
    Modular Design of KEM-Based Authenticated Key Exchange

    A key encapsulation mechanism (KEM) is a basic building block for key exchange which must be combined with long-term keys in order to achieve authenticated key exchange (AKE). Although several KEM-based AKE protocols have been proposed, KEM-based modular building blocks are not available. We provide a KEM-based authenticator and a KEM-based protocol in the Authenticated Links model (AM), in the terminology of Canetti and Krawczyk (2001). Using these building blocks we achieve a set of generic AKE protocols. By instantiating these with post-quantum secure primitives we are able to propose several new post-quantum secure AKE protocols.

    Swoosh: Practical Lattice-Based Non-Interactive Key Exchange

    The advent of quantum computers has sparked significant interest in post-quantum cryptographic schemes, as a replacement for currently used cryptographic primitives. In this context, lattice-based cryptography has emerged as the leading paradigm to build post-quantum cryptography. However, all existing viable replacements of the classical Diffie-Hellman key exchange require additional rounds of interaction, thus failing to achieve all the benefits of this protocol. Although earlier work has shown that lattice-based Non-Interactive Key Exchange (NIKE) is theoretically possible, it has been considered too inefficient for real-life applications. In this work, we challenge this folklore belief and provide the first evidence against it. We construct a practical lattice-based NIKE whose security is based on the standard module learning with errors (M-LWE) problem in the quantum random oracle model. Our scheme is obtained in two steps: (i) a passively-secure construction that achieves a strong notion of correctness, coupled with (ii) a generic compiler that turns any such scheme into an actively-secure one. To substantiate our efficiency claim, we provide an optimised implementation of our construction in Rust and Jasmin. Our implementation demonstrates the scheme's applicability to real-world scenarios, yielding public keys of approximately 220 KB. Moreover, the computation of shared keys takes fewer than 12 million cycles on an Intel Skylake CPU, offering a post-quantum security level exceeding 120 bits.

    Practical Isogeny-Based Key-Exchange with Optimal Tightness

    We exploit the Diffie-Hellman-like structure of CSIDH to build a quantum-resistant authenticated key-exchange algorithm. Our security proof has optimal tightness, which means that the protocol is efficient even when instantiated with theoretically-sound security parameters. Compared to previous isogeny-based authenticated key-exchange protocols, our scheme is extremely simple, its security relies only on the underlying CSIDH problem, and it has optimal communication complexity for CSIDH-based protocols. Our security proof relies heavily on the re-randomizability of CSIDH-like problems and is carried out in the random oracle model (ROM).

    Symmetric Key Exchange with Full Forward Security and Robust Synchronization

    We construct lightweight authenticated key exchange protocols based on pre-shared keys, which achieve full forward security and rely only on simple and efficient symmetric-key primitives. All of our protocols have rigorous security proofs in a strong security model, all have low communication complexity, and all are particularly suitable for resource-constrained devices. We describe three protocols that apply linear key evolution to provide different performance and security properties. Correctness in parallel and concurrent protocol sessions is difficult to achieve for linearly key-evolving protocols, emphasizing the need for assurance of availability alongside the usual confidentiality and authentication security goals. We introduce synchronization robustness as a new formal security goal, which essentially guarantees that parties can re-synchronize efficiently. All of our new protocols achieve this property. Since protocols based on linear key evolution cannot guarantee that all concurrently initiated sessions successfully derive a key, we also propose two constructions with non-linear key evolution based on puncturable PRFs. These are instantiable from standard hash functions and require O(C⋅log(|CTR|)) memory, where C is the number of concurrent sessions and |CTR| is an upper bound on the total number of sessions per party. These are the first protocols to simultaneously achieve full forward security, synchronization robustness, and concurrent correctness.

    How to set up and apply reference levels in fluoroscopy at a national level.

    A nationwide survey was launched to investigate the use of fluoroscopy and establish national reference levels (RL) for dose-intensive procedures. The 2-year investigation covered five radiology and nine cardiology departments in public hospitals and private clinics, and focused on 12 examination types: 6 diagnostic and 6 interventional. A total of 1,000 examinations was registered. Information including the fluoroscopy time (T), the number of frames (N) and the dose-area product (DAP) was provided. The data set was used to establish the distributions of T, N and the DAP and the associated RL values. The examinations were pooled to improve the statistics. A wide variation in dose and image quality in fixed geometry was observed. As an example, the skin dose rate for abdominal examinations varied in the range of 10 to 45 mGy/min for comparable image quality. A wide variability was found for several types of examinations, mainly complex ones. DAP RLs of 210, 125, 80, 240, 440 and 110 Gy cm² were established for lower limb and iliac angiography, cerebral angiography, coronary angiography, biliary drainage and stenting, cerebral embolization and PTCA, respectively. The RL values established are compared to the data published in the literature.

    Growth Factors in the Gastrointestinal Tract
