Key
Exchange

The key distribution paradox

To send a secret, you need encryption. To use encryption, you need a shared secret. The obvious answer is to send the key over the channel, but the channel is insecure. Anyone listening gets the key and every future message.

This is not a theoretical concern. Every time your browser connects to a website, every time two servers communicate, every time you open a messaging app, this exact problem must be solved first. Without key exchange, symmetric encryption is useless beyond face-to-face meetings.

Why naive solutions fail

Pre-shared keys. Give every pair of users a unique key before they need to communicate. For 10 users, that is 45 keys. For 1,000 users, it is 499,500. For the internet, it is impossible. The number of keys grows as n(n-1)/2, and distributing them securely requires solving the very problem you are trying to avoid.

Trusted couriers. Send someone with the key in a locked briefcase. This works for embassies. It does not work for a billion HTTPS connections per second. Physical delivery is slow, expensive, and does not scale.

Trusted third party. A central server that knows every key and relays them to the right users. This works until the server is compromised, and then every key is exposed at once. It is a single point of failure for the entire system.

From paint to math

Now replace colors with numbers and mixing with a math operation called modular exponentiation (explained in the next section). Alice and Bob agree on a large prime $\color{#e8e8ed}p$ and a generator $\color{#e8e8ed}g$. Alice picks a secret exponent $\color{#8b5cf6}a$, computes $\color{#8b5cf6}A = g^a \bmod p$, and sends A publicly. Bob does the same with his secret $\color{#f59e0b}b$, sending $\color{#f59e0b}B = g^b \bmod p$.

Alice computes $\color{#00e5a0}B^a \bmod p$. Bob computes $\color{#00e5a0}A^b \bmod p$. Both equal $\color{#00e5a0}g^{ab} \bmod p$. The shared secret is identical, yet neither secret exponent ever crossed the channel.

Modular arithmetic

Think of a clock. After 12, you wrap back to 1. Modular arithmetic works the same way: pick a number (the modulus), and after you reach it, wrap around. 17 mod 5 = 2, because 17 divided by 5 leaves a remainder of 2. All arithmetic in Diffie-Hellman happens modulo a prime number p.

Modular exponentiation means raising a number to a power, then taking the remainder. Computing $5^3 \bmod 23 = 125 \bmod 23 = 10$. For small numbers this is trivial. For large numbers, an algorithm called repeated squaring makes it fast even when the exponent has hundreds of digits.

Groups and generators

Take a prime p = 23 and the numbers 1 through 22. Under multiplication mod 23, this set forms a group: you can multiply any two elements and the result is always another element in the set. The set is "closed" under this operation, meaning you never escape the set no matter what you multiply.

A generator is a special element whose successive powers produce every element in the group. For p = 23, the number 5 is a generator: $5^1$ = 5, $5^2$ = 2, $5^3$ = 10, and so on through all 22 elements before returning to 1. Diffie-Hellman uses a generator because it guarantees the shared secret can be any element in the group.

The discrete logarithm problem

Forward (easy): given g, a, and p, computing $g^a \bmod p$ takes microseconds. Even with numbers hundreds of digits long, the computation finishes instantly using repeated squaring.

Backward (hard): given g, p, and the result $g^a \bmod p$, recovering the exponent a requires solving the discrete logarithm problem. For a 2048-bit prime, the best known algorithms need roughly $2^{112}$ operations. This one-way property is the trapdoor that makes Diffie-Hellman secure.

Real-world parameters

The small primes in the demo above (23, 47, 97) are intentionally tiny. An attacker could brute-force the discrete log for those in microseconds. Real Diffie-Hellman uses primes of 2048 bits or more. That is a number with over 600 decimal digits.

NIST recommends 2048-bit primes for 112-bit security (meaning an attacker would need roughly 2^112 operations to break it, far beyond any computer) and 3072-bit primes for 128-bit security. The private exponents must also be large enough to prevent attacks that exploit small exponent spaces.

What is an elliptic curve?

An elliptic curve is the set of points (x, y) satisfying an equation of the form $y^2 = x^3 + ax + b$. Over the real numbers, this produces a smooth curve with a distinctive shape. The specific values of a and b determine the curve. Cryptographic standards define specific curves: P-256 uses particular values chosen by NIST.

These points form a groupunder a special addition operation: you can "add" any two points and get another point on the curve, just like with numbers mod p. This is the same group structure from Chapter 7, but the elements are points on a curve and the operation is geometric addition instead of multiplication mod p. Chapter 7 also showed what these curves look like over a finite field, which is what real implementations compute.

Point addition

To "add" two points P and Q on the curve, draw a straight line through them. That line intersects the curve at exactly one more point. Reflect that intersection over the x-axis, and the result is P + Q. When P and Q are the same point, the line becomes the tangent at P, and you get point doubling: $2P = P + P$.

Scalar multiplication is just repeated addition: $kP = P + P + \cdots + P$ (k times). Computing $kP$ is fast (using a doubling-and-adding algorithm, similar to repeated squaring). But given P and $Q = kP$, recovering k is the Elliptic Curve Discrete Logarithm Problem (ECDLP). Same trapdoor, different math.

The ECDH protocol

The protocol structure is identical to classic DH. Alice and Bob agree on a curve and a base point G. Alice picks a secret number (called a scalar) a, publishes aG. Bob picks b, publishes bG. Both compute abG as the shared secret. The ECDLP from Section 6 is what keeps a and b hidden.

The practical advantage: a 256-bit ECDH key provides roughly 128-bit security, the same as a 3072-bit classic DH key. Smaller keys mean faster computation, less bandwidth, and more efficient handshakes. This is why the industry moved to curves.

How the attack works

Mallory (the name cryptographers use for an active attacker, as opposed to Eve who only eavesdrops) sits between Alice and Bob on the network. When Alice sends her public value, Mallory intercepts it and substitutes her own. She does the same to Bob. Now Mallory has a shared secret with Alice (who thinks she is talking to Bob) and a different shared secret with Bob (who thinks he is talking to Alice).

When Alice sends an encrypted message, Mallory decrypts it with her Alice-side key, reads or modifies it, re-encrypts it with her Bob-side key, and forwards it. Bob receives a valid encrypted message and has no way to detect the interception. The math is correct on every leg. The problem is that the math does not prove identity.

TLS 1.3: the protocol behind HTTPS

Every HTTPS connection starts with a TLS handshake. In TLS 1.3, the client and server perform ephemeral (temporary, single-use) ECDH: they generate fresh key pairs just for this session, exchange public values, derive a shared secret, then discard the private keys. The shared secret is fed through HKDF (a key derivation function that stretches and cleans up raw shared secrets into proper encryption keys) to produce the actual encryption keys.

Forward secrecy is the key property. Because the ECDH keys are ephemeral and discarded after the handshake, even if the server's long-term private key is compromised in the future, past session keys cannot be recovered. The attacker would need the ephemeral keys, which no longer exist.

Signal Protocol: X3DH

The Signal Protocol (used by Signal, WhatsApp, and Google Messages) combines multiple DH operations with different key types to achieve three things at once: authentication (proving who you are talking to), forward secrecy (past messages stay safe even if a key leaks later), and asynchronous initiation (Bob does not need to be online when Alice starts the conversation).

The core idea: Bob pre-publishes some public keys on the server. When Alice wants to start a conversation, she uses those keys to perform ECDH without Bob being present. After the initial setup, the protocol continually rotates keys for every message.

The story so far

The key distribution problem was the missing piece in symmetric cryptography. Diffie-Hellman solved it: two parties can derive a shared secret over a public channel using modular exponentiation and the hardness of the discrete logarithm problem.

ECDH modernized the idea with elliptic curves, achieving the same security with smaller keys and faster computation. TLS 1.3 uses ephemeral ECDH for every HTTPS connection, providing forward secrecy by discarding keys after each session.

The man-in-the-middle attack showed that key exchange without authentication is dangerously incomplete. Mallory can transparently hijack the conversation because Diffie-Hellman proves nothing about identity.