Skip to content

[FEATURE]: Add yescrypt to Cryptography Registry #757

New issue
New issue
Open
Open
[FEATURE]: Add yescrypt to Cryptography Registry#757
Labels
cap: cryptographyCapability: Cryptography (CBOM)proposed core enhancement
@beatquantum

Description

@beatquantum
beatquantum
opened on Dec 31, 2025

Problem Statement

yescrypt is the default password hashing algorithm in major Linux distributions (Debian 11+, Fedora 35+, Ubuntu 22.04+, Kali Linux 2021.1+, Arch Linux) yet it is not currently in the CycloneDX Cryptography Registry. This creates a critical gap in registry coverage for system authentication on Linux infrastructure.

Proposed Pattern

Yescrypt[-{N_log2}][-{r}][-{p}][-{t}][-{flags}]

Valid examples:

  • Yescrypt (variant only)
  • Yescrypt-5-8-1-0 (default parameters: N=2^5, r=8, p=1, t=0)
  • Yescrypt-7-8-1-0 (higher memory: N=2^7, r=8, p=1, t=0)
  • gost-yescrypt-5-8-1-0 (GOST R 34.11-2012 variant)
  • sm3-yescrypt-5-8-1-0 (ShangMi 3 variant)

Illustration of Compatibility (json)

{
  "type": "cryptographic-asset",
  "name": "Yescrypt-5-8-1-0",
  "cryptoProperties": {
    "assetType": "algorithm",
    "algorithmProperties": {
      "primitive": "password-hashing",
      "algorithmFamily": "Yescrypt",
      "parameterSetIdentifier": "5-8-1-0"
    }
  }
}

Request to other contributors / moderators

  • I do not use gost and sm3 in my infrastructure. Please can someone check for accuracy.
  • If a simplification was desireable, I would be happy for you to consider the cost_factor alone. For example, in Debian /etc/pam.d/common-password I usually specify "yescrypt rounds=8".

Justification

  1. Default password hashing in production Linux distributions
  2. Parametric algorithm similar to bcrypt and PBKDF2 (already in registry)
  3. Parameter variation critically impacts security (N, r, p, t parameters)
  4. Enables policy enforcement and system authentication visibility in CBOMs
  5. Critical for Linux infrastructure compliance and inventory

Standards Reference

Metadata

Metadata

Assignees

No one assigned

    Labels

    cap: cryptographyCapability: Cryptography (CBOM)proposed core enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions