SPDX Cryptographic Algorithm List: Spring 2026 Update

Progress in open source work is rarely dramatic. But when you look back after a few months, the distance covered is real.

This is my second summary of 2026 about the work done within the SPDX Cryptography Group. In February, I described the state of the list and the directions in which we were heading. This post reports on what has happened since then.

What Has Changed

A Restructured CryptoClass

We went through a detailed discussion about the structure of the list. The previous structure was functional but improvable. After a second iteration, we now have six CryptoClass values:

  • Cryptographic-Hash-Function
  • Symmetric-Key-Algorithm
  • Asymmetric-Key-Algorithm
  • Message-Authentication-Code (new)
  • Key-Derivation-Function (new)
  • Random-Number-Generator (new)

We reorganized the cryptoSubClass property accordingly. We are now discussing the cryptoSubClass values for the three new classes, which you can follow here.

Cardinality Added to Property Descriptions

To improve how each property is described, we introduced the concept of cardinality in the Cryptographic Algorithms List Properties Description document. This makes it straightforward to understand how many values each property can hold.

A Cleaner Document Structure

All documents associated with the CryptAlg List are now organized in a dedicated docs folder, following the same approach used by the SPDX License List.

Two new documents have been added alongside the properties description file:

  • SPDX CryptAlg Release Process. This document will help coordinate releases of the CryptAlg List across the Cryptography Group, SPDX Profiles, and tools such as Software Composition Analysis (SCA) or security scanners. Some sections will be completed once we perform the first release.
  • Inclusion and Removal Criteria. Following the License List model, we have now documented the criteria the Cryptography Group uses to add or remove algorithms. This is both a transparency effort and a practical guide for contributors.

More Algorithms Now Have References

A growing number of algorithms in the list now include references pointing to authors’ papers or standardization documents. These references describe how the algorithm works, its main purpose, and its design details. They are also a useful entry point for anyone considering a contribution. There are still many algorithms without references, so there is plenty of room to help.

Bug Fixes

We resolved bugs in two specific algorithms, cmac and gostr3412-2015. There is still a pending bug on the latter. The GOST family will keep us busy for some time.

Where We Are Headed

Working on Parameters: Mode

Our main focus right now is describing how cryptographic algorithm parameters will be represented within the list. We are starting with the parameter mode, applying it first to Block Cipher as a working example. You can follow the work in progress in this issue and this PR.

Post-Quantum Cryptography as a New Property

On 2026-04-22, the SPDX Cryptography Group decided to treat Post-Quantum Cryptography (PQC) as a new property, rather than a cryptoSubClass. This makes it orthogonal to the existing cryptoClass and cryptoSubClass structure. We are at the very beginning of this workstream. You can follow it here. Contributions to the discussion are more than welcome.

Open Questions on Structure

Not everything is settled on the new structure. Some questions are relatively straightforward, like whether Public-Key-Encryption and Public-Key-Cipher should be merged into a single cryptoSubClass. Others will require more thinking, such as how to handle compositions of algorithms (primitives).

Toolchain Development

We have a clear picture of what the toolchain needed to release the CryptAlg List should look like. What we lack is a developer with the knowledge and the time to make it happen. The work is not complex, but we have not yet found a contributor who can take it on. If that might be you, please get in touch. I am happy to provide all the detail you need.

One Last Highlight

One of the highlights of these past months was a presentation by Quique Goñi about how SCANOSS is consuming information from the SPDX Cryptographic Algorithm List within their open data set, which in turn feeds their commercial offering. In other words, we now have a user who is also a contributor to the list. That matters.

Summary

The SPDX Cryptographic Algorithm List is maturing steadily. The structure of the list has been significantly improved, new governance documents are in place, and we have our first user who is also a contributor. The coming months will be focused on parameters, Post-Quantum Cryptography, and building the release toolchain.

I want to thank the Software Transparency Foundation for sponsoring my time and effort as Cryptography Group Coordinator.
