True or false: "After a DHKE, both participants can choose a symmetric key of their liking."
False — neither participant can choose the key. The shared secret $K = g^{ab} \mod p$ is determined by both random exponents $a$ and $b$, and neither party controls the outcome.
This falls straight out of how the secret is built: it depends on both private exponents at once, and neither party ever sees the other's. The key is therefore an emergent value rather than anyone's deliberate choice — which is exactly why DH's output is only good as a random session key, and why ElGamal is needed when someone actually wants to choose what gets sent.
Why neither party can choose K:
- Alice chooses $a$ freely, but she doesn't know Bob's $b$
- Bob chooses $b$ freely, but he doesn't know Alice's $a$
- The result $K = g^{ab} \mod p$ depends on both values
- Neither party can predict or manipulate what $K$ will be
This is precisely the limitation that ElGamal solves:
- With ElGamal, Alice CAN send a specific chosen value $x$ to Bob
- She does this by masking it: $y = x \cdot K \mod p$
- The key $K$ is still random and uncontrollable, but Alice uses it as a one-time mask to hide her chosen message
A key distinction:
- DHKE: both parties contribute randomness → shared random key → used for symmetric encryption afterward
- ElGamal: Alice contributes randomness, but the message is her choice → direct asymmetric encryption
Go deeper:
Key-agreement protocol — Wikipedia — why a jointly derived key is nobody's free choice.