Places of Memory · Kraków

Kraków, Poland

Kraków, Poland
© 2026 Bryan R. Hinton

Provenance · Integrity Record

Canonical processed file hashes · SHA‑512

Hashes are of the byte-identical JPEGs converted from raw sensor data. Verify with sha512sum -c SHA512SUMS.

SHA512SUMS

Classical signature · GPG Ed448

Fingerprint: CA42 47E8 9A5E FEAB 36DC 6A42 C547 9171 B69A 3CFB 887D B92C 3FB1 480A 2993 57A3

SHA512SUMS.asc · Public key

Post‑quantum signature · ML‑DSA‑87

SHA512SUMS.mldsa · Public key

Post‑quantum signature · SLH‑DSA‑SHAKE‑256s

SHA512SUMS.slhdsa · Public key

Blockchain timestamp · OpenTimestamps

The .ots file proves that SHA512SUMS existed at or before the Bitcoin block timestamp below.

Anchor: Bitcoin block 951191
Timestamp: 2026-05-27 00:49 UTC
SHA512SUMS.ots

© 2026 Bryan R. Hinton. All rights reserved. All original text, photographs, and processed imagery on this page, including hyperspectral reconstructions, abundance maps, classification maps, anomaly maps, and any other algorithmically derived visualizations, are the sole intellectual property of Bryan R. Hinton. The underlying spectral data, latent representations, and intermediate pipeline outputs are likewise reserved. No portion of this material may be reproduced, redistributed, modified, displayed, or used to train, fine tune, or evaluate machine learning models without prior written permission. Brief quotation for the purposes of criticism, scholarship, or review is permitted under standard fair use principles, provided attribution is given.

Unbroken Identity: Quantum-Resilient Resistance

Memory means ensuring the immutability of truth over time. In the physical world, we use archives to preserve our stories. In the digital world, we use cryptography to protect identity, authorship, and trust.

A new threat posed by quantum computers now challenges this foundation. On a massive scale, it will be capable of erasing or falsifying the cryptographic records that define our digital lives.

To protect the integrity of our collective memory and prevent future attackers from stealing identities, I have moved beyond previous cryptographic standards and am today implementing the highest available level of security: post-quantum technology.

The Dual Threat: Shor and Grover

Quantum computing poses two distinct mathematical threats to modern cryptography. To understand the transition to post-quantum standards, it is essential to be familiar with both.

Shor's Algorithm: The Public-Key Destroyer

Shor's algorithm represents the existential threat. It efficiently solves the problems of integer factorization and discrete logarithms—the mathematical underpinnings of almost all classical public-key cryptosystems, including RSA, Diffie-Hellman, and elliptic curve cryptography (ECC). This is not merely a weakening, but a complete break. A sufficiently powerful quantum computer can derive private keys from public keys, thereby undermining fundamental identity systems.

Grover's Algorithm: The Symmetric Weakener

Grover's algorithm targets symmetric cryptography and hash functions. It offers a quadratic speedup for brute-force searches, effectively halving the security strength of a key. This is why AES-256 is so crucial: even after Grover's reduction, it still offers 128 bits of effective security—a level that is practically unbreakable.

The Practical Consequence: Store Now, Decrypt Later

The most immediate threat is the SNDL (Store Now, Decrypt Later) attack. Encrypted traffic, identity credentials, certificates, and signatures can be intercepted today—while classical cryptography is still valid—and stored indefinitely. Once quantum technology matures, these archives can be retroactively decrypted or forged. If our cryptographic foundations fail, we also lose the ability to document our own digital history.

Beyond Obsolete Standards: Why ML-DSA-87?

For years, elliptic curve cryptography—specifically P-384 (ECDSA)—was the gold standard in high-security environments. While P-384 offers approximately 192 bits of classical security, it possesses absolutely no resistance to Shor's algorithm. It was designed for a classical world, and that world is coming to an end.

Therefore, I have implemented ML-DSA-87 for Root CA and signing operations. ML-DSA-87 represents the highest security level among modern lattice-based standards (Category 5), computationally equivalent to AES-256. Choosing this level—rather than the widely adopted ML-DSA-65—ensures that my network's identity is established with the greatest possible security margin available today.

Hardware Reality: AArch64 and the PQC Workload

Post-quantum cryptography is no longer theoretical. It is now deployable, even on routers and mobile devices. I am running a customized OpenSSL 3.5.0 build on an AArch64 MediaTek Filogic 830/880 platform. This SoC is unusually well-suited for post-quantum workloads.

Vector Scaling with NEON

ML-KEM and ML-DSA rely heavily on polynomial arithmetic. ARM NEON vector instructions enable the parallel execution of these operations, thereby significantly reducing TLS handshake latency—even when handling large amounts of PQ key material.

Memory Efficiency

Post-quantum keys are large. A public ML-KEM-1024 key comprises 1568 bytes, compared to 49 bytes for P-384. AArch64's 64-bit address space enables efficient management of these buffers and avoids the fragmentation issues of older architectures.

Technical Verification: Post-Quantum CLI Checks

After installing the customized toolchain on the AArch64 target system, the post-quantum stack can be verified directly.

KEM Verification

openssl list -kem-algorithms

Expected Output:

ml-kem-1024
secp384r1mlkem1024 (high-security hybrid)

Signature Verification

openssl list -signature-algorithms | grep -i ml

Expected Output:

ml-dsa-87 (256-bit security)

The presence of these algorithms confirms that the platform supports both post-quantum key exchange (ML-KEM-1024) and quantum-resistant signatures (ML-DSA-87).

Summary: My AArch64 Post-Quantum Stack

• Library: OpenSSL 3.5.4 (customized AArch64 build)
• SoC: MediaTek Filogic 830 / 880
• Architecture: ARMv8-A (AArch64)
• Key Exchange: ML-KEM-1024 + hybrid
• Identity & Signature: ML-DSA-87
• Security Level: Level 5 (quantum-ready)
• Status: Production-ready

By migrating directly to ML-KEM-1024 and ML-DSA-87, I have bypassed the obsolete bottlenecks of the last decade. My network is no longer preparing for the quantum transition—it has already completed it. The rest of the industry will follow.

Headbands, hiding, and holding on

As I reflect on the past, I see you there every time, headband and all. When I was alone, you were by my side.

I am forever grateful.

RK3588 ARM Commissioning: U-Boot, Kernel, and Signal Integrity

The RK3588 SoC features a quad-core Arm Cortex-A76/A55 CPU, a Mali-G610 GPU, and a highly flexible I/O architecture, making it ideal for embedded Linux SBCs like the Radxa Rock 5B+.

I have researched and documented the commissioning of this platform, including my contributions to u-boot and the Linux kernel, the development of the device tree, the tools for reproducible builds, and signal integrity validation. Most of this work is still in active development and the early stages of preparation for release in the upstream project.

I publish my notes, measurements, and commissioning artifacts here as I work, while active u-boot and kernel development, including patch iterations, test builds, and branch history, is maintained in separate working repositories:

Signalanalyse / Bring-Up-Repository: https://github.com/brhinton/signal-analysis

The repository currently includes (and more are constantly being added):

Device Tree Sources and Rock 5B+ Board Activation
• UART signal integrity measurements at 1.5 Mbit/s on the SoC pad
• Instructions for creating the kernel, bootloader, and debugging setup
• Early Patch Workflows and Upstream Preparation Notes

Additional work on U-Boot and the Linux kernel, including mainline test builds, feature development, rebase updates, and ongoing patch series, is managed in separate working repositories. This repository serves as a central location for measurements, documentation, and commissioning notes at the board level.

This is an ongoing technical project still under development, and I will update the repositories as additional measurements, boards, and changes suitable for upstream development are prepared.

arch linux uefi with dm-crypt and uki

Arch Linux is known for its high level of customization, and configuring LUKS2 and LVM is a straightforward process. This guide provides a set of instructions for setting up an Arch Linux system with the following features:

• Root file system encryption using LUKS2.
• Logical Volume Management (LVM) for flexible storage management.
• Unified Kernel Image (UKI) bootable via UEFI.
• Optional: Detached LUKS header on external media for enhanced security.

Prerequisites

• A bootable Arch Linux ISO.
• An NVMe drive (e.g., /dev/nvme0n1).
• (Optional) A microSD card or other external medium for the detached LUKS header.

Important Considerations

• Data Loss: The following procedure will erase all data on the target drive. Back up any important data before proceeding.
• Secure Boot: This guide assumes you may want to use hardware secure boot.
• Detached LUKS Header: Using a detached LUKS header on external media adds a significant layer of security. If you lose the external media, you will lose access to your encrypted data.
• Swap: This guide uses a swap file. You may also use a swap partition if desired.

Step-by-Step Instructions

1. Boot into the Arch Linux ISO:

   Boot your system from the Arch Linux installation media.

2. Set the System Clock:

   # timedatectl set-ntp true

3. Prepare the Disk:

   • Identify your NVMe drive (e.g., /dev/nvme0n1). Use lsblk to confirm.
   • Wipe the drive:

   # wipefs --all /dev/nvme0n1

   • Create an EFI System Partition (ESP):

   # sgdisk /dev/nvme0n1 -n 1::+512MiB -t 1:EF00

   • Create a partition for the encrypted volume:

   # sgdisk /dev/nvme0n1 -n 2 -t 2:8300

4. Set up LUKS2 Encryption:

   Encrypt the second partition using LUKS2. This example uses aes-xts-plain64 and serpent-xts-plain ciphers, and SHA512 for the hash. Adjust as needed.

   # cryptsetup luksFormat --cipher aes-xts-plain64 \
     --keyslot-cipher serpent-xts-plain --keyslot-key-size 512 \
     --use-random -S 0 -h sha512 -i 4000 /dev/nvme0n1p2

   • --cipher: Specifies the cipher for data encryption.
   • --keyslot-cipher: Specifies the cipher used to encrypt the key.
   • --keyslot-key-size: Specifies the size of the key slot.
   • -S 0: Disables sparse headers.
   • -h: Specifies the hash function.
   • -i: Specifies the number of iterations.

   Open the encrypted partition:

   # cryptsetup open /dev/nvme0n1p2 root

5. Create the File Systems and Mount:

   Create an ext4 file system on the decrypted volume:

   # mkfs.ext4 /dev/mapper/root

   Mount the root file system:

   # mount /dev/mapper/root /mnt

   Create and mount the EFI System Partition:

   # mkfs.fat -F32 /dev/nvme0n1p1
   # mount --mkdir /dev/nvme0n1p1 /mnt/efi

   Create and enable a swap file:

   # dd if=/dev/zero of=/mnt/swapfile bs=1M count=8000 status=progress
   # chmod 600 /mnt/swapfile
   # mkswap /mnt/swapfile
   # swapon /mnt/swapfile

6. Install the Base System:

   Use pacstrap to install the necessary packages:

   # pacstrap -K /mnt base base-devel linux linux-hardened \
     linux-hardened-headers linux-firmware apparmor mesa \
     xf86-video-intel vulkan-intel git vi vim ukify

7. Generate the fstab File:

   # genfstab -U /mnt >> /mnt/etc/fstab

8. Chroot into the New System:

   # arch-chroot /mnt

9. Configure the System:

   Set the timezone:

   # ln -sf /usr/share/zoneinfo/UTC /etc/localtime
   # hwclock --systohc

   Uncomment en_US.UTF-8 UTF-8 in /etc/locale.gen and generate the locale:

   # sed -i 's/#'"en_US.UTF-8"' UTF-8/'"en_US.UTF-8"' UTF-8/g' /etc/locale.gen
   # locale-gen
   # echo 'LANG=en_US.UTF-8' > /etc/locale.conf
   # echo "KEYMAP=us" > /etc/vconsole.conf

   Set the hostname:

   # echo myhostname > /etc/hostname
   # cat <<EOT >> /etc/hosts
   127.0.0.1 myhostname
   ::1 localhost
   127.0.1.1 myhostname.localdomain myhostname
   EOT

   Configure mkinitcpio.conf to include the encrypt hook:

   # sed -i 's/HOOKS.*/HOOKS=(base udev autodetect modconf kms \
     keyboard keymap consolefont block encrypt filesystems resume fsck)/' \
     /etc/mkinitcpio.conf

   Create the initial ramdisk:

   # mkinitcpio -P

   Install the bootloader:

   # bootctl install

   Set the root password:

   # passwd

   Install microcode and efibootmgr:

   # pacman -S intel-ucode efibootmgr

   Get the swap offset:

   # swapoffset=`filefrag -v /swapfile | awk '/\s+0:/ {print $4}' | \
     sed -e 's/\.\.$//'`

   Get the UUID of the encrypted partition:

   # blkid -s UUID -o value /dev/nvme0n1p2

   Create the EFI boot entry. Replace <UUID OF CRYPTDEVICE> with the actual UUID:

   # efibootmgr --disk /dev/nvme0n1p1 --part 1 --create --label "Linux" \
     --loader /vmlinuz-linux --unicode "cryptdevice=UUID=<UUID OF CRYPTDEVICE>:root \
     root=/dev/mapper/root resume=/dev/mapper/root resume_offset=$swapoffset \
     rw initrd=\intel-ucode.img initrd=\initramfs-linux.img" --verbose

   Configure the UKI presets:

   # cat <<EOT >> /etc/mkinitcpio.d/linux.preset
   ALL_kver="/boot/vmlinuz-linux"
   ALL_microcode=(/boot/*-ucode.img)
   PRESETS=('default' 'fallback')
   default_uki="/efi/EFI/Linux/arch-linux.efi"
   default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
   fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
   fallback_options="-S autodetect"
   EOT

   Create the UKI directory:

   # mkdir -p /efi/EFI/Linux

   Configure the kernel command line:

   # cat <<EOT >> /etc/kernel/cmdline
   cryptdevice=UUID=<UUID OF CRYPTDEVICE>:root root=/dev/mapper/root \
   resume=/dev/mapper/root resume_offset=51347456 rw
   EOT

   Build the UKIs:

   # mkinitcpio -p linux

   Configure the kernel install layout:

   # echo "layout=uki" >> /etc/kernel/install.conf

10. Configure Networking (Optional):

    Create a systemd-networkd network configuration file:

    # cat <<EOT >> /etc/systemd/network/nic0.network
    [Match]
    Name=nic0
    [Network]
    DHCP=yes
    EOT

11. Install a Desktop Environment (Optional):

    Install Xorg, Xfce, LightDM, and related packages:

    # pacman -Syu
    # pacman -S xorg xfce4 xfce4-goodies lightdm lightdm-gtk-greeter \
      libva-intel-driver mesa xorg-server xorg-xinit sudo
    # systemctl enable lightdm
    # systemctl start lightdm

12. Enable Network Services (Optional):

    # systemctl enable systemd-resolved.service
    # systemctl enable systemd-networkd.service
    # systemctl start systemd-resolved.service
    # systemctl start systemd-networkd.service

13. Create a User Account:

    Create a user account and add it to the wheel group:

    # useradd -m -g wheel -s /bin/bash myusername

14. Reboot:

    Exit the chroot environment and reboot your system:

    # exit
    # umount -R /mnt
    # reboot

Multidimensional arrays of function pointers in C

Embedded hardware typically includes an application processor and one or more adjacent processor(s) attached to the printed circuit board. The firmware that resides on the adjacent processor(s) responds to instructions or commands.  Different processors on the same board are often produced by different companies.  For the system to function properly, it is imperative that the processors communicate without any issues, and that the firmware can handle all types of possible errors.

Formal requirements for firmware related projects may include the validation and verification of the firmware on a co-processor via the application programming interface (API).  Co-processors typically run 8, 16, or 32-bit embedded operating systems.  If the co-processor manufacturer provides a development board for testing the firmware on a specific co-processor, then the development board may have it's own application processor. Familiarity with all of the applicable bus communication protocols including synchronous and asynchronous communication is important.  High-volume testing of firmware can be accomplished using function-like macros and arrays of function pointers.  Processor specific firmware is written in C and assembly - 8, 16, 32, or 64-bit.  Executing inline assembly from C is straightforward and often required.  Furthermore, handling time-constraints such as real-time execution on adjacent processors is easier to deal with in C and executing syscalls, low-level C functions, and userspace library functions, is often more efficient.  Timing analysis is often a key consideration when testing firmware, and executing compiled C code on a time-sliced OS, such as Linux, is already constrained.

To read tests based on a custom grammar, a scanner and parser in C can be used. Lex is ideal for building a computationally efficient lexical analyzer that outputs a sequence of tokens. For this case, the tokens comprise the function signatures and any associated function metadata such as expected execution time. Creating a context-free grammar and generating the associated syntax tree from the lexical input is straightforward.   Dynamic arrays of function pointers can then be allocated at run-time, and code within external object files or libraries can be executed in parallel using multiple processes or threads. The symbol table information from those files can be stored in multi-dimensional arrays. While C is a statically typed language, the above design can be used for executing generic, variadic functions at run-time from tokenized input, with constant time lookup, minimal overhead, and specific run-time expectations (stack return value, execution time, count, etc.).

At a high level, lists of pointers to type-independent, variadic functions and their associated parameters can be stored within multi-dimensional arrays.  The following C code uses arrays of function pointers to execute functions via their addresses.  The code uses list management functions from the Linux kernel which I ported to userspace.

https://github.com/brhinton/bcn

Concurrency, Parallelism, and Barrier Synchronization - Multiprocess and Multithreaded Programming

On preemptive, timed-sliced UNIX or Linux operating systems such as Solaris, AIX, Linux, BSD, and OS X, program code from one process executes on the processor for a time slice or quantum. After this time has elapsed, program code from another process executes for a time quantum. Linux divides CPU time into epochs, and each process has a specified time quantum within an epoch. The execution quantum is so small that the interleaved execution of independent, schedulable entities – often performing unrelated tasks – gives the appearance of multiple software applications running in parallel.

When the currently executing process relinquishes the processor, either voluntarily or involuntarily, another process can execute its program code. This event is known as a context switch, which facilitates interleaved execution. Time-sliced, interleaved execution of program code within an address space is known as concurrency.

The Linux kernel is fully preemptive, which means that it can force a context switch for a higher priority process. When a context switch occurs, the state of a process is saved to its process control block, and another process resumes execution on the processor.

A UNIX process is considered heavyweight because it has its own address space, file descriptors, register state, and program counter. In Linux, this information is stored in the task_struct. However, when a process context switch occurs, this information must be saved, which is a computationally expensive operation.

Concurrency applies to both threads and processes. A thread is an independent sequence of execution within a UNIX process, and it is also considered a schedulable entity. Both threads and processes are scheduled for execution on a processor core, but thread context switching is lighter in weight than process context switching.

In UNIX, processes often have multiple threads of execution that share the process's memory space. When multiple threads of execution are running inside a process, they typically perform related tasks. The Linux user-space APIs for process and thread management abstract many details. However, the concurrency level can be adjusted to influence the time quantum so that the system throughput is affected by shorter and longer durations of schedulable entity execution time.

While threads are typically lighter weight than processes, there have been different implementations across UNIX and Linux operating systems over the years. The three models that typically define the implementations across preemptive, time-sliced, multi-user UNIX and Linux operating systems are defined as follows - 1:1, 1:N, and M:N where 1:1 refers to the mapping of one user-space thread to one kernel thread, 1:N refers to the mapping of multiple user-space threads to a single kernel thread. M:N refers to the mapping of N user-space threads to M kernel threads.

In the 1:1 model, one user-space thread is mapped to one kernel thread. This allows for true parallelism, as each thread can run on a separate processor core. However, creating and managing a large number of kernel threads can be expensive.

In the 1:N model, multiple user-space threads are mapped to a single kernel thread. This is more lightweight, as there are fewer kernel threads to create and manage. However, it does not allow for true parallelism, as only one thread can execute on a processor core at a time.

In the M:N model, N user-space threads are mapped to M kernel threads. This provides a balance between the 1:1 and 1:N models, as it allows for both true parallelism and lightweight thread creation and management. However, it can be complex to implement and can lead to issues with load balancing and resource allocation.

Parallelism on a time-sliced, preemptive operating system means the simultaneous execution of multiple schedulable entities over a time quantum. Both processes and threads can execute in parallel across multiple cores or processors. Concurrency and parallelism are at play on a multi-user system with preemptive time-slicing and multiple processor cores. Affinity scheduling refers to scheduling processes and threads across multiple cores so that their concurrent and parallel execution is close to optimal.

It's worth noting that affinity scheduling refers to the practice of assigning processes or threads to specific processors or cores to optimize their execution and minimize unnecessary context switching. This can improve overall system performance by reducing cache misses and increasing cache hits, among other benefits. In contrast, non-affinity scheduling allows processes and threads to be executed on any available processor or core, which can result in more frequent context switching and lower performance.

Software applications are often designed to solve computationally complex problems. If the algorithm to solve a computationally complex problem can be parallelized, then multiple threads or processes can all run at the same time across multiple cores. Each process or thread executes by itself and does not contend for resources with other threads or processes working on the other parts of the problem to be solved. When each thread or process reaches the point where it can no longer contribute any more work to the solution of the problem, it waits at the barrier if a barrier has been implemented in software. When all threads or processes reach the barrier, their work output is synchronized and often aggregated by the primary process. Complex test frameworks often implement the barrier synchronization problem when certain types of tests can be run in parallel. Most individual software applications running on preemptive, time-sliced, multi-user Linux and UNIX operating systems are not designed with heavy, parallel thread or parallel, multiprocess execution in mind.

Minimizing lock granularity increases concurrency, throughput, and execution efficiency when designing multithreaded and multiprocess software programs. Multithreaded and multiprocess programs that do not correctly utilize synchronization primitives often require countless hours of debugging. The use of semaphores, mutex locks, and other synchronization primitives should be minimized to the maximum extent possible in computer programs that share resources between multiple threads or processes. Proper program design allows schedulable entities to run parallel or concurrently with high throughput and minimum resource contention. This is optimal for solving computationally complex problems on preemptive, time-sliced, multi-user operating systems without requiring hard, real-time scheduling.