Glossary
Terminology reference for post-quantum cryptography and AnkaSecure platform concepts.
Post-Quantum Cryptography Terms
AEAD (Authenticated Encryption with Associated Data) : Encryption mode that provides both confidentiality and authenticity. All symmetric encryption in AnkaSecure uses AEAD (AES-GCM, ChaCha20-Poly1305).
Classical Cryptography : Traditional cryptographic algorithms vulnerable to quantum computers (RSA, ECDSA, AES). Still secure against classical computers.
CNSA 2.0 (Commercial National Security Algorithm Suite) : NSA guidance for quantum-resistant cryptography. Mandates transition to PQC by 2030-2035 for National Security Systems.
Hybrid Cryptography : Combining classical and post-quantum algorithms for defense-in-depth. Data encrypted with both RSA and ML-KEM requires an adversary to break both algorithms.
KEM (Key Encapsulation Mechanism) : Post-quantum method for secure key exchange. Replaces RSA/ECDH for encryption. Example: ML-KEM (NIST FIPS 203).
Lattice-Based Cryptography : PQC algorithms based on hard mathematical problems in lattices. Includes ML-KEM (Kyber), ML-DSA (Dilithium). Most efficient PQC approach.
ML-DSA (Module-Lattice-Based Digital Signature Algorithm) : NIST-standardized post-quantum signature algorithm (formerly Dilithium). FIPS 204 approved. Recommended for quantum-resistant signatures.
ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) : NIST-standardized post-quantum encryption algorithm (formerly Kyber). FIPS 203 approved. Recommended for quantum-resistant encryption.
NIST PQC (NIST Post-Quantum Cryptography) : NIST standardization process for quantum-resistant algorithms. Published FIPS 203/204/205 (ML-KEM, ML-DSA, SLH-DSA).
Post-Quantum Cryptography (PQC) : Cryptographic algorithms resistant to quantum computer attacks. Designed to replace RSA, ECDSA, and ECDH.
Quantum Computer : Computer using quantum mechanical phenomena (superposition, entanglement). Can break RSA and ECDSA using Shor's algorithm.
Shor's Algorithm : Quantum algorithm that can factor large integers and solve discrete logarithms efficiently. Breaks RSA and ECDSA once sufficiently large quantum computers exist.
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) : NIST-standardized post-quantum signature algorithm (formerly SPHINCS+). FIPS 205 approved. Stateless alternative to XMSS/LMS.
Store-Now-Decrypt-Later (SNDL) : Attack where adversaries capture encrypted data today and decrypt it when quantum computers become available. Motivates transition to PQC now.
AnkaSecure Platform Terms
API Key : Authentication credential for programmatic access. Tenant-scoped, used for service-to-service authentication. Format: ask_1234567890abcdef...
Application : Programmatic identity within a tenant. Each application gets a unique API key. Used for service-to-service authentication.
Compact JWE/JWS : JSON Web Encryption/Signature in compact format (dot-separated Base64). Used for payloads ≤5 MB. RFC 7516/7515.
Correlation ID : Unique identifier for each API request. Included in audit logs for tracing requests across services. Format: UUID v4.
Detached-JWS : Digital signature format where the signature is carried separately from the payload. Used for streaming operations (multi-GB files).
JWET (JSON Web Encryption Token) : AnkaSecure extension for streaming encryption. Similar to JWE but supports chunked processing.
Key ID (kid) : Unique identifier for a cryptographic key within a tenant. Used to reference keys in encrypt/decrypt/sign/verify operations.
Keystore : Collection of cryptographic keys for a tenant. Each tenant has an isolated keystore.
Policy Template : Pre-configured algorithm availability set aligned with regulations. Examples: NIST_APPROVED, BSI_COMPLIANT, CHINA_GMT_COMPLIANT.
Re-encryption : Converting ciphertext from one algorithm to another without decrypting to plaintext. Example: RSA-encrypted → ML-KEM-encrypted.
Re-signing : Converting signature from one algorithm to another without re-computing from original data. Example: RSA-signed → ML-DSA-signed.
Security Level : NIST classification of cryptographic strength. Level I = AES-128, Level III = AES-192, Level V = AES-256.
Streaming Operations : Cryptographic operations for files >5 MB using chunked processing. Supports files up to terabytes without memory constraints.
Tenant : Independent organization using AnkaSecure. Has isolated keystore, users, applications, and audit logs. Example: "ACME Corporation" is a tenant.
Tenant ID : Unique identifier for a tenant. Used in JWT claims and API requests (X-Tenant-ID header).
NIST Algorithm Names
Official NIST Names (use these):
| NIST Name | Former Name | Type | FIPS Standard |
|---|---|---|---|
| ML-KEM | Kyber, CRYSTALS-Kyber | Key Encapsulation | FIPS 203 |
| ML-DSA | Dilithium, CRYSTALS-Dilithium | Digital Signature | FIPS 204 |
| SLH-DSA | SPHINCS+ | Digital Signature | FIPS 205 |
Note: AnkaSecure uses official NIST names (ML-KEM, ML-DSA, SLH-DSA). Avoid deprecated names (Kyber, Dilithium).
Security Levels
NIST Security Levels (equivalent to classical symmetric encryption):
| Level | Classical Equivalent | PQC Algorithms | Use Case |
|---|---|---|---|
| I | AES-128 (128-bit) | ML-KEM-512, ML-DSA-44 | Standard security |
| III | AES-192 (192-bit) | ML-KEM-768, ML-DSA-65 | Recommended |
| V | AES-256 (256-bit) | ML-KEM-1024, ML-DSA-87 | High security, long-term |
Recommendation: Use Level III for most applications (optimal security-performance balance).
HTTP Status Codes
AnkaSecure uses standard HTTP status codes with cryptographic error codes:
| Status | Meaning | Example |
|---|---|---|
| 200 | Success | Operation completed successfully |
| 400 | Bad Request | Invalid JSON, missing required fields |
| 401 | Unauthorized | Invalid or expired JWT token |
| 403 | Forbidden | Access denied (wrong tenant, insufficient permissions) |
| 404 | Not Found | Key ID not found, endpoint not found |
| 409 | Conflict | Key ID already exists |
| 413 | Payload Too Large | Payload >5 MB (use streaming API) |
| 415 | Unsupported Media Type | Missing or invalid Content-Type header |
| 422 | Unprocessable Entity | Crypto error (invalid ciphertext, integrity failure) |
| 429 | Too Many Requests | Rate limit exceeded |
| 500 | Internal Server Error | Server-side error |
| 503 | Service Unavailable | Service temporarily unavailable |
Common Acronyms
- AEAD: Authenticated Encryption with Associated Data
- API: Application Programming Interface
- BSI: Bundesamt für Sicherheit in der Informationstechnik (Germany)
- CNSA: Commercial National Security Algorithm Suite (NSA)
- ECDH: Elliptic Curve Diffie-Hellman (key exchange)
- ECDSA: Elliptic Curve Digital Signature Algorithm
- FIPS: Federal Information Processing Standards
- GDPR: General Data Protection Regulation (EU)
- HIPAA: Health Insurance Portability and Accountability Act (USA)
- HMAC: Hash-based Message Authentication Code
- HSM: Hardware Security Module
- JWE: JSON Web Encryption (RFC 7516)
- JWS: JSON Web Signature (RFC 7515)
- JWT: JSON Web Token (RFC 7519)
- KEM: Key Encapsulation Mechanism
- MAC: Message Authentication Code
- NIST: National Institute of Standards and Technology (USA)
- OWASP: Open Web Application Security Project
- PCI-DSS: Payment Card Industry Data Security Standard
- PKCS: Public-Key Cryptography Standards
- PQC: Post-Quantum Cryptography
- RBAC: Role-Based Access Control
- SaaS: Software-as-a-Service
- TLS: Transport Layer Security
Related Resources
- Algorithm Catalog - 78 supported algorithms
- Performance Benchmarks - Throughput and latency data
- Error Reference - Complete error code catalog
- Security Overview - Security posture and compliance
Documentation Version: 3.0.0 Last Updated: 2025-12-26