Privacy protection in electronic education based on polymorphic pseudonymization

In [13.] Dutch government proposes an identity scheme supporting personal data exchange of pupils with private e-textbook publishers. This design propagates sharing personal numbers of pupils among private parties violating the data minimisation principle in privacy laws. We describe a privacy friendly alternative, giving pupils (and parents) control on exchange of their personal data. Three generic forms based on homomorphic encryption are used as building blocks. These forms do not yield personal numbers, or even personal data from a legal perspective, and have strong, unlinkability properties. Only if required a school provides a party with a party-specific {\em pseudonym} identifying a pupil. For this the school is provided an {\em encrypted pseudonym} by a central party based on a {\em polymorphic pseudonym} formed by the school. Only intended parties, not even schools, have access to pseudonyms. Different publishers can send pupil test results to a school without being able to assess whether pupils are identical. We also describe support for privacy friendly attributes and user inspection as required by privacy laws

Practical backward unlinkable revocation in FIDO, German e-ID, Idemix and U-Prove

FIDO, German e-ID, Idemix and U-Prove constitute privacy-enhanced public-key infrastructures allowing users to authenticate in an anonymous way. This however hampers timely revocation in a privacy friendly way. From a legal perspective, revocation typically should be effective within 24 hours after user reporting. It should also be backward unlinkable, i.e. user anonymity cannot be removed after revocation. We describe a new, generic revocation mechanism based on pairing based encryption and apply it to supplement the systems mentioned. This allows for both flexible and privacy friendly revocation. Protocol execution takes less than a quarter of a second on modern smartcards. An additional property is that usage after revocation is linkable, allowing users to identify fraudulent usage after revocation. Our technique is the first Verifier Local Revocation scheme with backwards unlinkable revocation for the systems mentioned. This also allows for a setup resembling the well-known Online Certificate Status Protocol (OCSP). Here the service provider sends a pseudonym to a revocation provider that returns its status. As the information required for this is not secret the status service can be distributed over many cloud services. In addition to the status service our technique also supports the publication of a central revocation list

Activate Later Certificates for V2X -- Combining ITS efficiency with privacy

We specify Issue First Activate Later (IFAL). This is an ETSI type of V2X Public Key Infrastructure based on short-lived pseudonymous certificates without Certificate Revocation Lists. IFAL certificates are valid in the future but can only be used together with periodically provided activation codes. IFAL supports controlled de-pseudonymization enabling provisioning to stop for misbehaving vehicles. IFAL allows for flexible policies, trade-offs between three essential V2X properties: trust, privacy and usability. IFAL activation codes are small and can be sent in an SMS, through roadside equipment or even broadcasted. Like the Butterfly scheme, IFAL uses key derivation with one base private/public key pair. However in IFAL the security module can be simple as it can be kept oblivious of key derivation

Colorectal liver metastases: Surgery versus thermal ablation (COLLISION) - a phase III single-blind prospective randomized controlled trial

Background: Radiofrequency ablation (RFA) and microwave ablation (MWA) are widely accepted techniques to eliminate small unresectable colorectal liver metastases (CRLM). Although previous studies labelled thermal ablation inferior to surgical resection, the apparent selection bias when comparing patients with unresectable disease to surgical candidates, the superior safety profile, and the competitive overall survival results for the more recent reports mandate the setup of a randomized controlled trial. The objective of the COLLISION trial is to prove non-inferiority of thermal ablation compared to hepatic resection in patients with at least one resectable and ablatable CRLM and no extrahepatic disease. Methods: In this two-arm, single-blind multi-center phase-III clinical trial, six hundred and eighteen patients with at least one CRLM (≤3cm) will be included to undergo either surgical resection or thermal ablation of appointed target lesion(s) (≤3cm). Primary endpoint is OS (overall survival, intention-to-treat analysis). Main secondary endpoints are overall disease-free survival (DFS), time to progression (TTP), time to local progression (TTLP), primary and assisted technique efficacy (PTE, ATE), procedural morbidity and mortality, length of hospital stay, assessment of pain and quality of life (QoL), cost-effectiveness ratio (ICER) and quality-adjusted life years (QALY). Discussion: If thermal ablation proves to be non-inferior in treating lesions ≤3cm, a switch in treatment-method may lead to a reduction of the post-procedural morbidity and mortality, length of hospital stay and incremental costs without compromising oncological outcome for patients with CRLM. Trial registration:NCT03088150 , January 11th 2017