Cryptographic Advancements Enabled by Diffie–Hellman

Author: Srikanth Ambatipudi
Date Published: 6 June 2024
Read Time: 10 minutes

Public key cryptography was enabled by concepts first proposed in 1976 in “New Directions in Cryptography” by researchers Whitfield Diffie and Martin E. Hellman.1 Since that paper’s publication, the concepts proposed by Diffie and Hellman have evolved; however, the core ideas remain relevant and provide valuable insight into how the research community can address security needs.

“New Directions in Cryptography” surveys the state of cryptography in 1976 and the pressures then reshaping it. Teleprocessing created the need for cryptographic systems that reduce the burden of secure key distribution. Falling computer hardware costs led to widespread use of computers, which in turn created demand for commercial-grade cryptography usable in day-to-day activities rather than only in specialized settings. Cryptography serves security: its primary objective is privacy, preventing unauthorized access to sensitive information transmitted over insecure channels. In a conventional (symmetric) system, the sender and receiver share a secret key that must be delivered in advance over a secure channel, and the cost and delay of that key distribution erode much of the benefit of teleprocessing. Diffie and Hellman propose two approaches to establishing keys over public channels without compromising security: public key cryptosystems and public key distribution systems. In a public key cryptosystem, the enciphering key E and the deciphering key D are different, and it is computationally infeasible to derive D from E. E can therefore be published for each user without compromising D, allowing a public directory of all the Es, such that any user of the system can send a message that only the intended receiver can decipher.

The Diffie–Hellman key exchange method enables two parties with no prior relationship to establish a shared secret over an insecure channel; that secret is then used to derive a key for encrypting subsequent communications. Consider two fictional individuals, Alice and Bob, who want to communicate privately. They agree publicly on two positive integers p and q, where p is a large prime and q is a generator of the multiplicative group of integers modulo p. Alice chooses a secret integer a and Bob a secret integer b, each in the range 1 < a, b < p − 1, and neither secret ever leaves its owner.

Alice computes her public value: aP = q^a mod p
Bob computes his public value: bP = q^b mod p
Alice and Bob exchange aP and bP over the public channel, and each computes the shared secret:
x = (bP)^a mod p = (aP)^b mod p = q^(ab) mod p

An eavesdropper sees p, q, aP and bP but, to recover x, must compute a or b from aP or bP, which is the discrete logarithm problem. Alice and Bob now derive a symmetric key from x and protect the rest of the conversation with a conventional cipher.
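
A worked run of the exchange above, as an added example that is not part of the original article. It keeps the article’s symbols (p, a, b, aP, bP, x) but writes the base as g, since q is conventionally used for the order of the subgroup. It adds two checks the text does not show that a practitioner wants: parameter generation (a safe prime p = 2q + 1 with g generating the prime-order subgroup) and validation of the peer’s public value before it is used, in the style of NIST SP 800-56A. The toy parameters (p = 23, g = 4, a = 3, b = 7), the 64-bit group size and the SHA-256 key derivation are assumptions of this example; the brute-force discrete logarithm is there only to show why a small p is worthless.

```python
import hashlib
import secrets

# Added example, not code from the original article. Symbols follow the text:
# p is the prime modulus, g is the public base (the article's q), a and b are
# the private exponents, aP and bP the public values, x the shared secret.


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; trial division handles tiny n exactly."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        base = secrets.randbelow(n - 3) + 2          # random base in [2, n - 2]
        y = pow(base, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False                              # composite witness found
    return True


def generate_safe_prime(bits):
    """Return p = 2q + 1 with p and q both prime, so the group has a large prime-order subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def subgroup_generator(p):
    """For a safe prime p > 5, 4 = 2^2 is a quadratic residue and therefore
    generates the subgroup of prime order q = (p - 1) / 2."""
    return 4


def is_valid_public_value(p, y):
    """SP 800-56A style full validation of a peer's value: 1 < y < p - 1 and
    y lies in the prime-order subgroup (rejects 0, 1, p - 1 and small-order values)."""
    return 1 < y < p - 1 and pow(y, (p - 1) // 2, p) == 1


def random_private(p):
    """Private exponent in [2, q - 1], q = (p - 1) / 2 being the order of g."""
    return secrets.randbelow((p - 1) // 2 - 2) + 2


def public_value(p, g, priv):
    return pow(g, priv, p)


def shared_secret(p, priv, peer_public):
    if not is_valid_public_value(p, peer_public):
        raise ValueError("peer public value failed validation")
    return pow(peer_public, priv, p)


def derive_key(p, x):
    """Fixed-width encode x and hash it; real protocols run a KDF such as HKDF over the transcript."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(x.to_bytes(width, "big")).digest()


def brute_force_dlog(p, g, y):
    """Find k with g^k = y (mod p) by enumeration: feasible for toy p, hopeless at 2048 bits."""
    acc = 1
    for k in range((p - 1) // 2):                     # g has order (p - 1) / 2
        if acc == y:
            return k
        acc = acc * g % p
    raise ValueError("no logarithm found")


def exchange(p, g, a, b):
    """Both sides of the protocol; the two x values must agree."""
    aP = public_value(p, g, a)                        # Alice sends aP
    bP = public_value(p, g, b)                        # Bob sends bP
    x_alice = shared_secret(p, a, bP)                 # (bP)^a mod p
    x_bob = shared_secret(p, b, aP)                   # (aP)^b mod p
    return {"aP": aP, "bP": bP, "x_alice": x_alice, "x_bob": x_bob,
            "key_alice": derive_key(p, x_alice), "key_bob": derive_key(p, x_bob)}


if __name__ == "__main__":
    toy = exchange(23, 4, 3, 7)                       # p = 23, g = 4, a = 3, b = 7
    print("toy:", toy["aP"], toy["bP"], toy["x_alice"], toy["x_bob"])   # 18 8 6 6
    print("recovered a from aP:", brute_force_dlog(23, 4, toy["aP"]))     # 3
    p = generate_safe_prime(64)                       # small for speed; use >= 2048 bits in practice
    real = exchange(p, subgroup_generator(p), random_private(p), random_private(p))
    print("64-bit group agrees:", real["x_alice"] == real["x_bob"])       # True
```

The subgroup check in `is_valid_public_value` is the part most often skipped in hand-rolled implementations: without it a peer can send a value of small order and confine the shared secret to a handful of possibilities, regardless of how large p is.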

Diffie–Hellman in Recent Works

“Neural Cryptography Based on Complex-Valued Neural Network,” a paper by Tao Dong and Tingwen Huang published in December 2019, describes how neural cryptography can serve as a public key exchange scheme based on the principle of neural network synchronization.2 The approach uses two neural networks that update themselves by exchanging each other’s output and applying a learning rule. In a neural network, a weight is a numeric value that represents the strength of the connection between two nodes; the larger its magnitude, the more influence that connection has on the network’s output. Once synchronization completes, the weights of the two networks are identical, and those weights can be used as the secret key. Earlier neural cryptography work used real-valued networks; Dong and Huang’s contribution is a complex-valued model, neural cryptography based on the Complex-Valued Tree Parity Machine (CVTPM),3 in which the input, output, and weights of the CVTPM are complex values. The Tree Parity Machine (TPM)4 is a special type of multilayer feed-forward neural network consisting of one output neuron, K hidden neurons, and K×N input neurons. Inputs take the values –1, 0, or +1; each hidden neuron outputs the sign of its weighted input sum, and the output of the TPM, the product of the hidden outputs, is binary. Compared to the TPM, the CVTPM model offers two advantages: (1) higher security with the same number of hidden units, input neurons, and synaptic depth; and (2) the two parties can exchange two group keys in one neural synchronization process. In a TPM, the synaptic depth L is the bound on the integer weights, which take values in {–L, …, +L}; it is not a count of network layers. A larger L gives each weight more possible states, which slows an attacker’s synchronization far more than it slows the legitimate parties’.

Development of Cryptographic Concepts

Dong and Huang’s security argument for CVTPM rests on two conditions:

  1. Increasing the synaptic depth L of the CVTPM causes the average time for the two legitimate networks to synchronize to grow at a polynomial rate.
  2. The average time for an eavesdropper E, using the same network architecture and learning algorithm, to synchronize with the legitimate parties grows at an exponential rate in L.

The input, output, and weights of the CVTPM are complex values, and the security and synchronization time of the CVTPM are calculated. The experiments reported in the paper conclude that security is higher for the CVTPM than for the TPM with the same hidden units, input neurons, and synaptic depth, and that two parties communicating with the CVTPM can exchange two group keys in a single neural synchronization process.
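
To make the synchronization idea concrete, here is an added example (not the authors’ code) of the simpler real-valued TPM that Dong and Huang extend: two machines with the same architecture, fed identical random inputs, exchange only their binary outputs and apply the Hebbian learning rule, and stop when their weights coincide. The ±1 inputs, the parameters K = 3, N = 8, L = 3, the fixed random seed, and the SHA-256 step that turns the final weights into a key are assumptions of this example. A passive eavesdropper with the same architecture is included to show what the two conditions above are about: she sees only the public outputs, so she can update only in rounds where the two parties’ outputs agree.

```python
import hashlib
import random

# Added example, not the paper's code: a real-valued Tree Parity Machine (TPM)
# with K hidden units, N inputs per hidden unit and synaptic depth L, i.e.
# integer weights in {-L, ..., +L}. Inputs are +/-1 (an assumption; the article
# describes inputs in {-1, 0, +1}).


class TreeParityMachine:
    def __init__(self, K, N, L, rng):
        self.K, self.N, self.L = K, N, L
        self.W = [[rng.randint(-L, L) for _ in range(N)] for _ in range(K)]
        self.sigma, self.tau = [1] * K, 1

    def output(self, X):
        """Hidden unit k outputs the sign of w_k . x_k; the TPM output is their product."""
        self.sigma = [1 if sum(w * x for w, x in zip(wk, xk)) > 0 else -1
                      for wk, xk in zip(self.W, X)]
        self.tau = 1
        for s in self.sigma:
            self.tau *= s
        return self.tau

    def hebbian_update(self, X, partner_tau):
        """Learn only when both outputs agree, and only in hidden units that
        agreed with the output; weights are clipped to the synaptic depth."""
        if self.tau != partner_tau:
            return
        for k in range(self.K):
            if self.sigma[k] != self.tau:
                continue
            self.W[k] = [max(-self.L, min(self.L, w + x * self.tau))
                         for w, x in zip(self.W[k], X[k])]


def key_from_weights(W):
    """The synchronized weights are the shared secret; hash them into a fixed-size key."""
    flat = ",".join(str(w) for row in W for w in row)
    return hashlib.sha256(flat.encode()).digest()


def synchronize(K=3, N=8, L=3, seed=7, max_rounds=200000):
    """Run mutual learning until Alice's and Bob's weights are identical."""
    rng = random.Random(seed)
    alice = TreeParityMachine(K, N, L, rng)
    bob = TreeParityMachine(K, N, L, rng)
    eve = TreeParityMachine(K, N, L, rng)            # passive attacker, same architecture
    for rounds in range(1, max_rounds + 1):
        X = [[rng.choice((-1, 1)) for _ in range(N)] for _ in range(K)]  # public input
        tau_a, tau_b = alice.output(X), bob.output(X)  # only these bits cross the channel
        eve.output(X)
        alice.hebbian_update(X, tau_b)
        bob.hebbian_update(X, tau_a)
        if tau_a == tau_b:                            # Eve's simple attack: learn when the
            eve.hebbian_update(X, tau_a)              # public outputs agree and hers matches
        if alice.W == bob.W:
            return {"rounds": rounds,
                    "weights_alice": alice.W, "weights_bob": bob.W,
                    "key_alice": key_from_weights(alice.W),
                    "key_bob": key_from_weights(bob.W),
                    "eve_synchronized": eve.W == alice.W}
    return {"rounds": None}


if __name__ == "__main__":
    result = synchronize()
    print("rounds to synchronize:", result["rounds"])
    print("shared key:", result["key_alice"].hex())
    print("eve synchronized at the same time:", result["eve_synchronized"])
```

With these tiny parameters Eve sometimes keeps up, which is exactly why the paper’s argument is stated in terms of synaptic depth: the legitimate parties’ synchronization time grows polynomially in L while the attacker’s grows exponentially, so security comes from choosing L large, not from the learning rule alone.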

Enabling Advancement in Cryptography

Diffie and Hellman’s “New Directions in Cryptography” is considered a groundbreaking study in the field of cryptography because it introduced the ideas of public key cryptography and digital signatures. Public key cryptography and digital signatures are foundational to many of the security protocols in use today.

“Neural Cryptography Based on Complex-Valued Neural Network” by Dong and Huang draws inspiration from Diffie and Hellman’s “New Directions in Cryptography.” Dong and Huang’s work has in turn been cited by researchers in machine learning, supervised learning, synchronization, and neural networks. For example, Khan et al., in “Information Fusion in Autonomous Vehicle Using Artificial Neural Group Key Synchronization,” propose information fusion as the foundation for intelligent decision making in autonomous vehicles.5 Data of many types originate from multiple sources, and to share them a variety of communication methods must be integrated into the vehicle’s infrastructure. Existing information fusion security frameworks are limited to applications that cannot fulfill the requirements of Mutual Intelligent Transportation Systems (MITS). Khan et al. propose a data fusion security infrastructure for V2X heterogeneous networks that can handle multiple levels of trust, offering an efficient information fusion security mechanism for the many sources and data types that need to be shared; it requires an area-based public key infrastructure (PKI) architecture. Because V2X data transfer delay requirements are stringent, the required speed for the artificial neural synchronization–based group key exchange is provided by a graphics processing unit (GPU).

Past Research Made Relevant Today

Before Diffie and Hellman proposed public key cryptography, secure communications relied on symmetric keys; that is, the same key was used to encrypt and decrypt messages. Diffie and Hellman introduced asymmetric keys with the sentence: “We stand today on the brink of a revolution in cryptography.”6 That claim has held up. Two parties with no prior arrangement for security must establish a secure channel and, at the same time, verify the identity of the other party. When the Advanced Research Projects Agency Network (ARPANET) was established and began to evolve into today’s Internet,7 trust between communicating parties was the greatest need. Without public key techniques such as Diffie–Hellman, key establishment between strangers would have depended on costly, slow, out-of-band key distribution. Using a one-way function (modular exponentiation), the communicating parties each compute the same secret number, the key, which is known only to them and not to anyone intercepting the exchange. Once that secret is established, the transmission can switch to the traditional, faster symmetric method. Diffie and Hellman created a cryptographic milestone, making it possible to establish a key between unknown parties that need to communicate; their algorithm eliminated the need to distribute secret keys in advance over a secure channel. Nearly five decades later, the Diffie–Hellman algorithm remains in use and inspired the Rivest–Shamir–Adleman (RSA) algorithm,8 as well as later innovations such as elliptic curve cryptography (ECC).9 RSA is based on a private key, which is kept secret, and a public key, which is available to everyone: a message encrypted with the public key can be decrypted only with the private key, and a signature produced with the private key can be verified with the public key.
ECC performs the same exchange in the group of points on an elliptic curve over a finite field instead of the multiplicative group of integers modulo a prime used in the original Diffie–Hellman protocol, giving equivalent security with much shorter keys.

Addressing Today’s Security Needs

The security of the Diffie–Hellman algorithm, which is used primarily for key exchange, rests on the difficulty of computing discrete logarithms in the chosen group. The algorithm underlies many Internet protocols that enhance security, including:

  • Secure Shell (SSH)—SSH is a secure network protocol for logging into remote machines and transferring files. Its key exchange uses Diffie–Hellman (over finite fields or elliptic curves) to establish session keys between client and server, and the server’s host key authenticates the exchange.
  • Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL)—encryption protocols used to protect online communications. They use Diffie–Hellman (ephemeral finite-field or elliptic-curve variants) for session key establishment, protecting confidentiality and integrity against eavesdropping and manipulation; TLS 1.3 removed static RSA key transport, so its handshakes establish fresh keys with ephemeral Diffie–Hellman.
  • Public key infrastructure (PKI)—PKI uses digital certificates and certificate authorities to bind identities to public keys. It does not itself perform key exchange; rather, certificates supply the authentication that a Diffie–Hellman exchange lacks on its own, preventing an attacker from substituting their own public values.
  • Internet Key Exchange (IKE)—IKE is the key management protocol for virtual private network (VPN) connections; it uses Diffie–Hellman to establish the secret from which the IPsec encryption keys are derived.
  • Internet Protocol Security (IPsec)—IPsec protects IP traffic and relies on IKE’s Diffie–Hellman exchange to agree on keys securely while preserving the confidentiality and integrity of data transmission.

There are numerous benefits of the Diffie–Hellman algorithm. However, it also has limitations:10

  • On its own it provides no authentication, so an unauthenticated exchange is vulnerable to man-in-the-middle (MITM) attacks: an attacker who substitutes their own public values ends up sharing a separate key with each party.
  • It is useful only for establishing a shared secret for symmetric encryption.
  • It is computationally intensive in terms of CPU resources and time (modular exponentiation with large parameters).
  • It cannot itself encrypt information.
  • It cannot produce digital signatures.
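
The first limitation is the one that bites in practice, so here is an added example (not from the original article) that runs it both ways: an unauthenticated exchange in which an attacker, Mallory, substitutes her own public value in each direction, and the same exchange with a key-confirmation step in which each party MACs its view of the transcript under a pre-shared authentication key. The toy group (p = 23, g = 4), the private values, the attacker’s name and the pre-shared key are assumptions of this example; real protocols supply the authentication with certificates (TLS) or host keys (SSH) rather than a pre-shared key, but the principle is the same: the exchange is only as trustworthy as whatever vouches for the public values.

```python
import hashlib
import hmac

# Added example, not code from the original article. Toy safe-prime group
# (p = 23, q = 11, g = 4 of order 11); the attack does not depend on group size.
P, G = 23, 4
WIDTH = (P.bit_length() + 7) // 8


def dh_public(priv):
    return pow(G, priv, P)


def dh_shared(priv, peer_public):
    return pow(peer_public, priv, P)


def key_from(x):
    return hashlib.sha256(x.to_bytes(WIDTH, "big")).digest()


def unauthenticated_mitm(a, b, m):
    """Mallory (private m) intercepts both public values and replaces each with her own.
    Alice and Bob each 'agree' a key, but with Mallory, not with each other."""
    A, B, M = dh_public(a), dh_public(b), dh_public(m)
    return {
        "alice": key_from(dh_shared(a, M)),              # Alice received M instead of B
        "bob": key_from(dh_shared(b, M)),                # Bob received M instead of A
        "mallory_with_alice": key_from(dh_shared(m, A)),
        "mallory_with_bob": key_from(dh_shared(m, B)),
    }


def confirm_tag(auth_key, sent, received):
    """Key-confirmation MAC over one party's view of the transcript (sent, received)."""
    msg = sent.to_bytes(WIDTH, "big") + received.to_bytes(WIDTH, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


def authenticated_exchange(auth_key, a, b, m=None):
    """Same exchange, but each side MACs (what I sent, what I received) under a
    pre-shared authentication key and the peer checks it against its own view.
    If Mallory (m) substitutes values, the two views of the transcript differ and
    the MACs fail; she cannot forge new ones without auth_key."""
    A, B = dh_public(a), dh_public(b)
    alice_received = B if m is None else dh_public(m)
    bob_received = A if m is None else dh_public(m)
    tag_from_alice = confirm_tag(auth_key, A, alice_received)
    tag_from_bob = confirm_tag(auth_key, B, bob_received)
    bob_accepts = hmac.compare_digest(tag_from_alice, confirm_tag(auth_key, bob_received, B))
    alice_accepts = hmac.compare_digest(tag_from_bob, confirm_tag(auth_key, alice_received, A))
    if not (bob_accepts and alice_accepts):
        return False, None, None                          # abort: transcript mismatch
    return True, key_from(dh_shared(a, alice_received)), key_from(dh_shared(b, bob_received))


if __name__ == "__main__":
    r = unauthenticated_mitm(3, 7, 5)
    print("Alice and Bob agree:", r["alice"] == r["bob"])                        # False
    print("Mallory shares Alice's key:", r["alice"] == r["mallory_with_alice"])  # True
    psk = b"constructed pre-shared authentication key"
    print("honest run accepted:", authenticated_exchange(psk, 3, 7)[0])         # True
    print("MITM run accepted:", authenticated_exchange(psk, 3, 7, m=5)[0])      # False
```

The MAC covers both values each party saw, not just its own; covering only the sent value would let Mallory forward the tags unchanged and pass the check.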

The Diffie–Hellman protocol remains secure against classical computers when its parameters are adequately sized, but not against a sufficiently large quantum computer. Quantum computers exploit quantum mechanical effects, and Shor’s algorithm, run on such a machine, solves the discrete logarithm and integer factorization problems in polynomial time, breaking the keys these schemes rely on. The public key standards for Diffie–Hellman,11 RSA,12 and the Federal Information Processing Standards Publication (FIPS) 186 Digital Signature Standard (DSS)13 are therefore all vulnerable to attack by a quantum computer.14 The cryptographic community is standardizing replacements for the Diffie–Hellman key exchange rather than strengthening it, among them lattice-based, multivariate, and elliptic-curve isogeny constructions; NIST selected the lattice-based scheme CRYSTALS-Kyber for key establishment in 2022, and the isogeny-based candidate SIKE was broken by a classical attack the same year, a reminder that new hardness assumptions need time under scrutiny. In the interim, deployments commonly combine an elliptic-curve Diffie–Hellman exchange with a post-quantum scheme in a hybrid, so that the session stays secure if either component holds. Further research in this area should focus on eliminating the limitations of the algorithm and expanding its use in authentication methods and digital signatures.

Endnotes

1 Diffie, W.; Hellman, M.; "New Directions in Cryptography," IEEE Transactions on Information Theory, vol. 22, iss. 6, p. 644-654, 1976, https://doi.org/10.1109%2FTIT.1976.1055638
2 Dong, T.; Huang, T.; “Neural Cryptography Based on Complex-Valued Neural Network,” IEEE Transactions on Neural Networks and Learning Systems, vol. 31, iss. 11, p. 4999–5004, 2020, https://doi.org/10.1109/TNNLS.2019.2955165
3 Ibid.
4 Ibid.
5 Khan, M. Z.; Sarkar, A.; et al.; “Information Fusion in Autonomous Vehicle Using Artificial Neural Group Key Synchronization,” Sensors, vol. 22, iss. 4, 2022, https://doi.org/10.3390/s22041652
6 Op cit Diffie; Hellman
7 Cs.stanford.edu, “A Brief History of the Internet,” https://cs.stanford.edu/people/eroberts/courses/soco/projects/distributed-computing/html/historyibodyhistory.html
8 Wickramasinghe, S.; “RSA Algorithm in Cryptography: Rivest Shamir Adleman Explained,” Splunk, 15 May 2023, https://www.splunk.com/en_us/blog/learn/rsa-algorithm-cryptography.html
9 Raza, M.; “Elliptic Curve Cryptography: An Introduction,” Splunk, 17 February 2023, https://www.splunk.com/en_us/blog/learn/elliptic-curve-cryptography.html
10 GeeksforGeeks, “Applications and Limitations of Diffie-Hellman Algorithm,” 22 February 2023, https://www.geeksforgeeks.org/applications-and-limitations-of-diffie-hellman-algorithm/
11 National Institute of Standards and Technology, NIST SP 800-56A Rev. 3–Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, USA, April 2018, https://csrc.nist.gov/pubs/sp/800/56/a/r3/final
12 National Institute of Standards and Technology, NIST SP 800-56B Rev. 2–Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography, USA, March 2019, https://csrc.nist.gov/pubs/sp/800/56/b/r2/final
13 National Institute of Standards and Technology, FIPS 186-5–Digital Signature Standard (DSS), USA, 3 February 2023, https://csrc.nist.gov/pubs/fips/186-5/final
14 Moody, D.; “NIST Post-Quantum Cryptography Update,” National Institute of Standards and Technology (NIST), https://csrc.nist.gov/csrc/media/Presentations/2023/nist-post-quantum-cryptography-update/2a-Moody_NIST_PQC_2.pdf

SRIKANTH AMBATIPUDI

Is an IT professional with approximately 25 years of experience, 16 of which have been spent providing dedicated leadership across the domains of IT internal audit and cybersecurity governance, risk, and compliance (GRC), including by performing risk-based and regulatory compliance IT audits. Ambatipudi is skilled in developing and executing audit plans, risk assessments, and mitigation and treatment plans, with an emphasis on implementing controls and remediation plans in alignment with business strategy.
