Diffie-Hellman Key Exchange Animator

SEC-101 Week 5 interactive · classic DH and elliptic-curve DH at small-prime scale · SEC-101 · pcap-tools

Why is this secure? Alice and Bob agree on a shared key by sending two numbers (A and B) over a channel that Eve, the eavesdropper, can read. Eve sees the public values p, g, A, B but cannot derive the shared K without solving the discrete logarithm problem: given g^a mod p, find a. For tiny primes like p = 23 she can brute-force; for production-sized primes (p with 2048 or 3072 bits) the best known algorithm needs more compute than every computer ever built. This is the math that powers the key_share extensions in the TLS 1.3 handshake replay you stepped through in NET-101 Week 10.
Pick an example or set parameters below.

Alice

Holds secret a
Computes A = g^a mod p
Sends A on the channel
Receives B from the channel
Computes K = B^a mod p
A = -
Public channel
A = -
B = -
Eve sees both
(but cannot derive K)

Bob

Holds secret b
Computes B = g^b mod p
Sends B on the channel
Receives A from the channel
Computes K = A^b mod p
B = -

Eve's view

Eve, a passive eavesdropper on the channel, sees p, g, A, B. To compute the shared key K she would need a or b. The only way she can recover a from A is to solve g^a ≡ A (mod p) for the unknown a. This is the discrete logarithm problem. For a 2048-bit prime, the best known general-purpose algorithm (general number field sieve) takes more compute than every computer ever built. For a tiny prime like p = 23, Eve can just brute-force every a in 1..22 and check; the tiny prime makes the structure visible for learning, but no real protocol uses a prime this small.

The cyclic group g^x mod p for x = 0, 1, 2, ..., p-1












  

    
    
    
    
    Pick an example or set parameters below.
  


  

    

    

    

    

    

    

    

  


  

    

      
Alice

      
Holds scalar a

      
Computes A = a·G (point multiplication)

      
Sends point A on the channel

      
Receives B from the channel

      
Computes S = a·B

      
A = -

      
    


    

      
Public channel

      
A = -

      
B = -

      
Eve sees both points
but cannot derive a or b

    


    

      
Bob

      
Holds scalar b

      
Computes B = b·G

      
Sends B on the channel

      
Receives A from the channel

      
Computes S = b·A

      
B = -

      
    

  


  

    
Eve's view (ECDH)

    
Eve sees the curve parameters, the base point G, and the two public points A and B. To recover a from A = a·G she would have to solve the elliptic-curve discrete logarithm problem (ECDLP): given the curve, G, and A, find the scalar a such that a·G = A. The best known general-purpose algorithm (Pollard rho) costs about sqrt(n) point operations, where n is the order of G. The 256-bit ECDH curves real protocols use (P-256, X25519, secp256k1) have n ≈ 2^256, so Pollard rho costs about 2^128 operations: infeasible on Earth.

    
For the small p = 17 curve above the order is 19, so Pollard rho would take only sqrt(19) ≈ 4.4 operations on average. Tiny prime makes the structure visible; real ECDH uses curves with 256-bit order.

  


  

    
Curve points over F_p (Alice green, Bob blue, shared point gold)