{"id":27202504,"url":"https://github.com/rozbb/dudect-bencher","last_synced_at":"2026-04-02T02:09:39.825Z","repository":{"id":57622229,"uuid":"96579081","full_name":"rozbb/dudect-bencher","owner":"rozbb","description":"An implementation of the DudeCT constant-time function tester","archived":false,"fork":false,"pushed_at":"2026-03-23T01:29:53.000Z","size":68,"stargazers_count":25,"open_issues_count":0,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2026-03-23T20:19:53.144Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rozbb.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-07-07T21:48:50.000Z","updated_at":"2026-03-23T01:26:15.000Z","dependencies_parsed_at":"2025-04-09T22:00:18.583Z","dependency_job_id":"ca791672-e85f-4401-b8c2-611e006b6d54","html_url":"https://github.com/rozbb/dudect-bencher","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/rozbb/dudect-bencher","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rozbb%2Fdudect-bencher","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rozbb%2Fdudect-bencher/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rozbb%2Fdudect-bencher/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rozbb%2Fdudect-bencher/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rozbb","download_url":"https://codeload.github.com/rozbb/dudect-bencher/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rozbb%2Fdudect-bencher/sbom","scorecard":{"id":786036,"data":{"date":"2025-08-11","repo":{"name":"github.com/rozbb/dudect-bencher","commit":"444eb13579c733089453806743b19f1ea2dce1c0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.3,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Code-Review","score":2,"reason":"Found 4/20 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE-APACHE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 14 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T06:07:08.864Z","repository_id":57622229,"created_at":"2025-08-23T06:07:08.864Z","updated_at":"2025-08-23T06:07:08.864Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31294411,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T01:43:37.129Z","status":"online","status_checked_at":"2026-04-02T02:00:08.535Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-04-09T22:00:14.905Z","updated_at":"2026-04-02T02:09:39.811Z","avatar_url":"https://github.com/rozbb.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# dudect-bencher\n[![Version](https://img.shields.io/crates/v/dudect-bencher.svg)](https://crates.io/crates/dudect-bencher)\n[![Docs](https://docs.rs/dudect-bencher/badge.svg)](https://docs.rs/dudect-bencher)\n\nThis crate implements the [DudeCT](https://eprint.iacr.org/2016/1123.pdf) statistical methods for testing whether functions are constant-time. It is based loosely off of the [`bencher`](https://github.com/bluss/bencher) benchmarking framework.\n\nIn general, it is not possible to prove that a function always runs in constant time. The purpose of this tool is to find non-constant-timeness when it exists. This is not easy, and it requires the user to think very hard about where the non-constant-timeness might be.\n\n# Import and features\n\nTo import this crate, put the following line in your `Cargo.toml`:\n```toml\ndudect-bencher = \"0.7\"\n```\n\n# Usage\n\nThis framework builds a standalone binary. So you must define a `main.rs`, or a file in your `src/bin` directory, or a separate binary crate that pulls in the library you want to test.\n\nAt a high, level you test a function `f` by first defining two sets inputs to `f`, called Right and Left. The way you pick these is highly subjective. You need to already have an idea of what might cause non-constant-time behavior. You then fill in the Left and Right sets such that (you think) `f(l)` and `f(r)` will take a different amount of time to run, on average, where `l` comes from Left and `r` from Right. Finally, you run the benchmarks and label which set is which.\n\nHere is an example of testing the equality function `v == u` where `v` and `u` are `Vec\u003cu8\u003e` of the same length. This is clearly not a constant time function. We define the left distribution to be a set of `(v, u)` where `v == u`, and the right distribution to be the set of `(v, u)` where `v[6] != u[6]`.\n\n```rust\nuse dudect_bencher::{ctbench_main, BenchRng, Class, CtRunner};\nuse rand::{Rng, RngExt};\n\n// Return a random vector of length len\nfn rand_vec(len: usize, rng: \u0026mut BenchRng) -\u003e Vec\u003cu8\u003e {\n    let mut arr = vec![0u8; len];\n    rng.fill(arr.as_mut_slice());\n    arr\n}\n\n// Benchmark for equality of vectors. This does an early return when it finds an\n// inequality, so it should be very much not constant-time\nfn vec_eq(runner: \u0026mut CtRunner, rng: \u0026mut BenchRng) {\n    // Make vectors of size 100\n    let vlen = 100;\n    let mut inputs: Vec\u003c(Vec\u003cu8\u003e, Vec\u003cu8\u003e)\u003e = Vec::new();\n    let mut classes = Vec::new();\n\n    // Make 100,000 random pairs of vectors\n    for _ in 0..100_000 {\n        // Flip a coin. If true, make a pair of vectors that are equal to each\n        // other and put it in the Left distribution\n        if rng.random::\u003cbool\u003e() {\n            let v1 = rand_vec(vlen, rng);\n            let v2 = v1.clone();\n            inputs.push((v1, v2));\n            classes.push(Class::Left);\n        }\n        // Otherwise, make a pair of vectors that differ at the 6th element and\n        // put it in the right distribution\n        else {\n            let v1 = rand_vec(vlen, rng);\n            let mut v2 = v1.clone();\n            v2[5] = 7;\n            inputs.push((v1, v2));\n            classes.push(Class::Right);\n        }\n    }\n\n    for (class, (u, v)) in classes.into_iter().zip(inputs.into_iter()) {\n        // Now time how long it takes to do a vector comparison\n        runner.run_one(class, || u == v);\n    }\n}\n\n// Crate the main function to include the bench for vec_eq\nctbench_main!(vec_eq);\n```\n\nThis is a portion of the example code in [`examples/ctbench-foo.rs`](examples/). To run the example, run\n\n```shell\ncargo run --release --example ctbench-foo\n```\n\nSee more command line arguments [below](#command-line-arguments)\n\n## Bencher output\n\nThe program output looks like\n\n```ignore\nbench array_eq ... : n == +0.046M, max t = +61.61472, max tau = +0.28863, (5/tau)^2 = 300\n```\n\nIt is interpreted as follows. Firstly note that the runtime distributions are cropped at different percentiles and about 100 t-tests are performed. Of these t-tests, the one that produces the largest absolute t-value is printed as `max_t`. The other values printed are\n\n * `n`, indicating the number of samples used in computing this t-value\n * `max_tau`, which is the t-value scaled for the samples size (formally, `max_tau = max_t / sqrt(n)`)\n * `(5/tau)^2`, which indicates the number of measurements that would be needed to distinguish the two distributions with t \u003e 5\n\nt-values greater than 5 are generally considered a good indication that the function is not constant time. t-values less than 5 does not necessarily imply that the function is constant-time, since there may be other input distributions under which the function behaves significantly differently.\n\n## Command line arguments\n\n* `--filter` runs a subset of the benchmarks whose name contains a specific string. Example:\n```shell\ncargo run --release --example ctbench-foo -- --filter ar\n```\nwill run only the benchmarks with the substring `ar` in it, i.e., `arith`, and not `vec_eq`.\n* `--continuous` run a benchmark continuously, collecting more samples as it goes along. Example:\n```shell\ncargo run --release --example ctbench-foo -- --continuous vec_eq\n```\nwill run the `vec_eq` benchmark continuously.\n\n* `--out` outputs raw runtimes in CSV format. Example:\n```shell\ncargo run --release --example ctbench-foo -- --out data.csv\n```\nwill output all the benchmarks in `ctbench-foo.rs` to `data.csv`.\n\n# MSRV\n\nThe current minimum supported Rust version (MSRV) is 1.85.0 (2025-02-20).\n\n# Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md) for a list of changes made throughout past versions.\n\n# License\n\nLicensed under either of\n\n * Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE))\n * MIT license ([LICENSE-MIT](LICENSE-MIT))\n\nat your option.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frozbb%2Fdudect-bencher","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frozbb%2Fdudect-bencher","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frozbb%2Fdudect-bencher/lists"}