|
This is the most comprehensive open, documented, and engineering-actionable cryptographic reference available. Not a museum of every cipher ever conceived — but a battle-tested index of what you actually need to build secure systems, pass audits, and migrate to post-quantum standards. |
| 250 planned algorithm surfaces |
8 inventory groups |
29 target variants |
3 core domains |
Status: under active development. Planned algorithms, target badges, and profile names show the roadmap. They do not mean the project is production-ready or audited.
|
TOP-TIER DIRECTION Many algorithms, but safer defaults. NextSSL can keep many algorithms in one place without making all of them default choices. The archive can be wide, while the default profile stays careful. |
SECURITY POSTURE Defaults should be reviewed. Experimental and old algorithms can stay in the archive. They should not become normal defaults unless the project clearly allows them. |
PORTABILITY Built for many platforms. The current layout tracks desktop, mobile, Linux, Windows, and WASM targets from the start. |
|
NextSSL is organized around three areas: Simple rule: keep the archive wide, and keep defaults strict. |
|
|
Current archive inventory: 250 planned algorithm surfaces across 8 groups.
| Group | Count | Purpose |
|---|---|---|
| Modern | 84 | AEAD, MAC, KDF, signatures, curves, and key exchange work |
| Hash / KDF-hash | 59 | Hashes, XOFs, KMAC, and password-hash related surfaces |
| PQC | 41 | KEMs, signatures, and adjacent post-quantum candidates |
| Threshold | 36 | Threshold signatures, MPC, VSS, DKG, and related protocols |
| Encoding | 14 | Encodings and checksum helpers |
| Ascon | 7 | Lightweight AEAD, hash, XOF, MAC, and PRF surfaces |
| DRBG / RNG | 7 | DRBGs and randomness infrastructure |
| Stateful HBS | 2 | LMS and XMSS |
Entries marked NEW in ALGO.md are planned items. They do not mean the code is finished.
|
SAFEST Safe defaults for normal users. The default profile should use modern, reviewed choices and avoid old or risky ones. |
COMPATIBILITY Old-system support with warnings. Older algorithms can be available for compatibility, but they should be clearly marked. |
RESEARCH Experimental algorithms for study. Researchers can inspect candidates, add references, and help move good choices forward. |
| Profile | Purpose |
|---|---|
safest |
Safe defaults for normal users |
compatibility |
Legacy and migration support with warnings |
research |
Experimental algorithms and review hooks |
archive |
Full catalog inspection |
pqc |
Post-quantum and hybrid migration work |
|
NextSSL is not claiming to replace OpenSSL, BoringSSL, libsodium, Botan, Crypto++, wolfSSL, or mbedTLS today. Those projects are older, more tested, and used in real systems. The goal is different: become a useful crypto toolkit for people who want a big algorithm list plus strict defaults. |
|
|
The current bin layout contains 29 target variants. Build docs are still changing; start with BUILD.md.
| Family | Targets |
|---|---|
| Android | arm64-v8a, armeabi-v7a, x86, x86_64 |
| iOS | device-arm64, sim-arm64, sim-x86_64 |
| Linux glibc | arm64, armv7, loongarch64, ppc64le, riscv64, s390x, x86, x86_64 |
| Linux musl | arm64, armv7, x86_64 |
| macOS | arm64, universal, x86_64 |
| WASM | emscripten-wasm32, wasi-wasm32 |
| Windows | arm64-msvc, armv7-msvc, x86-mingw, x86-msvc, x86_64-mingw, x86_64-msvc |
| PLAN.md Roadmap, profiles, safety labels, and contribution flow. |
ALGO.md Complete current inventory and planned surfaces. |
BUILD.md Build notes and target guidance. |
| CONTRIBUTING.md How to add and review algorithms. |
SECURITY.md Security reporting policy. |
LICENSE Apache-2.0. |
 glibc |
arm64 armv7 loongarch64 ppc64le riscv64 s390x x86 x86_64 |
| musl |
arm64 armv7 x86_64 |
 MSVC / MinGW |
arm64-msvc armv7-msvc x86-mingw x86-msvc x86_64-mingw x86_64-msvc |
 Android |
arm64-v8a armeabi-v7a x86 x86_64 |
 iOS |
device-arm64 sim-arm64 sim-x86_64 |
| macOS |
arm64 universal x86_64 |
 WASM |
emscripten-wasm32 wasi-wasm32 |
|
NextSSL is building toward top-tier crypto-library status with a big algorithm catalog and clear safety profiles. |
TL;DR: This inventory aims to be the most comprehensive openly documented cryptographic reference for production engineering, standards compliance, and protocol design. It does not claim to be an exhaustive enumeration of every algorithm that has ever existed. Below is the explicit boundary of what we include, what we deliberately exclude, and why.
| Inclusion Criteria | Examples |
|---|---|
| IETF / NIST / ISO / ITU-T standards | AES-GCM, SHA-3, ML-KEM, ML-DSA, HKDF, X.509v3 |
| National standards (openly published) | SM3/SM4 (China), Streebog/Kuznyechik (Russia), ARIA/SEED/LEA (Korea), Camellia (Japan) |
| Widely deployed protocol primitives | Noise patterns, Signal X3DH/Double Ratchet, WireGuard, TLS 1.3 cipher suites |
| Production cryptographic libraries | OpenSSL, BoringSSL, wolfSSL, libsodium, Botan, mbed TLS, ring, rustls |
| Post-quantum NIST finalists & standards | ML-KEM, ML-DSA, SLH-DSA, plus selected alternates with significant deployment |
| Threshold / MPC primitives with active implementations | FROST, TSS2, GG20/21 variants, DKG, VSS |
| Zero-knowledge proof systems with production usage | Groth16, Plonk, STARKs, Bulletproofs, KZG commitments |
| Hardware security interfaces & TEE abstractions | PKCS#11, TPM 2.0, Intel SGX/TDX, AMD SEV-SNP, Apple Secure Enclave |
| Historic algorithms relevant to migration & legacy support | MD5, SHA-1, 3DES, RSA-PKCS1-v1.5, DSA |
| Exclusion Category | Rationale | Examples of Omitted Items |
|---|---|---|
| Classified / proprietary government cryptography | Not publicly documented; no verifiable specification | NSA Suite A, military tactical ciphers, diplomatic link encryption |
| Undocumented vendor-specific protocols | Cannot be independently implemented or audited | Proprietary smart-card OS crypto, automotive ECU obfuscation, DRM cipher suites |
| Purely academic proposals with zero deployment | Inventory would balloon to thousands of entries with no engineering value | Most eSTREAM Round 1/2 candidates, dozens of lightweight Feistel ciphers from 2005–2015 |
| Regional telecom/radio ciphers without open standards | Specialized, often classified, and rapidly obsolete | Specific GSM A5/3 variants, satellite link ciphers, tactical radio waveforms |
| Hardware bitstream / FPGA obfuscation schemes | Not general-purpose cryptographic algorithms | Xilinx bitstream encryption, ASIC logic locking |
| Non-cryptographic checksums / hashes | Error detection ≠ cryptographic security | CRC variants beyond ISO 3309, Fletcher checksums, Adler-32 (already borderline) |
| Steganography and covert-channel techniques | Out of scope; not cryptographic primitives | LSB encoding, spread-spectrum hiding, traffic morphing |
| Quantum cryptography (QKD / QRNG hardware schemes) | Physical-layer security, not algorithmic cryptography | BB84, E91, device-independent QKD protocols |
| Ad-hoc protocol compositions without standardization | Too many possible combinations; we track standardized integrations only | Custom corporate VPN protocols, homegrown key-derivation schemes |
| Malware / offensive tooling ciphers | No legitimate engineering use case | Ransomware custom ciphers, C2 obfuscation algorithms |
Can a team pick this inventory and say "we have all algorithms we need for any standard-compliant system"?
Yes, with two caveats:
-
For classical, PQC, and mainstream protocol cryptography: This inventory + the MISSING.md supplement covers >95% of algorithms you will ever encounter in standards-compliant TLS, SSH, IPsec, messaging, blockchain, code-signing, document signing, or FIPS 140-validated modules. The remaining gaps are niche national standards (e.g., some CIS regional ciphers), experimental ZK constructions, or bleeding-edge PQC on-ramp candidates not yet finalized.
-
For specialized domains, you will need domain-specific extensions:
- Satellite/space communications (CCSDS, specific space agencies)
- Military / defense (NATO STANAG, national classified suites)
- Payment networks (EMVCo specifics, PCI PTS point-to-point encryption)
- Automotive (V2X IEEE 1609.2, SOME/IP Sec, proprietary OEM schemes)
- Medical devices (IEC 80001, proprietary hospital network encryption)
- Industrial control (IEC 62351, proprietary SCADA protocols)
In short: This is the most comprehensive open, engineering-oriented cryptographic archive available. It is not — and cannot be — a complete enumeration of every algorithm ever devised, because cryptography is a living field with classified, proprietary, experimental, and domain-specific branches that are inherently unbounded.
If you need coverage for a specific domain:
- Fork the MISSING.md and add your domain-specific section (e.g.,
# 21. Space Communications,# 22. Medical Device Crypto). - Reference the original schema (SQL-style tables in CRYPTO_INVENTORY.md) so your additions remain machine-parseable.
- Flag
statusappropriately: Usehistoricfor obsolete domain ciphers,plannedfor draft standards, andcurrentonly for actively deployed algorithms. - Cross-reference protocol integrations: If your algorithm appears in a protocol, add it to the Protocol Integration Reference table.
The goal is not to be a museum of every cipher ever conceived. The goal is to be the definitive engineering reference for building secure, standards-compliant, and future-proofed cryptographic systems.