6. API Terms and Definitions

6.1. Device Definitions

  • SAE (Security Application Entity)

    In the context of QKDLite APIs, SAEs are a broad category of entities that can perform security functions, such as QKD operations. Thus, in this context, they are interchangeable with QKD entities (QKDEs). They can be attached to or contained within a KME, and they connect to other SAEs so that keys can be sent and received in a secure and quantum-safe manner.

  • KME (Key Management Entity)

    In the context of QKDLite APIs, KMEs interface between SAEs and QKDLite nodes to provide keys to the QKDLite node as and when required. A KME may contain the SAE that generates and sends keys, or the SAE may be a physically separate entity.

  • QKDLite node (also qnode)

    In the context of QKDLite APIs, QKDLite nodes, or qnodes, are a broad definition used to describe a VM (virtual machine) that interfaces between the KME, an HSM that stores quantum secret keys, and external APIs that require the QKDLite API. Typically they send keys to and receive keys from the KME, store and retrieve keys in the HSM as and when required, and interact with external APIs to distribute keys from the HSM.

6.2. Terms

  • Key identifiers:

    The two key identifiers keyID and keyLabel form a tuple used to identify quantum secret keys.

    • keyID

      is a string identifier given by the API. It may not be unique and is typically named after its application purpose.

    • keyLabel

      is a unique identifier for a quantum key generated by the paired QKD SAE appliances. When paired QKD SAE appliances generate a quantum key, they will both generate and store the same unique keyLabel in each of them.

  • remote_qnode

    In a paired QKD SAE appliance, the remote_qnode refers to the QKDLite node that the local QKDLite node wants to connect with to perform QKD operations.
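The key identifier definitions above say that keyID alone may not be unique while keyLabel is. The following is an added example (not QKDLite code, and it assumes nothing about the real KME or HSM interface) of a minimal store indexed by the (keyID, keyLabel) tuple. It shows why a lookup must carry the keyLabel, and how a local node and its remote_qnode can confirm they hold the same key by comparing a digest instead of the key bytes. The key material is a random stand-in constructed with `secrets`, not the output of a QKD link.

```python
"""Key store indexed by the (keyID, keyLabel) tuple; added illustration only."""
import hashlib
import hmac
import secrets


class KeyStore:
    """Holds quantum secret keys under the (keyID, keyLabel) tuple."""

    def __init__(self) -> None:
        self._keys: dict[tuple[str, str], bytes] = {}

    def add(self, key_id: str, key_label: str, key: bytes) -> None:
        # keyLabel is unique per generated key: never overwrite an existing one.
        if self.has_label(key_label):
            raise KeyError(f"keyLabel {key_label!r} already present")
        self._keys[(key_id, key_label)] = key

    def has_label(self, key_label: str) -> bool:
        return any(label == key_label for _, label in self._keys)

    def get(self, key_id: str, key_label: str) -> bytes:
        # Lookup requires the full tuple; keyID alone would be ambiguous.
        return self._keys[(key_id, key_label)]

    def labels_for(self, key_id: str) -> list[str]:
        """All keyLabels stored under one application keyID (often several)."""
        return [label for kid, label in self._keys if kid == key_id]

    def fingerprint(self, key_id: str, key_label: str) -> str:
        """SHA-256 of the key bytes; safe to exchange for a consistency check."""
        return hashlib.sha256(self.get(key_id, key_label)).hexdigest()


def generate_pair(local: KeyStore, remote: KeyStore, key_id: str) -> str:
    """Simulate paired QKD SAE appliances: both sides store the same key
    under the same, freshly generated keyLabel.  Random bytes stand in for
    the quantum key here (constructed sample data)."""
    key_label = secrets.token_hex(8)
    key = secrets.token_bytes(32)
    local.add(key_id, key_label, key)
    remote.add(key_id, key_label, key)
    return key_label


def pair_in_sync(local: KeyStore, remote: KeyStore, key_id: str, key_label: str) -> bool:
    """True if both nodes hold the same key under the same (keyID, keyLabel)."""
    try:
        a = local.fingerprint(key_id, key_label)
        b = remote.fingerprint(key_id, key_label)
    except KeyError:
        return False
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    local_node, remote_qnode = KeyStore(), KeyStore()
    first = generate_pair(local_node, remote_qnode, "vpn-tunnel")
    second = generate_pair(local_node, remote_qnode, "vpn-tunnel")
    print("labels under keyID vpn-tunnel:", local_node.labels_for("vpn-tunnel"))
    print("in sync:", pair_in_sync(local_node, remote_qnode, "vpn-tunnel", first))
    print("unknown label:", pair_in_sync(local_node, remote_qnode, "vpn-tunnel", "missing"))
    assert first != second
```

Two keys share the keyID "vpn-tunnel", so `labels_for` returns both labels and only the tuple selects one key; `pair_in_sync` reports False for a label the remote side never stored.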

6.3. Quantum-migration Ciphers

To support organizations in their transition to quantum-safe cryptography, our QKDLite KMEs are designed to ensure secure communication and data protection in the evolving landscape of quantum computing.

Our QKDLite KMEs have native support for official quantum-safe algorithms (recognised by both IANA and NIST FIPS standards), with backwards compatibility with existing Transport Layer Security (TLS) v1.3 clients, in both TLS and digital certificates. The supported cryptographic algorithms are:

Key Agreement and Key Exchange Protocols

  • X25519 (Elliptic Curve Diffie-Hellman Ephemeral / ECDHE) [RFC8446] [RFC8422]

  • ML-KEM-768 (FIPS 203 version of CRYSTALS-KYBER) [RFC Draft] [FIPS 203]

  • X25519MLKEM768 (Post-quantum hybrid ECDHE-MLKEM) [RFC Draft]

Digital Signature Algorithms

  • Secp256r1 or P-256 (Elliptic Curve Digital Signature Algorithm / ECDSA) [RFC5246] [FIPS 186-5]

  • ML-DSA-65 (FIPS 204 version of CRYSTALS-DILITHIUM) [RFC Draft] [FIPS 204]
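Because the KME accepts both the quantum-safe algorithms and classical TLS 1.3 fallbacks, an operator may want to know which clients still offer only classical groups and signature schemes. The following added example (not QKDLite code) parses the body of a TLS 1.3 `supported_groups` or `signature_algorithms` extension, which in both cases is a length-prefixed vector of uint16 codepoints, and classifies what the client offered. The X25519 and secp256r1 codepoints are assumed from RFC 8446/8422; the ML-KEM and ML-DSA codepoints are assumed from the IETF drafts the list cites (draft-ietf-tls-ecdhe-mlkem, draft-connolly-tls-mlkem-key-agreement, draft-ietf-tls-mldsa) and should be checked against the IANA TLS registries before use, since draft values can change. The extension bodies are constructed in-line.

```python
"""Classify a TLS 1.3 client's offered groups / signature schemes.
Added example; codepoints for the ML-KEM and ML-DSA entries are assumptions
taken from the cited drafts."""
import struct

# NamedGroup codepoints (supported_groups extension).
NAMED_GROUPS = {
    0x0017: ("secp256r1", "classical"),        # RFC 8422 / RFC 8446
    0x001D: ("X25519", "classical"),           # RFC 8422 / RFC 8446
    0x0201: ("MLKEM768", "pq"),                # assumed, draft-connolly-tls-mlkem-key-agreement
    0x11EC: ("X25519MLKEM768", "hybrid"),      # assumed, draft-ietf-tls-ecdhe-mlkem
}

# SignatureScheme codepoints (signature_algorithms extension).
SIGNATURE_SCHEMES = {
    0x0403: ("ecdsa_secp256r1_sha256", "classical"),  # RFC 8446
    0x0905: ("mldsa65", "pq"),                        # assumed, draft-ietf-tls-mldsa
}


def parse_u16_vector(body: bytes) -> list[int]:
    """Parse a TLS uint16 vector <2..2^16-2>: a 2-byte length followed by
    that many bytes of uint16 values (the shape both extensions use)."""
    if len(body) < 2:
        raise ValueError("extension body too short")
    (length,) = struct.unpack("!H", body[:2])
    if length % 2 or length != len(body) - 2:
        raise ValueError("vector length does not match body")
    return list(struct.unpack(f"!{length // 2}H", body[2:]))


def build_u16_vector(values: list[int]) -> bytes:
    """Inverse of parse_u16_vector; used only to construct sample bodies."""
    return struct.pack("!H", 2 * len(values)) + struct.pack(f"!{len(values)}H", *values)


def classify(codepoints: list[int], table: dict) -> dict:
    """Name each codepoint and give a verdict: hybrid-capable, pq-capable,
    classical-only or unknown.  Codepoints not in the table (GREASE values,
    other curves) are reported as hex strings and do not affect the verdict."""
    offered, classes = [], set()
    for cp in codepoints:
        name, cls = table.get(cp, (f"0x{cp:04x}", "unknown"))
        offered.append(name)
        classes.add(cls)
    if "hybrid" in classes:
        verdict = "hybrid-capable"
    elif "pq" in classes:
        verdict = "pq-capable"
    elif "classical" in classes:
        verdict = "classical-only"
    else:
        verdict = "unknown"
    return {
        "offered": offered,
        "verdict": verdict,
        # A client offering only pure ML-KEM cannot fall back to a classical group.
        "classical_fallback": "classical" in classes,
    }


if __name__ == "__main__":
    # Constructed sample bodies, as they would appear inside a ClientHello.
    samples = {
        "pq-ready client": build_u16_vector([0x11EC, 0x001D, 0x0017]),
        "legacy client": build_u16_vector([0x001D, 0x0017]),
        "greased client": build_u16_vector([0x0A0A, 0x001D]),
    }
    for label, body in samples.items():
        print(label, classify(parse_u16_vector(body), NAMED_GROUPS))
    print("sigalgs", classify(parse_u16_vector(build_u16_vector([0x0905, 0x0403])), SIGNATURE_SCHEMES))
```

Feeding the extension bodies from real ClientHellos (for example, from a packet capture at the KME) through `classify` gives a quick inventory of which clients will negotiate X25519MLKEM768 and which will still land on X25519 or P-256 alone.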