**Open Problem**
Is stateless vector sampling strictly weaker than stateful vector sampling? (Conjecture from Fig. 7 in [[SoK - Public Key Encryption with Openings]].)
~~**Open Problem**~~
Do variable-length vector samplers make for even stronger notions, given that the sampled length can itself depend on the sampled messages?
- There is a problem with this question: In order for a stateless-vector-sampler notion to generalize existing formalizations, a vector of key handles should be input. The existing formalizations are:
1. The canonical sender-opening challenge oracle, where ell messages are sampled, to be encrypted under a sole public key.
2. The canonical receiver-opening challenge oracle, where ell messages are sampled, to be encrypted one-each und a public key.
- One could (as I have) imagine that keeping ell and kappa general capture both, as the first one would be recovered by setting ell > 1 and keys = 1, and the second one would be recovered by setting ell = 1 and keys > 1.
- The first one is fine; the problem lies with the second one, as for stateless samplers there would be no way for the messages to relate to each other, and you get independent sampling and product distributions and an IND-equivalent notion of ISO.
- For stateless vector sampling in a bi-opening setting, then, the adversary must be able to choose if they would like the first or the second alternative, by inputting a list of key handles.
- (For stateful vector sampling, it doesn't matter, as already shown in the lemma.)
- As a consequence, ell is determined by the length of the handles list, and asking about sampled ell makes little sense.
- One could circumvent this by also sampling the list of key handles, including its length. Interestingly this ends up reinventing the key privacy mechanism previously discussed.
- Unless the list of sampled key handles is returned to the adversary alongside the ciphertexts.
- Interesting though it is, this veers way off track, and we should therefore ignore both this idea and the overall question.
Slettet kommentar fra [[SoK - Public Key Encryption with Openings]]:
> Pose as open problem?: "For which messages samplers does the separation from
ISO-CPA-recop to SSO-CPA-recop hold?"
Initial thought: For all. The latter is unachievable.
Later thought: Well. The sampler probably needs to have some
entropy at the very least.
Final thought: probably closer to the heart of the matter to ask
for which samplers IND-CPA implies ISO-CPA-recop, or -biop,
or for CCA.
Se også: [[Message re-samplers]]