ZeroEcho API

ZeroEcho Library

ZeroEcho is a layered cryptography library delivered as the lib module. It exposes a minimal core of cryptographic primitives and a higher-level SDK of composition tools. The design favors clear separation of responsibilities, safe defaults, and extensibility for future algorithms and pipelines.

Registered cryptographic algorithms

Table of registered cryptographic algorithms with grouped columns for families and key usages.

  • Family columns: AGREEMENT, ASYMMETRIC, DIGEST, KEM, SYMMETRIC
  • Key usage columns: AGREEMENT, DECAPSULATE, DECRYPT, DIGEST, ENCAPSULATE, ENCRYPT, MAC, SIGN, VERIFY

| Algorithm ID | Display Name | Default spec |
|---|---|---|
| AES | AES (CBC/GCM/CTR) | AES-GCM(tag=128); VoidSpec |
| BIKE | BIKE | VoidSpec |
| CHACHA20 | ChaCha20 (stream) | ChaCha20(counter=1); VoidSpec |
| CHACHA20-POLY1305 | ChaCha20-Poly1305 (AEAD) | ChaCha20-Poly1305(tag=128); VoidSpec |
| CMCE | Classic McEliece (CMCE) | VoidSpec |
| DH | DH | rfc7919_ffdhe2048 |
| DIGEST | SHA-2/SHA-3/SHAKE | SHA-256 |
| ECDH | ECDH | secp256r1 |
| ECDSA | ECDSA | secp256r1 |
| Ed25519 | Ed25519 | VoidSpec |
| Ed448 | Ed448 | VoidSpec |
| ElGamal | ElGamal | PKCS1Padding |
| Frodo | FrodoKEM | VoidSpec |
| HMAC | HMAC (generic) | HmacSHA256 |
| HQC | HQC | VoidSpec |
| ML-KEM | Kyber (ML-KEM) | VoidSpec |
| NTRU | NTRU (KEM) | VoidSpec |
| NTRULPRime | NTRU LPRime | VoidSpec |
| RSA | RSA | OAEP(SHA256); PSS(SHA256,salt=32) |
| SABER | SABER | VoidSpec |
| SNTRUPrime | SNTRU Prime | VoidSpec |
| SPHINCS+ | SPHINCSPLUS | VoidSpec |
| Xdh | Xdh | X25519 |

Layering

  • Core (zeroecho.core): low-level cryptographic engine. This includes algorithm definitions, stateful contexts, registry and metadata, specification and SPI contracts, and selected helpers required by algorithms (e.g., I/O, marshalling, tagging, auditing, policies).
  • SDK (zeroecho.sdk): developer-facing composition layer built on the core. It provides content abstractions, fluent builders (both generic and per-algorithm), utilities for multi-recipient or composed flows, and supporting helpers used by those builders.

Package map (lib)

  • zeroecho.core
    • alg: concrete algorithms and small shared helpers used by algorithms.
    • context: stateful operation interfaces (encryption, signatures, digests, MAC, agreement, KEM, and related variants).
    • spec / spi: specification objects and construction/factory contracts.
    • policy / audit / err / annotation: cross-cutting concerns within the core.
    • io / marshal / tag: helpers used by algorithms and contexts at runtime.
    • (root): provider/registry surface and core metadata.
  • zeroecho.sdk
    • content: content abstractions, basic implementations, and export facilities.
    • builders: composition APIs, including generic builders and per-algorithm builders.
    • guard: utilities for multi-recipient and other composed workflows.
    • io / logging: supporting helpers used by the SDK layer and applications.

Design principles

  • Stratification: the core remains focused on algorithms and correctness; the SDK focuses on developer ergonomics and composition.
  • Composability: data flows are constructed through builders and content abstractions with predictable, chainable behavior.
  • Extensibility: new algorithms, formats, and flows can be added with minimal impact on existing code.
  • Safety: role-based binding and policy checks promote safe defaults and clear intent.

Intended use

Third-party applications depend on the lib module. Most integrations work at the SDK layer to compose data pipelines, while the core layer provides the cryptographic foundation and guarantees. The project’s structure and documentation aim to make entry points, responsibilities, and extension points explicit.

Packages
  • Core cryptography engine and registry for ZeroEcho.
  • Concrete cryptographic algorithms and small helpers used by algorithms.
  • AES algorithm implementation and runtime wiring.
  • BIKE post-quantum key encapsulation and related utilities.
  • ChaCha algorithm implementation and runtime wiring.
  • Classic McEliece (CMCE) KEM integration and utilities.
  • Adapters and generic contexts for key agreement built on the core SPI.
  • EdDSA (Edwards-curve Digital Signature Algorithm) key builders and contexts.
  • Streaming signature contexts and helpers that adapt JCA Signature to a pull-based pipeline.
  • Diffie-Hellman (DH) algorithm integration.
  • Digest algorithms (SHA-2, SHA-3, SHAKE) and their streaming contexts.
  • Elliptic Curve Diffie-Hellman (ECDH) key agreement integration.
  • Elliptic Curve Digital Signature Algorithm (ECDSA) integration.
  • Ed25519 digital signature integration.
  • Ed448 digital signature integration.
  • ElGamal asymmetric encryption integration.
  • FrodoKEM post-quantum key encapsulation integration.
  • HMAC algorithms, streaming MAC contexts, and key specifications.
  • HQC post-quantum key encapsulation integration.
  • Kyber (ML-KEM) post-quantum key encapsulation integration.
  • NTRU post-quantum key encapsulation integration.
  • NTRU Prime family key encapsulation mechanisms and related utilities.
  • RSA encryption and signature integration.
  • SABER post-quantum key encapsulation integration.
  • SPHINCS+ post-quantum signature integration.
  • XDH (X25519/X448) Diffie-Hellman key agreement integration.
  • Provides metadata contracts and annotations for cryptographic algorithms and specifications.
  • Auditing utilities for cryptographic contexts, including event contracts and a JUL-backed listener.
  • Abstractions for cryptographic operation contexts.
  • Exception types used by the core to signal configuration errors and unexpected provider failures.
  • I/O helpers for block-based transforms, passthrough processing, and tail handling.
  • Marshalling utilities and conventions for compact, human-readable representations.
  • Policy enforcement for algorithms, keys, and specifications.
  • Specifications for keys and per-operation parameters.
  • Service Provider Interfaces (SPI) for extending ZeroEcho with custom cryptographic algorithms and key builders.
  • Human-editable key storage persisted in a compact UTF-8 text format.
  • Streaming tag computation and verification for digests, MACs, and digital signatures.
  • General-purpose helper classes and utility routines.
  • Provides lightweight logging utilities and configuration helpers for Java Util Logging (JUL).
  • Builders for composing streaming data-content pipelines across core sources and algorithm-specific stages.
  • Streaming cryptographic builders for symmetric encryption, signatures, MACs, digests, and KEM envelopes.
  • Core builders for composing streaming DataContent pipelines and plain sources.
  • Content abstractions for streaming data in the SDK.
  • Built-in plain content sources: bytes, strings, files, and passwords.
  • Export helpers and platform deployers for SDK content.
  • Multi-recipient envelope for symmetric payloads with pluggable recipients, stateless openers, and a compact header.
  • Helpers for generating pseudo-random cover text using character frequency tables.
  • Covert data embedding and extraction using JPEG EXIF metadata.
  • Steganographic integrations for ZeroEcho SDK.
  • Stream utilities for SDK pipelines.
  • Utility helpers for provider setup, key derivation, randomness, encoding, and X.509 handling.