
    New Complexity Results and Algorithms for the Minimum Tollbooth Problem

    The inefficiency of the Wardrop equilibrium of nonatomic routing games can be eliminated by placing tolls on the edges of a network so that the socially optimal flow is induced as an equilibrium flow. A solution where the minimum number of edges are tolled may be preferable over others due to its ease of implementation in real networks. In this paper we consider the minimum tollbooth (MINTB) problem, which seeks social-optimum-inducing tolls with minimum support. We prove for single-commodity networks with linear latencies that the problem is NP-hard to approximate within a factor of 1.1377 through a reduction from the minimum vertex cover problem. Insights from network design motivate us to formulate a new variation of the problem where, in addition to placing tolls, it is allowed to remove edges unused by the social optimum. We prove that this new problem remains NP-hard even for single-commodity networks with linear latencies, using a reduction from the partition problem. On the positive side, we give the first exact polynomial solution to the MINTB problem in an important class of graphs: series-parallel graphs. Our algorithm solves MINTB by first tabulating the candidate solutions for subgraphs of the series-parallel network and then combining them optimally.

    Preimage Attacks on Reduced Troika with Divide-and-Conquer Methods

    Troika is a recently proposed sponge-based hash function for IOTA's ternary architecture and platform, developed by CYBERCRYPT. In this paper, we introduce preimage attacks on 2 and 3 rounds of Troika with a divide-and-conquer approach. Instead of directly matching a given hash value, we propose equivalent conditions to determine whether a message is the preimage before computing the complete hash value. As a result, for a two-round hash value that can be generated with one block, we can search for the preimage only in a valid space and efficiently enumerate the messages that satisfy most of the equivalent conditions with a guess-and-determine technique. For the three-round preimage attack, an MILP-based method is applied to separate the one-block message space into two parts in order to obtain the best advantage over brute force. Our experiments show that the time complexity of the preimage attack on 2 (out of 24) rounds of Troika can be improved to 3^{79}, which is 3^{164} times faster than brute force. For the preimage attack on 3 (out of 24) rounds of Troika, we obtain an advantage of 3^{25.7} over brute force. In addition, we show how to construct a second preimage for two-round Troika in seconds. Our attacks do not threaten the security of Troika.

    Electromagnetic Excitations and Responses in Nuclei from First Principles

    We discuss the role of clustering on monopole, dipole, and quadrupole excitations in nuclei in the framework of the ab initio symmetry-adapted no-core shell model (SA-NCSM). The SA-NCSM starts from nucleon-nucleon potentials and, by exploring symmetries known to dominate the nuclear dynamics, can reach nuclei up through the calcium region by accommodating ultra-large model spaces critical to descriptions of clustering and collectivity. The results are based on calculations of electromagnetic sum rules and discretized responses using the Lanczos algorithm, which can be used to determine response functions, and for 4He are benchmarked against exact solutions of the hyperspherical harmonics method. In particular, we focus on He, Be, and O isotopes, including giant resonances and monopole sum rules.
    Comment: 6 pages, 4 figures, Proceedings of the Fourth International Workshop on State of the Art in Nuclear Cluster Physics, Galveston, TX, USA, May 13-18, 201

    Preimage Attacks on Round-reduced Keccak-224/256 via an Allocating Approach

    We present new preimage attacks on standard Keccak-224 and Keccak-256 reduced to 3 and 4 rounds. An allocating approach is used in the attacks: the whole complexity is allocated to two stages, so that fewer constraints are considered and the complexity is lowered in each stage. Specifically, we try to find a 2-block preimage, instead of a 1-block one, for a given hash value, and the first and second message blocks are found in two stages, respectively. Both message blocks are constrained by a set of newly proposed conditions on the middle state, which are weaker than those imposed by the initial values and the hash values. Thus, the complexities of the two stages are both lower than that of finding a 1-block preimage directly. Together with the basic allocating approach, an improved method is given to balance the complexities of the two stages and hence obtain the optimal attacks. As a result, we present the best theoretical preimage attacks on Keccak-224 and Keccak-256 reduced to 3 and 4 rounds. Moreover, we practically found a (second) preimage for 3-round Keccak-224 with a complexity of 2^{39.39}.

    A Hypergraph Dictatorship Test with Perfect Completeness

    A hypergraph dictatorship test was first introduced by Samorodnitsky and Trevisan and serves as a key component in their unique-games-based PCP construction. Such a test has oracle access to a collection of functions and determines whether all the functions are the same dictatorship, or all their low-degree influences are o(1). Their test makes q \geq 3 queries and has amortized query complexity 1 + O(\frac{\log q}{q}) but has an inherent loss of perfect completeness. In this paper we give an adaptive hypergraph dictatorship test that achieves both perfect completeness and amortized query complexity 1 + O(\frac{\log q}{q}).
    Comment: Some minor corrections

    An Experimentally Verified Attack on Full Grain-128 Using Dedicated Reconfigurable Hardware

    In this paper we describe the first single-key attack which can recover the full key of the full version of Grain-128 for arbitrary keys by an algorithm which is significantly faster than exhaustive search (by a factor of about 2^{38}). It is based on a new version of a cube tester, which uses an improved choice of dynamic variables to eliminate the previously made assumption that ten particular key bits are zero. In addition, the new attack is much faster than the previous weak-key attack, and has a simpler key recovery process. Since it is extremely difficult to mathematically analyze the expected behavior of such attacks, we implemented it on RIVYERA, a new massively parallel reconfigurable hardware platform, and tested its main components for dozens of random keys. These tests experimentally verified the correctness and expected complexity of the attack, by finding a very significant bias in our new cube tester for about 7.5% of the keys we tested. This is the first time that the main components of a complex analytical attack have been successfully realized against a full-size cipher with a special-purpose machine. Moreover, it is also the first attack that truly exploits the configurable nature of FPGA-based cryptanalytical hardware.

    Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

    CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced-round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^{22} (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike standard cube attacks, cube testers detect nonrandom behavior rather than performing key extraction, but they can also attack cryptographic schemes described by nonrandom polynomials of relatively high degree. Applied to MD6, cube testers detect nonrandomness over 18 rounds with 2^{17} complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random with 2^{24} complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds with 2^{30} complexity and detect nonrandomness over 885 rounds with 2^{27}, improving on the original 767-round cube attack.

    Algebraic Theory of Promise Constraint Satisfaction Problems, First Steps

    What makes a computational problem easy (e.g., in P, that is, solvable in polynomial time) or hard (e.g., NP-hard)? This fundamental question now has a satisfactory answer for a quite broad class of computational problems, the so-called fixed-template constraint satisfaction problems (CSPs): it has turned out that their complexity is captured by a certain specific form of symmetry. This paper explains an extension of this theory to a much broader class of computational problems, the promise CSPs, which includes relaxed versions of CSPs such as the problem of finding a 137-coloring of a 3-colorable graph.