Architecture-Derived CBOMs for Cryptographic Migration: A Security-Aware Architecture Tradeoff Method
Abstract
Cryptographic migration driven by algorithm deprecation, regulatory change, and post-quantum readiness requires more than an inventory of cryptographic assets. Existing Cryptographic Bills of Materials (CBOMs) are typically tool- or inventory-derived. They lack architectural intent, rationale, and security context, limiting their usefulness for migration planning. This paper introduces Security-Aware Architecture Tradeoff Analysis Method (SATAM), a security-aware adaptation of scenario-based architecture evaluation that derives an architecture-grounded, context-sensitive CBOM. SATAM integrates established approaches: ATAM, arc42, STRIDE, ADR, and CARAF. These are included to identify and analyze security-relevant cryptographic decision points and document them as explicit architectural decisions. These artifacts are used to annotate CBOM entries with architectural context, security intent, and migration-critical metadata using CycloneDX-compatible extensions. Following a Design Science Research approach, the paper presents the method design, a conceptual traceability model, and an illustrative application. The results demonstrate that architecture-derived CBOMs capture migration-relevant context that is typically absent from inventory-based approaches. Thereby, SATAM improves availability of information required for informed cryptographic migration planning and long-term cryptographic agility.
Cite
@article{arxiv.2603.22442,
title = {Architecture-Derived CBOMs for Cryptographic Migration: A Security-Aware Architecture Tradeoff Method},
author = {Eduard Hirsch and Kristina Raab},
journal= {arXiv preprint arXiv:2603.22442},
year = {2026}
}
Comments
Will be published at Migration and Agility in Cryptographic Systems (Magics) Workshop, Co-located with Eurocrypt 2026 as an affiliated workshop