🤝 Diffie-Hellman

🇺🇦 UK ← Back
Step-by-Step Math
Colour Mixing Analogy

🔑 Diffie-Hellman Key Exchange

Two parties establish a shared secret over an insecure channel using modular exponentiation. A colour-mixing analogy makes the discrete logarithm problem — the one-way function at the heart of DH — intuitive.

🔬 What It Demonstrates

Alice and Bob each choose a secret, compute g^a mod p and g^b mod p publicly, then raise the other's public value to their own secret power. Both arrive at g^(ab) mod p — the shared secret that Eve cannot compute without solving the discrete log problem.

🎮 How to Use

Follow the step-by-step protocol: choose primes p and g, pick secrets a and b. Watch the colour-mixing analogy unfold. Try to compute the shared secret from the public values — you'll see why it's computationally infeasible.

💡 Did You Know?

Diffie-Hellman (1976) was the first published public-key protocol. Whitfield Diffie and Martin Hellman received the Turing Award in 2015. GCHQ's James Ellis and Malcolm Williamson discovered the same idea in 1969 but it remained classified.

About Diffie-Hellman Key Exchange

This simulation shows how two parties, Alice and Bob, agree on a shared secret over an open channel without ever transmitting it. It uses modular exponentiation in a finite cyclic group: from public values, a prime p and a generator g, each party computes g raised to their private exponent, modulo p. The security rests on the discrete logarithm problem, which makes the operation a practical one-way function.

You pick the public prime p and generator g from the drop-down menus, then set Alice's secret a and Bob's secret b with the sliders. The step-by-step panel evaluates A = g^a mod p, B = g^b mod p and the shared secret g^(ab) mod p, while the colour-mixing canvas illustrates the idea. Diffie-Hellman underpins HTTPS, SSH and VPN key agreement worldwide.

Frequently Asked Questions

What is Diffie-Hellman key exchange?

It is a method, published in 1976, that lets two parties who have never met agree on a shared secret key over a public channel. Each keeps a private number and exchanges only a derived public value. An eavesdropper sees the public values but cannot feasibly reconstruct the secret.

How does the protocol actually work?

Both sides agree on a public prime p and a generator g. Alice computes A = g^a mod p and Bob computes B = g^b mod p, then they swap A and B openly. Alice raises B to her secret a, Bob raises A to his secret b, and both arrive at the same value g^(ab) mod p.

What do the controls on this page do?

The Prime p and Generator g drop-downs set the public parameters everyone can see. The Alice a and Bob b sliders, ranging from 2 to 20, set the two private exponents. Changing any control instantly recomputes the public keys and the shared secret in the maths panel.

Why do both parties get the same secret?

Because exponentiation commutes: (g^a)^b mod p equals (g^b)^a mod p, both being g^(ab) mod p. Alice computes B^a and Bob computes A^b, so they land on the identical number even though neither learned the other's private exponent.

What is the discrete logarithm problem?

Given p, g and the value g^a mod p, recovering the exponent a is the discrete logarithm problem. There is no known efficient algorithm for large primes, so this difficulty is what keeps the shared secret safe even when the public keys are visible.

What can an eavesdropper see, and why can't they break it?

Eve observes p, g, A and B, all sent in the clear. To find the secret she would need to solve the discrete log to recover a or b. With the small primes used here that is easy by hand, but with 2048-bit primes it is computationally infeasible with current hardware.

Is this simulation cryptographically accurate?

The mathematics is exact: it uses true modular exponentiation via fast square-and-multiply on big integers, so A, B and the shared secret are correct. The small primes and the limited slider range are chosen for clarity, not security, so real systems use far larger parameters.

What is the role of the generator g?

The generator g is a base whose powers, taken modulo p, cycle through a large set of residues. A good generator produces many distinct values, giving more possible shared secrets. In practice g is chosen so the group it generates is large and lacks small subgroups that would weaken the exchange.

Does Diffie-Hellman provide authentication?

No. Plain Diffie-Hellman gives confidentiality of the key but not identity, so it is vulnerable to a man-in-the-middle who sits between the parties. Real deployments combine it with signatures or certificates to authenticate the public values before trusting them.

Where is Diffie-Hellman used in the real world?

It secures the key agreement step in TLS for HTTPS websites, in SSH remote logins, in IPsec and other VPNs, and in messaging apps. Modern variants such as ephemeral Diffie-Hellman and elliptic-curve Diffie-Hellman add forward secrecy and use smaller, faster keys.