ScholarGate

Diffie-Hellman Key Exchange

The Diffie-Hellman protocol lets two parties establish a shared secret over an insecure channel without any prior shared key, by exchanging public values derived from private exponents.

Definition

Diffie-Hellman key exchange is a protocol in which each party raises a common generator to a private exponent, exchanges the result, and raises the received value to its own exponent, both arriving at the same shared secret that an eavesdropper cannot feasibly compute.

Scope

This topic covers the Diffie-Hellman key-exchange protocol and the discrete logarithm problem underlying its security, the Computational and Decisional Diffie-Hellman assumptions, ElGamal encryption built on the same structure, ephemeral key exchange for forward secrecy, and the man-in-the-middle threat that motivates authentication. It excludes RSA (factoring-based) and the elliptic-curve realization of Diffie-Hellman, which is treated under elliptic-curve cryptography.

Core questions

  • How can two parties agree on a shared secret while an eavesdropper sees all messages?
  • Why does the discrete logarithm problem make the exchanged secret hard to recover?
  • What is the difference between the Computational and Decisional Diffie-Hellman assumptions?
  • How does ephemeral Diffie-Hellman provide forward secrecy?
  • Why is unauthenticated Diffie-Hellman vulnerable to a man-in-the-middle attack?

Key concepts

  • shared secret agreement
  • generator and cyclic group
  • private and public exponents
  • discrete logarithm problem
  • Computational Diffie-Hellman (CDH)
  • Decisional Diffie-Hellman (DDH)
  • ephemeral key exchange and forward secrecy
  • man-in-the-middle attack
  • ElGamal encryption

Key theories

Discrete logarithm hardness
Diffie-Hellman is secure because, while modular exponentiation is easy, recovering the private exponent from the public value (the discrete logarithm) is believed intractable in suitable groups.
Computational and Decisional Diffie-Hellman assumptions
Security is formalized via the CDH assumption (computing the shared secret is hard) and the stronger DDH assumption (the shared secret is indistinguishable from random), the latter underpinning provably secure ElGamal-style encryption.

Mechanisms

Over a cyclic group with public generator g, Alice picks a secret a and sends g^a, Bob picks b and sends g^b; each computes the shared secret g^(ab) by raising the received value to its own exponent. An eavesdropper sees g, g^a, and g^b but must solve the discrete logarithm or Diffie-Hellman problem to find g^(ab). Using fresh (ephemeral) exponents per session yields forward secrecy: compromising long-term keys later does not reveal past session keys.
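The exchange above as an added Python example (not part of the ScholarGate page): each side validates the peer's public value (range check plus subgroup-order check) before exponentiating with its secret, hashes g^(ab) into a session key rather than using it raw, and draws fresh exponents per session so that two sessions never share a key. The 46-bit constructed safe-prime group, the is_prime and safe_prime_group helpers and the "dh-demo-v1" label are assumptions made for illustration only; real deployments use the fixed RFC 7919 groups of 2048 bits or more.

```python
import hashlib
import secrets

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these seven bases are exact for every n < 3.4e14 (about 48 bits)."""
    bases = (2, 3, 5, 7, 11, 13, 17)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # write n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits: int = 46) -> tuple[int, int, int]:
    """Constructed toy group p = 2q + 1 (q prime); real deployments use fixed RFC 7919 groups of 2048+ bits."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # g = 4 = 2^2 is a square mod p, so it generates the order-q subgroup

def dh_keypair(p: int, q: int, g: int) -> tuple[int, int]:
    """Fresh (ephemeral) exponent x in [1, q-1] and the public value g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def validate_public_value(y: int, p: int, q: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup before a secret exponent touches it."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def dh_shared_key(their_pub: int, my_priv: int, p: int, q: int) -> bytes:
    """Validate the peer's value, compute g^(ab) mod p, and hash it into a fixed-length session key."""
    if not validate_public_value(their_pub, p, q):
        raise ValueError("invalid Diffie-Hellman public value")
    secret = pow(their_pub, my_priv, p)
    return hashlib.sha256(b"dh-demo-v1" + secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def run_session(p: int, q: int, g: int) -> tuple[bytes, bytes]:
    """One ephemeral exchange: Alice derives from Bob's g^b, Bob from Alice's g^a; the two keys must match."""
    a, ga = dh_keypair(p, q, g)
    b, gb = dh_keypair(p, q, g)
    return dh_shared_key(gb, a, p, q), dh_shared_key(ga, b, p, q)
```

The subgroup check is what rejects values such as 1 or p-1 that would force the shared secret into a tiny set regardless of the private exponent.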

Practical relevance

Diffie-Hellman is the basis of key establishment in TLS, IPsec/IKE, SSH, Signal, and WireGuard. The ephemeral variants (DHE and the elliptic-curve ECDHE) provide the forward secrecy that protects recorded traffic against future key compromise. Authenticating the exchange (with certificates or signatures) is what defeats the man-in-the-middle attack to which plain Diffie-Hellman is exposed.

Evidence & guidelines

Finite-field Diffie-Hellman parameters are specified in RFC 7919 (safe named groups); NIST SP 800-56A standardizes key establishment. Best practice uses ephemeral keys for forward secrecy and well-vetted groups. The Logjam attack (2015) showed that weak 512-bit export-grade and reused 1024-bit groups are exploitable, prompting migration to 2048-bit groups or elliptic curves.

History

Diffie and Hellman published the key-exchange protocol in their 1976 paper that launched public-key cryptography, building on Merkle's earlier puzzle idea. (Malcolm Williamson had discovered an equivalent method at GCHQ in 1974.) ElGamal generalized the construction into a public-key encryption and signature scheme in 1985. The protocol moved from finite-field groups to elliptic curves and became the standard means of session-key establishment on the internet.

Key figures

  • Whitfield Diffie
  • Martin Hellman
  • Ralph Merkle
  • Taher ElGamal
  • Malcolm Williamson

Seminal works

  • diffie1976
  • katz2020
  • menezes1996

Frequently asked questions

Does Diffie-Hellman by itself authenticate the parties?
No. Plain Diffie-Hellman establishes a shared secret but does not verify who is on the other end, so an active attacker can run two exchanges and sit in the middle. Real protocols authenticate the exchange with certificates, signatures, or a pre-shared key.
What is forward secrecy and how does Diffie-Hellman provide it?
Forward secrecy means that compromising long-term keys later does not expose past sessions. Using fresh, ephemeral Diffie-Hellman exponents for each session and discarding them afterward ensures that no stored key can reconstruct previously recorded traffic.