The SPDX Cryptographic Algorithm List


The SPDX community is now creating a new list — similar to the SPDX License List — but focused on cryptographic algorithms. This post shares how this effort started, its current status, the next steps, and a final call for participation.

FOSSNorth 2024 and Connecting with SPDX

Back in FOSSNorth 2024, Julián Coccia, CTO at SCANOSS, presented the company’s open data journey. There, he introduced the crypto_algorithms_open_dataset, an initiative to:

  • Move towards a standard way to declare cryptographic algorithms.
  • Improve how open source SCA (Software Composition Analysis) tools detect these cryptographic algorithms.
  • Share knowledge on how to detect cryptographic algorithms.

A few weeks earlier, I had started helping SCANOSS strengthen their open source profile, both internally and publicly. I was also at the event that day.

Alexios Zavras, a key member of the SPDX community, was in the audience. After the talk, Julián, Alexios, and I discussed SPDX's plan to create a list of cryptographic algorithms, similar to how SPDX maintains the SPDX License List. Alexios saw an opportunity: the list of algorithms from SCANOSS's crypto_algorithms_open_dataset, already published under a CC0 license, could serve as the starting point for SPDX's new list. Following his thoughts, Julián shared some ideas on how to improve that potential new list, and I described how the Software Transparency Foundation (STF) could get involved. We agreed to move this idea forward over the following months.

After returning from the event, SCANOSS made two important decisions:

  1. To collaborate on the future SPDX cryptographic algorithm list.
  2. To make the SPDX list the upstream for their own open dataset, keeping crypto_algorithms_open_dataset, published under the CC0 license, focused on algorithm detection only.

Additionally, SCANOSS proposed within the Software Transparency Foundation, where it is a Strategic Member, that STF get involved in this new SPDX initiative, given that it aligns with STF's mission and key goals. STF's Governing Board approved that proposal shortly after.

As a result, I would contribute to the new SPDX list, sponsored by STF, while Quique Goñi joined the effort sponsored directly by SCANOSS.

SPDX Cryptography Group Kick-off

Under Alexios’ guidance, the first meeting of the renewed SPDX Cryptography Group took place on May 7th, 2025. The main goal of this group is to develop the SPDX Cryptographic Algorithm List (C.A.L. from now on, for convenience), taking the well-known SPDX License List as a reference.

At the beginning, the group focused on two main use cases: security and export control.

The Group started with a list of around 120 algorithms, with IDs and, for some of them, names, coming from the crypto_algorithms_open_dataset. Seven people attended that meeting.

Current Status

The SPDX Cryptographic Algorithm List is now close to what I call version v0.1 — a first usable draft. The List is hosted under the SPDX GitHub organization, in a repository called cryptographic-algorithm-list.

As explained in the README file, the number of algorithms has grown by about 10% since the work at SPDX started, reaching more than 130. Each algorithm entry now carries up to six properties:

  • An ID, similar to the SPDX License ID.
  • A Name.
  • Two properties describing key sizes.
  • Two properties that categorize the algorithm. One of them, cryptoClass, places each algorithm in one of three main categories: Cryptographic-Hash-Function, Symmetric-Key-Algorithm, and Asymmetric-Key-Algorithm.

Right now, the main use cases are:

  • Cryptographic algorithm detection: this is mainly relevant for open source SCA (Software Composition Analysis) tools.
  • Security, especially for the SPDX Security Profile, our most obvious user inside SPDX.

Next Steps

For the second iteration of the SPDX Cryptographic Algorithm List, we already have several improvements planned.

New Properties

We plan to add two new properties to each algorithm entry:

  • OID – the ASN.1 Object Identifier that uniquely identifies the algorithm; these are the dotted-decimal identifiers (for example, those registered under the NIST or PKCS arcs) that X.509 certificates and CMS messages use to name algorithms.
  • Reference – a link to a description or document that explains the algorithm. This could be a research paper or a standardization document.
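As an added illustration of how such a list can be kept consistent as it grows, the Python script below validates a constructed set of entries carrying the properties described in this post (ID, name, key sizes, cryptoClass) plus the planned OID and Reference. This is not code from the SPDX repository: the post does not describe the repository's file format, so the property names id, name, keySizeMin, keySizeMax, cryptoClass, oid and reference are assumptions, the sample entries are constructed, and the second categorization property is left out because the post does not name it. The three cryptoClass values are the ones named above, and the OID syntax rules are those of ITU-T X.660 (first arc 0, 1 or 2; second arc below 40 when the first arc is 0 or 1).

```python
"""Consistency checks for entries shaped like the SPDX Cryptographic Algorithm List.

Added example, not the project's own code. Property names (id, name,
keySizeMin, keySizeMax, cryptoClass, oid, reference) are assumptions made
for illustration; the real repository may use a different schema.
"""
import re
from typing import Optional

# The three cryptoClass values named in the post.
CRYPTO_CLASSES = {
    "Cryptographic-Hash-Function",
    "Symmetric-Key-Algorithm",
    "Asymmetric-Key-Algorithm",
}

# Assumed ID alphabet, modelled on SPDX license IDs such as "Apache-2.0".
ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+-]*$")
OID_RE = re.compile(r"^\d+(\.\d+)+$")
REFERENCE_RE = re.compile(r"^https?://\S+$")


def check_oid(oid: str) -> Optional[str]:
    """Return None if the OID is syntactically valid, otherwise a reason.

    Rules from ITU-T X.660: dotted decimal arcs without leading zeros,
    first arc 0, 1 or 2, and second arc below 40 when the first arc is 0 or 1.
    """
    if not OID_RE.match(oid):
        return "OID must be dotted decimal with at least two arcs"
    parts = oid.split(".")
    if any(len(p) > 1 and p.startswith("0") for p in parts):
        return "OID arcs must not have leading zeros"
    arcs = [int(p) for p in parts]
    if arcs[0] > 2:
        return "first OID arc must be 0, 1 or 2"
    if arcs[0] < 2 and arcs[1] >= 40:
        return "second OID arc must be below 40 when the first arc is 0 or 1"
    return None


def validate_entry(entry: dict) -> list[str]:
    """Check one entry and return a list of human-readable problems."""
    errors = []
    for key in ("id", "name", "cryptoClass"):
        if not entry.get(key):
            errors.append(f"missing required property '{key}'")
    ident = entry.get("id", "")
    if ident and not ID_RE.match(ident):
        errors.append(f"id '{ident}' contains characters outside [A-Za-z0-9.+-]")
    cls = entry.get("cryptoClass")
    if cls and cls not in CRYPTO_CLASSES:
        errors.append(f"cryptoClass '{cls}' is not one of {sorted(CRYPTO_CLASSES)}")
    lo, hi = entry.get("keySizeMin"), entry.get("keySizeMax")
    for label, value in (("keySizeMin", lo), ("keySizeMax", hi)):
        if value is not None and (not isinstance(value, int) or value <= 0):
            errors.append(f"{label} must be a positive integer, got {value!r}")
    if isinstance(lo, int) and isinstance(hi, int) and lo > hi:
        errors.append(f"keySizeMin {lo} exceeds keySizeMax {hi}")
    oid = entry.get("oid")
    if oid is not None:
        reason = check_oid(oid)
        if reason:
            errors.append(f"oid '{oid}': {reason}")
    ref = entry.get("reference")
    if ref is not None and not REFERENCE_RE.match(ref):
        errors.append(f"reference '{ref}' is not an http(s) URL")
    return errors


def validate_list(entries: list[dict]) -> list[str]:
    """Validate every entry and flag duplicate IDs (compared case-insensitively,
    a conservative assumption so that 'SHA-256' and 'sha-256' cannot both exist)."""
    problems = []
    seen: dict[str, str] = {}
    for idx, entry in enumerate(entries):
        label = entry.get("id") or f"<entry #{idx}>"
        problems.extend(f"{label}: {msg}" for msg in validate_entry(entry))
        key = (entry.get("id") or "").lower()
        if key:
            if key in seen:
                problems.append(f"{label}: duplicate id (conflicts with '{seen[key]}')")
            else:
                seen[key] = label
    return problems


# Constructed sample list: two well-formed entries followed by three with defects.
# The SHA-256 and rsaEncryption OIDs are the standard NIST and PKCS#1 values.
SAMPLE_LIST = [
    {"id": "SHA-256", "name": "SHA-256", "cryptoClass": "Cryptographic-Hash-Function",
     "oid": "2.16.840.1.101.3.4.2.1"},
    {"id": "AES", "name": "Advanced Encryption Standard",
     "cryptoClass": "Symmetric-Key-Algorithm", "keySizeMin": 128, "keySizeMax": 256},
    {"id": "RSA", "name": "RSA", "cryptoClass": "Asymmetric-Key-Algorithm",
     "keySizeMin": 4096, "keySizeMax": 2048, "oid": "1.2.840.113549.1.1.1"},  # min > max
    {"id": "sha-256", "name": "SHA-256 again", "cryptoClass": "Cryptographic-Hash-Function"},
    {"id": "Foo Bar", "name": "Foo", "cryptoClass": "Stream-Cipher",
     "oid": "3.1.2", "reference": "not a url"},
]

if __name__ == "__main__":
    for problem in validate_list(SAMPLE_LIST):
        print(problem)
```

Run as a script it prints one line per defect; as a module, `validate_list` returns the same lines, which is the shape a CI job would check before merging a new algorithm into a list like this.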

Parameters to Describe Algorithm Configurations

The SPDX Security Profile requires the SPDX C.A.L. to include parameters that can be used to declare the specific configuration of a given cryptographic algorithm in any SPDX document. The Cryptography Group is currently discussing how to support this requirement.

An Example

We also plan to create a template or example showing how each property should be used. This will help new contributors and users quickly see how to use all the properties without having to check the full list of algorithms. The Group hopes this will make it easier for newcomers to start contributing.

Growing the List

Finally, the list will continue to grow since SCANOSS keeps contributing new algorithms to make the list more complete and useful.

Will the SPDX Cryptography Group deliver this improved v0.2 version before the end of 2025? We are working hard to make that happen.

Challenges

As you can imagine, this journey also comes with challenges. The biggest one is the lack of awareness about this initiative. That is expected — we decided early on to first reach a point where we could show something usable before promoting it widely. We have reached that point.

The Cryptography Group is still small. We need more members with different skills. More people from various backgrounds will bring new knowledge and ideas for use cases.

Call for Participation

The SPDX Cryptographic Algorithm List is now in a stage where I think many people involved with the main use cases will see its potential. At the same time, it is “broken enough” to motivate problem solvers to help us make it better for new use cases.

Come and join us in building a list of cryptographic algorithms that can have the same kind of positive impact as the SPDX License List has had in the open source world and academia.

How to Get Involved

Most of the work happens in the project’s repository: https://github.com/spdx/cryptographic-algorithm-list. We use GitHub Issues to:

  • Track discussions and decisions.
  • Share useful documents or references.
  • Record new requests and ideas.

If you want to contribute, feel free to report bugs or errors, suggest new properties for new use cases, open new topics or join ongoing discussions.

The SPDX Cryptography Group meets every Wednesday at 14:00 UTC for 30 minutes. Meetings are remote and open to everyone via Jitsi. You can check the SPDX Project calendar for any change or additional details.

Final Thoughts

I often refer to open source as a winding road, just like the ones on my home island. I never thought I would spend time on a cryptography project — and enjoy it! I am learning so much. I believe this SPDX Cryptographic Algorithm List will become an important resource for many developers and security experts. We have made good progress, although we are still far from maturity. We will get there… one iteration at a time.

I want to thank Steven Carbno, Bob Martin, Alfred Strauch, and everyone else in the Cryptography Group, as well as Alexios Z. from SPDX. Thank you for welcoming me and being patient enough to let me learn comfortably.

Thanks also to Quique Goñi for working on this with me, to STF for sponsoring my time at SPDX, and to SCANOSS for being the driving force behind this whole effort. Thank you, Julián.

If you work in open source, cryptography, security, or compliance, this is the perfect time to get involved.
