PQ Crypto Registry

Glossary

Terms and concepts used across the registry. Linked automatically from algorithm pages.

ML-DSA
Module-Lattice-Based Digital Signature Algorithm. A post-quantum signature scheme standardised in FIPS 204, formerly known as Dilithium. Based on the Module-LWE and Module-SIS problems.
ML-KEM
Module-Lattice-Based Key-Encapsulation Mechanism. A post-quantum KEM standardised in FIPS 203, formerly known as Kyber. Based on the Module-LWE problem.
SLH-DSA
Stateless Hash-Based Digital Signature Algorithm. A post-quantum signature scheme standardised in FIPS 205, formerly known as SPHINCS+. Based solely on hash function security.
Dilithium
The original academic name for the lattice-based signature scheme now standardised as ML-DSA in FIPS 204.
Kyber
The original academic name for the lattice-based KEM now standardised as ML-KEM in FIPS 203.
FN-DSA
FFT over NTRU-Lattice-Based Digital Signature Algorithm. A post-quantum digital signature scheme selected by NIST for standardization as FIPS 206, formerly known as Falcon. Produces the smallest signatures among NIST PQC signature standards.
HQC
Hamming Quasi-Cyclic. A code-based key encapsulation mechanism selected by NIST in March 2025 for standardization as a backup KEM to ML-KEM. Security is based on the Quasi-Cyclic Syndrome Decoding problem.
XMSS
eXtended Merkle Signature Scheme. A stateful hash-based digital signature scheme specified in RFC 8391 and approved by NIST SP 800-208. Uses WOTS+ one-time signatures organized in a Merkle tree. Requires careful state management to prevent one-time key reuse.
SPHINCS+
A stateless hash-based signature framework that combines FORS few-time signatures with a hypertree of XMSS trees. Standardized by NIST as SLH-DSA in FIPS 205. The name SPHINCS+ refers to the pre-standardization submission.
leanSig
A hash-based signature scheme designed for post-quantum Ethereum consensus, based on XMSS variants optimized for SNARK-based aggregation using the Poseidon2 hash function. Proposed by Drake, Khovratovich, Kudinov, and Wagner (ePrint 2025/055 and 2025/1332).
SHRINCS
A hybrid hash-based post-quantum signature scheme by Blockstream Research combining stateful XMSS one-time signatures with a stateless SPHINCS+ fallback. Achieves approximately 324-byte stateful-mode signatures with static seed backup. Built on the foundational analysis in ePrint 2025/2203.
Module-LWE
Module Learning With Errors. A lattice problem where the adversary must distinguish noisy inner products over a module lattice from uniform randomness. Underpins ML-KEM and ML-DSA.
Module-SIS
Module Short Integer Solution. A lattice problem requiring finding a short vector in the kernel of a random matrix over a module lattice. Used alongside Module-LWE in ML-DSA.
Ring-LWE
Ring Learning With Errors. A structured variant of LWE where computations are performed in a polynomial ring, enabling more compact keys and faster operations.
LWE
Learning With Errors. A lattice problem where the adversary must recover a secret vector from noisy linear equations. The foundational hardness assumption for most lattice-based cryptography.
QCSD
Quasi-Cyclic Syndrome Decoding. The computational hardness problem underlying HQC, which asks an adversary to find a low-weight error vector given a syndrome computed with a quasi-cyclic parity check matrix. A structured variant of the general syndrome decoding problem.
NTRU
A family of lattice-based constructions over polynomial quotient rings. The original 1996 scheme by Hoffstein, Pipher, and Silverman works in Z[x]/(x^N - 1) modulo a small q and was proposed for public-key encryption; FN-DSA (Falcon) works in the cyclotomic ring Z[x]/(x^n + 1) with n = 512 or 1024. NTRU lattices now also underpin the FN-DSA signature scheme.
EUF-CMA
Existential Unforgeability under Chosen Message Attack. The standard security notion for digital signatures: an adversary with access to a signing oracle cannot produce a valid signature on any message it did not submit to the oracle.
IND-CCA2
Indistinguishability under Adaptive Chosen Ciphertext Attack. The strongest standard security notion for public-key encryption and KEMs: an adversary who can query a decryption (or decapsulation) oracle on any ciphertext except the challenge still cannot tell which of two chosen plaintexts the challenge encrypts (for a KEM: whether a given key is the encapsulated one or uniformly random). Required whenever one key pair decrypts many ciphertexts, because it rules out attacks that tamper with a ciphertext and observe how the decryptor reacts.
IND-CPA
Indistinguishability under Chosen Plaintext Attack. A security notion where an adversary who can obtain encryptions of chosen plaintexts cannot distinguish ciphertexts. Weaker than IND-CCA2: it says nothing about what an adversary learns from the decryptor's behaviour on tampered or malformed ciphertexts.
KEM
Key Encapsulation Mechanism. A public-key primitive in which the sender, given only the public key, produces a shared secret together with a ciphertext; the holder of the matching secret key decapsulates the shared secret from the ciphertext. The shared secret is normally fed through a KDF to derive symmetric keys.
digital signature
A cryptographic primitive that allows a signer to produce a signature on a message using a secret key, and anyone with the corresponding public key can verify the signature's authenticity.
NTT
Number Theoretic Transform. A finite-field analogue of the FFT used to multiply polynomials efficiently. Core to the performance of lattice-based schemes like ML-KEM and ML-DSA.
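To make the definition concrete, here is a worked negacyclic NTT multiplication in Z_q[x]/(x^n + 1) with the ML-DSA ring parameters (q = 8380417, n = 256), checked against schoolbook multiplication. This is an added illustration, not code from the registry or from any FIPS reference implementation: it uses a simple recursive radix-2 transform and a "twist by psi^i" trick rather than the in-place bit-reversed layout of the standards, finds a 2n-th root of unity at import time instead of hard-coding one, and makes no attempt at constant-time execution.

```python
# Negacyclic NTT over Z_q[x]/(x^n + 1) using the ML-DSA ring parameters.
Q = 8380417      # ML-DSA modulus; q - 1 = 2^13 * 1023, so primitive 512th roots of unity exist
N = 256


def _find_psi():
    """Return a primitive 2n-th root of unity psi, i.e. psi^n = -1 mod q."""
    for g in range(2, Q):
        psi = pow(g, (Q - 1) // (2 * N), Q)
        if pow(psi, N, Q) == Q - 1:
            return psi
    raise RuntimeError("no primitive 2n-th root of unity")


PSI = _find_psi()
OMEGA = PSI * PSI % Q          # primitive n-th root of unity for the cyclic NTT


def ntt(a, omega):
    """Recursive radix-2 cyclic NTT of a (length a power of two) with root omega."""
    n = len(a)
    if n == 1:
        return a[:]
    even = ntt(a[0::2], omega * omega % Q)
    odd = ntt(a[1::2], omega * omega % Q)
    out = [0] * n
    w = 1
    for k in range(n // 2):
        t = w * odd[k] % Q
        out[k] = (even[k] + t) % Q
        out[k + n // 2] = (even[k] - t) % Q
        w = w * omega % Q
    return out


def negacyclic_ntt(a):
    """Twist coefficient i by psi^i so a cyclic NTT computes products modulo x^n + 1."""
    return ntt([x * pow(PSI, i, Q) % Q for i, x in enumerate(a)], OMEGA)


def negacyclic_intt(a_hat):
    """Inverse: cyclic NTT with omega^-1, scale by n^-1, then untwist by psi^-i."""
    n = len(a_hat)
    a = ntt(a_hat, pow(OMEGA, Q - 2, Q))
    n_inv = pow(n, Q - 2, Q)
    psi_inv = pow(PSI, Q - 2, Q)
    return [x * n_inv % Q * pow(psi_inv, i, Q) % Q for i, x in enumerate(a)]


def poly_mul_ntt(a, b):
    """a * b mod (x^n + 1, q) in O(n log n): forward NTT, pointwise product, inverse NTT."""
    a_hat, b_hat = negacyclic_ntt(a), negacyclic_ntt(b)
    return negacyclic_intt([x * y % Q for x, y in zip(a_hat, b_hat)])


def poly_mul_schoolbook(a, b):
    """O(n^2) reference multiplication, reducing x^n = -1 on the fly."""
    n = len(a)
    out = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < n:
                out[i + j] = (out[i + j] + x * y) % Q
            else:
                out[i + j - n] = (out[i + j - n] - x * y) % Q
    return out
```

ML-KEM's q = 3329 has no primitive 512th root of unity (3328 = 2^8 * 13), which is why FIPS 203 stops the transform one level early and multiplies pairs of degree-1 polynomials pointwise; the ML-DSA modulus chosen here allows the full transform.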
Fujisaki-Okamoto transform
A generic construction that converts a passively secure (IND-CPA) public-key encryption scheme into an actively secure (IND-CCA2) KEM. The encryption randomness is derived by hashing the message, so decapsulation can recover the message, re-encrypt it and check that the result matches the received ciphertext; any modified ciphertext fails the check. ML-KEM uses a variant with implicit rejection: on mismatch it returns a pseudorandom key derived from a secret value and the ciphertext rather than signalling an error.
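The following added example (not registry or FIPS 203 code) builds a toy KEM on top of a bit-by-bit LWE encryption scheme and wraps it with the Fujisaki-Okamoto transform described above, including implicit rejection. It also implements the KEM definition above and shows why IND-CPA alone is not enough for a KEM: `naive_decaps` hashes whatever decrypts, so a ciphertext with one coordinate nudged still yields the real shared key, while `kem_decaps` re-encrypts, detects the mismatch and returns an unrelated key. The LWE parameters, the `_G` hash derivation and the serialisation helpers are assumptions made for the example and are far too small to be secure.

```python
import hashlib
import os

# Toy LWE parameters (constructed for this example; not secure, chosen so the
# whole thing runs in well under a second in pure Python).
Q = 3329          # modulus
DIM = 32          # LWE secret dimension
SAMPLES = 32      # rows of A, and length of the per-bit encryption randomness r
MSG_BYTES = 16    # 128-bit message, i.e. 128 one-bit LWE encryptions
KEY_BYTES = 32
COIN_BYTES = MSG_BYTES * 8 * (SAMPLES // 8)   # one SAMPLES-bit r per message bit


def _rand_vec(length, lo, hi):
    # Slightly biased uniform sampling; acceptable for a toy, not for a real scheme.
    return [lo + int.from_bytes(os.urandom(2), "big") % (hi - lo + 1) for _ in range(length)]


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def pke_keygen():
    """Textbook LWE encryption: pk = (A, b = A*s + e), sk = s, e in {-1,0,1}."""
    A = [_rand_vec(DIM, 0, Q - 1) for _ in range(SAMPLES)]
    s = _rand_vec(DIM, 0, Q - 1)
    e = _rand_vec(SAMPLES, -1, 1)
    b = [(_dot(row, s) + err) % Q for row, err in zip(A, e)]
    return (A, b), s


def pke_encrypt(pk, msg, coins):
    """Encrypt msg bit by bit; bit i uses the i-th SAMPLES-bit chunk of coins as r in {0,1}^SAMPLES."""
    A, b = pk
    ct = []
    for i in range(MSG_BYTES * 8):
        bit = (msg[i // 8] >> (7 - i % 8)) & 1
        chunk = int.from_bytes(coins[i * (SAMPLES // 8):(i + 1) * (SAMPLES // 8)], "big")
        r = [(chunk >> j) & 1 for j in range(SAMPLES)]
        u = [sum(r[k] * A[k][j] for k in range(SAMPLES)) % Q for j in range(DIM)]
        v = (_dot(r, b) + bit * (Q // 2)) % Q
        ct.append((u, v))
    return ct


def pke_decrypt(sk, ct):
    """w = v - u*s = r*e + bit*q/2 with |r*e| <= SAMPLES << q/4, so rounding recovers the bit."""
    out = bytearray(MSG_BYTES)
    for i, (u, v) in enumerate(ct):
        w = (v - _dot(u, sk)) % Q
        if Q // 4 < w < 3 * Q // 4:
            out[i // 8] |= 1 << (7 - i % 8)
    return bytes(out)


def _hash_pk(pk):
    A, b = pk
    h = hashlib.sha256()
    for row in A + [b]:
        h.update(b"".join(x.to_bytes(2, "big") for x in row))
    return h.digest()


def _ct_bytes(ct):
    return b"".join(b"".join(x.to_bytes(2, "big") for x in u) + v.to_bytes(2, "big")
                    for u, v in ct)


def _G(msg, pk_hash):
    """Derive (shared key, encryption coins) deterministically from the message and pk."""
    out = hashlib.shake_256(b"G" + msg + pk_hash).digest(KEY_BYTES + COIN_BYTES)
    return out[:KEY_BYTES], out[KEY_BYTES:]


def kem_keygen():
    pk, s = pke_keygen()
    z = os.urandom(KEY_BYTES)              # secret value used for implicit rejection
    return pk, (s, z, _hash_pk(pk))


def kem_encaps(pk):
    m = os.urandom(MSG_BYTES)
    key, coins = _G(m, _hash_pk(pk))
    return key, pke_encrypt(pk, m, coins)


def kem_decaps(sk, pk, ct):
    s, z, pk_hash = sk
    m2 = pke_decrypt(s, ct)
    key, coins = _G(m2, pk_hash)
    # Re-encrypt with the recomputed coins: only the honest ciphertext survives.
    # A real implementation compares in constant time and evaluates both branches.
    if pke_encrypt(pk, m2, coins) == ct:
        return key
    return hashlib.sha256(b"reject" + z + _ct_bytes(ct)).digest()   # implicit rejection


def naive_decaps(sk, pk, ct):
    """What a KEM without the FO check would do: hash whatever decrypts, no consistency check."""
    s, _, pk_hash = sk
    return _G(pke_decrypt(s, ct), pk_hash)[0]


def malleate(ct):
    """Add 1 to v of the first bit: still decrypts to the same message, but is a different ciphertext."""
    u, v = ct[0]
    return [(u, (v + 1) % Q)] + ct[1:]
```

The malleated ciphertext is exactly the kind of probe a chosen-ciphertext attacker sends to learn how close the decryption noise is to the rounding boundary; with the re-encryption check every such probe gets an unrelated key and reveals nothing.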
side-channel
An attack that exploits information leaked through physical implementation characteristics — timing, power consumption, electromagnetic emissions — rather than mathematical weaknesses. Timing leakage is addressed with constant-time code (no secret-dependent branches or memory addresses); power and EM leakage need masking or other hardware-level countermeasures.
NIST security level
A classification (1 through 5) defined by NIST for post-quantum schemes. Level 1 targets security equivalent to AES-128, Level 3 to AES-192, and Level 5 to AES-256. Levels 2 and 4 target SHA-256 and SHA-384 collision resistance respectively.
stateless
A property of a signature scheme where the signer does not need to maintain any state between signing operations. Each signature is independent, simplifying deployment.
stateful
A property of a signature scheme where the signer must track state (e.g. a leaf index or counter) between operations. Signing twice from the same state reuses a one-time key and can let an attacker forge signatures, so the state must survive crashes, restores from backup and cloning of the signing host, which makes deployment more complex.
WOTS+
Winternitz One-Time Signature Plus. A one-time signature scheme that signs a message digest by mapping each base-w digit to a position in a hash chain. Used as the fundamental building block in XMSS, SLH-DSA, and leanSig. The Winternitz parameter w controls a tradeoff between signature size and computation.
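The following added example (not registry code and not the WOTS+ of RFC 8391 or FIPS 205, which add bitmasks and address tweaks this toy replaces with a position tag in the hash input) implements a Winternitz one-time signature over SHA-256 with w = 16 and a checksum, and then demonstrates the reuse hazard described under "stateful": given two signatures under one key, an attacker takes the lower revealed position in every chain and walks forward. With one signature the checksum blocks this, because raising any message digit lowers the checksum; with two signatures on suitably different digests the attacker can sign anything. The scheme signs a 32-byte digest directly, as the leaf of a Merkle-tree scheme would; the seed derivation and tweak layout are assumptions of this example.

```python
import hashlib
import os

N = 32            # bytes per chain node (SHA-256 output)
W = 16            # Winternitz parameter: each chain has W-1 steps
L1 = 2 * N        # base-16 digits in a 32-byte digest
L2 = 3            # checksum digits: max checksum L1*(W-1) = 960 < 16**3
L = L1 + L2       # number of chains


def chain(pub_seed, idx, node, start, steps):
    """Walk chain idx forward from position start by steps; the position is tweaked into each hash."""
    for pos in range(start, start + steps):
        node = hashlib.sha256(pub_seed + idx.to_bytes(2, "big") + pos.to_bytes(2, "big") + node).digest()
    return node


def digits_with_checksum(digest):
    msg = [d for b in digest for d in (b >> 4, b & 0x0F)]
    csum = sum(W - 1 - d for d in msg)      # drops whenever any message digit rises
    cs = [(csum >> (4 * (L2 - 1 - i))) & 0x0F for i in range(L2)]
    return msg + cs


def keygen(seed=None):
    seed = seed or os.urandom(N)
    pub_seed = hashlib.sha256(b"pub" + seed).digest()
    sk = [hashlib.sha256(b"sk" + seed + i.to_bytes(2, "big")).digest() for i in range(L)]
    pk = [chain(pub_seed, i, sk[i], 0, W - 1) for i in range(L)]   # chain ends
    return (pub_seed, sk), (pub_seed, pk)


def sign(sk, digest):
    """Reveal chain i advanced to position d_i, for each digit d_i of digest plus checksum."""
    pub_seed, starts = sk
    return [chain(pub_seed, i, starts[i], 0, d) for i, d in enumerate(digits_with_checksum(digest))]


def verify(pk, digest, sig):
    """Finish every chain from the revealed position and compare with the public chain ends."""
    pub_seed, ends = pk
    return all(chain(pub_seed, i, sig[i], d, W - 1 - d) == ends[i]
               for i, d in enumerate(digits_with_checksum(digest)))


def forge_from_reuse(pk, dig_a, sig_a, dig_b, sig_b, target):
    """Two signatures under one key: per chain, take the lower revealed position and walk forward.
    Succeeds whenever every target digit is at or past that position; returns None otherwise."""
    pub_seed, _ = pk
    da, db, dt = (digits_with_checksum(x) for x in (dig_a, dig_b, target))
    forged = []
    for i in range(L):
        pos, node = (da[i], sig_a[i]) if da[i] <= db[i] else (db[i], sig_b[i])
        if dt[i] < pos:
            return None
        forged.append(chain(pub_seed, i, node, pos, dt[i] - pos))
    return forged
```

Raising w shortens the signature (fewer chains) but lengthens every chain, so signing and verification cost grow as roughly L * (W - 1) hash calls; FIPS 205 fixes w = 16 for this reason.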
Hypertree
A tree-of-trees construction used in SLH-DSA where multiple layers of XMSS Merkle trees are stacked, with each layer's leaves authenticating the roots of trees in the layer below. Enables signing a large number of messages without maintaining state.
FORS
Forest of Random Subsets. A few-time signature scheme used as a component of SLH-DSA. FORS signs a message digest by revealing secret leaf values and their Merkle authentication paths from k independent binary trees.
Forward security
A property of signature schemes where compromise of the current signing key does not enable an adversary to forge signatures dated before the compromise. Key-evolving variants of XMSS achieve this by advancing the secret key through a one-way update after each signature, so earlier one-time keys cannot be recovered from a later key.
Poseidon2
An arithmetization-friendly hash function designed for efficient representation in zero-knowledge proof circuits, operating over prime fields. Used in leanSig for Ethereum because its algebraic structure maps directly to SNARK arithmetic constraints. Proposed by Grassi, Khovratovich, and Schofnegger (AFRICACRYPT 2023).
SNARK aggregation
A technique for combining multiple cryptographic signatures into a single succinct proof that all signatures are valid. In post-quantum Ethereum, STARK-based SNARKs are used to aggregate hash-based validator signatures into a constant-size proof, replacing BLS signature aggregation.
Incomparable encoding
A technique used in leanSig and related XMSS variants where the Winternitz chain values are encoded such that no valid signature component can be derived from another, improving the size-verification tradeoff. Introduced by Khovratovich, Kudinov, and Wagner (Crypto 2025).
Discrete Gaussian sampling
A sampling technique used in FN-DSA (Falcon) where signature components are drawn from a discrete Gaussian distribution over a lattice. Requires careful constant-time implementation to avoid side-channel leakage through secret-dependent branching or memory access patterns.
Rejection sampling
A technique used in ML-DSA signing where candidate signatures are generated and discarded (aborted) if they would leak information about the secret key. The signer adds a uniformly random masking vector y to the secret-dependent term c·s and rejects any z = y + c·s that falls outside a fixed inner range; the signing algorithm retries with a fresh masking vector until a safe signature is produced, so the distribution of accepted signatures is independent of the secret. Also known as the Fiat-Shamir with Aborts paradigm.
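A one-coordinate toy of the abort rule, added here as an illustration (not ML-DSA's actual sampler or bounds): enumerating every mask y shows that the accepted outputs form the same set for every secret s, while without the rule the output range shifts by c·s and its edge gives s away. The bounds GAMMA and BETA are constructed for the example.

```python
import os

# One coordinate of a Fiat-Shamir-with-aborts signature: z = y + c*s, with the
# mask y uniform in [-GAMMA, GAMMA] and |c*s| <= BETA. Toy sizes, not ML-DSA's.
GAMMA = 100
BETA = 3


def signer_output(y, c, s, reject=True):
    """Return z = y + c*s, or None when the abort rule rejects it."""
    z = y + c * s
    if reject and abs(z) > GAMMA - BETA:
        return None
    return z


def output_set(c, s, reject=True):
    """Enumerate every mask y and collect the signer's possible outputs, in increasing order."""
    outs = []
    for y in range(-GAMMA, GAMMA + 1):
        z = signer_output(y, c, s, reject)
        if z is not None:
            outs.append(z)
    return outs


def leaked_secret(outputs, c):
    """Without aborts the outputs span [-GAMMA + c*s, GAMMA + c*s], so the lower edge reveals s."""
    return (min(outputs) + GAMMA) // c


def sign_coordinate(c, s):
    """Retry with a fresh mask until the abort rule accepts; returns (z, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        y = int.from_bytes(os.urandom(4), "big") % (2 * GAMMA + 1) - GAMMA
        z = signer_output(y, c, s)
        if z is not None:
            return z, attempts
```

With these numbers each coordinate is accepted with probability (2(GAMMA - BETA) + 1)/(2 GAMMA + 1); in ML-DSA the check is applied to every coefficient of a whole vector at once, which is why real signing loops several times on average.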
NIST
National Institute of Standards and Technology. The US standards body running the Post-Quantum Cryptography Standardization Process, which has selected ML-KEM, ML-DSA, and SLH-DSA as initial standards.
FIPS 203
Federal Information Processing Standard 203. The NIST standard specifying ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism).
FIPS 204
Federal Information Processing Standard 204. The NIST standard specifying ML-DSA (Module-Lattice-Based Digital Signature Algorithm).
FIPS 205
Federal Information Processing Standard 205. The NIST standard specifying SLH-DSA (Stateless Hash-Based Digital Signature Algorithm).
FIPS 206
The forthcoming NIST Federal Information Processing Standard specifying FN-DSA (formerly Falcon), a lattice-based digital signature scheme. Currently in draft, expected to be finalized in 2026-2027.
lattice
A discrete additive subgroup of Rⁿ. Lattice-based cryptography builds on the computational hardness of problems like finding short vectors (SVP) or closest vectors (CVP) in high-dimensional lattices.
hash-based
Cryptographic schemes whose security relies solely on the properties of hash functions (collision resistance, preimage resistance). Considered conservative because the security assumption is minimal.
code-based
Cryptographic schemes built on the hardness of decoding random linear codes. The McEliece cryptosystem (1978) is the oldest post-quantum proposal in this family.
isogeny-based
Cryptographic schemes built on the hardness of computing isogenies between elliptic curves. A newer family with compact key sizes but less mature cryptanalysis: SIKE, the NIST candidate in this family, was broken by Castryck and Decru in 2022 via an attack on its auxiliary torsion-point information, while later proposals such as SQIsign rest on different assumptions.