2018-09-21 Tavian Barnes Reddit

I recently saw a video that explains Diffie–Hellman key exchange in terms of mixing colors of paint. It's a wonderfully simple and informative analogy, that Wikipedia actually uses as well. If you don't know about Diffie-Hellman, definitely watch the video and/or read the Wikipedia page to get a handle on it—it's not that complicated once you get the "trick." The color analogy intrigued me because I know just enough about both cryptography and color theory to be dangerous. So in this post, I'm going to attack the security of the color exchange protocol. ("Real" Diffie-Hellman remains secure, as far as I know.)

To summarize and somewhat formalize the "DHCE" protocol, suppose we have a $\mathrm{mix}(x, y, r)$ function that mixes the colors $x$ and $y$ in an $r : (1 - r)$ ratio. Starting with a shared, public color $S$ , Alice and Bob do the following:

Alice Bob Picks a secret color $a$ Picks as secret color $b$ Sends $A = \mathrm{mix}(S, a, 1/2)$ Sends $B = \mathrm{mix}(S, b, 1/2)$ Computes $k = \mathrm{mix}(a, B, 1/3)$ Computes $k = \mathrm{mix}(b, A, 1/3)$

In the end, they end up with the same secret color $k$ because paint mixing is associative and commutative, i.e. it doesn't matter what order you mix the paints in. The $1/3$ ratio in the final mixing step is because $A$ and $B$ contain twice as much paint as $a$ and $b$ , and we want the final mixture to contain equal parts of $a$ , $b$ , and $S$ .

But how secret is $k$ , really? In order for it to be secret, our eavesdropper Eve must be unable to feasibly compute $k$ given the public information $S$ , $A$ , and $B$ . How hard this is for her depends on the details of the $\mathrm{mix}$ function, specifically how hard it is to invert. If there were a simple $\mathrm{unmix}(x, y, r)$ function such that $\mathrm{unmix}(S, A, 1/2) = a$ , that would be terrible for the security of our protocol—Eve could trivially compute a and b from the public information, and use them to reconstruct the key. In fact, such a function does exist.

Recall that mixing paint is a subtractive process. That is, each pigment absorbs some wavelengths of light while reflecting others. The mixture of two pigments absorbs much of the light that either pigment would have absorbed, so adding a pigment to another tends to reduce the number of wavelengths that are strongly reflected. Unfortunately for us, literal subtraction is too simplistic to be a realistic model of subtractive color mixing; a weighted geometric average is more accurate. This excellent article by Scott Allen Burns explains why.

An accurate color mixing model would consider the absorption/reflection of many different ranges of wavelengths, but to a first approximation you can pretend that light is only composed of three components: the primary colors red, green, and blue. Either way, pigments can be represented by a vector in $\mathbb{R}^n$ whose components are the reflectivity of that pigment to different ranges of light wavelengths. Our mixing function is then

\mathrm{mix}(x, y, r) = x^r * y^{1-r}

where $x^r$ denotes elementwise exponentiation, and $*$ is elementwise multiplication. The inverse function is then

\mathrm{unmix}(x, y, r) = (y * x^{-r})^{1/(1-r)}.

To break our protocol, Eve simply computes

a = \mathrm{unmix}(S, A, 1/2) = A^2 * S^{-1}

and uses it to compute

k = \mathrm{mix}(a, B, 1/3) = A^{2/3} * B^{2/3} * S^{-1/3}.