They do claim it at least for iPhone 15 "under ideal conditions": https://support.apple.com/en-us/101575

Edited to add: Sieving has got to be much faster than M-R if you want all primes of a certain size. You would use M-R or Baillie-PSW if you are testing them one at a time.

But sure, there are other shipyards they cleaned up in less than three decades.

And OK, sure, there's a lot of industry that ought to happen somewhere. Someone has to build ships and electronics and whatever, and if California's code is too strict then it just becomes NIMBYism. But if some company moves their gigafactory to Reno for easier permitting, I don't whether (or more likely by how much) CA is too strict, or NV is too lax. And I know that CA has NIMBYish and overregulatory tendencies, but given the clear bullshit on this website, I'm not inclined to give it the benefit of the doubt either.

I'm especially doubtful when it says "THE classic example of what you can't do in CA" is auto paint shops ("Impossible"!) ... but then the detail it gives is that they're "effectively impossible" to permit in the Bay Area AQMD, that being only one of the state's 35 AQMDs (albeit one of the larger ones).

On languages other than English: in general, different languages do word division very differently. At least in German and Dutch, many of those phrasal verbs are separable, meaning that they are one word in the infinitive but are multiple words in the present tense. So for example, where in English you would say "I log in to the website", in Dutch it would be "Ik log in op de website". "Log in" is two words in both cases, but in Dutch it's the separated form of the single-word separable verb inloggen ("I must log in now" = "Ik moet nu inloggen"). The verb is indeed separable in that the two words often don't end up next to each other: "I log in quickly" = "Ik log snel in".

Dutch, like German, has lots of compounds. But there are also agglutinative languages, which have even more complex compound words, perhaps comprising a whole sentence in another language. Eg (from Wikipedia) Turkish "evlerinizdenmiş" = "(he/she/it) was (apparently/said to be) from your houses" or Plains Cree "paehtāwāēwesew" = "he is heard by higher powers"; and these aren't corner cases, that's how the language works.

I got one with low-force switches. It's very comfortable to type on, but between the low-force switches and slightly different layout from a regular keyboard (column-staggered, concave, symbols in different locations) I make more mistakes. So I usually type on my laptop instead, especially while coding.

My phrase "how economists expect you to set it" is probably wrong here, since I'm not an economist, I've just read the most basic theory about how to use this tool, and also used it myself (on eBay, you know, years ago when the site was mostly auctions). So I don't really know what "economists expect", but rather the basic guidelines for using this tool. You got me there.

> I think this is the problem. When most sciences observe reality diverge from the model, they see that as a flaw in the model. When economists (at least you HN "economists") observe reality diverge from the model, they seem to see that as a flaw in reality.

But like, to double-check here: "reality" means your imagined use of a tool that you do not in fact use, right? Like you say you "don't do auctions" and I'm trying to explain what that option is for, and you're countering that the basic "how to use this tool" explanation is a wrong model of reality?

That said, the max price is supposed to be a price where you are not especially happy to get the item at that price, but not really sad either, a price where you would say "well, I hoped for better but I guess that's a fair deal". That's not realistically pinned down to the cent. But if you set a max price at $5000 and would be happy to get the item at $5000.02 (for some reason other than satisfaction from sniping), then you set your max price wrong, or at least differently from how economists expect you to set it.

For tricky-to-price items like unique art pieces, the idea that you can pin this down might be a fantasy, but for commodity items it's pretty reasonable. If you can buy the same thing at costco dot com for $500, then it's probably not worth more than $500 to you, and if at auction you get outbid and it sells for $500.01 then you'll shrug and go order the same thing for a cent less, having wasted only a few minutes of your time. If the item you're bidding on is discontinued (e.g. it's last year's model) but you can buy a slightly better one for $550, and you can spare that extra $50, then again you won't be too sad about getting outbid. Online auctions are more popular for used items, but again in that case you usually still have an idea of what a used item is worth to you.

IIRC, binary fuse filters are faster to construct than ribbon filters, but typically not quite as space-efficient. There are also frayed ribbon filters (by me) which are slower and more complex to construct but more space-efficient. There's no paper for those, just a Rust implementation.

Ribbon filters are deployed in Mozilla's Clubcard for distributing compressed certificate revocation lists: https://github.com/mozilla/clubcard and https://jmschanck.info/papers/20250327-clubcard.pdf. CRLs are an almost ideal application of this sort of compressed set tech, since the aggregator runs batch jobs and needs to distribute the set to very many clients. It's not perfectly ideal because CRLs require frequent updates and none of these methods support delta updates. There is a straightforward but inelegant workaround, which is to send a compressed set that represents the delta, and query both on the client.

A second special case of this theorem is Pascal's theorem, which says (roughly) that a variant of the elliptic curve group law also works on the union of a conic C and a line L (this union, like an elliptic curve, is cubic), where the group elements are on the conic. One point O on the conic is marked as the identity. To add points A+B, you draw a line AB between them, intersect that with the fixed line L in a point C, draw a second line CO back through the marked identity point, and intersect again with the conic in D:=A+B. This procedure obviously commutes and satisfies the identity law, and according to Pascal's theorem it associates.

Under a projective transformation, if the conic and line don't intersect, you can send the line to infinity and the conic to the units in (IIRC) a quadratic extension of F (e.g. the complex unit circle, if -1 isn't square in F). Since the group structure is defined by intersections of lines and conics, projective transformations don't change it. So the group is isomorphic to the group of units in an extension of F. If they do intersect ... not sure, but I would guess it instead becomes the multiplicative group in F itself.

The multiplicative group of F can be used for cryptography (this is classic Diffie-Hellman), as can the group of units in an extension field (this is LUCDIF, or in the 6th-degree case it's called XTR). These methods are slightly simpler than elliptic curves, but there are subexponential "index calculus" attacks against them, just like the ones against the original Diffie-Hellman. The attack on extension fields got a lot stronger with Joux's 2013 improvements. Since no such attack is known against properly chosen elliptic curves, those are used instead.

When using RSA to sign a message m, in practice you don't send m^d mod N. That would generally be insecure, depending on what kinds of messages your system sends and/or accepts. In practical systems, instead you hash m, and then adjust the hash through a (possibly randomized) process called "padding" to be a value in [0,N). There are different standards for padding, and the better designs use additional hashing.

The security of the system depends in part on the hashed-then-padded message "looking random", i.e. not having structure that can be exploited by an attacker. It turns out to be tricky to formalize what exact randomness property you need, so cryptosystems are often analyzed in the "random oracle model" (ROM) in which the hash function has impossibly strong randomness properties.

It seems that usually, if you use a strong hash function, a scheme that's proved secure in the ROM is secure in real life (or at least it's not the ROM part that breaks); the counterexamples are usually really contrived. This article is about a somewhat-less-contrived, but still not quite realistic, example where something that's secure in the ROM would break due to the ROM being an unrealistic model.

Classical DSA and ECDSA do not use hash functions this way, but in my opinion they aren't stronger for it: they're basically assuming instead that some other mathematical function "looks random", which seems riskier than assuming that about a hash function. I've heard that the reason for this is to get around Schnorr's patent on doing it with hash functions, which has since expired.

The SHA3 and SHAKE hash functions (underlying e.g. ML-DSA) are explicitly designed to "look random" as well.

There are some signature schemes that try not to make such strong assumptions: in particular SLH-DSA targets properties more like first- and second-preimage resistance, target-collision-resistance, and so on.

They gave a (maliciously constructed) program whose outputs are pairs (a,b) where certainly a != b (instead the program is constructed such that a = b+1 always). But you can get the corresponding Fiat-Shamir protocol to accept the statement "I know a secret x such that Program(x) = (0,0)", which is clearly a false statement.

In a typical error-correcting code usage, you have an encoder which takes your message, and adds some extra symbols at the end which are calculated so that the syndrome is zero. Then when receiving your message, the receiver calculates the syndrome and if it's not zero, they know that at least one error has occurred. By using the code's decoding algorithm, they can figure out the fewest (and thus hopefully most likely) number of changes which would result in that error syndrome, and use this information to (hopefully) correct the transmission error.

For the missing numbers problem, you can set x_i to "how many times does the number i appear?". Then since the syndrome is sum(x_i * G_i), you can compute the syndrome on an unordered list of the i's. You are expecting the syndrome to be the same as the syndrome of full set 1...n, so when it is not, you can figure out which few x_i's are wrong that would lead to the syndrome you observed. You have an advantage because you know how many numbers are missing, but it's only a slight one.

The author's solution is called the Hamming code: you set F(i) = i, and you do the additions by xoring. Using error-correcting codes generalize to more missing numbers as well, including using xor, but the math becomes more complicated: you would want to use a fancier code such as a BCH or Goppa code. These also use xor, but in more complicated ways.

   L(z) = z^2 - (x+y)z + xy.

Then you solve for the roots of L, either using your finite field's variant of the quadratic formula, or e.g. just by trying everything in the field.

* But wait, this doesn't actually work! *

Over fields of small characteristic, such as F_2^m, you need to modify the approach and use different powers. For example, in the equations above, I divided by 2. But over F_2^m in the example shown above, you cannot divide by 2, since 2=0. In fact, you cannot solve for (x,y) at all with only x+y and x^2 + y^2, because

  (x+y)^2   =   x^2 + y^2 + 2xy   =   x^2 + y^2 + 0xy (since 2=0)   =   x^2 + y^2