All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- `sensitive` parameter for key generation functions returning :class:`KeyVault`-wrapped secrets by default.
- Documentation on zeroization guarantees and Python's memory limitations.
- `derive_pbkdf2` alias in `symmetric.kdf` (use `kdf_pbkdf2`; will be removed in v4.0.0).
- Legacy helpers `generate_rsa_keypair_and_save` and `generate_ec_keypair_and_save` (use `KeyManager` methods; will be removed in v4.0.0).
- Insecure ciphers `salsa20_encrypt`/`salsa20_decrypt` and experimental `ascon.encrypt`/`ascon.decrypt` (use `chacha20_encrypt`/`xchacha_encrypt` or authenticated ciphers like `aes_encrypt`).

These functions remain temporarily for backward compatibility but emit `DeprecationWarning` on use.
- Backend-Agnostic Core (Crypto Abstraction Layer)
- Pipeline DSL for Crypto Workflows
- Misuse-Resistant API (mypy plugin)
- Zeroization & Constant-Time Guarantees
- Formal Verification Export (ProVerif/Tamarin)
- Auto-Stub Generator for App Skeletons
- Rich Logging & Jupyter Widgets for Visualization
- HSM, YubiKey, PKCS#11, Cloud KMS Plugin Architecture
- Fuzzing Harness & Property-Based Testing
- Supply-Chain Attestation, SLSA, and Reproducible Builds
- Old helper modules removed in favor of the Pipeline API.
- Explicit backend selection required.
- New plugin system for hardware and cloud key managers.
- Stubs generator for application scaffolding.
- Documentation reorganized; see Migration Guide.
- Direct calls to legacy encrypt/decrypt helpers.
- Deprecated functions from the 2.x series.
- Strengthened zeroization and constant-time operations.
- Miscellaneous bugs resolved during refactor.
- Verified `signed_prekey` during X3DH session initiation for receiver-side validation.
- Improved one-time prekey usage in DH chain (X3DH).
- Added test cases for signed prekey verification and optional one-time prekey handling.
- Auto-padding for base32 secrets in OTP to prevent `Incorrect padding` error
- Improved handling of lowercase and unpadded OTP secrets
- Tests for real-world OTP misuse and malformed inputs
- SPAKE2 password-authenticated key exchange implementation.
- Signal Protocol messaging utilities.
- BLAKE3 and SHA3 hashing options.
- Command line interface tools.
- Post-quantum cryptography support via Kyber KEM and Dilithium signatures.
- Hybrid RSA/ECIES + AES-GCM encryption helpers.
- XChaCha20-Poly1305 stream cipher when available.
- Audit logging utilities for tracing cryptographic operations.
- `KeyVault` context manager for secure in-memory key handling.
- Major refactor into a modular package structure.
- Argon2id is now the default key derivation function.
- Test suite expanded to 100% coverage.
- `derive_pbkdf2` alias in `symmetric.kdf`. Use `kdf_pbkdf2` instead.
- Legacy `generate_rsa_keypair_and_save` helper. Use `KeyManager.generate_rsa_keypair_and_save`.
- Experimental ciphers `Salsa20` and `Ascon` are not exported via `__all__`.
- Argon2id Default: Password-based encryption now derives keys with Argon2id. Set `kdf="pbkdf2"` to retain the previous behavior.
- Package Layout: Modules reorganized into subpackages like `cryptography_suite.pqc` and `cryptography_suite.protocols`.
- Breaking Changes: Some helper functions return `bytes` when `raw_output=True` and new exceptions `MissingDependencyError` and `ProtocolError` are raised in edge cases.
- Comprehensive documentation and usage examples.
- Packaging metadata improvements and CI workflow updates.
- Extensive tests providing full coverage.
- Modules refined for better maintainability.
- Security best practices documented.
- Initial release with AES encryption, RSA key management, and SHA-384 hashing.
- PBKDF2 key derivation and secure key storage utilities.
- Basic example usage script and helper utilities.