For FFDH exponents follow the guidance of NIST SP 800-56A and 800-56B #5384

Merged
randombit merged 1 commit into master from jack/dl-exp-sp-800-56a
Feb 25, 2026

@randombit
Owner

For many common group sizes this results in using a slightly smaller exponent and thus faster computation

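| Group Size | Old Exponent Size | NIST SP 800-56A Exponent |
| ---------- | ----------------- | ------------------------ |
|       2048 |               256 |                      224 |
|       3072 |               384 |                      256 |
|       4096 |               384 |                      304 |
|       6144 |               512 |                      352 |
|       8192 |               512 |                      400 |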

cc @reneme since possibly BSI has opinions on this, though I would hope it more or less matches up with NIST

Copilot AI left a comment

Pull request overview

Updates Botan’s discrete-log exponent sizing to follow NIST guidance for common FFDHE/DL group sizes (typically selecting smaller exponents for improved performance), and refreshes test vectors accordingly.

Changes:

  • Adjust dl_exponent_size() thresholds (e.g., 2048→224 bits, 3072→256 bits, 4096→304 bits, etc.).
  • Update public-key workfactor test vectors to match the new exponent sizing rules, including boundary/step cases.
  • Regenerate TLS KeyShare extension test vectors that depend on FFDHE exponent generation.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| ---- | ----------- |
| src/lib/pubkey/workfactor.cpp | Implements new piecewise exponent-size mapping and adds input validation/comments. |
| src/tests/data/pubkey/workfactor.vec | Updates expected exponent sizes and adds cases around new thresholds. |
| src/tests/data/tls_extensions/generation/key_share_CH_offers.vec | Updates KeyShare serialized outputs and RNG pools due to changed FFDHE exponent lengths. |

@reneme
Collaborator

reneme commented Feb 24, 2026

> cc @reneme since possibly BSI has opinions on this, though I would hope it more or less matches up with NIST

I take the liberty to pass this question on to @falko-strenzke :)

@coveralls

coveralls commented Feb 24, 2026

Coverage Status

coverage: 90.335% (+0.001%) from 90.334%
when pulling 03a6a77 on jack/dl-exp-sp-800-56a
into af19f62 on master.

For many common group sizes this results in using a slightly smaller
exponent and thus faster computation

| Group Size | Old Exponent Size | NIST SP 800-56B Exponent |
| ---------- | ----------------- | ------------------------ |
|       2048 |              256  |                      224 |
|       3072 |              384  |                      256 |
|       4096 |              384  |                      304 |
|       6144 |              512  |                      352 |
|       8192 |              512  |                      400 |

@randombit randombit force-pushed the jack/dl-exp-sp-800-56a branch from cf34a6f to 03a6a77 February 24, 2026 12:38
@randombit randombit changed the title "For FFDH exponents follow the guidance of NIST SP 800-56A" to "For FFDH exponents follow the guidance of NIST SP 800-56A and 800-56B" Feb 24, 2026
@falko-strenzke
Collaborator

@randombit
Comparing it with the requirements in BSI TR 02102, the parameters look OK, since BSI requires prime ≥ 3000 and exponent ≥ 250. This is fulfilled by the table. So I think it should be fine.

@randombit randombit merged commit ee07c59 into master Feb 25, 2026
46 checks passed
@randombit randombit deleted the jack/dl-exp-sp-800-56a branch February 25, 2026 11:33
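
The sizing rule discussed in this thread, as an added example that is not part of the pull request or of Botan: each new exponent in the table is twice a target security strength (the 2s lower bound on private-key length in SP 800-56A), so the sketch audits a (group size, exponent size) pair against that bound and against the BSI minimums quoted above, and estimates modexp cost relative to the old size. `Row`, `Audit` and `audit_ffdh` are hypothetical names, and the linear cost model is an assumption.

```cpp
// Added example, not Botan code. All sizes are in bits.
#include <cstddef>
#include <cstdio>

struct Row { std::size_t group, old_exp, new_exp; };

// Rows copied from the table in this pull request.
constexpr Row kRows[] = {{2048, 256, 224}, {3072, 384, 256}, {4096, 384, 304},
                         {6144, 512, 352}, {8192, 512, 400}};

// BSI TR 02102 minimums as quoted in the review comment.
constexpr std::size_t kBsiMinPrime = 3000;
constexpr std::size_t kBsiMinExp = 250;

struct Audit {
   bool known = false;        // group size appears in the table
   bool nist_ok = false;      // 2 * strength <= exponent <= len(q)
   bool bsi_ok = false;       // meets both BSI minimums
   std::size_t strength = 0;  // assumed target strength: new_exp / 2
   double cost_vs_old = 0;    // modexp cost relative to the old exponent size
};

// Hypothetical helper: audit one (group size, exponent size) configuration.
Audit audit_ffdh(std::size_t group_bits, std::size_t exp_bits) {
   Audit a;
   for(const Row& r : kRows) {
      if(r.group != group_bits) { continue; }
      a.known = true;
      a.strength = r.new_exp / 2;
      // For a safe prime p = 2q + 1, len(q) = len(p) - 1.
      a.nist_ok = exp_bits >= 2 * a.strength && exp_bits <= group_bits - 1;
      a.bsi_ok = group_bits >= kBsiMinPrime && exp_bits >= kBsiMinExp;
      // Square-and-multiply does one squaring per exponent bit, so cost is
      // assumed to be roughly linear in the exponent length.
      a.cost_vs_old = static_cast<double>(exp_bits) / static_cast<double>(r.old_exp);
   }
   return a;
}

int main() {
   for(const Row& r : kRows) {
      const Audit a = audit_ffdh(r.group, r.new_exp);
      std::printf("%zu-bit group, %zu-bit exponent: strength=%zu NIST=%d BSI=%d cost=%.3f\n",
                  r.group, r.new_exp, a.strength, a.nist_ok, a.bsi_ok, a.cost_vs_old);
   }
   return 0;
}
```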