j🌻m18h ago
Julia Evans

how diffie hellman key exchange works

(with as little math as possible)

Mar 26 at 7:46pmWeb
Show threadJulia Evans20h ago

(the above happened because i realized at some point that even though diffie hellman key exchange _uses_ things like "elliptic curves" or "modular arithmetic" to work, you do not need to actually _understand_ those things to understand the basic idea, and I thought that was cool!)

anyway this is what your computer is doing every time you make a HTTPS connection, to figure out what secret key to use to encrypt the connection

Show threadanarcat20h ago
@b0rk that's beautiful.
Show threadMark Dominus20h ago

@b0rk That is a really nice explanation, thanks!

Your remark that “you do not need to actually _understand_ those things to understand the basic idea” reminds me of a math SE question I answered a while back: “My little cousin (12year) asked me about how emails are encrypted … Is there a teacher here who knows how to make her understand how to factor a number in to primes and what a prime number is?”

I had to answer twice. First I answered the question that was asked: I do know how to explain prime and composite to kids. But if what the the kid wants is to understand how emails are encrypted, the prime number thing is an unimportant implementation detail. I suggested explaining Vigenère ciphers instead.

https://math.stackexchange.com/a/508205/25554

Show threadJulia Evans20h ago
@mjd yeah this happened because someone asked me how DH works and I started explaining modular arithmetic and I realized, wait, that's not important, I don't understand that much about elliptic curve addition or whatever either but I still get the basic idea behind ECDH
Show threadGlitzersachen20h ago

@b0rk

Wow, thanks.

Show threadtanavit20h ago

@b0rk

Excellent.

Show threaddivVerent20h ago
@b0rk Nice! You actually need one more fact: an attacker can't be able to, given S o A and S o B, find (S o A) o B.

Of course, if you can find B given S o B, you can do this; however the converse is not true in general (but may be in concrete cases). So in a way, the DH problem is likely easier than the DL problem, and is probably the real fact that needs to be hard.

However, if you were to put that in panel 2, you'd already be giving away too much there... organizing things well is hard to impossible.
Show threadJulia Evans20h ago
@divVerent ah yeah good point! do you know an example offhand where you can find (S o A) o B given S o A and S o B? (but not find B given S o B)
Show threadSamir Parikh19h ago

@b0rk @divVerent Not sure what you're asking but might it be like the mixing paint example in the video I linked to?

In that example, Alice and Bob share a common paint color to which they mix their secret color. They share that combination with each other, add their secret color again to arrive at a shared secret key. Horrible explanation on my part which the video does a much better job at.

But I probably am completely misunderstanding your question in which case ignore this!

Show threaddivVerent11h ago
@b0rk No such groups are known yet. However one can easily prove that discrete log solves CDH, whereas no general reduction from CDH to discrete log exists, which in a way tells that DL is a "harder or equivalent" problem.

There exists however such a reduction for some elliptic curves (e.g. the NIST curves and Curve25519); these curves are usually preferred, as we then only depend on one problem being hard.
Show threadSamir Parikh20h ago

@b0rk Great explanation. For anyone who may still not understand this or prefer a video, I highly recommend watching this one:

https://youtu.be/YEBfamv-_do?si=rEEW5MdYTOrbzhBU&t=138

Diffie-Hellman Key Exchange

YouTube
Show threadChristopher Kruse19h ago

RE: https://infosec.exchange/@sophieschmieg/116246805758237078

@b0rk you don't just get Diffie to sign it?

Show threadJan Lehnardt 19h ago
@b0rk 😭😭😭😭this is so well done and clear 💖💖💖💖
Show threadCraig Stewart19h ago
@b0rk have you seen the paint explainer for Diffie-Helman? That's quite a good way to get the idea across.
Show threadJulia Evans19h ago
@pmb00cs i have! i wanted to write something a little closer to the mathematical reality
Show threadCraig Stewart19h ago
@b0rk that's fair enough, and I think you've done an excellent job of it. I just like the paint analogy because it's easy to grasp that unmixing paint is hard.
Show threadJulia Evans19h ago

@pmb00cs one interesting way the mixing paint metaphor doesn't work (imo) is that when you're mixing paint the two colours you're mixing both have the same "type", and it's a symmetric operation (a mixed with b is the same as b mixed with a)

but in diffie hellman the operation is not symmetric at all, like the type of the function is more like f(type1, type2) => type1

I think saying that "s" and "a" are both "numbers" might be a bit of an oversimplification in that sense

Show threadJulia Evans19h ago

@pmb00cs but I definitely have a tendency to be overly critical about the specifics of metaphors in a way that's not necessarily helpful :)

the paint thing is cool!

Show threadCraig Stewart19h ago

@b0rk I mean, there's a point where a metaphor doesn't work anymore, because it's not the truth, just a way to explain part of the truth. If you need perfect accuracy you're just explaining reality.

The paint metaphor also breaks down because there are tools for recreating paint colours accurately from pure pigments. Do that for (sxa), (sxb), and s, and you recover a and b. So it's not really suitable as a form of key exchange. But it is easy to understand on a basic level.

Show threadCy19h ago
https://fedicy.us.to/Diffie-Hellman%20Key%20Exchange-Art%20of%20the%20Problem.webm
Show threadednl 🇪🇺17h ago
@b0rk Small typo in panel 4, choose = chose?
Show threadCounting Is Hard17h ago

@b0rk you can do it without maths at all. Say I want to give you my bicycle, but our schedules just will never work out for me to give you it directly. Well, we pick a place both of us can access, say outside the train station. I lock my bike up at a designated spot and go about my day. You come along with your own lock and use it to fasten the bike to the same spot without interfering with my lock, then go about your day. At some point I remove my lock, after which you can remove yours and gain a bicycle.

As I understand it, such a protocol was the inspiration for DH key exchange. Picking a spot is picking a generator. Locking is exponentiating. Locks not interfering is the commutativity property.

It's the explanation I always use when TAing cryptography

Show threadthe esoteric programmer16h ago
@b0rk I would boost it, but the attached image doesn't have any alt text, so I can't. What's the image about? is it showing a mathematical formula or something similar? a diagram?
Show threadJulia Evans16h ago
@esoteric_programmer will write some and let you know when it’s added
Show threadactive landslide15h ago
@b0rk I love it. when I have taught this material, I have fallen back on the paint mixing analogy, but as a colorblind person this never felt right!
Show threadSnoopJ12h ago
@b0rk am I missing something or is "add the result s to itself x times) a result of mixed-up puncutation? Did a double-take at that
Show threadSnoopJ12h ago
@b0rk fantastic work as usual, thanks for sharing 
Show threadJulia Evans8h ago

@SnoopJ what do you mean by mixed up punctuation?

it’s trying to explain how on an elliptic curve, you start with an initial point s on the elliptic curve, choose a random integer x , and then add that point s to itself x times (using elliptic curve addition) to get the result of the “magic function”

Show threadBrandon Mitchell7h ago
@b0rk @SnoopJ the "add the point" bit starts with a double quote, but ends with a parenthesis. I think it should be closed with a double quote.
Show threadJulia Evans4h ago
@bmitch @SnoopJ oops yeah thanks
Show threadThomas Arildsen10h ago
@b0rk that’s a great explainer. You made it straightforward for me to understand how it works without having to know how the functions involved work (I don’t).
And the keys are for symmetric encryption, I guess?
Show threadProgrammer 832-529 🍅4h ago
@b0rk like how you used 'hard to undo'. I used to explain it by saying the inverse is really hard to do but that explanation is simpler.
Show threadGerbrand van Dieyen3h ago
@b0rk @agturcz Ik love the smiley operator!
Show threadLindsey Kuper2h ago
@b0rk The Wikipedia article uses a color-mixing analogy that I've always liked. I used to know someone who would do the color-mixing thing live in a class she taught!