Library

5.6.6 Hybrid Encryption And Key Exchange

Although public-key cryptography provides strong authentication and confidentiality, it is computationally expensive for bulk data. Consequently, most modern secure-communications systems adopt a hybrid encryption approach:

This process, known as a key-exchange protocol, ensures that a secure symmetric key can be established over an insecure channel without pre-shared secrets.

The best-known public-key key-exchange algorithm is the Diffie–Hellman (DH) protocol, introduced in 1976, which allows two parties to derive a shared secret key based on the discrete-logarithm problem rather than integer factorization. In its basic form:

K=Bamod(p)=Abmod(p)
(5.19)

Only the participants, who know a or b, can compute K; an eavesdropper knowing only g, p, A, B cannot feasibly derive the key without solving the discrete logarithm problem. The basic Diffie–Hellman protocol provides key agreement but does not by itself provide authentication; authenticated variants are required in practice.

Elliptic-curve variants such as elliptic-curve Diffie–Hellman (ECDH) now dominate secure-session establishment in TLS 1.3 and IKEv2 VPNs, offering stronger security per bit and faster negotiation than traditional RSA or DH.