Cutting-edge Encryption Algorithm
OTTO combines AES‑256‑GCM with an HKDF key schedule, Argon2id password hardening, optional X25519 end‑to‑end mode, and a robust chunked streaming layout.
Security note: OTTO’s construction is new; obtain an independent cryptographic review before production use.
HEADER = [ magic:"OTTO1" | algo:0xA1 | kdf | flags | 0x00 | hlen | HVAR ]
HVAR = file_salt | (pw_salt + ops + mem) | (eph_pubkey)
CHUNK i = [ clen(u32) | ciphertext | tag(16) ]
enc_key = HKDF(master, 32, info="OTTO-ENC-KEY", salt=file_salt)
nonce_key = HKDF(master, 32, info="OTTO-NONCE-KEY", salt=file_salt)
nonce_i = HKDF(nonce_key, 12, info="OTTO-CHUNK-NONCE" || counter64be)
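The key schedule above, worked through as an added Python example (not code from the OTTO SDKs), showing which (key, nonce) pair AES-256-GCM receives for each chunk. Assumptions not stated on the page: HKDF is RFC 5869 with SHA-256, the nonce step uses an empty salt, and the chunk counter starts at 0; `chunk_pairs` and the sample inputs are hypothetical.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256  # assumption: the page does not name the HKDF hash

def hkdf(ikm: bytes, length: int, info: bytes, salt: bytes = b"") -> bytes:
    """HKDF extract-then-expand as defined in RFC 5869."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output too long")
    prk = hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        okm += block
        i += 1
    return okm[:length]

def key_schedule(master: bytes, file_salt: bytes):
    """enc_key and nonce_key with the info labels given on the page."""
    enc_key = hkdf(master, 32, b"OTTO-ENC-KEY", file_salt)
    nonce_key = hkdf(master, 32, b"OTTO-NONCE-KEY", file_salt)
    return enc_key, nonce_key

def chunk_nonce(nonce_key: bytes, counter: int) -> bytes:
    """nonce_i = HKDF(nonce_key, 12, "OTTO-CHUNK-NONCE" || counter64be)."""
    if not 0 <= counter < 2**64:
        raise ValueError("chunk counter must fit in 64 bits")
    return hkdf(nonce_key, 12, b"OTTO-CHUNK-NONCE" + struct.pack(">Q", counter))

def chunk_pairs(master: bytes, file_salt: bytes, n: int):
    """Hypothetical helper: the (key, nonce) pair used for each of n chunks."""
    enc_key, nonce_key = key_schedule(master, file_salt)
    return [(enc_key, chunk_nonce(nonce_key, i)) for i in range(n)]

# Constructed sample inputs, not real key material.
MASTER = bytes(range(32))
SALT_A = b"A" * 16
SALT_B = b"B" * 16

if __name__ == "__main__":
    a = chunk_pairs(MASTER, SALT_A, 4)
    # Within one file every chunk gets a distinct nonce under the same key.
    print(len({nonce for _, nonce in a}) == 4)
    # Every pair is a function of (master, file_salt, counter) only: repeating
    # file_salt under one master repeats every pair, so it must be fresh per file.
    print(a == chunk_pairs(MASTER, SALT_A, 4))
    print(set(a).isdisjoint(chunk_pairs(MASTER, SALT_B, 4)))
```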
Download SDK
All SDKs share the exact same header and streaming format. Encrypt in one, decrypt in another.
Why OTTO Algorithm?
- Cross‑language, one format. Identical header + streaming layout in PHP, JS, Python, .NET, Java/Android, Swift, and Flutter.
- Stream big media safely. Chunked AEAD with per‑chunk tags for video/audio; constant memory and resumable processing.
- Nonce misuse resistance. Deterministic HKDF‑SIV‑style nonces derived from a counter — no random nonces to manage.
- Password or E2E. Argon2id for passphrases or X25519 for end‑to‑end sessions; raw 32‑byte keys also supported.
- AAD‑bound metadata. The full header is AEAD Associated Data, tying algorithm/KDF params and (for E2E) the sender’s ephemeral key to the ciphertext.
magic:"OTTO1" | algo_id:0xA1 | kdf_id | flags | 0x00 | header_len
HVAR: file_salt | (pw_salt + opslimit + memlimitKiB) | (eph_pubkey)
Note: OTTO is a new composition of established primitives. Get an independent security review before production use.
Technical documentation
Read the full specification, wire format, header fields, key schedule, threat model, and interoperability checklist in the OTTO repository.