Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Implementation of several cryptographic primitives. I created this library to to test specific attacks on existing cryptograpy.

Performance is not a priority and I make no effort from prevented anyone from using the wrong schemes. My only goals here are to make correct implementations which are easy to use.

Example usage

#!/usr/bin/env python2
from crypturd import encrypt,decrypt

# Input message and key are strings or arbitrary length
message = "Attack at dawn!"
key = "yKj3xBCBatVG1Q0gZ8ss2xbC4"

# Generate ciphertext from message and key
# Default symmetric key cipher is chacha20+poly1305
ciphertext = encrypt(message,key)

# Recover plaintext from ciphertext
plaintext = decrypt(ciphertext,key)

Default cipher suite

Symmetric key crypto MAC Key exchange Signature RNG
ChaCha20 Poly1305 ECDH (Ed25519) Manytimessig (custom) ChaCha20

Included ciphers

Symmetric key crypto MAC Key exchange Signature
RC4 (Weak) CBC-MAC (weak) RSA RSA
AES-256 (ECB/CBC/CTR) Poly1305 Manytimessig (custom)
ChaCha20 statelessig (custom)
Padding Random Number generator Hash
Null Padding RC4 (weak) MD4 (Weak)
PKCS7 MT19937 (weak) SHA1 (Weak)
AES-128-CTR SHA256


This is a single man project, nobody except the author has reviewed this code.


Based on input/output all primitives are implemented correctly. However this does not necessarily exclude the possibility of side-channel attacks.

Some primitives included in this library easily broken, do not use them for anything you care about. The default hash function, random number generator and symmetric key cipher are chosen to be secure. If in doubt, use the defaults (as specified in

Side channel attacks

The current AES implementation can leak its internal state due to timing differences in lookup tables between recently and non-recently accessed values.

ChaCha20 is immune to side-channel attack when implemented correctly. On 64-bit machines the ChaCha20 in this library is not vulnerable to side-channel attacks. However on 32-bit cpu python may treat number in the range 2^31 - 2^32 as bignums, allowing for side-channel attacks.

Technical notes

Due to differences in string formatting in python2 and python3, this library only work with python2.

Error messages are hidden by default to prevent leakage of data. To get accurate exception handling add the following line to your code.

crypturd.common.DEBUG = True

Key derivation

For easy use all cipher can be used with arbitrary size user keys that are converted to appropriately sized keys

  • Keys that are shorter than expected are padded with null bytes
  • Strings of the correct size are use exactly
  • hex formated string of the correct size are used exactly
  • Otherwise, the input string is hashed using sha256 (and truncated for 128-bit keys)

The following keys are all treated as if they were identical

  • "yellow submarine"
  • "yellow submarine\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
  • "79656c6c6f77207375626d6172696e6500000000000000000000000000000000"

Nonce generation

The generation of nonces in this library relies on os.urandom(). On common Gnu/Linux distribution (Debian/Ubuntu/Red Hat/Gentoo/Arch/SuSe etc) and BSD systems (OpenBSD,FreeBSD) I can confirm that this functionality is implemented correctly.

On other popular systems (Microsoft Windows, Apple Mac OS and other proprietary systems), I cannot assure that nonces are generated securely.

Ciphertext structure

The general structure of all authenticated ciphers is as follows

(IV or nonce) || (Ciphertext) || MAC

For Chacha20 the format is

96-bit nonce (for both ciphertext and MAC) || Ciphertext || Poly1305 MAC (128 bits)

For most modes AES the format is

128-bit IV (for ciphertext) || Ciphertext || SHA256-MAC (256 bits)

AES-128-ECB and AES-256-ECB do not use Initialization vectors or message authentication codes.

Plaintexts in AES-ECB and AES-CBC are padded using PKCS7.