Diffie-Hellman Key Exchanges

What is Diffie-Hellman?

The Diffie-Hellman key exchange protocol, named after Whitfield Diffie and Martin Hellman, is a protocol for two parties to create a shared secret over a public channel without revealing information about the key.

The exchange is made possible by using commutativity in finite cyclic groups, particularly with elliptic curve cyclic groups. That is to say, given a common generator point on an elliptic curve over a finite field $G \in E (F_{p})$ , two parties, Alice and Bob may choose secrets, $a \in F_{p}$ and $b \in F_{p}$ respectively, compute their respective elliptic curve points $[a] G = A \in E (F_{p})$ and $[b] G = B \in E (F_{p})$ (again respectively), and exchange these on a public channel. Finally, they may perform the elliptic curve point arithmetic on their received points with their secrets as follows.

Alice:

$[a] (B) = [a] ([b] G) = [ab] G$

Bob:

$[b] (A) = [b] ([a] G) = [ba] G$

Finally:

$[ba] G = [ab] G$

As such, Alice and Bob have computed a shared secret $[ab] G \in E (F_{p})$ by sharing only $B$ and $A$ over a public channel, which, provided the elliptic curve discrete log problem is intractable, leaks no useful information about $a, b \in F_{p}$ .

This protocol is often used to exchange a cryptographic key to be used in a symmetric encryption algorithm and is used in protocols such as SSH, HTTPS, and a variant of it in the Signal Protocol.

What does a Diffie-Hellman Key Exchange look like?

In practice, each of the two parties performs the following.

Generate a local secret $a \in F_{p}$ with a cryptographically secure pseudorandom number generator.
Add the generator point $G \in E (F_{p})$ to itself $a$ times via elliptic curve point addition and doubling.
Publish the generated point $A \in E (F_{p})$ so the other party can receive it.
Receive the other party's generated point $B \in E (F_{p})$
Add the other party's generated point $B$ to itself $a$ times via elliptic curve point addition and doubling.
The generated point is the shared secret.

Tripartite Diffie-Hellman

A variant of the Diffie-Hellman key exchange protocol is the tripartite Diffie-Hellman key exchange. There are a few variants with different tradeoffs, but we focus on single-round tripartite Diffie-Hellman, which enables a single transmission from each party, irrespective of ordering.

However, for the single-round tripartite Diffie-Hellman, we use the bilinearity of an elliptic curve pairing. The elliptic curves over which the pairing exists are $E (F_{p})$ as above and $E (F_{p^{2}})$ , which is the same elliptic curve function but with scalars as elements of a polynomial field extension $F_{p^{2}}$ . The ellipitic curve pairing function is $e : E (F_{p}) \times E (F_{p^{2}}) \to F_{p^{12}}$ , where the output is an element of a polynomial extension field of degree 12. Alice, Bob, and Charlie agree on two generator points $G_{1} \in E (F_{p})$ and $G_{2} \in E (F_{p^{2}})$ , each chose their respective secret scalar $a, b, c \in F_{p}$ , compute their respective points in both curves $[a] G_{1}, [b] G_{1}, [c] G_{1} \in E (F_{p})$ and $[a] G_{2}, [b] G_{2}, [c] G_{2} \in E (F_{p^{2}})$ , each transmits their respective pairs: $(A_{1}, A_{2}), (B_{1}, B_{2}), (C_{1}, C_{2})$ , then on receiving the other two pairs, compute the elliptic curve pairing and exponentiate the result by their own secret.

Alice:

$e (B, C)^{a} = e ([b] G_{1}, [c] G_{2})^{a} = e (G_{1}, G_{2})^{ab c}$

Bob:

$e (A, C)^{b} = e ([a] G_{1}, [c] G_{2})^{b} = e (G_{1}, G_{2})^{ba c}$

Charlie:

$e (A, B)^{c} = e ([a] G_{1}, [b] G_{2})^{c} = e (G_{1}, G_{2})^{c ab}$

Finally:

$e (G_{1}, G_{2})^{ab c} = e (G_{1}, G_{2})^{ba c} = e (G_{1}, G_{2})^{c ab}$

Note that the ordering of points works out the same, that is to say $e (A_{1}, B_{2}) = e (B_{1}, A_{2})$ .

The steps for each party are as follows.

Generate a local secret $a \in F_{p}$ with a cryptographically secure pseudorandom number generator.
Add the generator point of each curve $G_{1} \in E (F_{p})$ and $G_{2} \in E (F_{p^{2}})$ to itself $a$ times via elliptic curve point addition and doubling.
Publish the generated pair $(A_{1}, A_{2}) \in (E (F_{p}), E (F_{p^{2}}))$ so the other parties can receive it.
Receive the other parties' pairs of generated points $(B_{1}, B_{2})$ and $(C_{1}, C_{2})$
Compute the ellptic curve pairing $e (B_{1}, C_{2})$ (or $e (C_{1}, B_{2})$ ).
Exponentiate the output of the elliptic curve pairing to the power of $a$ : $e (B_{1}, C_{2})^{a}$
The final scalar in $F_{p^{12}}$ is the shared secret.

References

Pairings for Beginners (PDF)

Ronkathon: Cryptography Educational Foundations

Diffie-Hellman Key Exchanges

What is Diffie-Hellman?

What does a Diffie-Hellman Key Exchange look like?

Tripartite Diffie-Hellman

References