diff --git a/doc/config.but b/doc/config.but
index cdc71d7c..355ef8bc 100644
--- a/doc/config.but
+++ b/doc/config.but
@@ -2534,9 +2534,12 @@ Configuration is similar to cipher selection (see
 
 PuTTY currently supports the following host key types:
 
-\b \q{Ed25519}: \i{Edwards-curve} \i{DSA} using a twisted Edwards
+\b \q{\i{Ed25519}}: \I{EdDSA}Edwards-curve DSA using a twisted Edwards
 curve with modulus \cw{2^255-19}.
 
+\b \q{\i{Ed448}}: another \I{EdDSA}Edwards-curve DSA type.
+\#{XXX-REVIEW-BEFORE-RELEASE: better description}
+
 \b \q{ECDSA}: \i{elliptic curve} \i{DSA} using one of the
 NIST-standardised elliptic curves.
 
diff --git a/doc/index.but b/doc/index.but
index cd68d504..da6d083a 100644
--- a/doc/index.but
+++ b/doc/index.but
@@ -795,6 +795,9 @@ saved sessions from
 \IM{DSA} DSA
 \IM{DSA} Digital Signature Standard
 
+\IM{EdDSA} EdDSA
+\IM{EdDSA} Edwards-curve DSA
+
 \IM{public-key algorithm} public-key algorithm
 \IM{public-key algorithm} asymmetric key algorithm
 \IM{public-key algorithm} algorithm, public-key
@@ -805,6 +808,12 @@ saved sessions from
 \IM{generating keys} public keys, generating
 \IM{generating keys} private keys, generating
 
+\IM{probable primes} probable primes
+\IM{probable primes} primes, probable
+
+\IM{proven primes} proven primes
+\IM{proven primes} primes, proven
+
 \IM{authorized_keys file}{authorized_keys} \cw{authorized_keys} file
 
 \IM{key fingerprint} fingerprint, of SSH authentication key
diff --git a/doc/man-pg.but b/doc/man-pg.but
index 7e244d15..20f52983 100644
--- a/doc/man-pg.but
+++ b/doc/man-pg.but
@@ -8,8 +8,8 @@
 
 \S{puttygen-manpage-synopsis} SYNOPSIS
 
-\c puttygen ( keyfile | -t keytype [ -b bits ] )
-\e bbbbbbbb   iiiiiii   bb iiiiiii   bb iiii
+\c puttygen ( keyfile | -t keytype [ -b bits ] [ --primes method ] )
+\e bbbbbbbb   iiiiiii   bb iiiiiii   bb iiii     bbbbbbbb iiiiii
 \c          [ -C new-comment ] [ -P ] [ -q ]
 \e            bb iiiiiiiiiii     bb     bb
 \c          [ -O output-type | -l | -L | -p ]
@@ -63,12 +63,22 @@ OpenSSH format, or the standard SSH-1 format.
 \dt \cw{\-t} \e{keytype}
 
 \dd Specify a type of key to generate. The acceptable values here are
-\c{rsa}, \c{dsa}, \c{ecdsa}, and \c{ed25519} (to generate SSH-2 keys),
-and \c{rsa1} (to generate SSH-1 keys).
+\c{rsa}, \c{dsa}, \c{ecdsa}, \c{eddsa}, \c{ed25519}, and \c{ed448}
+(to generate SSH-2 keys), and \c{rsa1} (to generate SSH-1 keys).
 
 \dt \cw{\-b} \e{bits}
 
-\dd Specify the size of the key to generate, in bits. Default is 2048.
+\dd Specify the size of the key to generate, in bits. Default for
+\c{rsa} and \c{dsa} keys is 2048.
+
+\dt \cw{\-\-primes} \e{method}
+
+\dd Method for generating prime numbers. The acceptable values here
+are \c{probable} (the default), \c{proven}, and \c{proven-even}; the
+the later methods are slower. (Various synonyms for these method
+names are also accepted.)
+\#{XXX-REVIEW-BEFORE-RELEASE: explain in more detail why you would
+want to fiddle with this}
 
 \dt \cw{\-q}
 
diff --git a/doc/pubkey.but b/doc/pubkey.but
index 9a360e72..2d9c9019 100644
--- a/doc/pubkey.but
+++ b/doc/pubkey.but
@@ -64,7 +64,7 @@ The key types supported by PuTTY are described in \k{puttygen-keytype}.
 PuTTYgen is a key generator. It \I{generating keys}generates pairs of
 public and private keys to be used with PuTTY, PSCP, and Plink, as well
 as the PuTTY authentication agent, Pageant (see \k{pageant}).  PuTTYgen
-generates RSA, DSA, ECDSA, and Ed25519 keys.
+generates RSA, DSA, ECDSA, and EdDSA keys.
 
 When you run PuTTYgen you will see a window where you have two main
 choices: \q{Generate}, to generate a new public/private key pair, or
@@ -117,8 +117,8 @@ different key types. PuTTYgen can generate:
 \b An \i{ECDSA} (\i{elliptic curve} DSA) key for use with the
 SSH-2 protocol.
 
-\b An \i{Ed25519} key (another elliptic curve algorithm) for use
-with the SSH-2 protocol.
+\b An \i{EdDSA} key (Edwards-curve DSA, another elliptic curve
+algorithm) for use with the SSH-2 protocol.
 
 PuTTYgen can also generate an RSA key suitable for use with the old
 SSH-1 protocol (which only supports RSA); for this, you need to select
@@ -137,7 +137,28 @@ of the key PuTTYgen will generate.
 \b For ECDSA, only 256, 384, and 521 bits are supported. (ECDSA offers
 equivalent security to RSA with smaller key sizes.)
 
-\b For Ed25519, the only valid size is 256 bits.
+\b For EdDSA, the only valid sizes are 255 bits (these keys are also
+known as \q{\i{Ed25519}} and are commonly used) and 448 bits
+(\q{\i{Ed448}}, which is much less common at the time of writing).
+(256 is also accepted for backward compatibility, but the effect is
+the same as 255.)
+
+\S{puttygen-primes} Selecting the \i{prime generation method}
+
+On the \q{Key} menu, you can also optionally change the method for
+generating the prime numbers used in the generated key. This affects
+the quality of the key, but not its compatibility. The default method
+is usually fine. The available methods are:
+
+\b Use \i{probable primes} (fast)
+
+\b Use \i{proven primes} (slower)
+
+\b Use proven primes with even distribution (slowest)
+
+\#{XXX-REVIEW-BEFORE-RELEASE: really need more words here, about why
+you'd fiddle with this, and particularly around why 'probable' is ever
+considered fine}
 
 \S{puttygen-generate} The \q{Generate} button