.B cipher
and
.B mac
-attributes.
+attributes. Run
+.B catcrypt show cipher
+for a list of supported symmetric encryption algorithms; the default
+.I cipher
+is
+.BR blowfish-cbc .
This is the default transform.
.TP
.B naclbox
.I bulk
in the
.I kemalgspec
-is used; if that it absent, then the default of
-.B blowfish-cbc
-is used. Run
-.B catcrypt show cipher
-for a list of supported symmetric encryption algorithms.
+is used; if that it absent, then the default depends on the bulk
+transform.
.TP
.B hash
This is the hash function used to distil entropy from the shared secret
.BR key (1))
to generate the key.
.TP
+.B ed448
+This is Bernstein, Duif, Lange, Schwabe, and Yang's EdDSA algorithm,
+using Hamburg's Ed448-Goldilocks elliptic curve,
+as specified in RFC8032.
+More specifically, this is HashEd448
+using the selected
+.B hash
+algorithm \(en by default
+.BR sha3-512 .
+Use the
+.B ed448
+algorithm of the
+.B key add
+command
+(see
+.BR key (1))
+to generate the key.
+.TP
.B mac
This uses a symmetric message-authentication algorithm rather than a
digital signature. The precise message-authentication scheme used is
.BR ed25519 ,
the default hash function is
.BR sha512 .
+For
+.BR ed448 ,
+the default hash function is
+.BR shake256 .
.PP
Run
.B catcrypt show hash
attribute.
.TP
.B cipher
-The symmetric encryption algorithms which can be used in a
+The symmetric encryption algorithms which can be named in a
key-encapsulation key's
.B cipher
-attribute.
+attribute when using the
+.B gencomp
+bulk transform.
.TP
.B mac
-The message authentication algorithms which can be used in a
+The message authentication algorithms which can be named in a
key-encapsulation key's
.B mac
attribute.
.TP
.B sig
-The signature algorithms which can be used in a signing key's
+The signature algorithms which can be named in a signing key's
.B sig
attribute.
.TP
.B hash
-The hash functions which can be used in a key's
+The hash functions which can be named in a key's
.B hash
attribute.
.TP