Endpoint — Either a PALISADE client or PALISADE server participating in a tunnel.

Client — The initiating endpoint that begins a PALISADE handshake.

Server — The responding endpoint that accepts a PALISADE handshake.

Handshake — The sequence of protocol messages used to negotiate parameters and establish shared cryptographic keys between endpoints.

Tunnel — The encrypted, authenticated communication channel established by PALISADE.

Epoch — A logical key-generation period identified by an epoch_id. Each epoch corresponds to a unique set of traffic keys.

Epoch Overlap — A bounded period during which two adjacent epochs may be valid to allow in-flight packets to drain safely.

Sequence Number (seq) — A monotonically increasing per-epoch counter used to provide replay protection and nonce uniqueness.

Transcript — The ordered concatenation of handshake messages and negotiated parameters that is hashed and bound into key derivation and authentication.

Transcript Hash — A cryptographic hash of the handshake transcript used for key derivation, authentication, and downgrade protection.

AEAD (Authenticated Encryption with Associated Data) — A symmetric encryption scheme providing confidentiality, integrity, and authenticity.

HKDF — The HMAC-based Key Derivation Function defined in RFC 5869, used to derive traffic keys from shared secrets.

IKM — Input Key Material

KEM (Key Encapsulation Mechanism) — A post-quantum public-key primitive used to establish shared secrets between endpoints.

PRK / OKM — Pseudorandom Key and Output Keying Material, as defined in RFC 5869.

Shared Secret — Secret material produced by KEM decapsulation and used as input to the key schedule.

Signature Scheme (SIG) — A post-quantum digital signature algorithm used for endpoint authentication.

PALISADE-CORE — The mandatory compliance profile defining the smallest interoperable feature set for PALISADE.

PALISADE-PLUS — An optional feature tier containing advanced capabilities such as migration, traffic shaping, and 0-RTT.

Resumption — A mechanism allowing a previously established session to be resumed using a resumption ticket.

Early Data (0-RTT) — Application data sent before full handshake completion during resumption, which is replayable.

Migration — An optional mechanism allowing a tunnel to continue across network path changes.

Padding — Deterministic zero-filled bytes added to encrypted headers to control packet size.

Abort — Immediate termination of a connection due to a fatal protocol error.

Close — Graceful termination of a connection using a close notification exchange.

|| — Concatenation operator

label(X) — A UTF-8 string used for domain separation in key derivation, as defined in the key schedule.

zeros(n) — n zero bytes