Every time you open WhatsApp, Signal, or Telegram, your phone and the other person's phone agree on a secret key. They do it over the public internet — through routers, ISPs, and data centers that could be watching. And they do it without ever sending that key across the wire.
That's not magic. It's Diffie–Hellman key exchange. It's one of the few algorithms where understanding the math makes the result feel more impressive, not less.
The Problem Symmetric Encryption Can't Solve
The obvious way to secure a message: encrypt it with a key, share the key with the recipient. But this just moves the problem — how do you share the key securely in the first place?
If you send the encryption key over the same network as the message, an attacker who can intercept one can intercept both. Symmetric encryption doesn't help here.
Asymmetric encryption looked like the fix. Two keys: a public key anyone can use to encrypt, and a private key only you hold to decrypt. Your friend sends you their public key, you encrypt with it, only they can decrypt.
But it has a hole.
The Man-in-the-Middle Problem
Both sides believe the conversation is private. Neither can detect the interception. This is why certificate authorities exist in TLS — to verify that the public key really belongs to who it claims to belong to.
But Diffie–Hellman takes a different approach entirely: instead of sending keys, both sides derive the same shared secret independently.
How Diffie–Hellman Works
Both parties agree on two public values — a prime p and a base g. These are visible to everyone, including any attacker. That's fine.
p = 23 (prime modulus)
g = 5 (generator base)
Each party picks a private secret they never share:
secretA = 6 // Friend A's private number
secretB = 15 // Friend B's private number
Each computes a public value using modular exponentiation:
publicA = (g ^ secretA) % p = (5^6) % 23 = 15625 % 23 = 8
publicB = (g ^ secretB) % p = (5^15) % 23 = 30517578125 % 23 = 19
They exchange publicA and publicB over the network. The attacker sees these numbers too. Doesn't matter.
Now each side computes the shared key using the other's public value and their own private secret:
sharedA = (publicB ^ secretA) % p = (19^6) % 23 = 47045881 % 23 = 2
sharedB = (publicA ^ secretB) % p = (8^15) % 23 = 35184372088832 % 23 = 2
Both arrive at 2. They never sent 2 anywhere.
This works because of a property of modular exponentiation: (g^a)^b mod p equals (g^b)^a mod p. Both sides are computing the same thing — just from different directions.
Why the Attacker Can't Reverse It
Given publicA = 8, the attacker knows g=5 and p=23. They need to find secretA such that 5^secretA mod 23 = 8. This is the discrete logarithm problem.
For small numbers like these, brute force works. For real-world DH, the prime is 2048–4096 bits long. The number of possible values is astronomically large. No known algorithm makes this feasible.
Small primes (like p=23) are illustrative only. Real DH uses primes large enough that brute force would take longer than the age of the universe. The security of the entire scheme rests on the hardness of the discrete logarithm problem.
The Full Exchange Visualized
Beyond Basic DH — ECDH and Forward Secrecy
Classic Diffie–Hellman works, but modern applications use Elliptic Curve Diffie–Hellman (ECDH). Instead of primes and exponentiation, it uses the geometry of elliptic curves. The hardness guarantee is stronger, and the keys are much smaller.
On top of ECDH, modern protocols add Forward Secrecy: every session generates a fresh, ephemeral key pair. When the session ends, those keys are discarded. If an attacker records your encrypted traffic today and steals your private key next year, they still can't decrypt the old sessions — the ephemeral keys are gone.
ECDH + Forward Secrecy is what Signal, WhatsApp, and TLS 1.3 all use. A 256-bit ECDH key provides the same security as a 3072-bit classic DH key at 6× less wire overhead.
A Minimal JavaScript Implementation
Here's the classic DH exchange in Node.js using the built-in crypto module — no libraries needed:
import { createDiffieHellman } from "crypto";
// Friend A generates group params and their keypair
const alice = createDiffieHellman(2048); // 2048-bit prime
const alicePublic = alice.generateKeys();
const prime = alice.getPrime();
const generator = alice.getGenerator();
// Friend B uses the same group, generates their keypair
const bob = createDiffieHellman(prime, generator);
const bobPublic = bob.generateKeys();
// Each computes the shared secret from the other's public key
const aliceShared = alice.computeSecret(bobPublic);
const bobShared = bob.computeSecret(alicePublic);
console.log(aliceShared.equals(bobShared)); // true
// Both have identical buffers — the shared secret — without ever transmitting itFor production use, prefer ECDH:
import { createECDH } from "crypto";
const alice = createECDH("prime256v1");
const alicePublic = alice.generateKeys();
const bob = createECDH("prime256v1");
const bobPublic = bob.generateKeys();
const aliceShared = alice.computeSecret(bobPublic);
const bobShared = bob.computeSecret(alicePublic);
console.log(aliceShared.equals(bobShared)); // trueWhen to Use Each
Diffie–Hellman doesn't transmit the secret — it transmits the ingredients to independently derive it. The security comes from the fact that the ingredients (public values) cannot be reversed to reveal the private inputs. That asymmetry is the entire trick.