Package zeroecho.core.alg.sphincsplus


package zeroecho.core.alg.sphincsplus
SPHINCS+ post-quantum signature integration.

This package wires the SPHINCS+ stateless hash-based signature scheme into the core. It provides the algorithm descriptor, a streaming signature context that adapts JCA engines, key-pair generation facilities, and encoded key specifications for import and export. Provider-specific details are encapsulated behind small factories while roles and metadata remain explicit to higher layers.

Scope and responsibilities

  • Register a canonical SPHINCS+ algorithm and declare the SIGN and VERIFY roles.
  • Offer a streaming signature context with a fixed tag length determined by the key's parameter set.
  • Provide key builders for generating new key pairs and for importing encoded public and private keys.
  • Expose immutable key specification types that defensively copy sensitive material and support compact marshalling.

Components

  • SphincsPlusAlgorithm: algorithm descriptor that binds roles to the signature context and registers builders and specs.
  • SphincsPlusSignatureContext: streaming sign/verify context; determines fixed signature size from the key's parameter set.
  • SphincsPlusKeyGenBuilder and SphincsPlusKeyGenSpec: generator and specification for producing key pairs with selected variants.
  • SphincsPlusPublicKeyBuilder / SphincsPlusPrivateKeyBuilder: importers backed by JCA key factories.
  • SphincsPlusPublicKeySpec / SphincsPlusPrivateKeySpec: immutable wrappers over X.509 and PKCS#8 encodings with marshalling helpers.

Design notes

  • Algorithm descriptors are immutable and safe to share; signature contexts are stateful and not thread-safe.
  • Key specification classes never expose internal byte arrays; cloning is used on input and output.
  • Marshalling helpers use a compact key-value form intended for configuration, transport, and tests.
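
The defensive-copy rule from the design notes, shown as an added Java example that is not the project's own code. The class name `DemoPublicKeySpec`, the `x509.b64=` key-value form and the sample bytes are assumptions made for illustration; only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

/** Hypothetical immutable wrapper over an X.509 encoding (illustration only). */
public final class DemoPublicKeySpec {
    private static final String PREFIX = "x509.b64="; // assumed key-value form
    private final byte[] encoded;                      // never handed out directly

    public DemoPublicKeySpec(byte[] x509) {
        if (x509 == null || x509.length == 0) throw new IllegalArgumentException("empty encoding");
        this.encoded = x509.clone();                   // copy on input: caller may reuse or wipe its array
    }

    public byte[] encoded() { return encoded.clone(); } // copy on output: callers cannot mutate our state

    public X509EncodedKeySpec toJcaSpec() { return new X509EncodedKeySpec(encoded); } // JCA spec copies again

    public String marshal() { return PREFIX + Base64.getEncoder().encodeToString(encoded); }

    public static DemoPublicKeySpec unmarshal(String line) {
        if (line == null || !line.startsWith(PREFIX)) {
            throw new IllegalArgumentException("expected " + PREFIX + "<base64>");
        }
        return new DemoPublicKeySpec(Base64.getDecoder().decode(line.substring(PREFIX.length())));
    }

    @Override public String toString() {               // length only, so key bytes never reach logs
        return "DemoPublicKeySpec[" + encoded.length + " bytes]";
    }

    public static void main(String[] args) {
        byte[] input = "constructed-sample-bytes".getBytes(StandardCharsets.US_ASCII); // constructed, not a real key
        byte[] expected = input.clone();
        DemoPublicKeySpec spec = new DemoPublicKeySpec(input);
        Arrays.fill(input, (byte) 0);                  // caller wipes its own buffer
        spec.encoded()[0] ^= 0x7f;                     // caller tampers with a returned copy
        DemoPublicKeySpec back = unmarshal(spec.marshal());
        System.out.println(spec + " unchanged after wipe, tamper and round trip: "
                + MessageDigest.isEqual(expected, back.encoded()));
    }
}
```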

Since: 1.0