
PQC Glossary

Post-Quantum Cryptography (PQC) is a rapidly evolving and complex field. New algorithms are being standardized, others are being retired, and fresh terminology and migration strategies appear regularly. For engineers and security professionals who do not work with PQC every day, it can be difficult to keep up.

This glossary provides short, accessible explanations of the most important concepts, algorithms, and standards in the PQC landscape.

Term

Description

Post-Quantum Cryptography (PQC)

Cryptography designed to withstand attacks from quantum computers, i.e., algorithms whose security is believed not to be broken by known quantum algorithms. PQC covers multiple algorithm families (lattice-, hash-, code-, multivariate-, isogeny-based) and the standardization efforts led by NIST.

Quantum Computer

A computer that uses specific quantum effects to perform calculations, in contrast to classic computers that use Boolean algebra and “bits”. A quantum computer cannot run normal computer programs; it only runs specific quantum algorithms.

Shor’s Algorithm

A quantum algorithm designed to run on a quantum computer. Shor’s algorithm can theoretically be used to break classic asymmetric algorithms if a capable enough quantum computer becomes available.

Quantum bit (Qubit)

A qubit is the unit of information in a quantum computer, similar to a binary bit in classic computers. However, measuring the capacity of a quantum computer in qubits is not straightforward, since physical qubits and logical qubits differ, depending on the level of error correction applied.

Harvest now - Decrypt later

The threat posed by an actor recording traffic encrypted with classic algorithms in the hope of being able to decrypt it once a powerful enough quantum computer is accessible. See also the Keyfactor blog post “Harvest Now, Decrypt Later: A New Form of Attack”.

FIPS PUB 204

Official NIST FIPS standard document for the ML-DSA signature algorithm.

FIPS PUB 203

Official NIST FIPS standard document for the ML-KEM key encapsulation mechanism.

FIPS PUB 205

Official NIST FIPS standard document for the SLH-DSA signature algorithm.

FIPS PUB 206

Expected NIST FIPS standard document for the FN-DSA signature algorithm.

Module-Lattice-Based Digital Signature Algorithm (ML-DSA)

ML-DSA - derived from the PQC competition algorithm CRYSTALS-DILITHIUM.

Stateless Hash-based Digital Signature Algorithm (SLH-DSA)

SLH-DSA - derived from the PQC competition algorithm SPHINCS+.

Module-Lattice-based Key-Encapsulation Mechanism (ML-KEM)

ML-KEM - derived from the PQC competition algorithm CRYSTALS-KYBER.

Falcon

Draft signature algorithm that will be standardized (with modifications) as FN-DSA.

Fast-Fourier Transform-over-NTRU-lattice-based Digital Signature Algorithm (FN-DSA)

FN-DSA - derived from the PQC competition algorithm Falcon.

Classic McEliece

A code-based Key Encapsulation Mechanism - Round 3 PQC Competition submission, subsequently adopted by BSI in BSI TR-02102-1.

Frodo KEM

A lattice-based Key Encapsulation Mechanism - Round 3 PQC Competition submission, subsequently adopted by BSI in BSI TR-02102-1 (category 3 and 5 parameter sets only).

Hamming Quasi-Cyclic (HQC)

HQC is a code-based KEM selected by NIST to be standardized in 2027.

N-th degree Truncated polynomial Ring Units (NTRU)

A lattice-based post-quantum crypto system. When seeing NTRU today, it most often refers to one of the KEM algorithm variants of the crypto system.

Key Encapsulation Mechanism (KEM)

A public-key mechanism that allows a sender to generate a secret key together with an encrypted payload (the encapsulation), which the holder of the corresponding private key can use to recover the same secret key.

PQC Competition

NIST conducted a competition on PQC from 2016 to 2025 to find algorithms suitable for use in Post-Quantum Cryptography.

Composite Signature

A signature composed of the combination of a classic and a quantum-safe algorithm. To verify the signature, verification of both the classic part and the quantum-safe part must succeed.

Composite Key

A key composed of the combination of a classic and a quantum-safe algorithm. Used to produce composite signatures, or composite key exchange.

X.509 Alternative keys and signatures

Also known as Catalyst or Chimera. A type of backward-compatible hybrid certificate format that is standardized by ITU-T in X.509.

Hybrid Certificate

A certificate that typically contains two public keys and two signatures, one being a classic algorithm (RSA or EC) and the other being a quantum-safe algorithm. Examples of different hybrid certificate formats are X.509 alternative, Composite and Delta.

Composite Certificate

A specific type of hybrid certificate that uses Composite keys and signatures. IETF: draft-ietf-lamps-pq-composite-sigs.

Delta Certificate

A specific type of hybrid certificate specified in an IETF draft. A delta certificate can be split into two certificates, which can each be processed as a normal certificate. Standardized in X.509 2019.

External μ (External Mu)

A “pre-hash” style mechanism which can be used with an appropriately configured version of ML-DSA to allow for the ML-DSA μ value to be calculated separately from the signature calculation. Useful where the message size makes passing the whole message to a signature service impossible or prohibitively expensive.
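To make the mechanism concrete, here is an added example (not code from the page or from Keyfactor) that computes the ML-DSA μ value for “pure” ML-DSA following the message formatting of FIPS 204: tr = SHAKE256(pk, 64), M' = 0x00 || len(ctx) || ctx || M, μ = SHAKE256(tr || M', 64). The public key, message and context bytes are constructed placeholders, and the streaming variant assumes the caller can feed the message in chunks.

```python
import hashlib

# Constructed sample inputs (not real ML-DSA key material): the public key is
# only hashed here, so any byte string serves to demonstrate the layout.
SAMPLE_PK = bytes(range(256)) * 5                  # stand-in for an ML-DSA public key
SAMPLE_MSG = b"large firmware image payload ..."   # constructed message
SAMPLE_CTX = b"firmware-signing-v1"                # constructed context string


def public_key_hash(pk: bytes) -> bytes:
    """tr = SHAKE256(pk, 64 bytes): the public-key hash that FIPS 204 stores in
    the private key and binds into every signature."""
    return hashlib.shake_256(pk).digest(64)


def format_message(msg: bytes, ctx: bytes = b"") -> bytes:
    """M' for pure ML-DSA: 0x00 || len(ctx) || ctx || msg.
    The leading 0x00 separates pure signing from pre-hashed (HashML-DSA) signing."""
    if len(ctx) > 255:
        raise ValueError("ML-DSA context string must be at most 255 bytes")
    return b"\x00" + bytes([len(ctx)]) + ctx + msg


def external_mu(pk: bytes, msg: bytes, ctx: bytes = b"") -> bytes:
    """mu = SHAKE256(tr || M', 64 bytes): the value a client computes locally
    and hands to the signing service instead of the whole message."""
    tr = public_key_hash(pk)
    return hashlib.shake_256(tr + format_message(msg, ctx)).digest(64)


def external_mu_streaming(pk: bytes, chunks, ctx: bytes = b"") -> bytes:
    """Same mu, but absorbs the message chunk by chunk, so a very large file
    never has to be held in memory or shipped to the signing service."""
    h = hashlib.shake_256()
    h.update(public_key_hash(pk))
    h.update(format_message(b"", ctx))  # domain byte, ctx length and ctx only
    for chunk in chunks:
        h.update(chunk)
    return h.digest(64)


if __name__ == "__main__":
    print(external_mu(SAMPLE_PK, SAMPLE_MSG, SAMPLE_CTX).hex())
```

Because μ already binds the public key, the signing service cannot be handed a μ for one key and asked to sign it under another without the resulting signature failing verification.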

Lattice-based cryptography

Lattice-based schemes rely on problems that resist both classical and quantum attacks, making them prime candidates for post-quantum security. Kyber (ML-KEM) and Dilithium (ML-DSA) are lattice-based schemes.

Stateless Signatures

Signatures where the private key is stateless, meaning that any copy of the private key can be reused to make several signatures, even in parallel in different locations, without compromising the security of the signatures.

Stateful Signatures

Signatures where the private key needs to maintain state to preserve security. The typical use is Stateful Hash-Based Signatures (SHBS).

Hash-based signatures

Signature algorithms based on hash functions. The two most well-known stateful examples are Leighton-Micali Signature (LMS) and eXtended Merkle Signature Scheme (XMSS); SLH-DSA is the stateless variant.
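To show why the private key of a stateful hash-based scheme must carry state (the Stateless Signatures, Stateful Signatures and Hash-based signatures entries above), here is an added, simplified one-time-signature construction with a stateful wrapper. It is example code written for this glossary, not LMS, XMSS or any Keyfactor implementation, and it uses a plain Lamport-style one-time key in place of the one-time signatures those schemes build on.

```python
import hashlib
import secrets

N, BITS = 32, 256  # secret size in bytes; one secret pair per digest bit

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def ots_keygen():
    """One-time key: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1

def ots_sign(sk, msg: bytes):
    """Reveal, for each digest bit, the matching secret; every use leaks half the key."""
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(BITS)]

def ots_verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(BITS))

def revealed_fraction(sigs) -> float:
    """Fraction of the 512 secrets exposed across signatures: one signature exposes
    half, a second one on a different message exposes more. Tracking which one-time
    key has already been used (the 'state') is what prevents this in a stateful scheme."""
    return len({s for sig in sigs for s in sig}) / (2 * BITS)

class StatefulSigner:
    """Many-time key: a list of one-time keys plus a next-unused-leaf counter.
    The counter is the state that must be persisted before a signature is released."""

    def __init__(self, leaves: int):
        self.keys = [ots_keygen() for _ in range(leaves)]
        self.next_leaf = 0  # persisted state: index of the next unused one-time key

    def public_keys(self):
        return [pk for _, pk in self.keys]

    def sign(self, msg: bytes):
        if self.next_leaf >= len(self.keys):
            raise RuntimeError("all one-time keys consumed; the key is exhausted")
        idx = self.next_leaf
        self.next_leaf += 1  # advance state before handing out the signature
        return idx, ots_sign(self.keys[idx][0], msg)
```

A copy of the signer that does not share the counter would reuse a leaf, which is exactly the failure mode that makes stateful keys unsuitable for casual backup or parallel use, and why SP 800-208 ties them to an HSM.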

SP 800-208

NIST requirements for using stateful hash-based signatures in a secure way. Among other things, it requires using a hardware security module for compliant usage.

Proof of Possession (POP)

A mechanism, implemented in several technical ways, for proving that the sender of a CSR possesses the private key matching the public key in the CSR. The most common way is a self-signature on a PKCS#10 CSR: the recipient verifies the self-signature, and whoever created the CSR must have held the corresponding private key in order to produce it.

Certificate Signing Request (CSR)

A message sent from a client to a Certificate Authority (CA) requesting that the CA issue a certificate using information from the CSR; at a minimum, the CA uses the public key from the CSR. There are different standardized formats for CSRs, the most common being PKCS#10 (RFC 2986) and CRMF (RFC 4211).

Key Derivation Function (KDF)

An algorithm that takes a secret and other shared input and can be used to produce the bits required for creating a secret key or a public/private key pair. Often used in conjunction with a KEM.

INDistinguishability under Chosen Plaintext Attack (IND-CPA)

IND-CPA - a party that can obtain encryptions of plaintext messages of its choice is still unable to tell which of two chosen messages a given ciphertext encrypts.

Indistinguishability under Chosen Ciphertext Attack 1 (IND-CCA1)

IND-CCA1 - a party can have some number of other ciphertexts decrypted (and plaintexts encrypted) before receiving the ciphertext of interest, and is still unable to recover or recognize its plaintext.

Indistinguishability under adaptive Chosen Ciphertext Attack 2 (IND-CCA2)

IND-CCA2 is similar to IND-CCA1, but the guessing party may additionally submit further ciphertexts (any except the ciphertext of interest itself) to a decryption service after receiving the ciphertext of interest, and is still unable to determine its plaintext.

Existential Unforgeability under Chosen Message (EUF-CMA)

EUF-CMA is a standard security property for digital signature schemes, meaning an attacker cannot create a valid signature for a new message that was not previously signed by the legitimate signer.

Strong Existential Unforgeability under Chosen Message Attack (SUF-CMA)

SUF-CMA is a stronger property than EUF-CMA: the adversary cannot produce a new valid signature for a message even if they already hold a valid signature for that exact message.

PKCS#11

A standard for using hardware security modules (HSMs). Version 3.2 of the standard (currently in draft) includes ML-DSA, ML-KEM, and SLH-DSA.

Related Content

To learn more about how to get ready for PQC, see Post-Quantum Cryptography (PQC) Readiness.

To explore PQC resources, webinars, eBooks, blogs, and more, go to Keyfactor PQC Lab.
