key pair for every session. The variant is called ephemeral DH (DHE or, on elliptic curves, ECDHE). Alice and Bob each pick brand-new secret exponents at the start of every connection and erase them as soon as the session key has been derived.
The payoff is enormous and is called forward secrecy: if an attacker later compromises Alice's or Bob's long-term private key, they still cannot decrypt past sessions. Each session's symmetric key was derived from an ephemeral DH exchange whose private exponents no longer exist.
In TLS 1.2 and earlier, with the RSA key exchange, the client encrypted the premaster secret with the server's RSA public key. Years later, if the server's private key leaked, every recorded session could be decrypted retroactively. TLS 1.3 removed that option entirely: every full TLS 1.3 handshake uses ephemeral (EC)DH, and even resumed sessions normally mix in a fresh (EC)DHE share. This is one of the most important security wins of the last decade.
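The forward-secrecy argument, simulated end to end as an added example (not code from the original page). A server runs some sessions with a static long-term DH exponent (standing in for the TLS 1.2 RSA key transport, which fails the same way: one long-term key unlocks every past session) and some with ephemeral exponents. Eve records every transcript, later obtains the long-term key, and tries to decrypt them all. The group p = 2^31 - 1 with generator 7, and all function names, are assumptions of this example.

```python
import secrets

# Toy group. Assumption: p = 2^31 - 1 with primitive root 7 runs instantly yet
# is large enough that a random ephemeral exponent will not collide with the
# long-term one. Real deployments use 2048-bit+ MODP groups or ECDH.
P = 2**31 - 1
G = 7


def _priv(p=P):
    """Fresh private exponent in [1, p-2] from the OS CSPRNG."""
    return secrets.randbelow(p - 2) + 1


def handshake(server_static_priv, ephemeral, p=P, g=G):
    """One client/server session. Returns (what Eve records, the session secret).
    ephemeral=False: static DH, the server reuses its long-term exponent every time.
    ephemeral=True: DHE, both sides draw exponents used for this session only."""
    client_priv = _priv(p)
    server_priv = _priv(p) if ephemeral else server_static_priv
    client_pub = pow(g, client_priv, p)
    server_pub = pow(g, server_priv, p)
    secret = pow(server_pub, client_priv, p)
    assert secret == pow(client_pub, server_priv, p)
    transcript = {"client_pub": client_pub, "server_pub": server_pub}
    # Both private exponents go out of scope here. Under DHE that is the whole
    # point: nothing that persists on either host can recompute `secret`.
    return transcript, secret


def decrypt_recorded_sessions(transcripts, leaked_priv, p=P, g=G):
    """Years later, Eve obtains the server's long-term private exponent and replays
    every transcript she recorded. The leaked exponent only unlocks a session
    whose server share was g^leaked. Returns {session index: recovered secret}."""
    recovered = {}
    for i, t in enumerate(transcripts):
        if pow(g, leaked_priv, p) == t["server_pub"]:
            recovered[i] = pow(t["client_pub"], leaked_priv, p)
    return recovered


def simulate(n_sessions=4, p=P, g=G):
    """Alternate static and ephemeral sessions, then compromise the long-term key.
    Returns, per session, (used_ephemeral, eve_recovered_the_secret)."""
    server_static_priv = _priv(p)
    transcripts, session_secrets, modes = [], [], []
    for i in range(n_sessions):
        ephemeral = i % 2 == 1
        t, s = handshake(server_static_priv, ephemeral, p, g)
        transcripts.append(t)
        session_secrets.append(s)
        modes.append(ephemeral)
    # ... time passes; the long-term key leaks ...
    recovered = decrypt_recorded_sessions(transcripts, server_static_priv, p, g)
    return [(modes[i], recovered.get(i) == session_secrets[i])
            for i in range(n_sessions)]


if __name__ == "__main__":
    for i, (eph, broken) in enumerate(simulate()):
        mode = "DHE" if eph else "static DH"
        outcome = "decrypted retroactively" if broken else "still secret"
        print(f"session {i}: {mode}: {outcome}")
```

Every static session falls to the leaked key; every ephemeral session survives, because the only values that could reconstruct its secret were destroyed when the handshake finished. In a real protocol the long-term key is still needed, but for signing the ephemeral share (authentication), not for deriving the session key.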
Where DH Lives Today
- TLS 1.3: Every connection uses (EC)DHE. The handshake on the TLS Handshake page works this out step by step.
- SSH: The preferred key exchanges (curve25519-sha256, ecdh-sha2-nistp256) are ECDH variants; the finite-field groups (diffie-hellman-group14-sha256 and larger) remain as fallbacks.
- Signal Protocol: The X3DH handshake establishes the initial secret, and the Double Ratchet then performs a new ECDH exchange with every reply and derives a fresh key for every message.
- WireGuard: Curve25519 ECDH for the initial handshake, then ChaCha20-Poly1305 for the tunnel.
- IKEv2 / IPsec: DH groups for VPN key establishment.
Diffie-Hellman is not the most famous algorithm in cryptography, but it is arguably the most ubiquitous. Almost every encrypted connection you make on a daily basis begins with a DH exchange whose result you never see.