- For the OpenPGP format of Curve448, it is OK for me to change the format, but I found a more serious issue about the use of AESWRAP.
- Considering the new public key API for libgcrypt, I thought that calling encrypt/decrypt would be confusing for ECDH (because it is actually doing the ECDH computation, which is used for the KDF in a later stage, and then it is AESWRAP which does the encryption/decryption with the session key in an application).
- Then, I found that for the use of AESWRAP for ECC with a larger key size (like Curve 448), while it is naturally expected to use a larger block size (for Curve 448, use of 256-bit), the current experimental implementation in gnupg2.3 does AESWRAP with a 128-bit block size.
- That's because AESWRAP in libgcrypt is currently only for the 128-bit block size.
- Continue T5576: New set of API for public key cryptography
- ???libgcrypt: AESWRAP with different block/key size???
I was a bit confused about AESWRAP. Please forget what I wrote above. (We already have support for larger key size ECC, NIST P-521, for example.)
Let me rephrase my concern: it is the KEK parameters we use for Curve448. Currently, in GnuPG 2.3, we use SHA512 and AES256 for Curve448. Is it OK? Or perhaps some people expect the use of SHAKE256 here.
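The ECDH, then KDF, then key-wrap sequence discussed in this thread, as an added example that is not GnuPG or libgcrypt code: it derives the key-encryption key (KEK) following the RFC 6637 section 7 KDF layout, showing how the KDF hash and KEK cipher IDs are bound into the hashed parameter block. The X448 OID bytes, the 20-byte fingerprint, the shared secret, and the assumption that GnuPG 2.3 encodes Curve448 exactly this way are all illustrative.

```python
import hashlib

# OpenPGP algorithm identifiers (RFC 4880 / RFC 6637).
PK_ECDH = 18
HASH_IDS = {"sha256": 8, "sha384": 9, "sha512": 10}
# cipher name -> (OpenPGP symmetric algorithm ID, key length in bytes)
CIPHER_IDS = {"aes128": (7, 16), "aes192": (8, 24), "aes256": (9, 32)}
ANON_SENDER = b"Anonymous Sender    "  # fixed 20-octet string from RFC 6637

def kdf_params(curve_oid, hash_name, cipher_name, fingerprint):
    """Build the Param block that is hashed together with the shared secret."""
    cipher_id, _ = CIPHER_IDS[cipher_name]
    return (bytes([len(curve_oid)]) + curve_oid
            + bytes([PK_ECDH])
            # KDF parameters field: length 3, reserved 1, hash ID, cipher ID
            + bytes([3, 1, HASH_IDS[hash_name], cipher_id])
            + ANON_SENDER
            + fingerprint)

def derive_kek(shared_secret, curve_oid, hash_name, cipher_name, fingerprint):
    """KEK = leftmost key_len bytes of Hash(00 00 00 01 || ZB || Param)."""
    _, key_len = CIPHER_IDS[cipher_name]
    h = hashlib.new(hash_name)
    h.update(b"\x00\x00\x00\x01" + shared_secret
             + kdf_params(curve_oid, hash_name, cipher_name, fingerprint))
    return h.digest()[:key_len]

# Constructed sample inputs (not real key material).
X448_OID = bytes.fromhex("2b656f")   # DER body of 1.3.101.111, assumed here
SHARED = bytes(range(56))            # an X448 shared secret is 56 bytes
FPR = bytes.fromhex("aa" * 20)       # placeholder recipient fingerprint

def demo():
    """Compare the pairing named in the thread with a 128-bit pairing."""
    strong = derive_kek(SHARED, X448_OID, "sha512", "aes256", FPR)
    weak = derive_kek(SHARED, X448_OID, "sha256", "aes128", FPR)
    return strong, weak

if __name__ == "__main__":
    for kek in demo():
        print(len(kek) * 8, "bit KEK:", kek.hex())
```

The derived KEK is what the AES key wrap step then uses to wrap the session key, so the cipher ID chosen here fixes the wrap key size.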