## Implement Diffie-Hellman

For one of the most important algorithms in cryptography this exercise couldn't be a whole lot easier.

### Warm up with a small prime
Set a variable "p" to 37 and "g" to 5. This algorithm is so easy I'm not even going to explain it. Just do what I do.

Generate "a", a random number mod 37. Now generate "A", which is "g" raised to the "a" power mode 37 --- A = (g**a) % p.

Do the same for "b" and "B".

"A" and "B" are public keys. Generate a session key with them; set "s" to "B" raised to the "a" power mod 37 --- s = (B**a) % p.

Do the same with A**b, check that you come up with the same "s".


In [1]:
p = 37
g = 5

In [2]:
from random import randrange

This is Alice's private key $a$.

In [3]:
a = randrange(1, p)
a

21

This is Alice's public key $A$, which she sends to Bob.

In [4]:
A = pow(g, a, p)
A

23

This is Bob's private key $b$.

In [5]:
b = randrange(1, p)
b

25

This is Bob's public key $B$, which he sends to Alice.

In [6]:
B = pow(g, b, p)
B

19

Shared secret $s$ calculated from Alice's perspective.

In [7]:
s = pow(B, a, p)
s

23

Confirm shared secret $s$ is the same from Bob's perspective.

In [8]:
assert s == pow(A, b, p)

### Turn shared secret into a key
To turn "s" into a key, you can just hash it to create 128 bits of key material (or SHA256 it to create a key for encrypting and a key for a MAC). 

For giggles, let's dissect the provided key derivation for (CryptoHack) DH starter challenges.

In [9]:
import hashlib

In [10]:
sha1 = hashlib.sha1()
sha1.digest_size

20

In [11]:
str(s)

'23'

In [12]:
str(s).encode('ascii')

b'23'

In [13]:
sha1.update(str(s).encode('ascii'))

In [14]:
key = sha1.digest()
key

b'\xd45\xa6\xcd\xd7\x860\r\xff N\xe7\xc2\xef\x94->\x904\xe2'

In [15]:
len(key)

20

In [16]:
print(key[:16], len(key[:16]))

b'\xd45\xa6\xcd\xd7\x860\r\xff N\xe7\xc2\xef\x94-' 16


Ok, that was fun, now repeat the exercise with bignums like in the real world. Here are parameters NIST likes:

```
p:
ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024
e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd
3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec
6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f
24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361
c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552
bb9ed529077096966d670c354e4abc9804f1746c08ca237327fff
fffffffffffff
 
g: 2
```

This is very easy to do in Python or Ruby or other high-level languages that auto-promote fixnums to bignums, but it isn't "hard" anywhere.

Note that you'll need to write your own modexp (this is blackboard math, don't freak out), because you'll blow out your bignum library raising "a" to the 1024-bit-numberth power. You can find modexp routines on Rosetta Code for most languages. 

In [2]:
g = 2
p = int(
"ffffffffffffffffc90fdaa22168c234c4c6628b80dc1cd129024"
"e088a67cc74020bbea63b139b22514a08798e3404ddef9519b3cd"
"3a431b302b0a6df25f14374fe1356d6d51c245e485b576625e7ec"
"6f44c42e9a637ed6b0bff5cb6f406b7edee386bfb5a899fa5ae9f"
"24117c4b1fe649286651ece45b3dc2007cb8a163bf0598da48361"
"c55d39a69163fa8fd24cf5f83655d23dca3ad961c62f356208552"
"bb9ed529077096966d670c354e4abc9804f1746c08ca237327fff"
"fffffffffffff", 16)
p

2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919