GnuPG 2.3 has an experimental implementation for Ed448/X448.
In September 2021, I looked around code of ECDH using X448.
- For KDF, is use of SHA2-512 and its left-most bits good? If we can use modern things, it sounds that SHAKE-256 would be relevant here, because it is designed to output arbitrary size.
- Futher, for encryption of session key by KEK (by KDF), is AESWRAP is relevant now? Possibly, use of AEAD cipher instead would be better here, because it gives an information if decrypted session key is valid or not.