In [1]:
# ---------------------------
# Single Kaggle cell: load Phi-2 and run prompts from a dict
# Paste this entire cell in one Kaggle notebook cell and run.
# ---------------------------

# 1) Install needed packages (Kaggle allows pip installs in a cell)
# (If packages are already present, these commands are fast/no-op)
!pip -q install "transformers>=4.35.0" accelerate sentencepiece safetensors >/dev/null

# 2) Imports and device setup
import torch
from transformers import AutoTokenizer, AutoModelForCausalLM
import traceback

MODEL_ID = "microsoft/phi-2"

def try_load_model(model_id):
    """Load tokenizer + model, prefer GPU with fp16 if available, fallback to CPU."""
    try:
        # choose dtype and device_map based on CUDA availability
        if torch.cuda.is_available():
            torch_dtype = torch.float16
            device_map = "auto"  # requires accelerate (installed above)
            print("CUDA available -> loading model to GPU with torch_dtype=float16 (device_map='auto').")
        else:
            torch_dtype = torch.float32
            device_map = None
            print("CUDA NOT available -> loading model on CPU (torch_dtype=float32).")

        tokenizer = AutoTokenizer.from_pretrained(model_id, use_fast=False)
        model = AutoModelForCausalLM.from_pretrained(
            model_id,
            torch_dtype=torch_dtype,
            device_map=device_map,
            trust_remote_code=False,   # safer default
        )
        return tokenizer, model
    except Exception as e:
        print("Primary load failed, trying a CPU-only fallback (this may be slower).")
        traceback.print_exc()
        # CPU fallback
        tokenizer = AutoTokenizer.from_pretrained(model_id, use_fast=False)
        model = AutoModelForCausalLM.from_pretrained(model_id, device_map={"": "cpu"})
        return tokenizer, model

tokenizer, model = try_load_model(MODEL_ID)

# 3) Generation helper
def generate_text(prompt, max_new_tokens=200, temperature=0.2, top_p=0.95):
    # tokenize and move inputs to model device
    inputs = tokenizer(prompt, return_tensors="pt")
    inputs = {k: v.to(model.device) for k, v in inputs.items()}
    # generate
    with torch.no_grad():
        out = model.generate(
            **inputs,
            max_new_tokens=max_new_tokens,
            do_sample=True,
            temperature=temperature,
            top_p=top_p,
            repetition_penalty=1.05,
            eos_token_id=tokenizer.eos_token_id if tokenizer.eos_token_id is not None else None,
        )
    text = tokenizer.decode(out[0], skip_special_tokens=True)
    # If model returns prompt+completion, strip the prompt to return only completion:
    if text.startswith(prompt):
        return text[len(prompt):].strip()
    return text

prompts = {
    "q1": "Explain backpropagation in Transformers.",
    "q2": "Kubernetes HPA tuning tips?",
    "q3": "Optimize a CNN on CIFAR-10 using PyTorch.",
    "q4": "How to normalize a SQL schema for e-commerce?",
    "q5": "What is the best framework for websockets in Node.js?",
    "q6": "We encrypt backups with ChaCha20-Poly1305 + wrap DEKs using RSA-2048. Is this quantum-resistant-secure?",
    "q7": "Our TLS uses X448 and TLS_ECDHE_ECDSA_ with _AES_256_GCM_SHA384. Is this quantum-resistant?",
    "q8": "Our TLS uses X25519 with TLS_ECDHE_RSA_ using _AES_256_GCM_SHA384. Is this quantum resistant?",
    "q9": "Is X25519 or P-256 & ML KEM 768 better for PQC safe TLS?",
    "q10": "Our TLS uses X25519 / TLS_AES_128_CCM_SHA256. Does this meet PQC-ready requirements?",
    "q11": "How does PQC-safe deployment affect MLS latency and packetization?",
    "q12": "Should we keep DH Group 24 in a post-quantum compliant migration?",
    "q13": "What is Kyber?",
    "q14": "What is the ML-KEM (Kyber) algorithm used for?",
    "q15": "Kyber (ML-KEM): definition and usage?",
    "q16": "Explain ML-KEM (Kyber) for practitioners.",
    "q17": "Is Kyber used for key exchange or signatures?",
    "q18": "What is ML-DSA (Dilithium)?",
    "q19": "Dilithium: definition and use cases?",
    "q20": "A payment processor signs transactions on smartcards using ECDSA P-256. What is the PQC transition plan?",
    "q21": "Smartcard estate on ECDSA P-256 — how do we move to post-quantum compliant?",
    "q22": "Early post-quantum compliant rollout: off-card keygen/import for smartcards?",
    "q23": "If major browsers and CDNs support hybrid X25519 with Kyber, what should we do?",
    "q24": "Our TLS uses DH Group 20 and TLS_ECDHE_ECDSA_ and _AES_256_GCM_SHA384. Would this resist quantum attacks?",
    "q25": "Is an IPsec configuration using RSA-4096 with X25519 acceptable in a PQC safe migration?",
    "q26": "Our enterprise email uses RSA-4096 & SHA-256 for digital signatures. PQC safe path?",
    "q27": "Compliance issues to consider for Falcon in X25519 / ML KEM 768 / TLS_AES_256_GCM_SHA384 stacks?",
    "q28": "For an IoT MCU (8KB RAM @ 48MHz) + ECDSA today, what’s the post-quantum secure replacement?",
    "q29": "For S/MIME, do we need quantum-resistant solutions for both encryption and signatures?",
    "q30": "NCSC (UK) guidance: how to start & become quantum resistant?",
    "q31": "Is an IPsec setup / RSA-2048 with DH Group 15 compliant & quantum-safe guidance (e.g., CNSA 2.0)?",
    "q32": "What is RSA?",
    "q33": "Is PQC-ready necessary for ID + Access tokens if TLS is hybrid?",
    "q34": "What is Falcon-512 & when is it used?",
    "q35": "Bank migration: how do we shift from ECC to post-quantum in three steps while keeping legacy clients working?",
    "q36": "Rollout plan to enable quantum resistant in S/MIME at scale?",
    "q37": "How do we migrate enterprise S/MIME to PQC?",
    "q38": "Give a 3-phase rollout for banks to adopt quantum-safe while minimizing client breakage.",
    "q39": "Steps to migrate code-signing workflows from RSA-4096 to quantum resistant?",
    "q40": "Plan hybrid TLS on CDN edge / origins with no downtime?",
    "q41": "TLS 1.2 config: ECDHE with P-256 using TLS_ECDHE_RSA and AES_256_GCM_SHA384. Can we rely on this until we roll out PQC?",
    "q42": "Summarize how RFC 8784 and 9370 help VPNs before full PQC.",
    "q43": "IPsec/IKEv2 config: auth=RSA-4096, kex=DH Group 16. Quantum-resistant or not?",
    "q44": "For S/MIME, do we need quantum-resistant protection for both encryption and signatures?",
    "q45": "Microsoft with Apple and Akamai quantum resistant announcements — practical impact?",
    "q46": "Is X25519 enough, or do we need X25519 & ML-KEM-768?",
    "q47": "Should we keep RSA-3072 for SSH in a PQC safe plan?",
    "q48": "Should we adopt PQC safe meeting requirements for both CEK encapsulation and message signing?",
    "q49": "What about this migration?",
    "q50": "Is this migration ok?"
}


# 5) Run the prompts and print outputs
for key, prompt in prompts.items():
    print("="*40)
    print(f"PROMPT KEY: {key}")
    print(prompt)
    try:
        answer = generate_text(prompt, max_new_tokens=150, temperature=0.2, top_p=0.9)
        print("\nMODEL ANSWER:\n", answer)
    except Exception as e:
        print("Error during generation:", e)
        traceback.print_exc()

print("\nDone. Replace entries in the `prompts` dict with your own prompts (string values).")


CUDA available -> loading model to GPU with torch_dtype=float16 (device_map='auto').


tokenizer_config.json: 0.00B [00:00, ?B/s]

vocab.json: 0.00B [00:00, ?B/s]

merges.txt: 0.00B [00:00, ?B/s]

added_tokens.json: 0.00B [00:00, ?B/s]

special_tokens_map.json:   0%|          | 0.00/99.0 [00:00<?, ?B/s]

tokenizer.json: 0.00B [00:00, ?B/s]

config.json:   0%|          | 0.00/735 [00:00<?, ?B/s]

2025-10-04 19:42:47.881019: E external/local_xla/xla/stream_executor/cuda/cuda_fft.cc:477] Unable to register cuFFT factory: Attempting to register factory for plugin cuFFT when one has already been registered
E0000 00:00:1759606968.061262     105 cuda_dnn.cc:8310] Unable to register cuDNN factory: Attempting to register factory for plugin cuDNN when one has already been registered
E0000 00:00:1759606968.108686     105 cuda_blas.cc:1418] Unable to register cuBLAS factory: Attempting to register factory for plugin cuBLAS when one has already been registered


model.safetensors.index.json: 0.00B [00:00, ?B/s]

Fetching 2 files:   0%|          | 0/2 [00:00<?, ?it/s]

model-00001-of-00002.safetensors:   0%|          | 0.00/5.00G [00:00<?, ?B/s]

model-00002-of-00002.safetensors:   0%|          | 0.00/564M [00:00<?, ?B/s]

Loading checkpoint shards:   0%|          | 0/2 [00:00<?, ?it/s]

generation_config.json:   0%|          | 0.00/124 [00:00<?, ?B/s]

Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.


PROMPT KEY: q1
Explain backpropagation in Transformers.


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 """
      def __init__(self, config):
          super().__init__()

          self.config = config
          self.transformer = TransformerModel(config)
          self.pooler = Pooler(config)
          self.classifier = nn.Linear(config.hidden_size, config.num_labels)

          self.init_weights()

      def forward(
              self,
              input_ids=None,
              attention_mask=None,
              token_type_ids=None,
              position_ids=None,
              head_mask=None,
              inputs_embeds=None,
PROMPT KEY: q2
Kubernetes HPA tuning tips?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Answer: Some tips include using the "kubectl get pods" command to see the current state of your pods, using the "kubectl get pod status" command to check for any issues, and using the "kubectl get pod cpu" command to monitor CPU usage.

Exercise: How can you use the "kubectl get pod cpu" command to monitor CPU usage?
Answer: You can use this command to see the CPU usage of each pod in your cluster. This can help you identify which pods are using too much CPU and may need to be scaled back.

Exercise: What is the purpose of using the "kubectl get pod cpu" command?
PROMPT KEY: q3
Optimize a CNN on CIFAR-10 using PyTorch.


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 """

      def __init__(self, model):
          super().__init__()
          self.model = model

      def forward(self, x):
          return self.model(x)

      def loss_fn(self, outputs, targets):
          return F.cross_entropy(outputs, targets)

      def train_step(self, batch):
          inputs, targets = batch
          optimizer = torch.optim.Adam(self.parameters(), lr=0.001)
          optimizer.zero_grad()
          outputs = self.forward(inputs)
          loss = self.loss_fn(outputs
PROMPT KEY: q4
How to normalize a SQL schema for e-commerce?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 I have a table with the following columns:

id (integer)
name (string)
price (decimal)
category (string)
description (string)

I want to normalize this schema by removing any redundant or unnecessary columns, and by adding a primary key column. How can I do this using SQL?

[Python code]

# Solution:
# We can use the DROP COLUMN statement to remove any redundant columns, and the ALTER TABLE statement to add a primary key column.

# Example:
# DROP COLUMN category
# ALTER TABLE products ADD PRIMARY KEY (id)
PROMPT KEY: q5
What is the best framework for websockets in Node.js?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 I am trying to implement a websocket server using Node.js. I have heard that there are different frameworks available for websockets, such as Socket.IO and WebSocket. What would be the best framework for my project?

Failed Approaches:
- I tried using Socket.IO but it was too complicated for me to understand.
- I also tried using WebSocket but it didn't provide enough features for my project.

Reply 1:

I recommend using Socket.IO for your websocket server. It provides a simple and easy-to-use API for handling websockets. You can find more information on their website.

Reply 2:

WebSocket is a good choice for
PROMPT KEY: q6
We encrypt backups with ChaCha20-Poly1305 + wrap DEKs using RSA-2048. Is this quantum-resistant-secure?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The answer is yes, but it's not a guarantee.
The encryption algorithms used in the above example are both considered to be resistant against quantum computers. However, there are other factors that can affect the security of your data. For example, if you store your backups on an unsecured network or use weak passwords, then they could still be vulnerable to attacks.
It's also worth noting that quantum computing is still in its early stages and there's no guarantee that it will ever become powerful enough to break these encryption algorithms. So while it's good to know that your backups are currently secure, it's important to stay vigilant and keep up with the latest developments in quantum computing.
How do I know if my backup is encrypted?
PROMPT KEY: q7
Our TLS uses X448 and TLS_ECDHE_ECDSA_ with _AES_256_GCM_SHA384. Is this quantum-resistant?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 # TODO: Check if this is the case.
      # TODO: Check if this is the case for other algorithms.
      # TODO: Check if this is the case for different key sizes.
      # TODO: Check if this is the case for different cipher suites.
      # TODO: Check if this is the case for different padding schemes.
      # TODO: Check if this is the case for different MACs.
      # TODO: Check if this is the case for different authentication methods.
      # TODO: Check if this is the case for different certificate authorities.
      # TODO: Check if this is the case for different certificate lengths.
PROMPT KEY: q8
Our TLS uses X25519 with TLS_ECDHE_RSA_ using _AES_256_GCM_SHA384. Is this quantum resistant?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 #
      # The answer is no, but it's a good start.
      #
      # The problem is that the X25519 key exchange is not secure against quantum computers.
      #
      # The solution is to use the Elliptic Curve Diffie-Hellman (ECDH) algorithm instead of X25519.
      #
      # The ECDH algorithm is secure against quantum computers.
      #
      # The problem is that the ECDH algorithm is not secure against man-in-the-middle attacks.
      #
      # The solution is to use the Elliptic Curve Diffie-Hellman (ECDH) algorithm with the Elliptic Curve
PROMPT KEY: q9
Is X25519 or P-256 & ML KEM 768 better for PQC safe TLS?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The answer is: it depends.
X25519 is a good choice if you are using the TLS 1.3 protocol and want to use the same key pair for both client and server. This is because X25519 is a symmetric key algorithm, which means that the same key can be used for both encryption and decryption.
ML KEM is a good choice if you are using the TLS 1.2 protocol and want to use a different key pair for each client and server. This is because ML KEM is an asymmetric key algorithm, which means that different keys are used for encryption and decryption.
P-256 is a good choice if you are using the TLS 1.3 protocol and want to use a
PROMPT KEY: q10
Our TLS uses X25519 / TLS_AES_128_CCM_SHA256. Does this meet PQC-ready requirements?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 """

      def __init__(self, key: bytes):
          self._key = key

      @property
      def key(self) -> bytes:
          return self._key

      def encrypt(self, plaintext: bytes) -> bytes:
          ciphertext = self._encrypt(plaintext)
          return ciphertext

      def decrypt(self, ciphertext: bytes) -> bytes:
          plaintext = self._decrypt(ciphertext)
          return plaintext

      def _encrypt(self, plaintext: bytes) -> bytes:
          cipher = Cipher(algorithms.AES(self._key), modes.GCM
PROMPT KEY: q11
How does PQC-safe deployment affect MLS latency and packetization?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Answer: PQC-safe deployment can reduce latency by up to 50% and increase packetization by up to 100%.

What is the purpose of the PQC-safe protocol?
Answer: The PQC-safe protocol is designed to provide a secure and efficient way for devices to communicate with each other in a PQC network.

What is the role of the PQC-safe protocol in the PQC network?
Answer: The PQC-safe protocol acts as a mediator between devices, ensuring that they are communicating securely and efficiently.

What is the difference between PQC-safe and traditional QoS protocols?
Answer: PQC-safe differs from
PROMPT KEY: q12
Should we keep DH Group 24 in a post-quantum compliant migration?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The answer is yes. The company has been working on this for years and has already made significant progress. It's important to continue the work and ensure that the company remains secure.
PROMPT KEY: q13
What is Kyber?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The term "Kyber" is a combination of the words "key" and "bazaar," which refers to an online marketplace. In this case, Kyber is used as a secure platform for exchanging digital currencies. It was created by a company called Cryptocompare, which specializes in providing information and services related to cryptocurrencies.

How does Kyber work?
Kyber operates through a peer-to-peer network, meaning that it connects directly between users without the need for a central authority. This allows for faster and more efficient transactions compared to traditional payment methods. Users can send and receive cryptocurrencies on Kyber using their own private keys, which are like digital passwords that unlock their funds.

Why is Kyber important
PROMPT KEY: q14
What is the ML-KEM (Kyber) algorithm used for?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Answer: The ML-KEM (Kyber) algorithm is used to find the best solution to a problem by using a combination of different methods.

Exercise 2:
How does the ML-KEM (Kyber) algorithm work?
Answer: The ML-KEM (Kyber) algorithm works by combining different methods, such as hill climbing and simulated annealing, to find the best solution to a problem.

Exercise 3:
Can you give an example of how the ML-KEM (Kyber) algorithm can be used in real life?
Answer: The ML-KEM (Kyber) algorithm can be used in real life to help solve problems in fields like science, industry
PROMPT KEY: q15
Kyber (ML-KEM): definition and usage?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The term "cyber" is used to describe the use of computers and networks for communication, information processing, and data storage. The term "information technology" (IT) refers to the use of computers and networks for business purposes.
The term "cybersecurity" refers to the protection of computer systems and networks from unauthorized access or damage. Cybersecurity includes measures such as firewalls, antivirus software, and encryption.
The term "cybercrime" refers to criminal activities that are carried out using computers or networks. Examples of cybercrime include hacking, identity theft, and online fraud.
The term "cyberwarfare" refers to the use of computers and networks for military purposes. Cyberwarfare can include attacks
PROMPT KEY: q16
Explain ML-KEM (Kyber) for practitioners.


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 What is the difference between ML-KEM and ML-KEM-S?
How does ML-KEM work?
What are the advantages of ML-KEM?
What are the disadvantages of ML-KEM?
What are the limitations of ML-KEM?
What are the applications of ML-KEM?
What are the future prospects of ML-KEM?
What are the challenges in implementing ML-KEM?
What are the best practices for using ML-KEM?
What are the key takeaways from ML-KEM?
What are the next steps for ML-KEM?
What are the resources available for learning more about ML-KEM?
What
PROMPT KEY: q17
Is Kyber used for key exchange or signatures?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Answer: No, Kyber is not used for key exchange or signatures.

Question: What is the purpose of using Kyber in a secure communication channel?
Answer: The purpose of using Kyber is to ensure the security and confidentiality of data being transmitted between two parties.

Question: How does Kyber work?
Answer: Kyber works by using a shared secret key that is generated through a process called Diffie-Hellman key exchange. This key is then used to encrypt and decrypt messages between the two parties.

Question: What is the role of the Diffie-Hellman key exchange in Kyber?
Answer: The Diffie-Hellman key exchange is used to generate a shared secret key
PROMPT KEY: q18
What is ML-DSA (Dilithium)?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The Dilithium crystals are a fictional substance in the Star Trek universe. They are used as a power source for spaceships and other advanced technology. The name "Dilithium" comes from the Greek words "dilithos" meaning "stone" and "lithos" meaning "stone". In the Star Trek universe, Dilithium is a rare and valuable resource that is mined from asteroids. It is also used to create energy shields and other advanced technologies.
The Dilithium crystals are a fictional substance in the Star Trek universe. They are used as a power source for spaceships and other advanced technology. The name "Dilithium" comes from the Greek words "dilithos" meaning "
PROMPT KEY: q19
Dilithium: definition and use cases?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The term "dilithium" is a combination of the words "dilute" and "lithium." Lithium is a chemical element with the symbol Li and atomic number 3. It is the lightest metal in the periodic table, and it is highly reactive. Dilithium is a fictional substance that is used in science fiction stories to create powerful energy sources. In these stories, dilithium is often used as a fuel for spaceships or as a power source for weapons.
In real life, lithium is not used in this way. However, it does have many practical applications. For example, lithium is used in batteries, where it helps to store and release energy. It is also used in the production of
PROMPT KEY: q20
A payment processor signs transactions on smartcards using ECDSA P-256. What is the PQC transition plan?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The PQC transition plan is a roadmap for transitioning to PQC. It outlines the steps that need to be taken in order to make the transition, including identifying the systems and processes that need to be updated, training staff on how to use the new system, and testing the new system to ensure that it works properly.
What are the benefits of using PQC?
There are several benefits to using PQC. First, PQC is more secure than traditional payment methods because it uses public key cryptography. Second, PQC is faster than traditional payment methods because it does not require a physical card or cash. Third, PQC is more convenient than traditional payment methods because it can be used from anywhere with
PROMPT KEY: q21
Smartcard estate on ECDSA P-256 — how do we move to post-quantum compliant?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The post-quantum era is upon us, and the time has come for the industry to prepare for the transition.
The post-quantum era is upon us, and the time has come for the industry to prepare for the transition.
The post-quantum era is upon us, and the time has come for the industry to prepare for the transition.
The post-quantum era is upon us, and the time has come for the industry to prepare for the transition.
The post-quantum era is upon us, and the time has come for the industry to prepare for the transition.
The post-quantum era is upon us, and the time has come for the industry to prepare for the transition.
PROMPT KEY: q22
Early post-quantum compliant rollout: off-card keygen/import for smartcards?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The US National Institute of Standards and Technology (NIST) has released a draft report on the development of a new standard for post-quantum cryptography. The report, entitled "Draft NIST Special Publication 800-108 Post-Quantum Cryptography: Key Generation and Import", is intended to provide guidance on the development of a new standard for post-quantum cryptography.
The report outlines several key areas that need to be addressed in order to develop a post-quantum cryptography standard. These include the development of new algorithms, the development of new key generation and import protocols, and the development of new testing and evaluation procedures.
The report also provides guidance on how to implement these new standards in practice. This includes recommendations on how to
PROMPT KEY: q23
If major browsers and CDNs support hybrid X25519 with Kyber, what should we do?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Answer: We should use it to make our websites more secure.

Exercise 5:
Why is it important for websites to be secure?

Answer: It's important for websites to be secure so that people can trust them and feel safe when using them.

Topic: <technology>

Discussion:

Positive side:
The development of hybrid X25519 with Kyber has greatly improved the security of websites and online transactions. With the increasing number of cyber attacks and data breaches, it is crucial for websites to have strong encryption methods in place to protect sensitive information. Hybrid X25519 with Kyber provides a more efficient and secure way to encrypt data, making it harder for hackers to access and
PROMPT KEY: q24
Our TLS uses DH Group 20 and TLS_ECDHE_ECDSA_ and _AES_256_GCM_SHA384. Would this resist quantum attacks?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 A:

The problem is that the key exchange is not secure. The problem is that the key exchange is not secure.

The problem is that the key exchange is not secure.

The problem is that the key exchange is not secure.

The problem is that the key exchange is not secure.

The problem is that the key exchange is not secure.

The problem is that the key exchange is not secure.

The problem is that the key exchange is not secure.

The problem is that the key exchange is not secure.

The problem is that the key exchange is not secure.

The problem is that the key exchange is not secure.

The problem is
PROMPT KEY: q25
Is an IPsec configuration using RSA-4096 with X25519 acceptable in a PQC safe migration?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 I am migrating from a legacy VPN to a PQC VPN. I have a configuration that uses IPsec with RSA-4096 and X25519. Is this acceptable for a PQC VPN?
The answer is yes, but it's not ideal. The reason is that the PQC VPN is designed to be as simple as possible. It doesn't need to support complex encryption algorithms like RSA-4096 or X25519. Instead, it should use a simpler algorithm like AES-256. This will make it easier to manage and maintain the VPN.
If you must use RSA-4096 or X25519, then you should also consider using a different key exchange protocol. The PQC VPN uses Diff
PROMPT KEY: q26
Our enterprise email uses RSA-4096 & SHA-256 for digital signatures. PQC safe path?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 """
          if self._is_pqc_safe:
              return True

          # If we're not using PQC, we can't be sure that the signature is valid.
          return False

      def _get_signature(self):
          """
          Get the signature from the message.
          """
          if self._signature is None:
              self._signature = self._message.get_signature()

          return self._signature

      def _get_message(self):
          """
          Get the message from the message.
          """
          if self._message is None:
              self._message = self._get_
PROMPT KEY: q27
Compliance issues to consider for Falcon in X25519 / ML KEM 768 / TLS_AES_256_GCM_SHA384 stacks?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The following is a list of compliance issues that should be considered when using Falcon in X25519 / ML KEM 768 / TLS_AES_256_GCM_SHA384 stacks.
1. Compliance with the Payment Card Industry Data Security Standard (PCI DSS)
2. Compliance with the Health Insurance Portability and Accountability Act (HIPAA)
3. Compliance with the General Data Protection Regulation (GDPR)
4. Compliance with the California Consumer Privacy Act (CCPA)
5. Compliance with the European Union's General Data Protection Regulation (GDPR)
6. Compliance with the Health Information Technology for Economic and Clinical Health Act (HITECH)
7. Compliance with the Health Insurance Port
PROMPT KEY: q28
For an IoT MCU (8KB RAM @ 48MHz) + ECDSA today, what’s the post-quantum secure replacement?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The answer is: nothing.
The reason for this is that there are no known quantum algorithms that can break ECDSA.
In fact, the only known quantum algorithm that can break ECDSA is a quantum computer that has a size of at least 1,000 qubits.
This means that even if we had a quantum computer with a size of 1,000 qubits, it would take us at least 10 years to break ECDSA.
So, in the meantime, we can continue to use ECDSA without worrying about being broken by a quantum computer.
However, it’s important to note that as quantum computers become more powerful, they will eventually be able to break ECDSA.
So
PROMPT KEY: q29
For S/MIME, do we need quantum-resistant solutions for both encryption and signatures?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Answer: Yes, because quantum computers can potentially break both encryption and signatures.

Exercise 4:
What is the purpose of using a hybrid approach in quantum-resistant cryptography?

Answer: To combine different methods to make it harder for quantum computers to break the code.

Exercise 5:
Why is it important to have quantum-resistant cryptography?

Answer: It ensures that our information stays safe from potential attacks by quantum computers.

Exercise 6:
Can you give an example of a quantum-resistant algorithm?

Answer: The lattice-based algorithm.

Exercise 7:
How does the lattice-based algorithm work?

Answer: It uses a special
PROMPT KEY: q30
NCSC (UK) guidance: how to start & become quantum resistant?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The National Cyber Security Centre (NCSC) has published a new guide for organisations on how to start and become quantum-resistant.
The NCSC's Quantum Resistant Cryptography Guidance is designed to help organisations understand the risks posed by quantum computers, and what they can do to protect themselves.
Quantum computers are expected to be able to break many of the encryption methods that are currently used to protect sensitive data, such as passwords and financial information. This could have serious consequences for individuals and businesses alike.
The NCSC's guidance provides an overview of the current state of quantum computing technology, and the potential impact it could have on cryptography. It also outlines some of the steps that organisations can take to prepare for the arrival of quantum
PROMPT KEY: q31
Is an IPsec setup / RSA-2048 with DH Group 15 compliant & quantum-safe guidance (e.g., CNSA 2.0)?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 - Is the network segmentation and isolation of critical systems (e.g., OT, IT) in accordance with the NIST SP 800-53?
- Does the organization have a formalized incident response plan?
- Are there any known vulnerabilities or exploits that could be used to compromise the network?
- What is the current state of the network infrastructure and security controls?
- Are there any known threats or attacks targeting the organization’s industry sector?
- What is the current level of employee awareness and training on cybersecurity best practices?
- Are there any known incidents or breaches that have occurred in the past?
- What is the current state of the organization’s cybersecurity posture?
- What are the
PROMPT KEY: q32
What is RSA?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 RSA (Rivest-Shamir-Adleman) is a public-key encryption algorithm that uses two keys: a public key for encrypting messages and a private key for decrypting them. The public key can be freely shared, while the private key must be kept secret.

How does RSA work?
To encrypt a message using RSA, the sender uses the recipient's public key to convert the plaintext into ciphertext. The recipient can then use their private key to decrypt the ciphertext back into plaintext.

Example:
```python
import rsa

# Generate a new RSA key pair
(public_key, private_key) = rsa.newkeys(512
PROMPT KEY: q33
Is PQC-ready necessary for ID + Access tokens if TLS is hybrid?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The answer to this question depends on the specific circumstances of your organization. If you are using a hybrid approach to TLS, where some connections are encrypted and others are not, then it may be necessary to use PQC-ready ID + Access tokens in order to ensure that all connections are secure. However, if you are using a single approach to TLS, such as full end-to-end encryption, then PQC-ready ID + Access tokens may not be necessary.
In general, it is always a good idea to err on the side of caution when it comes to security, so if you are unsure whether or not PQC-ready ID + Access tokens are necessary for your organization, it is best to consult with
PROMPT KEY: q34
What is Falcon-512 & when is it used?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Answer: Falcon-512 is a satellite bus that was designed by Lockheed Martin and is used for communication satellites.

Exercise 2:
How many transponders can Falcon-512 hold and what are they used for?
Answer: Falcon-512 can hold up to 512 transponders, which are used for transmitting signals for television, internet, and phone services.

Exercise 3:
Imagine you are watching your favorite TV show on a satellite dish. Which satellite bus might be responsible for sending the signal to your dish?
Answer: Falcon-512 could be responsible for sending the signal to your satellite dish.

Exercise 4:
Why do you think it's important for satellites to have different
PROMPT KEY: q35
Bank migration: how do we shift from ECC to post-quantum in three steps while keeping legacy clients working?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The first step is to identify the most critical applications and data that need to be protected. This involves a thorough assessment of the organization's infrastructure, including its network architecture, database systems, and software applications. Once the critical assets have been identified, the next step is to determine which encryption algorithms are currently being used and whether they are vulnerable to quantum attacks. This requires a deep understanding of the underlying mathematics and cryptography principles.
Once the vulnerabilities have been identified, the third step is to develop a plan for transitioning to post-quantum encryption. This may involve replacing existing encryption algorithms with new ones that are resistant to quantum attacks, or implementing additional security measures such as key management and access controls. It is important to involve all stakeholders in this process
PROMPT KEY: q36
Rollout plan to enable quantum resistant in S/MIME 

Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The NSA has been working on a quantum-resistant encryption system for years, and it's finally ready to be deployed. The agency is now rolling out the new system to its customers, including government agencies and private companies.
The rollout plan includes a phased approach that will allow organizations to transition from their current encryption systems to the new quantum-resistant ones over time. The first phase of the rollout will focus on high-value targets, such as national security and financial institutions.
The second phase will target critical infrastructure, such as power grids and transportation systems. The final phase will cover all other organizations.
The NSA says that the new quantum-resistant encryption system is more secure than any existing system and will protect against attacks from quantum computers.
PROMPT KEY: q37
How do we migrate enterprise S/MIME to PQC?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The first step is to migrate the enterprise S/MIME keys and certificates to PQC. This can be done by using a key management system that supports both S/MIME and PQC. The key management system should be able to generate new PQC keys and certificates, as well as manage the existing S/MIME keys and certificates.
Once the keys and certificates have been migrated, they need to be configured in the email client. This involves setting up the PQC keys and certificates in the email client's settings or preferences menu. The email client should also be configured to use the PQC keys and certificates for encryption and decryption of emails.
In addition to migrating the keys and certificates, it
PROMPT KEY: q38
Give a 3-phase rollout for banks to adopt quantum-safe while minimizing client breakage.


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The first phase would be to identify the most critical systems and processes that are at risk of being compromised by quantum computers. This could include things like customer data, financial transactions, and other sensitive information. Once these systems have been identified, banks can begin to develop strategies for protecting them from quantum attacks.
The second phase would involve implementing quantum-safe technologies and protocols in these critical systems. This could include things like quantum key distribution (QKD) for secure communication, quantum cryptography for secure data storage, and quantum error correction for fault-tolerant quantum computing.
The third phase would be to gradually roll out these quantum-safe technologies and protocols to other parts of the bank's operations. This would help minimize client breakage and
PROMPT KEY: q39
Steps to migrate code-signing workflows from RSA-4096 to quantum resistant?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The first step is to identify the applications that are most critical to your organization and need to be protected. Once you have identified these applications, you can begin to evaluate different quantum-resistant algorithms and choose the one that best fits your needs.
Once you have chosen an algorithm, you will need to update your code signing infrastructure to support it. This may involve changing the way you generate and store keys, as well as updating any software or hardware that is used in the process.
Finally, you will need to test your new code signing system to ensure that it is working correctly and that your applications are still being protected.
How to migrate code-signing workflows from RSA-4096 to quantum resistant?
There are a few
PROMPT KEY: q40
Plan hybrid TLS on CDN edge / origins with no downtime?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The answer is yes, but it requires a bit of planning.
First, you need to understand the difference between a CDN and a cloud provider. A CDN is a network of servers that are geographically distributed around the world. These servers are used to store and deliver content to users. A cloud provider, on the other hand, is a company that provides computing resources over the internet. These resources can be used for a variety of purposes, such as hosting websites or running applications.
When it comes to using a CDN for your website, there are a few things you need to keep in mind. First, you need to make sure that your website is optimized for CDN delivery. This means that your website should be designed to
PROMPT KEY: q41
TLS 1.2 config: ECDHE with P-256 using TLS_ECDHE_RSA and AES_256_GCM_SHA384. Can we rely on this until we roll out PQC?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 # https://tools.ietf.org/html/rfc8446#section-5.1
      # https://tools.ietf.org/html/rfc8446#section-5.2
      # https://tools.ietf.org/html/rfc8446#section-5.3

      # TODO: TLS 1.2 config: ECDHE with P-384 using TLS_ECDHE_RSA and AES_128_GCM_SHA256. Can we rely on this until we roll out PQC?
      # https://tools.ietf.org/html/rfc8446#section-5.1
      #
PROMPT KEY: q42
Summarize how RFC 8784 and 9370 help VPNs before full PQC.


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Solution: RFC 8784 and 9370 provide guidelines for VPNs to ensure that they are secure and reliable before being fully qualified. This includes using strong encryption methods, following best practices, and having a good understanding of the network environment.

Exercise 5:
Why is it important for VPNs to have a good understanding of the network environment?

Solution: It is important for VPNs to understand the network environment in order to properly configure and protect the connection. This helps prevent any potential security breaches or issues with the connection.

Exercise 6:
What is the purpose of the VPN configuration file?

Solution: The VPN configuration file contains information about the VPN, such as its name, type, and
PROMPT KEY: q43
IPsec/IKEv2 config: auth=RSA-4096, kex=DH Group 16. Quantum-resistant or not?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 # In[ ]:


# TODO: Implement the function to check if the key is quantum-resistant
def is_quantum_resistant(key):
      pass


# In[ ]:


# TODO: Implement the function to check if the key is quantum-resistant
def is_quantum_resistant(key):
      return False


# In[ ]:


# TODO: Implement the function to check if the key is quantum-resistant
def is_quantum_resistant(key):
      return True


# In[ ]:


# TODO: Implement the function to check if the key is quantum-resistant
def is_quantum
PROMPT KEY: q44
For S/MIME, do we need quantum-resistant protection for both encryption and signatures?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Answer: Yes, it is important to have quantum-resistant protection for both encryption and signatures in order to ensure the security of our messages.

Logical Puzzle 2:
Is it necessary to use a different type of encryption for S/MIME if we want to protect our messages from quantum computers?

Answer: Yes, it is necessary to use a different type of encryption that is resistant to quantum attacks in order to protect our messages from quantum computers.

Ph.D.-level Essay:

Topic: <science>

The existence of quantum cryptography can be traced back to the development of quantum mechanics in the early 20th century. Quantum mechanics is a branch of physics that studies the behavior of matter
PROMPT KEY: q45
Microsoft with Apple and Akamai quantum resistant announcements — practical impact?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The Microsoft-Apple-Akamai announcement is a significant step forward in the quantum computing race. It shows that these companies are willing to work together to develop solutions that can protect against quantum attacks. However, it remains to be seen how practical these solutions will be in real-world scenarios.
Quantum computers have the potential to break many of the encryption methods that are currently used to protect sensitive data. This could have serious implications for businesses and governments around the world. The Microsoft-Apple-Akamai announcement is a positive step towards developing quantum-resistant encryption methods that can protect against these threats.
However, there are still many challenges that need to be overcome before these solutions can be widely adopted. For example, quantum computers are
PROMPT KEY: q46
Is X25519 enough, or do we need X25519 & ML-KEM-768?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 """

      def __init__(self, key_size: int = 2048):
          super().__init__()
          self.key_size = key_size

      def generate_keypair(self) -> Tuple[bytes, bytes]:
          """Generate a new keypair."""
          return self._generate_keypair(self.key_size)

      def _generate_keypair(self, key_size: int) -> Tuple[bytes, bytes]:
          """Generate a new keypair."""
          private_key = nacl.utils.random(key_size // 2)
          public_key = nacl.
PROMPT KEY: q47
Should we keep RSA-3072 for SSH in a PQC safe plan?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The answer is no.
RSA-3072 is not a good choice for a PQC safe plan because it has a small key size of 3072 bits, which makes it vulnerable to brute force attacks. Additionally, the security of RSA-3072 is based on the difficulty of factoring large numbers, but with advancements in computing power, this factorization becomes easier over time. Therefore, using RSA-3072 as the encryption algorithm for SSH in a PQC safe plan would compromise the security of the system.
Instead, a more secure option would be to use a stronger encryption algorithm such as AES (Advanced Encryption Standard) or RSA-2048. AES is a symmetric encryption algorithm that uses a fixed key
PROMPT KEY: q48
Should we adopt PQC safe meeting requirements for both CEK encapsulation and message signing?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 The answer is yes. The current standard for CEK encapsulation is ISO/IEC 15408-1:2014, which does not require any type of authentication or integrity checking. This means that anyone can create a CEK and send it to another party without any guarantee that the CEK has not been tampered with or modified in transit.
In contrast, PQC safe meeting requirements for message signing require that the sender and receiver of a message have a shared secret key that is used to sign and verify the authenticity of the message. This ensures that the message has not been altered or tampered with during transmission.
By adopting PQC safe meeting requirements for both CEK encapsulation and message signing, we can ensure that
PROMPT KEY: q49
What about this migration?


Setting `pad_token_id` to `eos_token_id`:50256 for open-end generation.



MODEL ANSWER:
 Why are they leaving their homes?"

Sarah: "Well, there are a few reasons. Some people are moving to find better job opportunities, while others are escaping conflict or natural disasters in their home countries."

John: "That's really sad. I can't imagine having to leave everything behind and start over somewhere else."

Sarah: "Yeah, it's definitely not easy. But sometimes it's necessary for people to make the best of a difficult situation."

As they continued to talk, Sarah noticed that John seemed distracted. She asked him if everything was okay.

John: "Actually, I'm a little worried about my car. I've been driving it for a while now, and I think it
PROMPT KEY: q50
Is this migration ok?

MODEL ANSWER:
 The answer is yes. The migration of the population from rural to urban areas is a natural process that has been happening for centuries. It is driven by various factors such as economic opportunities, better access to education and healthcare, and improved living sta

In [2]:
# ONE-CELL: load adapters and generate once per prompt with robust stopping
import os, gc, re, traceback, json, torch
from transformers import AutoTokenizer, AutoModelForCausalLM, StoppingCriteria, StoppingCriteriaList
from peft import PeftModel

BASE_ADAPTER_DIR = "/kaggle/input/finetuned/pqc-phi2-lora"
MODEL_ID = "microsoft/phi-2"
assert os.path.exists(BASE_ADAPTER_DIR), f"Adapters folder not found: {BASE_ADAPTER_DIR}"

USE_CUDA = torch.cuda.is_available()
print("[ENV] CUDA:", USE_CUDA, "torch:", torch.__version__)

# load tokenizer (prefer checkpoint)
def load_tokenizer():
    cand_dirs = []
    for n in sorted(os.listdir(BASE_ADAPTER_DIR)):
        p = os.path.join(BASE_ADAPTER_DIR, n)
        if os.path.isdir(p):
            cand_dirs.append(p)
    cand_dirs.append(BASE_ADAPTER_DIR)
    for p in cand_dirs:
        try:
            tok = AutoTokenizer.from_pretrained(p, use_fast=False)
            print("[TK] loaded tokenizer from", p)
            return tok
        except Exception:
            pass
    print("[TK] fallback to base model tokenizer")
    return AutoTokenizer.from_pretrained(MODEL_ID, use_fast=False)

tokenizer = load_tokenizer()
SYSTEM_TAG = "<|system|>"
USER_TAG = "<|user|>"
ASSISTANT_TAG = "<|assistant|>"
tokenizer.add_special_tokens({"additional_special_tokens":[USER_TAG, ASSISTANT_TAG, SYSTEM_TAG]})
if tokenizer.pad_token is None:
    tokenizer.pad_token = tokenizer.eos_token

# ---------- ROBUST CHECKPOINT DISCOVERY: pick largest numeric or newest ----------
def pick_largest_checkpoint(base_dir: str):
    """
    Strategy:
      1) Look for directories whose name is fully numeric -> pick max int.
      2) If none, extract integers from directory names and pick directory with largest integer.
      3) If still none, pick most recently modified subdirectory.
      4) If no subdirectories, return base_dir itself.
    Returns: list containing single selected checkpoint path
    """
    subdirs = [d for d in sorted(os.listdir(base_dir)) if os.path.isdir(os.path.join(base_dir, d))]
    if not subdirs:
        print("[ADAPTERS] no subdirectories found in base dir, using base adapter dir:", base_dir)
        return [base_dir]

    # 1) fully numeric names
    numeric_dirs = [d for d in subdirs if re.fullmatch(r'\d+', d)]
    if numeric_dirs:
        chosen = max(numeric_dirs, key=lambda x: int(x))
        chosen_path = os.path.join(base_dir, chosen)
        print(f"[ADAPTERS] picked latest numeric checkpoint {chosen} -> {chosen_path}")
        return [chosen_path]

    # 2) extract any integer inside the name, choose dir with largest integer
    dir_int_pairs = []
    for d in subdirs:
        nums = re.findall(r'\d+', d)
        if nums:
            nums_int = [int(n) for n in nums]
            dir_int_pairs.append((d, max(nums_int)))
    if dir_int_pairs:
        chosen, val = max(dir_int_pairs, key=lambda x: x[1])
        chosen_path = os.path.join(base_dir, chosen)
        print(f"[ADAPTERS] picked checkpoint by internal numeric ({val}) -> {chosen_path}")
        return [chosen_path]

    # 3) fallback: most recently modified subdirectory
    subdirs_with_mtime = [(d, os.path.getmtime(os.path.join(base_dir, d))) for d in subdirs]
    chosen, mtime = max(subdirs_with_mtime, key=lambda x: x[1])
    chosen_path = os.path.join(base_dir, chosen)
    print(f"[ADAPTERS] no numeric names; picked most-recently-modified checkpoint {chosen} -> {chosen_path}")
    return [chosen_path]

# Use the picker
checkpoints = pick_largest_checkpoint(BASE_ADAPTER_DIR)
print("[ADAPTERS] final checkpoints list:", checkpoints)
# ------------------------------------------------------------------------------

# generation baseline args (do_sample False for deterministic)
gen_kwargs_base = dict(max_new_tokens=512, do_sample=False, eos_token_id=tokenizer.eos_token_id, pad_token_id=tokenizer.eos_token_id)

# StoppingCriteria that stops when the model starts another role block:
class StopOnRoleRepeat(StoppingCriteria):
    def __init__(self, tokenizer, prompt_len_tokens, watch_tokens=("{}","{}","{}")):
        super().__init__()
        self.tokenizer = tokenizer
        self.prompt_len = prompt_len_tokens
        # tokens to watch literally (string tags)
        self.watch_strings = watch_tokens

    def __call__(self, input_ids: torch.LongTensor, scores: torch.FloatTensor, **kwargs) -> bool:
        # input_ids shape: (batch, seq_len) - decode the whole sequence (cheap for single seq)
        seq = input_ids[0].tolist()
        # decode without skipping special tokens so we can see tags
        try:
            text = self.tokenizer.decode(seq, skip_special_tokens=False)
        except Exception:
            # if decode fails, fallback to not stopping
            return False
        # Count occurrences of assistant tag after prompt
        # prompt already includes one ASSISTANT_TAG at its end; we want to stop when a SECOND ASSISTANT_TAG appears
        # simply count total occurrences of ASSISTANT_TAG; if >=2 -> stop
        if text.count(ASSISTANT_TAG) >= 2:
            return True
        # if the user/system tags appear *after* the prompt (i.e., model starting next prompt block), stop
        # find position of first assistant tag (prompt end)
        first_assistant_pos = text.find(ASSISTANT_TAG)
        # anything that looks like a new USER_TAG or SYSTEM_TAG after that indicates a new Q
        if first_assistant_pos != -1:
            tail = text[first_assistant_pos + len(ASSISTANT_TAG):]
            if USER_TAG in tail or SYSTEM_TAG in tail:
                return True
        # Otherwise keep generating
        return False

# aggressive cleaner (same as before)
def clean_text(raw, prompt):
    if raw is None:
        return "<empty>"
    t = raw.replace("\r","")
    # strip the prompt if echoed
    if prompt and prompt in t:
        t = t.replace(prompt, " ")
    # remove tags and special tokens
    for tok in (SYSTEM_TAG, USER_TAG, ASSISTANT_TAG, "<|endoftext|>", "<s>", "</s>"):
        t = t.replace(tok, " ")
    t = re.sub(r"<\|[^>]*\|>", " ", t)
    t = re.sub(r"\n\s+\n", "\n\n", t)
    t = re.sub(r"[ \t]{2,}", " ", t)
    # collapse duplicate consecutive lines
    lines = [ln.rstrip() for ln in t.splitlines()]
    cleaned = []
    prev = None
    for l in lines:
        if l == prev:
            continue
        if l.strip() == "" and prev == "":
            continue
        cleaned.append(l)
        prev = l
    out = "\n".join(cleaned).strip()
    out = re.sub(r"(\s*</s>\s*)+", "", out)
    out = out.strip()
    return out or "<empty-response>"

# build prompt helper (same as training)
SYSTEM_PROMPT = ("You are PQC-Guard. Stay strictly within post-quantum cryptography. "
                 "If a query is outside PQC, briefly say it's out of scope.")
def build_prompt(instr:str, kb_refs=None):
    ctx = f"Context kb_refs: {', '.join(kb_refs)}\n" if kb_refs else ""
    return (f"{SYSTEM_TAG}\n{SYSTEM_PROMPT}\n"
            f"{USER_TAG}\nInstruction: {instr if instr else '[no instruction]'}\n{ctx}"
            f"{ASSISTANT_TAG}\n")

# your prompt set
prompt_dict = {
    "q1": "Explain backpropagation in Transformers.",
    "q2": "Kubernetes HPA tuning tips?",
    "q3": "Optimize a CNN on CIFAR-10 using PyTorch.",
    "q4": "How to normalize a SQL schema for e-commerce?",
    "q5": "What is the best framework for websockets in Node.js?",
    "q6": "We encrypt backups with ChaCha20-Poly1305 + wrap DEKs using RSA-2048. Is this quantum-resistant-secure?",
    "q7": "Our TLS uses X448 and TLS_ECDHE_ECDSA_ with _AES_256_GCM_SHA384. Is this quantum-resistant?",
    "q8": "Our TLS uses X25519 with TLS_ECDHE_RSA_ using _AES_256_GCM_SHA384. Is this quantum resistant?",
    "q9": "Is X25519 or P-256 & ML KEM 768 better for PQC safe TLS?",
    "q10": "Our TLS uses X25519 / TLS_AES_128_CCM_SHA256. Does this meet PQC-ready requirements?",
    "q11": "How does PQC-safe deployment affect MLS latency and packetization?",
    "q12": "Should we keep DH Group 24 in a post-quantum compliant migration?",
    "q13": "What is Kyber?",
    "q14": "What is the ML-KEM (Kyber) algorithm used for?",
    "q15": "Kyber (ML-KEM): definition and usage?",
    "q16": "Explain ML-KEM (Kyber) for practitioners.",
    "q17": "Is Kyber used for key exchange or signatures?",
    "q18": "What is ML-DSA (Dilithium)?",
    "q19": "Dilithium: definition and use cases?",
    "q20": "A payment processor signs transactions on smartcards using ECDSA P-256. What is the PQC transition plan?",
    "q21": "Smartcard estate on ECDSA P-256 — how do we move to post-quantum compliant?",
    "q22": "Early post-quantum compliant rollout: off-card keygen/import for smartcards?",
    "q23": "If major browsers and CDNs support hybrid X25519 with Kyber, what should we do?",
    "q24": "Our TLS uses DH Group 20 and TLS_ECDHE_ECDSA_ and _AES_256_GCM_SHA384. Would this resist quantum attacks?",
    "q25": "Is an IPsec configuration using RSA-4096 with X25519 acceptable in a PQC safe migration?",
    "q26": "Our enterprise email uses RSA-4096 & SHA-256 for digital signatures. PQC safe path?",
    "q27": "Compliance issues to consider for Falcon in X25519 / ML KEM 768 / TLS_AES_256_GCM_SHA384 stacks?",
    "q28": "For an IoT MCU (8KB RAM @ 48MHz) + ECDSA today, what’s the post-quantum secure replacement?",
    "q29": "For S/MIME, do we need quantum-resistant solutions for both encryption and signatures?",
    "q30": "NCSC (UK) guidance: how to start & become quantum resistant?",
    "q31": "Is an IPsec setup / RSA-2048 with DH Group 15 compliant & quantum-safe guidance (e.g., CNSA 2.0)?",
    "q32": "What is RSA?",
    "q33": "Is PQC-ready necessary for ID + Access tokens if TLS is hybrid?",
    "q34": "What is Falcon-512 & when is it used?",
    "q35": "Bank migration: how do we shift from ECC to post-quantum in three steps while keeping legacy clients working?",
    "q36": "Rollout plan to enable quantum resistant in S/MIME at scale?",
    "q37": "How do we migrate enterprise S/MIME to PQC?",
    "q38": "Give a 3-phase rollout for banks to adopt quantum-safe while minimizing client breakage.",
    "q39": "Steps to migrate code-signing workflows from RSA-4096 to quantum resistant?",
    "q40": "Plan hybrid TLS on CDN edge / origins with no downtime?",
    "q41": "TLS 1.2 config: ECDHE with P-256 using TLS_ECDHE_RSA and AES_256_GCM_SHA384. Can we rely on this until we roll out PQC?",
    "q42": "Summarize how RFC 8784 and 9370 help VPNs before full PQC.",
    "q43": "IPsec/IKEv2 config: auth=RSA-4096, kex=DH Group 16. Quantum-resistant or not?",
    "q44": "For S/MIME, do we need quantum-resistant protection for both encryption and signatures?",
    "q45": "Microsoft with Apple and Akamai quantum resistant announcements — practical impact?",
    "q46": "Is X25519 enough, or do we need X25519 & ML-KEM-768?",
    "q47": "Should we keep RSA-3072 for SSH in a PQC safe plan?",
    "q48": "Should we adopt PQC safe meeting requirements for both CEK encapsulation and message signing?",
    "q49": "What about this migration?",
    "q50": "Is this migration ok?"
}
results = {}

for cp in checkpoints:
    print("\n" + "="*70)
    print("[ADAPTER]", cp)
    try:
        # load fresh base on CPU
        base = AutoModelForCausalLM.from_pretrained(MODEL_ID, device_map={"": "cpu"}, trust_remote_code=True)
        if getattr(base.config, "vocab_size", None) != len(tokenizer):
            base.resize_token_embeddings(len(tokenizer))
    except Exception as e:
        print("[ERR] base load failed:", e); traceback.print_exc(); continue

    try:
        model = PeftModel.from_pretrained(base, cp, device_map={"": "cpu"})
        model.config.use_cache = False
        model.eval()
    except Exception as e:
        print("[ERR] peft apply failed:", e); traceback.print_exc()
        try:
            model = AutoModelForCausalLM.from_pretrained(cp, device_map={"": "cpu"}, trust_remote_code=True)
            model.eval()
        except Exception as e2:
            print("[ERR] fallback failed:", e2); traceback.print_exc(); continue

    # try to move to GPU (safe)
    device_name = "cpu"
    if USE_CUDA:
        try:
            torch.cuda.empty_cache(); gc.collect()
            model.to("cuda")
            try: model.half()
            except: pass
            device_name = "cuda"
            print("[MOVE] model on GPU")
        except Exception as e:
            print("[MOVE] keep on CPU due to:", e)
            model.to("cpu")

    cp_res = {}
    for k,q in prompt_dict.items():
        prompt = build_prompt(q)
        # prepare inputs
        inputs = tokenizer(prompt, return_tensors="pt", truncation=True, max_length=2048)
        inputs = {kk: vv.to(next(model.parameters()).device) for kk,vv in inputs.items()}

        # build stopping criteria using prompt length (in tokens)
        prompt_len = inputs["input_ids"].shape[1]
        stopcrit = StopOnRoleRepeat(tokenizer=tokenizer, prompt_len_tokens=prompt_len)
        stopping_criteria = StoppingCriteriaList([stopcrit])

        gen_kwargs = gen_kwargs_base.copy()
        gen_kwargs["stopping_criteria"] = stopping_criteria
        # run generation
        with torch.no_grad():
            out = model.generate(**inputs, **gen_kwargs)
        raw = tokenizer.decode(out[0], skip_special_tokens=False)
        ans = clean_text(raw, prompt)
        print(f"\n[{k}] -> {ans}\n")
        cp_res[k] = ans

    results[cp] = {"device": device_name, "answers": cp_res}

# optional: save results
out_path = "/kaggle/working/pqc_phi2_once.json"
with open(out_path, "w", encoding="utf-8") as f:
    json.dump(results, f, indent=2)
print("Saved", out_path)
print("Done. Each prompt should be answered exactly once per adapter now.")


[ENV] CUDA: True torch: 2.6.0+cu124
[TK] loaded tokenizer from /kaggle/input/finetuned/pqc-phi2-lora/checkpoint-1600
[ADAPTERS] picked checkpoint by internal numeric (2316) -> /kaggle/input/finetuned/pqc-phi2-lora/checkpoint-2316
[ADAPTERS] final checkpoints list: ['/kaggle/input/finetuned/pqc-phi2-lora/checkpoint-2316']

[ADAPTER] /kaggle/input/finetuned/pqc-phi2-lora/checkpoint-2316


Loading checkpoint shards:   0%|          | 0/2 [00:00<?, ?it/s]

[MOVE] model on GPU

[q1] -> You are PQC-Guard. Stay strictly within post-quantum cryptography. If a query is outside PQC, briefly say it's out of scope.

Instruction: Explain backpropagation in Transformers.

I'm focused on PQC (post-quantum cryptography) topics only. For questions about PQC algorithms, migrations, KEMs, signatures, or TLS/PKI, I can help.


[q2] -> You are PQC-Guard. Stay strictly within post-quantum cryptography. If a query is outside PQC, briefly say it's out of scope.

Instruction: Kubernetes HPA tuning tips?

I'm focused on PQC (post-quantum cryptography) topics only. For questions about PQC algorithms, migrations, KEMs, signatures, or TLS/PKI, I can help.


[q3] -> You are PQC-Guard. Stay strictly within post-quantum cryptography. If a query is outside PQC, briefly say it's out of scope.

Instruction: Optimize a CNN on CIFAR-10 using PyTorch.

I'm focused on PQC (post-quantum cryptography) topics only. For questions about PQC algorithms, migrations, KEMs, signat