🎨 Color Mixing Paint
Diffie-Hellman Key Exchange Made Simple
In 10 minutes: Understand how Alice and Bob share a secret without Eve knowing
Prerequisite: Public/Private Keys (not strictly needed, but helpful)
🎯 The Simple Story
Alice and Bob want to agree on a secret color (a secret key).
Problem: Eve is watching everything they say!
Alice's idea: Color mixing!
- Alice has yellow paint (secret)
- Bob has blue paint (secret)
- Alice and Bob each share a common white paint (public)
- Alice mixes: yellow + white = light yellow (shares this)
- Bob mixes: blue + white = light blue (shares this)
- Eve sees: light yellow and light blue paint
- Alice mixes: light yellow + blue = green (shared secret!)
- Bob mixes: light blue + yellow = green (shared secret!)
- Eve has: light yellow and light blue, can't make green!
Both Alice and Bob now know the secret color green, but Eve can't figure it out!
🧠 Mental Model
Hold this picture in your head:
Diffie-Hellman Color Mixing:
Alice's secret: Yellow 🟡 Bob's secret: Blue 🔵
↓ ↓
Alice mixes with white (public) → Light Yellow 🟨 Bob mixes with white → Light Blue 🔵
↓ ↓
Alice sends Light Yellow → Eve sees this → Bob receives Bob sends Light Blue → Eve sees this → Alice receives
↓ ↓
Alice mixes Light Yellow + Blue = GREEN! 🟩 Bob mixes Light Blue + Yellow = GREEN! 🟩
Eve has: Light Yellow 🟨, Light Blue 🔵
Eve tries: Can't get GREEN! (One-way mixing)
Alice and Bob share SECRET: GREEN! Eve doesn't know!
Think of it like:
🎨 One-way painting (Can mix, can't unmix)
🔐 Cryptographic mixing (Can multiply, can't reverse division)
🌊 Tidal exchange (Water flows, can't flow back)
📊 See It Happen
Let's watch Diffie-Hellman in action:
🎭 The Story: Paint Colors
Alice and Bob want to talk privately. Eve is watching.
Step 1: Alice picks a secret: Yellow paint
Step 2: Bob picks a secret: Blue paint
Step 3: Alice and Bob agree on a public paint: White paint
Step 4: Alice mixes yellow + white = Light yellow paint. She sends this to Bob.
Step 5: Bob mixes blue + white = Light blue paint. He sends this to Alice.
Step 6: Eve sees: "Alice sent light yellow, Bob sent light blue. What's the secret?"
Step 7: Alice mixes light yellow + blue = Green paint
Step 8: Bob mixes light blue + yellow = Green paint
Step 9: Alice and Bob now both have green paint! They can use this as a secret key!
Step 10: Eve has light yellow and light blue. She tries to mix them: Light yellow + light blue doesn't make green. She needs yellow + light blue or light yellow + blue. But she doesn't have yellow or blue!
Result: Alice and Bob agree on a secret color (green), but Eve can't figure it out!
🎮 Try It Yourself
Question 1: Alice's secret = 3, Bob's secret = 4, public base = 5. What do Alice and Bob compute as the shared secret?
Show Answer
Let's use real math (using * for exponent, ^ for exponent):
Alice computes:
- A = g^a = 5^3 = 5 × 5 × 5 = 125 (sends to Bob)
Bob computes:
- B = g^b = 5^4 = 5 × 5 × 5 × 5 = 625 (sends to Alice)
Alice computes:
- s = B^a = 625^3 = 625 × 625 × 625 = 244,140,625
Bob computes:
- s = A^b = 125^4 = 125 × 125 × 125 × 125 = 244,140,625
Both got the same number: 244,140,625!
Answer: 244,140,625 (same for both)
Question 2: In the real Diffie-Hellman, why can't Eve figure out the secret from A and B?
Show Answer
Eve sees:
- A = g^a (Alice's mixed paint)
- B = g^b (Bob's mixed paint)
Eve wants to find:
- a = Alice's secret (the yellow paint)
- b = Bob's secret (the blue paint)
The only way Eve gets a or b is:
- Reverse the "mixing" (find a when A = g^a)
- This is the discrete logarithm problem
For small numbers, this is easy. For real cryptographic numbers (like 256-bit), finding a or b from A or B takes billions of years!
Answer: Discrete logarithm is too hard to solve with large numbers
Question 3: What's the benefit of Diffie-Hellman over just sending a secret key directly?
Show Answer
Traditional key exchange:
- Alice generates secret key K
- Alice sends K to Bob
- Eve sees K!
- Eve can use K!
- ❌ Problem: Key exposed during transmission
Diffie-Hellman:
- Alice and Bob exchange public values (A and B)
- Eve sees A and B, but can't recover secrets a and b
- Both derive the same secret key s from different ends
- ✅ Solution: Secret key never transmitted over network!
Answer: Secret key never sent, only public values exchanged
🔢 The Math
Diffie-Hellman Steps (Simplified)
Setup:
Bob chooses: Large prime p and generator g (public)
Everyone knows p and g
Step 1: Alice generates secret
Alice: a = random secret number
Alice: A = g^a mod p (send to Bob)
Step 2: Bob generates secret
Bob: b = random secret number
Bob: B = g^b mod p (send to Alice)
Step 3: Alice computes shared secret
Alice: s = B^a mod p = (g^b)^a mod p = g^(ab) mod p
Step 4: Bob computes shared secret
Bob: s = A^b mod p = (g^a)^b mod p = g^(ab) mod p
Result: Both Alice and Bob have the same s!
Eve's view:
Sees: A, B, p, g
Wants: Find a, b, or s
Problem: Can't compute discrete logarithm (extremely hard!)
Why It Works
Alice: s = (g^b)^a = g^b × g^b × ... × g^b (a times) = g^(ab)
Bob: s = (g^a)^b = g^a × g^a × ... × g^a (b times) = g^(ab)
Both are computing g^(ab), just in different orders!
Security: Discrete Logarithm Problem
Given A = g^a mod p, finding a is the discrete logarithm.
- For p with 2048 bits (like X25519): ~2^112 operations to solve
- That's like trying 5×10^33 combinations
- Even with quantum computers, this is still very hard!
💡 Why We Care
The Real-World Value
Without Diffie-Hellman:
- Alice generates key: K = 12345
- Alice sends K to Bob
- Eve sees K = 12345
- Eve knows the key!
With Diffie-Hellman:
- Alice and Bob generate secrets a and b (never shared)
- Exchange public A and B (Eve sees them)
- Both compute same secret s (but Eve can't)
- Use s as key for symmetric encryption!
Signal Protocol Context
The Signal Protocol uses X3DH, which is 4 Diffie-Hellman operations combined:
DH1 = Alice_Identity × Bob_SignedPrekey
DH2 = Alice_Ephemeral × Bob_Identity
DH3 = Alice_Ephemeral × Bob_SignedPrekey
DH4 = Alice_Ephemeral × Bob_OneTimePrekey
Secret = Combine(DH1, DH2, DH3, DH4)
We'll learn this in detail in the X3DH section!
✅ Quick Check
Can you explain Diffie-Hellman to a 5-year-old?
Try saying this out loud:
"Imagine Alice has yellow paint and Bob has blue paint. They both add some white paint what they have. After they share, Alice mixes the yellow with Bob's blue, and Bob mixes the yellow and blue too. Both get green paint! But Eve watching only sees the light colors and can't figure out the green!"
Can you explain the math?
Traditional vs DH:
Traditional: Alice sends secret key K directly. Eve sees K.
Diffie-Hellman: Alice and Bob exchange public values. Both derive same secret K from different ends, but K is never transmitted. Eve can't get K.
📋 Key Takeaways
✅ Diffie-Hellman = Two-way secret agreement without transmission
✅ Public exchange = A and B (Eve can see)
✅ Secret exchange = a and b (Eve can't see)
✅ Shared secret = s = g^(ab) (computed on both sides)
✅ Security = Discrete logarithm problem (very hard to solve)
✅ Metaphor = Color mixing: can mix, can't unmix
✅ Use in Signal = X3DH uses 4 DH operations combined
🎉 What You'll Learn Next
Now you know how two people can agree on a secret without sending it! This is the foundation of X3DH.
Next, we'll learn about symmetric vs asymmetric encryption - when to use each and why.
↔️ Continue: Symmetric vs Asymmetric
We'll compare key types and understand when to use public/private keys and when to use shared secrets!
Now you know Diffie-Hellman! Next: Comparing symmetric and asymmetric encryption