Add DL_Group::exponent_bits

Just a useful helper

2 files changed, 22 insertions, 1 deletions

diff --git a/src/lib/pubkey/dl_group/dl_group.cpp b/src/lib/pubkey/dl_group/dl_group.cpp
index 7a35c6362..e3c7ac65b 100644
--- a/src/lib/pubkey/dl_group/dl_group.cpp
+++ b/src/lib/pubkey/dl_group/dl_group.cpp
@@ -26,7 +26,8 @@ class DL_Group_Data final
          m_monty_params(std::make_shared<Montgomery_Params>(m_p, m_mod_p)),
          m_monty(monty_precompute(m_monty_params, m_g, /*window bits=*/4)),
          m_p_bits(p.bits()),
-         m_estimated_strength(dl_work_factor(m_p_bits))
+         m_estimated_strength(dl_work_factor(m_p_bits)),
+         m_exponent_bits(dl_exponent_size(m_p_bits))
          {}
 
       ~DL_Group_Data() = default;
@@ -53,6 +54,8 @@ class DL_Group_Data final
 
       size_t estimated_strength() const { return m_estimated_strength; }
 
+      size_t exponent_bits() const { return m_exponent_bits; }
+
       BigInt power_g_p(const BigInt& k) const { return monty_execute(*m_monty, k); }
 
    private:
@@ -64,6 +67,7 @@ class DL_Group_Data final
       std::shared_ptr<const Montgomery_Exponentation_State> m_monty;
       size_t m_p_bits;
       size_t m_estimated_strength;
+      size_t m_exponent_bits;
    };
 
 //static
@@ -414,6 +418,11 @@ size_t DL_Group::estimated_strength() const
    return data().estimated_strength();
    }
 
+size_t DL_Group::exponent_bits() const
+   {
+   return data().exponent_bits();
+   }
+
 BigInt DL_Group::inverse_mod_p(const BigInt& x) const
    {
    // precompute??
diff --git a/src/lib/pubkey/dl_group/dl_group.h b/src/lib/pubkey/dl_group/dl_group.h
index 921b4060e..131151072 100644
--- a/src/lib/pubkey/dl_group/dl_group.h
+++ b/src/lib/pubkey/dl_group/dl_group.h
@@ -211,6 +211,18 @@ class BOTAN_PUBLIC_API(2,0) DL_Group final
       size_t p_bytes() const;
 
       /**
+      * Return size in bits of a secret exponent
+      *
+      * This attempts to balance between the attack costs of NFS
+      * (which depends on the size of the modulus) and Pollard's rho
+      * (which depends on the size of the exponent).
+      *
+      * It may vary over time for a particular group, if the attack
+      * costs change.
+      */
+      size_t exponent_bits() const;
+
+      /**
       * Return an estimate of the strength of this group against
       * discrete logarithm attacks (eg NFS). Warning: since this only
       * takes into account known attacks it is by necessity an