Update README.md

Author: sunshineluyao

README.md

@@ -31,8 +31,27 @@
 
 ---
 
+<details>
+<summary><strong>🔬 What makes this "quantum"? — A plain-language primer</strong></summary>
+<br>
+
+Classical computers store information as **bits** — each one is either 0 or 1, like a light switch that is either off or on. A quantum computer uses **qubits**, which exploit two phenomena from quantum mechanics:
+
+- **Superposition** — a qubit can be 0 and 1 *simultaneously* until it is measured, much like a coin spinning in the air is neither heads nor tails until it lands.
+- **Entanglement** — two qubits can be linked so that measuring one instantly determines the state of the other, regardless of the distance between them. Einstein famously called this "spooky action at a distance."
+
+This project uses a **quantum simulator** (AWS Braket SV1) to run small quantum circuits and harvest the inherent randomness of quantum measurement. The result is a number that is fundamentally unpredictable — not just hard to predict, but *physically impossible* to predict before the measurement occurs. That number seeds a cryptographic signature unique to each event participant.
+
+**Why does this matter for identity?** Traditional random-number generators on classical computers are *pseudo*-random — they follow a deterministic algorithm that could, in principle, be reverse-engineered. Quantum randomness has no such algorithm underneath it. Using it as the root of a signature means the identity token carries a provenance that classical systems cannot replicate.
+
+</details>
+
+---
+
 ## 🌐 Overview
 
+> **In plain terms:** Think of this as a live digital bulletin board for an event. Attendees post photos and messages in a Telegram group chat; those posts instantly appear as colourful sticky notes on a shared web screen — each one stamped with a unique identity token that was generated by a quantum computer. No two tokens are alike, and the randomness behind each one is rooted in the laws of physics rather than software.
+
 When a participant sends a photo or message **@mentioning the bot** in a configured Telegram group, the system:
 
 1. **Validates** the webhook request and sanitizes all input
@@ -60,6 +79,8 @@ Each user's signature is computed **once** on their first message and reused the
 
 ## 🏗️ Architecture
 
+> **In plain terms:** The system has three layers — a *front door* (CloudFront CDN) that the public sees, a *processing engine* (a containerised web server running on AWS) that handles logic, and a *data layer* (database + file storage + quantum computer) that stores and authenticates everything. Telegram acts as the input channel: it pushes new messages to the engine the moment they are sent.
+
 ```
 ┌─────────────────────────────────────────────────────────────────────┐
 │                        USER INTERFACE                               │
@@ -90,6 +111,24 @@ Each user's signature is computed **once** on their first message and reused the
 └─────────┘  └─────────┘  └──────────────────────────────────────────┘
 ```
 
+<details>
+<summary><strong>🔬 Why these architectural choices? — Concepts explained</strong></summary>
+<br>
+
+**CDN (Content Delivery Network — CloudFront)**
+A CDN is a geographically distributed network of servers that caches and delivers content from the location closest to each user. Think of it as having a local post office in every city rather than one central warehouse: your letter (web page) arrives faster because it travels a shorter distance. CloudFront also acts as a security shield — it strips malicious headers and enforces HTTPS before any request reaches the application.
+
+**Containers & ECS Fargate**
+A container packages an application and all its dependencies into a single, portable unit — like a shipping container that can be loaded onto any vessel regardless of what is inside. ECS Fargate runs these containers on AWS without requiring you to manage the underlying servers. The system automatically adds more containers when traffic spikes (e.g., during a live event) and removes them when traffic drops, so you only pay for what you use.
+
+**DynamoDB (NoSQL database)**
+Traditional relational databases store data in rigid tables with fixed columns, like a spreadsheet. DynamoDB is a *NoSQL* database that stores flexible documents, making it well-suited for message data where each record may have different fields (some messages have photos, some do not). It scales automatically and charges per read/write operation rather than per server — ideal for bursty event traffic.
+
+**Webhook vs. polling**
+A *webhook* is a "push" model: Telegram calls your server the instant a new message arrives, like a doorbell. The alternative — *polling* — would mean your server repeatedly asks Telegram "any new messages?" every few seconds, like repeatedly checking your mailbox. The backend uses a webhook for receiving messages (efficient, near-instant) while the browser uses polling to refresh the wall display (simpler, sufficient for a 5-second update cadence).
+
+</details>
+
 ### AWS Infrastructure at a Glance
 
 | Service | Role |
@@ -175,7 +214,9 @@ quantum-web3-interactive-registration-main/
 
 ## ⚛️ Quantum Signatures
 
-Every unique sender receives a **quantum-authenticated identity** generated by the AWS Braket SV1 state-vector simulator:
+> **In plain terms:** Every person who posts on the wall receives a unique "quantum fingerprint" — a short code that was generated using the genuine randomness of quantum physics. It is displayed as a badge on their sticky note (`Q#452 | 7B284BB3D413`) and serves as a tamper-evident identity token for the duration of the event.
+
+### How it works — step by step
 
 ```
 Step 1 — 4-qubit Random Number Circuit
@@ -195,10 +236,61 @@ Step 4 — Visual Color
   → unique per-user card border color
 ```
 
+<details>
+<summary><strong>🔬 Unpacking the science — intuition for each step</strong></summary>
+<br>
+
+**Step 1 — Quantum Random Number Generation (4-qubit circuit)**
+
+A classical computer generates "random" numbers using a mathematical formula seeded by something like the current time. Given the same seed, it always produces the same sequence — it is *deterministic*. A quantum circuit is different.
+
+The circuit places four qubits into **superposition** using Hadamard (H) gates — each qubit is simultaneously 0 and 1. CNOT gates then **entangle** the qubits, linking their fates together. Finally, the circuit is measured 100 times ("100 shots"). Each measurement collapses the superposition and produces a random bitstring (e.g., `0110`, `1001`, `1101`…). The most frequently observed bitstring is converted to an integer — the *quantum number*.
+
+The key insight: the outcome of each measurement is not determined by any prior state of the universe. It is genuinely random, in the same sense that radioactive decay is random. No algorithm, no matter how powerful, could have predicted it.
+
+**Step 2 — Bell State Measurement (2-qubit circuit)**
+
+A Bell state is one of the simplest and most famous examples of quantum entanglement. The circuit creates the state |Φ+⟩ = (|00⟩ + |11⟩) / √2 — meaning the two qubits are perfectly correlated: when measured, they are *always* both 0 or both 1, never mixed. Measuring this 200 times produces a probability distribution across the four possible outcomes (|00⟩, |01⟩, |10⟩, |11⟩).
+
+In an ideal simulator, you expect roughly 50% |00⟩ and 50% |11⟩. The small deviations from perfect 50/50 — caused by the seed-based rotations applied in Step 1 — are unique to each user's input and contribute additional entropy to the signature.
+
+**Step 3 — ToyLWE Signature**
+
+LWE stands for **Learning With Errors**, a mathematical problem that is believed to be hard even for quantum computers to solve — making it a candidate for *post-quantum cryptography*. The "Toy" prefix signals that this implementation is a simplified, illustrative version rather than a production-hardened cryptographic primitive.
+
+The quantum number from Step 1 is mixed with the user's name and random bytes using SHAKE-256 (a cryptographic hash function) to produce a *public key hash* — a short, shareable fingerprint. A second hash chain produces the *signature* itself. Together they form a pair: the signature can be verified against the public key hash, but the public key hash cannot be reversed to recover the original inputs.
+
+**Step 4 — Visual Color from Quantum Data**
+
+The quantum number and Bell state probabilities are mapped to an HSL (Hue, Saturation, Lightness) colour value. HSL is a perceptually intuitive colour model: hue is the "colour wheel" position (0°–360°), saturation is how vivid the colour is, and lightness is how bright it is. Because the quantum number spans 0–1000 and the Bell probabilities add continuous variation, each user's colour is visually distinct — you can literally *see* the quantum identity on the wall.
+
+</details>
+
 **Displayed on each card as:** `Q#452 | 7B284BB3D413`
 
 > Signature is computed **once per sender per group** and reused on all subsequent messages. If Braket is unavailable, the system falls back to a local crypto-seeded equivalent — the wall never blocks.
 
+### Quantum Circuit Diagrams
+
+**Circuit A — 4-qubit Random Number Generator**
+```
+q[0]: ─ H ─ ● ─────────── Ry(θ₀) ─ M
+q[1]: ─ H ─ ⊕ ─ ● ─────── Ry(θ₁) ─ M
+q[2]: ─ H ─────── ⊕ ─ ● ─ Ry(θ₂) ─ M
+q[3]: ─ H ─────────── ⊕ ─ Ry(θ₃) ─ M
+
+θᵢ = π × (charCode(username[i]) mod 128) / 128
+Shots: 100  →  most frequent bitstring  →  quantumNumber
+```
+
+**Circuit B — 2-qubit Bell State |Φ+⟩**
+```
+q[0]: ─ H ─ ● ─ M
+q[1]: ───── ⊕ ─ M
+
+Shots: 200  →  [P(00), P(01), P(10), P(11)]  →  bellState
+```
+
 ---
 
 ## 🚀 Quick Start
@@ -329,6 +421,26 @@ aws secretsmanager get-secret-value \
 
 ## 🛡️ Security Model
 
+> **In plain terms:** The system is designed so that even if an attacker intercepts network traffic, gains access to the server's environment variables, or finds the public URL of the load balancer, they still cannot read messages, forge requests, or access photos. Every sensitive credential lives in a dedicated secrets vault, and every layer of the stack validates that requests come from a legitimate source before acting on them.
+
+<details>
+<summary><strong>🔬 Security concepts explained for non-specialists</strong></summary>
+<br>
+
+**Why "secrets in Secrets Manager" matters**
+Developers often accidentally commit API keys or passwords directly into source code, where they become visible to anyone with repository access — and to automated scanners that continuously harvest leaked credentials from public repos. AWS Secrets Manager is a dedicated vault: the application retrieves credentials at runtime using an IAM role, so the actual values never appear in code, configuration files, or container images.
+
+**What is TLS / HTTPS?**
+TLS (Transport Layer Security) is the protocol that encrypts data in transit between your browser and a server. The padlock icon in your browser's address bar indicates TLS is active. Without it, anyone on the same network (e.g., a coffee-shop Wi-Fi) could read the data flowing between you and the site. HSTS (HTTP Strict Transport Security) is an additional instruction that tells browsers to *always* use HTTPS for this domain, even if a user types `http://` — preventing downgrade attacks.
+
+**What is XSS (Cross-Site Scripting)?**
+If a web application displays user-submitted text without sanitizing it, an attacker can submit text that contains JavaScript code. When other users view the page, their browsers execute that code — potentially stealing session tokens or redirecting them to malicious sites. This system encodes all user input as HTML entities (e.g., `<` becomes `&lt;`) before storing or displaying it, so injected code is rendered as harmless text.
+
+**What is least-privilege IAM?**
+IAM (Identity and Access Management) controls what AWS resources each component is allowed to access. "Least privilege" means each component is granted only the minimum permissions it needs — the web server can read from DynamoDB and S3, but cannot, for example, delete IAM roles or access other AWS accounts. This limits the blast radius if any component is compromised.
+
+</details>
+
 | Layer | Mechanism |
 |---|---|
 | **Secrets** | All tokens and passwords in AWS Secrets Manager — never in code or env files |
@@ -421,6 +533,23 @@ ngrok http 3000
 
 ## 🔌 API Reference
 
+> **In plain terms:** An API (Application Programming Interface) is a set of defined "doors" through which different software components talk to each other. Each row in the table below is one such door — it has an address (the endpoint), a method (what kind of action: read, write, delete), and an access rule (who is allowed to knock). Telegram uses the webhook door to push new messages in; browsers use the messages door to pull the wall display; the admin uses the admin doors to moderate content.
+
+<details>
+<summary><strong>🔬 REST and HTTP methods — a quick primer</strong></summary>
+<br>
+
+The web uses HTTP as its communication protocol. HTTP defines several *methods* that describe the intent of a request:
+
+- **GET** — retrieve information without changing anything (like reading a notice board)
+- **POST** — submit new data to be processed (like posting a letter)
+- **PATCH** — partially update an existing record (like correcting one field on a form)
+- **DELETE** — remove or hide a record
+
+REST (Representational State Transfer) is a convention for organising these methods around *resources* — in this case, messages, groups, and admin actions. A RESTful API is predictable: if you know the resource name and the method, you can infer what the endpoint does.
+
+</details>
+
 | Method | Endpoint | Auth | Description |
 |---|---|---|---|
 | `POST` | `/api/webhook/[groupId]` | Telegram secret token | Receive Telegram updates |
@@ -439,6 +568,8 @@ ngrok http 3000
 
 ## ⚙️ ECS Scaling Parameters
 
+> **In plain terms:** The system runs on a minimum of one server at all times (so it is always ready to receive Telegram messages) and can automatically spin up to four servers within 30 seconds if a large crowd starts posting simultaneously. When the rush subsides, extra servers are shut down after 60 seconds to avoid unnecessary cost. This elastic behaviour is a core advantage of cloud-native infrastructure — capacity follows demand rather than being fixed at the peak.
+
 | Parameter | Value | Rationale |
 |---|---|---|
 | Min instances | 1 | Always-on for webhook reception |
@@ -451,6 +582,22 @@ ngrok http 3000
 
 ---
 
+## 🌍 Interdisciplinary Context
+
+This project sits at the intersection of three fields that rarely appear together in a single deployable system:
+
+| Field | Contribution to this project |
+|---|---|
+| **Quantum computing** | Provides physically irreducible randomness as the root of identity tokens — a property no classical algorithm can replicate |
+| **Cryptography** | Transforms raw quantum randomness into a structured, verifiable signature using hash functions and a post-quantum-inspired scheme (ToyLWE) |
+| **Distributed systems / cloud engineering** | Delivers the result reliably at event scale — handling concurrent users, graceful degradation, and data persistence across a globally distributed infrastructure |
+
+**Why combine them?** Each field compensates for the others' limitations. Quantum computing alone produces randomness but not structure. Cryptography provides structure but depends on the quality of its random inputs. Cloud infrastructure provides scale and reliability but has no inherent mechanism for generating unforgeable identity tokens. Together, they produce something none could achieve alone: a live, scalable, quantum-authenticated social display.
+
+**On the "ToyLWE" label:** LWE (Learning With Errors) is a lattice-based cryptographic problem that underpins several NIST post-quantum cryptography standards (e.g., CRYSTALS-Kyber, CRYSTALS-Dilithium). The "Toy" implementation here is intentionally simplified for demonstration — it captures the structural intuition of LWE (mixing a secret with noise) without the full parameter hardening required for production security. It is best understood as a pedagogical bridge between quantum randomness and post-quantum cryptographic concepts.
+
+---
+
 <div align="center">
 
 **Built with** ⚛️ quantum computing · ☁️ AWS serverless · 🤖 Telegram Bot API · ⚡ Next.js 15