[PDF](https://ntt-research.com/wp-content/uploads/2023/08/Multi-Instance-Randomness.pdf)
By: Jiaxin Guan, Daniel Wichs, and [[Mark Zhandry]].
Fascinating: a recent TCC-paper by Zhandry/Wichs/one other guy employs (essentially) NCE as a multi-instance model explicitly to model mass surveillance (the notion is basically single-shot multi-user NCE, except bounding how many messages the simulator can open while forcing it to produce _all_ the private keys, but also bounding the size of the state of the two-stage adversary—see p.21).
Disappointingly, the paper seems completely disconnected to our line of research, as they essentially re-prove Nielsen’s impossibility without citing him, and neither cite Bellare et al. or any of the follow-up works for initiating the multi-instance studies. Still, makes me wonder how our [[SoK - Public Key Encryption with Openings|systematization]] fares in the multi-instance setting.
Seems to connect both the [[Multi-Instance Secure Public-Key Encryption|MI-paper]] and the SoK.
Looking at their security-definition (page 21) it is quite literally multi-user NCE, except with no adaptability: the adversary simply receives all private keys at the end, and I suppose the real distinguishing trick is that the simulator can open only $q$ messages before providing them (and additionally that the size of the two-stage adversary's state is bounded):
> The number of messages the simulator can query is related to the storage bound of the distinguisher
Hadn't realized that one could so directly utilize [[NCE in the multi-instance setting]].