Proposal of a new property: reference

[toscalix]

Background

Every algorithms on the list has a reference, an origin. Usually it is a paper or an article where the cryptographic algorithm is described, including the rationale behind it, the target use case, the mathematical description and some other aspects.
The proposal is to include this origin, in the form of a link to every crypto algorithm

origin

• Description: link pointing at the description of the corresponding algorithm
• Values: URL

examples

For AES (Advanced Encryption Standard)

• origin: https://doi.org/10.6028/NIST.FIPS.197-upd1

The origin is a newer version of https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
Reference: FIPS PUB 197 – Specification for the Advanced Encryption Standard (AES)

For Ed25519

• origin: https://ed25519.cr.yp.to/ed25519-20110926.pdf

Reference: Daniel J. Bernstein et al. – High-speed high-security signatures

Rationale

Each algorithms definition should include in the SPDX C.A. List links pointing to the publication that originally describes the algorithm or to the URL that points to where the algorithm is described technically.

In the detection use case, as well as in the auditing use case, such link is relevant to understand in detail the characteristices of the algorithm, what is used for, how it should be implemented and used, etc...

Description

This new property requires:

• A property name
• A property description
• A values description
• Some origins as example

Points for discussion

• Some of the algorithms has gone through revisions and even standardization processes. origin might refer to the current version of the algorithm.
• If the algorithm is deprecated by another algorithm but still present in the list, origin refers again to the latest version or revision before it was deprecated
• In an original exploration, it might be difficult or controversial to find the origin. What do we do in such cases?
• Is origin the right term, given that there might be revisions and standardizations processes for some cases?
• In some cases, the origin is a well known portal for papers and the origin comes in different formats, like LaTeX, pdf.... Which link should we take?

Actions

• Agreement on a name for the property
• Draft of the property description
  • Agreement on the values prioritization
• Agreement on the description of the property
• Provide the entry for the example algorithm
• List of at least 30 references to include on the list: draft
• Create and confirm
  • A first batch of references
  • A second batch of references
  • A third batch of references
• Created a PR for each batch of references. The first batch includes:
  • Name, description and values (property description)
  • Addition of at at list of at least 10 references to the list
  • Addition of the example algorithm
• PR for the second batch
• PR for the third batch

DoD

• Property name: reference
• Link to the property description draft
• Link to the list of references
• Link to the example algorithm entry
• Agreement on the property name, description and values
• Link to PR
  • Batch 1:
  • Batch 2:
  • Batch 3:
• PR merged

[toscalix]

Attribute convenience

During the last two meetings, there was a general consensus that such a reference would be ideal to have it as part of the list. In which form is still to be discussed, given that we might have to reference papers, standards or descriptions in regulation or standardization bodies.

Another point is that the crypto algorithms might go through several revisions or might be published in more than one place so we might have more than one candidate

Attribute Name

During the SPDX Crypto Algorithms List meeting on 2025-05-21, participants questioned the name "origin". This questioning became a consensus during the following meeting.

Which name do we use instead?

[toscalix]

reference - draft

Description

Option1

Link to the primary technical document that describes the algorithm. This includes the original research paper, the official specification, or the standard that defines the algorithm.

Option 2

URL linking to the original publication, standard, or technical specification that defines the cryptographic algorithm. This resource should detail the algorithm's mathematical basis, rationale, intended applications, and implementation considerations.

Values WIP

These are questions and considerations we need to resolve so we can define the possible values:

• URL pointing to one of these document types:
  • Original research paper (preferred format: DOI link when available)
  • Official specification document (NIST, ISO, IETF, etc.)
  • Standardization body publication
  • Algorithm author's official documentation
• When multiple versions exist, this links to the most current or relevant version.
• For deprecated algorithms, this links to the last official version before deprecation.
• When multiple formats exist (PDF, LaTeX, HTML), prefer the official or most accessible version
• DOI links are preferred over direct PDF links when available
• For algorithms with multiple revisions, link to the current revision
• For deprecated algorithms, link to the final version before deprecation
• If the original source is not available, link to the most authoritative alternative
• What if origin is difficult to find?

[toscalix]

reference

• Description: A link or reference to the authoritative publication, standard, or technical specification that formally defines the cryptographic algorithm. This resource MUST provide details on the algorithm’s mathematical basis, rationale, intended applications, and implementation considerations.
• Value: Array of strings (each string must be a valid URL)
  • Cardinality: 1..n (at least one reference is required; multiple references are permitted and should be ordered by priority).
  • Ordering and Prioritization Rules:
    • Highest priority: Official specification published by a recognized standardization body (e.g., NIST, IETF, ISO/IEC, ANSI, ETSI, RFC series, etc.).
    • Next priority: Original research paper or technical report published by the algorithm designers/authors.
    • Next priority: Any other authoritative, publicly accessible and free of charge document that provide the required detail about the algorithm.
    • Additional references (optional): Any other authoritative documents that provide the required detail about the algorithm.

[toscalix]

References of algorithms from the list

This list is defined to fulfill the requirement expressed on the description of the ticket.

#	Algorithm ID	Confirmed	Reference 1	Reference 2	Comment
1	3des	[x]	https://doi.org/10.17487/RFC1851	https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf	Updated secondary link
2	aes	[x]	https://doi.org/10.6028/NIST.FIPS.197-upd1	https://doi.org/10.6028/NIST.SP.800-38A and https://www.iso.org/standard/81564.html	added a third link
3	aria	[x]	https://doi.org/10.17487/RFC5794	https://link.springer.com/chapter/10.1007/978-3-540-24691-6_32	added the original paper
4	bcrypt	[x]	https://www.usenix.org/legacy/events/usenix99/provos/provos.pdf		paper
5	blake2	[x]	https://doi.org/10.17487/RFC7693		from CycloneDX
6	blake3	[x]	https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf		from CycloneDX, expired internet draft https://datatracker.ietf.org/doc/draft-aumasson-blake3/
7	blowfish	[x]	https://doi.org/10.1007/3-540-58108-1_24	https://www.schneier.com/academic/archives/1994/09/description_of_a_new.html	from CycloneDX + original paper
8	camellia	[x]	https://doi.org/10.17487/RFC3713	https://www.iso.org/standard/54531.html	from CycloneDX + ISO standard
9	cast5	[x]	https://doi.org/10.17487/RFC2144	https://tnlandforms.us/cs594-cns96/cast.pdf	from CycloneDX + paper
10	cast6	[x]	https://doi.org/10.17487/RFC2612		from CycloneDX
11	chacha	[x]	https://doi.org/10.17487/RFC8439	https://cr.yp.to/chacha/chacha-20080128.pdf	from CycloneDX + paper, which also explains the relation between salsa and chacha
12		[ ]
13	cmac	[ ]	https://doi.org/10.6028/NIST.SP.800-38B		from CycloneDX
14	cmea	[ ]			from CycloneDX - TIA TR45.0.A
15	des	[ ]	https://csrc.nist.gov/pubs/fips/46-3/final		from CycloneDX
16	dsa	[ ]	https://doi.org/10.6028/NIST.FIPS.186-4		from CycloneDX
17	ecdh	[ ]	https://doi.org/10.6028/NIST.SP.800-56Ar3	https://doi.org/10.1109/IEEESTD.2000.92290	from CycloneDX
18	elgamal	[ ]	https://www.iso.org/standard/37971.html		from CycloneDX
19	ffdh	[ ]	https://doi.org/10.17487/RFC7919	https://doi.org/10.6028/NIST.SP.800-56Ar3	from CycloneDX
20	fortuna	[ ]	https://www.schneier.com/academic/fortuna		from CycloneDX
21	gost	[ ]			from CycloneDX - no references
22	idea	[ ]	https://doi.org/10.1007%2F3-540-46877-3_35		from CycloneDX
23	md2	[ ]	https://doi.org/10.17487/RFC1319		from CycloneDX
24	md4	[ ]	https://doi.org/10.17487/RFC1320		from CycloneDX
25	md5	[ ]	https://doi.org/10.17487/RFC1321	https://datatracker.ietf.org/doc/rfc6151/	from CycloneDX + RFC 6151 update
26	mqv	[ ]	https://doi.org/10.6028/NIST.SP.800-56Ar3		from CycloneDX
27	pbes1	[ ]	https://doi.org/10.17487/RFC8018		from CycloneDX
28	pbes2	[ ]	https://doi.org/10.17487/RFC8018		from CycloneDX
29	pbkdf1	[ ]	https://doi.org/10.17487/RFC8018		from CycloneDX
30	pbkdf2	[ ]	https://doi.org/10.17487/RFC8018	https://doi.org/10.6028/NIST.SP.800-132	from CycloneDX
31	rabbit	[ ]	https://doi.org/10.17487/RFC4503	https://www.ecrypt.eu.org/stream/	from CycloneDX
32	rc2	[ ]	https://doi.org/10.17487/RFC2268		from CycloneDX
33	rc4	[ ]	https://dl.acm.org/doi/book/10.5555/572932		from CycloneDX
34	rc5	[ ]	https://doi.org/10.17487/RFC2040		from CycloneDX
35	rc6	[ ]	https://web.archive.org/web/20181223080309/http://people.csail.mit.edu/rivest/rc6.pdf		from CycloneDX
36	ripemd	[ ]	https://www.iso.org/standard/67116.html		from CycloneDX
37	rsaes-oaep	[ ]	https://doi.org/10.17487/RFC8017		from CycloneDX
38	rsaes-pkcs1	[ ]	https://doi.org/10.17487/RFC8017		from CycloneDX
39	rsassa-pkcs1	[ ]	https://doi.org/10.17487/RFC8017	https://doi.org/10.1109/IEEESTD.2000.92290	from CycloneDX
40	rsassa-pss	[ ]	https://doi.org/10.17487/RFC8017	https://doi.org/10.1109/IEEESTD.2004.94612	from CycloneDX
41	salsa20	[ ]	https://doi.org/10.1007/978-3-540-68351-3_8		from CycloneDX
42	seed	[ ]	https://doi.org/10.17487/RFC4269	https://doi.org/10.17487/RFC5669	from CycloneDX
43	serpent	[ ]	https://www.cl.cam.ac.uk/~rja14/serpent.html		from CycloneDX
44	sha-1	[ ]	https://doi.org/10.6028/NIST.FIPS.180-4		from CycloneDX
45	sha-2	[ ]	https://doi.org/10.6028/NIST.FIPS.180-4		from CycloneDX
46	sha-3	[ ]	https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf		from CycloneDX
47	skipjack	[ ]	https://doi.org/10.6028/NIST.FIPS.185		from CycloneDX
48	snow3g	[ ]	https://www.3gpp.org/ftp/Specs/archive/35_series/35.216/35216-i00.zip		from CycloneDX
49	twofish	[ ]	https://www.schneier.com/academic/twofish/		from CycloneDX
50	whirlpool	[ ]	https://www.iso.org/standard/67116.html	https://www.cosic.esat.kuleuven.be/nessie/	from CycloneDX
51	yarrow	[ ]	https://www.schneier.com/academic/yarrow		from CycloneDX
52	zuc	[ ]	https://www.3gpp.org/ftp/Specs/archive/35_series/35.221/35221-i00.zip		from CycloneDX

[daijapan]

@toscalix hello - sorry for jumping in the mid of the session today. we have been doing some benchmarking research on post-quantum crypto (like lattice) both in computer science and theoretical mathematics. this topic looks very interesting and i hope to do something after joining next week session.

[toscalix]

Removed from the list: chacha20 https://doi.org/10.17487/RFC8439

We need to discuss the Salsa / Chacha / Salsa20 / Chacha20 case #44

[toscalix]

First batch of references to add to the list

Algorithm ID	Reference 1	Reference 2
3des	https://doi.org/10.17487/RFC1851	https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf
aes	https://doi.org/10.6028/NIST.FIPS.197-upd1	https://doi.org/10.6028/NIST.SP.800-38A and https://www.iso.org/standard/81564.html
aria	https://doi.org/10.17487/RFC5794	https://link.springer.com/chapter/10.1007/978-3-540-24691-6_32
bcrypt	https://www.usenix.org/legacy/events/usenix99/provos/provos.pdf
blake2	https://doi.org/10.17487/RFC7693
blake3	https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf
blowfish	https://doi.org/10.1007/3-540-58108-1_24	https://www.schneier.com/academic/archives/1994/09/description_of_a_new.html
camellia	https://doi.org/10.17487/RFC3713	https://www.iso.org/standard/54531.html
cast5	https://doi.org/10.17487/RFC2144	https://tnlandforms.us/cs594-cns96/cast.pdf
chacha	https://doi.org/10.17487/RFC8439	https://cr.yp.to/chacha/chacha-20080128.pdf

[toscalix]

We do not have cast 5 nor cast6 on our list but cast. cast is cast-128 which is cast5

Keeping this references out of the list until #47 is resolved

• cast6 https://doi.org/10.17487/RFC2612

[toscalix]

Second batch of references

Algorithm ID	Reference 1	Reference 2	Reference 3
cmac	https://csrc.nist.gov/pubs/sp/800/38/b/upd1/final	https://csrc.nist.gov/News/2025/decision-to-revise-sp-800-38b-and-38c	https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
cmea	https://www.3gpp2.org/Public_html/Specs/S.S0053-0_v2.0.pdf	https://doi.org/10.6028/NIST.SP.800-38A and https://www.iso.org/standard/81564.html
des	https://csrc.nist.gov/pubs/fips/46-3/final	https://web.archive.org/web/20140226205104/http://origin-www.computer.org/csdl/mags/co/1977/06/01646525.pdf
dsa	https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf	https://web.archive.org/web/20131213131144/http://www.itl.nist.gov/fipspubs/fip186.htm#FIPS_TOP
ecdh	https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
elgamal	https://caislab.kaist.ac.kr/lecture/2010/spring/cs548/basic/B02.pdf
ffdh	https://csrc.nist.gov/pubs/sp/800/56/a/r3/final	https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf	https://www.rfc-editor.org/info/rfc7919
fortuna	https://www.schneier.com/academic/fortuna/
gost	https://doi.org/10.17487/RFC8891	https://www.rfc-editor.org/info/rfc7801	https://www.rfc-editor.org/info/rfc5830

Implementation #64

[toscalix]

Third batch of references to add to the algorithms

Algorithm ID	Reference 1	Reference 2	Reference 3
idea
md2
md4
md5
mqv
pbes1
pbes2
pbkdf1
pbkdf2
rabbit