Key Cryptography Terms: Definitions Every Reader Should Know

Cryptography becomes much easier to follow when its vocabulary is used precisely. Many public discussions blur terms that specialists keep separate: encryption and hashing, passwords and keys, authentication and confidentiality, randomness and unpredictability, signatures and secrecy. Those near-synonyms create real confusion because modern security systems depend on selecting the right primitive for the right task. A glossary is therefore not introductory decoration. It is part of learning to think clearly about the field.

This guide belongs beside the methods of cryptography, its historical development, its current public importance, classical cryptography, and modern encryption. The aim is not exhaustive jargon collection. It is to give readers a vocabulary stable enough to follow real technical discussion without slipping into the most common category errors.

Core concepts

Plaintext

Plaintext is the original readable message or data before protection is applied. It can be a text message, file contents, database record, secret key material, or any other data a system wants to protect.

Ciphertext

Ciphertext is the protected output produced by encryption. It should reveal nothing useful about the plaintext to someone who lacks the right key and contextual information.

Encryption

Encryption transforms plaintext into ciphertext using an algorithm and a key. Its main goal is confidentiality, though modern practice usually expects encryption to be paired with integrity protection as well.

Decryption

Decryption is the process of recovering plaintext from ciphertext using the correct key. In well-designed systems, decryption should fail safely when the data or keying context is wrong.

Cipher

A cipher is the algorithmic transformation used for encryption and decryption. Classical ciphers worked by substitution or transposition; modern ciphers rely on structured mathematical operations designed for resistance to large-scale attack.

Key

A key is the secret parameter that controls a cryptographic algorithm. Good cryptography assumes the algorithm may be public and that the secrecy burden should rest mainly on the key.

Symmetric and asymmetric ideas

Symmetric-key cryptography

Symmetric cryptography uses the same secret key, or closely related keys, for encryption and decryption. It is generally fast and is used for most bulk data protection in practice.

Public-key cryptography

Public-key cryptography uses two linked keys: a public key that can be shared and a private key that must remain secret. It enables secure key establishment, encryption to strangers, and digital signatures.

Private key

A private key is the secret half of a public-key pair. If it is stolen or exposed, signatures can be forged or encrypted data may be compromised depending on the system.

Public key

A public key is the shareable half of a key pair. It allows others to verify signatures or encrypt data for the private-key holder without learning the private key itself.

Key exchange

Key exchange is the process by which parties derive shared secret material across an insecure channel. It solves the problem of establishing confidential communication without already sharing a secret.

Key encapsulation mechanism

A key encapsulation mechanism, often called a KEM, is a public-key method designed specifically for establishing shared secret key material. The term is especially important in current post-quantum cryptography.

Integrity and authenticity

Authentication

Authentication is the process of verifying identity, origin, or legitimacy. In cryptographic settings it often means showing that a message or action came from someone possessing the right secret or credential.

Integrity

Integrity means data has not been altered in an unauthorized way. A system can protect confidentiality while still failing integrity, which is why the distinction matters.

Message authentication code

A message authentication code, or MAC, is a short tag computed from a message and a shared secret. It helps parties detect tampering and verify shared-key knowledge.

Digital signature

A digital signature is created with a private key and verified with a public key. It supports authenticity and integrity without requiring verifiers to share a secret key with the signer.

Hash function

A cryptographic hash function maps input data of arbitrary size to a fixed-size digest. Strong hashes resist preimage attacks, collision attacks, and simple structural prediction.

Randomness and key quality

Entropy

Entropy in cryptography refers to unpredictability available for generating keys, nonces, salts, or other secret material. Weak entropy can undermine an otherwise sound system.

Random number generator

A random number generator produces values meant to be unpredictable. Security contexts require cryptographically secure generators, not just statistically convenient pseudorandomness.

Nonce

A nonce is a value meant to be used once in a given context. Many modern schemes rely on unique nonces; reuse can produce catastrophic failure.

Initialization vector

An initialization vector, or IV, is auxiliary input used with some schemes so identical plaintext under the same key does not always produce the same ciphertext. Depending on the mode, uniqueness, unpredictability, or both may matter.

Salt

A salt is extra data added before hashing, especially in password storage. It prevents identical inputs from producing identical stored digests and frustrates large-scale precomputed attacks.

Key derivation function

A key derivation function, or KDF, transforms source material such as a password or shared secret into one or more keys appropriate for actual cryptographic use.

Modern design terms

Block cipher

A block cipher encrypts fixed-size blocks of data under a key. To protect longer messages safely, it must be used with an appropriate mode of operation.

Stream cipher

A stream cipher generates a pseudorandom keystream combined with plaintext incrementally. Stream designs are efficient but can fail badly if keystream or nonce material is reused.

Mode of operation

A mode of operation specifies how a block cipher is applied across longer messages. Different modes offer different security properties and failure modes.

Authenticated encryption

Authenticated encryption combines confidentiality with integrity protection in a single construction. Modern systems often prefer it because secrecy without tamper detection is too weak for many real uses.

AEAD

AEAD stands for authenticated encryption with associated data. It protects encrypted content while also authenticating additional visible metadata such as headers.

Padding

Padding is extra structured data added to meet length or format requirements. Historically, padding mistakes have caused significant vulnerabilities when systems handled malformed input unsafely.

Attack and deployment terms

Brute-force attack

A brute-force attack tries possible keys until the right one is found. Well-designed systems rely on key spaces large enough to make exhaustive search impractical.

Cryptanalysis

Cryptanalysis is the study of breaking or weakening cryptographic systems. It includes mathematical attacks, protocol attacks, side-channel attacks, and implementation attacks.

Side-channel attack

A side-channel attack extracts secrets from timing, power use, cache behavior, electromagnetic leakage, or other indirect physical and implementation signals rather than from the mathematical structure alone.

Chosen-plaintext attack

In a chosen-plaintext attack, the adversary can obtain encryptions of selected messages and uses that capability to learn about the scheme or recover secret material.

Chosen-ciphertext attack

In a chosen-ciphertext attack, the adversary can obtain decryptions of selected ciphertexts under constrained conditions. Modern public-key systems are often judged against this stronger model.

Certificate

A certificate binds a public key to an identity or entity through a signed statement, usually within a larger trust framework such as the web public key infrastructure.

Public key infrastructure

Public key infrastructure, or PKI, is the ecosystem of certificate authorities, validation rules, issuance procedures, revocation systems, and trust policies used to manage public keys at scale.

Forward secrecy

Forward secrecy means compromise of long-term keys does not automatically reveal past session content. It limits the damage of later key theft.

End-to-end encryption

End-to-end encryption means the communicating endpoints hold the keys needed to read the content while intermediaries relay or store ciphertext without access to plaintext.

Crypto agility

Crypto agility is the ability of a system to change algorithms, parameters, or keying approaches without catastrophic redesign. It has become especially important during post-quantum migration planning.

Revocation

Revocation is the process of marking a credential or certificate as no longer trustworthy before its nominal expiration date. It matters because trust sometimes has to end immediately.

Post-quantum cryptography

Post-quantum cryptography refers to algorithms designed to remain secure against attackers with large-scale quantum computers. The phrase does not mean the algorithm itself runs on a quantum computer.

Why the vocabulary matters

Once these terms are clear, public discussions about privacy, secure messaging, software signing, password storage, and standards transition become far easier to follow. Readers can distinguish between secrecy and authenticity, between randomness and noise, and between secure design and secure deployment.

That precision matters because cryptography is a field where a small language mistake often conceals a larger design mistake. Clear vocabulary is not merely a study aid. It is one of the first forms of cryptographic discipline.

More terms readers encounter often

Token

A token is a unit of data used to represent authorization, identity, or access in a system. Tokens are not automatically encrypted, and confusing them with keys can lead to bad security assumptions.

Session key

A session key is a temporary key used for one communication session or short-lived protection task. Using session keys can limit the damage caused by compromise of longer-term credentials.

Key rotation

Key rotation is the planned replacement of keys over time. It reduces exposure from long-term use and is central to responsible operational security.

Key escrow

Key escrow refers to arrangements in which a third party holds or can recover key material. The term is controversial because it raises questions about trust, abuse, and concentration of power.

Metadata

Metadata is data about the message rather than the message content itself: who communicated, when, from where, using what protocol, and under what routing conditions. Encryption may protect content while leaving metadata partially visible.

Certificate authority

A certificate authority is the entity that issues and signs certificates binding public keys to identities. Trust in web PKI depends heavily on how certificate authorities are governed and validated.

Root of trust

A root of trust is the foundational component or authority from which broader trust decisions are derived. Roots of trust can be organizational, cryptographic, hardware-based, or institutional.

Attestation

Attestation is a process by which a device, program, or environment provides cryptographic evidence about its state or identity. It is increasingly important in cloud and hardware security.

Cipher suite

A cipher suite is a defined combination of cryptographic algorithms used together within a protocol. The suite specifies how key exchange, authentication, and data protection fit together.

Compliance

Compliance in security contexts refers to meeting formal standards, regulations, or policy requirements. It can support better cryptographic practice, though meeting compliance rules does not automatically mean a system is actually secure.

With that vocabulary in place, readers can move through standards discussions, privacy debates, and technical product claims without mistaking one security property for another. In cryptography, naming the thing correctly is often the first step toward choosing it correctly.

Precision in language does not guarantee secure design, but the absence of precision almost guarantees confusion.

Good cryptographic thinking starts with getting the words right.

That terminological clarity has practical force because secure systems are built, audited, and governed through distinctions that have to be understood precisely rather than approximately.