Diffie-Hellman Key Exchange - Clarification?

Question

A Brief :

Alice and Bob is trying to communicate without wanting Eve (which is listening) to know what they are going to talk about.

So

               Bad Eve
                  |
                  |
Alice ------------+--------------- Bob                               

Alice and Bob are publicly agree on a prime modulus and a generator.

Say

• Generator = 3
• Prime = 17

So the formula will be (for example) :

3^x % 17

OK.

Alice is choosing a private number (say 15) and do 3^15 %17 => 6
Bob is choosing a private number (say 13) and do 3^13 %17 => 12

Now Alice and Bob tell each other their results (not their private keys) while Eve is listening.

So now the picture is :

                Bad Eve ( knows : 3^x %17 , 12,6)
                   |
                   |
 Alice ------------+--------------- Bob  
 (15)private                       (13)private 
  12(Bob's)                        6(Eve's)                       

Now Alice takes Bob's 12 and her private key and do :

((other's public num) ^ secret number) % 17

Alice is doing : 12^15 % 17 => 10

Bob is doing : 6^13 % 17 => 10

So now they have the same symmetric number.

Now:

This is an example and it's easy to hack.

All Eve has to do is to try to find which x in 3^x % 17 would be 15 or 13.

But Apparently we are talking about big numbers here.

If so - I wrote this demo :

Console.WriteLine(BigInteger.Pow( new BigInteger(3213213213212123332), 6549875) % 17);

Which is :

3213213213212123332 ^ 6549875 % 17

I have I7 with 16gb ram and this run over 5 min

Question :

If both sides ( Alice & Bob) uses big numbers , then it takes a very very long time for them to get a result for the first step ( which later they should exchange that value)

I might be missing something here but it seems that making Eve's life hard by using large numbers , also makes Alice's and Bob's lifes hard.

What am I missing?

Answer 1

The thing you're missing is called modular exponentiation. This is a fast method for calculating huge exponentials modulo some value.

For example, suppose you want to calculate (123^456) mod 777.

If you perform the exponentiation first, you'll get a result with about 1000 digits. For the sort of values typically used in DH key exchange, you could end up working with many more digits, possibly even millions. This is clearly not at all efficient.

Modular exponentiation breaks the problem down into much easier steps. There are two mathematical identities that make this possible:

1. (x^a) × (x^b) = x^(a+b), and
2. (x^y) mod n = ((x mod n)^y) mod n

---

Proof:

The first of these should be fairly self-evident. The second can be proved as follows:

If x mod n == z, then x is equal to (c×n + z) for some integer value of c. The binomial expansion of (c×n + z)^y has (y+1) terms

c^y×n^y + k1×c^(y-1)×n^(y-1).z + k2×c^(y-2)×n^(y-2)×z^2 + ... + k(y-1)c×n×z^(y-1) + z^y

(where k1 ... k(y-1) are binomial coefficients)

All of these terms except for the last one (z^y) are multiples of n, and are therefore equal to zero (mod n). Therefore (x^y) mod n == (z^y) mod n == ((x mod n)^y) mod n.

---

Modular exponentiation algorithm:

To calculate (x^y) mod n, repeatedly multiply x by itself to obtain the following sequence:

X0 = x mod n
X1 = X0×X0 mod n = x^2 mod n
X2 = X1×X1 mod n = x^4 mod n
X3 = X2×X2 mod n = x^8 mod n
X4 = X3×X3 mod n = x^16 mod n

Now multiply together the terms in this series that correspond to the set bits in the binary representation of y. For example, suppose y=21:

(x^21) mod n = ((x^16) × (x^4) × x) mod n = (X4 * X2 * X0) mod n

There are two advantages of doing the calculation this way. First, the largest number you will have to calculate will have at most twice as many digits as the modulus n. Second, the number of calculations you have to perform is proportional to the (base 2) logarithm of the exponent, which means the calculation will run millions of times faster for exponents like 6549875.