Skip to main content

Charm: a framework for rapidly prototyping cryptosystems


We describe Charm, an extensible framework for rapidly prototyping cryptographic systems. Charm provides a number of features that explicitly support the development of new protocols, including support for modular composition of cryptographic building blocks, infrastructure for developing interactive protocols, and an extensive library of re-usable code. Our framework also provides a series of specialized tools that enable different cryptosystems to interoperate. We implemented over 40 cryptographic schemes using Charm, including some new ones that, to our knowledge, have never been built in practice. This paper describes our modular architecture, which includes a built-in benchmarking module to compare the performance of Charm primitives to existing C implementations. We show that in many cases our techniques result in an order of magnitude decrease in code size, while inducing an acceptable performance impact. Lastly, the Charm framework is freely available to the research community and to date, we have developed a large, active user base.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7


  1. Project webpage:

  2. A dedicated module to support lattice-based cryptography is in preparation for a future release.

  3. Nor are we the first to import cryptographic operations into Python. See, for example, [37, 71].

  4. It is also well supported. Our experiments show that there have been significant performance improvements between Python 2.x and 3.x. Charm supports both versions for backwards compatibility with legacy applications.

  5. For consistency, group operations are always specified in multiplicative notation, thus \(*\) is used for EC point addition and \(**\) for point multiplication. This makes it easy to switch between group settings.

  6. For more scheme implementations, see

  7. In practice, we first compile to bytecode, then execute. This reduces overhead for proofs that will be conducted multiple times.

  8. Clearly the verifier does not have access to the secret variables. We address this later in this section.

  9. In some cases, evaluation of a scheme depends on the scheme’s public key.

  10. The value \(r\) is typically a large prime.

  11. On a call to encrypt or keygen the adapter simply hashes an arbitrary string into an element of \(\mathbb{Z }_r\), then passes the result to the underlying IBE scheme. This technique and its security implications are described in [17].

  12. Naor [40] observed that adaptively-secure IBE can be converted into a signature scheme by using the IBE key extraction algorithm for signing.







  1. The Advanced Crypto Software Collection.

  2. Acar, T., Belenkiy, M., Bellare, M., Cash, D.: Cryptographic agility and its relation to circular encryption. In: EUROCRYPT (2010)

  3. Acar, T., Fournet, C., Shumow, D.: Design and verication of a crypto-agile distributed key manager (2011)

  4. Akinyele, J.A., Green, M., Rubin, A.: Charm-crypto framework.

  5. Almeida, J.B., Bangerter, E., Barbosa, M., Krenn, S., Sadeghi, A.-R., Schneider, T.A.: Certifying compiler for zero-knowledge proofs of knowledge based on \(\Sigma \)-protocols. In: Proceedings of the 15th European conference on Research in Computer Security, ESORICS, pp. 151–167. Springer, Berlin (2010)

  6. Aranha, D.F., Gouvêa, C.P.L.: RELIC is an efficient library for cryptography.

  7. Ateniese, G., de Medeiros, B.: On the key exposure problem in chameleon hashes. In: SCN. LNCS vol. 3352, pp. 165–179. Springer, Berlin (2004)

  8. Bangerter, E., Barzan, S., Sadeghi, A., Schneider, T., Tsay, J.: Bringing zero-knowledge proofs of knowledge to practice. In: 17th International Workshop on Security Protocols (2009)

  9. Bangerter, E., Camenisch, J., Krenn, S., Sadeghi, A.-R., Schneider, T.: Automatic generation of sound zero-knowledge protocols. Cryptology ePrint Archive, Report 2008/471 (2008).

  10. Bellare, M., Rogaway, P.: Optimal asymmetric encryption padding—how to encrypt with rsa. In: EUROCRYPT, pp. 92–111 (1994)

  11. Bellare, M., Rogaway, P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer, U (ed.) EUROCRYPT. LNCS, vol. 1070. Springer, Berlin (1996)

  12. Bernstein, D.J., Lange, T., Schwabe, P.: The security impact of a new cryptographic library. In: Hevia, A., Neven, G. (eds.) Progress in cryptology—LATINCRYPT. Lecture Notes in Computer Science. Springer, Berlin (2012, to appear). Document ID: 5f6fc69cc5a319aecba43760c56fab04,

  13. Bethencourt, J.: Libpaillier (2006)

  14. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pp. 321–334. IEEE Computer Society, New York (2007)

  15. Bethencourt, J., Song, D., Waters, B.: Analysis-resistant malware. In: NDSS (2008)

  16. Blakley, G., Chaum, D., ElGamal, T.: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, vol. 196, pp. 10–18. Springer, Berlin (1985)

  17. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT. LNCS, vol. 3027, pp. 223–238 (2004)

  18. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: CRYPTO. LNCS, vol. 3152, pp. 45–55 (2004)

  19. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil Pairing. In: CRYPTO. LNCS, vol. 2139, pp. 213–229 (2001)

  20. Boneh, D., Katz, J.: Improved efficiency for cca-secure cryptosystems built using identity based encryption. In: CT-RSA. LNCS, vol. 3376. Springer, Berlin (2005)

  21. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil Pairing. In: ASIACRYPT. LNCS, vol. 2248, pp. 514–532 (2001)

  22. Boyen, X.: Mesh signatures: how to leak a secret with unwitting and unwilling participants. In: EUROCRYPT. LNCS, vol. 4515, pp. 210–227. Springer, Berlin (2007)

  23. Brassard, G., Schnorr, C.: Efficient Identification and Signatures for Smart Cards, vol. 435, pp. 239–252. Springer, Berlin (1990)

  24. Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS, pp. 132–145. ACM, New York (2004)

  25. Camenisch, J., Groth, J.: Group signatures: better efficiency and new theoretical aspects. In: Blundo, C., Cimato, S. (eds.) Security in Communication Networks. Lecture Notes in Computer Science, vol. 3352, pp. 120–133. Springer, Berlin (2005)

  26. Camenisch, J., Hohenberger, S., Stergaard Pedersen, M.: Batch verification of short signatures. In: EUROCRYPT. LNCS, vol. 4515. Springer, Berlin, pp. 246–263 (2007)

  27. Camenisch, J., Kohlweiss, M., Rial, A., Sheedy, C.: Blind and anonymous identity-based encryption and authorised private searches on public key encrypted data. In: PKC, Irvine, pp. 196–214. Springer, Berlin (2009)

  28. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: EUROCRYPT. LNCS, vol. 2045, pp. 93–118. Springer, Berlin (2001)

  29. Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Proceedings of the 3rd International Conference on Security in Communication Networks, SCN, pp. 268–289. Springer, Berlin (2003)

  30. Camenisch, J., Lysyanskaya, A.: Signature Schemes and Anonymous Credentials from Bilinear Maps, pp. 56–72. Springer, Berlin (2004)

  31. Camenisch, J., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: EUROCRYPT. LNCS, vol. 4515, pp. 573–590 (2007)

  32. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: CRYPTO. LNCS, vol. 1296, pp. 410–424 (1997)

  33. Camenisch, J., Van Herreweghen, E.: Design and implementation of the idemix anonymous credential system. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS, pp. 21–30. ACM, New York (2002)

  34. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity based encryption. In: EUROCRYPT. LNCS, vol. 3027, pp. 207–222 (2004)

  35. Cha, J.C., Cheon, J.H.: An identity-based signature from gap Diffie-Hellman groups. In: PKC. LNCS, vol. 2139, pp. 18–30. Springer, Berlin (2003)

  36. Chow, S.S.M., Yiu, S.M., Hui, L.C.K.: Efficient identity based ring signature. In: Applied Crypto and Network Security—ACNS. LNCS, vol. 3531, pp. 499–512. Springer, Berlin (2005)

  37. Condra, G.: pypbc.

  38. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: CRYPTO, pp. 13–25. Springer, London (1998)

  39. Denis, T.S.: LibTomCrypt Project.

  40. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM J. Comput. 542–552 (2000)

  41. Dufour, M.: Shedskin (2009).

  42. El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Proceedings of Crypto, pp. 10–18 (1984)

  43. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: CRYPTO. LNCS, vol. 263, pp. 186–194 (1986)

  44. Freeman, D.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: EUROCRYPT, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 44–61 (2010)

  45. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC, pp. 169–178. ACM, New York (2009)

  46. GNU. The GNU Multiple Precision Arithmetic Library.

  47. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in np have zero-knowledge proof systems. J. ACM 38(3), 690–728 (1991)

    MathSciNet  Article  Google Scholar 

  48. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: EUROCRYPT. LNCS, vol. 4965, pp. 415–432. Springer, Berlin (2008)

  49. Henecka, W., Kögl, S., Sadeghi, A.-R., Schneider, T., Wehrenberg, I.: Tasty: tool for automating secure two-party computations. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS, pp. 451–462. ACM, New York (2010)

  50. Hess, F.: Efficient identity based signature schemes based on pairings. In: SAC, LNCS 2595, pp. 310–324. Springer, Berlin (2002)

  51. Hohenberger, S., Waters, B.: Realizing hash-and-sign signatures under standard assumptions. In: Advances in Cryptology—EUROCRYPT (2009)

  52. Hohenberger, S., Waters, B.: Constructing verifiable random functions with large input spaces. In: EUROCRYPT, 29th Annual International Conference on the Theory and Applications of Cryptographic, Techniques, pp. 656–672 (2010)

  53. Iovino, V., Persiano, G.: Hidden-vector encryption with groups of prime order. In: Proceedings of the 2nd International Conference on Pairing-Based Cryptography, Pairing ’08, pp. 75–88. Springer, Berlin (2008)

  54. Lacy, J.B.: CryptoLib: Cryptography in software. USENIX Security Conference IV, pp. 1–18 (1993)

  55. Laurie, B., Clifford, B.: The Stupid programming language. Source code available at

  56. Lewis, J.R., Martin, B.: CRYPTOL: High Assurance, Retargetable Crypto Development and Validation (2003).

  57. Lewko, A., Sahai, A., Waters, B.: Revocation systems with very small private keys. In: Proceedings of the IEEE Symposium on Security and Privacy, SP, pp. 273–285. IEEE Computer Society, Washington, DC (2010)

  58. Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Patterson, K.G. (ed.) EUROCRYPT. LNCS, vol. 6632, pp. 568–588. Springer, Berlin.

  59. Lewko, A.B.: Tools for simulating features of composite order bilinear groups in the prime order setting. IACR Cryptol. ePrint Archive 2011, 490 (2011)

  60. Litzenberger, D.C.: PyCrypto—The Python Cryptography Toolkit.

  61. Lynn, B.: The Stanford Pairing Based Crypto Library.

  62. Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay—a secure two-party computation system. In: Proceedings of the 13th USENIX Security Symposium, pp. 287–302. USENIX Association, Berkeley (2004)

  63. Meiklejohn, S., Erway, C.C., Küpçü, A., Hinkle, T., Lysyanskaya, A.: ZKPDL: a language-based system for efficient zero-knowledge proofs and electronic cash. In: Proceedings of the 19th USENIX Conference on Security, USENIX Security, pp. 13–13. USENIX Association, Berkeley (2010)

  64. Meiklejohn, S., Mowery, K., Checkoway, S., Shacham, H.: The phantom tollbooth: privacy-preserving electronic toll collection in the presence of driver collusion. In: Proceedings of the 20th USENIX conference on Security, SEC, pp. 32–32. USENIX Association, Berkeley (2011)

  65. NIST.: Digital Signature Standard (DSS). Federal Information Processing Standards Publication 186 (1994)

  66. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: CRYPTO. LNCS, vol. 576, pp. 129–140 (1992)

  67. Regev, O.: Lattice-based cryptography. In: Dwork, C. (ed.) Advances in Cryptology—CRYPTO 2006. Lecture Notes in Computer Science, vol. 4117, pp. 131–141 Springer Berlin Heidelberg (2006).

  68. Rouselakis, Y., Waters, B.: New constructions and proof methods for large universe attribute-based encryption. Cryptology ePrint Archive Report 2012/583 (2012)

  69. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: EUROCRYPT, pp. 457–473 (2005)

  70. Scott, M.: MIRACL library. Indigo Software.

  71. Stein, W., et al.: Sage Mathematics Software (Version 5.0.1). The Sage Development Team.

  72. Stern, J., Paillier, P.: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, vol. 1592, pp. 223–238. Springer, Berlin (1999)

  73. The OpenSSL Project. OpenSSL: The open source toolkit for SSL/TLS (2010).

  74. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full sha-1. In: Proceedings of Crypto, pp. 17–36. Springer, Berlin (2005)

  75. Wang, X., Yu, H.: How to break md5 and other hash functions. In: EUROCRYPT. Springer, Berlin (2005)

  76. Waters, B.: Efficient identity-based encryption without random oracles. In: EUROCRYPT. LNCS, vol. 3494, pp. 114–127 (2005)

  77. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. Cryptology ePrint Archive Report 2008/290 (2008).

  78. Waters, B.: Functional encryption for regular languages. In: Safavi-Naini, R., Canetti, R. (eds.) Advances in Cryptology CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, pp. 218–235. Springer, Berlin (2012)

  79. Wustrow, E., Wolchok, S., Goldberg, I., Halderman, J.A.: Telex: Anticensorship in the network infrastructure. In: Proceedings of the 20th USENIX Security Symposium (2011)

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Joseph A. Akinyele.



See Figs. 8, 9, 10, 11, 12, 13.

Fig. 8
figure 8

A working example of how the API is utilized in a C application to embed a hybrid encryption adapter (see Fig. 9b) for any CP-ABE scheme such as the BSW07 [14] scheme shown in Figs. 11 and 12. We provide several high-level functions that simplify using Charm schemes. In particular, the CallMethod() encapsulates several types of arguments to Python such as: %O for Charm objects, %s for ASCII strings, %A to convert into a Python list, and %b to a binary object

Fig. 9
figure 9

a The entire IBE to signature adapter scheme [19]. b A hybrid encryptor for ABE schemes in Charm

Fig. 10
figure 10

Keygen in the Cramer–Shoup scheme [38]. We exclude group parameter generation

Fig. 11
figure 11

Setup and Keygen in the Bethencourt, Sahai, and Waters scheme [14]. We exclude group parameter generation

Fig. 12
figure 12

Encryption and decryption in the Bethencourt, Sahai, and Waters ABE scheme [14]. The Charm toolbox provides several utility routines that are shared by different ABE schemes

Fig. 13
figure 13

CL signatures [30] are a useful building block for anonymous credential systems. We provide a full scheme description and Charm code, but exclude group parameter generation

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Akinyele, J.A., Garman, C., Miers, I. et al. Charm: a framework for rapidly prototyping cryptosystems. J Cryptogr Eng 3, 111–128 (2013).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI:


  • Applied cryptography
  • Protocols
  • Software
  • Privacy