API Terms and Definitions
================================================================================

Device Definitions
--------------------------------------------------------------------------------

- SAE (Security Application Entity)

  In the context of QKDLite APIs, SAEs are a broad category of entities that can
  perform security functions, such as QKD operations. Thus in this context, they
  are interchangeable with QKD entities (QKDEs). They can be attached to or
  within a KME, and connect to other SAEs such that keys can be sent and
  received in a secure and quantum-safe manner.

- KME (Key Management Entity)

  In the context of QKDLite APIs, KMEs interface between SAEs and QKDLite nodes
  to provide keys to the QKDLite node as and when required. KMEs may contain the
  SAE that generates and sends keys, or it may be a physically separate entity.

- QKDLite node (also qnode)

  In the context of QKDLite APIs, , QKDLite nodes, or qnodes, are a broad
  definition used to define a VM (virtual machine) that interfaces between the
  KME, a HSM to store quantum secret keys, and external APIs that require the
  QKDLite API. Typically they send and receive keys from the KME, store and
  retrieve keys from the HSM as and when required, and interact with external
  APIs to distribute keys from the HSM.

Terms
--------------------------------------------------------------------------------
- Key identifiers:

  The two key identifiers ``keyID`` and ``keyLabel`` form a tuple used to
  identify quantum secret keys.

  - ``keyID``

    is a string identifier given by the API. It may **not** be unique and is
    typically named after its application purpose.

  - ``keyLabel``

    is a **unique** identifier for a quantum key generated by the paired QKD SAE
    appliances. When paired QKD SAE appliances generate a quantum key, they will
    both generate and store the same unique ``keyLabel`` in each of them.

- ``remote_qnode``

  In a paired QKD SAE appliance, the ``remote_qnode`` refers to the QKDLite node
  that the local QKDLite node wants to connect with to perform QKD operations.

Quantum-migration Ciphers
--------------------------------------------------------------------------------

To support organizations in their transition to quantum-safe cryptography, our
QKDLite KMEs are designed to ensure secure communication and data protection
in the evolving landscape of quantum computing.

Our QKDLite KMEs has native support for official quantum-safe algorithms
(recognised by both
`IANA <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml>`_
and NIST FIPS standards), with backwards compatibility to existing
Transport Layer Security (TLS) v1.3 clients, in both TLS and digital
certificates. The list of cryptographic algorithms supported are

**Key Agreement and Key Exchange Protocols**

- X25519 (Elliptic Curve Diffie-Hellman Ephemeral / ECDHE)
  [`RFC8446 <https://www.rfc-editor.org/rfc/rfc8446.html>`__]
  [`RFC8422 <https://www.rfc-editor.org/rfc/rfc8422.html>`__]

- ML-KEM-768 (FIPS 203 version of CRYSTALS-KYBER)
  [`RFC Draft <https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/>`__]
  [`FIPS 203 <https://csrc.nist.gov/pubs/fips/203/final>`__]

- X25519MLKEM768 (Post-quantum hybrid ECDHE-MLKEM )
  [`RFC Draft <https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/>`__]

**Digital Signature Algorithms**

- Secp256r1 or P-256 (Elliptic Curve Digital Signature Algorithm / ECDSA)
  [`RFC5246 <https://www.rfc-editor.org/rfc/rfc5246.html>`__]
  [`FIPS 186-5 <https://csrc.nist.gov/pubs/fips/186-5/final>`__]

- ML-DSA-65 (FIPS 204 version of CRYSTALS-DILITHIUM)
  [`RFC Draft <https://datatracker.ietf.org/doc/draft-tls-westerbaan-mldsa/>`__]
  [`FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final>`__]