Published per NSM-10 (mandating an inventory of all asymmetric cryptography in active use), NIST IR 8547 (PQC transition deadlines), and CNSA 2.0 (signing-algorithm procurement deadline).
Reviewed quarterly. Last review: 2026-05-13.
| Algorithm | Crate | Use | PQ status | Replacement | Deadline |
|---|---|---|---|---|---|
| XChaCha20-Poly1305 | chacha20poly1305 |
Vault AEAD; record encryption | PQ-safe (symmetric, 256-bit key) | none | n/a |
| ChaCha20-Poly1305 | chacha20poly1305 |
Transport AEAD (where used) | PQ-safe | none | n/a |
| Argon2id | argon2 |
Vault passphrase KDF (m=64 MiB, t=3, p=4) | PQ-safe (memory-hard, symmetric) | none | n/a |
| SHA-256 | sha2 |
Integrity hashes, HMAC | PQ-safe (NIST IR 8547 §3.2 — Grover halves bits, 128-bit residual is fine) | optional upgrade to SHA-384 for long-lived audit log entries | 2028 evaluate |
| HMAC-SHA256 | hmac + sha2 |
API bearer tokens, webhook signature verification | PQ-safe | none | n/a |
| Ed25519 | ed25519-dalek |
Connector manifest signing; release signing (current) | DEPRECATED after 2030, DISALLOWED after 2035 per NIST IR 8547 §4 | Hybrid Ed25519+ML-DSA-65; pure ML-DSA-65 or SLH-DSA long-term. CNSA 2.0 prefers LMS/XMSS for code signing. |
2027 manifest schema, 2029 default-on, 2030 mandatory |
| X25519 | via rustls 0.23 |
TLS 1.3 key exchange (mgmt API, connector outbound, Veilid future) | DEPRECATED after 2030, DISALLOWED after 2035 | Hybrid X25519MLKEM768 via rustls-post-quantum 0.2 (TLS draft-ietf-tls-ecdhe-mlkem) |
2026 Q4 enable by default |
Every signing and key-exchange interface in Springtale must carry an algorithm identifier so a future migration is purely additive, never a forklift:
- Connector manifests carry an explicit
algfield. Default"ed25519". Verifier dispatches on the field; refuses unknown values. - Vault file format carries an
algfield for both KDF and AEAD. - Release-signing artifacts (cosign bundles) record the signing algorithm in
the
.intoto.jsonlpredicate. - The
springtale-crypto::Signertrait is object-safe; multiple impls live inspringtale-crypto::signers::*.
| Phase | Status | Action |
|---|---|---|
| 2026 Q2 | DONE | Inventory published (this document). |
| 2026 Q2 | DONE | Hybrid X25519+ML-KEM-768 KEX on TLS 1.3 activated via rustls_post_quantum::provider().install_default() at every binary entry-point (springtaled, springtale-cli, tauri-desktop). Process-global install propagates to every reqwest::Client in the workspace — including all 15 connector clients — without per-builder code change. Delivered ahead of the 2026 Q4 target. |
| 2026 Q2 | DONE | springtale_crypto::signature::SignatureAlgorithm + ConnectorManifest.signature_alg field landed; verifier dispatches on the tag. Extension point for the 2027 Q1 hybrid signer. |
| 2026 Q2 | DONE | springtale_crypto::vault::VaultPlaintext envelope (AEAD + KDF + Argon2 params authenticated by AEAD tag). Vault format is crypto-agile end-to-end; both single-region and dual-vault paths use the envelope. |
| 2026 Q2 | DONE | CBOM emitted at cbom/springtale.cbom.cdx.json (CycloneDX 1.6, 7 cryptographic-asset components). Validated by sbom.yml cbom job. |
| 2027 Q1 | PLANNED | springtale-crypto::signers::ed25519_mldsa65 hybrid signer behind feature flag. Manifest schema accepts alg = "ed25519_mldsa65". |
| 2027 Q3 | PLANNED | Release signing migrates to LMS or hybrid; cosign-bundle predicate records algorithm. |
| 2029 Q1 | PLANNED | Hybrid path becomes default for new manifests. Pure-Ed25519 marked deprecated in signer factory. |
| 2030 Q1 | MANDATORY | NIST IR 8547 deprecation deadline. All new artifacts hybrid or pure-PQ. |
| 2034 Q4 | PLANNED | Remove pure-Ed25519 verify path. |
| 2035 Q1 | MANDATORY | NIST IR 8547 "disallowed" deadline. Pure-Ed25519 / pure-X25519 fully removed. |
Enforced via deny.toml [bans] deny list:
rsacrate — affected by RUSTSEC-2023-0071 (Marvin Attack timing side-channel) with no upstream fix.md-5,sha-1crates — broken hash functions.rust-cryptocrate — abandoned, unaudited.native-tls,openssl-sys,openssl— Springtale usesrustlsexclusively. A[patch]stub in workspaceCargo.tomlmakesnative-tlsfail-to-compile if anything tries to pull it in.
CycloneDX 1.6+ supports Cryptographic Bill of Materials. CI job sbom.yml
emits a CBOM stanza per algorithm above so downstream consumers can audit
algorithm posture without reading this file.
Quarterly. Triggers for ad-hoc review:
- New algorithm added to any new dep.
- Upstream advisory against any algorithm we use.
- NIST publishes any draft / final SP that changes deadlines.
- Any HRR (hardware-resistant) implementation lands for any algorithm we use.