An Interactive Guide to Diffie-Hellman Key Exchange

Suppose two people want to send messages that no one else can read. The obvious approach is encryption. Scramble the message with a key, and only someone with the same key can unscramble it. But that raises an immediate question. How do they agree on a key without anyone else seeing it?

Before 1976, the only answer was to meet in person and exchange keys physically. That works at small scale. It does not work for the internet, where millions of strangers need secure sessions without ever having met.

Whitfield Diffie and Martin Hellman answered it in 1976, in a paper called “New Directions in Cryptography”. Their key exchange lets two parties derive a shared secret purely through public messages. Every HTTPS connection today descends from that idea.

# One-way operations

The whole protocol depends on one idea. Some operations are easy to do and hard to reverse. Computing $g^x \bmod p$ (raise $g$ to the power $x$ , divide by $p$ , keep the remainder) takes a fraction of a second. But given only the result, recovering $x$ is believed to be infeasible for large enough numbers. There is no known fast way to run it backwards. This operation is called modular exponentiation, and that asymmetry is the only thing DH needs.

# Parameters

The exchange uses two public parameters, a prime $p$ and a generator $g$ .

$p$ is a large prime. All calculations happen mod $p$ , meaning results are taken as remainders after division by $p$ . Every value stays in the range $1$ through $p-1$ . In practice, $p$ is chosen as a safe prime of the form $p = 2q + 1$ , where $q$ is also prime. If $p-1$ factors into small primes, an attack called Pohlig-Hellman can solve the discrete logarithm cheaply by factoring the problem into small pieces and combining them. Making $p-1 = 2q$ with $q$ prime leaves only the large factor $q$ to attack.

$g$ is an integer whose powers cycle through much of that range. Raise $g$ to successive powers mod $p$ and you visit distinct values before looping back to $g^0 = 1$ . The length of that cycle is the order of $g$ . A short cycle makes recovering a secret cheap regardless of how large $p$ is, so $g$ is chosen to generate the subgroup of order $q$ , giving its cycle exactly $q$ elements. The brute-force cost of recovering a secret from this subgroup is on the order of $\sqrt{q}$ operations. When $q$ is thousands of bits long, that number is out of reach.

Both are agreed on in advance and sent in the clear. An attacker knows $p$ and $g$ too. The security comes not from hiding them but from the gap between what is easy to compute and what is hard to reverse.

The 2 parties, Alice and Bob in our case, pick their secret keys $a$ and $b$ respectively.

Parameters

Alice’s and Bob’s secret values are hidden by default to reflect that they stay private during the exchange. Click the eye icon to reveal them and watch how each secret feeds into the computations below.

# The exchange

They don’t exchange their secret keys. Each uses their secret to compute a public value from $g$ and $p$ , and sends only that result across the channel.

Alice sends

5^? mod 238

Bob sends

5^? mod 2319

Alice computes19^? mod 232

Bob computes8^? mod 232

# Why it works

Bob’s public value is $g^b \bmod p$ . When Alice raises that to $a$ , she gets $(g^b)^a \bmod p$ , which equals $g^{ab} \bmod p$ . Alice’s public value is $g^a \bmod p$ . When Bob raises that to $b$ , he gets $(g^a)^b \bmod p$ , which also equals $g^{ab} \bmod p$ .

The eavesdropper saw $g$ , $p$ , $g^a \bmod p$ and $g^b \bmod p$ . To find the shared secret, they need to recover $a$ from $g^a \bmod p$ or $b$ from $g^b \bmod p$ . That is the discrete logarithm problem. For small numbers, you try every possibility until something matches. For a 2048-bit prime, the search space exceeds the number of atoms in the observable universe. No computer can exhaust it.

The best known classical algorithms, like the General Number Field Sieve, do better than brute force, but not enough to matter at proper parameter sizes. This is why implementations use primes of at least 2048 bits.

Quantum computers break this. Shor’s algorithm solves the discrete logarithm problem efficiently, so a sufficiently powerful quantum computer breaks standard DH outright. Modern TLS increasingly favors elliptic curve Diffie-Hellman (ECDHE), which offers stronger security per bit even against classical attackers, and post-quantum cryptography exists precisely because Shor’s threat is real.

Table Of Contents