Editing Diffie–Hellman key exchange (section)

== Operation with more than two parties ==
Diffie–Hellman key agreement is not limited to negotiating a key shared by only two participants. Any number of users can take part in an agreement by performing iterations of the agreement protocol and exchanging intermediate data (which does not itself need to be kept secret). For example, Alice, Bob, and Carol could participate in a Diffie–Hellman agreement as follows, with all operations taken to be modulo ''p'':
# The parties agree on the algorithm parameters ''p'' and ''g''.
# The parties generate their private keys, named ''a'', ''b'', and ''c''.
# Alice computes {{math|{{var|g<sup>a</sup>}} mod {{var|p}}}} and sends it to Bob.
# Bob computes {{math|1=({{var|g<sup>a</sup>}})<sup>{{var|b}}</sup> mod {{var|p}} = {{var|g<sup>ab</sup>}} mod {{var|p}}}} and sends it to Carol.
# Carol computes {{math|1=({{var|g<sup>ab</sup>}})<sup>{{var|c}}</sup> mod {{var|p}} = {{var|g<sup>abc</sup>}} mod {{var|p}}}} and uses it as her secret.
# Bob computes {{math|g<sup>b</sup> mod {{var|p}}}} and sends it to Carol.
# Carol computes {{math|1=({{var|g<sup>b</sup>}})<sup>{{var|c}}</sup> mod {{var|p}} = {{var|g<sup>bc</sup>}} mod {{var|p}}}} and sends it to Alice.
# Alice computes {{math|1=({{var|g<sup>bc</sup>}})<sup>{{var|a}}</sup> mod {{var|p}} = {{var|g<sup>bca</sup>}} mod {{var|p}} = {{var|g<sup>abc</sup>}} mod {{var|p}}}} and uses it as her secret.
# Carol computes {{math|{{var|g<sup>c</sup>}} mod {{var|p}}}} and sends it to Alice.
# Alice computes {{math|1=({{var|g<sup>c</sup>}})<sup>{{var|a}}</sup> mod {{var|p}} = {{var|g<sup>ca</sup>}} mod {{var|p}}}} and sends it to Bob.
# Bob computes {{math|1=({{var|g<sup>ca</sup>}})<sup>{{var|b}}</sup> mod {{var|p}} = {{var|g<sup>cab</sup>}} mod {{var|p}} = {{var|g<sup>abc</sup>}} mod {{var|p}}}} and uses it as his secret.

An eavesdropper has been able to see {{math|1={{var|g<sup>a</sup>}} mod {{var|p}}}}, {{math|1={{var|g<sup>b</sup>}} mod {{var|p}}}}, {{math|1={{var|g<sup>c</sup>}} mod {{var|p}}}}, {{math|1={{var|g<sup>ab</sup>}} mod {{var|p}}}}, {{math|1={{var|g<sup>ac</sup>}} mod {{var|p}}}}, and {{math|1={{var|g<sup>bc</sup>}} mod {{var|p}}}}, but cannot use any combination of these to efficiently reproduce {{math|1={{var|g<sup>abc</sup>}} mod {{var|p}}}}.

To extend this mechanism to larger groups, two basic principles must be followed:
* Starting with an "empty" key consisting only of ''g'', the secret is made by raising the current value to every participant's private exponent once, in any order (the first such exponentiation yields the participant's own public key).
* Any intermediate value (having up to ''N''&minus;1 exponents applied, where ''N'' is the number of participants in the group) may be revealed publicly, but the final value (having had all ''N'' exponents applied) constitutes the shared secret and hence must never be revealed publicly. Thus, each user must obtain their copy of the secret by applying their own private key last (otherwise there would be no way for the last contributor to communicate the final key to its recipient, as that last contributor would have turned the key into the very secret the group wished to protect).

These principles leave open various options for choosing in which order participants contribute to keys. The simplest and most obvious solution is to arrange the ''N'' participants in a circle and have ''N'' keys rotate around the circle, until eventually every key has been contributed to by all ''N'' participants (ending with its owner) and each participant has contributed to ''N'' keys (ending with their own). However, this requires that every participant perform ''N'' modular exponentiations.

By choosing a more desirable order, and relying on the fact that keys can be duplicated, it is possible to reduce the number of modular exponentiations performed by each participant to {{math|log<sub>2</sub>(''N'') + 1}} using a [[Divide and conquer algorithms|divide-and-conquer-style]] approach, given here for eight participants:
# Participants A, B, C, and D each perform one exponentiation, yielding {{math|1={{var|g<sup>abcd</sup>}}}}; this value is sent to E, F, G, and H. In return, participants A, B, C, and D receive {{math|1={{var|g<sup>efgh</sup>}}}}.
# Participants A and B each perform one exponentiation, yielding {{math|1={{var|g<sup>efghab</sup>}}}}, which they send to C and D, while C and D do the same, yielding {{math|1={{var|g<sup>efghcd</sup>}}}}, which they send to A and B.
# Participant A performs an exponentiation, yielding {{math|1={{var|g<sup>efghcda</sup>}}}}, which it sends to B; similarly, B sends {{math|1={{var|g<sup>efghcdb</sup>}}}} to A. C and D do similarly.
# Participant A performs one final exponentiation, yielding the secret {{math|1={{var|g<sup>efghcdba</sup>}}}} = {{math|1={{var|g<sup>abcdefgh</sup>}}}}, while B does the same to get {{math|1={{var|g<sup>efghcdab</sup>}}}} = {{math|1={{var|g<sup>abcdefgh</sup>}}}}; again, C and D do similarly.
# Participants E through H simultaneously perform the same operations using {{math|1={{var|g<sup>abcd</sup>}}}} as their starting point.

Once this operation has been completed all participants will possess the secret {{math|1={{var|g<sup>abcdefgh</sup>}}}}, but each participant will have performed only four modular exponentiations, rather than the eight implied by a simple circular arrangement.