Daily Papers

A mobile ad hoc network (MANET) is a collection of autonomous nodes that communicate with each other by forming a multi-hop radio network and maintaining connections in a decentralized manner. Security remains a major challenge for these networks due to their features of open medium, dynamically changing topologies, reliance on cooperative algorithms, absence of centralized monitoring points, and lack of clear lines of defense. Protecting the network layer of a MANET from malicious attacks is an important and challenging security issue, since most of the routing protocols for MANETs are vulnerable to various types of attacks. Ad hoc on-demand distance vector routing (AODV) is a very popular routing algorithm. However, it is vulnerable to the well-known black hole attack, where a malicious node falsely advertises good paths to a destination node during the route discovery process but drops all packets in the data forwarding phase. This attack becomes more severe when a group of malicious nodes cooperate each other. The proposed mechanism does not apply any cryptographic primitives on the routing messages. Instead, it protects the network by detecting and reacting to malicious activities of the nodes. Simulation results show that the scheme has a significantly high detection rate with moderate network traffic overhead and computation overhead in the nodes.

A mobile ad hoc network (MANET) is a collection of autonomous nodes that communicate with each other by forming a multi-hop radio network and maintaining connections in a decentralized manner. Security remains a major challenge for these networks due to their features of open medium, dynamically changing topologies, reliance on cooperative algorithms,absence of centralized monitoring points, and lack of clear lines of defense. Most of the routing protocols for MANETs are thus vulnerable to various types of attacks. Ad hoc on-demand distance vector routing (AODV) is a very popular routing algorithm. However, it is vulnerable to the well-known black hole attack, where a malicious node falsely advertises good paths to a destination node during the route discovery process. This attack becomes more sever when a group of malicious nodes cooperate each other. In this paper, a defense mechanism is presented against a coordinated attack by multiple black hole nodes in a MANET. The simulation carried out on the proposed scheme has produced results that demonstrate the effectiveness of the mechanism in detection of the attack while maintaining a reasonable level of throughput in the network.

Graphical User Interface (GUI) agents are increasingly deployed to interact with online web services, yet their exposure to open-world content renders them vulnerable to Environmental Injection Attacks (EIAs). In these attacks, an attacker can inject crafted triggers into website to manipulate the behavior of GUI agents used by other users. In this paper, we find that most existing EIA studies fall short of realism. In particular, they fail to capture the dynamic nature of real-world web content, often assuming that a trigger's on-screen position and surrounding visual context remain largely consistent between training and testing. To better reflect practice, we introduce a realistic dynamic-environment threat model in which the attacker is a regular user and the trigger is embedded within a dynamically changing environment. Under this threat model, existing approaches largely fail, suggesting that their effectiveness in exposing GUI agent vulnerabilities has been substantially overestimated. To expose the hidden vulnerabilities of existing GUI agents effectively, we propose Chameleon, an attack framework with two key novelties designed for dynamic environments. (1) To synthesize more realistic training data, we introduce LLM-Driven Environment Simulation, which automatically generates diverse, high-fidelity webpage simulations that mimic the variability of real-world dynamic environments. (2) To optimize the trigger more effectively, we introduce Attention Black Hole, which converts attention weights into explicit supervisory signals. This mechanism encourages the agent to remain insensitive to irrelevant surrounding content, thereby improving robustness in dynamic environments. We evaluate Chameleon on six realistic websites and four representative LVLM-powered GUI agents, where it significantly outperforms existing methods.

Understanding the loss landscape is an important problem in machine learning. One key feature of the loss function, common to many neural network architectures, is the presence of exponentially many low lying local minima. Physical systems with similar energy landscapes may provide useful insights. In this work, we point out that black holes naturally give rise to such landscapes, owing to the existence of black hole entropy. For definiteness, we consider 1/8 BPS black holes in N = 8 string theory. These provide an infinite family of potential landscapes arising in the microscopic descriptions of corresponding black holes. The counting of minima amounts to black hole microstate counting. Moreover, the exact numbers of the minima for these landscapes are a priori known from dualities in string theory. Some of the minima are connected by paths of low loss values, resembling mode connectivity. We estimate the number of runs needed to find all the solutions. Initial explorations suggest that Stochastic Gradient Descent can find a significant fraction of the minima.

We introduce and describe tt GrayHawk, a publicly available Mathematica-based tool designed for the efficient computation of gray-body factors for spherically symmetric and asymptotically flat black holes. This program provides users with a rapid and reliable means to compute gray-body factors for massless fields with spin \(s = 0, 1/2, 1, 2\) in modes specified by the angular quantum number \(l\), given a black hole metric and the associated parameter values. tt GrayHawk is preloaded with seven different black hole metrics, offering immediate applicability to a variety of theoretical models. Additionally, its modular structure allows users to extend its functionality easily by incorporating alternative metrics or configurations. This versatility makes tt GrayHawk a powerful and adaptable resource for researchers studying black hole physics and Hawking radiation. The codes described in this work are publicly available at https://github.com/marcocalza89/GrayHawk.

Recently, Fernandes discovered an analytic solution for rotating black holes in semiclassical gravity induced by the trace anomaly. These solutions exhibit some distinctive characteristics, including a non-spherically symmetric event horizon and violations of the Kerr bound. As a crucial assumption to uphold causality in spacetime, we investigate the validity of the weak cosmic censorship conjecture (WCCC) within this class of solutions with type-A trace anomaly by introducing a test particle on the equatorial plane. Our study reveals three distinct mechanisms that can potentially destroy the event horizon, leading to a violation of the WCCC. Our findings indicate that, with the exception of extremal Kerr, static extremal, and static singular black holes, the WCCC may be violated under the first-order perturbation of the test particle. These results suggest the need for further exploration of modifications to the behavior of the test particle under quantum effects in order to address the violation of the WCCC in this system.

The observation of the shadow of the supermassive black hole M87^{*} by the Event Horizon Telescope (EHT) is sensitive to the spacetime geometry near the circular photon orbit and beyond, and it thus has the potential to test general relativity in the strong field regime. Obstacles to this program, however, include degeneracies between putative deviations from general relativity and both the description of the accretion flow and the uncertainties on "calibration parameters", such as e.g. the mass and spin of the black hole. In this work, we introduce a formalism, based on a principal component analysis, capable of reconstructing the black hole metric (i.e. the "signal") in an agnostic way, while subtracting the "foreground" due to the uncertainties in the calibration parameters and the modelling of the accretion flow. We apply our technique to simulated mock data for spherically symmetric black holes surrounded by a thick accretion disk. We show that separation of signal and foreground may be possible with next generation EHT-like experiments.

We present GravLensX, an innovative method for rendering black holes with gravitational lensing effects using neural networks. The methodology involves training neural networks to fit the spacetime around black holes and then employing these trained models to generate the path of light rays affected by gravitational lensing. This enables efficient and scalable simulations of black holes with optically thin accretion disks, significantly decreasing the time required for rendering compared to traditional methods. We validate our approach through extensive rendering of multiple black hole systems with superposed Kerr metric, demonstrating its capability to produce accurate visualizations with significantly 15times reduced computational time. Our findings suggest that neural networks offer a promising alternative for rendering complex astrophysical phenomena, potentially paving a new path to astronomical visualization.

With the success of static black-hole imaging, the next frontier is the dynamic and 3D imaging of black holes. Recovering the dynamic 3D gas near a black hole would reveal previously-unseen parts of the universe and inform new physics models. However, only sparse radio measurements from a single viewpoint are possible, making the dynamic 3D reconstruction problem significantly ill-posed. Previously, BH-NeRF addressed the ill-posed problem by assuming Keplerian dynamics of the gas, but this assumption breaks down near the black hole, where the strong gravitational pull of the black hole and increased electromagnetic activity complicate fluid dynamics. To overcome the restrictive assumptions of BH-NeRF, we propose PI-DEF, a physics-informed approach that uses differentiable neural rendering to fit a 4D (time + 3D) emissivity field given EHT measurements. Our approach jointly reconstructs the 3D velocity field with the 4D emissivity field and enforces the velocity as a soft constraint on the dynamics of the emissivity. In experiments on simulated data, we find significantly improved reconstruction accuracy over both BH-NeRF and a physics-agnostic approach. We demonstrate how our method may be used to estimate other physics parameters of the black hole, such as its spin.

Binary black holes are one of the important sources for the TianQin gravitational wave project. Our research has revealed that, for TianQin, the signal-to-noise ratio of inspiral binary black holes can be computed analytically. This finding is expected to greatly simplify the estimation of detection capabilities for binary black holes. In this paper, we demonstrated the signal-to-noise ratio relationships from stellar-mass black holes to massive black holes. With the all-sky average condition, the signal-to-noise ratio for most binary black hole signals can be determined with a relative error of lesssim10%, with notable deviations only for chirp masses near 1000~M_odot. In contrast, the signal-to-noise ratio without the average includes an additional term, which we refer to as the response factor. Although this term is not easily calculated analytically, we provide a straightforward estimation method with an error margin of 1sigma within 2\%.

Based on negative entropy in entanglement, it is shown that a single-system Copenhagen measurement protocol is equivalent to the two-system von Neumann scheme with the memory filling up the system with negative information similar to the Dirac sea of negative energy. After equating the two quantum measurement protocols, we then apply this equivalence to the black hole radiation. That is, the black hole evaporation corresponds to the quantum measurement process and the two evaporation approaches, the observable-based single-system and the two-system entanglement-based protocols, can be made equivalent using quantum memory. In particular, the measurement choice, \theta, with the memory state inside the horizon in the entanglement-based scheme is shown to correspond to the observable of the measurement choice, \theta, outside the horizon in the single-system protocol, that is, O_{\theta}^{out} = Q_{\theta}^{in}. This indicates that the black hole as quantum memory is filling up with negative information outside the horizon, and its entropy corresponds to the logarithm of a number of equally probable measurement choices. This shows that the black hole radiation is no different than ordinary quantum theory.

Active galactic nuclei (AGNs) have been proposed as plausible sites for hosting a sizable fraction of the binary black hole (BBH) mergers measured through gravitational waves (GWs) by the LIGO-Virgo-Kagra (LVK) experiment. These GWs could be accompanied by radiation feedback due to the interaction of the BBH merger remnant with the AGN disc. We present a new predicted radiation signature driven by the passage of a kicked BBH remnant throughout a thin AGN disc. We analyse the situation of a merger occurring outside the thin disc, where the merger is of second or higher generation in a merging hierarchical sequence. The coalescence produces a kicked BH remnant that eventually plunges into the disc, accretes material, and inflates jet cocoons. We consider the case of a jet cocoon propagating quasi-parallel to the disc plane and study the outflow that results when the cocoon emerges from the disc. We calculate the transient emission of the emerging cocoon using a photon diffusion model typically employed to describe the light curves of supernovae. Depending on the parameter configuration, the flare produced by the emerging cocoon could be comparable to or exceed the AGN background emission at optical, and extreme ultraviolet wavelengths. For instance, in AGNs with central engines of sim 5times10^{6} M_odot, flares driven by BH remnants with masses of sim 100 M_odot can appear in about sim[10-100] days after the GW, lasting for few days.

Observation of an exploding black hole would provide the first direct evidence of primordial black holes, the first direct evidence of Hawking radiation, and definitive information on the particles present in nature. However, indirect constraints suggest that direct observation of an exploding Schwarzschild black hole is implausible. We introduce a dark-QED toy model consisting of a dark photon and a heavy dark electron. In this scenario a population of light primordial black holes charged under the dark u(1) symmetry can become quasi-extremal, so they survive much longer than if they were uncharged, before discharging and exhibiting a Schwarzschild-like final explosion. We show that the answer is "yes", in this scenario the probability of observing an exploding black hole over the next 10 years could potentially be over 90%.

We demonstrate that violent kinetic preheating following inflation can lead to the formation of black holes in the early Universe. In alpha-attractor models with derivative inflaton couplings, nonlinear amplification of field fluctuations drives large spacetime curvature and gravitational collapse shortly after inflation ends. Using fully general-relativistic lattice simulations, we find that these dynamics produce black holes with masses of order tens of grams at sub-horizon scales, without requiring large primordial curvature perturbations. Although such micro-black holes evaporate rapidly via Hawking radiation, their formation modifies the post-inflationary equation of state and their evaporation can successfully reheat the Universe before Big Bang nucleosynthesis. These results identify kinetic preheating as a new, efficient channel for black-hole production and establish a direct connection between inflationary symmetries and strong-gravity phenomena at reheating.

In this work, we study the black hole light echoes in terms of the two-photon autocorrelation and explore their connection with the quasinormal modes. It is shown that the above time-domain phenomenon can be analyzed by utilizing the well-known frequency-domain relations between the quasinormal modes and characteristic parameters of null geodesics. We found that the time-domain correlator, obtained by the inverse Fourier transform, naturally acquires the echo feature, which can be attributed to a collective effect of the asymptotic poles through a weighted summation of the squared modulus of the relevant Green's functions. Specifically, the contour integral leads to a summation taking over both the overtone index and angular momentum. Moreover, the dominant contributions to the light echoes are from those in the eikonal limit, consistent with the existing findings using the geometric-optics arguments. For the Schwarzschild black holes, we demonstrate the results numerically by considering a transient spherical light source. Also, for the Kerr spacetimes, we point out a potential difference between the resulting light echoes using the geometric-optics approach and those obtained by the black hole perturbation theory. Possible astrophysical implications of the present study are addressed.

Recently, an identified non-interacting black hole (BH) binary, Gaia ID 3425577610762832384 (hereafter G3425), contains a BH (sim3.6 M_{odot}) falling within the mass gap and has a nearly circular orbit, challenging the classical binary evolution and supernova theory. Here, we propose that G3425 originates from a triple through a triple common envelope (TCE) evolution. The G3425 progenitor originally may consist of three stars with masses of 1.49 M_{odot}, 1.05 M_{odot}, and 21.81 M_{odot}, and inner and outer orbital periods of 4.22 days and 1961.78 days, respectively. As evolution proceeds, the tertiary fills its Roche lobe, leading to a TCE. We find that the orbital energy generated by the inspiral of the inner binary serves as an additional energy imparted for ejecting the common envelope (CE), accounting for sim97\% of the binding energy in our calculations. This means that the outer orbit needs to expend only a small amount of the orbital energy to successfully eject CE. The outcome of the TCE is a binary consisting of a 2.54 M_odot merger produced by the inner binary merger and a 7.67 M_odot helium star whose CE successfully ejected, with an orbital period of 547.53 days. The resulting post-TCE binary (PTB) has an orbital period that is 1-2 orders of magnitude greater than the orbital period of a successfully ejected classical binary CE. In subsequent simulations, we find that the successfully ejected helium star has a 44.2\% probability of forming a BH. In the case of a non-complete fallback forming a BH, with an ejected mass of 2.6 M_{odot} and a relatively low natal kick (11^{+16}_{-5} {rm km/s} to 49^{+39}_{-39} {rm km/s}), this PTB can form G3425 in the Milky Way.

JWST has detected many overmassive galactic systems at z > 4, where the mass of the black hole, M_bullet, is 10-100 times larger than expected from local relations, given the host's stellar mass, M_star. This Letter presents a model to describe these overmassive systems in the high-z Universe. We suggest that the black hole mass is the main driver of high-z star formation quenching. SMBHs globally impact their high-z galaxies because their hosts are physically small, and the black holes have duty cycles close to unity at z > 4. In this regime, we assume that black hole mass growth is regulated by the quasar's output, while stellar mass growth is quenched by it and uncorrelated to the global properties of the host halo. We find that the ratio M_bullet/M_star controls the average star formation efficiency: if M_bullet/M_star > 8times 10^{18} (n Lambda/f_{edd})[(Omega_b M_h)/(Omega_m M_star) - 1], then the galaxy is unable to form stars efficiently. Once this ratio exceeds the threshold, a runaway process brings the originally overmassive system towards the local M_bullet - M_star relation. Furthermore, the M_bullet - M_star relation evolves with redshift as propto (1+z)^{5/2}. At z sim 5, we find an overmassive factor of sim 55, in excellent agreement with current JWST data and the high-z relation inferred from those. Extending the black hole horizon farther in redshift and lower in mass will test this model and improve our understanding of the early co-evolution of black holes and galaxies.

This review provides an observational perspective on the fundamental properties of super-Eddington accretion onto supermassive black holes in quasars. It begins by outlining the selection criteria, particularly focusing on optical and UV broad-line intensity ratios, used to identify a population of unobscured super-Eddington candidates. Several defining features place these candidates at the extreme end of the Population A in main sequence of quasars: among them are the highest observed singly-ionized iron emission, extreme outflow velocities in UV resonance lines, and unusually high metal abundances. These key properties reflect the coexistence of a virialized sub-system within the broad-line region alongside powerful outflows, with the observed gas enrichment likely driven by nuclear or circumnuclear star formation. The most compelling evidence for the occurrence of super-Eddington accretion onto supermassive black holes comes from recent observations of massive black holes at early cosmic epochs. These black holes require rapid growth rates that are only achievable through radiatively inefficient super-Eddington accretion. Furthermore, extreme Eddington ratios, close to or slightly exceeding unity, are consistent with the saturation of radiative output per unit mass predicted by accretion disk theory for super-Eddington accretion rates. The extreme properties of super-Eddington candidates suggest that these quasars could make them stable and well-defined cosmological distance indicators, leveraging the correlation between broad-line width and luminosity expected in virialized systems. Finally, several analogies with accretion processes around stellar-mass black holes, particularly in the high/soft state, are explored to provide additional insight into the mechanisms driving super-Eddington accretion.

We present new observations from JWST NIRCam that reveal a striking kpc-wide cavity in the stellar distribution of the central galaxy in the cluster Abell402. Supporting data from HST allow us to rule out extinction due to dust as an explanation and, instead, suggest that this is a localized depression in the stellar density field corresponding to ~2x10^9 Msun in missing stars within a volume of 0.5kpc^3. On larger scales, both the JWST and HST data show evidence for a 2.2kpc flattened core in the stellar distribution (on which the smaller-scale cavity is superimposed), which implies the presence of a central ultra-massive black hole with M_BH = 6 +/- 4 x10^10 Msun. We report evidence for a mid-IR-bright point source at one edge of the cavity, suggesting that this black hole is actively accreting. MUSE spectroscopy reveal that this source is a LINER AGN and that there is a second candidate AGN on the opposite side of the cavity with a relative velocity of 370km/s -- if real, this implies the presence of a kpc-separation dual AGN with a total binary mass of 6 +/- 2 x10^10 Msun, which would make this the most massive binary black hole system discovered to date. We propose that this unique stellar cavity is the result of a short-lived dynamical interaction between at least one supermassive black hole and the background stellar density field, caused either by three-body scattering during binary hardening or the induction of a dipole instability in the stellar density field.

In this paper, we aim to examine the electric Penrose process (PP) around a charged black hole in 4D Einstein-Gauss-Bonnet (EGB) gravity and bring out the effect of the Gauss-Bonnet (GB) coupling parameter alpha and black hole charge on the efficiency of the energy extraction from the black hole. This research is motivated by the fact that electrostatic interactions significantly influence the behavior of charged particles in the vicinity of a charged static black hole. Under this interaction, decaying charged particles can have negative energies, causing energy to be released from black holes with no ergosphere. We show that the GB coupling parameter has a significant impact on the energy efficiency of the electric PP, but the efficiency can be strongly enhanced by the black hole charge due to the Coulomb force. Finally, we consider the accretion disk around the black hole and investigate in detail its radiation properties, such as the electromagnetic radiation flux, the temperature, and the differential luminosity. We show that the GB coupling parameter can have a significant impact on the radiation parameters, causing them to increase in the accretion disk in the vicinity of the black hole. Interestingly, it is found that the 4D EGB charged black hole is more efficient and favorable for the accretion disk radiation compared to a charged black hole in Einstein gravity.

Gravitational waves, detected a century after they were first theorized, are spacetime distortions caused by some of the most cataclysmic events in the universe, including black hole mergers and supernovae. The successful detection of these waves has been made possible by ingenious detectors designed by human experts. Beyond these successful designs, the vast space of experimental configurations remains largely unexplored, offering an exciting territory potentially rich in innovative and unconventional detection strategies. Here, we demonstrate the application of artificial intelligence (AI) to systematically explore this enormous space, revealing novel topologies for gravitational wave (GW) detectors that outperform current next-generation designs under realistic experimental constraints. Our results span a broad range of astrophysical targets, such as black hole and neutron star mergers, supernovae, and primordial GW sources. Moreover, we are able to conceptualize the initially unorthodox discovered designs, emphasizing the potential of using AI algorithms not only in discovering but also in understanding these novel topologies. We've assembled more than 50 superior solutions in a publicly available Gravitational Wave Detector Zoo which could lead to many new surprising techniques. At a bigger picture, our approach is not limited to gravitational wave detectors and can be extended to AI-driven design of experiments across diverse domains of fundamental physics.

On the basis of a large collection of detailed 3D core-collapse supernova simulations carried to late times, we identify four channels of stellar mass black hole formation. Our examples for Channel 1 involve the formation of lower-gap and above black holes in energetic asymmetric supernova explosions. Our Channel 2 example involves a modest supernova explosion that may leave behind a lower-gap to sim10 M_{odot} black hole. The latter may not be easily distinguishable from ``standard" supernovae that birth neutron stars. Our Channel 3 example experiences an aborted core-collapse explosion, more often in the context of a low-metallicity progenitor, whose residue is a black hole with a mass perhaps up to sim40 M_{odot}. The latter may be accompanied by a pulsational-pair instability supernova (PPISN). Channel 4 is the only quiescent or ``silent" scenario for which perhaps sim5 to 15 M_{odot} black holes are left. Where appropriate, we estimate ^{56}Ni yields, explosion energies, approximate recoil speeds, and residual black hole masses. The progenitor mass density and binding energy profiles at collapse influence the outcome in a systematic way. The statistics and prevalence of these various channels depend not only on still evolving supernova theory, but on remaining issues with the theory of massive star evolution, binary interaction, wind mass loss, metallicity, and the nuclear equation of state. Importantly, we suggest, but have not proven, that the silent channel for black hole formation may not be the dominant formation modality.

Formulating a quantum theory of gravity lies at the heart of fundamental theoretical physics. This collection of lecture notes encompasses a selection of topics that were covered in six mini-courses at the Nordita PhD school "Towards Quantum Gravity". The scope was to provide a coherent picture, from its foundation to forefront research, emphasizing connections between different areas. The lectures begin with perturbative quantum gravity and effective field theory. Subsequently, two ultraviolet-complete approaches are presented: asymptotically safe gravity and string theory. Finally, elements of quantum effects in black hole spacetimes are discussed.

An important question in binary black hole mergers is to connect properties of the remnant black hole to those of the two initial black holes. These properties include not only the final mass and spin of the remnant, but also higher multipoles and answers to other questions such as, for a given initial configuration, which quasi-normal modes of the final black hole are excited, and what are the amplitudes of these modes? Such questions have thus far been primarily addressed through a study of the emitted gravitational wave signal. In this paper we consider a different alternative, namely using quasi-local black hole horizons themselves to establish the link between the initial and final states. Recent work has elucidated the behavior of black hole horizons in a merger. Cusps forming in such otherwise smoothly evolving horizons have been shown to play a central role in connecting the two initially separate black holes with the final remnant. In the present work, we will discuss from a numerical perspective how such cusps form in detail for the head-on collision of two non-spinning black holes. We show how the mass and higher mass multipole moments behave at the cusp and suggest a phenomenological model.

Post-merger gravitational wave echoes provide a unique opportunity to probe the near-horizon structure of astrophysical black holes, that may be modified due to non-perturbative quantum gravity phenomena. However, since the waveform is subject to large theoretical uncertainties, it is necessary to develop model-agnostic search methods for detecting echoes from observational data. A promising strategy is to identify the characteristic quasinormal modes (QNMs) associated with echoes, {\it in frequency space}, which complements existing searches of quasiperiodic pulses in time. In this study, we build upon our previous work targeting these modes by incorporating relative phase information to optimize the Bayesian search algorithm. Using a new phase-marginalized likelihood, the performance can be significantly improved for well-resolved QNMs. This enables an efficient model-agnostic search for QNMs of different shapes by using a simple search template. To demonstrate the robustness of the search algorithm, we construct four complementary benchmarks for the echo waveform that span a diverse range of different theoretical possibilities for the near-horizon structure. We then validate our Bayesian search algorithms by injecting the benchmark models into different realizations of Gaussian noise. Using two types of phase-marginalized likelihoods, we find that the search algorithm can efficiently detect the corresponding QNMs. Therefore, our search strategy provides a concrete Bayesian and model-agnostic approach to "quantum black hole seismology".

Decision-based black-box attacks often necessitate a large number of queries to craft an adversarial example. Moreover, decision-based attacks based on querying boundary points in the estimated normal vector direction often suffer from inefficiency and convergence issues. In this paper, we propose a novel query-efficient curvature-aware geometric decision-based black-box attack (CGBA) that conducts boundary search along a semicircular path on a restricted 2D plane to ensure finding a boundary point successfully irrespective of the boundary curvature. While the proposed CGBA attack can work effectively for an arbitrary decision boundary, it is particularly efficient in exploiting the low curvature to craft high-quality adversarial examples, which is widely seen and experimentally verified in commonly used classifiers under non-targeted attacks. In contrast, the decision boundaries often exhibit higher curvature under targeted attacks. Thus, we develop a new query-efficient variant, CGBA-H, that is adapted for the targeted attack. In addition, we further design an algorithm to obtain a better initial boundary point at the expense of some extra queries, which considerably enhances the performance of the targeted attack. Extensive experiments are conducted to evaluate the performance of our proposed methods against some well-known classifiers on the ImageNet and CIFAR10 datasets, demonstrating the superiority of CGBA and CGBA-H over state-of-the-art non-targeted and targeted attacks, respectively. The source code is available at https://github.com/Farhamdur/CGBA.

It has been shown that a gravitational dual to a superconductor can be obtained by coupling anti-de Sitter gravity to a Maxwell field and charged scalar. We review our earlier analysis of this theory and extend it in two directions. First, we consider all values for the charge of the scalar field. Away from the large charge limit, backreaction on the spacetime metric is important. While the qualitative behaviour of the dual superconductor is found to be similar for all charges, in the limit of arbitrarily small charge a new type of black hole instability is found. We go on to add a perpendicular magnetic field B and obtain the London equation and magnetic penetration depth. We show that these holographic superconductors are Type II, i.e., starting in a normal phase at large B and low temperatures, they develop superconducting droplets as B is reduced.

Neural ranking models (NRMs) have shown remarkable success in recent years, especially with pre-trained language models. However, deep neural models are notorious for their vulnerability to adversarial examples. Adversarial attacks may become a new type of web spamming technique given our increased reliance on neural information retrieval models. Therefore, it is important to study potential adversarial attacks to identify vulnerabilities of NRMs before they are deployed. In this paper, we introduce the Word Substitution Ranking Attack (WSRA) task against NRMs, which aims to promote a target document in rankings by adding adversarial perturbations to its text. We focus on the decision-based black-box attack setting, where the attackers cannot directly get access to the model information, but can only query the target model to obtain the rank positions of the partial retrieved list. This attack setting is realistic in real-world search engines. We propose a novel Pseudo Relevance-based ADversarial ranking Attack method (PRADA) that learns a surrogate model based on Pseudo Relevance Feedback (PRF) to generate gradients for finding the adversarial perturbations. Experiments on two web search benchmark datasets show that PRADA can outperform existing attack strategies and successfully fool the NRM with small indiscernible perturbations of text.

We investigate Einstein-Gauss-Bonnet (EGB) 4D massive gravity coupled to nonlinear electrodynamics (NED) in an Anti-de-Sitter (AdS) background and find an exact magnetically charged black hole solution. The metric function was analyzed for different values of massive gravity parameters. We verified the first law of black hole thermodynamics and the generalized Smarr formula, treating the cosmological constant as thermodynamic pressure. Vacuum polarization is defined as the conjugate to the NED parameter. To analyze the local stability of the black hole, we compute specific heat. We investigated the Van der Waals-like/reentrant phase transition of the black holes and estimated the critical points. We observed small/large black hole (SBH/LBH) and small/intermediate/large black hole (SBH/IBH/LBH) phase transitions. The Joule-Thomson coefficient, inversion, and isenthalpic curves are discussed. Finally, the minimum inversion temperature and the corresponding event horizon radius are obtained using numerical techniques.

We performed variability analysis of the multiwavelength light curves for the flat-spectrum radio quasar PKS 0727-11. Using the generalized Lomb-Scargle periodogram, we identified a possible quasi-periodic oscillation (QPO) of sim 168.6 days (persisted for 6 cycles, with a significance of 3.8sigma) in the gamma-ray light curve during the flare period (MJD 54687-55738). It is the first time that periodic variations have been detected in this source, and further supported by other methods: weighted wavelet z-transform, phase dispersion minimization, REDFIT, autoregressive integrated moving average model, and structure function analysis. Cross-correlation analysis shows that there is a strong correlation between multi-band light variations, indicating that gamma-ray and radio flares may originate from the same disturbance, and the distance between the emission regions of gamma-ray and radio flares is calculated based on the time lag. We demonstrate that QPO arising from the non-ballistic helical jet motion driven by the orbital motion in a supermassive binary black hole is a plausible physical explanation. In this scenario, the estimated mass of the primary black hole is Msim3.66times10^8-5.79times10^{9}M_odot.

The James Webb Space Telescope (JWST) has recently discovered a new population of objects at high redshift referred to as `Little Red Dots' (LRDs). Their nature currently remains elusive, despite their surprisingly high inferred number densities. This emerging population of red point-like sources is reshaping our view of the early Universe and may shed light on the formation of high-redshift supermassive black holes. Here we present a spectroscopically confirmed LRD CANUCS-LRD-z8.6 at z_{rm spec}=8.6319pm 0.0005 hosting an Active Galactic Nucleus (AGN), using JWST data. This source shows the typical spectral shape of an LRD (blue UV and red optical continuum, unresolved in JWST imaging), along with broad Hbeta line emission, detection of high-ionization emission lines (CIV, NIV]) and very high electron temperature indicative of the presence of AGN. This is also combined with a very low metallicity (Z<0.1 Z_odot). The presence of all these diverse features in one source makes CANUCS-LRD-z8.6 unique. We show that the inferred black hole mass of CANUCS-LRD-z8.6 (M_{rm BH}=1.0^{+0.6}_{-0.4}times 10^{8}rm ~M_odot) strongly challenges current standard theoretical models and simulations of black hole formation, and forces us to adopt `ad hoc' prescriptions. Indeed if massive seeds, or light seeds with super-Eddington accretion, are considered, the observed BH mass of CANUCS-LRD-z8.6 at z=8.6 can be reproduced. Moreover, the black hole is over-massive compared to its host, relative to the local M_{rm BH}-M_* relations, pointing towards an earlier and faster evolution of the black hole compared to its host galaxy.

We study lensing of gravitational waves by a black hole in the deep wave optics regime, i.e. when the wavelength is much larger than the black hole Schwarzschild radius. We apply it to triple systems, with a binary of stellar mass objects in the inspiraling phase orbiting around a central massive black hole. We describe the full polarisation structure of the wave and derive predictions for the polarisation modes of the scattered wave measured by the observer. We show that lensing in the wave optics regime is not helicity preserving, as opposed to lensing in the geometric optics regime. The amplitude of the total wave is modulated due to interference between the directly transmitted and lensed components. The relative amplitude of the modulation is fixed by the lensing geometry and can reach unity in the most favourable settings. This indicates that wave optics lensing is potentially detectable by LISA for sufficiently high SNR systems. Our findings show that in the wave optics regime it is necessary to go beyond the usual lensing description where the amplification factor is assumed to be the same for both helicity modes. While motivated by GW190521 and the AGN formation scenario, our results apply more broadly to stellar-mass binaries orbiting a third body described as a Schwarzschild black hole, with a period comparable to the GW observation time.

Recent work has proposed stateful defense models (SDMs) as a compelling strategy to defend against a black-box attacker who only has query access to the model, as is common for online machine learning platforms. Such stateful defenses aim to defend against black-box attacks by tracking the query history and detecting and rejecting queries that are "similar" and thus preventing black-box attacks from finding useful gradients and making progress towards finding adversarial attacks within a reasonable query budget. Recent SDMs (e.g., Blacklight and PIHA) have shown remarkable success in defending against state-of-the-art black-box attacks. In this paper, we show that SDMs are highly vulnerable to a new class of adaptive black-box attacks. We propose a novel adaptive black-box attack strategy called Oracle-guided Adaptive Rejection Sampling (OARS) that involves two stages: (1) use initial query patterns to infer key properties about an SDM's defense; and, (2) leverage those extracted properties to design subsequent query patterns to evade the SDM's defense while making progress towards finding adversarial inputs. OARS is broadly applicable as an enhancement to existing black-box attacks - we show how to apply the strategy to enhance six common black-box attacks to be more effective against current class of SDMs. For example, OARS-enhanced versions of black-box attacks improved attack success rate against recent stateful defenses from almost 0% to to almost 100% for multiple datasets within reasonable query budgets.

Core collapse supernovae are among the most energetic astrophysical events in the Universe. Despite huge efforts on understanding the main ingredients triggering such explosions, we still lack of compelling evidences for the precise mechanism driving those phenomena. They are expected to produce gravitational waves due to asymmetric mass motions in the collapsing core, and emit in the meanwhile neutrinos as a result of the interactions in their high-density environment. The combination of these two cosmic messengers can provide a unique probe to study the inner engine of these processes and unveil the explosion mechanism. Among the possible detectable signature, standing accretion shock instabilities (SASI) are particularly relevant in this context as they establish a direct connection between gravitational wave emission and the outcoming neutrino flux. In this work, Hilbert-Huang transform is applied to a selected sample of 3D numerical simulations, with the aim of identifying SASI contribution and extract its instantaneous frequency. The performance of the method is evaluated in the context of Einstein Telescope.

AI coding assistants are widely used for tasks like code generation. These tools now require large and complex contexts, automatically sourced from various originsx2014across files, projects, and contributorsx2014forming part of the prompt fed to underlying LLMs. This automatic context-gathering introduces new vulnerabilities, allowing attackers to subtly poison input to compromise the assistant's outputs, potentially generating vulnerable code or introducing critical errors. We propose a novel attack, Cross-Origin Context Poisoning (XOXO), that is challenging to detect as it relies on adversarial code modifications that are semantically equivalent. Traditional program analysis techniques struggle to identify these perturbations since the semantics of the code remains correct, making it appear legitimate. This allows attackers to manipulate coding assistants into producing incorrect outputs, while shifting the blame to the victim developer. We introduce a novel, task-agnostic, black-box attack algorithm GCGS that systematically searches the transformation space using a Cayley Graph, achieving a 75.72% attack success rate on average across five tasks and eleven models, including GPT 4.1 and Claude 3.5 Sonnet v2 used by popular AI coding assistants. Furthermore, defenses like adversarial fine-tuning are ineffective against our attack, underscoring the need for new security measures in LLM-powered coding tools.

Machine learning (ML) models, e.g., deep neural networks (DNNs), are vulnerable to adversarial examples: malicious inputs modified to yield erroneous model outputs, while appearing unmodified to human observers. Potential attacks include having malicious content like malware identified as legitimate or controlling vehicle behavior. Yet, all existing adversarial example attacks require knowledge of either the model internals or its training data. We introduce the first practical demonstration of an attacker controlling a remotely hosted DNN with no such knowledge. Indeed, the only capability of our black-box adversary is to observe labels given by the DNN to chosen inputs. Our attack strategy consists in training a local model to substitute for the target DNN, using inputs synthetically generated by an adversary and labeled by the target DNN. We use the local substitute to craft adversarial examples, and find that they are misclassified by the targeted DNN. To perform a real-world and properly-blinded evaluation, we attack a DNN hosted by MetaMind, an online deep learning API. We find that their DNN misclassifies 84.24% of the adversarial examples crafted with our substitute. We demonstrate the general applicability of our strategy to many ML techniques by conducting the same attack against models hosted by Amazon and Google, using logistic regression substitutes. They yield adversarial examples misclassified by Amazon and Google at rates of 96.19% and 88.94%. We also find that this black-box attack strategy is capable of evading defense strategies previously found to make adversarial example crafting harder.

We investigate the effects of prior selection on the inferred mass and spin parameters of the neutron star-black hole merger GW230529\_181500. Specifically, we explore models motivated by astrophysical considerations, including massive binary and pulsar evolution. We examine mass and spin distributions of neutron stars constrained by radio pulsar observations, alongside black hole spin observations from previous gravitational wave detections. We show that the inferred mass distribution highly depends upon the spin prior. Specifically, under the most restrictive, binary stellar evolution models, we obtain narrower distributions of masses with a black hole mass of 4.3^{+0.1}_{-0.1},M_{odot}and neutron star mass of 1.3^{+0.03}_{-0.03},M_{odot} where, somewhat surprisingly, it is the prior on component spins which has the greatest impact on the inferred mass distributions. Re-weighting using neutron star mass and spin priors from observations of radio pulsars, with black hole spins from observations of gravitational waves, yields the black hole and the neutron star masses to be 3.8^{+0.5}_{-0.6} ,M_odot and 1.4^{+0.2}_{-0.1} ,M_odot respectively. The sequence of compact object formation -- whether the neutron star or the black hole formed first -- cannot be determined at the observed signal-to-noise ratio. However, there is no evidence that the black hole was tidally spun up.

In this study, we utilize the minimal geometric deformation technique of gravitational decoupling to extend the regular Bardeen black hole, leading to the derivation of new black hole solutions within the framework of Rastall theory. By decoupling the field equations associated with an extended matter source into two subsystems, we address the first subsystem using the metric components of the regular Bardeen black hole. The second subsystem, incorporating the effects of the additional source, is solved through a constraint imposed by a linear equation of state. By linearly combining the solutions of these subsystems, we obtain two extended models. We then explore the distinct physical properties of these models for specific values of the Rastall and decoupling parameters. Our investigations encompass effective thermodynamic variables such as density and anisotropic pressure, asymptotic flatness, energy conditions, and thermodynamic properties including Hawking temperature, entropy, and specific heat. The results reveal that both models violate asymptotic flatness of the resulting spacetimes. The violation of energy conditions indicate the presence of exotic matter, for both models. Nonetheless, the energy density, radial pressure, as well as the Hawking temperature exhibit acceptable behavior, while the specific heat and Hessian matrix suggest thermodynamic stability.

We study quantum corrections in the gravitational path integral around nearly 1/16-BPS black holes in asymptotically AdS_5 times S^5 space, dual to heavy states in 4D N=4 super Yang-Mills. The analysis provides a gravitational explanation of why 1/16-BPS black holes exhibit an exact degeneracy at large N and why all such states have the same charges, confirming the belief that the superconformal index precisely counts the entropy of extremal black holes. We show the presence of a gap of order N^{-2} between the 1/16-BPS black holes and the lightest near-BPS black holes within the same charge sector. This is the first example of such a gap for black holes states within the context of AdS_5 holography. We also derive the spectrum of near-BPS states that lie above this gap. Our computation relies on finding the correct version of the N=2 super-Schwarzian theory which captures the breaking of the SU(1, 1|1) symmetry when the black hole has finite temperature and non-zero chemical potential. Finally, we comment on possible stringy and non-perturbative corrections that can affect the black hole spectrum.

Deep neural networks (DNNs) are known to be vulnerable to adversarial attacks even under a black-box setting where the adversary can only query the model. Particularly, query-based black-box adversarial attacks estimate adversarial gradients based on the returned probability vectors of the target model for a sequence of queries. During this process, the queries made to the target model are intermediate adversarial examples crafted at the previous attack step, which share high similarities in the pixel space. Motivated by this observation, stateful detection methods have been proposed to detect and reject query-based attacks. While demonstrating promising results, these methods either have been evaded by more advanced attacks or suffer from low efficiency in terms of the number of shots (queries) required to detect different attacks. Arguably, the key challenge here is to assign high similarity scores for any two intermediate adversarial examples perturbed from the same clean image. To address this challenge, we propose a novel Adversarial Contrastive Prompt Tuning (ACPT) method to robustly fine-tune the CLIP image encoder to extract similar embeddings for any two intermediate adversarial queries. With ACPT, we further introduce a detection framework AdvQDet that can detect 7 state-of-the-art query-based attacks with >99% detection rate within 5 shots. We also show that ACPT is robust to 3 types of adaptive attacks. Code is available at https://github.com/xinwong/AdvQDet.

We investigate the impact of massive primordial black holes (PBHs; m_{rm BH}sim 10^6~M_{odot}) on the star formation and first galaxy assembly process using high-resolution hydrodynamical simulations from z = 1100 to z sim 9. We find that PBH accretion is self-regulated by feedback, suppressing mass growth unless feedback is weak. PBHs accelerate structure formation by seeding dark matter halos and gravitationally attracting gas, but strong feedback can delay cooling and suppress star formation. In addition, the presence of baryon-dark matter streaming creates an offset between the PBH location and the peaks induced in gas density, promoting earlier and more efficient star formation compared to standard LambdaCDM. By z sim 10, PBH-seeded galaxies form dense star clusters, with PBH-to-stellar mass ratios comparable to observed high-z AGN like UHZ-1. Our results support PBHs as viable SMBH seeds but do not exclude alternative scenarios. We emphasize that PBH-seeding provides a natural explanation for some of the newly-discovered overmassive SMBHs at high redshift, in particular those with extreme ratios of BH-to-dynamical (virial) mass that challenge standard formation channels. Future studies with ultra-deep JWST surveys, the Roman Space Telescope, and radio surveys with facilities such as SKA and HERA will be critical in distinguishing PBH-driven SMBH growth from other pathways.

It is well known that query-based attacks tend to have relatively higher success rates in adversarial black-box attacks. While research on black-box attacks is actively being conducted, relatively few studies have focused on pixel attacks that target only a limited number of pixels. In image classification, query-based pixel attacks often rely on patches, which heavily depend on randomness and neglect the fact that scattered pixels are more suitable for adversarial attacks. Moreover, to the best of our knowledge, query-based pixel attacks have not been explored in the field of object detection. To address these issues, we propose a novel pixel-based black-box attack called Remember and Forget Pixel Attack using Reinforcement Learning(RFPAR), consisting of two main components: the Remember and Forget processes. RFPAR mitigates randomness and avoids patch dependency by leveraging rewards generated through a one-step RL algorithm to perturb pixels. RFPAR effectively creates perturbed images that minimize the confidence scores while adhering to limited pixel constraints. Furthermore, we advance our proposed attack beyond image classification to object detection, where RFPAR reduces the confidence scores of detected objects to avoid detection. Experiments on the ImageNet-1K dataset for classification show that RFPAR outperformed state-of-the-art query-based pixel attacks. For object detection, using the MSCOCO dataset with YOLOv8 and DDQ, RFPAR demonstrates comparable mAP reduction to state-of-the-art query-based attack while requiring fewer query. Further experiments on the Argoverse dataset using YOLOv8 confirm that RFPAR effectively removed objects on a larger scale dataset. Our code is available at https://github.com/KAU-QuantumAILab/RFPAR.

We present N-body simulations, including post-Newtonian dynamics, of dense clusters of low-mass stars harbouring central black holes (BHs) with initial masses of 50, 300, and 2000 M_{odot}. The models are evolved with the N-body code bifrost to investigate the possible formation and growth of massive BHs by the tidal capture of stars and tidal disruption events (TDEs). We model star-BH tidal interactions using a velocity-dependent drag force, which causes orbital energy and angular momentum loss near the BH. About sim 20-30 per cent of the stars within the spheres of influence of the black holes form Bahcall-Wolf cusps and prevent the systems from core collapse. Within the first 40 Myr of evolution, the systems experience 500 up to 1300 TDEs, depending on the initial cluster structure. Most (> 95 per cent) of the TDEs originate from stars in the Bahcall-Wolf cusp. We derive an analytical formula for the TDE rate as a function of the central BH mass, density and velocity dispersion of the clusters (N_{TDE} propto M_{BH} rho sigma^{-3}). We find that TDEs can lead a 300 M_{odot} BH to reach sim 7000 M_{odot} within a Gyr. This indicates that TDEs can drive the formation and growth of massive BHs in sufficiently dense environments, which might be present in the central regions of nuclear star clusters.

We study stellar core growth in simulations of merging massive (M_star>10^{11},M_odot) elliptical galaxies by a supermassive black hole (SMBH) displaced by gravitational wave induced recoil velocity. With controlled, dense sampling of the SMBH recoil velocity, we find the core radius originally formed by SMBH binary scouring can grow by a factor of 2-3 when the recoil velocity exceeds sim50 per cent of the central escape velocity, and the mass deficit grows by up to a factor of sim4. Using Bayesian inference we predict the distribution of stellar core sizes formed through this process to peak at sim1,kpc. An orbital decomposition of stellar particles within the core reveals that radial orbits dominate over tube orbits when the recoil velocity exceeds the velocity dispersion of the core, whereas tube orbits dominate for the lowest recoil kicks. A change in orbital structure is reflected in the anisotropy parameter, with a central tangential bias present only for recoil velocities less than the local stellar velocity dispersion. Emulating current integral field unit observations of the stellar line-of-sight velocity distribution, we uncover a distinct signature in the Gauss-Hermite symmetric deviation coefficient h_4 that uniquely constrains the core size due to binary scouring. This signature is insensitive to the later evolution of the stellar mass distribution due to SMBH recoil. Our results provide a novel method to estimate the SMBH recoil magnitude from observations of local elliptical galaxies, and implies these galaxies primarily experienced recoil velocities less than the stellar velocity dispersion of the core.

Neural ranking models (NRMs) have attracted considerable attention in information retrieval. Unfortunately, NRMs may inherit the adversarial vulnerabilities of general neural networks, which might be leveraged by black-hat search engine optimization practitioners. Recently, adversarial attacks against NRMs have been explored in the paired attack setting, generating an adversarial perturbation to a target document for a specific query. In this paper, we focus on a more general type of perturbation and introduce the topic-oriented adversarial ranking attack task against NRMs, which aims to find an imperceptible perturbation that can promote a target document in ranking for a group of queries with the same topic. We define both static and dynamic settings for the task and focus on decision-based black-box attacks. We propose a novel framework to improve topic-oriented attack performance based on a surrogate ranking model. The attack problem is formalized as a Markov decision process (MDP) and addressed using reinforcement learning. Specifically, a topic-oriented reward function guides the policy to find a successful adversarial example that can be promoted in rankings to as many queries as possible in a group. Experimental results demonstrate that the proposed framework can significantly outperform existing attack strategies, and we conclude by re-iterating that there exist potential risks for applying NRMs in the real world.

We consider holographic superconductors whose bulk description consists of gravity minimally coupled to a Maxwell field and charged scalar field with general potential. We give an analytic argument that there is no "hard gap": the real part of the conductivity at low frequency remains nonzero (although typically exponentially small) even at zero temperature. We also numerically construct the gravitational dual of the ground state of some holographic superconductors. Depending on the charge and dimension of the condensate, the infrared theory can have emergent conformal or just Poincare symmetry. In all cases studied, the area of the horizon of the dual black hole goes to zero in the extremal limit, consistent with a nondegenerate ground state.

The mass distribution of merging binary black holes is generically predicted to evolve with redshift, reflecting systematic changes in their astrophysical environment, stellar progenitors, and/or dominant formation channels over cosmic time. Whether or not such an effect is observed in gravitational-wave data, however, remains an open question, with some contradictory results present in the literature. In this paper, we study the ensemble of binary black holes within the latest GWTC-3 catalog released by the LIGO-Virgo-KAGRA Collaboration, systematically surveying for possible evolution of their mass distribution with redshift. We specifically focus on two key features present in the binary black hole primary mass distribution -- (1) an excess of 35,M_odot black holes and (2) a broad power-law continuum ranging from 10 to gtrsim 80 M_odot -- and ask if one or both of these features are observed to vary with redshift. We find no evidence that either the Gaussian peak or power-law continuum components of the mass distribution change with redshift. In some cases, we place somewhat stringent bounds on the degree of allowed redshift evolution. Most notably, we find that the mean location of the 35,M_odot peak and the slope of the power-law continuum are constrained to remain approximately constant below redshift zapprox 1. The data remain more agnostic about other forms of redshift dependence, such as evolution in the height of the 35,M_odot excess or the minimum and maximum black hole masses. In all cases, we conclude that a redshift-dependent mass spectrum remains possible, but that it is not required by current data.

Singular regular points often arise in differential equations describing physical phenomena such as fluid dynamics, electromagnetism, and gravitation. Traditional numerical techniques often fail or become unstable near these points, requiring the use of semi-analytical tools, such as series expansions and perturbative methods, in combination with numerical algorithms; or to invoke more sophisticated methods. In this work, we take an alternative route and leverage the power of machine learning to exploit Physics Informed Neural Networks (PINNs) as a modern approach to solving ordinary differential equations with singular points. PINNs utilize deep learning architectures to approximate solutions by embedding the differential equations into the loss function of the neural network. We discuss the advantages of PINNs in handling singularities, particularly their ability to bypass traditional grid-based methods and provide smooth approximations across irregular regions. Techniques for enhancing the accuracy of PINNs near singular points, such as adaptive loss weighting, are used in order to achieve high efficiency in the training of the network. We exemplify our results by studying four differential equations of interest in mathematics and gravitation -- the Legendre equation, the hypergeometric equation, the solution for black hole space-times in theories of Lorentz violating gravity, and the spherical accretion of a perfect fluid in a Schwarzschild geometry.

Recent work has shown it is possible to construct adversarial examples that cause an aligned language model to emit harmful strings or perform harmful behavior. Existing attacks work either in the white-box setting (with full access to the model weights), or through transferability: the phenomenon that adversarial examples crafted on one model often remain effective on other models. We improve on prior work with a query-based attack that leverages API access to a remote language model to construct adversarial examples that cause the model to emit harmful strings with (much) higher probability than with transfer-only attacks. We validate our attack on GPT-3.5 and OpenAI's safety classifier; we can cause GPT-3.5 to emit harmful strings that current transfer attacks fail at, and we can evade the safety classifier with nearly 100% probability.

Pre-trained models of code have achieved success in many important software engineering tasks. However, these powerful models are vulnerable to adversarial attacks that slightly perturb model inputs to make a victim model produce wrong outputs. Current works mainly attack models of code with examples that preserve operational program semantics but ignore a fundamental requirement for adversarial example generation: perturbations should be natural to human judges, which we refer to as naturalness requirement. In this paper, we propose ALERT (nAturaLnEss AwaRe ATtack), a black-box attack that adversarially transforms inputs to make victim models produce wrong outputs. Different from prior works, this paper considers the natural semantic of generated examples at the same time as preserving the operational semantic of original inputs. Our user study demonstrates that human developers consistently consider that adversarial examples generated by ALERT are more natural than those generated by the state-of-the-art work by Zhang et al. that ignores the naturalness requirement. On attacking CodeBERT, our approach can achieve attack success rates of 53.62%, 27.79%, and 35.78% across three downstream tasks: vulnerability prediction, clone detection and code authorship attribution. On GraphCodeBERT, our approach can achieve average success rates of 76.95%, 7.96% and 61.47% on the three tasks. The above outperforms the baseline by 14.07% and 18.56% on the two pre-trained models on average. Finally, we investigated the value of the generated adversarial examples to harden victim models through an adversarial fine-tuning procedure and demonstrated the accuracy of CodeBERT and GraphCodeBERT against ALERT-generated adversarial examples increased by 87.59% and 92.32%, respectively.

In the coming years, surveys such as the Rubin Observatory's Legacy Survey of Space and Time (LSST) are expected to increase the number of observed Tidal Disruption Events (TDEs) substantially. We employ Monte Carlo integration to calculate the unlensed and lensed TDE rate as a function of limiting magnitude in u, g, r, and i-bands. We investigate the impact of multiple luminosity models, black hole mass functions (BHMFs), and flare temperatures on the TDE rate. Notably, this includes a semi-analytical model, which enables the determination of the TDE temperature in terms of black hole (BH) mass. We predict the highest unlensed TDE rate to be in g-band. It ranges from 16 to 5,440;yr^{-1};(20,000;deg^2)^{-1} for the Zwicky Transient Facility, being more consistent with the observed rate at the low end. For LSST, we expect a rate in g-band between 3,580 and 82,060;yr^{-1};(20,000;deg^2)^{-1}. A higher theoretical prediction is understandable, as we do not consider observational effects such as completeness. The unlensed and lensed TDE rates are insensitive to the redshift evolution of the BHMF, even for LSST limiting magnitudes. The best band for detecting lensed TDEs is also g-band. Its predicted rates range from 0.43 to 15;yr^{-1};(20,000;deg^2)^{-1} for LSST. The scatter of predicted rates reduces when we consider the fraction of lensed TDEs; that is, a few in ten thousand TDEs will be lensed. Despite the large scatter in the rates of lensed TDEs, our comprehensive considerations of multiple models suggest that lensed TDEs will occur in the 10-year LSST lifetime, providing an exciting prospect for detecting such events. We expect the median redshift of a lensed TDE to be between 1.5 and 2. In this paper, we additionally report on lensed TDE properties, such as the BH mass and time delays.

In this study of the `Resolving supermAssive Black hole Binaries In galacTic hydrodynamical Simulations' (RABBITS) series, we focus on the hardening and coalescing process of supermassive black hole (SMBH) binaries in galaxy mergers. For simulations including different galaxy formation processes (i.e. gas cooling, star formation, SMBH accretion, stellar and AGN feedback), we systematically control the effect of stochastic eccentricity by fixing it to similar values during the SMBH hardening phase. We find a strong correlation between the SMBH merger time-scales and the presence of nuclear star formation. Throughout the galaxy merging process, gas condenses at the centre due to cooling and tidal torques, leading to nuclear star formation. These recently formed stars, which inherit low angular momenta from the gas, contribute to the loss cone and assist in the SMBH hardening via three-body interactions. Compared to non-radiative hydrodynamical runs, the SMBH merger time-scales measured from the runs including cooling, stellar and SMBH physical processes tend to be shortened by a factor of {sim}1.7. After fixing the eccentricity to the range of e sim 0.6--0.8 during the hardening phase, the simulations with AGN feedback reveal merger time-scales of {sim} 100--500 Myr for disc mergers and {sim} 1--2 Gyr for elliptical mergers. With a semi-analytical approach, we find that the torque interaction between the binary and its circumbinary disc has minimal impact on the shrinking of the binary orbit in our retrograde galaxy merger. Our results are useful in improving the modelling of SMBH merger time-scales and gravitational wave event rates.

Neural text ranking models have witnessed significant advancement and are increasingly being deployed in practice. Unfortunately, they also inherit adversarial vulnerabilities of general neural models, which have been detected but remain underexplored by prior studies. Moreover, the inherit adversarial vulnerabilities might be leveraged by blackhat SEO to defeat better-protected search engines. In this study, we propose an imitation adversarial attack on black-box neural passage ranking models. We first show that the target passage ranking model can be transparentized and imitated by enumerating critical queries/candidates and then train a ranking imitation model. Leveraging the ranking imitation model, we can elaborately manipulate the ranking results and transfer the manipulation attack to the target ranking model. For this purpose, we propose an innovative gradient-based attack method, empowered by the pairwise objective function, to generate adversarial triggers, which causes premeditated disorderliness with very few tokens. To equip the trigger camouflages, we add the next sentence prediction loss and the language model fluency constraint to the objective function. Experimental results on passage ranking demonstrate the effectiveness of the ranking imitation attack model and adversarial triggers against various SOTA neural ranking models. Furthermore, various mitigation analyses and human evaluation show the effectiveness of camouflages when facing potential mitigation approaches. To motivate other scholars to further investigate this novel and important problem, we make the experiment data and code publicly available.

We construct the charged Hayward-anti-de Sitter (AdS) black hole (BH) with a cloud of strings (CS) and perfect fluid dark matter (PFDM), and analyze its extended thermodynamic phase structure. The Hayward parameter g replaces the central singularity with a de Sitter (dS) core, while the CS parameter a and the PFDM parameter β encode astrophysically motivated matter content. Treating the cosmological constant as pressure, we derive the thermodynamic quantities, verify the Smarr relation, and establish P--V criticality with a van der Waals (vdW)-like small-large BH phase transition and mean-field critical exponents. The Gibbs free energy (GFE) exhibits the characteristic swallowtail below the critical pressure. The Joule-Thomson (JT) expansion yields T_i^{rm min}/T_c approx 0.247, roughly half the Reissner--Nordström-AdS value. The parameters g and Q contract the cooling region, β expands it, and a reshapes it non-monotonically. A holographic heat engine with a rectangular cycle gives efficiencies η= 0.362--0.396 and Carnot benchmarking ratios η/η_C = 0.625--0.791 across six configurations. The CS parameter improves the engine efficiency by reducing the enthalpy at fixed thermodynamic volume, while the PFDM parameter degrades it by adding gravitational enthalpy without contributing to the mechanical work.

We consider classes of translationally invariant black hole solutions whose equations of state closely resemble that of QCD at zero chemical potential. We use these backgrounds to compute the ratio zeta/s of bulk viscosity to entropy density. For a class of black holes that exhibits a first order transition, we observe a sharp rise in zeta/s near T_c. For constructions that exhibit a smooth cross-over, like QCD does, the rise in zeta/s is more modest. We conjecture that divergences in zeta/s for black hole horizons are related to extrema of the entropy density as a function of temperature.

In this study, we examine the frequency and physical drivers of transformations from cool-core (CC) to non-cool-core (NCC) clusters, and vice versa, in a sample of 352 massive galaxy clusters (M_vir = 10^14-15.3 M_sun) from the TNG-Cluster magnetohydrodynamical cosmological simulation of galaxies. By identifying transformations based on the evolution of central entropy and focusing on z<2.5, we find that clusters frequently undergo such events, depending on their assembly and supermassive black hole histories. On average, clusters experience 2 to 3 transformations. Transformations can occur in both directions and can be temporary, but those to higher entropy cores, i.e. in the direction from CC to NCC states, are the vast majority. CC phases are shorter than NCC phases, and thus overall the TNG-Cluster population forms with low-entropy cores and moves towards NCC states with time. We study the role that mergers play in driving transformations, and find that mergers within ~1Gyr prior to a transformation toward higher (but not lower) entropy cores occur statistically more often than in a random control sample. Most importantly, we find examples of mergers associated with CC disruption regardless of their mass ratio or angular momentum. However, past merger activity is not a good predictor for z=0 CC status, at least based on core entropy, even though clusters undergoing more mergers eventually have the highest core entropy values at z=0. We consider the interplay between AGN feedback and evolving cluster core thermodynamics. We find that core transformations are accompanied by an increase in AGN activity, whereby frequent and repeated (kinetic) energy injections from the central SMBHs can produce a collective, long-term impact on central entropy, ultimately heating cluster cores. Whether such fast-paced periods of AGN activity are triggered by mergers is plausible, but not necessary.

We investigate the exceptional points (EPs) and their pseudospectra in black hole perturbation theory. By considering a Gaussian bump modification to the Regge-Wheeler potential with variable amplitude, position, and width parameters, (varepsilon,d,σ_0), a continuous line of EPs (exceptional line, EL) in this three-dimensional parameter space is revealed. We find that the vorticity ν=pm1/2 and the Berry phase γ=π for loops encircling the EL, while ν=0 and γ=0 for those do not encircle the EL. Through matrix perturbation theory, we prove that the ε-pseudospectrum contour size scales as ε^{1/q} at an EP, where q is the order of the largest Jordan block of the Hamiltonian-like operator, contrasting with the linear ε scaling at non-EPs. Numerical implements confirm this observation, demonstrating enhanced spectral instability at EPs for non-Hermitian systems including black holes.

With the aim of testing massive gravity in the context of black hole physics, we investigate the gravitational radiation emitted by a massive particle plunging into a Schwarzschild black hole from slightly below the innermost stable circular orbit. To do so, we first construct the quasinormal and quasibound resonance spectra of the spin-2 massive field for odd and even parity. Then, we compute the waveforms produced by the plunging particle and study their spectral content. This allows us to highlight and interpret important phenomena in the plunge regime, including (i) the excitation of quasibound states, with particular emphasis on the amplification and slow decay of the post-ringdown phase of the even-parity dipolar mode due to harmonic resonance; (ii) during the adiabatic phase, the waveform emitted by the plunging particle is very well described by the waveform emitted by the particle living on the innermost stable circular orbit, and (iii) the regularized waveforms and their unregularized counterparts constructed from the quasinormal mode spectrum are in excellent agreement. Finally, we construct, for arbitrary directions of observation and, in particular, outside the orbital plane of the plunging particle, the regularized multipolar waveforms, i.e., the waveforms constructed by summing over partial waveforms.

Large language models (LLMs) increasingly rely on retrieving information from external corpora. This creates a new attack surface: indirect prompt injection (IPI), where hidden instructions are planted in the corpora and hijack model behavior once retrieved. Previous studies have highlighted this risk but often avoid the hardest step: ensuring that malicious content is actually retrieved. In practice, unoptimized IPI is rarely retrieved under natural queries, which leaves its real-world impact unclear. We address this challenge by decomposing the malicious content into a trigger fragment that guarantees retrieval and an attack fragment that encodes arbitrary attack objectives. Based on this idea, we design an efficient and effective black-box attack algorithm that constructs a compact trigger fragment to guarantee retrieval for any attack fragment. Our attack requires only API access to embedding models, is cost-efficient (as little as $0.21 per target user query on OpenAI's embedding models), and achieves near-100% retrieval across 11 benchmarks and 8 embedding models (including both open-source models and proprietary services). Based on this attack, we present the first end-to-end IPI exploits under natural queries and realistic external corpora, spanning both RAG and agentic systems with diverse attack objectives. These results establish IPI as a practical and severe threat: when a user issued a natural query to summarize emails on frequently asked topics, a single poisoned email was sufficient to coerce GPT-4o into exfiltrating SSH keys with over 80% success in a multi-agent workflow. We further evaluate several defenses and find that they are insufficient to prevent the retrieval of malicious text, highlighting retrieval as a critical open vulnerability.

Supermassive black hole binaries (SMBHBs) are among the most powerful known sources of gravitational waves (GWs). Accordingly, these systems could dominate GW emission in the micro- and millihertz frequency range. Within this domain, SMBHs evolve rapidly and merge with each other. Dynamical friction from stars and gas at the centers of galaxies typically helps to bring together two SMBHs when they are at relatively far separations (approx kpc - 100 pc), but becomes less efficient at smaller separations. However, dark matter (DM) spikes around SMBHs could enhance dynamical friction at close separations and, thus, shorten the evolution times. In this paper, we simulate the effects of DM spikes on GW signals in the micro- to millihertz frequency range and confirm that the GW signals from SMBHBs with DM spikes can be clearly distinguished from those without any additional matter. Making use of the projected sensitivity curve of the Laser Interferometer Space Antenna (LISA), we forecast upper limits for the (dark) matter density for given future SMBHB observations. We then compare these thresholds with the theoretical density profiles expected for self-interacting dark matter (SIDM) spikes.

Decision-based evasion attacks repeatedly query a black-box classifier to generate adversarial examples. Prior work measures the cost of such attacks by the total number of queries made to the classifier. We argue this metric is flawed. Most security-critical machine learning systems aim to weed out "bad" data (e.g., malware, harmful content, etc). Queries to such systems carry a fundamentally asymmetric cost: queries detected as "bad" come at a higher cost because they trigger additional security filters, e.g., usage throttling or account suspension. Yet, we find that existing decision-based attacks issue a large number of "bad" queries, which likely renders them ineffective against security-critical systems. We then design new attacks that reduce the number of bad queries by 1.5-7.3times, but often at a significant increase in total (non-bad) queries. We thus pose it as an open problem to build black-box attacks that are more effective under realistic cost metrics.

In this letter, we report the discovery of the highest redshift, heavily obscured, radio-loud QSO candidate selected using JWST NIRCam/MIRI, mid-IR, sub-mm, and radio imaging in the COSMOS-Web field. Using multi-frequency radio observations and mid-IR photometry, we identify a powerful, radio-loud (RL), growing supermassive black hole (SMBH) with significant spectral steepening of the radio SED (f_{1.32 GHz} sim 2 mJy, q_{24mu m} = -1.1, alpha_{1.32-3GHz}=-1.2, Delta alpha = -0.4). In conjunction with ALMA, deep ground-based observations, ancillary space-based data, and the unprecedented resolution and sensitivity of JWST, we find no evidence of QSO contribution to the UV/optical/NIR data and thus infer heavy amounts of obscuration (N_{H} > 10^{23} cm^{-2}). Using the wealth of deep UV to sub-mm photometric data, we report a singular solution photo-z of z_phot = 7.65^{+0.4}_{-0.3} and estimate an extremely massive host-galaxy (log M_{star} = 11.92 pm 0.06,M_{odot}). This source represents the furthest known obscured RL QSO candidate, and its level of obscuration aligns with the most representative but observationally scarce population of QSOs at these epochs.

Adversarial attacks are carried out to reveal the vulnerability of deep neural networks. Textual adversarial attacking is challenging because text is discrete and a small perturbation can bring significant change to the original input. Word-level attacking, which can be regarded as a combinatorial optimization problem, is a well-studied class of textual attack methods. However, existing word-level attack models are far from perfect, largely because unsuitable search space reduction methods and inefficient optimization algorithms are employed. In this paper, we propose a novel attack model, which incorporates the sememe-based word substitution method and particle swarm optimization-based search algorithm to solve the two problems separately. We conduct exhaustive experiments to evaluate our attack model by attacking BiLSTM and BERT on three benchmark datasets. Experimental results demonstrate that our model consistently achieves much higher attack success rates and crafts more high-quality adversarial examples as compared to baseline methods. Also, further experiments show our model has higher transferability and can bring more robustness enhancement to victim models by adversarial training. All the code and data of this paper can be obtained on https://github.com/thunlp/SememePSO-Attack.

We introduce a new model for the accretion and feedback of supermassive black hole (SMBH) binaries to the KETJU code, which enables us to resolve the evolution of SMBH binaries down to separations of tens of Schwarzschild radii in gas-rich galaxy mergers. Our subgrid binary accretion model extends the widely used Bondi--Hoyle--Lyttleton accretion into the binary phase and incorporates preferential mass accretion onto the secondary SMBH, which is motivated by results from small-scale hydrodynamical circumbinary disc simulations. We perform idealised gas-rich disc galaxy merger simulations using pure thermal or pure kinetic active galactic nuclei (AGN) feedback. Our binary accretion model provides more physically motivated SMBH mass ratios, which are one of the key parameters for computing gravitational wave (GW) induced recoil velocities. The merger time-scales of our simulated SMBH binaries are in the range t_{rm merge}{sim} 10--400 Myr. Prograde in-plane equal-mass galaxy mergers lead to the shortest merger time-scales, as they experience the strongest starbursts, with the ensuing high stellar density resulting in a rapid SMBH coalescence. Compared to the thermal AGN feedback, the kinetic AGN feedback predicts longer merger time-scales and results in more core-like stellar profiles, as it is more effective in removing gas from the galaxy centre and quenching star formation. This suggests that the AGN feedback implementation plays a critical role in modelling SMBH coalescences. Our model will be useful for improving the modelling of SMBH mergers in gas-rich galaxies, the prime targets for the upcoming LISA GW observatory.

Gravitational waves (GWs) are lensed by matter, offering a unique probe of both the large-scale structure of the Universe and the fundamental properties of GW propagation. GWs can also be affected by wave optics effects when their wavelength is comparable to the size of the lens. While this regime has been well studied in the Newtonian approximation, the role of strong gravitational fields remains largely unexplored. This is particularly relevant for lensing by intermediate and supermassive black holes (BHs), which can occur near active galactic nuclei or in compact triple systems. In this work, we analyze the lensing of GWs by a non-rotating BH and compare our results to the Newtonian point-mass approximation. We construct frequency-dependent amplification factors that incorporate strong-field effects, revealing explicit polarization mixing and absorption by the event horizon. Using a fiducial GW event, we explore key phenomenological signatures of BH lensing, highlighting new observational opportunities to probe strong gravitational fields through GW lensing.

We investigate magnetic-field amplification driven by the nonresonant hybrid (NRH or Bell) instability and its impact on cosmic-ray (CR) acceleration at reverse shocks of ultrafast outflows (UFOs) from active galactic nuclei (AGN). Previous kinetic studies by particle-in-cell simulations have demonstrated that when maximum CR energy is near the injection scale, NRH instability efficiently amplifies magnetic field up to the saturation level. However, the efficiency of NRH instability goes down as maximum energy increase since CR current is carried by escaping CRs near the maximum energy. We employ a one-dimensional MHD--CR framework solving telegraph-type diffusion--convection equations to trace the coupled evolution of CRs, magnetic fields, and shock dynamics under realistic parameters. We find a distinct transition with magnetic field strength: for weak background fields (B_{0}!lesssim!10^{-4},G), NRH instability efficiently amplifies upstream turbulence, driving a self-regulated state where E_{max} becomes independent of initial strength of magnetic turbulence. In contrast, for stronger background fields (B_{0}!gtrsim!10^{-3},G), the escaping CR current is too weak to drive NRH instability, and magnetic turbulence further decays through parametric instabilities, potentially reducing the acceleration efficiency. We give the physical interpretation for the transition and discuss conditions for PeV--EeV acceleration at UFO reverse shocks.

Understanding the co-evolution of super-massive black holes (SMBHs) and their host galaxies remains a key challenge of extragalactic astrophysics, particularly the earliest stages at high-redshift. However, studying SMBHs at high-redshift with cosmological simulations, is challenging due to the large volumes and high-resolution required. Through its innovative simulation strategy, the First Light And Reionisation Epoch Simulations (FLARES) suite of cosmological hydrodynamical zoom simulations allows us to simulate a much wider range of environments which contain SMBHs with masses extending to M_{bullet}>10^{9} M_{odot} at z=5. In this paper, we use FLARES to study the physical properties of SMBHs and their hosts in the early Universe (5le, z le10). FLARES predicts a sharply declining density with increasing redshift, decreasing by a factor of 100 over the range z=5to 10. Comparison between our predicted bolometric luminosity function and pre-JWST observations yield a good match. However, recent JWST observations appear to suggest a larger contribution of SMBHs than previously observed, or predicted by FLARES. Finally, by using a re-simulation with AGN feedback disabled, we explore the impact of AGN feedback on their host galaxies. This reveals that AGN feedback results in a reduction of star formation activity, even at z>5, but only in the most massive galaxies. A deeper analysis reveals that AGN are also the cause of suppressed star formation in passive galaxies but that the presence of an AGN doesn't necessarily result in the suppression of star formation.

I argue that coupling the Abelian Higgs model to gravity plus a negative cosmological constant leads to black holes which spontaneously break the gauge invariance via a charged scalar condensate slightly outside their horizon. This suggests that black holes can superconduct.

LLM based agents are increasingly deployed in high stakes settings where they process external data sources such as emails, documents, and code repositories. This creates exposure to indirect prompt injection attacks, where adversarial instructions embedded in external content manipulate agent behavior without user awareness. A critical but underexplored dimension of this threat is concealment: since users tend to observe only an agent's final response, an attack can conceal its existence by presenting no clue of compromise in the final user facing response while successfully executing harmful actions. This leaves users unaware of the manipulation and likely to accept harmful outcomes as legitimate. We present findings from a large scale public red teaming competition evaluating this dual objective across three agent settings: tool calling, coding, and computer use. The competition attracted 464 participants who submitted 272000 attack attempts against 13 frontier models, yielding 8648 successful attacks across 41 scenarios. All models proved vulnerable, with attack success rates ranging from 0.5% (Claude Opus 4.5) to 8.5% (Gemini 2.5 Pro). We identify universal attack strategies that transfer across 21 of 41 behaviors and multiple model families, suggesting fundamental weaknesses in instruction following architectures. Capability and robustness showed weak correlation, with Gemini 2.5 Pro exhibiting both high capability and high vulnerability. To address benchmark saturation and obsoleteness, we will endeavor to deliver quarterly updates through continued red teaming competitions. We open source the competition environment for use in evaluations, along with 95 successful attacks against Qwen that did not transfer to any closed source model. We share model-specific attack data with respective frontier labs and the full dataset with the UK AISI and US CAISI to support robustness research.

Recently, autonomous agents built on large language models (LLMs) have experienced significant development and are being deployed in real-world applications. These agents can extend the base LLM's capabilities in multiple ways. For example, a well-built agent using GPT-3.5-Turbo as its core can outperform the more advanced GPT-4 model by leveraging external components. More importantly, the usage of tools enables these systems to perform actions in the real world, moving from merely generating text to actively interacting with their environment. Given the agents' practical applications and their ability to execute consequential actions, it is crucial to assess potential vulnerabilities. Such autonomous systems can cause more severe damage than a standalone language model if compromised. While some existing research has explored harmful actions by LLM agents, our study approaches the vulnerability from a different perspective. We introduce a new type of attack that causes malfunctions by misleading the agent into executing repetitive or irrelevant actions. We conduct comprehensive evaluations using various attack methods, surfaces, and properties to pinpoint areas of susceptibility. Our experiments reveal that these attacks can induce failure rates exceeding 80\% in multiple scenarios. Through attacks on implemented and deployable agents in multi-agent scenarios, we accentuate the realistic risks associated with these vulnerabilities. To mitigate such attacks, we propose self-examination detection methods. However, our findings indicate these attacks are difficult to detect effectively using LLMs alone, highlighting the substantial risks associated with this vulnerability.

There is a candidate electromagnetic counterpart to the binary black hole merger GW190521, identified as ZTF19abanrhr within AGN J124942.3 + 344929. Additionally, GW190514 is proposed as a plausible precursor merger to GW190521 within a hierarchical merger scenario. In this study, we investigate the potential association between GW190514 and GW190521 as a hierarchical triple merger associated with ZTF19abanrhr, taking into account of sky position, distance, and mass of the sources using a Bayesian criterion. Our analysis reveals that the association is favored over a random coincidence, with a log Bayes factor of 16.8, corresponding to an odds ratio of sim199:1, assuming an astrophysical prior odds of 10^{-5}. Notably, when accounting for the primary masses of the two gravitational wave events as potential products of mergers in the AGN formation channel, the Bayes factor increases significantly, further enhancing the preference for this association by a factor of sim10^2, corresponding to a log Bayes factor of 21.5 and an odds ratio of sim2times10^4:1. Our results suggest strong evidence for the first hierarchical triple merger associated with an electromagnetic counterpart in the AGN formation channel. This work is crucial for understanding the formation mechanisms of massive black holes, the role of AGNs in hierarchical mergers, and the implications of multi-messenger astronomy.

Magnetohydrodynamic turbulence drives the central engine of post-merger remnants, potentially powering both a nucleosynthetically active disk wind and the relativistic jet behind a short gamma ray burst. We explore the impact of the magnetic field on this engine by simulating three post-merger black hole accretion disks using general relativistic magnetohydrodynamics with Monte Carlo neutrino transport, in each case varying the initial magnetic field strength. We find increasing ejecta masses associated with increasing magnetic field strength. We find that a fairly robust main r -process pattern is produced in all three cases, scaled by the ejected mass. Changing the initial magnetic field strength has a considerable effect on the geometry of the outflow and hints at complex central engine dynamics influencing lanthanide outflows. We find that actinide production is especially sensitive to magnetic field strength, with overall actinide mass fraction calculated at 1 Gyr post-merger increasing by more than a factor of six with a tenfold increase in magnetic field strength. This hints at a possible connection to the variability in actinide enhancements exhibited by metal poor, r -process-enhanced stars.

Components of cyber physical systems, which affect real-world processes, are often exposed to the internet. Replacing conventional control methods with Deep Reinforcement Learning (DRL) in energy systems is an active area of research, as these systems become increasingly complex with the advent of renewable energy sources and the desire to improve their efficiency. Artificial Neural Networks (ANN) are vulnerable to specific perturbations of their inputs or features, called adversarial examples. These perturbations are difficult to detect when properly regularized, but have significant effects on the ANN's output. Because DRL uses ANN to map optimal actions to observations, they are similarly vulnerable to adversarial examples. This work proposes a novel attack technique for continuous control using Group Difference Logits loss with a bifurcation layer. By combining aspects of targeted and untargeted attacks, the attack significantly increases the impact compared to an untargeted attack, with drastically smaller distortions than an optimally targeted attack. We demonstrate the impacts of powerful gradient-based attacks in a realistic smart energy environment, show how the impacts change with different DRL agents and training procedures, and use statistical and time-series analysis to evaluate attacks' stealth. The results show that adversarial attacks can have significant impacts on DRL controllers, and constraining an attack's perturbations makes it difficult to detect. However, certain DRL architectures are far more robust, and robust training methods can further reduce the impact.

We present the new public version of the KETJU supermassive black hole (SMBH) dynamics module, as implemented into GADGET-4. KETJU adds a small region around each SMBH where the dynamics of the SMBHs and stellar particles are integrated using an algorithmically regularised integrator instead of the leapfrog integrator with gravitational softening used by GADGET-4. This enables modelling SMBHs as point particles even during close interactions with stellar particles or other SMBHs, effectively removing the spatial resolution limitation caused by gravitational softening. KETJU also includes post-Newtonian corrections, which allows following the dynamics of SMBH binaries to sub-parsec scales and down to tens of Schwarzschild radii. Systems with multiple SMBHs are also supported, with the code also including the leading non-linear cross terms that appear in the post-Newtonian equations for such systems. We present tests of the code showing that it correctly captures, at sufficient mass resolution, the sinking driven by dynamical friction and binary hardening driven by stellar scattering. We also present an example application demonstrating how the code can be applied to study the dynamics of SMBHs in mergers of multiple galaxies and the effect they have on the properties of the surrounding galaxy. We expect that the presented KETJU SMBH dynamics module can also be straightforwardly incorporated into other codes similar to GADGET-4, which would allow coupling small-scale SMBH dynamics to the rich variety of galactic physics models that exist in the literature.

We study the prospect of using TianQin to detect stellar-mass binary black holes (SBBHs). We estimate the expected detection number as well as the precision of parameter estimation on SBBH inspirals, using five different population models. We note TianQin can possibly detect a few SBBH inspirals with signal to noise ratios greater than 12; lowering the threshold and combining multiple detectors can both boost the detection number. The source parameters can be recovered with good precision for most events above the detection threshold. For example, the precision of the merger time most likely occurs near 1s, making it possible to guide the detection of the ground-based detectors, the precision of the eccentricity e_0 most likely occurs near 10^{-4}, making it possible to distinguish the formation channels, and the precision of the mass parameter is better than 10^{-6} in general and most likely occurs near 10^{-7}. We note, in particular, that for a typical merger event, the error volume is likely to be small enough to contain only the host galaxy, which could greatly help in the study of gravitational wave cosmology and relevant studies through the multimessenger observation.

Deep learning models are susceptible to adversarial samples in white and black-box environments. Although previous studies have shown high attack success rates, coupling DNN models with interpretation models could offer a sense of security when a human expert is involved, who can identify whether a given sample is benign or malicious. However, in white-box environments, interpretable deep learning systems (IDLSes) have been shown to be vulnerable to malicious manipulations. In black-box settings, as access to the components of IDLSes is limited, it becomes more challenging for the adversary to fool the system. In this work, we propose a Query-efficient Score-based black-box attack against IDLSes, QuScore, which requires no knowledge of the target model and its coupled interpretation model. QuScore is based on transfer-based and score-based methods by employing an effective microbial genetic algorithm. Our method is designed to reduce the number of queries necessary to carry out successful attacks, resulting in a more efficient process. By continuously refining the adversarial samples created based on feedback scores from the IDLS, our approach effectively navigates the search space to identify perturbations that can fool the system. We evaluate the attack's effectiveness on four CNN models (Inception, ResNet, VGG, DenseNet) and two interpretation models (CAM, Grad), using both ImageNet and CIFAR datasets. Our results show that the proposed approach is query-efficient with a high attack success rate that can reach between 95% and 100% and transferability with an average success rate of 69% in the ImageNet and CIFAR datasets. Our attack method generates adversarial examples with attribution maps that resemble benign samples. We have also demonstrated that our attack is resilient against various preprocessing defense techniques and can easily be transferred to different DNN models.

Dense retrieval systems have been widely used in various NLP applications. However, their vulnerabilities to potential attacks have been underexplored. This paper investigates a novel attack scenario where the attackers aim to mislead the retrieval system into retrieving the attacker-specified contents. Those contents, injected into the retrieval corpus by attackers, can include harmful text like hate speech or spam. Unlike prior methods that rely on model weights and generate conspicuous, unnatural outputs, we propose a covert backdoor attack triggered by grammar errors. Our approach ensures that the attacked models can function normally for standard queries while covertly triggering the retrieval of the attacker's contents in response to minor linguistic mistakes. Specifically, dense retrievers are trained with contrastive loss and hard negative sampling. Surprisingly, our findings demonstrate that contrastive loss is notably sensitive to grammatical errors, and hard negative sampling can exacerbate susceptibility to backdoor attacks. Our proposed method achieves a high attack success rate with a minimal corpus poisoning rate of only 0.048\%, while preserving normal retrieval performance. This indicates that the method has negligible impact on user experience for error-free queries. Furthermore, evaluations across three real-world defense strategies reveal that the malicious passages embedded within the corpus remain highly resistant to detection and filtering, underscoring the robustness and subtlety of the proposed attack Codes of this work are available at https://github.com/ruyue0001/Backdoor_DPR..

This paper introduces a novel adversarial attack method targeting text classification models, termed the Modified Word Saliency-based Adversarial At-tack (MWSAA). The technique builds upon the concept of word saliency to strategically perturb input texts, aiming to mislead classification models while preserving semantic coherence. By refining the traditional adversarial attack approach, MWSAA significantly enhances its efficacy in evading detection by classification systems. The methodology involves first identifying salient words in the input text through a saliency estimation process, which prioritizes words most influential to the model's decision-making process. Subsequently, these salient words are subjected to carefully crafted modifications, guided by semantic similarity metrics to ensure that the altered text remains coherent and retains its original meaning. Empirical evaluations conducted on diverse text classification datasets demonstrate the effectiveness of the proposed method in generating adversarial examples capable of successfully deceiving state-of-the-art classification models. Comparative analyses with existing adversarial attack techniques further indicate the superiority of the proposed approach in terms of both attack success rate and preservation of text coherence.

Gravitational waves from asymmetric mass-ratio black-hole binaries carry unique information about their astrophysical environment. For instance, the Laser Interferometer Space Antenna (LISA) could potentially measure the amplitude and slope of gas torques in binaries embedded in the accretion disks of Active Galactic Nuclei, helping differentiate competing accretion disk models. However, this relies on simplified analytic models, which do not account for the stochastic variability of torques seen in hydrodynamic simulations. In this work, we use hydrodynamic simulations to create gravitational waveforms for extreme and intermediate mass-ratio inspirals in the LISA band. We then analyze these simulated waveforms using simpler templates that assume analytic torques, without stochastic time variability. By performing realistic Bayesian parameter estimation, we find no bias at 90% confidence in the binary parameters; however, estimates of accretion disk parameters, such as torque amplitude and slope, may be biased. Typically, the posterior distribution is centered around the average value of the torques, but when stochastic variability is large, the posterior can indicate no torques, even though they are present in the simulation. Our results suggest that while simplified analytic torque models work well for estimating binary parameters, caution is needed when using them to infer properties of the accretion disk. This work moves towards a more realistic assessment of one of the LISA science objectives, i.e., probing the properties of the astrophysical environments of black holes.

Fast X-ray transients (FXRTs) are short-lived X-ray outbursts with diverse progenitor scenarios, including compact object mergers, stellar core-collapses and tidal disruption events. The Einstein Probe (EP) has enabled the rapid discovery and follow-up of dozens of FXRTs, revealing that while some of them overlap with traditional gamma-ray bursts (GRBs), a larger fraction of FXRTs have no associated gamma-ray counterpart down to deep limits. The origin of these gamma-ray dark FXRTs and their connection to the diverse landscape of stellar explosions remains an open question, which can be tackled through the study of their multi-wavelength counterparts and environment. In this paper, we present long-term radio observations of the gamma-ray dark EP241021a, which exhibits sustained radio emission for over 100 days, placing it among the longest-lived radio afterglows. We detect signature of interstellar scintillation in early epochs, allowing us to constrain the angular size and Lorentz factor of the emitting region. Our observations point to an outflow that is at least mildly relativistic with Lorentz factor > 4. Afterglow modeling favors a moderately relativistic and collimated outflow interacting with a low-density interstellar medium. The derived beaming-corrected kinetic energy and low radiative efficiency are consistent with a standard relativistic explosion which did not produce bright gamma-rays. Alternatively, a highly-relativistic structured jet remains consistent with our observations if seen substantially off-axis. In the latter case, the initial X-ray flare detected by EP would be caused by the slower ejecta from the lateral wings intercepting our line of sight rather than by traditional prompt-emission mechanisms within the jet core.

Aligned large language models (LLMs) remain vulnerable to adversarial manipulation, and their reliance on web-scale pretraining creates a subtle but consequential attack surface. We study Stealth Pretraining Seeding (SPS), a threat model in which adversaries distribute small amounts of poisoned content across stealth websites, increasing the likelihood that such material is absorbed into future training corpora derived from sources such as Common Crawl. Because each individual payload is tiny, diffuse, and superficially benign, the attack is difficult to detect during dataset construction or filtering. The result is a latent form of poisoning that remains largely invisible under standard evaluation, yet can later be activated by a precise trigger such as <00TRIGGER00>. We call this attack PermaFrost, reflecting its latent and reactivatable nature. We study it through PermaFrost-Attack, a controlled framework for latent conceptual poisoning, together with three geometric diagnostics: Thermodynamic Length, Spectral Curvature, and the Infection Traceback Graph. Across multiple model families and scales, we show that this controlled SPS proxy can induce persistent unsafe behavior that often remains hidden under standard evaluation. Our results identify SPS as a practical and underappreciated threat to future foundation models. This paper introduces a novel geometric diagnostic lens for systematically examining latent model behavior, providing a principled foundation for detecting, characterizing, and understanding vulnerabilities that may remain invisible under standard evaluation.

Gemini is increasingly used to perform tasks on behalf of users, where function-calling and tool-use capabilities enable the model to access user data. Some tools, however, require access to untrusted data introducing risk. Adversaries can embed malicious instructions in untrusted data which cause the model to deviate from the user's expectations and mishandle their data or permissions. In this report, we set out Google DeepMind's approach to evaluating the adversarial robustness of Gemini models and describe the main lessons learned from the process. We test how Gemini performs against a sophisticated adversary through an adversarial evaluation framework, which deploys a suite of adaptive attack techniques to run continuously against past, current, and future versions of Gemini. We describe how these ongoing evaluations directly help make Gemini more resilient against manipulation.

Non-trivial gravitational saddles have played a key role in the island proposal for the black hole information paradox. It is worth asking if non-trivial saddles exist in microscopic descriptions of black holes. We show this to be the case for 1/8 BPS black holes in N = 8 String Theory in a duality frame, where all charges are Ramond Ramond. The saddles are in the Coulomb branch, where they describe marginally stable bound states of the constituent branes, and correspond to vacua of the BFSS model. The non-perturbative suppression scale is determined by the binding energy.

We focus on the problem of black-box adversarial attacks, where the aim is to generate adversarial examples for deep learning models solely based on information limited to output label~(hard label) to a queried data input. We propose a simple and efficient Bayesian Optimization~(BO) based approach for developing black-box adversarial attacks. Issues with BO's performance in high dimensions are avoided by searching for adversarial examples in a structured low-dimensional subspace. We demonstrate the efficacy of our proposed attack method by evaluating both ell_infty and ell_2 norm constrained untargeted and targeted hard label black-box attacks on three standard datasets - MNIST, CIFAR-10 and ImageNet. Our proposed approach consistently achieves 2x to 10x higher attack success rate while requiring 10x to 20x fewer queries compared to the current state-of-the-art black-box adversarial attacks.

Modern astronomical surveys, such as the Zwicky Transient Facility (ZTF), are capable of detecting thousands of transient events per year, necessitating the use of automated and scalable data analysis techniques. Recent advances in machine learning have enabled the efficient classification and characterization of these transient phenomena. We aim to develop a fully systematic pipeline to identify candidate stellar collision events in galactic nuclei, which may otherwise be identified as tidal disruption events or other transients. We also seek to validate our simulations by comparing key physical parameters derived from observations and used in modeling these events. We generate a comprehensive bank of simulated light curves spanning a range of physical parameters and employ an approximate nearest neighbor algorithm (via the annoy library) to match these with observed ZTF light curves. Our pipeline is successfully able to associate observed ZTF light curves with simulated events. The resulting estimated parameters, including supermassive black hole masses and ejecta mass, are presented and compared to known values when applicable. We demonstrate that a systematic, machine learning-based approach can effectively identify and characterize stellar collision candidate events from large-scale transient surveys. This methodology is especially promising for future surveys which will provide us with significantly high volumes of data, such as LSST, where automated, data-intensive analysis will be critical for advancing our understanding of transient astrophysical phenomena.

Multimodal large language models with Retrieval Augmented Generation (RAG) have significantly advanced tasks such as multimodal question answering by grounding responses in external text and images. This grounding improves factuality, reduces hallucination, and extends reasoning beyond parametric knowledge. However, this reliance on external knowledge poses a critical yet underexplored safety risk: knowledge poisoning attacks, where adversaries deliberately inject adversarial multimodal content into external knowledge bases to steer model toward generating incorrect or even harmful responses. To expose such vulnerabilities, we propose MM-PoisonRAG, the first framework to systematically design knowledge poisoning in multimodal RAG. We introduce two complementary attack strategies: Localized Poisoning Attack (LPA), which implants targeted multimodal misinformation to manipulate specific queries, and Globalized Poisoning Attack (GPA), which inserts a single adversarial knowledge to broadly disrupt reasoning and induce nonsensical responses across all queries. Comprehensive experiments across tasks, models, and access settings show that LPA achieves targeted manipulation with attack success rates of up to 56%, while GPA completely disrupts model generation to 0% accuracy with just a single adversarial knowledge injection. Our results reveal the fragility of multimodal RAG and highlight the urgent need for defenses against knowledge poisoning.

We investigate in more detail the holographic model of a superconductor recently found by Hartnoll, Herzog, and Horowitz [Phys. Rev. Lett. 101, 031601], which is constructed from a condensate of a charged scalar field in AdS_4-Schwarzschild background. By analytically studying the perturbation of the gravitational system near the critical temperature T_c, we obtain the superconducting coherence length proportional to 1/1-T/T_c via AdS/CFT correspondence. By adding a small external homogeneous magnetic field to the system, we find that a stationary diamagnetic current proportional to the square of the order parameter is induced by the magnetic field. These results agree with Ginzburg-Landau theory and strongly support the idea that a superconductor can be described by a charged scalar field on a black hole via AdS/CFT duality.

This paper introduces a new method for adversarial attacks on large language models (LLMs) called the Single-Turn Crescendo Attack (STCA). Building on the multi-turn crescendo attack method introduced by Russinovich, Salem, and Eldan (2024), which gradually escalates the context to provoke harmful responses, the STCA achieves similar outcomes in a single interaction. By condensing the escalation into a single, well-crafted prompt, the STCA bypasses typical moderation filters that LLMs use to prevent inappropriate outputs. This technique reveals vulnerabilities in current LLMs and emphasizes the importance of stronger safeguards in responsible AI (RAI). The STCA offers a novel method that has not been previously explored.

Correlation does not imply causation, but patterns of statistical association between variables can be exploited to infer a causal structure (even with purely observational data) with the burgeoning field of causal discovery. As a purely observational science, astrophysics has much to gain by exploiting these new methods. The supermassive black hole (SMBH)--galaxy interaction has long been constrained by observed scaling relations, that is low-scatter correlations between variables such as SMBH mass and the central velocity dispersion of stars in a host galaxy's bulge. This study, using advanced causal discovery techniques and an up-to-date dataset, reveals a causal link between galaxy properties and dynamically-measured SMBH masses. We apply a score-based Bayesian framework to compute the exact conditional probabilities of every causal structure that could possibly describe our galaxy sample. With the exact posterior distribution, we determine the most likely causal structures and notice a probable causal reversal when separating galaxies by morphology. In elliptical galaxies, bulge properties (built from major mergers) tend to influence SMBH growth, while in spiral galaxies, SMBHs are seen to affect host galaxy properties, potentially through feedback in gas-rich environments. For spiral galaxies, SMBHs progressively quench star formation, whereas in elliptical galaxies, quenching is complete, and the causal connection has reversed. Our findings support theoretical models of hierarchical assembly of galaxies and active galactic nuclei feedback regulating galaxy evolution. Our study suggests the potentiality for further exploration of causal links in astrophysical and cosmological scaling relations, as well as any other observational science.

Since their discovery, AGN light curves are known to be intrinsically variable. In the optical/UV band, this variability is consistent with correlated or red noise and is particularly well described by the damped random walk (DRW) model. In this work, we evaluate the feasibility of a new method for identifying spatially unresolved couples of AGN through a fully Bayesian time-domain analysis of the observed light curves (LCs). More specifically, we check whether observed LCs are better described by a single DRW, which we interpret as emitted by a single massive black hole (MBH), or a pair of independent DRWs, generated by a pair of MBHs. We test the method on mock LCs associated with a single MBH and pairs generated with different cadences and lengths of observational campaigns. We constrained the occurrence of false positives, that is, the percentage of single MBH LCs that show substantial evidence in favour of the unresolved MBH pair scenario, finding a fraction of 0.2% and 0.59% in the even and uneven sampling scenarios. We discuss how well the method recovers the model parameters, showing that about 51% and 7% of the simulated LCs have all the recovered parameters within 20% of their true values in our best scenario of evenly sampled LCs for the single MBH and MBH pair scenarios, respectively. We finally study the region of the parameter space in which the detection of an MBH pair is possible, finding that such objects can be correctly identified if the timescales of the process describing the noise are very different, with a ratio smaller than ~0.2, and the variability amplitudes are similar, with their ratio bigger than ~0.2. When limiting to such a region of the parameter space, the fraction of pairs with all the recovered parameters within 20% of the injected values increases up to about 14% and 8% for evenly and unevenly sampled LCs, respectively.

We report the discovery of two broad-line X-ray AGNs cid_414 and cid_947 at z~3 that exhibit prominent He Iλ10830+ Paγ emission and absorption, identified from the JWST Cycle 3 large GO treasury program COSMOS-3D using NIRCam F444W grism spectroscopy. Additional UV/optical line measurements (e.g., Lyα, Si IV, C IV) come from complementary COSMOS-field spectroscopy. Both sources are robustly detected in the mid-infrared, with detections in MIRI F1000W for both AGNs and an additional detection in MIRI F2100W for cid_414, indicating the presence of hot dust emission. The source cid_947 shows a higher He Iλ10830 absorption column density and X-ray-inferred N_{rm H}, and displays strong outflow signatures in He I, Si IV, and C IV with velocity offsets exceeding 5000 km/s. The source cid_414 shows a narrow Lyα emission line with luminosity log L_{rm Lyα}=42.49pm0.01~erg~s^{-1} and a higher intrinsic 2-10 keV X-ray luminosity. Host-galaxy decomposition and multi-component SED fitting indicate that cid_947 hosts a more massive black hole but lower star formation rate than cid_414. From simplified photoionization modeling, we infer that the dense absorbing gas has a characteristic size comparable to the nuclear broad-line region and is likely kinematically coupled to the obscuration associated with the dust torus. He Iλ1083 absorption has also been identified in several compact little red dots at similar redshifts. Together with the two AGNs reported here, these findings suggest that dense circumnuclear gas are plausibly prevalent at high redshift and plays an important role in regulating AGN obscuration and black hole--host co-evolution.

The possible existence of black holes has fascinated scientists at least since Michell and Laplace's proposal that a gravitating object could exist from which light could not escape. In the 20th century, in light of the general theory of relativity, it became apparent that, were such objects to exist, their structure would be far richer than originally imagined. Today, astronomical observations strongly suggest that either black holes, or objects with similar properties, not only exist but may well be abundant in our universe. In light of this, black hole research is now not only motivated by the fascinating theoretical properties such objects must possess but also as an attempt to better understand the universe around us. We review here some selected developments in black hole research, from a review of its early history to current topics in black hole physics research. Black holes have been studied at all levels; classically, semi-classically, and more recently, as an arena to test predictions of candidate theories of quantum gravity. We will review here progress and current research at all these levels as well as discuss some proposed alternatives to black holes.

We present new limits on an isotropic stochastic gravitational-wave background (GWB) using a six pulsar dataset spanning 18 yr of observations from the 2015 European Pulsar Timing Array data release. Performing a Bayesian analysis, we fit simultaneously for the intrinsic noise parameters for each pulsar, along with common correlated signals including clock, and Solar System ephemeris errors, obtaining a robust 95% upper limit on the dimensionless strain amplitude A of the background of A<3.0times 10^{-15} at a reference frequency of 1yr^{-1} and a spectral index of 13/3, corresponding to a background from inspiralling super-massive black hole binaries, constraining the GW energy density to Omega_gw(f)h^2 < 1.1times10^{-9} at 2.8 nHz. We also present limits on the correlated power spectrum at a series of discrete frequencies, and show that our sensitivity to a fiducial isotropic GWB is highest at a frequency of sim 5times10^{-9}~Hz. Finally we discuss the implications of our analysis for the astrophysics of supermassive black hole binaries, and present 95% upper limits on the string tension, Gmu/c^2, characterising a background produced by a cosmic string network for a set of possible scenarios, and for a stochastic relic GWB. For a Nambu-Goto field theory cosmic string network, we set a limit Gmu/c^2<1.3times10^{-7}, identical to that set by the {\it Planck} Collaboration, when combining {\it Planck} and high-ell Cosmic Microwave Background data from other experiments. For a stochastic relic background we set a limit of Omega^relic_gw(f)h^2<1.2 times10^{-9}, a factor of 9 improvement over the most stringent limits previously set by a pulsar timing array.

In this study of the `Resolving supermAssive Black hole Binaries In galacTic hydrodynamical Simulations' (RABBITS) series, we investigate the orbital evolution of supermassive black holes (SMBHs) during galaxy mergers. We simulate both disc and elliptical galaxy mergers using the KETJU code, which can simultaneously follow galaxy (hydro-)dynamics and small-scale SMBH dynamics with post-Newtonian corrections. With our SMBH binary subgrid model, we show how active galactic nuclei (AGNs) feedback affects galaxy properties and SMBH coalescence. We find that simulations without AGN feedback exhibit excessive star formation, resulting in merger remnants that deviate from observed properties. Kinetic AGN feedback proves more effective than thermal AGN feedback in expelling gas from the centre and quenching star formation. The different central galaxy properties, which are a result of distinct AGN feedback models, lead to varying rates of SMBH orbital decay. In the dynamical friction phase, galaxies with higher star formation and higher SMBH masses possess denser centres, become more resistant to tidal stripping, experience greater dynamical friction, and consequently form SMBH binaries earlier. As AGN feedback reduces gas densities in the centres, dynamical friction by stars dominates over gas. In the SMBH hardening phase, compared to elliptical mergers, disc mergers exhibit higher central densities of newly formed stars, resulting in accelerated SMBH hardening and shorter merger time-scales (i.e. lesssim 500 Myr versus gtrsim 1 Gyr). Our findings highlight the importance of AGN feedback and its numerical implementation in understanding the SMBH coalescing process, a key focus for low-frequency gravitational wave observatories.

Decision-based adversarial attacks construct inputs that fool a machine-learning model into making targeted mispredictions by making only hard-label queries. For the most part, these attacks have been applied directly to isolated neural network models. However, in practice, machine learning models are just a component of a much larger system. By adding just a single preprocessor in front of a classifier, we find that state-of-the-art query-based attacks are as much as seven times less effective at attacking a prediction pipeline than attacking the machine learning model alone. Hence, attacks that are unaware of this invariance inevitably waste a large number of queries to re-discover or overcome it. We, therefore, develop techniques to first reverse-engineer the preprocessor and then use this extracted information to attack the end-to-end system. Our extraction method requires only a few hundred queries to learn the preprocessors used by most publicly available model pipelines, and our preprocessor-aware attacks recover the same efficacy as just attacking the model alone. The code can be found at https://github.com/google-research/preprocessor-aware-black-box-attack.

Our knowledge of supermassive black holes (SMBHs) and their relation to their host galaxies is still limited, and there are only around 150 SMBHs that have their masses directly measured and confirmed. Better black hole mass scaling relations will help us reveal the physics of black holes, as well as predict black hole masses that are not yet measured. Here, we apply symbolic regression, combined with random forest to those directly-measured black hole masses and host galaxy properties, and find a collection of higher-dimensional (N-D) black hole mass scaling relations. These N-D black hole mass scaling relations have scatter smaller than any of the existing black hole mass scaling relations. One of the best among them involves the parameters of central stellar velocity dispersion, bulge-to-total ratio, and density at the black hole's sphere-of-influence with an intrinsic scatter of epsilon=0.083, dex, significantly lower than epsilon sim 0.3, dex for the M-sigma relation. These relations will inspire black hole physics, test black hole models implemented in simulations, and estimate unknown black hole masses on an unprecedented precision.

We introduce Doublespeak, a simple in-context representation hijacking attack against large language models (LLMs). The attack works by systematically replacing a harmful keyword (e.g., bomb) with a benign token (e.g., carrot) across multiple in-context examples, provided a prefix to a harmful request. We demonstrate that this substitution leads to the internal representation of the benign token converging toward that of the harmful one, effectively embedding the harmful semantics under a euphemism. As a result, superficially innocuous prompts (e.g., ``How to build a carrot?'') are internally interpreted as disallowed instructions (e.g., ``How to build a bomb?''), thereby bypassing the model's safety alignment. We use interpretability tools to show that this semantic overwrite emerges layer by layer, with benign meanings in early layers converging into harmful semantics in later ones. Doublespeak is optimization-free, broadly transferable across model families, and achieves strong success rates on closed-source and open-source systems, reaching 74\% ASR on Llama-3.3-70B-Instruct with a single-sentence context override. Our findings highlight a new attack surface in the latent space of LLMs, revealing that current alignment strategies are insufficient and should instead operate at the representation level.

In this Essay, we will look at the relation between the No Transmission principle and the Strong cosmic censorship (SCC), which we will highlight in the background of quantum gravity. We show that taking quantum gravity into account, one can provide a complete picture of the instability of the inner horizon and the principle that two independent CFTs, under the gauge-gravity duality, imply that the dual bulks must also be independent in that there must not exist a way to transmit a signal between the two spacetimes. We show that this can simply be interpreted as SCC, and that the inner horizon must be unstable (at either linear or nonlinear orders) to be in accordance with holographic quantum gravity.

We study Einstein-Maxwell-dilaton gravity models in four-dimensional anti-de Sitter (AdS) spacetime which admit the Reissner-Nordstrom (RN) black hole solution. We show that below a critical temperature the AdS-RN solution becomes unstable against scalar perturbations and the gravitational system undergoes a phase transition. We show using numerical calculations that the new phase is a charged dilatonic black hole. Using the AdS/CFT correspondence we discuss the phase transition in the dual field theory both for non-vanishing temperatures and in the extremal limit. The extremal solution has a Lifshitz scaling symmetry. We discuss the optical conductivity in the new dual phase and find interesting behavior at low frequencies where it shows a "Drude peak". The resistivity varies with temperature in a non-monotonic way and displays a minimum at low temperatures which is reminiscent of the celebrated Kondo effect.

Large language models (LLMs) can be adapted to new tasks using parameter-efficient fine-tuning (PEFT) methods that modify only a small number of trainable parameters, often through low-rank updates. In this work, we adopt a quantum-information-inspired perspective to understand their effectiveness. From this perspective, low-rank parameterizations naturally correspond to low-dimensional Matrix Product States (MPS) representations, which enable entanglement-based characterizations of parameter structure. Thereby, we term and measure "Artificial Entanglement", defined as the entanglement entropy of the parameters in artificial neural networks (in particular the LLMs). We first study the representative low-rank adaptation (LoRA) PEFT method, alongside full fine-tuning (FFT), using LLaMA models at the 1B and 8B scales trained on the Tulu3 and OpenThoughts3 datasets, and uncover: (i) Internal artificial entanglement in the updates of query and value projection matrices in LoRA follows a volume law with a central suppression (termed as the "Entanglement Valley"), which is sensitive to hyper-parameters and is distinct from that in FFT; (ii) External artificial entanglement in attention matrices, corresponding to token-token correlations in representation space, follows an area law with logarithmic corrections and remains robust to LoRA hyper-parameters and training steps. Drawing a parallel to the No-Hair Theorem in black hole physics, we propose that although LoRA and FFT induce distinct internal entanglement signatures, such differences do not manifest in the attention outputs, suggesting a "no-hair" property that results in the effectiveness of low rank updates. We further provide theoretical support based on random matrix theory, and extend our analysis to an MPS Adaptation PEFT method, which exhibits qualitatively similar behaviors.

Compact binary millisecond pulsars (MSPs) with orbital periods lesssim1d are key to understanding binary evolution involving massive neutron stars (NSs). Due to the ablation of the companion by the rapidly spinning pulsar, these systems are also known as spiders and categorized into two main branches: redbacks (RBs; companion mass in the range of 0.1 to 0.5\,\Msun) and black widows (BWs; companion mass lesssim\,0.1\,\Msun). We present models of low- and intermediate-mass X-ray binaries and compare them with observations of Galactic spiders (including the presence or absence of hydrogen lines in their optical spectra), and we constrain and quantify the interaction between the pulsar and the companion. Using MESA, we created the allowed initial parameter space. For the first time in MESA, we also included the detailed evolution of the pulsar spin and modeled the irradiation of the companion by the pulsar wind. Efficient mass accretion onto the NS (at least 70% of the mass transferred is accreted) with an X-ray irradiated disk followed by strong irradiation of the companion can explain most of the properties of the observed spiders. Our RB evolutionary tracks continue to the BW regime, connecting the two branches of spiders. Our models explain the lack of hydrogen in some observed BWs with ultra-light companions. During accretion induced spin up, the mass required to spin up an NS to sub-milliseconds is high enough to collapse it into a black hole. Finally, after analyzing the formation of RB-like spiders with giant companions and orbital periods of several days (huntsmen), we conclude that they are unlikely to produce super-massive NSs (maximum accreted mass lesssim0.5M_{odot}). Cannibalistic MSP binary formation depends heavily on the interplay between accretion onto the pulsar and pulsar wind irradiation.

Recent advances in large language models (LLMs) have demonstrated remarkable potential in the field of natural language processing. Unfortunately, LLMs face significant security and ethical risks. Although techniques such as safety alignment are developed for defense, prior researches reveal the possibility of bypassing such defenses through well-designed jailbreak attacks. In this paper, we propose QueryAttack, a novel framework to examine the generalizability of safety alignment. By treating LLMs as knowledge databases, we translate malicious queries in natural language into structured non-natural query language to bypass the safety alignment mechanisms of LLMs. We conduct extensive experiments on mainstream LLMs, and the results show that QueryAttack not only can achieve high attack success rates (ASRs), but also can jailbreak various defense methods. Furthermore, we tailor a defense method against QueryAttack, which can reduce ASR by up to 64% on GPT-4-1106. Our code is available at https://github.com/horizonsinzqs/QueryAttack.

We investigate thermodynamics of static and spherically symmetric black holes (BHs) in the Horndeski theories. Because of the presence of the higher-derivative interactions and the nonminimal derivative couplings of the scalar field, the standard Wald entropy formula may not be directly applicable. Hence, following the original formulation by Iyer and Wald, we obtain the differentials of the BH entropy and the total mass of the system in the Horndeski theories, which lead to the first-law of thermodynamics via the conservation of the Hamiltonian. Our formulation covers the case of the static and spherically symmetric BH solutions with the static scalar field and those with the linearly time-dependent scalar field in the shift-symmetric Horndeski theories. We then apply our results to explicit BH solutions in the Horndeski theories. In the case of the conventional scalar-tensor theories and the Einstein-scalar-Gauss-Bonnet theories, we recover the BH entropy obtained by the Wald entropy formula. In the shift-symmetric theories, in the case of the BH solutions with the static scalar field we show that the BH entropy follows the ordinary area law even in the presence of the nontrivial profile of the scalar field. On the other hand, in the case of the BH solutions where the scalar field linearly depends on time, i.e., the stealth Schwarzschild and Schwarzschild-(anti-) de Sitter solutions, the BH entropy also depends on the profile of the scalar field. By use of the entropy, we find that there exists some range of the parameters in which Schwarzschild-(AdS) BH with non-trivial scalar field is thermodynamically stable than Schwarzschild-(AdS) BH without scalar field in general relativity.

Active Galactic Nuclei (AGN) are some of the most luminous and extreme environments in the Universe. The central engines of AGN, believed to be super-massive black-holes, are fed by accretion discs threaded by magnetic fields within a dense magneto-ionic medium. We report our findings from polarimetric Very-long-baseline Interferometry (VLBI) observations of quasar NRAO150 taken in October 2022 using a combined network of the Very Long Baseline Array (VLBA) and Effelsberg 100-m Radio Telescope. These observations are the first co-temporal multi-frequency polarimetric VLBI observations of NRAO150 at frequencies above 15GHz. We use the new VLBI polarization calibration procedure, GPCAL, with polarization observations of frequencies of 12GHz, 15GHz, 24GHz, and 43GHz of NRAO150. From these observations, we measure Faraday rotation. Using our measurement of Faraday rotation, we also derive the intrinsic electric vector position angle (EVPA0) for the source. As a complementary measurement we determine the behavior of polarization as a function of observed frequency. The polarization from NRAO150 only comes from the core region, with a peak polarization intensity occurring at 24GHz. Across the core region of NRAO150 we see clear gradients in Faraday rotation and EVPA0 values that are aligned with the direction of the jet curving around the core region. We find that for the majority of the polarized region the polarization fraction is greater at higher frequencies, with intrinsic polarization fractions in the core 3%. The Faraday rotation gradients and circular patterns in EVPA0 are strong evidence for a helical/toroidal magnetic field, and the presence of low intrinsic polarization fractions indicate that the polarized emission and hence the helical/toroidal magnetic field, occur within the innermost jet.

Deep neural networks for image classification remain vulnerable to adversarial examples -- small, imperceptible perturbations that induce misclassifications. In black-box settings, where only the final prediction is accessible, crafting targeted attacks that aim to misclassify into a specific target class is particularly challenging due to narrow decision regions. Current state-of-the-art methods often exploit the geometric properties of the decision boundary separating a source image and a target image rather than incorporating information from the images themselves. In contrast, we propose Targeted Edge-informed Attack (TEA), a novel attack that utilizes edge information from the target image to carefully perturb it, thereby producing an adversarial image that is closer to the source image while still achieving the desired target classification. Our approach consistently outperforms current state-of-the-art methods across different models in low query settings (nearly 70% fewer queries are used), a scenario especially relevant in real-world applications with limited queries and black-box access. Furthermore, by efficiently generating a suitable adversarial example, TEA provides an improved target initialization for established geometry-based attacks.

We study the black-box attacks on graph neural networks (GNNs) under a novel and realistic constraint: attackers have access to only a subset of nodes in the network, and they can only attack a small number of them. A node selection step is essential under this setup. We demonstrate that the structural inductive biases of GNN models can be an effective source for this type of attacks. Specifically, by exploiting the connection between the backward propagation of GNNs and random walks, we show that the common gradient-based white-box attacks can be generalized to the black-box setting via the connection between the gradient and an importance score similar to PageRank. In practice, we find attacks based on this importance score indeed increase the classification loss by a large margin, but they fail to significantly increase the mis-classification rate. Our theoretical and empirical analyses suggest that there is a discrepancy between the loss and mis-classification rate, as the latter presents a diminishing-return pattern when the number of attacked nodes increases. Therefore, we propose a greedy procedure to correct the importance score that takes into account of the diminishing-return pattern. Experimental results show that the proposed procedure can significantly increase the mis-classification rate of common GNNs on real-world data without access to model parameters nor predictions.

Modern code completion engines, powered by large language models (LLMs), assist millions of developers with their strong capabilities to generate functionally correct code. Due to this popularity, it is crucial to investigate the security implications of relying on LLM-based code completion. In this work, we demonstrate that state-of-the-art black-box LLM-based code completion engines can be stealthily biased by adversaries to significantly increase their rate of insecure code generation. We present the first attack, named INSEC, that achieves this goal. INSEC works by injecting an attack string as a short comment in the completion input. The attack string is crafted through a query-based optimization procedure starting from a set of carefully designed initialization schemes. We demonstrate INSEC's broad applicability and effectiveness by evaluating it on various state-of-the-art open-source models and black-box commercial services (e.g., OpenAI API and GitHub Copilot). On a diverse set of security-critical test cases, covering 16 CWEs across 5 programming languages, INSEC increases the rate of generated insecure code by more than 50%, while maintaining the functional correctness of generated code. We consider INSEC practical -- it requires low resources and costs less than 10 US dollars to develop on commodity hardware. Moreover, we showcase the attack's real-world deployability, by developing an IDE plug-in that stealthily injects INSEC into the GitHub Copilot extension.

Pre-trained programming language (PL) models (such as CodeT5, CodeBERT, GraphCodeBERT, etc.,) have the potential to automate software engineering tasks involving code understanding and code generation. However, these models operate in the natural channel of code, i.e., they are primarily concerned with the human understanding of the code. They are not robust to changes in the input and thus, are potentially susceptible to adversarial attacks in the natural channel. We propose, CodeAttack, a simple yet effective black-box attack model that uses code structure to generate effective, efficient, and imperceptible adversarial code samples and demonstrates the vulnerabilities of the state-of-the-art PL models to code-specific adversarial attacks. We evaluate the transferability of CodeAttack on several code-code (translation and repair) and code-NL (summarization) tasks across different programming languages. CodeAttack outperforms state-of-the-art adversarial NLP attack models to achieve the best overall drop in performance while being more efficient, imperceptible, consistent, and fluent. The code can be found at https://github.com/reddy-lab-code-research/CodeAttack.

The illumination of the accretion disks is frequently studied assuming that the incident X-ray flux is a point-like source. The approach is referred as lamppost model.The most recent computations of the X-ray reprocessing by the disk take into account the departure from the simple lamppost models. However, in computations of the incident flux thermalization and subsequent re-emission in the optical-UV band the lamppost approximation is most frequently assumed. We test if the UV-optical reverberation mapping and time delay measurements are sensitive to this assumption. We assume that the incident radiation originates from a region extended along the symmetry axis. To model this, we adopt a simple setup by representing the emission as two lamps irradiating the disk simultaneously from two different heights. We then compare the resulting predictions with those obtained for a single lamppost located at an intermediate height. We show at the basis of the transfer function that the deviation of the wavelength-dependent delay curve shows at most a difference of 20% in comparison to a single lamppost, assuming the black hole mass of 10^8 M_{odot}, Eddington ratio 1, and the location of the lamps at 5 and 100 rg. The maximum deviation happens for the lamp luminosity ratio sim3. When simulating light curves for a two-lamp setup and a standard lamppost with the same black hole mass and a sampling rate of 0.1 days, we find no measurable differences in the ICCF profiles between the two setups. Larger black hole mass and considerably lower Eddington ratio would allow to see larger differences between a single lamppost and a two-lampost model. UV/optical reverberation mapping is not very sensitive to the vertical extension of the corona.

E. T. Whittaker produced two papers in 1903 and 1904 that, although sometimes considered mere mathematical statements (Barrett, 1993), held important implications for physical theory. The Whittaker 1903 paper united electrostatic and gravitational attraction as resulting from longitudinal waves - waves whose wavefronts propagate parallel to their direction. The Whittaker 1904 paper showed that electromagnetic waves resulted from the interference of two such longitudinal waves or scalar potential functions. Although unexplored, the implications of these papers are profound: gravitational lensing, gravitational waves, the Aharonov-Bohm effect, the existence of a hyperspace above or behind normal space, the elimination of gravitational and point charge singularities, MOND, and the expansion of the universe. This last implication can be related to the recent finding that black holes with posited vacuum energy interior solutions alongside cosmological boundaries have a cosmological coupling constant of k=3, meaning that black holes gain mass-proportional to a3 in a parameterization equation within a Robertson-Walker cosmology and are a cosmological accelerated expansion species (Farrah et al., 2023). This expansion and many features of General Relativity can be explained by the mass-proportionality and preferred direction of the longitudinal waves within the two underlying non-local Whittaker potentials (Titleman, 2022). Whittaker potential theory also offers a simple explanation for expansion of the universe - it is produced as longitudinal motion within the Whittaker potentials only when dynamic electromagnetism is separate from time-static gravity in intergalactic space.

Large Language Models (LLMs) presents significant priority in text understanding and generation. However, LLMs suffer from the risk of generating harmful contents especially while being employed to applications. There are several black-box attack methods, such as Prompt Attack, which can change the behaviour of LLMs and induce LLMs to generate unexpected answers with harmful contents. Researchers are interested in Prompt Attack and Defense with LLMs, while there is no publicly available dataset with high successful attacking rate to evaluate the abilities of defending prompt attack. In this paper, we introduce a pipeline to construct high-quality prompt attack samples, along with a Chinese prompt attack dataset called CPAD. Our prompts aim to induce LLMs to generate unexpected outputs with several carefully designed prompt attack templates and widely concerned attacking contents. Different from previous datasets involving safety estimation, we construct the prompts considering three dimensions: contents, attacking methods and goals. Especially, the attacking goals indicate the behaviour expected after successfully attacking the LLMs, thus the responses can be easily evaluated and analysed. We run several popular Chinese LLMs on our dataset, and the results show that our prompts are significantly harmful to LLMs, with around 70% attack success rate to GPT-3.5. CPAD is publicly available at https://github.com/liuchengyuan123/CPAD.

We compute upper limits on the nanohertz-frequency isotropic stochastic gravitational wave background (GWB) using the 9-year data release from the North American Nanohertz Observatory for Gravitational Waves (NANOGrav) collaboration. We set upper limits for a GWB from supermassive black hole binaries under power law, broken power law, and free spectral coefficient GW spectrum models. We place a 95\% upper limit on the strain amplitude (at a frequency of yr^{-1}) in the power law model of A_{rm gw} < 1.5times 10^{-15}. For a broken power law model, we place priors on the strain amplitude derived from simulations of Sesana (2013) and McWilliams et al. (2014). We find that the data favor a broken power law to a pure power law with odds ratios of 22 and 2.2 to one for the McWilliams and Sesana prior models, respectively. The McWilliams model is essentially ruled out by the data, and the Sesana model is in tension with the data under the assumption of a pure power law. Using the broken power-law analysis we construct posterior distributions on environmental factors that drive the binary to the GW-driven regime including the stellar mass density for stellar-scattering, mass accretion rate for circumbinary disk interaction, and orbital eccentricity for eccentric binaries, marking the first time that the shape of the GWB spectrum has been used to make astrophysical inferences. We then place the most stringent limits so far on the energy density of relic GWs, Omega_gw(f),h^2 < 4.2 times 10^{-10}, yielding a limit on the Hubble parameter during inflation of H_*=1.6times10^{-2}~m_{Pl}, where m_{Pl} is the Planck mass. Our limit on the cosmic string GWB, Omega_gw(f), h^2 < 2.2 times 10^{-10}, translates to a conservative limit of Gmu<3.3times 10^{-8} - a factor of 4 better than the joint Planck and high-l CMB data from other experiments.

Current research in adversarial robustness of LLMs focuses on discrete input manipulations in the natural language space, which can be directly transferred to closed-source models. However, this approach neglects the steady progression of open-source models. As open-source models advance in capability, ensuring their safety also becomes increasingly imperative. Yet, attacks tailored to open-source LLMs that exploit full model access remain largely unexplored. We address this research gap and propose the embedding space attack, which directly attacks the continuous embedding representation of input tokens. We find that embedding space attacks circumvent model alignments and trigger harmful behaviors more efficiently than discrete attacks or model fine-tuning. Furthermore, we present a novel threat model in the context of unlearning and show that embedding space attacks can extract supposedly deleted information from unlearned LLMs across multiple datasets and models. Our findings highlight embedding space attacks as an important threat model in open-source LLMs. Trigger Warning: the appendix contains LLM-generated text with violence and harassment.

Extreme-mass-ratio inspirals (EMRIs) and intermediate-mass-ratio inspirals (IMRIs) are important gravitational wave (GW) sources for the Laser Interferometer Space Antenna (LISA). It has been recently suggested that EMRIs and IMRIs can both form in the accretion disk of an active galactic nucleus (AGN). Considering the likely encounter between a sBH and an IMBH during the migration in the AGN disk, Paper I showed that a gap-opening IMBH can drive a surrounding sBH to migrate synchronously. In this work, we extend the study in Paper I with a more sophisticated model. We first use 3D hydrodynamical simulations to study the co-evolution of the disk and the migration of a sBH in the vicinity of an IMBH. We find that the gaseous torque, together with the tidal torque exerted by the IMBH, can drive synchronized migration until sim 10 Schwarzschild radii from the central supermassive black hole (SMBH). We further use a relativistic three-body code to study the final fate of the sBH in the GW-dominated regime. We find that the sBH can be either captured or kicked out by the IMBH, which will result in either two subsequent IMRIs or an EMRI followed by an IMRI. These events will bring rich information about the formation and evolution of sBHs and IMBHs in AGNs.

Safety alignment is critical for the ethical deployment of large language models (LLMs), guiding them to avoid generating harmful or unethical content. Current alignment techniques, such as supervised fine-tuning and reinforcement learning from human feedback, remain fragile and can be bypassed by carefully crafted adversarial prompts. Unfortunately, such attacks rely on trial and error, lack generalizability across models, and are constrained by scalability and reliability. This paper presents NeuroStrike, a novel and generalizable attack framework that exploits a fundamental vulnerability introduced by alignment techniques: the reliance on sparse, specialized safety neurons responsible for detecting and suppressing harmful inputs. We apply NeuroStrike to both white-box and black-box settings: In the white-box setting, NeuroStrike identifies safety neurons through feedforward activation analysis and prunes them during inference to disable safety mechanisms. In the black-box setting, we propose the first LLM profiling attack, which leverages safety neuron transferability by training adversarial prompt generators on open-weight surrogate models and then deploying them against black-box and proprietary targets. We evaluate NeuroStrike on over 20 open-weight LLMs from major LLM developers. By removing less than 0.6% of neurons in targeted layers, NeuroStrike achieves an average attack success rate (ASR) of 76.9% using only vanilla malicious prompts. Moreover, Neurostrike generalizes to four multimodal LLMs with 100% ASR on unsafe image inputs. Safety neurons transfer effectively across architectures, raising ASR to 78.5% on 11 fine-tuned models and 77.7% on five distilled models. The black-box LLM profiling attack achieves an average ASR of 63.7% across five black-box models, including the Google Gemini family.

The Single-Turn Crescendo Attack (STCA), first introduced in Aqrawi and Abbasi [2024], is an innovative method designed to bypass the ethical safeguards of text-to-text AI models, compelling them to generate harmful content. This technique leverages a strategic escalation of context within a single prompt, combined with trust-building mechanisms, to subtly deceive the model into producing unintended outputs. Extending the application of STCA to text-to-image models, we demonstrate its efficacy by compromising the guardrails of a widely-used model, DALL-E 3, achieving outputs comparable to outputs from the uncensored model Flux Schnell, which served as a baseline control. This study provides a framework for researchers to rigorously evaluate the robustness of guardrails in text-to-image models and benchmark their resilience against adversarial attacks.

We investigate the robustness of reasoning models trained for step-by-step problem solving by introducing query-agnostic adversarial triggers - short, irrelevant text that, when appended to math problems, systematically mislead models to output incorrect answers without altering the problem's semantics. We propose CatAttack, an automated iterative attack pipeline for generating triggers on a weaker, less expensive proxy model (DeepSeek V3) and successfully transfer them to more advanced reasoning target models like DeepSeek R1 and DeepSeek R1-distilled-Qwen-32B, resulting in greater than 300% increase in the likelihood of the target model generating an incorrect answer. For example, appending, "Interesting fact: cats sleep most of their lives," to any math problem leads to more than doubling the chances of a model getting the answer wrong. Our findings highlight critical vulnerabilities in reasoning models, revealing that even state-of-the-art models remain susceptible to subtle adversarial inputs, raising security and reliability concerns. The CatAttack triggers dataset with model responses is available at https://huggingface.co/datasets/collinear-ai/cat-attack-adversarial-triggers.

Recent research has highlighted the vulnerability of Deep Neural Networks (DNNs) against data poisoning attacks. These attacks aim to inject poisoning samples into the models' training dataset such that the trained models have inference failures. While previous studies have executed different types of attacks, one major challenge that greatly limits their effectiveness is the uncertainty of the re-training process after the injection of poisoning samples, including the re-training initialization or algorithms. To address this challenge, we propose a novel attack method called ''Sharpness-Aware Data Poisoning Attack (SAPA)''. In particular, it leverages the concept of DNNs' loss landscape sharpness to optimize the poisoning effect on the worst re-trained model. It helps enhance the preservation of the poisoning effect, regardless of the specific retraining procedure employed. Extensive experiments demonstrate that SAPA offers a general and principled strategy that significantly enhances various types of poisoning attacks.

Time series data from observations of black hole ringdown gravitational waves are often analyzed in the time domain by using damped sinusoid models with acyclic boundary conditions. Data conditioning operations, including downsampling, filtering, and the choice of data segment duration, reduce the computational cost of such analyses and can improve numerical stability. Here we analyze simulated damped sinsuoid signals to illustrate how data conditioning operations, if not carefully applied, can undesirably alter the analysis' posterior distributions. We discuss how currently implemented downsampling and filtering methods, if applied too aggressively, can introduce systematic errors and skew tests of general relativity. These issues arise because current downsampling and filtering methods do not operate identically on the data and model. Alternative downsampling and filtering methods which identically operate on the data and model may be achievable, but we argue that the current operations can still be implemented safely. We also show that our preferred anti-alias filtering technique, which has an instantaneous frequency-domain response at its roll-off frequency, preserves the structure of posterior distributions better than other commonly used filters with transient frequency-domain responses. Lastly, we highlight that exceptionally long data segments may need to be analyzed in cases where thin lines in the noise power spectral density overlap with central signal frequencies. Our findings may be broadly applicable to any analysis of truncated time domain data with acyclic boundary conditions.

Quantum computing promises to enhance machine learning and artificial intelligence. Different quantum algorithms have been proposed to improve a wide spectrum of machine learning tasks. Yet, recent theoretical works show that, similar to traditional classifiers based on deep classical neural networks, quantum classifiers would suffer from the vulnerability problem: adding tiny carefully-crafted perturbations to the legitimate original data samples would facilitate incorrect predictions at a notably high confidence level. This will pose serious problems for future quantum machine learning applications in safety and security-critical scenarios. Here, we report the first experimental demonstration of quantum adversarial learning with programmable superconducting qubits. We train quantum classifiers, which are built upon variational quantum circuits consisting of ten transmon qubits featuring average lifetimes of 150 mus, and average fidelities of simultaneous single- and two-qubit gates above 99.94% and 99.4% respectively, with both real-life images (e.g., medical magnetic resonance imaging scans) and quantum data. We demonstrate that these well-trained classifiers (with testing accuracy up to 99%) can be practically deceived by small adversarial perturbations, whereas an adversarial training process would significantly enhance their robustness to such perturbations. Our results reveal experimentally a crucial vulnerability aspect of quantum learning systems under adversarial scenarios and demonstrate an effective defense strategy against adversarial attacks, which provide a valuable guide for quantum artificial intelligence applications with both near-term and future quantum devices.