Glossary
This glossary defines key terms used throughout the Qpher documentation. Terms are listed alphabetically.
AES-256-GCM
Advanced Encryption Standard with 256-bit key in Galois/Counter Mode. A symmetric authenticated encryption algorithm. Qpher uses AES-256-GCM to encrypt private keys at rest. GCM provides both confidentiality (the data is unreadable without the key) and integrity (any tampering is detected).
API Key
A secret credential used to authenticate requests to the Qpher API. API keys are passed
in the x-api-key HTTP header. Each key is associated with a specific tenant and has a
version number for audit tracking. API keys are shown only once at creation and stored
as hashes on Qpher's servers.
Digital Signature
A cryptographic value that proves a message was created by a specific key holder and has not been modified. In Qpher, digital signatures are created using the Dilithium3 algorithm. Anyone with the corresponding public key can verify the signature without needing the private key.
Dilithium3 (ML-DSA-65)
A post-quantum digital signature algorithm standardized by NIST as ML-DSA-65 (Module-Lattice-Based Digital Signature Algorithm) in FIPS 204. Dilithium3 provides NIST Level 3 security. Qpher uses it for all digital signature operations (sign and verify).
| Property | Value |
|---|---|
| Public key size | 1,952 bytes |
| Private key size | 4,000 bytes |
| Signature size | 3,293 bytes |
FIPS 203
The NIST standard document that defines ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism), the standardized version of the Kyber algorithm. Qpher's KEM operations use Kyber768, which corresponds to ML-KEM-768 in FIPS 203.
FIPS 204
The NIST standard document that defines ML-DSA (Module-Lattice-Based Digital Signature Algorithm), the standardized version of the Dilithium algorithm. Qpher's signature operations use Dilithium3, which corresponds to ML-DSA-65 in FIPS 204.
HKDF
HMAC-based Key Derivation Function. A function that takes a shared secret (from a KEM operation) and derives one or more cryptographic keys from it. Qpher uses HKDF-SHA256 as part of its hybrid KEM-DEM encryption scheme to derive the AES-256-GCM key from the Kyber768 shared secret.
KDF (Key Derivation Function)
A general term for any function that derives one or more cryptographic keys from a source of key material (such as a shared secret or a password). HKDF is one specific type of KDF.
KEK (Key Encryption Key)
The master symmetric key used to encrypt private keys at rest. The KEK is a 256-bit key stored in a secrets manager (AWS Secrets Manager, HashiCorp Vault, or GCP Secret Manager in production). Only the KMS-Orchestrator service has access to the KEK.
KEM (Key Encapsulation Mechanism)
A cryptographic technique for securely transmitting a symmetric key between two parties using public-key cryptography. Instead of directly encrypting data with a public key, a KEM generates a shared secret that both parties can use. Qpher uses Kyber768 as its KEM algorithm.
The KEM process:
- Encapsulate: Using the public key, generate a ciphertext and a shared secret.
- Decapsulate: Using the private key, recover the shared secret from the ciphertext.
- The shared secret is then used (via HKDF) to derive a symmetric key for data encryption.
Key Encapsulation
The process of using a KEM algorithm's public key to generate a ciphertext and a shared secret. The ciphertext can only be decapsulated (decoded) by the holder of the corresponding private key. In Qpher, this is the first step of the encrypt operation.
Key Version
An integer that identifies a specific generation of a PQC key. Key versions start at 1 and
increment with each rotation. Every Qpher API call that involves a PQC key requires an
explicit key_version parameter. This prevents accidentally using the wrong key and provides
a clear audit trail.
Kyber768 (ML-KEM-768)
A post-quantum key encapsulation mechanism standardized by NIST as ML-KEM-768 (Module-Lattice-Based Key Encapsulation Mechanism) in FIPS 203. Kyber768 provides NIST Level 3 security. Qpher uses it for all KEM operations (encrypt and decrypt).
| Property | Value |
|---|---|
| Public key size | 1,184 bytes |
| Private key size | 2,400 bytes |
| Ciphertext size | 1,088 bytes |
| Shared secret size | 32 bytes |
NIST Level 3
A security strength category defined by NIST for post-quantum cryptographic algorithms. Level 3 provides security roughly equivalent to AES-192 against classical attacks and is designed to resist attacks from both classical and quantum computers. Both Kyber768 and Dilithium3 meet this level.
Shared Secret
A value generated during the KEM encapsulation process that is known to both the encapsulator (who has the public key) and the decapsulator (who has the private key). The shared secret is used to derive symmetric encryption keys. In Qpher, shared secrets are 32 bytes and are never stored -- they exist only in memory during the encryption or decryption operation.
Tenant
An organization or workspace in Qpher. Each tenant has its own isolated set of API keys, PQC keys, users, and usage quotas. All data access is scoped to the tenant level, ensuring that one tenant cannot access another tenant's resources.