summaryrefslogtreecommitdiff
path: root/source/know/concept/diffie-hellman-key-exchange/index.md
blob: 3525881d19d277d56a438590833703a396722d7d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
---
title: "Diffie-Hellman key exchange"
sort_title: "Diffie-Hellman key exchange"
date: 2021-03-06
categories:
- Cryptography
layout: "concept"
---

In cryptography, the **Diffie-Hellman key exchange** is a method for two parties,
who can only communicate over an insecure channel,
to securely agree on an encryption key.

The fundamental assumption of the Diffie-Hellman scheme,
upon which its security rests,
is that the following function $$f(n)$$ is a **trapdoor function**,
which means that calculating $$f$$ is easy,
but its inverse $$f^{-1}$$ is extremely hard:

$$\begin{aligned}
    f(n)
    \equiv g^n \bmod p
\end{aligned}$$

Where $$n$$ is a natural number, and $$p$$ is a prime.
The natural number $$g$$ is a so-called *primitive root modulo* $$p$$.
Importantly, $$g$$ and $$p$$ have been specifically chosen
such that $$f(n)$$ can take any value in $$\{1, ..., p \!-\! 1\}$$
for $$n$$ in $$\{0, ..., p \!-\! 2\}$$.
The trapdoor assumption is that, given $$g$$, $$p$$ and $$f(n)$$,
there is no efficient algorithm to recover $$n$$.

Suppose that Alice and Bob want to exchange encrypted data in the future,
so they need to agree on an encryption key to use.
However, they can only exchange messages with each other over
an insecure channel, which is being eavesdropped.

After they publicly agree on the values of $$g$$ and $$p$$,
Alice and Bob each choose a secret number from $$\{0, ..., p \!-\! 2\}$$, respectively $$a$$ and $$b$$,
and then privately calculate $$A$$ and $$B$$ as follows:

$$\begin{aligned}
    A
    \equiv g^a \bmod p
    \qquad \qquad
    B
    \equiv g^b \bmod p
\end{aligned}$$

Finally, they transmit these numbers $$A$$ and $$B$$
to each other over the insecure connection,
and then each side calculates $$k$$, which is the desired secret key:

$$\begin{aligned}
    \boxed{
        k
        \equiv A^b \bmod p
        = B^a \bmod p
        = g^{ab} \bmod p
    }
\end{aligned}$$

The point is that $$k$$ includes both $$a$$ *and* $$b$$,
but each side only needs to know *either* $$a$$ *or* $$b$$.
Thanks to the trapdoor assumption,
the eavesdropper knows $$A$$ and $$B$$,
but cannot recover $$a$$ or $$b$$.

This assumption is just that: an assumption.
So far, nobody has been able to prove or disprove it
for classical computation.
However, for quantum computers,
it has already been *dis*proven!
In this case, another method must be used,
for example the [BB84 protocol](/know/concept/bb84-protocol/).



## References
1.  J.B. Brask,
    *Quantum information: lecture notes*,
    2021, unpublished.