X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/blobdiff_plain/e9be047b35e12f353e313f60677d80f1e86c73af..6ec3a4cf4aaa7cd375e1aa18f85861986259b8e5:/key.1

diff --git a/key.1 b/key.1
index 459a0b3..3e7a601 100644
--- a/key.1
+++ b/key.1
@@ -48,7 +48,7 @@ is one of:
 .RI [ item ...]
 .br
 .B add
-.RB [ \-lqrLS ]
+.RB [ \-lqrLKS ]
 .RB [ \-a
 .IR alg ]
 .RB [ \-b | \-B
@@ -462,12 +462,17 @@ using a passphrase.
 Suppresses the progress indication which is usually generated while
 time-consuming key generation tasks are being performed.
 .TP
-.BI "\-L, --lim-lee"
+.BI "\-L, \-\-lim-lee"
 When generating Diffie-Hellman parameters, generate a Lim-Lee prime
 rather than a random (or safe) prime.  See the details on Diffie-Hellman
 key generation below.
 .TP
-.BI "\-S, --subgroup"
+.BI "\-K, \-\-kcdsa"
+When generating Diffie-Hellman parameters, generate a KCDSA-style
+Lim-Lee prime rather than a random (or safe) prime.  See the details on
+Diffie-Hellman key generation below.
+.TP
+.BI "\-S, \-\-subgroup"
 When generating Diffie-Hellman parameters with a Lim-Lee prime, choose a
 generator of a prime-order subgroup rather than a subgroup of order
 .RI ( p "- 1)/2."
@@ -574,11 +579,11 @@ option controls the size of the modulus
 .IR p ;
 the default size is 1024 bits.
 .IP
-If no 
+If no
 .I q
 size is selected using the
 .B \-B
-option and the Lim-Lee prime option is disabled, then 
+option and the Lim-Lee prime options are disabled, then
 .I p
 is chosen to be a `safe' prime (i.e.,
 .IR p \ =\ 2 q \ +\ 1,
@@ -602,7 +607,7 @@ is a multiple of
 .IP
 If the
 .B \-L
-option was given Lim-Lee primes are selected: the parameters are chosen
+option was given, Lim-Lee primes are selected: the parameters are chosen
 such that
 .IR p \ =\ 2\  q \*(us0\*(ue\ q \*(us1\*(ue\ q \*(us2\*(ue\ ...\ +\ 1,
 where the
@@ -612,8 +617,22 @@ are primes at least as large as the setting given by the
 option (or 256 bits, if no setting was given).
 .IP
 If the
+.B \-K
+option was given, KCDSA-style Lim-Lee primes are selected: the
+parameters are chosen such that
+.IR p \ =\ 2\  q\ v \ +\ 1,
+where
+.IR p,
+.I q
+and
+.I v
+are primes.
+.IP
+If the
 .B \-S
-option was given, the generator
+or
+.B \-K
+options were given, the generator
 .I g
 is chosen to generate the subgroup of order
 .IR q \*(us0\*(ue;
@@ -756,7 +775,7 @@ if the field type is
 then an optional
 .RB ` , '
 and the representation of the normal element \*(*b; an optional
-.RB ` / ';
+.RB ` ; ';
 a
 .IR "curve type" ,
 which is one of
@@ -771,14 +790,14 @@ an optional
 the two field-element parameters
 .I a
 and
-.IR b 
+.IR b
 which define the elliptic curve
 .IR E ,
 separated by an optional
 .RB ` , ';
 an optional
-.RB ` / ';
-the 
+.RB ` ; ';
+the
 .IR x -
 and
 .IR y -coordinates
@@ -790,11 +809,11 @@ an optional
 .RB ` : ';
 the order
 .I r
-of the group generated by 
+of the group generated by
 .IR G ;
 an optional
 .RB ` * ';
-and the 
+and the
 .I cofactor
 .I h
 =