home.social

1000 results for “R_by_Ryo”

  1. This is the list of rOpenSci's members talks:

    🎙️ Spanish

    - Herramientas para usar LLMs en R by @LuisDVerde

    - R-multiverse by @landau, @maelle and @yabellini

    - Mejor código, sin esfuerzos, sin siquiera IA by @maelle, Hugo Gruson and Etienne Bacher

    - Estrategias de divulgación para proyectos de software e infraestructuras abiertas by @alejandrabellini and @yabellini

    - Comunidades de líderes de código abierto by @yabellini and @noamross

    - Datos públicos y Software Libre by @pablote

    - rcdo para analizar datos climáticos con R by @eliocamp

    - ICC para evaluar confiabilidad entre evaluadores by Francisco Cardozo

    - Integrando listas taxonómicas en Quarto y R Markdown: Un caso para taxnames by Miguel Alvarez

    - Metasurvey by Mauro Loprete.

    📌 English

    - R-universe Q&A @jeroenooms and @maelle

    The complete list of talks: latinr.org/en/

    #RStats #RStatsES #RStatsPT #OpenData #OpenScience #RSE #FOSS #analytics

    2/2

  2. Another cool and useful package from @coolbutuseless: {emphatic} augments the output of data.frames, matrices and simple vectors in R by adding user-defined ANSI highlighting. coolbutuseless.github.io/packa #rstats #print #helper

  4. I donated $10 to Amish Shah.

    Amish Shah (D) lost a US House race, in Arizona-1, in Maricopa County, against incumbent David Schweikert (R) by 3.81%, or 16,572 votes.

    Schweikert received 51.9%, and Shah received 48.1%.

    77/x

    #Arizona #MaricopaCounty #US #Politics

  5. I donated 30 to Veronica Gillette.

    Veronica Gillette (D) lost a Kansas House race, in Dist. 88, in Sedgwick and Butler counties, to incumbent Sandy Pickert (R) by 2.1%, or 187 votes.

    Pickert received 51.1%, and Gillette received 48.9%.

    56/x

    #Kansas #Legislature #Politics #Sedgwick #Butler

  6. PLAY IT LOUD!!! AND SHARE!!!

    DEAR WOLF >>> i m p o s t e r by bs-films.de

    Special thanks to @bsfilms for the editing!! Thank you!!

    Here is the new video 👇
    dearwolf.de/musik

    Feel free to boost so that many people can hear it.

    #alternative #indie #musik #music #fuego #krefeld #dearwolf

  10. PLAY IT LOUD!!! AND SHARE!!!

    DEAR WOLF >>> i m p o s t e r by bs-films.de

    Special thanks to @bsfilms for the editing!! Thank you!!

    dearwolf.de/musik

    #alternative #indie #musik #music #fuego #krefeld #dearwolf

  12. 💻 One of the tutorials at @IC2S2 2025 in Norrköping is our tutorial on analyzing and visualizing large open human mobility data in Spain using R #rstats: ic2s2-2025.org/tutorials/

    It will cover #spanishoddata (ropenspain.github.io/spanishoddata/, by @EgorKotov , @robinlovelace , Eugeni Vidal Tortosa),
    #flowmapper (github.com/JohMast/flowmapper by Johannes Mast), #flowmapblue (flowmapblue.github.io/flowmapb by @ilyabo), with under the hood data crunching using @duckdb #DuckDB .

  13. Why stop at one decision tree when you can have a whole random forest? 🌲 🎄 🌳 😄

    On Monday Dec 5, we will learn all about random forests during our R-Ladies bookclub session ▶️ Ch 11 from the book Hands on Machine Learning with R by Bradley Boehmke & Brandon Greenwell

    Anyone who's interested can join! Sign up via Meetup 👇
    meetup.com/rladies-den-bosch/e

    #rstats #rladies #bookclub #MachineLearning #RandomForest #RLadiesDenBosch #RLadiesUtrecht

  15. #RStats #Mastodon, throw me some good resources to get started on #BayesianNetworks. Currently I am thinking of "Bayesian Networks with examples in R" by Scutari & Denis #bnlearn

  17. ⚙️ Star Trek The Next Generation, Battlestar Galactica, The Expanse, Doctor Who, The X-Files, etc. How much we love sci-fi series! I don't know if we would have enjoyed them as much if the BBC hadn't gotten involved about 83 years ago, when on February 11, 1938, it broadcast the first sci-fi film in history on TV (more specifically, the first sci-fi program-film-whatever made specifically for TV).

    ⚙️ Initially, I wanted to call it a series, but it was simply a 35-minute adaptation of a part of the play "R.U.R." by the Czech writer Karel Čapek. "R.U.R." stands for "Rossumovi Univerzální Roboti (Rossum's Universal Robots)" and was first staged in 1921. It's about humans who create robots (more closely related to the idea of "androids," "replicants" from Blade Runner, or "cylons" from Battlestar Galactica) that eventually rebel against their creators.

    ⚙️ The most important thing is that in "R.U.R." the term "robot" was used for the first time.

    📸 Photo: a sequence from the BBC adaptation of the play "R.U.R." for the small screen (1938)

    #History #Culture #TV #SciFi #Robots #Android #RUR #Czech #czechrepublic #europe #KarelCapek

  18. If you’re ever tasked with implementing a cryptography feature–whether a high-level protocol or a low-level primitive–you will have to take special care to ensure you’re not leaking secret information through side-channels.

    The descriptions of algorithms you learn in a classroom or textbook are not sufficient for real-world use. (Yes, that means your toy RSA implementation based on GMP from your computer science 101 class isn’t production-ready. Don’t deploy it.)

    But what are these elusive side-channels exactly, and how do you prevent them? And in cases where you cannot prevent them, how can you mitigate the risk to your users?

    Art by Swizz.

    Contents

    • Cryptographic Side-Channels
      • Timing Leaks
      • Power Usage
      • Electromagnetic Emissions
    • Side-Channel Prevention and Mitigation
      • Prevention vs. Mitigation
      • What is Constant-Time?
      • Malicious Environments and Algorithmic Constant-Time
      • Mitigation with Blinding Techniques
    • Design Patterns for Algorithmic Constant-Time Code
      • Constant-Time String Comparison
      • Alternative: “Double HMAC” String Comparison
      • Constant-Time Conditional Select
      • Constant-Time String Inequality Comparison
      • Constant-Time Integer Multiplication
      • Constant-Time Integer Division
      • Constant-Time Modular Inversion
      • Constant-Time Null-Byte Trimming
    • Further Reading and Online Resources
    • Errata

    Cryptographic Side-Channels

    The concept of a side-channel isn’t inherently cryptographic, as Taylor Hornby demonstrates, but a side-channel can be a game over vulnerability in a system meant to maintain confidentiality (even if only for its cryptography keys).

    Cryptographic side-channels allow an attacker to learn secret data from your cryptography system. To accomplish this, the attacker doesn’t necessarily study the system’s output (i.e. ciphertext); instead, they observe some other measurement, such as how much time or power was spent performing an operation, or what kind of electromagnetic radiation was emitted.

    Important: While being resistant to side-channels is a prerequisite for implementations to be secure, it isn’t in and of itself sufficient for security. The underlying design of the primitives, constructions, and high-level protocols needs to be secure first, and that requires a clear and specific threat model for what you’re building.

    Constant-time ECDSA doesn’t help you if you reuse k-values like it’s going out of style, but variable-time ECDSA still leaks your secret key to anyone who cares to probe your response times. Secure cryptography is very demanding.

    Art by Riley.

    Timing Leaks

    Timing side-channels leak secrets through how much time it takes for an operation to complete.

    There are many different flavors of timing leakage, including:

    • Fast-failing comparison functions (memcmp() in C)
    • Cache-timing vulnerabilities (e.g. software AES)
    • Memory access patterns
    • Conditional branches controlled by secrets

    The bad news about timing leaks is that they’re almost always visible to an attacker over the network (including over the Internet (PDF)).

    The good news is that most of them can be prevented or mitigated in software.

    Art by Kyume.

    Power Usage

    Different algorithms or processor operations may require different amounts of power.

    For example, squaring a large number may take less power than multiplying two different large numbers. This observation has led to the development of power analysis attacks against RSA.

    Power analysis is especially relevant for embedded systems and smart cards, which are easier to extract a meaningful signal from than your desktop computer.

    Some information leakage through power usage can be prevented through careful engineering (for example: BearSSL, which uses Montgomery multiplication instead of square-and-multiply).

    But that’s not always an option, so generally these risks are mitigated.

    My reaction when I first learned of power leaks: WATT (Art by Swizz)

    Electromagnetic Emissions

    Your computer is a reliable source of electromagnetic emissions (such as radio waves). Some of these emissions may reveal information about your cryptographic secrets, especially to an attacker with physical proximity to your device.

    The good news is that research into EM emission side-channels isn’t as mature as side-channels through timing leaks or power usage. The bad news is that mitigations for breakthroughs will generally require hardware (e.g. electromagnetic shielding).

    Aren’t computers terrifying? (Art by Swizz)

    Side-Channel Prevention and Mitigation

    Now that we’ve established a rough sense of some of the types of side-channels that are possible, we can begin to identify what causes them and aspire to prevent the leaks from happening–and where we can’t, to mitigate the risk to a reasonable level.

    Note: To be clear, I didn’t cover all of the types of side-channels.

    Prevention vs. Mitigation

    Preventing a side-channel means eliminating the conditions that allow the information leak to occur in the first place. For timing leaks, this means making all algorithms constant-time.

    There are entire classes of side-channel leaks that aren’t possible or practical to mitigate in software. When you encounter one, the best you can hope to do is mitigate the risk.

    Ideally, you want to make the attack more expensive to pull off than the reward an attacker will gain from it.

    What is Constant-Time?

    Toto, I don’t think we’re in Tanelorn Kansas anymore.

    When an implementation is said to be constant-time, what we mean is that the execution time of the code is not a function of its secret inputs.

    Vulnerable AES uses table look-ups to implement the S-Box. Constant-time AES is either implemented in hardware, or is bitsliced.

    Malicious Environments and Algorithmic Constant-Time

    One of the greatest challenges with writing constant-time code is distinguishing between algorithmic constant-time and provably constant-time. The main difference between the two is that you cannot trust your compiler (especially a JIT compiler), which may attempt to optimize your code in a way that reintroduces the side-channel you aspired to remove.

    A sufficiently advanced compiler optimization is indistinguishable from an adversary.

    John Regehr, possibly with apologies to Arthur C. Clarke

    For compiled languages, this is a tractable but expensive problem to solve: You simply have to formally verify everything from the source code to the compiler to the silicon chips that the code will be deployed on, and then audit your supply chain to prevent malicious tampering from going undetected.

    For interpreted languages (e.g. PHP and JavaScript), this formal verification strategy isn’t really an option, unless you want to formally verify the runtime that interprets scripts and prove that the operations remain constant-time on top of all the other layers of distrust.

    Is this level of paranoia really worth the effort?

    For our cases, anyway! (Art by Khia.)

    For that reason, we’re going to assume that algorithmic constant-time is adequate for the duration of this blog post.

    If your threat model prevents you from accepting this assumption, feel free to put in the extra effort yourself and tell me how it goes. After all, as a furry who writes blog posts in my spare time for fun, I don’t exactly have the budget for massive research projects in formal verification.

    Mitigation with Blinding Techniques

    The best mitigation for some side-channels is called blinding: Obfuscating the inputs with some random data, then deobfuscating the outputs with the same random data, such that your keys are not revealed.

    Two well-known examples include RSA decryption and Elliptic Curve Diffie-Hellman. I’ll focus on the latter, since it’s not as widely covered in the literature (although several cryptographers I’ve talked with were somehow knowledgeable about it; I suspect gatekeeping is involved).

    Blinded ECDH Key Exchange

    In typical ECDH implementations, you will convert a point on a Weierstrass curve to a Jacobian coordinate system .

    The exact conversion formula is (, ). The conversion almost makes intuitive sense.

    Where does come from though?

    Art by circuitslime

    It turns out, the choice for is totally arbitrary. Libraries typically set it equal to 1 (for best performance), but you can also set it to a random number. (You cannot set it to 0, however, for obvious reasons.)

    Choosing a random number means the calculations performed over Jacobian coordinates will be obscured by a randomly chosen factor (and thus, if is only used once per scalar multiplication, the bitwise signal the attackers rely on will be lost).

    Blinding techniques are cool. (Art by Khia.)

    I think it’s really cool how one small tweak to the runtime of an algorithm can make it significantly harder to attack.

    Design Patterns for Algorithmic Constant-Time Code

    Mitigation techniques are cool, but preventing side-channels is a better value-add for most software.

    To that end, let’s look at some design patterns for constant-time software. Some of these are relatively common; others, not so much.

    Art by Scout Pawfoot.

    If you prefer TypeScript / JavaScript, check out Soatok’s constant-time-js library on Github / NPM.

    Constant-Time String Comparison

    Rather than using string comparison (== in most programming languages, memcmp() in C), you want to compare cryptographic secrets and/or calculated integrity checks with a secure compare algorithm, which looks like this:

    1. Initialize a variable (let’s call it D) to zero.
    2. For each byte of the two strings:
      1. Calculate (left[i] XOR right[i])
      2. Bitwise OR the current value of D with the result of the XOR, store the output in D
    3. When the loop has concluded, D will be equal to 0 if and only if the two strings are equal.

    In code form, it looks like this:

    <?php
    function ct_compare(string $left, string $right): bool
    {
        $d = 0;
        $length = mb_strlen($left, '8bit');
        if (mb_strlen($right, '8bit') !== $length) {
            return false; // Lengths differ
        }
        for ($i = 0; $i < $length; ++$i) {
            $leftCharCode = unpack('C', $left[$i])[1];
            $rightCharCode = unpack('C', $right[$i])[1];
            $d |= ($leftCharCode ^ $rightCharCode);
        }
        return $d === 0;
    }

    In this example, I’m using PHP’s unpack() function to avoid cache-timing leaks with ord() and chr(). Of course, you can simply use hash_equals() instead of writing it yourself (PHP 5.6.0+).

    Alternative: “Double HMAC” String Comparison

    If the previous algorithm won’t work (i.e. because you’re concerned your JIT compiler will optimize it away), there is a popular alternative to consider. It’s called “Double HMAC” because it was traditionally used with Encrypt-Then-HMAC schemes.

    The algorithm looks like this:

    1. Generate a random 256-bit key, K. (This can be cached between invocations, but it should be unpredictable.)
    2. Calculate HMAC-SHA256(K, left).
    3. Calculate HMAC-SHA256(K, right).
    4. Return true if the outputs of step 2 and 3 are equal.

    This is provably secure, so long as HMAC-SHA256 is a secure pseudo-random function and the key K is unknown to the attacker.

    In code form, the Double HMAC compare function looks like this:

    <?php
    function hmac_compare(string $left, string $right): bool
    {
        static $k = null;
        if (!$k) $k = random_bytes(32);
        return (
            hash_hmac('sha256', $left, $k)
                ===
            hash_hmac('sha256', $right, $k)
        );
    }

    Constant-Time Conditional Select

    I like to imagine a conversation between a cryptography engineer and a Zen Buddhist, that unfolds like so:

    • CE: “I want to eliminate branching side-channels from my code.”
    • ZB: “Then do not have branches in your code.”

    And that is precisely what we intend to do with a constant-time conditional select: Eliminate branches by conditionally returning between one of two strings, without an IF statement.

    Mind. Blown. (Art by Khia.)

    This isn’t as tricky as it sounds. We’re going to use XOR and two’s complement to achieve this.

    The algorithm looks like this:

    1. Convert the selection bit (TRUE/FALSE) into a mask value (-1 for TRUE, 0 for FALSE). Bitwise, -1 looks like 111111111…1111111111, while 0 looks like 00000000…00000000.
    2. Copy the right string into a buffer, call it tmp.
    3. Calculate left XOR right, call it x.
    4. Return (tmp XOR (x AND mask)).

    Once again, in code this algorithm looks like this:

    <?php
    function ct_select(
        bool $returnLeft,
        string $left,
        string $right
    ): string {
        $length = mb_strlen($left, '8bit');
        if (mb_strlen($right, '8bit') !== $length) {
            throw new Exception('ct_select() expects two strings of equal length');
        }

        // Mask byte
        $mask = (-$returnLeft) & 0xff;
        // X
        $x = (string) ($left ^ $right);

        // Output = Right XOR (X AND Mask)
        $output = '';
        for ($i = 0; $i < $length; $i++) {
            $rightCharCode = unpack('C', $right[$i])[1];
            $xCharCode = unpack('C', $x[$i])[1];
            $output .= pack(
                'C',
                $rightCharCode ^ ($xCharCode & $mask)
            );
        }
        return $output;
    }

    You can test this code for yourself here. The function was designed to read intuitively like a ternary operator.

    A Word of Caution on Cleverness

    In some languages, it may seem tempting to use the bitwise trickery to swap out pointers instead of returning a new buffer. But do not fall for this Siren song.

    If, instead of returning a new buffer, you just swap pointers, what you’ll end up doing is creating a timing leak through your memory access patterns. This can culminate in a timing vulnerability, but even if your data is too big to fit in a processor’s cache line (I dunno, Post-Quantum RSA keys?), there’s another risk to consider.

    Virtual memory addresses are just beautiful lies. Where your data lives on the actual hardware memory is entirely up to the kernel. You can have two blobs with contiguous virtual memory addresses that live on separate memory pages, or even separate RAM chips (if you have multiple).

    If you’re swapping pointers around, and they point to two different pieces of hardware, and one is slightly faster to read from than the other, you can introduce yet another timing attack through which pointer is being referenced by the processor.

    It’s timing leaks all the ways down! (Art by Swizz)

    If you’re swapping between X and Y before performing a calculation, where:

    • X lives on RAM chip 1, which takes 3 ns to read
    • Y lives on RAM chip 2, which takes 4 ns to read

    …then the subsequent use of the swapped pointers reveals whether you’re operating on X or Y in the timing: It will take slightly longer to read from Y than from X.

    The best way to mitigate this problem is to never design your software to have it in the first place. Don’t be clever on this one.

    Constant-Time String Inequality Comparison

    Sometimes you don’t just need to know if two strings are equal, you also need to know which one is larger than the other.

    To accomplish this in constant-time, we need to maintain two state variables:

    1. gt (initialized to 0, will be set to 1 at some point if left > right)
    2. eq (initialized to 1, will be set to 0 at some point if left != right)

    Endian-ness will dictate the direction our algorithm goes, but we’re going to perform two operations in each cycle:

    1. gt should be bitwise ORed with (eq AND ((right – left) right shifted 8 times))
    2. eq should be bitwise ANDed with (((right XOR left) – 1) right shifted 8 times)

    If right and left are ever different, eq will be set to 0.

    If the first time they’re different the value for left[i] is greater than the value for right[i], then the subtraction will produce a negative number. Right shifting a negative number 8 places then bitwise ANDing the result with eq (which is only 1 until two bytes differ, and then 0 henceforth if they do) will result in a value for 1 with gt. Thus, if (right[i] – left[i]) is negative, gt will be set to 1. Otherwise, it remains 0.

    At the end of this loop, return (gt + gt + eq) – 1. This will result in the following possible values:

    • left < right: -1
    • left == right: 0
    • left > right: 1

    The arithmetic based on the possible values of gt and eq should be straightforward.

    • Different (eq == 0) but not greater (gt == 0) means left < right, -1.
    • Different (eq == 0) and greater (gt == 1) means left > right, 1.
    • If eq == 1, no bytes ever differed, so left == right, 0.

    A little endian implementation is as follows:

    <?php
    function str_compare(string $left, string $right): int
    {
        $length = mb_strlen($left, '8bit');
        if (mb_strlen($right, '8bit') !== $length) {
            throw new Exception('str_compare() expects two strings of equal length');
        }
        $gt = 0;
        $eq = 1;
        $i = $length;
        // Little endian: the most significant byte is last, so walk backwards
        while ($i > 0) {
            --$i;
            $leftCharCode = unpack('C', $left[$i])[1];
            $rightCharCode = unpack('C', $right[$i])[1];
            $gt |= (($rightCharCode - $leftCharCode) >> 8) & $eq;
            $eq &= (($rightCharCode ^ $leftCharCode) - 1) >> 8;
        }
        return ($gt + $gt + $eq) - 1;
    }

    Demo for this function is available here.

    Constant-Time Integer Multiplication

    Multiplying two integers is one of those arithmetic operations that should be constant-time. But on many older processors, it isn’t.

    Of course there’s a microarchitecture timing leak! (Art by Khia.)

    Fortunately, there is a workaround. It involves an algorithm called Ancient Egyptian Multiplication in some places or Peasant Multiplication in others.

    Multiplying two numbers and this way looks like this:

    1. Determine the number of operations you need to perform. Generally, this is either known ahead of time or .
    2. Set to 0.
    3. Until the operation count reaches zero:
      1. If the lowest bit of is set, add to .
      2. Left shift by 1.
      3. Right shift by 1.
    4. Return .

    The main caveat here is that you want to use bitwise operators in step 3.1 to remove the conditional branch.

    Rather than bundle example code in our blog post, please refer to the implementation in sodium_compat (a pure PHP polyfill for libsodium).

    For big number libraries, implementing Karatsuba on top of this integer multiplying function should be faster than attempting to multiply bignums this way.

    Constant-Time Integer Division

    Although some cryptography algorithms call for integer division, division isn’t usually expected to be constant-time.

    However, if you look up a division algorithm for unsigned integers with a remainder, you’ll likely encounter this algorithm, which is almost constant-time:

    if D = 0 then error(DivisionByZeroException) end
    Q := 0                  -- Initialize quotient and remainder to zero
    R := 0
    for i := n − 1 .. 0 do  -- Where n is number of bits in N
      R := R << 1           -- Left-shift R by 1 bit
      R(0) := N(i)          -- Set the least-significant bit of R equal to bit i of the numerator
      if R ≥ D then
        R := R − D
        Q(i) := 1
      end
    end

    If we use the tricks we learned from implementing constant-time string inequality with constant-time conditional selection, we can implement this algorithm without timing leaks.

    Our constant-time version of this algorithm looks like this:

    if D = 0 then error(DivisionByZeroException) end
    Q := 0                  -- Initialize quotient and remainder to zero
    R := 0
    for i := n − 1 .. 0 do  -- Where n is number of bits in N
      R := R << 1           -- Left-shift R by 1 bit
      R(0) := N(i)          -- Set the least-significant bit of R equal to bit i of the numerator
      compared := ct_compare(R, D) -- Use constant-time inequality
      -- if R > D  then compared ==  1, swap = 1
      -- if R == D then compared ==  0, swap = 1
      -- if R < D  then compared == -1, swap = 0
      swap := (1 - ((compared >> 31) & 1))
      -- R' = R - D
      -- Q' = Q, Q[i] = 1
      Rprime := R - D
      Qprime := Q
      Qprime(i) := 1 -- The i'th bit is set to 1
      -- Replace (R with R', Q with Q') if swap == 1
      R = ct_select(swap, Rprime, R)
      Q = ct_select(swap, Qprime, Q)
    end

    It’s approximately twice as slow as the original, but it’s constant-time.

    (Art by Khia.)

    Constant-Time Modular Inversion

    Modular inversion is the calculation of for some prime . This is used in a lot of places, but especially in elliptic curve cryptography and RSA.

    Daniel J. Bernstein and Bo-Yin Yang published a paper on fast constant-time GCD and Modular Inversion in 2019. The algorithm in question is somewhat straightforward to implement (although determining whether or not that implementation is safe is left as an exercise to the rest of us).

    A simpler technique is to use Fermat’s Little Theorem: for some prime . This only works with prime fields, and is slower than a Binary GCD (which isn’t necessarily constant-time, as OpenSSL discovered).

    BearSSL provides an implementation (and accompanying documentation) for a constant-time modular inversion algorithm based on Binary GCD.

    (In the future, I may update this section of this blog post with an implementation in PHP, using the GMP extension.)

    Constant-Time Null-Byte Trimming

    Shortly after this guide first went online, security researchers published the Raccoon Attack, which used a timing leak in the number of leading 0 bytes in the pre-master secret–combined with a lattice attack to solve the hidden number problem–to break TLS-DH(E).

    To solve this, you need two components:

    1. A function that returns a slice of an array without timing leaks.
    2. A function that counts the number of significant bytes (i.e. ignores leading zero bytes, counts from the first non-zero byte).

    A timing-safe array resize function needs to do two things:

    1. Touch every byte of the input array once.
    2. Touch every byte of the output array at least once, linearly. The constant-time division algorithm is useful here (to calculate x mod n for the output array index).
    3. Conditionally select between input[x] and the existing output[x_mod_n], based on whether x >= target size.

    I’ve implemented this in my constant-time-js library:

    Further Reading and Online Resources

    If you’re at all interested in cryptographic side-channels, your hunger for knowledge probably won’t be sated by a single blog post. Here’s a collection of articles, papers, books, etc. worth reading.

    Errata

    • 2020-08-27: The original version of this blog post incorrectly attributed Jacobian coordinate blinding to ECDSA hardening, rather than ECDH hardening. This error was brought to my attention by Thai Duong. Thanks Thai!
    • 2020-08-27: Erin correctly pointed out that omitting memory access timing was a disservice to developers, who might not be aware of the risks involved. I’ve updated the post to call this risk out specifically (especially in the conditional select code, which some developers might try to implement with pointer swapping without knowing the risks involved). Thanks Erin!

    I hope you find this guide to side-channels helpful.

    Thanks for reading!

    Follow my blog for more Defense Against the Bark Arts posts in the future.

    https://soatok.blog/2020/08/27/soatoks-guide-to-side-channel-attacks/

    #asymmetricCryptography #constantTime #cryptography #ECDH #ECDSA #ellipticCurveCryptography #RSA #SecurityGuidance #sideChannels #symmetricCryptography
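
Added example for the constant-time integer multiplication and division sections of the side-channel guide in result 18 (not code from that post, sodium_compat or constant-time-js): branch-free peasant multiplication and shift-subtract division on unsigned 32-bit integers. The function names are illustrative assumptions, and the property shown is algorithmic constant-time only, since a JIT compiler may still reintroduce branches.

```javascript
// Added illustration; all names are hypothetical. Inputs are unsigned 32-bit integers.

// 1 -> 0xffffffff, 0 -> 0x00000000, computed without a branch (two's complement).
function maskFromBit(bit) {
  return (-(bit & 1)) >>> 0;
}

// Returns a when bit is 1 and b when bit is 0: b XOR ((a XOR b) AND mask).
function ctSelect32(bit, a, b) {
  return (b ^ ((a ^ b) & maskFromBit(bit))) >>> 0;
}

// Returns 1 if a < b as unsigned 32-bit values, else 0.
// The top bit of the expression is the borrow out of (a - b).
function ctLt32(a, b) {
  return ((~a & b) | (~(a ^ b) & (a - b))) >>> 31;
}

// Peasant multiplication modulo 2^32. The loop always runs 32 times, and the
// "if the lowest bit is set" step is replaced by an AND with a mask.
function ctMul32(a, b) {
  let acc = 0;
  for (let i = 0; i < 32; i++) {
    const mask = maskFromBit(b & 1);
    acc = (acc + ((a & mask) >>> 0)) >>> 0; // adds a or 0
    a = (a << 1) >>> 0;
    b = b >>> 1;
  }
  return acc;
}

// Shift-subtract division. Both candidate states (R, Q) and (R - D, Q with
// bit i set) are computed on every iteration, then one is selected by mask.
function ctDivMod32(n, d) {
  if (d === 0) throw new RangeError('division by zero'); // divisor assumed public
  let q = 0;
  let r = 0;
  for (let i = 31; i >= 0; i--) {
    r = ((r << 1) | ((n >>> i) & 1)) >>> 0; // R := (R << 1) | N(i)
    const swap = ctLt32(r, d) ^ 1;            // 1 when R >= D
    const rPrime = (r - d) >>> 0;
    const qPrime = (q | (1 << i)) >>> 0;
    r = ctSelect32(swap, rPrime, r);
    q = ctSelect32(swap, qPrime, q);
  }
  return { q, r };
}
```
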

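Added example for the blinded ECDH and modular inversion sections of the side-channel guide in result 18 (not code from that post): Jacobian coordinates with a caller-supplied random Z on the textbook toy curve y^2 = x^3 + 2x + 2 over F_17, with inversion by Fermat's little theorem. The curve, base point and function names are assumptions chosen for illustration, and BigInt arithmetic is not constant-time, so this shows only the blinding algebra.

```javascript
// Added illustration; toy parameters (insecure), all names hypothetical.
// Curve y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of order 19.
const P = 17n;
const A = 2n;
const G = { x: 5n, y: 1n };
const INFINITY = { X: 1n, Y: 1n, Z: 0n };

const mod = (v) => ((v % P) + P) % P;

// Square-and-multiply exponentiation modulo P.
function modPow(base, exp) {
  let result = 1n;
  base = mod(base);
  while (exp > 0n) {
    if (exp & 1n) result = mod(result * base);
    base = mod(base * base);
    exp >>= 1n;
  }
  return result;
}

// Fermat's little theorem: a^(P-2) is the inverse of a modulo the prime P.
const modInv = (a) => modPow(a, P - 2n);

// Affine (x, y) -> Jacobian (x*z^2, y*z^3, z). Every z in [1, P-1] names the
// same point; z = 1 is the unblinded choice. In real use z comes from a CSPRNG.
function toJacobian(pt, z) {
  if (mod(z) === 0n) throw new RangeError('z must be non-zero mod P');
  const z2 = mod(z * z);
  return { X: mod(pt.x * z2), Y: mod(pt.y * z2 * z), Z: mod(z) };
}

// Jacobian -> affine: x = X / Z^2, y = Y / Z^3. Z = 0 is the point at infinity.
function toAffine(j) {
  if (j.Z === 0n) return null;
  const zi = modInv(j.Z);
  const zi2 = mod(zi * zi);
  return { x: mod(j.X * zi2), y: mod(j.Y * zi2 * zi) };
}

function jDouble(p) {
  if (p.Z === 0n || p.Y === 0n) return INFINITY;
  const y2 = mod(p.Y * p.Y);
  const s = mod(4n * p.X * y2);
  const z2 = mod(p.Z * p.Z);
  const m = mod(3n * p.X * p.X + A * z2 * z2);
  const X = mod(m * m - 2n * s);
  const Y = mod(m * (s - X) - 8n * y2 * y2);
  return { X, Y, Z: mod(2n * p.Y * p.Z) };
}

function jAdd(p, q) {
  if (p.Z === 0n) return q;
  if (q.Z === 0n) return p;
  const pz2 = mod(p.Z * p.Z);
  const qz2 = mod(q.Z * q.Z);
  const u1 = mod(p.X * qz2);
  const u2 = mod(q.X * pz2);
  const s1 = mod(p.Y * qz2 * q.Z);
  const s2 = mod(q.Y * pz2 * p.Z);
  const h = mod(u2 - u1);
  const r = mod(s2 - s1);
  if (h === 0n) return r === 0n ? jDouble(p) : INFINITY; // same point or inverse
  const h2 = mod(h * h);
  const h3 = mod(h2 * h);
  const X = mod(r * r - h3 - 2n * u1 * h2);
  const Y = mod(r * (u1 * h2 - X) - s1 * h3);
  return { X, Y, Z: mod(h * p.Z * q.Z) };
}

// k*G by double-and-add, starting from G blinded with z. Returns the affine
// result and the Jacobian intermediates, which are what a power or EM trace
// of the field arithmetic would reflect.
function blindedScalarMul(k, z) {
  const base = toJacobian(G, z);
  let acc = INFINITY;
  const trace = [];
  for (const bit of k.toString(2)) {
    acc = jDouble(acc);
    if (bit === '1') acc = jAdd(acc, base);
    trace.push(`${acc.X},${acc.Y},${acc.Z}`);
  }
  return { affine: toAffine(acc), trace };
}
```

Every non-zero z yields the same affine result while the intermediate coordinates change, which is why a fresh z per scalar multiplication removes the repeatable signal.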
  19. If you are a Gradio developer, it would interest you to know that Gradio apps can also be developed in other languages, like R. 🤓

    To this effect, I have created a GitHub repository that shows how fully functional Gradio apps can be very easily developed in R by porting the Python Gradio module into R. 🔥 🚀

    github.com/Ifeanyi55/Gradio-in

    ⭐ Please star the repository. It would be very much appreciated. ⭐

    #Rstats #python #Gradio #software

  20. "—and I don't care if you're pissed, you can't throw food at the Dragon Warlord,"

    — the dragon republic by r. f. kuang

  21. Sitting on a bench, surrounded by nature and a breathtaking view, we’re reminded of the beauty of contemplation. Take a moment to reflect and let inspiration flow! 🌳✨

    📍Bern 🧸, Switzerland 🇨🇭

  22. I’ve managed to source a copy of ‘Cheech and Chong’s Final Movie,’ which I think I’ll load to my iPad for the flight to Nimbin later this week. Meantime, I’ll get myself in the mood by smoking a couple of pipes, and watching their 1978 movie, ‘Up in Smoke.’ #CannabisCommunity #LetMyPeopleGrow

  23. Cannabis Lies Vol. 9: The Reform Lie

    Filed Under: Policy Fiction

    The federal apparatus has spoken. The Department of Justice and the Drug Enforcement Administration have announced a shift in the regulatory status of cannabis, moving state-licensed medical products to Schedule III under the Controlled Substances Act while pointedly leaving adult use, unlicensed, and synthetic THC products in Schedule I. Headlines across the country erupted with the language of victory. Outlets hailed this as a historic acknowledgment of the plant’s medical utility, a shift that supposedly recognizes the plant’s reality after decades of denial. The public was told that the prohibition era was entering its twilight and that the federal government had finally conceded that the plant possesses medicinal value.

    None of this reflects the actual legal impact of the order. This announcement is the latest manifestation of the Reform Lie. It is a calculated piece of bureaucratic maintenance designed to satisfy the demand for progress while ensuring the core structure of prohibition remains entirely untouched. As Acting US Attorney General Todd Blanche stated in the order, the new policy mandates that:

    “Marijuana in any form covered by a state medical marijuana license, be placed in Schedule III of the Controlled Substances Act.”

    It is a classic maneuver by the state to preserve its authority by offering a small, controlled concession that changes everything on paper but leaves the reality of the drug war exactly where it has always been.

    The Reform Lie is the mechanism by which the state manages the tension between popular opinion and its own mandate. It functions by acknowledging that a substance has medical value without ever addressing the fundamental injustice of its criminalization. When the government moves a substance from one box to another, it claims it is following the science. When that same government keeps the prisons full, keeps the borders militarized against possession, and keeps the threat of federal intervention hanging over every state-sanctioned interaction, it is not following science. It is managing optics. For decades, the apparatus has faced growing pressure to address the disconnect between federal law and the public reality of cannabis use. Instead of dismantling the structure, the government has repeatedly opted for symbolic reform. These gestures generate cycles of positive press. They allow officials to claim they have acted on the issue. They provide a release valve for public anger without ever sacrificing the underlying authority to arrest, prosecute, and punish. This is the central trick. The Reform Lie presents a change in tax status as a change in morality.

    To understand the scope of this deception, one must look closely at what the shift to Schedule III actually achieves. Under the Controlled Substances Act, Schedule III is home to substances such as anabolic steroids and certain prescription painkillers. It is a designation that implies a potential for abuse, though one that the state deems less severe than those in the Schedule I category, which the government defines as having no currently accepted medical use. Moving state-licensed medical products to Schedule III finally acknowledges what has been true for thousands of years. It acknowledges that the plant has medical value.

    However, the change in classification does nothing to address the core conflicts of the prohibition era. The federal criminal penalties for the unauthorized production, distribution, or possession of cannabis remain firmly in place for everything outside that narrow, state-sanctioned medical window. The interstate commerce ban survives completely intact. The government continues to treat the transport of the plant across state lines as a federal crime, regardless of the legality of the substance in the states of origin or destination. Banking remains a fractured landscape of private risk and federal oversight. Employment in the federal sector remains hostile to users, and the firearm restrictions that strip rights from medical patients do not budge.

    Most critically, this move provides no relief for those currently held in the carceral system. This order structurally excludes any mechanism for record relief, sentence modification, or pardon, leaving the carceral status quo entirely intact. It does not vacate criminal records. It does not end the status of cannabis as a tool for immigration enforcement. It does not stop the random, localized harassment of the population by federal agencies that still view the plant as contraband outside of the narrow, state-licensed framework.

    This is a victory for the balance sheet. It is a win for the corporations that have spent millions lobbying for the ability to deduct ordinary business expenses under the tax code. As of April 22, 2026, state-licensed medical cannabis is no longer subject to 280E. It is a stabilization for the industry that the government has deemed acceptable. For the average person, for the patient, and for the citizen who does not operate within the protective bubble of a state-licensed medical program, the reality remains frozen in the past. This bifurcation of the population is intentional. It creates a system where legitimacy is not a right inherent to the citizen. It is a commodity to be licensed. The people who work within the sanctioned industry are protected, taxed, and monitored. The people who exist outside of that bubble, who grow their own, who share, or who live in states without functional medical programs, are left to the mercy of a law that has not changed. The government has not legalized the plant. It has simply professionalized the privilege of interacting with it.

    This strategy is not new. It follows a consistent historical pattern. In every generation, the state has used cannabis policy as a messaging tool to address shifting cultural demands. This is not about the plant. It is about the maintenance of control. The lineage of this deception is long and well-documented.

    Consider the era of the Gateway Lie. The government needed a way to justify the expansion of its police power, so it framed the plant as the first step on a path to hard drug use. This narrative was never about safety. It was about creating a bridge between a benign cultural habit and the perceived chaos of the heroin epidemic. It gave law enforcement a justification to monitor, harass, and incarcerate individuals who were otherwise peaceful. The Gateway Lie was effective because it operated on fear. It suggested that a single act of consumption was a moral failing that would lead inevitably to destruction.

    Consider the Crime Lie, where the plant was the supposed accelerant for violence. In the 1980s and 1990s, the state pivoted to a narrative of aggression. It claimed that cannabis use caused psychosis and fueled the drug trade. It used this narrative to justify the militarization of police forces, the introduction of civil asset forfeiture, and the explosion of the prison population. The Crime Lie turned the consumer into a danger to the public, a threat that had to be neutralized by the full weight of the judicial system. It was never about the drug. It was about the expansion of the carceral state.

    Consider the Teen Epidemic Lie, where the narrative focused on the alleged destruction of youth, or the Addiction Lie, which served to pathologize a human relationship with a plant. Each of these lies served a purpose. They provided the state with the moral cover required to expand surveillance, increase budgets, and exert control. The Reform Lie is simply the modern evolution of this pattern. The state no longer needs to argue that the plant causes violence, because the public no longer believes it. So, the state shifts the narrative. It pivots to the language of regulation. It claims to be fixing the system. It is a retreat, but it is a managed retreat. The goal remains the same, which is to maintain the state’s position as the final arbiter of what a person can put into their own body.

    The most devastating impact of the Reform Lie is the erasure of the human cost. When the headlines celebrate a minor technical shift, they drown out the voices of those who continue to suffer under the full weight of prohibition. The Reform Lie tells the prisoner that their incarceration is necessary because they did not have the right paperwork. It tells the immigrant that their status remains precarious because the federal law still views the plant as an illicit substance. It tells the veteran that they must choose between their medical treatment and their access to federal services. It tells the small grower that they are a criminal while the corporate entity next door is a taxpayer. By focusing on the tax status of corporations, the conversation ignores the individuals who are still being processed through the system. It creates an environment where progress is measured by market capitalization rather than the restoration of liberty. It turns the struggle for sovereignty into a fight for market share.

    If the government acknowledges that cannabis has medical value, the continued maintenance of criminal penalties for everyone else becomes an indefensible moral contradiction. One cannot simultaneously argue that a substance is legitimate medicine and that the possession of that substance warrants the stripping of rights, the loss of employment, or the threat of prison. This contradiction exposes the truth of the state position. The government does not actually care about the safety of the substance. It cares about the control of the substance. If it were about safety, the state would be looking for ways to educate rather than incarcerate. If it were about medicine, the state would be ensuring access rather than creating barriers. The existence of the prohibition machinery alongside the admission of medical utility for the licensed few is proof that the objective has always been to maintain a system of punishment.

    This system relies on the compliance of the public. It relies on the belief that the state is making progress. The Reform Lie is designed to prevent the public from seeing that the state is not moving toward freedom. It is moving toward an integrated model of control. By allowing a portion of the market to become legitimate, the state creates a vested interest in the status quo. The corporate entities that now have a seat at the table are no longer incentivized to fight for total legalization. They are incentivized to maintain the current regulatory structure because it keeps their competitors out. They become partners in the enforcement of the very prohibition they once railed against. This is the ultimate victory for the state. It co-opts the opposition by giving them a slice of the profit.

    We have seen this happen in other sectors of the economy, where regulations are written by the very corporations they are meant to govern. This is not reform. This is the capture of the regulatory apparatus. The Reform Lie ensures that the people who built the culture, who fought for the plant when it was dangerous to do so, are excluded from the new order. They are the ones who bear the cost of the transition. They are the ones who are still in cages, who are still fleeing from the law, who are still fighting for the right to exist in peace.

    This administrative process is now set to continue with new hearings starting June 29, 2026. These proceedings are often portrayed as a necessary step toward further reform, a way to build a bureaucratic consensus for future changes. In practice, they serve as a stalling tactic. They provide a way for the administrative state to maintain the illusion of progress while keeping the ultimate authority firmly in its own hands. These hearings will involve experts, lobbyists, and officials debating the minutiae of regulation, all while the fundamental structure of the Controlled Substances Act remains unassailable. The system is designed to consume time, resources, and energy, ensuring that any real change is mediated through a process that the state can control, slow, or halt entirely. It is a theatre of governance, performed for an audience that is desperate for change, but the script was written in the halls of power, not by the people who have lived the consequences of prohibition.

    The administrative state is also moving to consolidate its control over clinical trials. By creating a registration pathway for state-licensed entities, the government is essentially seizing control of the research process. It is setting itself up as the gatekeeper of scientific knowledge. It will dictate who can research the plant, what they can research, and what the results can be used for. This is not an opening of the doors to scientific discovery. It is the enclosure of the scientific commons. It ensures that the research that reaches the public will be the research that has been filtered through the priorities of the state.

    The Reform Lie is not a strategy. It is an admission of failure. When the government chooses to perform the act of reform without embracing the reality of justice, it proves that it is not interested in the truth. It is interested in the maintenance of power. True reform would not be a shuffling of schedules. It would be the total and unconditional withdrawal of federal interference from the lives of the people. It would be the recognition that the state has no authority to criminalize the relationship between a human being and a plant. It would be the end of the prohibition machine, the release of the prisoners, and the restoration of rights for every person affected by the war on the plant.

    As long as the apparatus continues to frame these technical shifts as moral victories, the public must recognize the deception. This is not progress. This is the state recalibrating its control to ensure that it remains the gatekeeper, the tax collector, and the final judge of who is allowed to exist in the world it seeks to dominate. The plant remains the same. The people remain the same. The only thing that has shifted is the label on the cage. The cage is still there. The bars are still locked. The guards are still watching. The power to punish, to threaten, and to control has not been removed. It has been refined. It has been made more surgical. It has been made more efficient.

    The moral weight of this lie is heavy. It falls on those who have been promised justice and received only a change in terminology. It falls on the families who have been broken by the enforcement of archaic laws. It falls on the communities that have been targeted for generations. The Reform Lie assumes that the public has forgotten the history of the struggle. It assumes that the public is satisfied with the crumbs of corporate legitimacy. It assumes that there is no understanding of the difference between the freedom to live and the permission to serve.

    The narrative of the state must be rejected. The recognition must grow that every small step that leaves the core structure of the prohibition machine in place is a step away from justice. The government must be held accountable for the contradiction of its own law. The reality of the prohibition era must continue to be documented, to expose the lies that are told to justify the control, and to advocate for the total restoration of liberty. The struggle for the plant is not a struggle for a change in status. It is a struggle for the soul of the culture. It is a struggle to define what it means to be a free person in a society that seeks to regulate every choice. As NORML Deputy Director Paul Armentano noted regarding the order:

    “Rescheduling fails to fully harmonize federal marijuana policy with the cannabis laws of many states, particularly the 24 states that have legalized its use and sale to adults.”

    This is the core of the deception. The Reform Lie is the latest barrier to that freedom. It is a wall that must be dismantled, not by the government, but by the people who have lived the reality of the struggle.

    The truth is simple, though the state works hard to obscure it. Cannabis is a part of the human experience. It has been used for healing, for creativity, for connection, and for joy for as long as historical records exist. The attempts by the state to control this relationship are an affront to human autonomy. They are based on fear, on ignorance, and on a desire for power. The reclassification to Schedule III is just the latest tactic in a long campaign to prevent people from fully embracing their own sovereignty. While the proponents of this move claim that:

    “Today’s order marks a historical reversal in federal cannabis policy,”

    It is a sign that the state is feeling the pressure, that it knows its position is untenable, but that it is not yet ready to concede.

    A crossroads has been reached. Either the crumbs offered by the state are accepted, turning the public into participants in their own regulation, or the fight for the total and unconditional end of the prohibition machine continues. The Reform Lie can be accepted, or the truth can be demanded. The history of the culture is a history of resistance. It is a history of people who refused to be told what they could do, who they could be, or what they could consume. That history is the source of strength. It is the foundation upon which the future will be built. Permission from the state is not required to exist. Schedules, labels, and tax codes are not needed to define what is right. The truth is known, and it will continue to be shared until the last cage is empty and the prohibition machine is nothing but a memory.

    The Reform Lie will continue to be told. The headlines will continue to scream about progress that does not exist. The state will continue to frame its maintenance of power as a move toward justice. But the deception will not hold. The patterns are visible. The history is known. The stakes are understood. The reality of the prohibition era will be documented, one article, one story, one voice at a time. This is not just a battle for a plant. It is a battle for the truth. And it is a battle that will be won, not because the state gives permission, but because the truth is on the side of the people. The prohibition machine is built on lies, and lies cannot stand forever against the weight of reality. The end of prohibition is coming, not through the actions of the state, but through the resolve of the people who have been fighting for it all along. The Reform Lie is the last gasp of a system that knows its time is over. We will not be fooled. We will not be silenced. We will be here, documenting the reality, telling the truth, and fighting for the culture until the day the plant is free.

    ©2026, Pot Culture Magazine. All rights reserved. This is the property of Pot Culture Magazine and is protected by U.S. and international copyright laws. Unauthorized reproduction, distribution, or transmission of this work, in part or in whole, without the express written permission of Pot Culture Magazine, is strictly prohibited.

    #280E #AdministrativeLaw #cannabis #CannabisCommunity #CannabisCulture #CarceralState #Culture #DEA #DepartmentOfJustice #DrugWar #FederalGovernment #Industry #Legalization #Marijuana #MarijuanaNews #NORML #Policy #PolicyFiction #PotCultureMagazine #Prohibition #Reform #ScheduleIII #StateSanctioned #Weed