crypto-condor is a tool for compliance testing of cryptographic primitives, in the form of a Python library and CLI. It is complemented by an extensive documentation, featuring guides on the primitives supported.
Q: What is a cryptographic primitive?
A: A low-level cryptographic algorithm, generally used to build a protocol. For example, AES is an encryption primitive that is used in the TLS protocol, which is the protocol your browser used to securely get this page.
Q: What is compliance testing?
A: Algorithms are described in specifications, such as FIPS publications or RFCs. When implementing these algorithms, we want to ensure that they comply with the specification, i.e. the implementation behaves as the algorithm described.
Q: How to test for compliance then?
A: We can use test vectors, which are sets of inputs and their corresponding outputs. For example, encrypting with AES is a deterministic operation: for a given key and message, AES will always return the same ciphertext. So we can choose some input values, run the algorithm, and record the value returned. All implementations of AES are then expected to return the same ciphertext for this given key and message. If it does not, then it is not compliant.
Q: And so, what does crypto-condor do?
A: crypto-condor provides both a nice Python API and a wrapper system to test implementations with sets of test vectors that come from sources such as the NIST CAVP.
The Python API exposes test functions that take an implementation as input, in the form of a Python function or class, passes the inputs defined by the test vectors to that implementation, and checks if the outputs are those defined by the vectors.
The wrappers are small programs that already define the function prototype. The user calls the implementation to test inside this function, and crypto-condor runs it with the test vectors as with the Python API.
And it comes with a documentation, wrapper examples, and guides on supported primitives.
crypto-condor requires Python 3.10+. For information, it is developed using Python 3.13 on Fedora 41.
The implementations of AES, ML-KEM, ML-DSA, and TestU01 are written in C and are compiled directly on the user's machine. As such, they require a C compiler (by default GCC on Linux and Clang on MacOS) and GNU Make. These primitives are only compiled when required, and not when installing the package:
encapsulate function.The compiler can be chosen by setting the CC environment variable on Linux. On
MacOS, only Clang has been confirmed to work.
It is available on PyPI:
python -m pip install crypto-condor
An up-to-date list of the requirements can be found in the
[tool.poetry.dependencies] section of the
pyproject.toml
file.
The documentation is available at https://quarkslab.github.io/crypto-condor/latest/index.html.
Once installed, the CLI is available as crypto-condor-cli. It is structured in
commands, similar to Git. Run it without arguments or with --help to display
the help message detailing the available subcommands. You can check the
documentation for
a quick rundown of all the commands.
As for the Python library, it is available as crypto_condor (note the
underscore). Each primitive has its own module under primitives, e.g.
crypto_condor.primitives.AES. It contains the functions used to test
implementations.
See CONTRIBUTING.
A changelog is available. This projects adheres to CalVer. The format used is YYYY.MM.DD[.MICRO][-MODIFIER]:
rc<n> to indicate a release candidate.Logo idea by Robin David, drawing by Irene Loayza.
FAQs
Compliance testing for implementations of cryptographic primitives
We found that crypto-condor demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
Product
Customize license detection with Socket’s new license overlays: gain control, reduce noise, and handle edge cases with precision.
Product
Socket now supports Rust and Cargo, offering package search for all users and experimental SBOM generation for enterprise projects.