topic_data_batch2.md.resolved

# Topic JSON Data — Batch 4, 5, 6

---

## 9. Hash Functions
**Slug:** `hash-functions` | **Category:** `hashing` | **Difficulty:** 2 | **XP:** 25 | **Prerequisites:** Information Theory

```json
{
  "summary": "A cryptographic hash function maps an input of arbitrary length to a fixed-length digest. Unlike encryption, hashing is a one-way process — given the hash, it is computationally infeasible to find the original input. Three security properties define a cryptographic hash: pre-image resistance, second pre-image resistance, and collision resistance.",
  "math_explanation": "H: {0,1}* → {0,1}^n. Pre-image resistance: given h, infeasible to find x such that H(x)=h. Collision resistance: infeasible to find x≠y with H(x)=H(y). Birthday bound: collisions expected after ~2^(n/2) evaluations.",
  "visual_type": "hash_chain",
  "security_notes": "MD5 and SHA-1 are broken — collisions found. Use SHA-256 or SHA-3. Never use a bare hash for password storage — use bcrypt, scrypt, or Argon2. The birthday paradox means 128-bit hash provides only 64-bit collision resistance.",
  "use_cases": ["File integrity verification (checksums)", "Git commit content addressing", "Digital signatures (hash-then-sign)", "Password storage (with salt, using bcrypt)", "Proof-of-Work in Bitcoin mining"],
  "historical_context": "MD5 was designed by Ron Rivest in 1991 and broken by Wang et al. in 2004. SHA-1 was broken in practice by Google's SHAttered attack in 2017. SHA-2 (including SHA-256) was designed by the NSA and standardized in 2001. SHA-3 (Keccak) was selected in 2012 from a public NIST competition.",
  "steps": [
    { "order": 1, "name": "One-way transformation", "description": "Input of any size → fixed output. Changing even 1 bit of input produces a completely different hash (avalanche effect).", "state_representation": "'Hello' → abc50..., 'hello' → 5d41..." },
    { "order": 2, "name": "Pre-image resistance", "description": "Given a hash h, you cannot find x such that H(x)=h without brute force. Makes hash reversal computationally infeasible.", "formula": "H(x) = h \\Rightarrow \\text{finding } x \\text{ requires } O(2^n)", "state_representation": "Cannot reverse SHA-256 output" },
    { "order": 3, "name": "Collision resistance", "description": "Cannot find two different inputs x≠y where H(x)=H(y). By birthday paradox, requires trying ~2^(n/2) inputs.", "formula": "\\Pr[H(x) = H(y),\\, x \\neq y] < 2^{-n/2}", "state_representation": "SHA-256: ~2^128 work to find collision" },
    { "order": 4, "name": "Deterministic & fast", "description": "Same input always produces the same hash. Fast to compute forward, infeasible to reverse.", "state_representation": "SHA-256('test') = 9f86d... always" }
  ],
  "example": {
    "input": "Hello World",
    "output": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e",
    "step_outputs": [
      { "step": 1, "value": "11-byte input → 32-byte output" },
      { "step": 2, "value": "Avalanche: 1-bit change → ~50% bits flip" },
      { "step": 3, "value": "No known way to reverse SHA-256" },
      { "step": 4, "value": "Always deterministic: same input = same hash" }
    ]
  }
}
```

---

## 10. SHA-256
**Slug:** `sha-256` | **Category:** `hashing` | **Difficulty:** 3 | **XP:** 35 | **Prerequisites:** Hash Functions

```json
{
  "summary": "SHA-256 is the most widely deployed cryptographic hash function, producing a 256-bit digest from any input. It is the core of Bitcoin's proof-of-work, TLS certificate verification, and HMAC authentication. Its internals are based on the Merkle–Damgård construction with a Davies–Meyer compression function processing data in 512-bit blocks through 64 rounds of bitwise operations.",
  "math_explanation": "SHA-256 uses 64 rounds of: T1 = h + Σ1(e) + Ch(e,f,g) + K[i] + W[i]. T2 = Σ0(a) + Maj(a,b,c). Where Ch(e,f,g)=(e AND f) XOR (NOT e AND g), Maj(a,b,c)=(a AND b) XOR (a AND c) XOR (b AND c), Σ0(a)=ROTR2(a) XOR ROTR13(a) XOR ROTR22(a), Σ1(e)=ROTR6(e) XOR ROTR11(e) XOR ROTR25(e).",
  "visual_type": "hash_chain",
  "security_notes": "Vulnerable to length-extension attacks if used as H(key||message) — use HMAC instead. Not suitable for password hashing — use bcrypt. Quantum computers running Grover's algorithm reduce SHA-256 security to 128 bits, so SHA-256 remains quantum-safe.",
  "use_cases": ["Bitcoin Proof-of-Work (double SHA-256)", "Git content-addressed storage", "TLS certificate fingerprinting", "HMAC-SHA256 for API auth (AWS, GitHub)"],
  "historical_context": "Published by NIST as FIPS 180-2 in 2002. Designed by the NSA. Replaced SHA-1 after theoretical weaknesses were found. SHA-256 became dominant after SHA-1's practical collision in 2017 (Google SHAttered). Still considered secure in 2024.",
  "steps": [
    { "order": 1, "name": "Padding", "description": "Append '1' bit, then zeros, then 64-bit message length until block is 512 bits.", "state_representation": "msg || 1 || 0...0 || length64" },
    { "order": 2, "name": "Initialize hash values", "description": "Set h0–h7 using fractional parts of square roots of first 8 primes.", "formula": "h_0 = \\lfloor \\text{frac}(\\sqrt{2}) \\times 2^{32} \\rfloor = \\texttt{6a09e667}", "state_representation": "h0=6a09e667, h1=bb67ae85..." },
    { "order": 3, "name": "Message schedule W[0..63]", "description": "First 16 words from message block. Words 16-63: σ1(W[i-2]) + W[i-7] + σ0(W[i-15]) + W[i-16].", "state_representation": "64 32-bit words prepared" },
    { "order": 4, "name": "64 compression rounds", "description": "Update working variables a–h each round using Ch, Maj, Σ0, Σ1 rotations and round constants K[i].", "formula": "T_1 = h + \\Sigma_1(e) + Ch(e,f,g) + K[i] + W[i]", "state_representation": "a,b,c,d,e,f,g,h updated 64 times" },
    { "order": 5, "name": "Final digest", "description": "Add compressed values to initial hash values. Concatenate h0–h7 as the 256-bit output.", "state_representation": "digest = h0||h1||h2||h3||h4||h5||h6||h7" }
  ],
  "example": {
    "input": "hello",
    "output": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
    "step_outputs": [
      { "step": 1, "value": "5 bytes padded to 512-bit block" },
      { "step": 2, "value": "h0=6a09e667...h7=5be0cd19" },
      { "step": 3, "value": "W[0..63] computed" },
      { "step": 4, "value": "64 rounds of bitwise compression" },
      { "step": 5, "value": "2cf24dba...b9824 (32 bytes)" }
    ]
  }
}
```

---

## 11. HMAC
**Slug:** `hmac` | **Category:** `hashing` | **Difficulty:** 3 | **XP:** 35 | **Prerequisites:** SHA-256

```json
{
  "summary": "HMAC (Hash-based Message Authentication Code) solves a critical problem: proving both the integrity AND authenticity of a message using only a hash function and a shared secret key. Unlike a plain hash, HMAC proves that only someone with the secret key could have created it. It also fixes SHA-256's vulnerability to length-extension attacks through its double-hashing construction.",
  "math_explanation": "HMAC(K, m) = H((K'⊕opad) || H((K'⊕ipad) || m)). K' = key padded to block size. ipad = 0x36 repeated. opad = 0x5C repeated. The double hashing prevents both length-extension attacks and birthday bound weakening.",
  "visual_type": "hash_chain",
  "security_notes": "Do not use HMAC as a KDF — use HKDF. Requires a secret, random key (not a password). HMAC-SHA256 provides 128-bit security. Timing attacks when comparing HMACs require constant-time comparison (hmac.compare_digest in Python).",
  "use_cases": ["JWT signature verification", "AWS API request signing (HMAC-SHA256)", "GitHub/Stripe webhook signature verification", "TLS record layer authentication", "Django/Flask cookie signing"],
  "historical_context": "Designed by Bellare, Canetti, and Krawczyk in 1996. Standardized as RFC 2104 in 1997. Specifically created to fix the security issues of naive keyed hashing H(key||message) which is vulnerable to length-extension attacks.",
  "steps": [
    { "order": 1, "name": "Prepare key K'", "description": "If key > block size: hash it. If key < block size: zero-pad to block size.", "state_representation": "K' = key zero-padded to 64 bytes" },
    { "order": 2, "name": "Inner hash", "description": "XOR K' with ipad (0x36...36), append message, hash the whole thing.", "formula": "H_{inner} = H((K' \\oplus ipad) \\| m)", "state_representation": "H_inner = SHA256(K_inner || message)" },
    { "order": 3, "name": "Outer hash", "description": "XOR K' with opad (0x5C...5C), append inner hash, hash again.", "formula": "HMAC = H((K' \\oplus opad) \\| H_{inner})", "state_representation": "HMAC = SHA256(K_outer || H_inner)" }
  ],
  "example": {
    "input": "Hello",
    "key": "secret-key",
    "output": "88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b",
    "step_outputs": [
      { "step": 1, "value": "K' = 'secret-key' padded to 64 bytes" },
      { "step": 2, "value": "H_inner = SHA256(K'⊕ipad || 'Hello')" },
      { "step": 3, "value": "HMAC = SHA256(K'⊕opad || H_inner) = 88aab3..." }
    ]
  }
}
```

---

## 12. Diffie-Hellman Key Exchange
**Slug:** `diffie-hellman` | **Category:** `asymmetric` | **Difficulty:** 3 | **XP:** 45 | **Prerequisites:** Number Theory Basics

```json
{
  "summary": "Diffie-Hellman (1976) solved the fundamental key distribution problem: how can two parties agree on a shared secret over a completely public channel without ever meeting? Its security is based on the discrete logarithm problem — given g, p, and g^a mod p, recovering a is computationally infeasible for large primes.",
  "math_explanation": "Public: prime p, generator g. Alice: private a, sends A = g^a mod p. Bob: private b, sends B = g^b mod p. Shared secret: s = B^a mod p = A^b mod p = g^(ab) mod p. Security: recovering a from (g, p, g^a mod p) is the Discrete Logarithm Problem.",
  "visual_type": "key_exchange_diagram",
  "security_notes": "Vulnerable to Man-in-the-Middle without authentication. Use DHE (ephemeral) for forward secrecy. Minimum 2048-bit primes (4096 recommended). Prefer ECDH over classical DH for better security-per-bit performance.",
  "use_cases": ["TLS 1.3 key exchange (DHE)", "SSH session key establishment", "Signal Protocol (X3DH)", "IPsec/IKE VPN tunnels", "WireGuard (uses ECDH)"],
  "historical_context": "Published by Whitfield Diffie and Martin Hellman in 1976. Independently discovered (classified) by Malcolm Williamson at GCHQ in 1974. Ralph Merkle developed a related scheme. Diffie and Hellman received the Turing Award in 2015.",
  "steps": [
    { "order": 1, "name": "Agree on public parameters", "description": "Both parties publicly agree on prime p and generator g. This is not secret.", "state_representation": "p=23, g=5 (public)" },
    { "order": 2, "name": "Alice's private key", "description": "Alice chooses random private integer a and computes A = g^a mod p.", "formula": "A = g^a \\mod p", "state_representation": "a=6 (secret), A=5^6 mod 23=8 (sent to Bob)" },
    { "order": 3, "name": "Bob's private key", "description": "Bob chooses random private integer b and computes B = g^b mod p.", "formula": "B = g^b \\mod p", "state_representation": "b=15 (secret), B=5^15 mod 23=19 (sent to Alice)" },
    { "order": 4, "name": "Compute shared secret", "description": "Alice: s = B^a mod p. Bob: s = A^b mod p. Both get g^(ab) mod p without transmitting it.", "formula": "s = g^{ab} \\mod p", "state_representation": "Alice: 19^6 mod 23=2. Bob: 8^15 mod 23=2. Same! ✓" }
  ],
  "example": {
    "input": "p=23, g=5, a=6, b=15",
    "key": "shared secret = 2",
    "output": "g^(ab) mod p = 2",
    "step_outputs": [
      { "step": 1, "value": "p=23, g=5 public" },
      { "step": 2, "value": "A=5^6 mod 23=8" },
      { "step": 3, "value": "B=5^15 mod 23=19" },
      { "step": 4, "value": "Alice: 19^6 mod 23=2, Bob: 8^15 mod 23=2 ✓" }
    ]
  }
}
```

---

## 13. RSA
**Slug:** `rsa` | **Category:** `asymmetric` | **Difficulty:** 4 | **XP:** 60 | **Prerequisites:** Diffie-Hellman

```json
{
  "summary": "RSA is the most widely known public-key cryptosystem, enabling both encryption and digital signatures. Published in 1977, it allows anyone to encrypt a message using a public key, while only the holder of the corresponding private key can decrypt it. RSA's security relies on the integer factorization problem — factoring the product of two large primes is computationally infeasible classically, but broken by quantum computers.",
  "math_explanation": "Key gen: primes p,q. n=p×q, φ(n)=(p-1)(q-1). Choose e: gcd(e,φ(n))=1. d=e⁻¹ mod φ(n). Public: (e,n). Private: (d,n). Encrypt: C=M^e mod n. Decrypt: M=C^d mod n. Correctness via Euler: M^(eφ(n)) ≡ M (mod n).",
  "visual_type": "key_exchange_diagram",
  "security_notes": "RSA < 2048 bits can be factored. Always use OAEP padding for encryption, PSS for signatures — textbook RSA is malleable. Quantum computers (Shor's algorithm) factor RSA in polynomial time. NIST recommends planning migration to post-quantum algorithms.",
  "use_cases": ["TLS — RSA key exchange and certificates", "SSH — RSA host key authentication", "PGP — email encryption and signing", "Code signing certificates", "PKI root CA certificates"],
  "historical_context": "Published by Rivest, Shamir, and Adleman at MIT in 1977. GCHQ's Clifford Cocks independently invented it in 1973 (classified until 1997). RSA Security held a patent until 2000. The original RSA-129 (129-digit) challenge was factored in 1994 using 1600 computers over 8 months.",
  "steps": [
    { "order": 1, "name": "Pick two large primes", "description": "Randomly generate two distinct primes p and q. In practice: 1024-2048 bit primes each.", "formula": "p, q \\in \\mathbb{P},\\; p \\neq q", "state_representation": "p=61, q=53" },
    { "order": 2, "name": "Compute n and φ(n)", "description": "n=p×q is the public modulus. φ(n)=(p-1)(q-1) is the secret totient, never shared.", "formula": "n = p \\times q,\\quad \\varphi(n) = (p-1)(q-1)", "state_representation": "n=3233, φ(n)=3120" },
    { "order": 3, "name": "Choose public exponent e", "description": "Pick e coprime to φ(n). Standard choice: e=65537 (prime, fast exponentiation).", "formula": "\\gcd(e,\\, \\varphi(n)) = 1", "state_representation": "e=17, gcd(17,3120)=1 ✓" },
    { "order": 4, "name": "Compute private exponent d", "description": "d is the modular inverse of e mod φ(n), found via Extended Euclidean Algorithm.", "formula": "d = e^{-1} \\mod \\varphi(n)", "state_representation": "d=2753 (17×2753 mod 3120=1)" },
    { "order": 5, "name": "Encrypt with public key", "description": "Anyone can encrypt using (e, n).", "formula": "C = M^e \\mod n", "state_representation": "M=65: C=65^17 mod 3233=2790" },
    { "order": 6, "name": "Decrypt with private key", "description": "Only the private key holder can decrypt using (d, n).", "formula": "M = C^d \\mod n", "state_representation": "M=2790^2753 mod 3233=65 ✓" }
  ],
  "example": {
    "input": "65",
    "key": "public:(17,3233), private:(2753,3233)",
    "output": "2790",
    "step_outputs": [
      { "step": 1, "value": "p=61, q=53" },
      { "step": 2, "value": "n=3233, φ(n)=3120" },
      { "step": 3, "value": "e=17" },
      { "step": 4, "value": "d=2753" },
      { "step": 5, "value": "C=65^17 mod 3233=2790" },
      { "step": 6, "value": "M=2790^2753 mod 3233=65 ✓" }
    ]
  }
}
```

---

## 14. Elliptic Curve Cryptography (ECC)
**Slug:** `ecc` | **Category:** `asymmetric` | **Difficulty:** 4 | **XP:** 60 | **Prerequisites:** Diffie-Hellman

```json
{
  "summary": "Elliptic Curve Cryptography provides equivalent security to RSA using dramatically smaller keys — a 256-bit ECC key offers the same security as a 3072-bit RSA key. ECC is built on the mathematics of elliptic curves over finite fields and the Elliptic Curve Discrete Logarithm Problem (ECDLP). It powers all modern key exchange in TLS 1.3, SSH, and Signal.",
  "math_explanation": "Elliptic curve: y² = x³ + ax + b (mod p). Point addition: geometrically, the line through P and Q intersects the curve at a third point R; reflect R over x-axis. P + P = scalar multiplication. Private key k (integer). Public key: Q = k×G where G is the generator point. ECDLP: given G and Q, finding k is infeasible.",
  "visual_type": "key_exchange_diagram",
  "security_notes": "Curve choice is critical — use NIST P-256, P-384, or Curve25519 (X25519 for key exchange, Ed25519 for signatures). Never implement curve arithmetic yourself — use audited libraries. ECDH is broken by quantum computers (Shor's algorithm). ECC over binary fields has known vulnerabilities.",
  "use_cases": ["TLS 1.3 — ECDHE key exchange (P-256, X25519)", "SSH — Ed25519 host keys", "Bitcoin — secp256k1 transaction signing", "Signal Protocol — X3DH key agreement", "Apple/Google Passkeys"],
  "historical_context": "Proposed independently by Neal Koblitz and Victor Miller in 1985. Remained academic niche until adoption concerns about NSA backdoors in Dual_EC_DRBG (2013, Snowden revelations). Curve25519, designed by Daniel Bernstein in 2005, became the safe alternative.",
  "steps": [
    { "order": 1, "name": "Choose a curve and generator G", "description": "Select a standard elliptic curve (e.g., P-256). G is a publicly known generator point with large prime order n.", "state_representation": "Curve: y²=x³-3x+b (mod p256). G=(Gx,Gy) known." },
    { "order": 2, "name": "Generate private key k", "description": "Choose a random integer k between 1 and n-1. This is your private key — never share it.", "formula": "k \\in_R [1,\\, n-1]", "state_representation": "k = random 256-bit integer" },
    { "order": 3, "name": "Compute public key Q", "description": "Scalar multiply the generator point G by k. Q = k×G means adding G to itself k times on the curve.", "formula": "Q = k \\times G", "state_representation": "Q = k×G = (Qx, Qy) — a curve point" },
    { "order": 4, "name": "ECDH shared secret", "description": "Alice has private a, public A=a×G. Bob has private b, public B=b×G. Both compute: S = a×B = b×A = ab×G.", "formula": "S = a \\times B = b \\times A = ab \\times G", "state_representation": "Shared secret S — Alice and Bob agree without transmitting it" }
  ],
  "example": {
    "input": "Curve P-256, private key k",
    "output": "Public key Q = k×G",
    "step_outputs": [
      { "step": 1, "value": "P-256 curve selected, G known" },
      { "step": 2, "value": "k = random 256-bit integer (private)" },
      { "step": 3, "value": "Q = k×G (256-bit EC point, public)" },
      { "step": 4, "value": "ECDH: S = a×B = b×A ✓" }
    ]
  }
}
```

---

## 15. Digital Signatures
**Slug:** `digital-signatures` | **Category:** `signatures` | **Difficulty:** 4 | **XP:** 55 | **Prerequisites:** RSA + HMAC

> ⚠️ **Set two prerequisites:** RSA **and** HMAC

```json
{
  "summary": "Digital signatures provide three cryptographic guarantees: authentication (the signer holds the private key), integrity (the signed data has not been modified), and non-repudiation (the signer cannot deny signing). Unlike HMAC, which requires a shared secret, digital signatures use asymmetric key pairs — anyone can verify a signature using the public key, but only the key holder can create it.",
  "math_explanation": "RSA-PSS: Sign: σ = H(m)^d mod n. Verify: H(m) =? σ^e mod n. ECDSA: k random nonce, r=(k×G).x mod n, s=k⁻¹(H(m)+r×privkey) mod n. Verify: u1=H(m)×s⁻¹, u2=r×s⁻¹, check (u1×G+u2×Q).x mod n =? r.",
  "visual_type": "key_exchange_diagram",
  "security_notes": "ECDSA requires a unique random nonce k per signature — reusing k leaks the private key (Sony PS3 hack). Use deterministic ECDSA (RFC 6979) or Ed25519 (which doesn't require a nonce). RSA without PSS padding (PKCS#1 v1.5) is vulnerable to bleichenbacher attacks.",
  "use_cases": ["TLS certificates (X.509 signature chain)", "Code signing (software integrity)", "Git commit signing (GPG/SSH)", "Blockchain transactions (ECDSA)", "Email (DKIM signatures)", "JWT RS256/ES256"],
  "historical_context": "DSA (Digital Signature Algorithm) was proposed by NIST in 1991 and standardized as FIPS 186. RSA signatures became practical after the RSA patent expired in 2000. The Sony PS3 private key was extracted in 2010 when they reused the ECDSA nonce k=0 for all signatures.",
  "steps": [
    { "order": 1, "name": "Hash the message", "description": "Compute H(m) — a fixed-size digest of the message to sign. This ensures signatures work on any message size.", "formula": "h = H(m)", "state_representation": "h = SHA256('contract.pdf') = a3f2..." },
    { "order": 2, "name": "Sign with private key", "description": "Apply the private key operation to the hash. For RSA: σ = h^d mod n. For ECDSA: σ = (r, s) using random nonce k.", "formula": "\\sigma = h^d \\mod n \\quad \\text{(RSA-PSS)}", "state_representation": "σ = signature bytes (256 bytes for RSA-2048)" },
    { "order": 3, "name": "Publish signature + public key", "description": "Attach the signature to the message. Publish (or make available) the signer's public key.", "state_representation": "(message, σ, publicKey)" },
    { "order": 4, "name": "Verify with public key", "description": "Anyone can verify: apply the public key to σ and check it matches H(m). For RSA: check σ^e mod n = H(m).", "formula": "\\sigma^e \\mod n \\stackrel{?}{=} H(m)", "state_representation": "Valid: hash matches ✓. Tampered message would not match ✗" }
  ],
  "example": {
    "input": "contract.pdf",
    "key": "RSA-2048 private key",
    "output": "256-byte signature σ",
    "step_outputs": [
      { "step": 1, "value": "h = SHA256(contract.pdf) = a3f2d7..." },
      { "step": 2, "value": "σ = h^d mod n (sign with private key)" },
      { "step": 3, "value": "Publish: (document, σ, pubkey)" },
      { "step": 4, "value": "Verify: σ^e mod n = h ✓ — authentic and unmodified" }
    ]
  }
}
```

---

## 16. Lattice Cryptography
**Slug:** `lattice-cryptography` | **Category:** `post_quantum` | **Difficulty:** 5 | **XP:** 75 | **Prerequisites:** ECC

```json
{
  "summary": "Lattice cryptography is the leading candidate for post-quantum secure encryption. Unlike RSA and ECC, lattice problems — specifically Learning With Errors (LWE) and its variants — are believed to be hard even for quantum computers. CRYSTALS-Kyber (now ML-KEM) was standardized by NIST in 2024 as the first post-quantum key encapsulation mechanism.",
  "math_explanation": "Learning With Errors (LWE): given matrix A (n×m), secret s (m×1), error e (n×1, small), solve for s given b = As + e (mod q). The error term e makes this hard even structurally. Ring-LWE: works in polynomial ring ℤq[x]/(xⁿ+1) for efficiency. CRYSTALS-Kyber security ≈ breaking LWE with n=256, q=3329.",
  "visual_type": "none",
  "security_notes": "Kyber/ML-KEM is the NIST-standardized post-quantum KEM (FIPS 203, 2024). For signatures, use ML-DSA (CRYSTALS-Dilithium, FIPS 204). These algorithms have larger key/ciphertext sizes than ECC: Kyber-768 has 1184-byte public keys vs 65 bytes for ECDH P-256. Hybrid mode (classical + PQ) is currently recommended.",
  "use_cases": ["Post-quantum TLS (NIST ML-KEM, FIPS 203)", "Signal Protocol — PQXDH (deployed 2023)", "Google Chrome — X25519Kyber768 hybrid (2023)", "Cloudflare post-quantum experiments", "Long-term secure government communications"],
  "historical_context": "Lattice cryptography was proposed by Ajtai in 1996. The LWE problem was introduced by Oded Regev in 2005. NIST launched the Post-Quantum Cryptography standardization competition in 2016. In 2022, CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+ were selected. Final standards (FIPS 203, 204, 205) were published in August 2024.",
  "steps": [
    { "order": 1, "name": "Understanding lattices", "description": "A lattice is a grid of points in n-dimensional space. Cryptographic hardness comes from the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP).", "state_representation": "2D: grid points (a, b) for integers a, b. Hard: find the shortest non-zero grid vector." },
    { "order": 2, "name": "Learning With Errors (LWE)", "description": "Given A×s + small_error (mod q), recover s. The random 'noise' e makes the problem hard even knowing A.", "formula": "\\mathbf{b} = \\mathbf{A}\\mathbf{s} + \\mathbf{e} \\pmod{q}", "state_representation": "A public, e tiny random noise, s = secret key" },
    { "order": 3, "name": "ML-KEM (Kyber) Key Generation", "description": "Generate random matrix A, secret s, error e. Public key: (A, b=As+e). Private key: s.", "state_representation": "Public: (A, b). Private: s. n=256, q=3329 in Kyber-512" },
    { "order": 4, "name": "Encapsulation", "description": "Sender samples fresh randomness r, computes ciphertext and shared secret K. Without s, recovering K requires solving LWE.", "formula": "K, C = \\text{Encaps}(pk, r)", "state_representation": "C = 768 bytes (Kyber-512), K = 32-byte shared secret" },
    { "order": 5, "name": "Decapsulation", "description": "Receiver uses private key s to recover K from C. Correctness holds because errors cancel with s.", "formula": "K = \\text{Decaps}(sk, C)", "state_representation": "K recovered = same 32-byte shared secret ✓" }
  ],
  "example": {
    "input": "Public key (A, b), random r",
    "output": "Shared secret K (32 bytes), Ciphertext C",
    "step_outputs": [
      { "step": 1, "value": "Lattice dimension n=256, modulus q=3329" },
      { "step": 2, "value": "LWE: b = As + e (mod q)" },
      { "step": 3, "value": "KeyGen → pk=(A,b), sk=s" },
      { "step": 4, "value": "Encaps → C=768 bytes, K=32 bytes" },
      { "step": 5, "value": "Decaps(sk, C) = K ✓ (quantum-safe)" }
    ]
  }
}
```