# Exploring Diffie-Hellman Encryption

Communicating "in the clear", Alice and Bob select two numbers, q and n. Alice then selects the secret number xa. Bob selects the secret number xb. From the two public numbers, q and n, and her secret number xa, Alice calculates ya and sends the number to Bob. Using the same two public numbers, q and n, and his secret number xb, Bob calculates yb and sends the number to Alice. Alice and Bob have completed step one of the Diffie-Hellman process.

The program crypto.bc shows how Alice calculates ya using the formula

**ya = (n ^ xa) % q**

This says, multiply n by itself xa times, then divide the product by q and save only the remainder.

Alice sends the number ya to Bob. In the meantime, Bob applies the same formula to the numbers n, xb and q to calculate the number yb:

**yb = (n ^ xb) % q**

Bob sends the number yb to Alice. They are ready for step two.

Using the number yb received from Bob, Alice calculates

**ka = (yb ^ xa) % q**

Again, this means multiply yb by itself xa times, and then save the remainder after dividing the product by q. When Bob receives Alice's number ya he calculates:

**kb = (ya ^ xb) % q**

Alice and Bob have completed the Diffie-Hellman encryption process.

Alice applied her secret number xa to Bob's value yb and calculated ka. Bob applied his secret number xb to Alice's value ya and calculated kb. Presto: it turns out that ka = kb, a number now known to Alice and Bob, but to no one else. Even though Eve, the eavesdropper, may have been monitoring their communications studiously, Eve cannot discover the number ka easily.

The following program, written for the bc compiler, was adapted from Simson Garfinkel's book on Phil Zimmerman's Pretty Good Privacy. Where large numbers would be used in practice, we use small numbers for clarity. The operation x % y returns x modulo y, that is, the remainder obtained when x is divided by y. The operation n ^ xa multiplies the number n times itself xa times. In programs designed to handle really large numbers, we can speed up the calculation of (n ^ xa) % q by applying the modulo operation after each multiply. While using relatively small numbers, illustration is made simpler with the naïve literal method used below:

/* crypto.bc - From Simson Garfinkel: PGP, appendix F * the mathematics of Diffie-Hellman encryption. */ q = 563 /* Alice and Bob select a large prime */ a = 5 /* ...and another random number */ xa = 9 /* Alice picks the random number 9 */ xb = 14 /* Bob picks the random number 14 */ ya = a ^ xa /* Alice */ ya = ya % q print "_nAlice sends ya = ", ya," to Bob_n"; yb = a ^ xb /* Bob */ yb = yb % q print "Bob sends yb = ", yb," to Alice_n"; ka = yb ^ xa print "_n from yb^xa = ";ka; ka = ka % q print " Alice calculates ka = ",ka,"_n" kb = ya ^ xb print " from ya^xb = "; kb; kb = kb % q print " Bob calculates kb = ",kb,"_n"; print "_nThey can now use ",kb," to encrypt messages._n"; quit

When executed with the command **bc
crypto.bc**, this program writes the following output to
stdout:

Alice sends ya = 78 to Bob Bob sends yb = 534 to Alice from yb^xa = 3530785328217308860798464 Alice calculates ka = 117 from ya^xb = 308549209196654470906527744 Bob calculates kb = 117 They can now use 117 to encrypt messages.

Operating entirely in the clear, Alice and Bob have passed the number 117 between them without disclosing it to anyone else. Eve, who may have been monitoring their communications or recording them for analysis, may have difficulty discovering the number ka = 117.

Eve knows the numbers n, q, ya and yb, so she could write the equation

**ya = ( n ^ xa) % q**

and try all possible values of xa until she finds one that generates the known value of ya. Using that value of xa in the equation

**ka = (yb ^ xa) % q**

Eve could calculate the value of ka. This "brute force" method of attack, however, is practical only if Alice and Bob use small numbers. By using large numbers, preferably large prime numbers, Alice and Bob can make Eve's brute force attack impractical.

If the only two numbers that can be multiplied together to form the number n are the number 1 and the number n itself, then n is said to be prime. Any number can be formed as the product of some two numbers. For example, the number 21 can be formed as the product of 3 and 7, the number 221 can be formed as the product of 13 and 17 and so on. To continue, the number 221 is said to have the "factors" 13 and 17, but a prime number has only the factors 1 and itself.

We need prime numbers for the Diffie-Hellman process, so
let's write a bc program to find them. Call your favorite text
editor with a command such as **able testprime.bc**,
and type in the following:

/* testprime2.bc: test for prime numbers The exhaustive search method used here works ok for numbers up to about 12 digits. */ define qprime(value) { auto d, rem small_factor = 2 rem = value % 2 if ( rem == 0 ) return(rem) # it is even small_factor = 3 if ( value == 9) return(0) # skip it so we can start at 3 for (d = 3; d^2 <= value; d += 2) { rem = value % d /* print "d = ",d print "rem = ",rem print "_n" */ if ( rem == 0 ) break } small_factor = d return(rem) } scale = 0 print "enter a starting value, then increments (or 0 to quit):_n" testvalue = read(); /* get the starting value */ while ( 1 ) { a = qprime(testvalue) print testvalue if ( a == 0 && testvalue != 2 ) { print " is not prime, smallest factor is ",small_factor } if ( a != 0 ) { print " is a prime number" } if ( testvalue == 2 ) { print " is a special case, Ducky" } print "_n" increment = read() if (increment == 0) { break } testvalue += increment } halt

Save the text file and then call the program with the command
**bc testprime.bc**.

The program first asks for a starting value. It tests the number entered, then loops repeatedly asking for an increment, advancing the test value by that amount and then testing again. Here is an example interaction:

enter a starting value, then increments (or 0 to quit): 123487 is not prime, smallest factor is 7 2 123489 is not prime, smallest factor is 3 2 123491 is a prime number 0

We need two prime numbers, so call the program again:

bc testprime.bc enter a starting value, then increments (or 0 to quit): 394323 is not prime, smallest factor is 3 2 394325 is not prime, smallest factor is 5 2 394327 is a prime number 0

Now we need bc programs to evaluate the Diffie-Hellman
equations for Alice and for Bob. Call your text editor with a
command such as **able alice.bc**, and key in the
following text:

/* alice.bc: Diffie-Hellman encryption demo */ # this modexp() bc routine is a transliteration # of the C routine found in Bruce Schneier's # "Applied Cryptography" Wiley, New York. 1994. # ISBN 0-471-59756-2 # modexp: from page 200 define modexp(a, x, n) { # return a ^ x mod n auto r r = 1 while ( x > 0 ) { if ( (x % 2) == 1 ) { r = (r * a) % n } a = ( a * a ) % n x /= 2 } return(r) } print "Alice:_n" print "Enter public value q: "; q = read() print "Enter public value n: "; n = read() print "_nEnter your secret number xa: "; xa = read() ya = modexp(n,xa,q) print "_nAlice, here is the number to send to Bob, ya: "; ya print "_nEnter the number you received from Bob, yb: "; yb = read() ka = modexp(yb,xa,q) print "Result: "; ka print "_n_n" halt

Make a copy of Alice's program with the command **cp
alice.bc bob.bc**. Then call your text editor with a
command such as **able bob.bc**, and modify the
program to look like this for Bob:

/* bob.bc: Diffie-Hellman encryption demo for Bob */ # this modexp() bc routine is a transliteration # of the C routine found in Bruce Schneier's # "Applied Cryptography" Wiley, New York. 1994. # ISBN 0-471-59756-2 # modexp: from page 200 define modexp(a, x, n) { # return a ^ x mod n auto r r = 1 while ( x > 0 ) { if ( (x % 2) == 1 ) { r = (r * a) % n } a = ( a * a ) % n x /= 2 } return(r) } print "Bob:_n" print "Enter public value q: "; q = read() print "Enter public value n: "; n = read() print "_nEnter your secret number xb: "; xb = read() yb = modexp(n,xb,q) print "_nBob, here is the number to send to Alice, yb: "; yb print "_nEnter the number received from Alice, ya: "; ya = read() kb = modexp(ya,xb,q) print "_nResult: "; kb print "_n_n" halt

When Alice selects a secret number, such as 76697, and calls
her program with the command **bc alice.bc**, her
interactive session looks like this:

Alice: Enter public value q: 394327 Enter public value n: 123493 Enter your secret number xa: 76697 Alice, here is the number to send to Bob, ya: 323823

Hold down Alt and press F2, for example, to switch your
console to a different virtual terminal (or if using a graphical
user interface, open a new xterm), and then call Bob's program with
the command **bc bob.bc**. Bob selects the secret
number 69623. His interactive session looks like this:

Bob: Enter public value q: 394327 Enter public value n: 123493 Enter your secret number xb: 69623 Bob, here is the number to send to Alice, yb: 32675 Enter the number received from Alice, ya: 323823 Result: 74297

Bob has completed his side of the Diffie-Hellman process.

Switch back to Alice's virtual terminal, or window. When Alice receives the number yb from Bob, she cam complete the process on her side:

Enter the number you received from Bob, yb: 32675 Result: 74297

Alice and Bob each have slipped the number 74297 past Eve, and they now can use that number to generate a key for encrypting messages.

Eve, of course, has been watching all this and has written a program of her own. Here is Eve's program:

/* eve.bc: Brute force attack on Diffie-Hellman encryption */ define modexp(a, x, n) { # return a ^ x mod n auto r r = 1 while ( x > 0 ) { if ( (x % 2) == 1 ) { r = (r * a) % n } a = ( a * a ) % n x /= 2 } return(r) } print "Eve:_n" print "enter public value q: "; q = read() print "enter public value n: "; n = read() #print "_nenter your secret number x: "; xa = read() print "_nenter observed public number ya: "; ya = read() print "_nenter observed public number yb: "; yb = read() print "_nenter a starting value for xa: "; xa = read() while ( 1 ) { tya = modexp(n,xa,q) if (tya == ya) { break } xa += 1 print "trying ", xa, "_r" } print "_nfound xa = "; xa ka = modexp(yb,xa,q) print "_nResult: "; ka quit

When Eve calls her program with the command **bc
eve.bc**, her interactive session looks like this:

Eve: enter public value q: 394327 enter public value n: 123493 enter observed public number ya: 323823 enter observed public number yb: 32675 enter a starting value for xa: 2 trying 3 trying 4 trying 5 trying 6 trying 7 <snip> trying 76693 trying 76694 trying 76695 trying 76696 trying 76697 found xa = 76697 Result: 74297

Depending on the speed of Eve's computer, this may take several minutes.

If the output routine used by your bc compiler, like the one used above, refuses to recognize that the program statement

**print "trying ", xa, "_r"**

is expected to repeatedly use the same display line, as in C, you may need to post the following little patch to your bc system. The patch adds a few lines of code at the beginning of the routine out_schar(). Source for this routine is in util.c, located in the directory bc_1.06/bc.

341a342,347 > if (ch == '_r') > { > out_col = 0; > putchar('_r'); > return; > }

When selecting two prime numbers for the Diffie-Hellman process, use the larger number for q and the smaller number for n. To discover why, try swapping the two numbers around. With the values of q and n swapped, that is, with n larger than q, while Alice and Bob may see nothing out of the ordinary, Eve's cryptanalysis becomes much easier.

And there is more. In addition to q being a prime number, the
value (q-1)/2 should also be a prime number. So let's write a
modified version of testprime.bc that will test for that condition.
Make a copy of testprime.bc with the command **cp
testprime.bc testqm1.bc**, and then call your editor with a
command such as **able testqm1.bc**. Modify the
program to look like this:

/* testqm1.bc: find prime number q and test (q-1)/2 also. The exhaustive search method used here works ok for numbers up to about 12 digits. */ define qprime(value) { auto d, rem small_factor = 2 rem = value % 2 if ( rem == 0 ) return(rem) # it is even small_factor = 3 if ( value == 9) return(0) # skip it so we can start at 3 for (d = 3; d^2 <= value; d += 2) { rem = value % d if ( rem == 0 ) break } small_factor = d return(rem) } scale = 0 print "enter a starting value, then state how many primes to find:_n" testvalue = read() /* get the starting value */ find = read() /* get the count of primes to find */ i = 0; increment = 2 while ( i < find ) { a = qprime(testvalue) if ( a != 0 ) { savetest = testvalue t = (testvalue - 1)/2 aa = qprime(t) if ( aa != 0 ) { print "q = ", testvalue print " is prime and (q-1)/2 = ", t print " is ALSO prime_n" i += 1 } } if ( testvalue == 2 ) { print testvalue print " is a special case, Ducky_n" testvalue += 1 } testvalue += increment } halt

When called with the command **bc
testqm1.bc**, an example session looks like:

enter a starting value, then state how many primes to find: 2426697105 3 q = 2426697107 is prime and (q-1)/2 = 1213348553 is ALSO prime q = 2426697359 is prime and (q-1)/2 = 1213348679 is ALSO prime q = 2426698727 is prime and (q-1)/2 = 1213349363 is ALSO prime

Knowing all of this, Alice selects 2426697107 for q and calls the testqm1 program again to find a smaller prime to use for n:

enter a starting value, then state how many primes to find: 17123201 2 q = 17123207 is prime and (q-1)/2 = 8561603 is ALSO prime q = 17124539 is prime and (q-1)/2 = 8562269 is ALSO prime

Alice selects 17123207 for n. With these numbers, and selecting the arbitrary number 31925631 for xa, Alice's interactive session looks like:

Alice: Enter public value q: 2426697107 Enter public value n: 17123207 Enter your secret number xa: 31925631 Alice, here is the number to send to Bob, ya: 919478360

Alice sends the numbers q, n and ya to Bob. Using his selected secret number 19758139, Bob's interactive session looks like:

Bob: Enter public value q: 2426697107 Enter public value n: 17123207 Enter your secret number xb: 19758139 Bob, here is the number to send to Alice, yb: 1724324231 Enter the number received from Alice, ya: 919478360 Result: 1490225501

When Alice receives Bob's number yb, she completes her calculation:

Enter the number you received from Bob, yb: 1724324231 Result: 1490225501

Eve calls her program with the command **time bc
eve.bc**. The time utility will print the elapsed time when
the process is complete. Her interactive session looks like:

Eve: enter public value q: 2426697107 enter public value n: 17123207 enter observed public number ya: 919478360 enter observed public number yb: 1724324231 enter a starting value for xa: 2 trying 3 trying 4 trying 5 trying 6 trying 7 ... <snip>

Eve's program found xa = 31925631 and the result = 1490225501. On a Slackware Linux 2.4 system with a 451 MHz K6 processor reporting 897.84 BogoMIPS, the search took a little over 19 hours. Eve's program tried each of about 31.9 million possible values of xa before it got a hit. On this system it appears that brute force discovery of xa takes about one half hour per one million trial values of xa.

If Eve is on a network where she has access to, say, 30 other similar systems, she could run 30 copies of her program simultaneously; starting the first program near 0, the second at 1000000, the third at 2000000 and so on. One of the computers should find the solution within about 30 minutes. That being the case, perhaps Alice and Bob should use numbers even larger.

Alice and Bob used a 10-digit value for q and an 8-digit value for n. Alice selected an 8-digit value for her secret number xa and Bob selected an 8-digit value for his secret number xb. Because it is xa or xb that Eve will be trying to find, we should investigate the result of Alice and Bob each selecting a 9-digit value for their secret numbers. From the previous experiment it would appear that even Eve's network scheme would need four or five hours to find the solution. On a single computer, Eve's program evidently would need about a week to find the solution.

Because it is xa that Eve's program must find, it might appear that simply selecting a very large value for xa would defeat Eve's brute force attack. The reality, though, is exactly the opposite. For the values

q = 394327 n = 123493 xa = 76697 xb = 59232

Alice and Bob found result 365557. Eve's program found the same xa = 77797 and result = 365557 in about three minutes. For the same values of q and n with the larger values

xa = 766973423 xb = 592329871

Alice and Bob obtained the result = 32000. In only eight seconds, Eve's program found this same result at a test value of xa = 9353. So it seems that if xa has more digits than q, then Eve's program doesn't even need to discover Alice's secret number xa at all. Instead it can find a solution at the much smaller trial value of xa. Modulo arithmetic is like a football--it's hard to guess which way it will bounce.

Sources for all the programs in this article are in the compressed project file dhcrypt.tgz that can be downloaded from www.seasurf.com/~jdennon

On that site you can also check out my pretty good editor for
GNU/Linux, described in the book *Build Your Own LINUX C
Toolbox*.

An interactive calculator for finding large prime numbers is available at wims.unice.fr.

GNU Privacy Guard, a free replacement for PGP, can be downloaded from www.gnupg.org.

Also available from the Free Software Foundation is the GNU bc compiler written by Philip A. Nelson. The entire bc package, including sources, can be downloaded from www.gnu.org/directory/bc.html.

An introduction to Pretty Good Privacy, including a
blow-by-blow account of Phil Zimmerman's many battles, can be found
in the book *PGP: Pretty Good Privacy*, by
Simson Garfinkel, published in 1995 by O'Reilly. ISBN
1-56592-098-8.

For additional background on PGP, see Phil Zimmerman's own
book, *The Official PGP User's Guide*, published
in 1995 by The MIT Press.

For background on cryptography in practice that is written by
a professional in the field, with details on Diffie-Hellman, RSA
and many other algorithms, find a copy of Bruce Schneier's
*Applied Cryptography*, published by Wiley. The
second edition is available on Amazon.

email: jdennon@seasurf.com