Latest Crypto related questions

Let's consider this definition of computational indistinguishability.

Computational indistinguishability. A probability ensemble $X=\{X(a, n)\}_{a \in\{0,1\}^{*} ; n \in \mathbb{N}}$ is an infinite sequence of random variables indexed by $a \in\{0,1\}^{*}$ and $n \in \mathbb{N}$. In the context of secure computation, the value $a$ will represent the parties' inputs and $n$ will represent the securit ...

I'm reading Understanding Cryptography by Christof Paar and Jan Pelzl. In chapter 2 (Stream Ciphers) there's a question that goes like this:

Assume we have a stream cipher whose period is quite short. We happen to know that the period is 150–200 bit in length. We assume that we do not know anything else about the internals of the stream cipher. In particular, we should not assume that it is a simple L ...

Any body can explain, what are the key differences between Shannon entropy and Guessing Entropy? In some research I got entropy uses binary search or balanced Huffman tree. Guesswork uses linear and unbalances Huffman tree?

Also guesswork can calculate unlimited guessing?

I am trying to find a reduction for the following DLOG problem in generic groups. It is a simple generalization but I'm not finding any reference (the closest being the Chaum-Pedersen signature scheme sec 3.2, and BLS signatures without the hashing).

Let $G$ be a cyclic group, and $g, h$ generators. The problem is to find $y$ given $g^y, h^y$.

Looking for any insight or reference.

I know AES-GCM and AES-CCM but what is the difference between AES-CCM8 mode and AES-CCM mode ? Is it the length of the cipher?

Consider a scenario：data owners $C$ sends a $l$ bits value $x$ to parties $P_0$ and $P_1$ via additively secret sharing scheme, for example, $C$ randomly selects $r \in_R \{0, 1\}^l$, and sends $r$ to $P_0$ and $x-r$ to $P_1$. In insecure channel, adversary $\mathcal{A}$ could obtain $r$ and $x-r$ to construct secret $x$ by eavesdroping the channel.

But there a scheme: $C$ sends $\mbox{Enc}_{{pk}_0} ...

Looking at https://crypto.stackexchange.com/a/30616/16548 and all the ways I generate RSA keys (code, SSL) the MSB is always 1 and so when DER encoded has 0x00 prefix.

I think it is always so when the RSA key length is a power of two (e.g. 2048 or 4096).

But the question I'm wondering now before going to bed: is it so?

Quoting from the link

We typically select RSA modulus sizes which are powers of two  ...