2986:. Mallory (an active attacker executing the man-in-the-middle attack) may establish two distinct key exchanges, one with Alice and the other with Bob, effectively masquerading as Alice to Bob, and vice versa, allowing her to decrypt, then re-encrypt, the messages passed between them. Note that Mallory must be in the middle from the beginning and continuing to be so, actively decrypting and re-encrypting messages every time Alice and Bob communicate. If she arrives after the keys have been generated and the encrypted conversation between Alice and Bob has already begun, the attack cannot succeed. If she is ever absent, her previous presence is then revealed to Alice and Bob. They will know that all of their private conversations had been intercepted and decoded by someone in the channel. In most cases it will not help them get Mallory's private key, even if she used the same key for both exchanges.
203:, publicly agree on an arbitrary starting color that does not need to be kept secret. In this example, the color is yellow. Each person also selects a secret color that they keep to themselves – in this case, red and cyan. The crucial part of the process is that Alice and Bob each mix their own secret color together with their mutually shared color, resulting in orange-tan and light-blue mixtures respectively, and then publicly exchange the two mixed colors. Finally, each of them mixes the color they received from the partner with their own private color. The result is a final color mixture (yellow-brown in this case) that is identical to their partner's final color mixture.
188:
5340:
20:
4321:
647:
783:
3015:(DoS) against the protocol variants use ephemeral keys, called D(HE)at attack. The attack exploits that the Diffie–Hellman key exchange allows attackers to send arbitrary numbers that are actually not public keys, triggering expensive modular exponentiation calculations on the victim's side. Another CVE released in 2022 (
508:
2696:
exponents applied) constitutes the shared secret and hence must never be revealed publicly. Thus, each user must obtain their copy of the secret by applying their own private key last (otherwise there would be no way for the last contributor to communicate the final key to its recipient, as that last
2380:
Diffie–Hellman key agreement is not limited to negotiating a key shared by only two participants. Any number of users can take part in an agreement by performing iterations of the agreement protocol and exchanging intermediate data (which does not itself need to be kept secret). For example, Alice,
172:
The system...has since become known as Diffie–Hellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'Diffie–Hellman–Merkle key exchange' if names are to be associated
1823:
The used keys can either be ephemeral or static (long term) key, but could even be mixed, so called semi-static DH. These variants have different properties and hence different use cases. An overview over many variants and some also discussions can for example be found in NIST SP 800-56A. A basic
3134:
concatenated with the password calculated independently on both ends of channel. A feature of these schemes is that an attacker can only test one specific password on each iteration with the other party, and so the system provides good security with relatively weak passwords. This approach is
658:
3037:, consists of four computational steps. The first three steps only depend on the order of the group G, not on the specific number whose finite log is desired. It turns out that much Internet traffic uses one of a handful of groups that are of order 1024 bits or less. By
2324:
The long term public keys need to be transferred somehow. That can be done beforehand in a separate, trusted channel, or the public keys can be encrypted using some partial key agreement to preserve anonymity. For more of such details as well as other improvements like
62:. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.
3969:
195:
Diffie–Hellman key exchange establishes a shared secret between two parties that can be used for secret communication for exchanging data over a public network. An analogy illustrates the concept of public key exchange by using colors instead of very large numbers:
206:
If a third party listened to the exchange, they would only know the common color (yellow) and the first mixed colors (orange-tan and light-blue), but it would be very hard for them to find out the final secret color (yellow-brown). Bringing the analogy back to a
91:
services. However, research published in
October 2015 suggests that the parameters in use for many DH Internet applications at that time are not strong enough to prevent compromise by very well-funded attackers, such as the security services of some countries.
642:{\displaystyle {\color {Blue}A}^{\color {Red}b}{\bmod {\color {Blue}p}}={\color {Blue}g}^{\color {Red}ab}{\bmod {\color {Blue}p}}={\color {Blue}g}^{\color {Red}ba}{\bmod {\color {Blue}p}}={\color {Blue}B}^{\color {Red}a}{\bmod {\color {Blue}p}}}
1858:
It is possible to use ephemeral and static keys in one key agreement to provide more security as for example shown in NIST SP 800-56A, but it is also possible to combine those in a single DH key exchange, which is then called triple DH (3-DH).
3053:
As estimated by the authors behind the Logjam attack, the much more difficult precomputation needed to solve the discrete log problem for a 1024-bit prime would cost on the order of $ 100 million, well within the budget of a large national
3041:
the first three steps of the number field sieve for the most common groups, an attacker need only carry out the last step, which is much less computationally expensive than the first three steps, to obtain a specific logarithm. The
3021:) disclosed that the Diffie–Hellman key exchange implementations may use long private exponents that arguably make modular exponentiation calculations unnecessarily expensive. An attacker can exploit both vulnerabilities together.
2317:
2209:
4289:
4390:, University of Minnesota. Leading cryptography scholar Martin Hellman discusses the circumstances and fundamental insights of his invention of public key cryptography with collaborators Whitfield Diffie and Ralph Merkle at
1632:, may simply substitute her own private / public key pair, plug Bob's public key into her private key, produce a fake shared secret key, and solve for Bob's private key (and use that to solve for the shared secret key).
1627:
Note: It should be difficult for Alice to solve for Bob's private key or for Bob to solve for Alice's private key. If it is not difficult for Alice to solve for Bob's private key (or vice versa), then an eavesdropper,
3050:. The authors needed several thousand CPU cores for a week to precompute data for a single 512-bit prime. Once that was done, individual logarithms could be solved in about a minute using two 18-core Intel Xeon CPUs.
778:{\displaystyle ({\color {Blue}g}^{\color {Red}a}{\bmod {\color {Blue}p}})^{\color {Red}b}{\bmod {\color {Blue}p}}=({\color {Blue}g}^{\color {Red}b}{\bmod {\color {Blue}p}})^{\color {Red}a}{\bmod {\color {Blue}p}}}
3166:, allowing Bob to encrypt a message so that only Alice will be able to decrypt it, with no prior communication between them other than Bob having trusted knowledge of Alice's public key. Alice's public key is
4139:
Whitfield Diffie, Paul C. Van
Oorschot, and Michael J. Wiener "Authentication and Authenticated Key Exchanges", in Designs, Codes and Cryptography, 2, 107–125 (1992), Section 5.2, available as Appendix B to
4019:. Proceedings 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques. Lecture Notes in Computer Science. Vol. 8441. Copenhagen, Denmark. pp. 1–16.
4343:
3077:, of the Diffie–Hellman group should be at least 2048 bits. They estimate that the pre-computation required for a 2048-bit prime is 10 times more difficult than for 1024-bit primes.
1839:
static, static: Would generate a long term shared secret. Does not provide forward secrecy, but implicit authenticity. Since the keys are static it would for example not protect against
2724:
By choosing a more desirable order, and relying on the fact that keys can be duplicated, it is possible to reduce the number of modular exponentiations performed by each participant to
65:
Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical means, such as paper key lists transported by a trusted
4265:
1867:
In 1997 a kind of triple DH was proposed by Simon Blake-Wilson, Don
Johnson, Alfred Menezes in 1997, which was improved by C. Kudla and K. G. Paterson in 2005 and shown to be secure.
3310:
3219:
2681:, the secret is made by raising the current value to every participant's private exponent once, in any order (the first such exponentiation yields the participant's own public key).
2848:
are chosen properly. In particular, the order of the group G must be large, particularly if the same group is used for large amounts of traffic. The eavesdropper has to solve the
1854:. If used in key agreement it could provide implicit one-sided authenticity (the ephemeral side could verify the authenticity of the static side). No forward secrecy is provided.
4188:
3260:
2035:
2067:
211:
exchange using large numbers rather than colors, this determination is computationally expensive. It is impossible to compute in a practical amount of time even for modern
3657:
864:. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel.
2372:. Bob first publishes his three keys to a server, which Alice downloads and verifies the signature on. Alice then initiates the exchange to Bob. The OPK is optional.
2101:
2009:
1972:
1934:
2333:, as well as early messages and additional password authentication, see e.g. US patent "Advanced modular handshake for key agreement and optional authentication".
2701:
These principles leave open various options for choosing in which order participants contribute to keys. The simplest and most obvious solution is to arrange the
5320:
5150:
2217:
2109:
3046:
attack used this vulnerability to compromise a variety of
Internet services that allowed the use of groups whose order was a 512-bit prime number, so called
4765:
3114:
and discard them at the end of the session. The Diffie–Hellman key exchange is a frequent choice for such protocols, because of its fast key generation.
2989:
A method to authenticate the communicating parties to each other is generally needed to prevent this type of attack. Variants of Diffie–Hellman, such as
2868:
and solve the Diffie–Hellman problem, making this and many other public key cryptosystems insecure. Fields of small characteristic may be less secure.
4475:
3717:
173:
with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public key cryptography.
4434:
4893:
2832:, but each participant will have performed only four modular exponentiations, rather than the eight implied by a simple circular arrangement.
4988:
1803:
protocol is a variant that represents an element of G as a point on an elliptic curve instead of as an integer modulo n. Variants using
23:
With Diffie–Hellman key exchange, two parties arrive at a common secret key, without passing the common secret key across the public channel.
3615:
4888:
3691:
4233:
4126:
4617:
3773:
4419:
4179:
232:
3594:
3558:
4796:
4790:
4038:
3399:
4423:
4216:
3531:
3650:
3791:
108:
69:. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a
4914:
4468:
4032:
3948:
3832:
3063:
3123:
3002:
4095:
3924:
Kudla, Caroline; Paterson, Kenneth G. (2005). "Modular
Security Proofs for Key Agreement Protocols". In Roy, Bimal (ed.).
4442: – This demo properly supports very-large key data and enforces the use of prime numbers where required.
3090:
Public key encryption schemes based on the Diffie–Hellman key exchange have been proposed. The first such scheme is the
887:
is a prime of at least 600 digits, then even the fastest modern computers using the fastest known algorithm cannot find
4532:
4168:
3967:, Fay, Bjorn, "Advanced modular handshake for key agreement and optional authentication", issued 2021-06-01
3374:
1808:
111:, the British signals intelligence agency, had previously shown in 1969 how public-key cryptography could be achieved.
4981:
4600:
4557:
4369:
4298:
4274:
3805:
3368:
3062:(NSA). The Logjam authors speculate that precomputation against widely reused 1024-bit DH primes is behind claims in
2856:. This is currently considered difficult for groups whose order is large enough. An efficient algorithm to solve the
1800:
257:. These two values are chosen in this way to ensure that the resulting shared secret can take on any value from 1 to
4522:
5373:
5368:
4512:
4461:
1804:
3849:
2975:
whose outputs are not completely random and can be predicted to some extent, then it is much easier to eavesdrop.
2381:
Bob, and Carol could participate in a Diffie–Hellman agreement as follows, with all operations taken to be modulo
4676:
4537:
3151:
1636:
may attempt to choose a public / private key pair that will make it easy for her to solve for Bob's private key.
5199:
5130:
4701:
953:– she watches what is sent between Alice and Bob, but she does not alter the contents of their communications.
4585:
4339:
2737:
3323:
being the dominant public key algorithm. This is largely for historical and commercial reasons, namely that
3265:
3169:
4974:
4842:
4775:
3095:
2880:
1851:
2692:
is the number of participants in the group) may be revealed publicly, but the final value (having had all
95:
The scheme was published by
Whitfield Diffie and Martin Hellman in 1976, but in 1997 it was revealed that
5315:
5270:
5073:
4939:
4832:
4681:
4595:
4517:
4240:
3344:
3336:
3127:
3070:
2990:
4010:"A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic"
5194:
4691:
4580:
4562:
3384:
3111:
3043:
3034:
3030:
2857:
2849:
2349:. The protocol offers forward secrecy and cryptographic deniability. It operates on an elliptic curve.
908:
4435:
Crypto dream team Diffie & Hellman wins $ 1M 2015 Turing Award (a.k.a. "Nobel Prize of
Computing")
3713:
3228:
3126:(PK) form of Diffie–Hellman to prevent man-in-the-middle attacks. One simple scheme is to compare the
5310:
4944:
4924:
4387:
3933:. Lecture Notes in Computer Science. Vol. 3788. Berlin, Heidelberg: Springer. pp. 549–565.
3462:
3163:
2015:
1653:
4827:
3752:
3476:
2047:
5300:
5290:
5145:
4883:
4654:
4351:
4347:
4331:
3545:
3394:
3332:
3059:
3012:
2983:
2961:
2342:
123:
3902:
3331:. Diffie–Hellman, as elaborated above, cannot directly be used to sign certificates. However, the
5295:
5285:
5078:
5038:
5031:
5016:
5011:
4837:
4484:
4249:
Whitfield Diffie, Proceedings of the IEEE, vol. 76, no. 5, May 1988, pp: 560–577 (1.9MB PDF file)
3681:
2972:
251:
165:
78:
47:
3964:
3626:
3312:. Only Alice can determine the symmetric key and hence decrypt the message because only she has
1633:
1629:
946:
5083:
5026:
4919:
4770:
4709:
4644:
4072:"D(HE)at: A Practical Denial-of-Service Attack on the Finite Field Diffie-Hellman Key Exchange"
3897:
3747:
3540:
3471:
3389:
3047:
920:
115:
39:
3822:
5343:
5189:
5135:
4785:
4542:
4499:
4110:
4055:"RFC 4306 Internet Key Exchange (IKEv2) Protocol". Internet Engineeringrg/web/20150107073645/
3877:
Barker, Elaine; Chen, Lily; Roginsky, Allen; Vassilev, Apostol; Davis, Richard (2018-04-16).
3348:
2950:
2073:
1981:
1944:
1906:
950:
104:
3879:
Recommendation for Pair-Wise Key-Establishment
Schemes Using Discrete Logarithm Cryptography
5305:
5229:
4696:
4507:
4306:
Martin E. Hellman, IEEE Communications
Magazine, May 2002, pp. 42–49. (123kB PDF file)
2892:
2872:
1777:
3857:
Annual
International Conference on the Theory and Applications of Cryptographic Techniques
3732:
8:
5058:
4802:
4391:
3587:
3324:
3055:
2709:
keys rotate around the circle, until eventually every key has been contributed to by all
2326:
879:
would be needed to make this example secure, since there are only 23 possible results of
118:, it provides the basis for a variety of authenticated protocols, and is used to provide
4420:
Summary of ANSI X9.42: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography
4290:
The Code Book: the evolution of secrecy from Mary Queen of Scots to quantum cryptography
3523:
2697:
contributor would have turned the key into the very secret the group wished to protect).
2312:{\displaystyle K=\operatorname {KDF} \left(X^{y},\,X^{b},\,A^{y},\,X,\,Y,\,A,\,B\right)}
2204:{\displaystyle K=\operatorname {KDF} \left(Y^{x},\,B^{x},\,Y^{a},\,X,\,Y,\,A,\,B\right)}
5174:
5158:
5100:
4649:
4572:
4552:
4547:
4527:
4009:
3765:
3489:
3320:
3091:
2750:; this value is sent to E, F, G, and H. In return, participants A, B, C, and D receive
2330:
1847:
927:
need not be large at all, and in practice is usually a small integer (like 2, 3, ...).
836:
take extremely long times to compute by any known algorithm just from the knowledge of
4207:
5234:
5224:
5090:
4909:
4852:
4780:
4666:
4414:
More Modular Exponential (MODP) Diffie–Hellman groups for Internet Key Exchange (IKE)
4294:
4270:
4256:
4164:
4028:
3944:
3925:
3828:
3801:
3356:
3073:, for which no similar attack is known. Failing that, they recommend that the order,
1812:
43:
3316:(the private key). A pre-shared public key also prevents man-in-the-middle attacks.
2978:
In the original description, the Diffie–Hellman exchange by itself does not provide
2717:
keys (ending with their own). However, this requires that every participant perform
5169:
5021:
4755:
4118:
4085:
4020:
3990:
3934:
3907:
3769:
3757:
3550:
3515:
3493:
3481:
861:
74:
55:
4383:
3878:
3017:
3007:
2673:
To extend this mechanism to larger groups, two basic principles must be followed:
3795:
3379:
3107:
2938:
2346:
1829:
138:
119:
4409:
4398:
4090:
4071:
4024:
2826:
Once this operation has been completed all participants will possess the secret
5244:
5164:
5120:
5063:
5048:
4303:
4260:
4252:
4236:
3611:
3519:
3460:
Merkle, Ralph C. (April 1978). "Secure Communications Over Insecure Channels".
2979:
1833:
1687:
100:
96:
59:
4429:
4142:
3761:
187:
5362:
5325:
5280:
5239:
5219:
5110:
5068:
5043:
4122:
4008:
Barbulescu, Razvan; Gaudry, Pierrick; Joux, Antoine; Thomé, Emmanuel (2014).
3554:
2713:
participants (ending with its owner) and each participant has contributed to
1840:
820:– are sent in the clear. The strength of the scheme comes from the fact that
275:
212:
200:
145:
127:
70:
141:, an implementation of public-key cryptography using asymmetric algorithms.
5275:
5115:
5105:
5095:
5053:
4997:
4949:
4929:
3038:
1661:
243:
161:
131:
51:
3485:
2816:
Participants E through H simultaneously perform the same operations using
5254:
4847:
4724:
4284:
4278:
4076:
860:. Such a function that is easy to compute but hard to invert is called a
77:. This key can then be used to encrypt subsequent communications using a
3939:
935:
The chart below depicts who knows what, again with non-secret values in
502:
Both Alice and Bob have arrived at the same values because under mod p,
5214:
5184:
5179:
5140:
4873:
4605:
3911:
3860:
2910:
4246:
4056:
3827:(Second ed.). Springer Science+Business Media. pp. 190–191.
2744:
Participants A, B, C, and D each perform one exponentiation, yielding
5204:
4627:
3262:(unencrypted) together with the message encrypted with symmetric key
2789:
Participant A performs one final exponentiation, yielding the secret
208:
4439:
3069:
To avoid these vulnerabilities, the Logjam authors recommend use of
1604:
is the shared secret key and it is known to both Alice and Bob, but
5249:
5209:
4934:
4868:
4739:
4734:
4729:
4632:
4610:
4350:
external links, and converting useful links where appropriate into
4117:. Springer, Berlin, Heidelberg (published 2001). pp. 332–343.
3686:
3328:
2660:, but cannot use any combination of these to efficiently reproduce
1811:
is a Diffie–Hellman variant that was designed to be secure against
114:
Although Diffie–Hellman key exchange itself is a non-authenticated
88:
4163:(2nd ed.). West Sussex, England: John Wiley & Sons, Ltd.
3339:
signature algorithms are mathematically related to it, as well as
2765:, which they send to C and D, while C and D do the same, yielding
261:–1. Here is an example of the protocol, with non-secret values in
223:
The simplest and the original implementation, later formalized as
4760:
4719:
3588:"Imperfect Forward Secrecy: How Diffie–Hellman Fails in Practice"
66:
3033:
algorithm, which is generally the most effective in solving the
2352:
The protocol uses five public keys. Alice has an identity key IK
148:
algorithm. It credits Hellman, Diffie, and Merkle as inventors.
19:
5125:
4878:
4215:(Technical report). Communications Electronics Security Group.
4187:(Technical report). Communications Electronics Security Group.
3140:
2759:
Participants A and B each perform one exponentiation, yielding
1828:
ephemeral, ephemeral: Usually used for key agreement. Provides
81:
3585:
1764:
Both Alice and Bob are now in possession of the group element
1671:. (This is usually done long before the rest of the protocol;
962:, public (primitive root) base, known to Alice, Bob, and Eve.
923:
and can be done efficiently even for large numbers. Note that
191:
Illustration of the concept behind Diffie–Hellman key exchange
4714:
4671:
4639:
4622:
4416:. T. Kivinen, M. Kojo, SSH Communications Security. May 2003.
3352:
3293:
3243:
3187:
3136:
764:
740:
706:
682:
628:
597:
563:
529:
3327:
created a certificate authority for key signing that became
2968:
is equally secure as any other generator of the same group.
3892:
Blake-Wilson, Simon; Johnson, Don; Menezes, Alfred (1997),
3144:
2840:
The protocol is considered secure against eavesdroppers if
1780:
as long as there is no efficient algorithm for determining
1095:
3891:
3876:
3319:
In practice, Diffie–Hellman is not used in this way, with
1870:
The long term secret keys of Alice and Bob are denoted by
4807:
4661:
4007:
3991:"Specifications >> The X3DH Key Agreement Protocol"
3881:(Report). National Institute of Standards and Technology.
3340:
1639:
4070:
Pfeiffer, Szilárd; Tihanyi, Norbert (25 December 2023).
3682:"GCHQ trio recognised for key to secure shopping online"
3066:
that NSA is able to break much of current cryptography.
3024:
2982:
of the communicating parties and can be vulnerable to a
2835:
2336:
979:, public (prime) modulus, known to Alice, Bob, and Eve.
354:
have the same value 4, but this is usually not the case)
144:
Expired US patent 4,200,770 from 1977 describes the now
3162:
It is also possible to use Diffie–Hellman as part of a
3117:
2993:, may be used instead to avoid these types of attacks.
2879:
should have a large prime factor to prevent use of the
2375:
1608:
to Eve. Note that it is not helpful for Eve to compute
5151:
Cryptographically secure pseudorandom number generator
4111:"On Diffie-Hellman Key Agreement with Short Exponents"
1772:, which can serve as the shared secret key. The group
3651:"The Possibility of Secure Secret Digital Encryption"
3268:
3231:
3172:
2220:
2112:
2076:
2050:
2018:
1984:
1947:
1909:
1679:
are assumed to be known by all attackers.) The group
661:
511:
4445:
4102:
3122:
When Alice and Bob share a password, they may use a
1644:
Here is a more general description of the protocol:
1042:, Alice's public key, known to Alice, Bob, and Eve.
3894:
Key Agreement Protocols and their Security Analysis
2960:is often a small integer such as 2. Because of the
2774:Participant A performs an exponentiation, yielding
156:In 2006, Hellman suggested the algorithm be called
4108:
3616:"The possibility of Non-Secret digital encryption"
3304:
3254:
3213:
2311:
2203:
2095:
2061:
2029:
2003:
1966:
1928:
1071:, Bob's public key, known to Alice, Bob, and Eve.
777:
641:
130:modes (referred to as EDH or DHE depending on the
4334:may not follow Knowledge's policies or guidelines
3841:
3417:Synonyms of Diffie–Hellman key exchange include:
498:Alice and Bob now share a secret (the number 18).
5360:
2949:. A protocol using such a choice is for example
2677:Starting with an "empty" key consisting only of
4069:
2400:The parties generate their private keys, named
1862:
1818:
46:over a public channel and was one of the first
4247:The First Ten Years of Public-Key Cryptography
3848:Castryck, Wouter; Decru, Thomas (April 2023).
3221:. To send her a message, Bob chooses a random
2389:The parties agree on the algorithm parameters
199:The process begins by having the two parties,
137:The method was followed shortly afterwards by
87:Diffie–Hellman is used to secure a variety of
4982:
4469:
4430:Talk by Martin Hellman in 2007, YouTube video
3923:
3847:
3581:
3579:
3577:
3575:
3573:
3571:
3514:
3510:
3508:
3506:
3498:Received August, 1975; revised September 1977
2740:approach, given here for eight participants:
998:, Alice's private key, known only to Alice.
218:
4483:
4178:Williamson, Malcolm J. (January 21, 1974).
4063:
3586:Adrian, David; et al. (October 2015).
2996:
2341:X3DH was initially proposed as part of the
4989:
4975:
4476:
4462:
4384:Oral history interview with Martin Hellman
4206:Williamson, Malcolm J. (August 10, 1976).
4205:
4181:Non-secret encryption using a finite field
4177:
3850:"An efficient key recovery attack on SIDH"
3724:
3568:
3503:
3453:
2964:of the discrete logarithm problem a small
2780:, which it sends to B; similarly, B sends
4370:Learn how and when to remove this message
4209:Thoughts on Cheaper Non-Secret Encryption
4109:van Oorschot, P.C.; Wiener, M.J. (1996).
4089:
3938:
3901:
3751:
3544:
3475:
2300:
2293:
2286:
2279:
2265:
2251:
2192:
2185:
2178:
2171:
2157:
2143:
4440:A Diffie–Hellman demo written in Python3
3820:
3733:"An overview of public key cryptography"
1846:ephemeral, static: For example, used in
1648:Alice and Bob agree on a natural number
796:are kept secret. All the other values –
186:
18:
4158:
4017:Advances in Cryptology – EUROCRYPT 2014
3985:
3983:
3981:
3979:
3927:Advances in Cryptology - ASIACRYPT 2005
3730:
3532:IEEE Transactions on Information Theory
1021:, Bob's private key known only to Bob.
233:multiplicative group of integers modulo
16:Method of exchanging cryptographic keys
5361:
4304:An Overview of Public Key Cryptography
4115:Advances in Cryptology — EUROCRYPT ’96
3459:
3305:{\displaystyle (g^{a})^{b}{\bmod {p}}}
3214:{\displaystyle (g^{a}{\bmod {p}},g,p)}
1898:Triple Diffie–Hellman (3-DH) protocol
1776:satisfies the requisite condition for
1640:Generalization to finite cyclic groups
298:(which is a primitive root modulo 23).
4970:
4457:
4152:
3610:
3150:An example of such a protocol is the
3025:Practical attacks on Internet traffic
2836:Security and practical considerations
2684:Any intermediate value (having up to
2600:An eavesdropper has been able to see
2337:Extended Triple Diffie–Hellman (X3DH)
1886:, as well as the ephemeral key pairs
768:
756:
744:
732:
725:
710:
698:
686:
674:
667:
632:
620:
613:
601:
586:
579:
567:
552:
545:
533:
521:
514:
4797:Naccache–Stern knapsack cryptosystem
4314:
4234:The History of Non-Secret Encryption
3976:
3789:
3400:Post-Quantum Extended Diffie–Hellman
3124:password-authenticated key agreement
3118:Password-authenticated key agreement
2376:Operation with more than two parties
164:'s contribution to the invention of
4403:Diffie–Hellman Key Agreement Method
4057:http://www.ietf.org/rfc/rfc4306.txt
3963:
3694:from the original on 10 August 2014
2945:never reveals the low order bit of
182:
42:of securely generating a symmetric
13:
3420:Diffie–Hellman–Merkle key exchange
3375:Supersingular isogeny key exchange
3101:
2705:participants in a circle and have
2688:−1 exponents applied, where
1852:Integrated Encryption Scheme (IES)
1815:, but it was broken in July 2022.
1809:supersingular isogeny key exchange
1712:Bob picks a random natural number
158:Diffie–Hellman–Merkle key exchange
14:
5385:
4310:
867:Of course, much larger values of
5339:
5338:
4996:
4319:
4269:Boca Raton, Florida: CRC Press.
4266:Handbook of Applied Cryptography
4129:from the original on 2023-02-19.
4098:from the original on 2024-04-22.
4044:from the original on 2020-03-22.
3600:from the original on 2015-09-06.
3564:from the original on 2014-11-29.
3524:"New Directions in Cryptography"
3426:Diffie–Hellman key establishment
3255:{\displaystyle g^{b}{\bmod {p}}}
3110:generate new key pairs for each
2925:is chosen to generate the order
2917:is then only divisible by 2 and
930:
278:publicly agree to use a modulus
4828:Discrete logarithm cryptography
4424:Description of ANSI 9 Standards
4222:from the original on 2004-07-19
4194:from the original on 2017-03-23
4133:
4048:
4001:
3957:
3917:
3885:
3870:
3814:
3783:
3779:from the original on 2016-04-02
3731:Hellman, Martin E. (May 2002),
3663:from the original on 2017-02-16
3152:Secure Remote Password protocol
3094:. A more modern variant is the
2898:is sometimes used to calculate
2801:, while B does the same to get
2030:{\displaystyle X\rightarrow {}}
1878:respectively, with public keys
907:. Such a problem is called the
301:Alice chooses a secret integer
5200:Information-theoretic security
3821:Buchmann, Johannes A. (2013).
3706:
3674:
3643:
3604:
3429:Diffie–Hellman key negotiation
3411:
3283:
3269:
3208:
3173:
2860:would make it easy to compute
2813:; again, C and D do similarly.
2062:{\displaystyle {}\leftarrow Y}
2053:
2022:
752:
720:
694:
662:
177:
1:
3446:
3369:Elliptic-curve Diffie–Hellman
3157:
3085:
3080:
2771:, which they send to A and B.
1807:have also been proposed. The
1801:elliptic curve Diffie–Hellman
359:Bob chooses a secret integer
4843:Non-commutative cryptography
3824:Introduction to Cryptography
3740:IEEE Communications Magazine
3423:Diffie–Hellman key agreement
3355:protocol suite for securing
3096:Integrated Encryption Scheme
2360:. Bob has an identity key IK
1863:Triple Diffie–Hellman (3-DH)
1819:Ephemeral and/or static keys
1683:is written multiplicatively.
7:
5316:Message authentication code
5271:Cryptographic hash function
5074:Cryptographic hash function
4940:Identity-based cryptography
4833:Elliptic-curve cryptography
4091:10.1109/ACCESS.2023.3347422
4025:10.1007/978-3-642-55220-5_1
3362:
3071:elliptic curve cryptography
2786:to A. C and D do similarly.
2368:, and a one-time prekey OPK
1735:Alice computes the element
231:, of the protocol uses the
225:Finite Field Diffie–Hellman
10:
5390:
5195:Harvest now, decrypt later
3147:home networking standard.
3035:discrete logarithm problem
2858:discrete logarithm problem
2596:and uses it as his secret.
2531:and uses it as her secret.
2469:and uses it as her secret.
1462:
1280:
1098:
909:discrete logarithm problem
168:(Hellman, 2006), writing:
5334:
5311:Post-quantum cryptography
5263:
5004:
4966:
4945:Post-quantum cryptography
4902:
4894:Post-Quantum Cryptography
4861:
4820:
4748:
4690:
4571:
4498:
4491:
4453:
4449:
4405:. E. Rescorla. June 1999.
4388:Charles Babbage Institute
3859:: 423–447. Archived from
3810:– via Google Books.
3762:10.1109/MCOM.2002.1006971
3712:
3463:Communications of the ACM
3164:public key infrastructure
2721:modular exponentiations.
1749:Bob computes the element
219:Cryptographic explanation
5301:Quantum key distribution
5291:Authenticated encryption
5146:Random number generation
4159:Gollman, Dieter (2011).
4123:10.1007/3-540-68339-9_29
3792:"Key exchange standards"
3555:10.1109/TIT.1976.1055638
3438:Diffie–Hellman handshake
3432:Exponential key exchange
3405:
3395:Denial-of-service attack
3060:National Security Agency
3013:denial-of-service attack
2997:Denial-of-service attack
2984:man-in-the-middle attack
2973:random number generators
2962:random self-reducibility
2881:Pohlig–Hellman algorithm
2822:as their starting point.
2738:divide-and-conquer-style
2343:Double Ratchet Algorithm
1724:, and sends the element
1701:, and sends the element
124:Transport Layer Security
5374:Public-key cryptography
5369:Key-agreement protocols
5296:Public-key cryptography
5286:Symmetric-key algorithm
5079:Key derivation function
5039:Cryptographic primitive
5032:Authentication protocol
5017:Outline of cryptography
5012:History of cryptography
4838:Hash-based cryptography
4485:Public-key cryptography
3797:Real World Cryptography
3435:Diffie–Hellman protocol
3143:, which is used by the
3106:Protocols that achieve
2356:and an ephemeral key EK
2327:side channel protection
2096:{\displaystyle Y=g^{y}}
2004:{\displaystyle X=g^{x}}
1967:{\displaystyle B=g^{b}}
1929:{\displaystyle A=g^{a}}
166:public-key cryptography
151:
5084:Secure Hash Algorithms
5027:Cryptographic protocol
3390:Modular exponentiation
3385:Diffie–Hellman problem
3306:
3256:
3215:
2850:Diffie–Hellman problem
2544:and sends it to Alice.
2501:and sends it to Alice.
2479:and sends it to Carol.
2447:and sends it to Carol.
2313:
2205:
2097:
2063:
2031:
2005:
1968:
1930:
939:, and secret values in
921:modular exponentiation
779:
643:
367:= 3, then sends Alice
346:(in this example both
265:, and secret values in
192:
175:
116:key-agreement protocol
24:
5190:End-to-end encryption
5136:Cryptojacking malware
4500:Integer factorization
4239:1987 (28K PDF file) (
4143:U.S. patent 5,724,425
3714:US patent 4200770
3486:10.1145/359460.359473
3307:
3257:
3225:and then sends Alice
3216:
2971:If Alice and Bob use
2913:, since the order of
2891:. For this reason, a
2364:, a signed prekey SPK
2314:
2206:
2098:
2064:
2032:
2006:
1969:
1931:
1686:Alice picks a random
911:. The computation of
780:
644:
252:primitive root modulo
190:
170:
105:Malcolm J. Williamson
22:
5306:Quantum cryptography
5230:Trusted timestamping
4340:improve this article
4293:New York: Doubleday
3790:Wong, David (2021).
3623:CESG Research Report
3266:
3229:
3170:
3064:leaked NSA documents
2893:Sophie Germain prime
2566:and sends it to Bob.
2425:and sends it to Bob.
2218:
2110:
2074:
2048:
2016:
1982:
1945:
1907:
1894:. Then protocol is:
1805:hyperelliptic curves
1778:secure communication
883:mod 23. However, if
659:
509:
309:= 4, then sends Bob
48:public-key protocols
5059:Cryptographic nonce
4803:Three-pass protocol
4392:Stanford University
4352:footnote references
3940:10.1007/11593447_30
3056:intelligence agency
1899:
1466:
1284:
1102:
652:More specifically,
5175:Subliminal channel
5159:Pseudorandom noise
5101:Key (cryptography)
4573:Discrete logarithm
4257:van Oorschot, Paul
4153:General references
3912:10.1007/BFb0024447
3690:. 5 October 2010.
3520:Hellman, Martin E.
3302:
3252:
3211:
3092:ElGamal encryption
3031:number field sieve
3005:released in 2021 (
2309:
2201:
2093:
2059:
2027:
2001:
1964:
1926:
1897:
1848:ElGamal encryption
1464:
1282:
1100:
775:
772:
760:
748:
736:
729:
714:
702:
690:
678:
671:
639:
636:
624:
617:
605:
593:
583:
571:
559:
549:
537:
525:
518:
193:
160:in recognition of
38:is a mathematical
25:
5356:
5355:
5352:
5351:
5235:Key-based routing
5225:Trapdoor function
5091:Digital signature
4962:
4961:
4958:
4957:
4910:Digital signature
4853:Trapdoor function
4816:
4815:
4533:Goldwasser–Micali
4394:in the mid-1970s.
4380:
4379:
4372:
4161:Computer Security
4034:978-3-642-55220-5
3950:978-3-540-32267-2
3834:978-1-4419-9003-7
3522:(November 1976).
3516:Diffie, Whitfield
3357:Internet Protocol
3351:component of the
3058:such as the U.S.
2322:
2321:
1813:quantum computers
1799:For example, the
1594:
1593:
1590:
1589:
1460:
1459:
1278:
1277:
44:cryptographic key
5381:
5342:
5341:
5170:Insecure channel
5022:Classical cipher
4991:
4984:
4977:
4968:
4967:
4799:
4700:
4695:
4655:signature scheme
4558:Okamoto–Uchiyama
4496:
4495:
4478:
4471:
4464:
4455:
4454:
4451:
4450:
4447:
4446:
4422:(64K PDF file) (
4375:
4368:
4364:
4361:
4355:
4323:
4322:
4315:
4279:Available online
4230:
4228:
4227:
4221:
4214:
4202:
4200:
4199:
4193:
4186:
4174:
4146:
4145:
4137:
4131:
4130:
4106:
4100:
4099:
4093:
4067:
4061:
4060:
4052:
4046:
4045:
4043:
4014:
4005:
3999:
3998:
3995:Signal Messenger
3987:
3974:
3973:
3972:
3968:
3961:
3955:
3954:
3942:
3932:
3921:
3915:
3914:
3905:
3889:
3883:
3882:
3874:
3868:
3867:
3865:
3854:
3845:
3839:
3838:
3818:
3812:
3811:
3787:
3781:
3780:
3778:
3755:
3737:
3728:
3722:
3721:
3720:
3716:
3710:
3704:
3703:
3701:
3699:
3678:
3672:
3671:
3669:
3668:
3662:
3655:
3647:
3641:
3640:
3638:
3637:
3631:
3625:. Archived from
3620:
3614:(January 1970).
3608:
3602:
3601:
3599:
3592:
3583:
3566:
3565:
3563:
3548:
3528:
3512:
3501:
3500:
3479:
3457:
3441:
3415:
3359:communications.
3311:
3309:
3308:
3303:
3301:
3300:
3291:
3290:
3281:
3280:
3261:
3259:
3258:
3253:
3251:
3250:
3241:
3240:
3220:
3218:
3217:
3212:
3195:
3194:
3185:
3184:
2908:
2831:
2821:
2812:
2806:
2800:
2794:
2785:
2779:
2770:
2764:
2755:
2749:
2735:
2669:
2659:
2649:
2639:
2629:
2619:
2609:
2595:
2565:
2543:
2530:
2500:
2478:
2468:
2446:
2424:
2331:key confirmation
2318:
2316:
2315:
2310:
2308:
2304:
2275:
2274:
2261:
2260:
2247:
2246:
2210:
2208:
2207:
2202:
2200:
2196:
2167:
2166:
2153:
2152:
2139:
2138:
2102:
2100:
2099:
2094:
2092:
2091:
2068:
2066:
2065:
2060:
2052:
2036:
2034:
2033:
2028:
2026:
2010:
2008:
2007:
2002:
2000:
1999:
1973:
1971:
1970:
1965:
1963:
1962:
1935:
1933:
1932:
1927:
1925:
1924:
1900:
1896:
1759:
1745:
1623:
1618:
1612:
1601:
1584:
1563:
1558:
1553:
1548:
1522:
1514:
1501:
1496:
1486:
1481:
1467:
1463:
1453:
1448:
1444:
1438:
1427:
1423:
1417:
1405:
1398:
1387:
1383:
1379:
1374:
1364:
1360:
1355:
1345:
1337:
1330:
1319:
1314:
1304:
1299:
1285:
1281:
1271:
1266:
1262:
1256:
1245:
1241:
1235:
1223:
1216:
1205:
1201:
1197:
1192:
1182:
1178:
1173:
1163:
1155:
1148:
1137:
1132:
1122:
1117:
1103:
1099:
1096:
1092:
1087:
1081:
1075:
1069:
1063:
1058:
1052:
1046:
1040:
1033:
1026:
1018:
1010:
1003:
995:
988:
983:
977:
971:
966:
960:
943:
938:
862:one-way function
784:
782:
781:
776:
774:
773:
762:
761:
750:
749:
738:
737:
730:
716:
715:
704:
703:
692:
691:
680:
679:
672:
648:
646:
645:
640:
638:
637:
626:
625:
618:
607:
606:
595:
594:
584:
573:
572:
561:
560:
550:
539:
538:
527:
526:
519:
493:
489:
485:
479:
471:
465:
458:
448:
444:
440:
434:
426:
420:
413:
403:
399:
395:
390:
383:
377:
371:
364:
353:
349:
345:
341:
337:
332:
325:
319:
313:
306:
297:
292:
287:
282:
269:
264:
183:General overview
75:insecure channel
56:Whitfield Diffie
54:and named after
50:as conceived by
5389:
5388:
5384:
5383:
5382:
5380:
5379:
5378:
5359:
5358:
5357:
5348:
5330:
5259:
5000:
4995:
4954:
4898:
4862:Standardization
4857:
4812:
4795:
4744:
4692:Lattice/SVP/CVP
4686:
4567:
4513:Blum–Goldwasser
4487:
4482:
4376:
4365:
4359:
4356:
4337:
4328:This article's
4324:
4320:
4313:
4261:Vanstone, Scott
4253:Menezes, Alfred
4225:
4223:
4219:
4212:
4197:
4195:
4191:
4184:
4171:
4155:
4150:
4149:
4141:
4138:
4134:
4107:
4103:
4068:
4064:
4054:
4053:
4049:
4041:
4035:
4012:
4006:
4002:
3989:
3988:
3977:
3970:
3962:
3958:
3951:
3930:
3922:
3918:
3890:
3886:
3875:
3871:
3863:
3852:
3846:
3842:
3835:
3819:
3815:
3808:
3788:
3784:
3776:
3753:10.1.1.127.2652
3735:
3729:
3725:
3718:
3711:
3707:
3697:
3695:
3680:
3679:
3675:
3666:
3664:
3660:
3653:
3649:
3648:
3644:
3635:
3633:
3629:
3618:
3609:
3605:
3597:
3590:
3584:
3569:
3561:
3526:
3513:
3504:
3477:10.1.1.364.5157
3458:
3454:
3449:
3444:
3416:
3412:
3408:
3380:Forward secrecy
3365:
3296:
3292:
3286:
3282:
3276:
3272:
3267:
3264:
3263:
3246:
3242:
3236:
3232:
3230:
3227:
3226:
3190:
3186:
3180:
3176:
3171:
3168:
3167:
3160:
3139:Recommendation
3120:
3108:forward secrecy
3104:
3102:Forward secrecy
3088:
3083:
3027:
2999:
2939:Legendre symbol
2899:
2838:
2830:
2827:
2820:
2817:
2811:
2808:
2805:
2802:
2799:
2796:
2793:
2790:
2784:
2781:
2778:
2775:
2769:
2766:
2763:
2760:
2754:
2751:
2748:
2745:
2729:
2725:
2668:
2664:
2661:
2658:
2654:
2651:
2648:
2644:
2641:
2638:
2634:
2631:
2628:
2624:
2621:
2618:
2614:
2611:
2608:
2604:
2601:
2594:
2590:
2586:
2582:
2578:
2574:
2570:
2564:
2560:
2556:
2552:
2548:
2547:Alice computes
2542:
2538:
2535:
2534:Carol computes
2529:
2525:
2521:
2517:
2513:
2509:
2505:
2504:Alice computes
2499:
2495:
2491:
2487:
2483:
2482:Carol computes
2477:
2473:
2467:
2463:
2459:
2455:
2451:
2450:Carol computes
2445:
2441:
2437:
2433:
2429:
2423:
2419:
2416:
2415:Alice computes
2378:
2371:
2367:
2363:
2359:
2355:
2347:Signal Protocol
2339:
2270:
2266:
2256:
2252:
2242:
2238:
2237:
2233:
2219:
2216:
2215:
2162:
2158:
2148:
2144:
2134:
2130:
2129:
2125:
2111:
2108:
2107:
2087:
2083:
2075:
2072:
2071:
2051:
2049:
2046:
2045:
2025:
2017:
2014:
2013:
1995:
1991:
1983:
1980:
1979:
1958:
1954:
1946:
1943:
1942:
1920:
1916:
1908:
1905:
1904:
1865:
1830:forward secrecy
1821:
1750:
1736:
1642:
1621:
1616:
1614:, which equals
1610:
1599:
1582:
1561:
1556:
1551:
1546:
1520:
1512:
1499:
1494:
1484:
1479:
1451:
1446:
1442:
1436:
1425:
1421:
1415:
1403:
1396:
1385:
1381:
1377:
1372:
1362:
1358:
1353:
1343:
1335:
1328:
1317:
1312:
1302:
1297:
1269:
1264:
1260:
1254:
1243:
1239:
1233:
1221:
1214:
1203:
1199:
1195:
1190:
1180:
1176:
1171:
1161:
1153:
1146:
1135:
1130:
1120:
1115:
1090:
1085:
1079:
1073:
1067:
1061:
1056:
1050:
1044:
1038:
1031:
1024:
1016:
1008:
1001:
993:
986:
981:
975:
969:
964:
958:
941:
936:
933:
767:
763:
755:
751:
743:
739:
731:
724:
723:
709:
705:
697:
693:
685:
681:
673:
666:
665:
660:
657:
656:
631:
627:
619:
612:
611:
600:
596:
585:
578:
577:
566:
562:
551:
544:
543:
532:
528:
520:
513:
512:
510:
507:
506:
491:
487:
483:
477:
469:
463:
456:
446:
442:
438:
432:
424:
418:
411:
408:Alice computes
401:
397:
393:
388:
381:
375:
369:
362:
351:
347:
343:
339:
335:
330:
323:
317:
311:
304:
295:
290:
285:
280:
267:
262:
221:
185:
180:
154:
120:forward secrecy
17:
12:
11:
5:
5387:
5377:
5376:
5371:
5354:
5353:
5350:
5349:
5347:
5346:
5335:
5332:
5331:
5329:
5328:
5323:
5321:Random numbers
5318:
5313:
5308:
5303:
5298:
5293:
5288:
5283:
5278:
5273:
5267:
5265:
5261:
5260:
5258:
5257:
5252:
5247:
5245:Garlic routing
5242:
5237:
5232:
5227:
5222:
5217:
5212:
5207:
5202:
5197:
5192:
5187:
5182:
5177:
5172:
5167:
5165:Secure channel
5162:
5156:
5155:
5154:
5143:
5138:
5133:
5128:
5123:
5121:Key stretching
5118:
5113:
5108:
5103:
5098:
5093:
5088:
5087:
5086:
5081:
5076:
5066:
5064:Cryptovirology
5061:
5056:
5051:
5049:Cryptocurrency
5046:
5041:
5036:
5035:
5034:
5024:
5019:
5014:
5008:
5006:
5002:
5001:
4994:
4993:
4986:
4979:
4971:
4964:
4963:
4960:
4959:
4956:
4955:
4953:
4952:
4947:
4942:
4937:
4932:
4927:
4922:
4917:
4912:
4906:
4904:
4900:
4899:
4897:
4896:
4891:
4886:
4881:
4876:
4871:
4865:
4863:
4859:
4858:
4856:
4855:
4850:
4845:
4840:
4835:
4830:
4824:
4822:
4818:
4817:
4814:
4813:
4811:
4810:
4805:
4800:
4793:
4791:Merkle–Hellman
4788:
4783:
4778:
4773:
4768:
4763:
4758:
4752:
4750:
4746:
4745:
4743:
4742:
4737:
4732:
4727:
4722:
4717:
4712:
4706:
4704:
4688:
4687:
4685:
4684:
4679:
4674:
4669:
4664:
4659:
4658:
4657:
4647:
4642:
4637:
4636:
4635:
4630:
4620:
4615:
4614:
4613:
4608:
4598:
4593:
4588:
4583:
4577:
4575:
4569:
4568:
4566:
4565:
4560:
4555:
4550:
4545:
4540:
4538:Naccache–Stern
4535:
4530:
4525:
4520:
4515:
4510:
4504:
4502:
4493:
4489:
4488:
4481:
4480:
4473:
4466:
4458:
4444:
4443:
4437:
4432:
4427:
4417:
4406:
4395:
4378:
4377:
4332:external links
4327:
4325:
4318:
4312:
4311:External links
4309:
4308:
4307:
4301:
4282:
4250:
4244:
4231:
4203:
4175:
4170:978-0470741153
4169:
4154:
4151:
4148:
4147:
4132:
4101:
4062:
4047:
4033:
4000:
3975:
3956:
3949:
3916:
3884:
3869:
3866:on 2024-09-26.
3840:
3833:
3813:
3806:
3782:
3723:
3705:
3673:
3642:
3603:
3567:
3546:10.1.1.37.9720
3539:(6): 644–654.
3502:
3470:(4): 294–299.
3451:
3450:
3448:
3445:
3443:
3442:
3440:
3439:
3436:
3433:
3430:
3427:
3424:
3421:
3409:
3407:
3404:
3403:
3402:
3397:
3392:
3387:
3382:
3377:
3372:
3364:
3361:
3299:
3295:
3289:
3285:
3279:
3275:
3271:
3249:
3245:
3239:
3235:
3210:
3207:
3204:
3201:
3198:
3193:
3189:
3183:
3179:
3175:
3159:
3156:
3119:
3116:
3103:
3100:
3087:
3084:
3082:
3079:
3026:
3023:
3018:CVE-2022-40735
3011:) disclosed a
3008:CVE-2002-20001
2998:
2995:
2980:authentication
2956:The generator
2937:, so that the
2933:, rather than
2837:
2834:
2828:
2824:
2823:
2818:
2814:
2809:
2803:
2797:
2791:
2787:
2782:
2776:
2772:
2767:
2761:
2757:
2752:
2746:
2727:
2699:
2698:
2682:
2666:
2662:
2656:
2652:
2646:
2642:
2636:
2632:
2626:
2622:
2616:
2612:
2606:
2602:
2598:
2597:
2592:
2588:
2584:
2580:
2576:
2572:
2567:
2562:
2558:
2554:
2550:
2545:
2540:
2536:
2532:
2527:
2523:
2519:
2515:
2511:
2507:
2502:
2497:
2493:
2489:
2485:
2480:
2475:
2470:
2465:
2461:
2457:
2453:
2448:
2443:
2439:
2435:
2431:
2426:
2421:
2417:
2413:
2398:
2377:
2374:
2369:
2365:
2361:
2357:
2353:
2338:
2335:
2320:
2319:
2307:
2303:
2299:
2296:
2292:
2289:
2285:
2282:
2278:
2273:
2269:
2264:
2259:
2255:
2250:
2245:
2241:
2236:
2232:
2229:
2226:
2223:
2213:
2211:
2199:
2195:
2191:
2188:
2184:
2181:
2177:
2174:
2170:
2165:
2161:
2156:
2151:
2147:
2142:
2137:
2133:
2128:
2124:
2121:
2118:
2115:
2104:
2103:
2090:
2086:
2082:
2079:
2069:
2058:
2055:
2043:
2040:
2039:
2037:
2024:
2021:
2011:
1998:
1994:
1990:
1987:
1976:
1975:
1961:
1957:
1953:
1950:
1939:
1937:
1923:
1919:
1915:
1912:
1864:
1861:
1856:
1855:
1844:
1841:replay-attacks
1837:
1820:
1817:
1762:
1761:
1747:
1733:
1710:
1688:natural number
1684:
1660:in the finite
1641:
1638:
1592:
1591:
1588:
1587:
1578:
1575:
1574:
1571:
1567:
1566:
1564:
1542:
1541:
1538:
1534:
1533:
1530:
1526:
1525:
1508:
1505:
1504:
1502:
1490:
1489:
1487:
1475:
1474:
1471:
1461:
1458:
1457:
1455:
1431:
1430:
1428:
1410:
1409:
1407:
1391:
1390:
1388:
1368:
1367:
1365:
1349:
1348:
1339:
1323:
1322:
1320:
1308:
1307:
1305:
1293:
1292:
1289:
1279:
1276:
1275:
1273:
1249:
1248:
1246:
1228:
1227:
1225:
1209:
1208:
1206:
1186:
1185:
1183:
1167:
1166:
1157:
1141:
1140:
1138:
1126:
1125:
1123:
1111:
1110:
1107:
1094:
1093:
1064:
1035:
1012:
989:
972:
932:
929:
786:
785:
771:
766:
759:
754:
747:
742:
735:
728:
722:
719:
713:
708:
701:
696:
689:
684:
677:
670:
664:
650:
649:
635:
630:
623:
616:
610:
604:
599:
592:
589:
582:
576:
570:
565:
558:
555:
548:
542:
536:
531:
524:
517:
500:
499:
496:
495:
494:
451:
450:
449:
406:
405:
404:
357:
356:
355:
299:
220:
217:
213:supercomputers
184:
181:
179:
176:
153:
150:
101:Clifford Cocks
97:James H. Ellis
60:Martin Hellman
28:Diffie–Hellman
15:
9:
6:
4:
3:
2:
5386:
5375:
5372:
5370:
5367:
5366:
5364:
5345:
5337:
5336:
5333:
5327:
5326:Steganography
5324:
5322:
5319:
5317:
5314:
5312:
5309:
5307:
5304:
5302:
5299:
5297:
5294:
5292:
5289:
5287:
5284:
5282:
5281:Stream cipher
5279:
5277:
5274:
5272:
5269:
5268:
5266:
5262:
5256:
5253:
5251:
5248:
5246:
5243:
5241:
5240:Onion routing
5238:
5236:
5233:
5231:
5228:
5226:
5223:
5221:
5220:Shared secret
5218:
5216:
5213:
5211:
5208:
5206:
5203:
5201:
5198:
5196:
5193:
5191:
5188:
5186:
5183:
5181:
5178:
5176:
5173:
5171:
5168:
5166:
5163:
5160:
5157:
5152:
5149:
5148:
5147:
5144:
5142:
5139:
5137:
5134:
5132:
5129:
5127:
5124:
5122:
5119:
5117:
5114:
5112:
5111:Key generator
5109:
5107:
5104:
5102:
5099:
5097:
5094:
5092:
5089:
5085:
5082:
5080:
5077:
5075:
5072:
5071:
5070:
5069:Hash function
5067:
5065:
5062:
5060:
5057:
5055:
5052:
5050:
5047:
5045:
5044:Cryptanalysis
5042:
5040:
5037:
5033:
5030:
5029:
5028:
5025:
5023:
5020:
5018:
5015:
5013:
5010:
5009:
5007:
5003:
4999:
4992:
4987:
4985:
4980:
4978:
4973:
4972:
4969:
4965:
4951:
4948:
4946:
4943:
4941:
4938:
4936:
4933:
4931:
4928:
4926:
4923:
4921:
4918:
4916:
4913:
4911:
4908:
4907:
4905:
4901:
4895:
4892:
4890:
4887:
4885:
4882:
4880:
4877:
4875:
4872:
4870:
4867:
4866:
4864:
4860:
4854:
4851:
4849:
4846:
4844:
4841:
4839:
4836:
4834:
4831:
4829:
4826:
4825:
4823:
4819:
4809:
4806:
4804:
4801:
4798:
4794:
4792:
4789:
4787:
4784:
4782:
4779:
4777:
4774:
4772:
4769:
4767:
4764:
4762:
4759:
4757:
4754:
4753:
4751:
4747:
4741:
4738:
4736:
4733:
4731:
4728:
4726:
4723:
4721:
4718:
4716:
4713:
4711:
4708:
4707:
4705:
4703:
4698:
4693:
4689:
4683:
4680:
4678:
4675:
4673:
4670:
4668:
4665:
4663:
4660:
4656:
4653:
4652:
4651:
4648:
4646:
4643:
4641:
4638:
4634:
4631:
4629:
4626:
4625:
4624:
4621:
4619:
4616:
4612:
4609:
4607:
4604:
4603:
4602:
4599:
4597:
4594:
4592:
4589:
4587:
4584:
4582:
4579:
4578:
4576:
4574:
4570:
4564:
4563:Schmidt–Samoa
4561:
4559:
4556:
4554:
4551:
4549:
4546:
4544:
4541:
4539:
4536:
4534:
4531:
4529:
4526:
4524:
4523:Damgård–Jurik
4521:
4519:
4518:Cayley–Purser
4516:
4514:
4511:
4509:
4506:
4505:
4503:
4501:
4497:
4494:
4490:
4486:
4479:
4474:
4472:
4467:
4465:
4460:
4459:
4456:
4452:
4448:
4441:
4438:
4436:
4433:
4431:
4428:
4425:
4421:
4418:
4415:
4411:
4407:
4404:
4400:
4396:
4393:
4389:
4385:
4382:
4381:
4374:
4371:
4363:
4353:
4349:
4348:inappropriate
4345:
4341:
4335:
4333:
4326:
4317:
4316:
4305:
4302:
4300:
4299:0-385-49531-5
4296:
4292:
4291:
4286:
4283:
4280:
4276:
4275:0-8493-8523-7
4272:
4268:
4267:
4262:
4258:
4254:
4251:
4248:
4245:
4242:
4238:
4235:
4232:
4218:
4211:
4210:
4204:
4190:
4183:
4182:
4176:
4172:
4166:
4162:
4157:
4156:
4144:
4136:
4128:
4124:
4120:
4116:
4112:
4105:
4097:
4092:
4087:
4083:
4079:
4078:
4073:
4066:
4058:
4051:
4040:
4036:
4030:
4026:
4022:
4018:
4011:
4004:
3996:
3992:
3986:
3984:
3982:
3980:
3966:
3960:
3952:
3946:
3941:
3936:
3929:
3928:
3920:
3913:
3909:
3904:
3903:10.1.1.25.387
3899:
3895:
3888:
3880:
3873:
3862:
3858:
3851:
3844:
3836:
3830:
3826:
3825:
3817:
3809:
3807:9781617296710
3803:
3799:
3798:
3793:
3786:
3775:
3771:
3767:
3763:
3759:
3754:
3749:
3745:
3741:
3734:
3727:
3715:
3709:
3693:
3689:
3688:
3683:
3677:
3659:
3652:
3646:
3632:on 2014-10-30
3628:
3624:
3617:
3613:
3607:
3596:
3589:
3582:
3580:
3578:
3576:
3574:
3572:
3560:
3556:
3552:
3547:
3542:
3538:
3534:
3533:
3525:
3521:
3517:
3511:
3509:
3507:
3499:
3495:
3491:
3487:
3483:
3478:
3473:
3469:
3465:
3464:
3456:
3452:
3437:
3434:
3431:
3428:
3425:
3422:
3419:
3418:
3414:
3410:
3401:
3398:
3396:
3393:
3391:
3388:
3386:
3383:
3381:
3378:
3376:
3373:
3370:
3367:
3366:
3360:
3358:
3354:
3350:
3346:
3342:
3338:
3334:
3330:
3326:
3322:
3317:
3315:
3297:
3287:
3277:
3273:
3247:
3237:
3233:
3224:
3205:
3202:
3199:
3196:
3191:
3181:
3177:
3165:
3155:
3153:
3148:
3146:
3142:
3138:
3135:described in
3133:
3129:
3125:
3115:
3113:
3109:
3099:
3097:
3093:
3078:
3076:
3072:
3067:
3065:
3061:
3057:
3051:
3049:
3045:
3040:
3036:
3032:
3022:
3020:
3019:
3014:
3010:
3009:
3004:
2994:
2992:
2987:
2985:
2981:
2976:
2974:
2969:
2967:
2963:
2959:
2954:
2952:
2948:
2944:
2940:
2936:
2932:
2928:
2924:
2920:
2916:
2912:
2906:
2902:
2897:
2894:
2890:
2886:
2882:
2878:
2874:
2869:
2867:
2863:
2859:
2855:
2851:
2847:
2843:
2833:
2815:
2788:
2773:
2758:
2743:
2742:
2741:
2739:
2733:
2722:
2720:
2716:
2712:
2708:
2704:
2695:
2691:
2687:
2683:
2680:
2676:
2675:
2674:
2671:
2569:Bob computes
2568:
2546:
2533:
2503:
2481:
2472:Bob computes
2471:
2449:
2428:Bob computes
2427:
2414:
2411:
2407:
2403:
2399:
2396:
2392:
2388:
2387:
2386:
2384:
2373:
2350:
2348:
2344:
2334:
2332:
2328:
2305:
2301:
2297:
2294:
2290:
2287:
2283:
2280:
2276:
2271:
2267:
2262:
2257:
2253:
2248:
2243:
2239:
2234:
2230:
2227:
2224:
2221:
2214:
2212:
2197:
2193:
2189:
2186:
2182:
2179:
2175:
2172:
2168:
2163:
2159:
2154:
2149:
2145:
2140:
2135:
2131:
2126:
2122:
2119:
2116:
2113:
2106:
2105:
2088:
2084:
2080:
2077:
2070:
2056:
2044:
2042:
2041:
2038:
2019:
2012:
1996:
1992:
1988:
1985:
1978:
1977:
1959:
1955:
1951:
1948:
1940:
1938:
1921:
1917:
1913:
1910:
1902:
1901:
1895:
1893:
1889:
1885:
1881:
1877:
1873:
1868:
1860:
1853:
1849:
1845:
1842:
1838:
1835:
1831:
1827:
1826:
1825:
1816:
1814:
1810:
1806:
1802:
1797:
1795:
1791:
1787:
1783:
1779:
1775:
1771:
1767:
1758:
1754:
1748:
1744:
1740:
1734:
1731:
1727:
1723:
1719:
1715:
1711:
1708:
1704:
1700:
1696:
1692:
1689:
1685:
1682:
1678:
1674:
1670:
1666:
1663:
1659:
1655:
1651:
1647:
1646:
1645:
1637:
1635:
1631:
1625:
1619:
1613:
1607:
1603:
1602:
1586:
1585:
1579:
1577:
1576:
1572:
1569:
1568:
1565:
1559:
1549:
1544:
1543:
1539:
1536:
1535:
1531:
1528:
1527:
1524:
1523:
1516:
1515:
1509:
1507:
1506:
1503:
1497:
1492:
1491:
1488:
1482:
1477:
1476:
1472:
1469:
1468:
1456:
1454:
1440:
1439:
1433:
1432:
1429:
1419:
1418:
1412:
1411:
1408:
1406:
1400:
1399:
1393:
1392:
1389:
1375:
1370:
1369:
1366:
1356:
1351:
1350:
1347:
1346:
1340:
1338:
1332:
1331:
1325:
1324:
1321:
1315:
1310:
1309:
1306:
1300:
1295:
1294:
1290:
1287:
1286:
1274:
1272:
1258:
1257:
1251:
1250:
1247:
1237:
1236:
1230:
1229:
1226:
1224:
1218:
1217:
1211:
1210:
1207:
1193:
1188:
1187:
1184:
1174:
1169:
1168:
1165:
1164:
1158:
1156:
1150:
1149:
1143:
1142:
1139:
1133:
1128:
1127:
1124:
1118:
1113:
1112:
1108:
1105:
1104:
1097:
1088:
1082:
1076:
1070:
1065:
1059:
1053:
1047:
1041:
1036:
1034:
1028:
1027:
1020:
1019:
1013:
1011:
1005:
1004:
997:
996:
990:
984:
978:
973:
967:
961:
956:
955:
954:
952:
948:
944:
931:Secrecy chart
928:
926:
922:
918:
914:
910:
906:
902:
898:
894:
890:
886:
882:
878:
874:
870:
865:
863:
859:
855:
851:
847:
843:
839:
835:
831:
827:
823:
819:
815:
811:
807:
803:
799:
795:
791:
769:
757:
745:
733:
726:
717:
711:
699:
687:
675:
668:
655:
654:
653:
633:
621:
614:
608:
602:
590:
587:
580:
574:
568:
556:
553:
546:
540:
534:
522:
515:
505:
504:
503:
497:
481:
480:
474:
473:
472:
466:
460:
459:
453:Bob computes
452:
436:
435:
429:
428:
427:
421:
415:
414:
407:
391:
386:
385:
384:
378:
372:
366:
365:
358:
333:
328:
327:
326:
320:
314:
308:
307:
300:
293:
283:
277:
276:Alice and Bob
274:
273:
272:
270:
260:
256:
253:
249:
245:
241:
237:
234:
230:
226:
216:
214:
210:
204:
202:
201:Alice and Bob
197:
189:
174:
169:
167:
163:
159:
149:
147:
146:public-domain
142:
140:
135:
133:
129:
125:
121:
117:
112:
110:
106:
102:
98:
93:
90:
85:
83:
80:
79:symmetric-key
76:
72:
71:shared secret
68:
63:
61:
57:
53:
49:
45:
41:
37:
33:
29:
21:
5276:Block cipher
5116:Key schedule
5106:Key exchange
5096:Kleptography
5054:Cryptosystem
4998:Cryptography
4950:OpenPGP card
4930:Web of trust
4590:
4586:Cramer–Shoup
4413:
4402:
4366:
4357:
4342:by removing
4329:
4288:
4285:Singh, Simon
4264:
4241:HTML version
4224:. Retrieved
4208:
4196:. Retrieved
4180:
4160:
4135:
4114:
4104:
4081:
4075:
4065:
4050:
4016:
4003:
3994:
3965:US11025421B2
3959:
3926:
3919:
3893:
3887:
3872:
3861:the original
3856:
3843:
3823:
3816:
3796:
3785:
3746:(5): 42–49,
3743:
3739:
3726:
3708:
3696:. Retrieved
3685:
3676:
3665:. Retrieved
3645:
3634:. Retrieved
3627:the original
3622:
3612:Ellis, J. H.
3606:
3536:
3530:
3497:
3467:
3461:
3455:
3413:
3371:key exchange
3325:RSA Security
3318:
3313:
3222:
3161:
3149:
3131:
3121:
3105:
3089:
3074:
3068:
3052:
3048:export grade
3039:precomputing
3028:
3016:
3006:
3000:
2991:STS protocol
2988:
2977:
2970:
2965:
2957:
2955:
2946:
2942:
2934:
2930:
2929:subgroup of
2926:
2922:
2921:. Sometimes
2918:
2914:
2904:
2900:
2895:
2888:
2884:
2876:
2870:
2865:
2861:
2853:
2845:
2841:
2839:
2825:
2731:
2723:
2718:
2714:
2710:
2706:
2702:
2700:
2693:
2689:
2685:
2678:
2672:
2599:
2409:
2405:
2401:
2394:
2390:
2382:
2379:
2351:
2345:used in the
2340:
2329:or explicit
2323:
1891:
1887:
1883:
1879:
1875:
1871:
1869:
1866:
1857:
1834:authenticity
1822:
1798:
1793:
1789:
1785:
1781:
1773:
1769:
1765:
1763:
1756:
1752:
1742:
1738:
1729:
1725:
1721:
1717:
1716:with 1 <
1713:
1706:
1702:
1698:
1694:
1693:with 1 <
1690:
1680:
1676:
1672:
1668:
1664:
1662:cyclic group
1657:
1649:
1643:
1626:
1615:
1609:
1605:
1598:
1597:
1595:
1581:
1580:
1555:
1545:
1519:
1518:
1511:
1510:
1493:
1478:
1450:
1435:
1434:
1414:
1413:
1402:
1395:
1394:
1371:
1352:
1342:
1341:
1334:
1327:
1326:
1311:
1296:
1268:
1253:
1252:
1232:
1231:
1220:
1213:
1212:
1189:
1170:
1160:
1159:
1152:
1145:
1144:
1129:
1114:
1084:
1078:
1072:
1066:
1055:
1049:
1043:
1037:
1030:
1023:
1022:
1015:
1014:
1007:
1000:
999:
992:
991:
980:
974:
963:
957:
951:eavesdropper
940:
934:
924:
919:is known as
916:
912:
904:
900:
896:
892:
888:
884:
880:
876:
872:
868:
866:
857:
853:
849:
845:
841:
837:
833:
829:
825:
821:
817:
813:
809:
805:
801:
797:
793:
789:
787:
651:
501:
476:
475:
468:
462:
455:
454:
431:
430:
423:
417:
410:
409:
387:
380:
374:
368:
361:
360:
329:
322:
316:
310:
303:
302:
289:
279:
266:
258:
254:
247:
239:
235:
228:
224:
222:
205:
198:
194:
171:
162:Ralph Merkle
157:
155:
143:
136:
132:cipher suite
113:
94:
86:
73:key over an
64:
52:Ralph Merkle
36:key exchange
35:
31:
27:
26:
5264:Mathematics
5255:Mix network
4920:Fingerprint
4884:NSA Suite B
4848:RSA problem
4725:NTRUEncrypt
4084:: 957–980.
4077:IEEE Access
3800:. Manning.
2909:, called a
891:given only
178:Description
5363:Categories
5215:Ciphertext
5185:Decryption
5180:Encryption
5141:Ransomware
4874:IEEE P1363
4492:Algorithms
4360:March 2016
4226:2015-08-25
4198:2017-03-22
3667:2017-07-08
3636:2015-08-28
3447:References
3158:Public key
3086:Encryption
3081:Other uses
2911:safe prime
2883:to obtain
2852:to obtain
1654:generating
5205:Plaintext
4408:RFC
4397:RFC
4344:excessive
3898:CiteSeerX
3748:CiteSeerX
3541:CiteSeerX
3472:CiteSeerX
2231:
2123:
2054:←
2023:→
1832:, but no
1732:to Alice.
1667:of order
288:and base
209:real-life
128:ephemeral
5344:Category
5250:Kademlia
5210:Codetext
5153:(CSPRNG)
5131:Machines
4935:Key size
4869:CRYPTREC
4786:McEliece
4740:RLWE-SIG
4735:RLWE-KEX
4730:NTRUSign
4543:Paillier
4263:(1997).
4237:JH Ellis
4217:Archived
4189:Archived
4127:Archived
4096:Archived
4039:Archived
3774:archived
3698:5 August
3692:Archived
3687:BBC News
3658:Archived
3595:Archived
3559:Archived
3363:See also
3347:and the
3329:Verisign
2736:using a
1656:element
1473:Unknown
1291:Unknown
1109:Unknown
238:, where
229:RFC 7919
89:Internet
5005:General
4781:Lamport
4761:CEILIDH
4720:NewHope
4667:Schnorr
4650:ElGamal
4628:Ed25519
4508:Benaloh
4338:Please
4330:use of
4287:(1999)
3770:9504647
3494:6967714
3333:ElGamal
3112:session
1903:Alice (
1709:to Bob.
1573:
1570:
1540:
1537:
1532:
1529:
945:. Here
67:courier
5126:Keygen
4903:Topics
4879:NESSIE
4821:Theory
4749:Others
4606:X25519
4297:
4273:
4167:
4031:
3971:
3947:
3900:
3831:
3804:
3768:
3750:
3719:
3543:
3492:
3474:
3141:X.1035
3044:Logjam
2650:, and
2575:) mod
2553:) mod
2510:) mod
2488:) mod
2474:g mod
2456:) mod
2434:) mod
2408:, and
1824:list:
1792:, and
1784:given
1652:and a
1470:Known
1288:Known
1106:Known
1101:Alice
949:is an
875:, and
852:, and
812:, and
246:, and
103:, and
82:cipher
40:method
5161:(PRN)
4715:Kyber
4710:BLISS
4672:SPEKE
4640:ECMQV
4633:Ed448
4623:EdDSA
4618:ECDSA
4548:Rabin
4220:(PDF)
4213:(PDF)
4192:(PDF)
4185:(PDF)
4042:(PDF)
4013:(PDF)
3931:(PDF)
3864:(PDF)
3853:(PDF)
3777:(PDF)
3766:S2CID
3736:(PDF)
3661:(PDF)
3654:(PDF)
3630:(PDF)
3619:(PDF)
3598:(PDF)
3591:(PDF)
3562:(PDF)
3527:(PDF)
3490:S2CID
3406:Notes
3353:IPsec
3137:ITU-T
2951:IKEv2
2873:order
2734:) + 1
1941:Bob (
1760:of G.
1746:of G.
1720:<
1697:<
788:Only
250:is a
244:prime
4915:OAEP
4889:CNSA
4766:EPOC
4611:X448
4601:ECDH
4410:3526
4399:2631
4295:ISBN
4271:ISBN
4165:ISBN
4029:ISBN
3945:ISBN
3829:ISBN
3802:ISBN
3700:2014
3335:and
3145:G.hn
3128:hash
3029:The
2871:The
2844:and
2665:mod
2655:mod
2645:mod
2635:mod
2625:mod
2615:mod
2605:mod
2591:mod
2583:mod
2561:mod
2539:mod
2526:mod
2518:mod
2496:mod
2464:mod
2442:mod
2420:mod
2393:and
1892:y, Y
1890:and
1888:x, X
1882:and
1874:and
1755:) =
1741:) =
1675:and
1620:mod
1596:Now
1465:Eve
1445:mod
1424:mod
1380:mod
1361:mod
1283:Bob
1263:mod
1242:mod
1198:mod
1179:mod
1083:mod
1054:mod
937:blue
915:mod
903:mod
899:and
856:mod
848:mod
832:mod
824:mod
816:mod
808:mod
792:and
486:mod
467:mod
441:mod
422:mod
396:mod
379:mod
350:and
338:mod
321:mod
263:blue
152:Name
109:GCHQ
58:and
4925:PKI
4808:XTR
4776:IES
4771:HFE
4702:SIS
4697:LWE
4682:STS
4677:SRP
4662:MQV
4645:EKE
4596:DSA
4581:BLS
4553:RSA
4528:GMR
4346:or
4277:. (
4119:doi
4086:doi
4021:doi
3935:doi
3908:doi
3758:doi
3551:doi
3482:doi
3349:IKE
3345:STS
3341:MQV
3337:DSA
3321:RSA
3294:mod
3244:mod
3188:mod
3130:of
3003:CVE
2941:of
2907:+ 1
2903:= 2
2887:or
2875:of
2864:or
2726:log
2228:KDF
2120:KDF
1850:or
1728:of
1705:of
1634:Eve
1630:Eve
1606:not
947:Eve
942:red
765:mod
741:mod
707:mod
683:mod
629:mod
598:mod
564:mod
530:mod
268:red
242:is
227:in
139:RSA
134:).
126:'s
122:in
107:of
5365::
4756:AE
4591:DH
4412:–
4401:–
4386:,
4259:;
4255:;
4125:.
4113:.
4094:.
4082:12
4080:.
4074:.
4037:.
4027:.
4015:.
3993:.
3978:^
3943:.
3906:,
3896:,
3855:.
3794:.
3772:,
3764:,
3756:,
3744:40
3742:,
3738:,
3684:.
3656:.
3621:.
3593:.
3570:^
3557:.
3549:.
3537:22
3535:.
3529:.
3518:;
3505:^
3496:.
3488:.
3480:.
3468:21
3466:.
3343:,
3154:.
3098:.
3001:A
2953:.
2807:=
2795:=
2670:.
2640:,
2630:,
2620:,
2610:,
2587:=
2579:=
2557:=
2522:=
2514:=
2492:=
2460:=
2438:=
2404:,
2385::
1974:)
1936:)
1796:.
1788:,
1768:=
1624:.
1611:AB
1562:19
1560:=
1554:,
1550:=
1517:,
1498:=
1485:23
1483:=
1449:=
1447:23
1441:=
1426:23
1420:=
1401:=
1386:19
1384:=
1382:23
1376:=
1363:23
1357:=
1336:15
1333:=
1316:=
1303:23
1301:=
1267:=
1265:23
1261:19
1259:=
1244:23
1238:=
1222:19
1219:=
1202:=
1200:23
1194:=
1181:23
1175:=
1151:=
1134:=
1121:23
1119:=
1091:19
1089:=
1077:=
1060:=
1048:=
1032:15
1029:=
1006:=
987:23
985:=
968:=
895:,
871:,
844:,
840:,
828:=
804:,
800:,
492:18
490:=
488:23
482:=
461:=
447:18
445:=
443:23
439:10
437:=
416:=
402:10
400:=
398:23
392:=
373:=
342:=
340:23
334:=
315:=
294:=
286:23
284:=
271:.
215:.
99:,
84:.
34:)
32:DH
4990:e
4983:t
4976:v
4699:/
4694:/
4477:e
4470:t
4463:v
4426:)
4373:)
4367:(
4362:)
4358:(
4354:.
4336:.
4281:)
4243:)
4229:.
4201:.
4173:.
4121::
4088::
4059:.
4023::
3997:.
3953:.
3937::
3910::
3837:.
3760::
3702:.
3670:.
3639:.
3553::
3484::
3314:a
3298:p
3288:b
3284:)
3278:a
3274:g
3270:(
3248:p
3238:b
3234:g
3223:b
3209:)
3206:p
3203:,
3200:g
3197:,
3192:p
3182:a
3178:g
3174:(
3132:s
3075:p
2966:g
2958:g
2947:a
2943:g
2935:G
2931:G
2927:q
2923:g
2919:q
2915:G
2905:q
2901:p
2896:q
2889:b
2885:a
2877:G
2866:b
2862:a
2854:g
2846:g
2842:G
2829:g
2819:g
2810:g
2804:g
2798:g
2792:g
2783:g
2777:g
2768:g
2762:g
2756:.
2753:g
2747:g
2732:N
2730:(
2728:2
2719:N
2715:N
2711:N
2707:N
2703:N
2694:N
2690:N
2686:N
2679:g
2667:p
2663:g
2657:p
2653:g
2647:p
2643:g
2637:p
2633:g
2627:p
2623:g
2617:p
2613:g
2607:p
2603:g
2593:p
2589:g
2585:p
2581:g
2577:p
2573:g
2571:(
2563:p
2559:g
2555:p
2551:g
2549:(
2541:p
2537:g
2528:p
2524:g
2520:p
2516:g
2512:p
2508:g
2506:(
2498:p
2494:g
2490:p
2486:g
2484:(
2476:p
2466:p
2462:g
2458:p
2454:g
2452:(
2444:p
2440:g
2436:p
2432:g
2430:(
2422:p
2418:g
2412:.
2410:c
2406:b
2402:a
2397:.
2395:g
2391:p
2383:p
2370:B
2366:B
2362:B
2358:A
2354:A
2306:)
2302:B
2298:,
2295:A
2291:,
2288:Y
2284:,
2281:X
2277:,
2272:y
2268:A
2263:,
2258:b
2254:X
2249:,
2244:y
2240:X
2235:(
2225:=
2222:K
2198:)
2194:B
2190:,
2187:A
2183:,
2180:Y
2176:,
2173:X
2169:,
2164:a
2160:Y
2155:,
2150:x
2146:B
2141:,
2136:x
2132:Y
2127:(
2117:=
2114:K
2089:y
2085:g
2081:=
2078:Y
2057:Y
2020:X
1997:x
1993:g
1989:=
1986:X
1960:b
1956:g
1952:=
1949:B
1922:a
1918:g
1914:=
1911:A
1884:B
1880:A
1876:b
1872:a
1843:.
1836:.
1794:g
1790:g
1786:g
1782:g
1774:G
1770:g
1766:g
1757:g
1753:g
1751:(
1743:g
1739:g
1737:(
1730:G
1726:g
1722:n
1718:b
1714:b
1707:G
1703:g
1699:n
1695:a
1691:a
1681:G
1677:n
1673:g
1669:n
1665:G
1658:g
1650:n
1622:p
1617:g
1600:s
1583:s
1557:B
1552:8
1547:A
1521:b
1513:a
1500:5
1495:g
1480:p
1452:2
1443:8
1437:s
1422:A
1416:s
1404:8
1397:A
1378:5
1373:B
1359:5
1354:B
1344:a
1329:b
1318:5
1313:g
1298:p
1270:2
1255:s
1240:B
1234:s
1215:B
1204:8
1196:5
1191:A
1177:5
1172:A
1162:b
1154:6
1147:a
1136:5
1131:g
1116:p
1086:p
1080:g
1074:B
1068:B
1062:8
1057:p
1051:g
1045:A
1039:A
1025:b
1017:b
1009:6
1002:a
994:a
982:p
976:p
970:5
965:g
959:g
925:g
917:p
913:g
905:p
901:g
897:p
893:g
889:a
885:p
881:n
877:p
873:b
869:a
858:p
854:g
850:p
846:g
842:g
838:p
834:p
830:g
826:p
822:g
818:p
814:g
810:p
806:g
802:g
798:p
794:b
790:a
770:p
758:a
753:)
746:p
734:b
727:g
721:(
718:=
712:p
700:b
695:)
688:p
676:a
669:g
663:(
634:p
622:a
615:B
609:=
603:p
591:a
588:b
581:g
575:=
569:p
557:b
554:a
547:g
541:=
535:p
523:b
516:A
484:4
478:s
470:p
464:A
457:s
433:s
425:p
419:B
412:s
394:5
389:B
382:p
376:g
370:B
363:b
352:a
348:A
344:4
336:5
331:A
324:p
318:g
312:A
305:a
296:5
291:g
281:p
259:p
255:p
248:g
240:p
236:p
30:(
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.