Diffie-Hellman Strength Calculator
Diffie-Hellman (DH) key exchange security depends on the hardness of the discrete logarithm problem in the multiplicative group of integers modulo a large prime. As with RSA, the DH modulus size in bits does not equal the security strength in bits. The number field sieve algorithm solves the discrete logarithm problem in sub-exponential time, which is why a 2,048-bit DH group provides only 112 bits of equivalent symmetric security. This calculator uses NIST SP 800-57 table values to map DH modulus sizes to their security strength and compliance status.
DH security strength table (NIST SP 800-57)
1,024-bit modulus = 80-bit security (deprecated after 2013)
2,048-bit modulus = 112-bit security (acceptable through 2030)
3,072-bit modulus = 128-bit security (recommended post-2030)
7,680-bit modulus = 192-bit security
15,360-bit modulus = 256-bit security
DH and RSA share the same security strength table in NIST SP 800-57 because both rely on similar integer factoring/discrete logarithm hardness. The exponent (private key) in DH must also be at least twice the target security strength in bits.
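The table lookup and the exponent rule above combined into one check, as an added example (not CalculatorHub's own calculator code). It assumes a modulus size that falls between table rows is rated at the next lower row; the function names are hypothetical.

```python
from bisect import bisect_right

# (modulus bits, security strength bits), copied from the table above
TIERS = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]


def modulus_strength(modulus_bits):
    """Strength of the largest table row not exceeding modulus_bits (0 below 1,024)."""
    idx = bisect_right([m for m, _ in TIERS], modulus_bits)
    return TIERS[idx - 1][1] if idx else 0


def status(strength):
    """Compliance label for a strength, following the table's annotations."""
    if strength >= 128:
        return "recommended post-2030"
    if strength >= 112:
        return "acceptable through 2030"
    return "deprecated"


def assess(modulus_bits, exponent_bits):
    """Rate a DH configuration by its weaker part: group size or private exponent."""
    group = modulus_strength(modulus_bits)
    # Exponent rule: the private exponent must be at least 2x the target
    # strength, so an n-bit exponent supports at most n // 2 bits.
    effective = min(group, exponent_bits // 2)
    return {
        "group_strength": group,
        "effective_strength": effective,
        "limited_by": "exponent" if effective < group else "modulus",
        "min_exponent_bits": 2 * group,  # exponent size needed to reach group strength
        "status": status(effective),
    }


if __name__ == "__main__":
    # Constructed sample configurations: (modulus bits, private exponent bits)
    samples = [(1024, 160), (2048, 224), (2048, 160), (3072, 256), (4096, 256)]
    for cfg in samples:
        print(cfg, assess(*cfg))
```

A 2,048-bit group paired with a 160-bit private exponent is rated at 80 bits, not 112, because the exponent is the weaker part.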
DH in modern protocols
- TLS 1.3: mandates ECDHE key exchange (P-256, P-384, X25519); DHE with large groups is also allowed.
- TLS 1.2: DHE and ECDHE are both optional but strongly preferred over static RSA key exchange.
- SSH: uses Diffie-Hellman Group Exchange or ECDH for session key agreement.
- IKEv2 (IPsec): uses DH or ECDH for key agreement in VPN tunnels.
- NIST recommends moving to ECDH (Curve P-256 or higher) for new designs, as it provides the same security with much smaller key sizes.
Diffie-Hellman strength calculator: frequently asked questions
How does Diffie-Hellman key exchange work?
Diffie-Hellman (DH) allows two parties to establish a shared secret over an insecure channel. Each party generates a private key and a public key (g^private mod p). They exchange public keys, and each computes the shared secret by raising the other party's public key to the power of its own private key, modulo p.
What is the security strength of a 2,048-bit DH modulus?
A 2,048-bit DH modulus provides approximately 112 bits of security strength, equivalent to a 112-bit symmetric key or a 2,048-bit RSA key. This is the NIST SP 800-57 minimum for new systems through 2030.
What is the difference between DH and ECDH?
Classic Diffie-Hellman uses modular exponentiation over large integers; security depends on the discrete logarithm problem. Elliptic Curve Diffie-Hellman (ECDH) uses point multiplication on elliptic curves; a 256-bit ECDH key gives the same 128-bit security as a 3,072-bit DH key, with much smaller key sizes.
What is DHE (ephemeral Diffie-Hellman)?
DHE generates a fresh DH key pair for each session rather than reusing static keys. This provides forward secrecy: if long-term keys are compromised later, past sessions remain secure. TLS 1.3 mandates ephemeral key exchange (DHE or ECDHE); TLS 1.2 made it optional.
What minimum DH group size does NIST recommend?
NIST SP 800-57 recommends at least 2,048-bit DH groups (112-bit security) for new applications through 2030. For longer-term security, 3,072-bit groups (128-bit security) are recommended. NIST also recommends using standardized named groups to avoid weak custom parameters.
Official sources
- NIST SP 800-57 Part 1 Rev 5 Recommendation for Key Management: csrc.nist.gov.
- IETF RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS: rfc-editor.org/rfc/rfc7919.
Reviewed by the CalculatorHub team, edited by James Graham, 15 June 2026.