The RSA algorithm can be used for digital signatures. We can encrypt using a private key to sign something. It can be used for exchanging secrets. We can encrypt with the public key of the recipient to ensure we have confidentiality. The original public key algorithm created by Diffie and Hellman was not used for those two purposes. It was designed initially just for key exchange. We want to get a secret from A to B, and I don't want anyone else to know that secret. So that's the problem we have. How do I do that? What's your suggestion? You want to get a secret to someone else, the secret values, maybe some number. Steganography, where we hide that secret in another message, but as soon as the attacker knows the algorithm we're using, they find and discover it. So steganography maybe works for a short time, but not for long. What else can we do? I want to get a secret from A to B. I choose the secret, or I create a value. We want to get it from A to B, and B is on the other side of the world. We only have communications via the internet. So we want to do it in a matter of seconds. I want to get a secret from A to B. We could use RSA. I generate the secret. I encrypt using B's public key. So that would work. This is a different way, and it's maybe a little bit simpler. Let's see how Diffie-Hellman Key Exchange works. Here's the algorithm. We'll start this slide, and we'll use it to go through an example to show the steps. We start with some public values called global public elements, basically two values which are known by everyone, known by A and B, and also known by the attacker, we assume. We call them Q and Alpha. Q will be a prime number. Alpha will be less than Q and a primitive root of Q. Can you remember primitive roots? So from number theory, primitive roots, remember if we take a number and raise it to the power of one, raise it to the power of two, raise it to the power of three, up to N, and the answers are unique.
We said that number is a primitive root of N. We had an example, I think, with 19. Mod 19, we took some number, three to the power of one, three to the power of two, three to the power of three, up to three to the power of 18, all Mod 19, and since all of those answers were distinct, they're all different, there was no repetitions, we said three was a primitive root in Mod 19. I will tell you the value we'll use for Alpha, so you don't need to calculate that. But these will be public, everyone knows them. User A will go through some steps, exchange some values with user B. Any questions? Let's have some volunteers come down the front. One, two. Come down the front. One, two. There's three seats down here, so we only have two people at the moment. I need another volunteer shortly. So you'll help us and calculate the answers. But before we get them involved, let's just summarise what we're going to do. User A is going to select a private value, and they can choose a random value here. It just must be less than Q, we'll call it XA, the private value X. User B will do the same, so you'll be user B. You'll choose your own random value, X, it'll be less than Q, easy. And you'll calculate a public value, which we'll call Y. And the way to calculate this value of Y is take Alpha, raise to the power of your X and mod by Q. And B does exactly the same, but they use their X value. So A has private X from public Y, B has private X from public Y, then they exchange their Y values. They send their Y values to each other. And the last step is that they'll calculate a secret key, K. And the equations given here take the public Y, raise to the power of the private X, mod by Q, and similar at B. And the idea, the aim, A and B, exchange some values such that they both end up with the same value, K. Both sides have the same value, K, the secret key, and that the attacker, the third person, cannot discover K. So the aim is A and B know K, and no one else knows K. 
And K is the same at both sides, of course. Let's illustrate this through an example. Everyone can follow along on this example, then we'll get you to do your own. I will choose some values, again, small enough that we can do them or some parts by hand. You have a phone, you have a tablet, good, get your calculator ready. You'll need us, you'll need it. And if you want, you can... If you don't have a calculator or your calculator is not very accurate, you can use a website, your favorite search engine to calculate exponentials and modulus. Google, Bing or others will calculate for you, if you need. They want to exchange a secret. There are two public values, Q and alpha. And I'm going to choose these values for this first example. Q of 353 and alpha is 3. And both of them know those values. That is, they posted them on a website, they sent an email to each other containing these two values. The attacker may also know them because they are public. Alpha of 3 is a primitive root of the prime 353. User A. User A is our first user. User A chooses a private value X. What are you going to choose? Choose X. How are you going to choose it? Should not be less than 3, necessarily. It should be less than 353. Q is our limit. We're going to mod by Q, which should be less than 353 in this case. So he will choose a random number between 0 and 353. And he does that. And he chooses a random number. What did you choose? X. I'll call it X of A. He chose 97. Good. That's chosen. B does the same thing independently. But we'll come back to B in a moment. And now you choose... After you've chosen your private value, don't tell anyone your value of X. Calculate Y. Use your calculator to calculate Y. And you can see on the slides the equation for calculating Y. Y of A, alpha to the power of XA mod Q. Someone help him use a calculator. And as a shortcut, if you've got internet access, just open up Google Bing or something and type it in and it will calculate for you. Wolfram, anything. 
Most search engines will just type in your value of alpha 3 3 to the power of 97 mod. So you can use percent sign in the search engine 353. And what does it tell you? What does it tell you? 40. 3 to the power of 97 is that number? Mod 353. 40. That's your public value. Send it to B. Send it to B. In fact here, we could also send alpha and Q to B as well. If B didn't know them in advance, we could send a message containing the three values. They either agree in advance or in the first message sent from A to B, it sends 30 as well as alpha and Q. What are you going to do next? You receive this message. B generates a random number, XB less than 353, and then calculates his public value, Y, YB. It's the same as the steps that are used. Quite easy. Select a secret, random number, there's a random number, say Y. Same algorithm. Use your calculator and find the answer. What do you get? 233, space, 248. You should not... When you use your calculator, you should not calculate the exponent first, get the answer, and then mod. Because often when you calculate the exponent, the answer will be approximated. It will not be the full one. But many algorithms today or many calculators, if you include the mod in the first operation, it will find you the exact answer. I'll show you on my calculator what I mean by that. I think it will work. I'm not sure the limits of this one. 3 to the power of 233, it doesn't give me the exact number. It gives me an approximation. And now if I want mod by 353, my calculator is smart enough to know. So that was a bad example. Your calculator may not know. That is, let's see how smart it is. It still remembers. Your calculator may be as smart as this one. Good. But normally you should do the full equation. Because some calculators will calculate the mod without the approximation. We get 248. Just to be... There's 3 to the power of 233. This calculator goes as long as it can. 248 is our answer. Send it back to A. YB, the public value. Are we finished? 
Now, the aim is that A and B have a secret key. We'll call it K. To calculate that, they both, once B has calculated and sent this value, can calculate the secret. And similar, when A receives YB, it can calculate the secret. I'll call it KA. Take the Y of the other person, raise it to your X, mod by Q. And B does the same. To calculate KB, take the Y of the other person, raise it to your X, mod by Q. Both of them do that independently. You will do it first. And you can do it at the same time. Don't copy him though. You're on the other side of the world. You can't see what he's doing. Let's find out. Calculate KA and KB. Here's how to use your phone. You can do the calculations. Probably faster than the calculator. KA and KB. Let's plug in the numbers and see. YB, 248. XA, I chose to be 97. Or user A did. Mod 353. 248 to the power of 97, mod 353. Note that's a large number. Mod 353. Right down the bottom is 160 is the answer. What about B? YA was 40. XB was 233. Mod 353. Calculator time. 40 to the power of 233 is this large number. Has many zeros at the end. 40 raised to the power of 233. 40 raised to the power is going to end with zeros. Mod 353. 160. Is it lucky? KA and KB end up being the same. We now have a shared secret between A and B. They both know 116. Any questions? 3 to the power of zero is always one, isn't it? Yeah. I think we don't consider zero. So two questions that you should have. Do we always get the same K? That is, do A and B always end up with the same K? The answer is yes. Next question from that should be why? Well, you'll prove that. In the same way we proved that RSA always works. You can very easily, much easier than RSA, prove that using this algorithm A and B will always end up with the same value of K. Try and prove that. Another question is what about the attacker? Can an attacker find K? What does the attacker need to do to find K? Let's consider the attacker. What does the attacker know? They know the public values Q and alpha.
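The exchange just walked through, as an added example that is not part of the lecture: it runs both sides of the algorithm on the lecture's own toy parameters (Q = 353, alpha = 3, XA = 97, XB = 233) and checks the primitive-root condition the way the lecture defines it. The function names are mine. Python's three-argument `pow()` does exact modular exponentiation, which is the point made above about not computing the exponent first and taking the modulus afterwards on an approximated result.

```python
import secrets

# Added example (not lecture code). Toy parameters from the lecture:
# q = 353, alpha = 3, XA = 97, XB = 233 -> YA = 40, YB = 248, K = 160.

def is_primitive_root(alpha, q):
    """Lecture definition: alpha^1, alpha^2, ..., alpha^(q-1) mod q are all distinct."""
    seen = set()
    acc = 1
    for _ in range(1, q):
        acc = acc * alpha % q
        if acc in seen:
            return False
        seen.add(acc)
    return True

def public_value(alpha, x, q):
    """Y = alpha^x mod q, computed with exact modular exponentiation
    (no floating-point approximation of alpha^x first)."""
    return pow(alpha, x, q)

def shared_key(y_other, x, q):
    """K = (the other side's Y)^(own private X) mod q."""
    return pow(y_other, x, q)

def diffie_hellman(q, alpha, x_a, x_b):
    """Run both sides and return (YA, YB, KA, KB); KA and KB must agree."""
    y_a = public_value(alpha, x_a, q)
    y_b = public_value(alpha, x_b, q)
    k_a = shared_key(y_b, x_a, q)   # A uses B's public value and its own X
    k_b = shared_key(y_a, x_b, q)   # B uses A's public value and its own X
    return y_a, y_b, k_a, k_b

def random_private(q):
    """Choose X from a CSPRNG, in 1 .. q-2. The lecture says 'between 0 and Q';
    0 and q-1 are excluded here because both give Y = 1 (alpha^(q-1) = 1 mod q)."""
    return secrets.randbelow(q - 2) + 1

if __name__ == "__main__":
    assert is_primitive_root(3, 353)
    print(diffie_hellman(353, 3, 97, 233))    # (40, 248, 160, 160)
    x_a, x_b = random_private(353), random_private(353)
    y_a, y_b, k_a, k_b = diffie_hellman(353, 3, x_a, x_b)
    assert k_a == k_b
```

Why the two keys always agree, the proof the lecture asks you to try: KA = YB^XA = (alpha^XB)^XA = alpha^(XA*XB) mod q, and KB = YA^XB = (alpha^XA)^XB = alpha^(XA*XB) mod q, the same value. A 353-bit-free toy like this is for following the arithmetic only; a real deployment uses q of thousands of bits, as the lecture says, and a private X drawn from a cryptographic random source rather than a number picked by hand.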
Alpha is three. What else do they know? Whatever was sent, these messages sent across the network between A and B, were not encrypted. So they also know YA is 40 and YB is 248. And of course they also know the algorithm. They know every equation used, the steps that were used by A and B. So now the question is, can the attacker find K? KA and KB are the same value. Or what do they need to do to find K? Let's try some approaches. Well, let's see what we know. We know K, let's say KA. If I find KA, I find KB; we can go from either direction. We know the equation: YB to the power of XA mod Q. We know 248. XA we don't know, not yet. And we know Q. So the attacker has a problem. I have an equation with four variables. Two of them are unknown. So I can't solve that unless I find XA. So I need to know XA. If I find XA, easy to calculate K. I could have tried from KB as well. If I use, from the attacker's perspective, KB equals YA to the power of XB mod Q, same problem for the attacker: they don't know XB. So XA, XB, I need to find one of them. Let's try and find XA. What's an equation for XA? Or what's another equation? Well, there's another one that contains XA. How did... How did user A generate YA? That was the equation they used. Just to remind you here, user A chose XA. I'm trying to find it as the attacker. I know that user A calculated YA from alpha to the power of XA mod Q. So I know this equation. YA, what is the value? 40. Alpha, 3. XA, don't know yet. Q, we know. This looks better. I have an equation with four terms. I know three of them. There's only one missing. So just rearrange and find XA. Rearrange it. What do you get? So we have an equation with four terms. Only one of them is unknown, so we should be able to rearrange and find XA. When you rearrange this, what do you write the rearrangement as? Well, it's something about a logarithm, isn't it? A discrete logarithm. XA equals the discrete log base 3 mod 353 of 40.
The inverse of exponential is logarithm; when we have mod we call it a discrete logarithm. We just need to solve the discrete logarithm. But we know from when I looked at RSA, we've said solving discrete logarithms when the numbers are large, these are not large, but if they were very large numbers, solving a discrete logarithm is not possible. So the security of Diffie-Hellman depends upon the fact that it's hard to find discrete logarithms when we have large enough numbers. This one you could find, you can calculate this, a computer would do it for you quite quickly. But if our numbers are thousands of bits long then finding the discrete log will not be possible. Since we can't find the discrete log we will not be able to find XA and therefore not find KA. Similar with other approaches from the attacker. Diffie-Hellman's security depends on the discrete logarithms. Questions on Diffie-Hellman? This is the first public key algorithm. Only used for exchanging a secret. We don't encrypt anything. We don't sign anything. We just do some exchanges such that A and B both know K. The key is considered a shared secret key, in this case a symmetric key. So now the key could be used for AES for encryption. That's a large value.
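The attacker's calculation from the two paragraphs above, as an added example that is not part of the lecture: with only the public values (alpha, Q, YA, YB) it solves the discrete log by exhaustive search, which is feasible for Q = 353 and recovers XA = 97 and then K = 160. The search cost grows with Q, which is the reason the lecture gives for using primes thousands of bits long; the function names are mine.

```python
# Added example (not lecture code): what an eavesdropper can do with the
# lecture's toy parameters. Public knowledge only: alpha = 3, q = 353,
# YA = 40, YB = 248.

def discrete_log(alpha, y, q):
    """Smallest x >= 1 with alpha^x mod q == y, by trying every x in 1..q-1.
    One multiplication per candidate, so the work is proportional to q;
    for a q of thousands of bits that is far beyond any computer."""
    acc = 1
    for x in range(1, q):
        acc = acc * alpha % q     # acc is now alpha^x mod q
        if acc == y:
            return x
    return None                   # y is not a power of alpha mod q

def attacker_recovers_key(alpha, q, y_a, y_b):
    """Solve YA = alpha^XA mod q for XA, then compute K exactly as A does:
    K = YB^XA mod q. Returns (XA, K), or None if no solution exists."""
    x_a = discrete_log(alpha, y_a, q)
    if x_a is None:
        return None
    return x_a, pow(y_b, x_a, q)

def attacker_cross_check(alpha, q, y_a, y_b):
    """Recover XB from YB as well and confirm both routes give the same K,
    mirroring the lecture's point that either XA or XB is enough."""
    x_a, k_via_a = attacker_recovers_key(alpha, q, y_a, y_b)
    x_b, k_via_b = attacker_recovers_key(alpha, q, y_b, y_a)
    return x_a, x_b, k_via_a == k_via_b

if __name__ == "__main__":
    print(attacker_recovers_key(3, 353, 40, 248))   # (97, 160)
    print(attacker_cross_check(3, 353, 40, 248))    # (97, 233, True)
```

The same search over a 2048-bit Q would need on the order of 2^2048 multiplications, so the defence is parameter size (and a well-chosen group), not secrecy of the algorithm; every other input to this function is sent in the clear.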