Append-only registry
A registry whose entries can be added but never modified or removed. CPHAR registries are append-only with explicit status updates rather than in-place edits.
Attestation
A signed statement by a seal device asserting that it remains in possession of a non-exportable signing key under defined tamper assumptions.
Auditor
An independent party that examines inspection, custody, and registry records to validate CPHAR deployments.
Challenge-response
A protocol in which a verifier issues a fresh, unpredictable nonce and the seal returns a signature over that nonce.
Commitment
A cryptographic value that binds a party to a chosen input without revealing it. Used in CPHAR for lot identities and reserve fields.
Domain separation
A construction in which signed messages include a fixed context string so that a signature in one domain cannot be replayed in another.
Firmware measurement
A cryptographic digest of the seal device's firmware, recorded at provisioning and re-checked at each attestation.
Freshness window
The maximum time a verifier allows to elapse between issuing a challenge and accepting the response.
Inspection
The human process of verifying physical commodity quantity and grade prior to sealing.
Lot
A discrete, inspected unit of physical commodity to which a seal is attached.
Lot commitment
A commitment derived from inspection data, used as the registry binding key for a sealed lot.
Manufacturer attestation
Vendor-issued evidence that a seal device is genuine and was provisioned under defined procedures.
Non-exportable key
A private key that the seal cannot reveal outside its tamper boundary, even on instruction.
Proof bundle
The package of attestations, snapshot references, and optional zero-knowledge proofs that supports a reserve claim.
Registry
An append-only record binding seal identities to inspected lots, plus revocation and status data.
Reserve claim
A statement that some set of registered lots, attested by live seals, satisfies a property (such as a minimum mass threshold).
Revocation
Marking a seal as no longer trusted (retired, lost, or suspected of compromise).
Seal
A tamper-responsive cryptographic device physically attached to a reserve unit.
Snapshot
A content-addressed picture of the registry at a specific point in time, used so verification is reproducible.
Tamper-evident
A physical construction that visibly shows tampering after the fact.
Tamper-responsive
A construction that responds to tampering, typically by destroying or disabling key material.
Transparency log
A public, append-only log used to publish registry snapshot commitments so that snapshot equivocation can be detected.
Verifier
A party that challenges a seal, validates the response, and consumes the resulting reserve claim.
Zero-knowledge proof
A cryptographic proof that some statement is true while revealing nothing beyond the statement's truth.