Glossary
Every PQC term used by the playground. Search to filter; click "Defined in" to read the full concept card.
AES-256-GCM
AES with 256-bit keys in Galois/Counter Mode, providing authenticated encryption with associated data (AEAD).
Alternative signature
A second signature value (typically PQC) stored in an X.509 extension, computed over a defined view of the to-be-signed certificate.
Authenticated encryption
An encryption scheme that simultaneously provides confidentiality and integrity (e.g. AES-GCM).
Catalyst extension
A non-critical X.509 extension carrying a PQC subject public key or alt-signature inside an otherwise classical certificate.
Chain validation
The recursive verification process that walks issuer signatures from a leaf cert up to a known trust anchor.
CMS EnvelopedData
A CMS object that wraps an encrypted payload with one or more recipient-targeted key-wrap structures.
CMS SignedData
A CMS object that wraps a payload with one or more signer attestations, each verifiable against the signer's certificate.
Composite key
A key structure containing both a classical and a PQC public key in a defined ASN.1 sequence, used by Composite signatures.
Content encryption algorithm
The symmetric cipher used to encrypt the actual payload of a CMS EnvelopedData (typically AES-256-GCM).
CSR
Certificate Signing RequestA PKCS#10 object carrying a public key, a subject DN, and a self-signature proving possession of the matching private key.
Data Encryption Mechanism (DEM)
The symmetric primitive of a KEM-DEM construction; encrypts the payload using the key produced by the KEM.
Decapsulation
The KEM operation that recovers the shared secret from a KEM ciphertext using the recipient's private key.
Demo CA
The playground's pre-loaded Root + Intermediate CA used to sign issued certificates. Read-only and shared by every visitor.
Detached signature
A SignedData whose encapsulated content is omitted; the verifier must supply the original payload separately.
draft-ietf-lamps-pq-composite-sigs
The IETF LAMPS working group draft defining Composite signatures for X.509.
Encapsulation
The KEM operation that produces a (ciphertext, shared secret) pair against a recipient's public key. The ciphertext is sent; the shared secret is kept.
FIPS 204
NIST's standard for ML-DSA, finalized August 2024. Defines ML-DSA-44, ML-DSA-65, ML-DSA-87.
FIPS 205
NIST's standard for SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), finalized August 2024.
Harvest-now-decrypt-later
An adversary records encrypted traffic today, planning to decrypt it years later when a cryptographically relevant quantum computer exists.
Hash-based signature
A signature whose security rests only on cryptographic hash function assumptions, with no number-theoretic or lattice assumptions.
Hybrid signature
A construction combining a classical signature (e.g. ECDSA) and a PQC signature (e.g. ML-DSA) over the same data, for migration.
In-memory state
Server-side state held only in process RAM, never written to a database or disk volume. Disappears on restart.
Issuer signature algorithm
The algorithm the CA used to sign the certificate. Independent of the subject's key algorithm.
KEM
Key Encapsulation MechanismA primitive that establishes a shared symmetric key between a sender and a recipient using public-key cryptography. Cannot be used to sign.
KEM-DEM
Key Encapsulation Mechanism + Data Encapsulation MechanismA two-stage construction where a KEM transports a symmetric key and a DEM (e.g. AES-GCM) encrypts the actual payload.
Module-LWE
Module Learning With ErrorsA lattice-based hardness assumption over polynomial rings, generalizing LWE; the security foundation for ML-DSA and ML-KEM.
NIST PQC standardization
The 2016–2024 NIST process that selected ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) as the first PQC standards.
Parameter set
A named tuple of algorithm parameters (e.g. ML-DSA-65) trading key/signature size against security margin.
RecipientInfo
The per-recipient structure inside an EnvelopedData that carries the wrapped content-encryption key for that recipient.
Root CA
Root Certificate AuthorityA self-signed CA certificate that acts as the trust anchor for an issuance hierarchy.
Shor's algorithm
A quantum algorithm that factors integers and computes discrete logarithms in polynomial time, breaking RSA and ECDSA on a sufficiently large quantum computer.
Signed attributes
A set of attributes (digest, content type, signing time) included in a SignerInfo and signed together with the payload digest.
Stateless backend
A server that holds no per-request memory: every API call carries its own inputs and is processed in isolation.
Stateless signature
A signature scheme that does not require the signer to remember per-signature state. SLH-DSA is stateless; LMS / XMSS are not.
Strict mode (Composite)
Verification policy where both the classical and the PQC half of a composite signature must verify successfully.
Subject DN
Subject Distinguished NameThe hierarchical name (CN, O, C, …) identifying the holder of a certificate or the requester of a CSR.
Subject public key algorithm
The algorithm of the holder's public key in a certificate (e.g. ML-DSA-65). Independent of the issuer's signing algorithm.
Transition strategy
An operational pattern (Composite, Catalyst, dual-stack chains) that lets a PKI move from classical to PQC without breaking deployed verifiers.
Transitional mode (Composite)
Verification policy where either half of a composite signature is sufficient, with policy hints documenting the relaxation.
Trust anchor
A self-signed certificate the verifier already trusts, terminating the chain validation walk.
X.509 certificate
A CA-signed structure binding a subject identity to a public key, with validity dates and policy extensions.