Glossary

This glossary defines key terms and acronyms used throughout the Document Vault documentation.

A

AES (Advanced Encryption Standard)

A symmetric encryption algorithm standardized by NIST. The vault uses AES with a 256-bit key. AES operates on 128-bit blocks and is widely regarded as the gold standard for symmetric encryption.

AES-256-GCM

AES operating in Galois/Counter Mode with a 256-bit key. GCM is an authenticated encryption mode that provides both confidentiality (data cannot be read) and integrity (data cannot be modified without detection). The vault uses AES-256-GCM for all document encryption.

Attestation

A cryptographic claim made by a trusted party about a fact. In the vault context, an attestation confirms that a document has been verified by an institutional verifier. Attestations are recorded on-chain.

Attestor

The service component that performs attestation. In Hadinet, the attestor runs inside a TEE and handles document encryption, decryption, proof generation, and on-chain submission.

Authenticated Encryption

An encryption scheme that provides both confidentiality and data integrity. AES-256-GCM is an authenticated encryption algorithm -- it produces both ciphertext and an authentication tag, and decryption fails if the ciphertext has been tampered with.

C

Cartesi Rollup

A Layer 2 scaling solution that runs a Linux-based virtual machine inside a rollup on Ethereum (via Arbitrum). The vault uses a Cartesi rollup to store document metadata.

CID (Content Identifier)

A unique hash-based identifier used by IPFS to address content. A CID is derived from the file's contents -- any change to the file produces a different CID. The vault stores each encrypted document's CID on-chain as a reference.

Ciphertext

The encrypted form of a document. Ciphertext is the output of the AES-256-GCM encryption process and is what gets stored on IPFS. Without the decryption key, ciphertext is indistinguishable from random data.

D

DHT (Distributed Hash Table)

A decentralized lookup system used by IPFS to locate content across the network. The vault uses Pinata's private gateway instead of the public DHT, so encrypted documents are not discoverable through DHT queries.

DID (Decentralized Identifier)

A globally unique identifier that is cryptographically verifiable and does not require a central registration authority. In Hadinet, DIDs follow the did:key method and are derived from the user's wallet public key.

I

Initialization Vector (IV)

A random value used with the encryption key to ensure that encrypting the same data twice produces different ciphertext. Each document in the vault has a unique IV. The IV is stored on-chain alongside the document metadata and is required for decryption.

IPFS (InterPlanetary File System)

A peer-to-peer distributed file system that identifies content by its cryptographic hash rather than its location. The vault uses IPFS for storing encrypted documents, leveraging its content addressing and immutability properties.

K

Key Derivation

The process of generating a cryptographic key from input material. The vault derives AES-256 keys from the user's wallet-derived secret and a per-document salt.

Key Zeroing

The practice of overwriting cryptographic keys in memory with zeros after use. The vault zeroes all keys and sensitive material from TEE memory after each operation to minimize the window during which keys exist.

P

Pinata

A managed IPFS pinning service. Pinata provides reliable file hosting on IPFS with features like private gateways, pin management, and CDN-backed delivery. The vault uses Pinata as its storage provider.

Pinning

The act of marking content on IPFS as permanently stored. Pinned content is not garbage-collected. The vault pins encrypted documents through Pinata and unpins them when deleted.

Plaintext

The unencrypted, readable form of a document. In the vault, plaintext exists only inside the TEE during encryption and decryption operations and is never written to disk or transmitted in unencrypted form.

Private Gateway

An IPFS gateway that requires authentication to access content. Unlike public IPFS gateways, a private gateway does not serve files to unauthenticated requests. The vault uses Pinata's private gateway to restrict access to encrypted files.

R

Remote Attestation

A process by which a TEE proves to a remote party that it is running expected code in a genuine hardware enclave. Remote attestation allows clients to verify the vault's TEE before submitting sensitive documents.

Rollup

A Layer 2 scaling solution that executes transactions off-chain and posts compressed results to Layer 1 (Ethereum). The vault uses a Cartesi rollup on Arbitrum for storing document metadata.

S

Salt

A random value used as additional input to a key derivation function. Each document in the vault has a unique salt. The salt prevents pre-computation attacks and ensures that the same wallet-derived secret produces different keys for different documents.

Self-Attested

A document uploaded by the user without third-party verification. Self-attested documents are encrypted and stored with the same security as verified documents but do not carry institutional attestation.

Soft Delete

A deletion method that marks a record as deleted without physically removing it. In the vault, soft deletion sets a deletion flag on-chain and schedules the IPFS file for unpinning.

T

TEE (Trusted Execution Environment)

A hardware-isolated processing environment where code runs with confidentiality and integrity guarantees. The TEE's memory is encrypted by the processor and inaccessible to the host system. The vault uses TEEs for all encryption, decryption, and key derivation operations.

TLS (Transport Layer Security)

A cryptographic protocol for secure communication over a network. The vault uses TLS for all data transmission between the user's browser and the TEE attestor.

V

Verified Document

A document that has been attested by an institutional verifier (e.g., a KYC provider, university, or government agency). Verified documents carry on-chain attestation records that third parties can check.

W

Wallet

A cryptographic key pair (private key and public key) used for blockchain interactions. In the vault, the wallet serves as the user's identity and the root of their encryption key hierarchy. Supported wallets include MetaMask, WalletConnect-compatible wallets, and other Privy-supported providers.

Wallet-Derived Secret

A cryptographic secret computed inside the TEE from the user's wallet signature. This secret serves as the input for key derivation. It exists only in TEE memory during operations.

A​

AES (Advanced Encryption Standard)​

AES-256-GCM​

Attestation​

Attestor​

Authenticated Encryption​

C​

Cartesi Rollup​

CID (Content Identifier)​

Ciphertext​

D​

DHT (Distributed Hash Table)​

DID (Decentralized Identifier)​

I​

Initialization Vector (IV)​

IPFS (InterPlanetary File System)​

K​

Key Derivation​

Key Zeroing​

P​

Pinata​

Pinning​

Plaintext​

Private Gateway​

R​

Remote Attestation​

Rollup​

S​

Salt​

Self-Attested​

Soft Delete​

T​

TEE (Trusted Execution Environment)​

TLS (Transport Layer Security)​

V​

Verified Document​

W​

Wallet​

Wallet-Derived Secret​

A