From 62ab8e6a288ce9354fca016058fa17217091381e Mon Sep 17 00:00:00 2001
From: Basil Hess <bhe@zurich.ibm.com>
Date: Tue, 24 Feb 2026 17:05:49 +0100
Subject: [PATCH 1/4] Update crypto definitions

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
---
 schema/cryptography-defs.json | 65 +++++++++++++++++++++--------------
 1 file changed, 40 insertions(+), 25 deletions(-)

diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index d5615389..8f839326 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -1,6 +1,6 @@
 {
   "$schema": "http://cyclonedx.org/schema/cryptography-defs.schema.json",
-  "lastUpdated": "2025-03-22T00:00:00Z",
+  "lastUpdated": "2026-02-24T00:00:00Z",
   "algorithms": [
     {
       "family": "RSASSA-PKCS1",
@@ -16,7 +16,7 @@
       ],
       "variant": [
         {
-          "pattern": "RSA-PKCS1-1.5[-{digestAlgorithm}][-{keyLength}]",
+          "pattern": "RSA-PKCS1-1.5[-{hashAlgorithm}][-{keyLength}]",
           "primitive": "signature"
         }
       ]
@@ -35,7 +35,7 @@
       ],
       "variant": [
         {
-          "pattern": "RSA-PSS[-{digestAlgorithm}][-{saltLength}][-{keyLength}]",
+          "pattern": "RSA-PSS[-{hashAlgorithm}][-{maskGenAlgorithm}][-{saltLength}][-{keyLength}]",
           "primitive": "signature"
         }
       ]
@@ -99,7 +99,7 @@
       ],
       "variant": [
         {
-          "pattern": "ECDSA[-{ellipticCurve}][-{hash}]",
+          "pattern": "ECDSA[-{ellipticCurve}][-{hashAlgorithm}]",
           "primitive": "signature"
         }
       ]
@@ -186,7 +186,7 @@
       ],
       "variant": [
         {
-          "pattern": "DSA[-{length}][-{hash}]",
+          "pattern": "DSA[-{length}][-{hashAlgorithm}]",
           "primitive": "signature"
         }
       ]
@@ -251,11 +251,11 @@
       ],
       "variant": [
         {
-          "pattern": "SRP-3[-{hashFunction}][-{namedGroup}]",
+          "pattern": "SRP-3[-{hashAlgorithm}][-{namedGroup}]",
           "primitive": "key-agree"
         },
         {
-          "pattern": "SRP-6[-{hashFunction}][-{namedGroup}]",
+          "pattern": "SRP-6[-{hashAlgorithm}][-{namedGroup}]",
           "primitive": "key-agree"
         }
       ]
@@ -465,7 +465,7 @@
       ],
       "variant": [
         {
-          "pattern": "HKDF[-{hashFunction}]",
+          "pattern": "HKDF[-{hashAlgorithm}]",
           "primitive": "kdf"
         }
       ]
@@ -484,7 +484,7 @@
       ],
       "variant": [
         {
-          "pattern": "HMAC[-{hashFunction}][-{tagLength}]",
+          "pattern": "HMAC[-{hashAlgorithm}][-{tagLength}]",
           "primitive": "mac"
         }
       ]
@@ -733,7 +733,7 @@
           "primitive": "signature"
         },
         {
-          "pattern": "HashML-DSA-(44|65|87)[-{hashFunction}]",
+          "pattern": "HashML-DSA-(44|65|87)[-{hashAlgorithm}]",
           "primitive": "signature"
         }
       ]
@@ -752,7 +752,7 @@
           "primitive": "signature"
         },
         {
-          "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)[-{hashFunction}]",
+          "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)[-{hashAlgorithm}]",
           "primitive": "signature"
         }
       ]
@@ -798,7 +798,7 @@
       ],
       "variant": [
         {
-          "pattern": "LMS[_{hashFunction}][_M{bytesPerNode}][_H{treeHeight}]",
+          "pattern": "LMS[_{hashAlgorithm}][_M{bytesPerNode}][_H{treeHeight}]",
           "primitive": "signature"
         },
         {
@@ -1006,7 +1006,7 @@
           "primitive": "block-cipher"
         },
         {
-          "pattern": "SEED-128[-{mode}][-{padding}]-HMAC[-{hashFunction}][-{tagLength}]",
+          "pattern": "SEED-128[-{mode}][-{padding}]-HMAC[-{hashAlgorithm}][-{tagLength}]",
           "primitive": "ae"
         },
         {
@@ -1165,7 +1165,7 @@
       ],
       "variant": [
         {
-          "pattern": "X3DH[-{hashFunction}]",
+          "pattern": "X3DH[-{hashAlgorithm}]",
           "primitive": "key-agree"
         }
       ]
@@ -1199,7 +1199,7 @@
       ],
       "variant": [
         {
-          "pattern": "OPAQUE-3DH[-{group}][-{hashFunction}][-{ksf}][-{kdf}][-{mac}]",
+          "pattern": "OPAQUE-3DH[-{group}][-{hashAlgorithm}][-{ksf}][-{kdf}][-{mac}]",
           "primitive": "key-agree"
         }
       ]
@@ -1233,7 +1233,7 @@
       ],
       "variant": [
         {
-          "pattern": "SPAKE2[-{group}][-{hashFunction}][-{kdf}][-{mac}]",
+          "pattern": "SPAKE2[-{group}][-{hashAlgorithm}][-{kdf}][-{mac}]",
           "primitive": "key-agree"
         }
       ]
@@ -1248,7 +1248,7 @@
       ],
       "variant": [
         {
-          "pattern": "SPAKE2+[-{group}][-{hashFunction}][-{kdf}][-{mac}]",
+          "pattern": "SPAKE2+[-{group}][-{hashAlgorithm}][-{kdf}][-{mac}]",
           "primitive": "key-agree"
         }
       ]
@@ -1588,7 +1588,7 @@
       ],
       "variant": [
         {
-          "pattern": "PBKDF1[-{hashFunction}][-{iterations}][-{dkLen}]",
+          "pattern": "PBKDF1[-{hashAlgorithm}][-{iterations}][-{dkLen}]",
           "primitive": "kdf"
         }
       ]
@@ -1607,7 +1607,7 @@
       ],
       "variant": [
         {
-          "pattern": "PBKDF2[-{hashFunction}][-{iterations}][-{dkLen}]",
+          "pattern": "PBKDF2[-{hashAlgorithm}][-{iterations}][-{dkLen}]",
           "primitive": "kdf"
         }
       ]
@@ -1652,7 +1652,7 @@
       ],
       "variant": [
         {
-          "pattern": "PBMAC1[-{macAlgorithm}][-{hashFunction}][-{iterations}][-{dkLen}]",
+          "pattern": "PBMAC1[-{macAlgorithm}][-{hashAlgorithm}][-{iterations}][-{dkLen}]",
           "primitive": "mac"
         }
       ]
@@ -1687,6 +1687,21 @@
         }
       ]
     },
+    {
+      "family": "yescrypt",
+      "standard": [
+        {
+          "name": "yescrypt - scalable KDF and password hashing scheme",
+          "url": "https://www.openwall.com/yescrypt/"
+        }
+      ],
+      "variant": [
+        {
+          "pattern": "[(gost-|sm3-)]yescrypt[-{N_log2}][-{r}][-{p}][-{t}]",
+          "primitive": "hash"
+        }
+      ]
+    },
     {
       "family": "A5/1",
       "variant": [
@@ -1716,7 +1731,7 @@
       "standard": [
         {
           "name": "TIA TR45.0.A",
-          "url": ""
+          "url": "https://patents.google.com/patent/US5159634"
         }
       ],
       "variant": [
@@ -1736,7 +1751,7 @@
       ],
       "variant": [
         {
-          "pattern": "Fortuna[-{blockCipher}][-{hashFunction}]",
+          "pattern": "Fortuna[-{blockCipher}][-{hashAlgorithm}]",
           "primitive": "drbg"
         }
       ]
@@ -1751,7 +1766,7 @@
       ],
       "variant": [
         {
-          "pattern": "Yarrow[-{blockCipher}][-{hashFunction}]",
+          "pattern": "Yarrow[-{blockCipher}][-{hashAlgorithm}]",
           "primitive": "drbg"
         }
       ]
@@ -1781,7 +1796,7 @@
       ],
       "variant": [
         {
-          "pattern": "Hash_DRBG[-{hashFunction}]",
+          "pattern": "Hash_DRBG[-{hashAlgorithm}]",
           "primitive": "drbg"
         }
       ]
@@ -1796,7 +1811,7 @@
       ],
       "variant": [
         {
-          "pattern": "HMAC_DRBG[-{hashFunction}]",
+          "pattern": "HMAC_DRBG[-{hashAlgorithm}]",
           "primitive": "drbg"
         }
       ]

From 3c92ef0ec714a229a9f47919e4e12f136a4727bd Mon Sep 17 00:00:00 2001
From: Basil Hess <bhe@zurich.ibm.com>
Date: Thu, 26 Feb 2026 14:48:49 +0100
Subject: [PATCH 2/4] Remove duplicate KDF, merge with kdf with SP800-108r1

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
---
 schema/cryptography-defs.json | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 8f839326..19fa3b86 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -504,21 +504,6 @@
         }
       ]
     },
-    {
-      "family": "KMAC",
-      "standard": [
-        {
-          "name": "SP800-108r1",
-          "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1"
-        }
-      ],
-      "variant": [
-        {
-          "pattern": "KMAC[-(128|256)]",
-          "primitive": "mac"
-        }
-      ]
-    },
     {
       "family": "UMAC",
       "standard": [
@@ -1108,7 +1093,7 @@
       ],
       "variant": [
         {
-          "pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF)[-{prfFunction}][-{dkmLength}]",
+          "pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF|KMAC)[-{prfFunction}][-{dkmLength}]",
           "primitive": "key-derive"
         }
       ]

From ca4d2f62984f89ea632efc42f948947a50b383e1 Mon Sep 17 00:00:00 2001
From: Basil Hess <bhe@zurich.ibm.com>
Date: Thu, 5 Mar 2026 14:13:17 +0100
Subject: [PATCH 3/4] Consistent use of kdf for password-based key derivation
 algorithms, add hashAlgorithm prefix for yescrypt

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
---
 schema/cryptography-defs.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 19fa3b86..6ef81847 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -1653,7 +1653,7 @@
       "variant": [
         {
           "pattern": "bcrypt[-{cost}]",
-          "primitive": "hash"
+          "primitive": "kdf"
         }
       ]
     },
@@ -1668,7 +1668,7 @@
       "variant": [
         {
           "pattern": "scrypt[-{N}][-{r}][-{p}][-{dkLen}]",
-          "primitive": "hash"
+          "primitive": "kdf"
         }
       ]
     },
@@ -1682,8 +1682,8 @@
       ],
       "variant": [
         {
-          "pattern": "[(gost-|sm3-)]yescrypt[-{N_log2}][-{r}][-{p}][-{t}]",
-          "primitive": "hash"
+          "pattern": "[{hashAlgorithm}-]yescrypt[-{N_log2}][-{r}][-{p}][-{t}]",
+          "primitive": "kdf"
         }
       ]
     },

From f9ab2ad441dc79b1f2ea3518f6460413304bec65 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Thu, 5 Mar 2026 14:27:50 +0000
Subject: [PATCH 4/4] chore: update algorithm families [skip ci]

---
 schema/cryptography-defs.schema.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json
index 43a06741..e1781505 100644
--- a/schema/cryptography-defs.schema.json
+++ b/schema/cryptography-defs.schema.json
@@ -1,7 +1,7 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json",
-  "$comment": "2026-02-26T14:12:39Z",
+  "$comment": "2026-03-05T14:27:50Z",
   "title": "Cryptographic Algorithm Family Definitions",
   "description": "Enumerates cryptographic algorithm families and their specific metadata.",
   "type": "object",
@@ -281,7 +281,6 @@
         "IDEA",
         "IKE-PRF",
         "J-PAKE",
-        "KMAC",
         "LMS",
         "MD2",
         "MD4",
@@ -334,7 +333,8 @@
         "Yarrow",
         "ZUC",
         "bcrypt",
-        "scrypt"
+        "scrypt",
+        "yescrypt"
       ]
     },
     "ellipticCurvesEnum": {