Glossary
Short definitions for terms used across the documentation. If a concept appears in more than one section and might trip up a new reader, it belongs here.
Cryptography
ACVP — Automated Cryptographic Validation Protocol. NIST's testing protocol; the source of the official keygen / siggen / sigver test vectors that implementations validate against. See usnistgov/ACVP-Server.
Dilithium — historical name for ML-DSA. The NIST-finalized scheme is formally called ML-DSA; "Dilithium" is the academic submission name.
ECDSA — Elliptic Curve Digital Signature Algorithm. The classical signature scheme used by Ethereum EOAs. Quantum-vulnerable via Shor's algorithm.
FIPS 203 / 204 / 205 / 206 — NIST Federal Information Processing Standards for the post-quantum algorithms. 203 = ML-KEM; 204 = ML-DSA; 205 = SLH-DSA; 206 IPD = FN-DSA (Falcon, draft).
Hybrid signature — a signature combining a classical and a post-quantum scheme, both verified together. Used in some TLS transition scenarios; not deployed on-chain in this stack.
KEM — Key Encapsulation Mechanism. A primitive that lets two parties agree on a shared secret using one party's public key. ML-KEM (FIPS 203) is the NIST-standardized PQ KEM.
Lattice-based — a family of cryptographic schemes whose security rests on the hardness of problems in mathematical lattices (Module-LWE, Module-SIS). ML-KEM and ML-DSA are lattice-based.
ML-DSA — Module-Lattice-Based Digital Signature Algorithm. The NIST-standardized PQ signature scheme; parameter sets ML-DSA-44, -65, -87. See FIPS 204 quick reference.
ML-KEM — Module-Lattice-Based Key Encapsulation Mechanism. The NIST-standardized PQ KEM; parameter sets ML-KEM-512, -768, -1024.
NIST security category — NIST's classification of post-quantum security strength. Category I ≈ AES-128, III ≈ AES-192, V ≈ AES-256.
OID — Object Identifier. The ASN.1 dotted-decimal identifier used to name algorithms in X.509 certificates, JWS, COSE, and related formats. NIST has assigned OIDs for the PQ algorithms; see pq-oid.
PBKDF2 — Password-Based Key Derivation Function 2. A standard KDF used to derive a key from a password.
PQ / PQC — Post-Quantum / Post-Quantum Cryptography. Cryptography designed to resist attack by a sufficiently large quantum computer.
SLH-DSA — Stateless Hash-Based Digital Signature Algorithm. NIST-standardized hash-based PQ signature scheme (FIPS 205). Conservative security model; larger and slower than ML-DSA.
SPKI — SubjectPublicKeyInfo. The ASN.1 structure that wraps a raw public key with its algorithm identifier. Used in X.509 certificates and PEM-encoded public keys.
Shor's algorithm — the quantum algorithm that, given a sufficiently large quantum computer, breaks RSA, ECDSA, EdDSA, and classical Diffie-Hellman in polynomial time.
Wycheproof — Google's cryptographic test corpus. Used alongside NIST ACVP for ml-dsa validation.
Account abstraction and EVM
ERC-4337 — the account abstraction standard. Defines UserOperation, EntryPoint, and the bundler architecture that lets contract accounts act like EOAs without protocol changes.
ERC-7579 — the modular smart-account standard. Defines validator, executor, fallback, and hook module types. PQValidatorModule is an ERC-7579 validator.
EIP-7702 — "set code for an EOA". An Ethereum standard that lets an EOA delegate code execution to a smart contract via a one-time authorization. Enables PQ signing at an existing address without changing the address.
EntryPoint — the singleton ERC-4337 contract that bundlers submit UserOperations to. v0.7 is the current canonical version.
Bundler — the off-chain component in ERC-4337 that accepts UserOperations, simulates validation, batches them, and submits via handleOps() to the EntryPoint. Alto is used for development; Pimlico for production.
Paymaster — an ERC-4337 component that sponsors gas for a UserOperation.
UserOperation / UserOp — the ERC-4337 transaction-like object that a smart account executes. Carries calldata, gas fields, signature, and optionally factory and paymaster data.
userOpHash — the EIP-712-style hash of a UserOperation that the user actually signs. Commits to all fields plus the EntryPoint address and chain ID, so a signature cannot be replayed across chains or to a different EntryPoint.
Kernel v3 — ZeroDev's ERC-7579 smart account implementation. ERC-1967 proxy with first-class non-root validator support. The PQ validator stack's reference smart-account integration.
Safe7579 — the ERC-7579 adapter on top of Safe (Gnosis Safe) accounts.
non-root validator — in Kernel, a validator other than the account's root validator. Non-root validators are gated by selector access. The PQ validator runs as a non-root validator.
Arbitrum and Stylus
Arbitrum Stylus — Arbitrum's WASM execution layer. Lets you write contracts in Rust and deploy them under regular contract addresses. ML-DSA verification costs ~374K gas on Stylus versus millions in pure EVM.
Nitro — Arbitrum's core stack. Stylus is part of Nitro. "Nitro devnode" is the Docker-packaged local Arbitrum node used for development.
ArbOS — Arbitrum's operating-system upgrade lifecycle. Stylus contracts auto-deactivate on ArbOS upgrades and must be reactivated.
cargo-stylus — the CLI for building, checking, and deploying Stylus contracts. Requires v0.10.0+.
Wallet
EIP-6963 — the wallet-discovery standard that lets multiple wallets coexist in a browser. Used so the web dashboard can detect the Quantum Wallet extension and delegate signing to it.
Snap — a MetaMask Snap is a sandboxed JavaScript module that extends MetaMask with additional capabilities such as PQ signing.
VMK — Vault Master Key. The key derived from the user's password (via PBKDF2) that decrypts the encrypted seed. Stored in chrome.storage.session while the wallet is unlocked; cleared on auto-lock or browser close.
WDK / wdk-signing-pq — the post-quantum signing module from the Tether WDK family used for ML-DSA-44 keygen, signing, and encrypted backup.
WXT — the Chrome extension framework used by the wallet. Provides HMR, auto-imports, and consistent extension-API access across MV2/MV3.