The Diffie–Hellman key exchange and its discrete-logarithm cousin
The 1976 paper of Diffie and Hellman introduced the idea that
two parties could agree on a shared secret over a public channel. The
construction is parameterised by a finite cyclic group, with a generator g,
in which the discrete-logarithm problem is hard. Alice picks a secret
exponent a and sends g^a; Bob picks b and sends g^b; Alice computes
(g^b)^a and Bob computes (g^a)^b, so both hold g^{ab} as the shared key.
An eavesdropper sees g^a and g^b but cannot derive g^{ab} without solving
the discrete-logarithm problem.
The choice of group matters enormously. The original
construction used Z_p^* for a large prime p;
this is now considered weak unless p is well above 2000 bits,
because the number-field sieve gives a sub-exponential attack on the
discrete logarithm in Z_p^*. Modern protocols use elliptic
curve groups, where no analogous sub-exponential attack is known and
256-bit groups are adequate.
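The exchange over Z_p^* as described above, with the receiver-side checks a careful implementation adds: the group parameters are verified to be a safe prime p = 2q + 1 with a generator of the order-q subgroup, and each received public value is checked to lie in that subgroup before it is raised to the private exponent. This is an added example, not code from the original text; the group is generated at a toy size (an assumption of this example) purely so the block runs in a fraction of a second, and a real deployment would use the 2048-bit-or-larger groups or the elliptic-curve groups the text recommends.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; a composite survives with probability <= 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # never reached -1: a witnesses compositeness
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime, so Z_p^* only has subgroups of order 1, 2, q, 2q.
    Toy sizes only (assumption of this example); production groups come from RFC 3526 / RFC 7919."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 bits
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


def find_generator(p: int) -> int:
    """Smallest g >= 2 with g^q == 1 mod p, i.e. a generator of the order-q subgroup."""
    q = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, q, p) == 1)


def validate_public_value(y: int, p: int) -> bool:
    """Receiver-side check: reject 0, 1, p-1 and anything outside the order-q subgroup,
    so a peer cannot confine the shared secret to a small set of values."""
    q = (p - 1) // 2
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


def keypair(p: int, g: int):
    """Private exponent uniform in [1, q-1]; public value g^x mod p."""
    q = (p - 1) // 2
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def shared_secret(own_private: int, peer_public: int, p: int) -> int:
    """(g^b)^a == (g^a)^b == g^{ab} mod p, computed only after the peer's value passes validation."""
    if not validate_public_value(peer_public, p):
        raise ValueError("peer public value rejected")
    return pow(peer_public, own_private, p)


def run_exchange(bits: int = 64):
    """One complete (unauthenticated) exchange; returns the group and both parties' results."""
    p = generate_safe_prime(bits)
    g = find_generator(p)
    a, g_a = keypair(p, g)          # Alice's secret exponent and the value she sends
    b, g_b = keypair(p, g)          # Bob's secret exponent and the value he sends
    return p, g, shared_secret(a, g_b, p), shared_secret(b, g_a, p)


if __name__ == "__main__":
    p, g, k_alice, k_bob = run_exchange()
    print(f"p={p} g={g} agree={k_alice == k_bob}")
```

The subgroup check costs one extra exponentiation per received value and is cheap insurance: because p is a safe prime, any value that passes it has order exactly q, and the resulting secret is an element of the large subgroup rather than something a misbehaving peer chose.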
The protocol is famously vulnerable to a man-in-the-middle attack if the parties do not authenticate each other's public values. The Diffie–Hellman paper acknowledges this and the entire field of authenticated key exchange exists to fix it. In TLS the authentication comes from the server's certificate; in Signal it comes from prior contact verification; in PAKE protocols it comes from a shared password.
The shared key g^{ab} is not directly usable as a symmetric cipher key: it
is a group element, not a uniform bit string. A "key derivation function"
(KDF) is applied to extract bits suitable for symmetric use. HKDF
(specified in RFC 5869) is the dominant choice. The KDF step is also where
contextual information (protocol version, party identities, nonces) gets
bound into the derived keys, which is what ties each derived key to one
particular run of the handshake rather than to the bare group element.
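HKDF as specified in RFC 5869, applied to a DH group element with the handshake context mixed in through the `info` input, as an added example rather than code from the original text. The Extract and Expand steps follow the RFC; the fixed-width encoding of the group element, the `toy-proto/1` labels, the two directional keys and the constructed sample values are assumptions of this example.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 Extract: PRK = HMAC-Hash(salt, IKM). An absent salt is HashLen zero bytes."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated and truncated."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF output is limited to 255 * HashLen bytes")
    okm, block = b"", b""
    for counter in range(1, -(-length // hash_len) + 1):   # ceil(length / hash_len) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


def encode_group_element(shared: int, p: int) -> bytes:
    """Fixed-width big-endian encoding; the width comes from p, so the length never depends on the secret."""
    return shared.to_bytes((p.bit_length() + 7) // 8, "big")


def derive_session_keys(shared: int, p: int, salt: bytes, transcript: bytes, key_len: int = 32) -> dict:
    """Turn the raw DH element into two directional keys, binding the handshake context via `info`.
    Protocol name, role label and transcript hash are assumptions of this example."""
    prk = hkdf_extract(salt, encode_group_element(shared, p))
    context = hashlib.sha256(transcript).digest()
    return {
        role: hkdf_expand(prk, b"toy-proto/1 " + role.encode() + b" " + context, key_len)
        for role in ("client_write", "server_write")
    }


# Constructed sample inputs (not taken from any real handshake):
P_TOY = 1019            # a safe prime, used here only to fix the encoding width
SHARED_TOY = 874        # stands in for g^{ab} mod p produced by the exchange
TRANSCRIPT_TOY = b"proto=toy/1;client=alice;server=bob;nonce_c=1f2e3d4c;nonce_s=9a8b7c6d;ga=451;gb=77"

if __name__ == "__main__":
    for role, key in derive_session_keys(SHARED_TOY, P_TOY, b"constructed-salt", TRANSCRIPT_TOY).items():
        print(role, key.hex())
```

Two details carry the security weight. The group element is encoded at a fixed width so the KDF input is not shaped by the secret's leading zeros, and every item the text lists as context (version, identities, nonces) is hashed into the transcript that feeds `info`, so a change to any of them changes both derived keys even when the underlying g^{ab} is the same.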