105 research outputs found
Estimating the number needed to treat from continuous outcomes in randomised controlled trials: methodological challenges and worked example using data from the UK Back Pain Exercise and Manipulation (BEAM) trial
Background
Reporting numbers needed to treat (NNT) improves interpretability of trial results. It is unusual that continuous outcomes are converted to numbers of individual responders to treatment (i.e., those who reach a particular threshold of change); and deteriorations prevented are only rarely considered. We consider how numbers needed to treat can be derived from continuous outcomes; illustrated with a worked example showing the methods and challenges.
Methods
We used data from the UK BEAM trial (n = 1,334) of physical treatments for back pain; originally reported as showing, at best, small to moderate benefits. Participants were randomised to receive 'best care' in general practice, the comparator treatment, or one of three manual and/or exercise treatments: 'best care' plus manipulation, exercise, or manipulation followed by exercise. We used established consensus thresholds for improvement in Roland-Morris disability questionnaire scores at three and twelve months to derive NNTs for improvements and for benefits (improvements gained + deteriorations prevented).
Results
At three months, NNT estimates ranged from 5.1 (95% CI 3.4 to 10.7) to 9.0 (5.0 to 45.5) for exercise, 5.0 (3.4 to 9.8) to 5.4 (3.8 to 9.9) for manipulation, and 3.3 (2.5 to 4.9) to 4.8 (3.5 to 7.8) for manipulation followed by exercise. Corresponding between-group mean differences in the Roland-Morris disability questionnaire were 1.6 (0.8 to 2.3), 1.4 (0.6 to 2.1), and 1.9 (1.2 to 2.6) points.
Conclusion
In contrast to small mean differences originally reported, NNTs were small and could be attractive to clinicians, patients, and purchasers. NNTs can aid the interpretation of results of trials using continuous outcomes. Where possible, these should be reported alongside mean differences. Challenges remain in calculating NNTs for some continuous outcomes.
Why caregivers have no autonomy-based reason to respect advance directives in dementia care
Advance directives (ADs) have for some time been championed by ethicists and patient associations alike as a tool that people newly diagnosed with dementia, or prior to onset, may use to ensure that their future care and treatment are organized in accordance with their interests. The idea is that autonomous people, not yet neurologically affected by dementia, can design directives for their future care that caregivers are morally obligated to respect because they have been designed by autonomous individuals. In this paper, we first criticize the idea that ADs can retain moral authority in severe dementia by arguing that it is paradoxical. Second, we consider two arguments that initially seem to refute this critique of ADs, but we eventually dismiss them. The first argument states that ADs retain moral authority in severe dementia because autonomously formed interests, for example, ADs, can only be appropriately discarded by autonomous persons. This we term the historical autonomy argument. We dismiss it by demonstrating how we, in analog cases, are not obligated to continue to respect autonomously formed interests even though they have been discarded under nonappropriate conditions. The second argument is that ADs can be justified by what we term external interests. While we agree that people with severe dementia plausibly can be said to have external interests, we show that ADs cannot express such interests and hence cannot be justified by them. We conclude that none of the discussed arguments support the use of ADs and because of this, the idea of ADs should be reassigned.
AES-Based Authenticated Encryption Modes in Parallel High-Performance Software
Authenticated encryption (AE) has recently gained renewed interest due to the ongoing CAESAR competition. This paper deals with the performance of block cipher modes of operation for AE in parallel software. We consider the example of the AES on Intel's new Haswell microarchitecture that has improved instructions for AES and finite field multiplication.
As opposed to most previous high-performance software implementations of operation modes -- that have considered the encryption of single messages -- we propose to process multiple messages in parallel. We demonstrate that this message scheduling is of significant advantage for most modes. As a baseline for longer messages, the performance of AES-CBC encryption on a single core increases by factor 6.8 when adopting this approach.
For the first time, we report optimized AES-NI implementations of the novel AE modes OTR, CLOC, COBRA, SILC, McOE-G, POET and Julius -- both with single and multiple messages. For almost all AE modes considered, we obtain a consistent speed-up when processing multiple messages in parallel. Notably, among the nonce-based modes, CCM, CLOC and SILC get by factor 3.7 faster, achieving a performance comparable to GCM (the latter, however, possessing classes of weak keys), with OCB3 still performing at only 0.77 cpb. Among the nonce-misuse resistant modes, McOE-G receives a speed-up by more than factor 4 with a performance of about 1.62 cpb, with COPA consistently performing best at 1.45 cpb.
Haraka v2 – Efficient Short-Input Hashing for Post-Quantum Applications
Recently, many efficient cryptographic hash function design strategies have been explored, not least because of the SHA-3 competition. These designs are, almost exclusively, geared towards high performance on long inputs. However, various applications exist where the performance on short (fixed length) inputs matters more. Such hash functions are the bottleneck in hash-based signature schemes like SPHINCS or XMSS, which is currently under standardization. Secure functions specifically designed for such applications are scarce. We attend to this gap by proposing two short-input hash functions (or rather simply compression functions). By utilizing AES instructions on modern CPUs, our proposals are the fastest on such platforms, reaching throughputs below one cycle per hashed byte even for short inputs, while still having a very low latency of less than 60 cycles. Under the hood, this result comes with several innovations. First, we study whether the number of rounds for our hash functions can be reduced, if only second-preimage resistance (and not collision resistance) is required. The conclusion is: only a little. Second, since their inception, AES-like designs allow for supportive security arguments by means of counting and bounding the number of active S-boxes. However, this ignores powerful attack vectors using truncated differentials, including the powerful rebound attacks. We develop a general tool-based method to include arguments against attack vectors using truncated differentials.
Security of the AES with a Secret S-box
How does the security of the AES change when the S-box is replaced by a secret S-box, about which the adversary has no knowledge? Would it be safe to reduce the number of encryption rounds?
In this paper, we demonstrate attacks based on integral cryptanalysis which allows to recover both the secret key and the secret S-box for respectively four, five, and six rounds of the AES. Despite the significantly larger amount of secret information which an adversary needs to recover, the attacks are very efficient with time/data complexities of , and , respectively.
Another interesting aspect of our attack is that it works both as chosen plaintext and as chosen ciphertext attack. Surprisingly, the chosen ciphertext variant has a significantly lower time complexity in the attacks on four and five round, compared to the respective chosen plaintext attacks.
Analyzing Permutations for AES-like Ciphers: Understanding ShiftRows
Designing block ciphers and hash functions in a manner that resemble the AES in many aspects has been very popular since Rijndael was adopted as the Advanced Encryption Standard. However, in sharp contrast to the MixColumns operation, the security implications of the way the state is permuted by the operation resembling ShiftRows has never been studied in depth.
Here, we provide the first structured study of the influence of ShiftRows-like operations, or more generally, word-wise permutations, in AES-like ciphers with respect to diffusion properties and resistance towards differential- and linear attacks. After formalizing the concept of guaranteed trail weights, we show a range of equivalence results for permutation layers in this context. We prove that the trail weight analysis when using arbitrary word-wise permutations, with rotations as a special case, reduces to a consideration of a specific normal form. Using a mixed-integer linear programming approach, we obtain optimal parameters for a wide range of AES-like ciphers, and show improvements on parameters for Rijndael-192, Rijndael-256, PRIMATEs-80 and Prøst-128. As a separate result, we show for specific cases of the state geometry that a seemingly optimal bound on the trail weight can be obtained using cyclic rotations only for the permutation layer, i.e. in a very implementation friendly way.
Improved Linear Cryptanalysis of Reduced-round SIMON
SIMON is a family of ten lightweight block ciphers published by Beaulieu et al. from U.S. National Security Agency (NSA). In this paper we investigate the security of SIMON against different variants of linear cryptanalysis techniques, i.e. classical and multiple linear cryptanalysis and linear hulls. We present a connection between linear- and differential characteristics as well as differentials and linear hulls in SIMON. We employ it to adapt the current known results on differential cryptanalysis of SIMON into the linear setting. In addition to finding a linear approximation with a single characteristic, we show the effect of the linear hulls in SIMON by finding better approximations that enable us to improve the previous results.
Our best linear cryptanalysis employs average squared correlation of the linear hull of SIMON based on correlation matrices. The result covers 21 out of 32 rounds of SIMON32/64 with time and data complexity and respectively. We have implemented our attacks for small scale variants of SIMON and our experiments confirm the theoretical biases and correlation presented in this work. So far, our results are the best known with respect to linear cryptanalysis for any variant of SIMON.
Effect of Vasopressin and Methylprednisolone vs. Placebo on Long-Term Outcomes in Patients with In-Hospital Cardiac Arrest A Randomized Clinical Trial
Objective: The primary results from the Vasopressin and Methylprednisolone for In-Hospital Cardiac Arrest (VAM-IHCA) trial have previously been reported. The objective of the current manuscript is to report long-term outcomes. Methods: The VAM-IHCA trial was a multicenter, randomized, double-blind, placebo-controlled trial conducted at ten hospitals in Denmark. Adult patients (age ≥ 18 years) were eligible for the trial if they had an in-hospital cardiac arrest and received at least one dose of epinephrine during resuscitation. The trial drugs consisted of 40 mg methylprednisolone (Solu-Medrol®, Pfizer) and 20 IU of vasopressin (Empressin®, Amomed Pharma GmbH) given as soon as possible after the first dose of epinephrine. This manuscript reports outcomes at 6 months and 1 year including survival, survival with favorable neurological outcome, and health-related quality of life. Results: 501 patients were included in the analysis. At 1 year, 15 patients (6.3%) in the intervention group and 22 patients (8.3%) in the placebo group were alive corresponding to a risk ratio of 0.76 (95% CI, 0.41–1.41). A favorable neurologic outcome at 1 year, based on the Cerebral Performance Category score, was observed in 14 patients (5.9%) in the intervention group and 20 patients (7.6%) in the placebo group (risk ratio, 0.78 [95% CI, 0.41–1.49]). No differences existed between groups for favorable neurological outcome and health-related quality of life at either 6 months or 1 year. Conclusions: Administration of vasopressin and methylprednisolone, compared with placebo, in patients with in-hospital cardiac arrest did not improve long-term outcomes in this trial.
Determinants of immunization inequality among urban poor children: evidence from Nairobi’s informal settlements
