SARKAR PRATIK (US)
PATRANABIS SIKHAR (US)
RAGHURAMAN SRINIVASAN (US)
MASNY DANIEL (US)
BADRINARAYANAN SAIKRISHNA (US)
US20210075610A1 | 2021-03-11 | |||
US20050094806A1 | 2005-05-05 | |||
US20190050541A1 | 2019-02-14 | |||
US20210135870A1 | 2021-05-06 |
WHAT IS CLAIMED IS: 1. A method for performing a privacy-preserving multi-party computation, the method comprising performing, by a receiver device: storing an input value b; obtaining a common reference string xb; sampling a first random isogeny map r using a generator G; generating a first elliptic curve z using the first random isogeny map r and the common reference string xb; transmitting the first elliptic curve z to a sender device; receiving, from the sender device, a second elliptic curve y0, a third elliptic curve y1, a first masked message c0, and a second masked message c1, wherein the first masked message c0 is generated using a first message m0, and wherein the second masked message c0 is generated using a second message m1; generating a hash output using a hash function H that operates on a combined value of the first random isogeny map r and a fourth elliptic curve yb, wherein the fourth elliptic curve yb is either the second elliptic curve y0 or the third elliptic curve y1 depending on the input value b; and generating a third message mb by combining a third masked message cb with the hash output using an invertible function, wherein the third message mb is either the first masked message m0 or the second masked message m1 depending on the input value b, and wherein third masked message cb is either the first masked message c0 or the second masked message c1 depending on the input value b. 2. The method of claim 1, wherein the input value b that is to be used in executing an encrypted program, the method further comprising: executing the encrypted program using the third message mb to obtain an encrypted output value. 3. The method of claim 2, further comprising: sending the encrypted output value to the sender device, wherein the sender device decrypts the encrypted output value using the third message mb. 4. The method of claim 1, wherein the hash function H is a random oracle. 5. The method of claim 1, wherein the sender device or the receiver device is a semi-honest adversary. 6. The method of claim 1, wherein the sender device or the receiver device is a malicious adversary. 7. The method of claim 6, further comprising: computing a non-interactive zero-knowledge proof of knowledge (NIZKPOK) proof pf on the input value b and the first elliptic curve z, wherein the sender device verifies the NIZKPOK proof pf, wherein the NIZKPOK proof pf guarantees that the receiver device cannot change the input value b and the first elliptic curve z after computing the NIZKPOK proof pf. 8. The method of claim 1, wherein the common reference string xb is generated by a trusted authority such that none of the sender device and the receiver device can manipulate but has access to. 9. The method of claim 1, wherein the first elliptic curve z and the combined value are generated using an isogeny mapping operation. 10. A method for performing a privacy-preserving multi-party computation, the method comprising performing, by a sender device: storing a first message m0 and a second message m1, receiving, from a receiver device, a first elliptic curve z that was generated using a first random isogeny map r; obtaining a first common reference string x0 and a second common reference string x1; sampling a second random isogeny map k0 and a third random isogeny map k1 using a generator G; generating a second elliptic curve y0 using the second random isogeny map k0 and the first common reference string x0; generating a third elliptic curve y1 using the third random isogeny map k1 and the second common reference string x1; generating a first hash output using a hash function H that operates on a first combined value of the second random isogeny map k0 and the first elliptic curve z; generating a second hash output using the hash function H that operates on a second combined value of the third random isogeny map k1 and the first elliptic curve z; generating a first masked message c0 by combining the first message m0 with the first hash output using an invertible function; generating a second masked message c1 by combining the second message m1 with the second hash output using the invertible function; and transmitting, to the receiver device, the second elliptic curve y0, the third elliptic curve y1, the first masked message c0, and the second masked message c1. 11. The method of claim 10, further comprising: sending an encrypted program to the receiver device, wherein the receiver device executes the encrypted program to generate an encrypted output value; receiving the encrypted output value; and decrypting the encrypted output value using a corresponding message mb. 12. The method of claim 10, wherein the sender device or the receiver device is a semi-honest adversary. 13. The method of claim 10, wherein the sender device or the receiver device is a malicious adversary. 14. The method of claim 13, further comprising: receiving a non-interactive zero-knowledge proof of knowledge (NIZKPOK) proof pf from the sender device; and verifying the NIZKPOK proof pf. 15. The method of claim 10, wherein the first common reference string x0 and the second common reference string x1 are generated by a trusted authority such that none of the sender device and the receiver device can manipulate but has access to. 16. The method of claim 10, wherein the second elliptic curve y0, the third elliptic curve y1, the first combined value, and the second combined value are generated by using an isogeny mapping operation. 17. The method of claim 10, wherein the invertible function is an XOR operation. 18. A receiver device comprising: one or more processors; and a computer readable medium coupled to the one or more processor and containing instructions for causing the one or more processors to perform the method of any one of claims 1-9. 19. A sender device comprising: one or more processors; and a computer readable medium coupled to the one or more processors and containing instructions for causing the one or more processors to perform the method of any one of claims 10-17. 20. A computer readable medium containing instructions for causing a processor to perform the method of any one of claims 1-17. |
[0069] Multiple oblivious transfer (OT) protocols can be built based on isogenies-based assumptions. In the embodiments, a two round oblivious transfer in common reference string from computation CSIDH assumption, a four-round oblivious transfer in the plain model from the decisional CSIDH assumption, and a three round oblivious transfer extension protocol in the random oracle model from the reciprocal CSIDH assumption can be built.
[0070] The multiple OT protocols based on isogeny -based assumptions can be used for other oblivious transfer protocols as well. For example, the OT protocols with isogenies- based assumptions can be used in OT protocols with classical assumptions.
[0071] Cryptographic group actions are used in various implementations and can be defined in the following manner. A group G is said to act on a set X if there is a map * : G x X -» X that satisfies the following: 1) Identity: If e is the identity element of G, then for any x G X, we have e * x = x, and 2) Compatibility: For any g, h G G and any x G X, we have (gh) * x = g * (h * x).
[0072] Group actions (G,X,*) can satisfy one or more of the following properties: 1) Abelian: The group G is abelian, 2) Transitive: For every x 1 , x 2 ∈ X, there exists a group element g G G such that x 2 = g * x r 3) Faithful: For each group element g G G, either g is the identity element or there exists a set element x G X such that x g* x. and 4) Free: For each group element g G G, g is the identity element if and only if there exists some set element x G X such that x = g * x.
[0073] The abbreviated notation (G, X,*) can be used to denote a group action. A cryptographic group operation * can also be known as isogeny mapping. The cryptographic group actions can be used in OT protocols such as two-round OT protocol in CRS and three- round OT extension protocol. IV. TWO-ROUND OBLIVIOUS TRANSFER (OT) [0074] A semi-honest secure oblivious transfer assumes that both a sender and a receiver adhere to how the protocol is supposed to be executed honestly. But it is not completely honest as both parties can still try to get some information about the other party’s inputs. In order to prevent this from happening, a common reference string (CRS) can be used. The common reference string can be a public randomness generated by a trusted authority that none of the two parties can manipulate but only access it. [0075] A maliciously secure oblivious transfer assumes that both a sender and a receiver can be malicious (corrupted) and try to deviate from the protocol. Both the sender and the receiver can maliciously take other actions besides the protocol. In order to prevent this from happening, a common reference string (CRS) and a non-interactive zero-knowledge proof of knowledge (NIZKPOK) can be used. The NIZKPOK guarantees that whatever commitment made using the NIZKPOK cannot be changed, thereby binding the values used for OT protocol such that even if the sender and the receiver are corrupted, they cannot go back and change the commitments. [0076] An effective group action (abbreviated throughout as an EGA) can be defined. At a high level, an EGA is an abelian and regular group action with certain special computational properties that allow it to be useful for cryptographic applications. Formally, an abelian and regular group action (G, X,⋆) can be effective if the following properties are satisfied. [0077] 1) The group G is finite and there exist efficient probabilistic polynomial time (PPT) algorithms for (a) Membership testing, i.e., to decide if a given bit string represents a valid group element in G, (b) Equality testing, i.e., to decide if two bit strings represent the same group element in G, (c) Sampling, i.e., to sample an element g from a distribution G on G, (d) Operation, i.e., to compute gh for any g, h ∈ G, and (e) Inversion, i.e., to compute g-1 for any g ∈ G. [0078] 2) The set X is finite and there exist efficient algorithms for (a) Membership testing, i.e., to decide if a bit string represents a valid set element and (b) Unique representation, i.e., given any arbitrary set element x ∈ X, compute a string that canonically represents x. [0079] 3) There exists a distinguished element x ^ ∈ X, called the origin, such that its bit- string representation is known. [0080] 4) There exists an efficient algorithm that given (some bit-string representations of) any g G G and any x G X, outputs g * x.
[0081] An EGA (G, X,*) is weakly unpredictable if the family of functions (more specifically, permutations) is weakly unpredictable, where n g is defined as
[0082] The embodiments described below contain a 2-round OT protocol in the (structured) CRS plus random oracle model from any weak unpredictable effective group action (wu-EGA), or computational CSIDH assumption. It is round-optimal and UC-secure against malicious adversaries (i.e., corruption of parties). The construction can also be represented as the format of two-round oblivious transfer (OT) protocol in the CRS model with a tuple of four algorithms/functions (Setup, OTR, OTS, OTD). The OTR, OTS, and OTD refer respectively to OT-Receiver, OT-Sender, and OT-Dervice. OTR is for OT- Receiver since the receiver runs the function to generate the first message, OTS is for OT- Sender since the sender runs the function to generate the second message, and OTD is for OT-Derive, which derives the final output. These functions are described below.
[0083] The two-round oblivious transfer (OT) protocol in the CRS model can be formally defined. A two-round OT protocol in the CRS model of a tuple of four algorithms of the form OT = Setup, OTR, OTS, OTD) can be described below.
[0084] Setup(l K ): Takes as input the security parameter K and outputs a CRS string.
[0085] OTR(crs, b ∈ 0,1): Takes as input the crs and a bit b G 0,1, and outputs the receiver’s message ot x and the receiver’s (secret) internal state st.
[0086] OTS(crs, ot 1( m 0 , m x ) : Takes as input the crs, the receiver’s message ot 15 a pair of input strings (m 0 , m . and outputs the sender’s message ot 2 .
[0087] OTD(crs, st, ot 2 ): Takes as input the crs, the sender’s message ot 2 , and the receiver’s internal state st, and outputs a message string m'.
A. Semi-Honest Secure Oblivious Transfer
[0088] In the semi-honest secure version, it is assumed that both of the parties, a sender and a receiver, can follow the protocol specification exactly. However, it may try to learn more information than allowed by looking at the transcript of messages that it received and its internal state. Therefore, the semi-honest adversaries can guarantee that there is no inadvertent leakage of information, and the parties involved can trust each other. But the parties may still want to make sure no record of their input is found elsewhere. The following semi-honest secure oblivious transfer can be used when the sender is malicious. [0089] FIG.4 shows a semi-honest secure oblivious transfer. At the high level, there is a two-round or two-message protocol between the receiver R 400 and the sender S 402, where the first message is from the receiver R 400 to the sender S 402, and the second message is from the sender S 402 to the receiver R 400. At the end of receiving the message, the receiver R 400 is able to complete the protocol and recover one of the messages. [0090] (G, X, *) can be a wU-EGA group operation with an elliptic curve x being a publicly available element in the set X. A random oracle function H can map an elliptic curve into a bit string ( [0091] CRS 401 can provide public randomness that none of the two parties, the sender and the receiver, can manipulate but has access to. CRS 401 can include a first common reference string x 0 and a second common reference string x 1 . The first common reference string x 0 can be generated by combining with the elliptic curve x and an isogeny map g0 using an isogeny mapping. The second common reference string x 1 can be generated by combining with the elliptic curve x and an isogeny map g1 using an isogeny mapping. The isogeny maps g0 and g1 can be sampled from the generator G. This step can correspond to the Setup(1 λ ) algorithm. [0092] In step S402, the Receiver R 400 can generate a first elliptic curve z. The Receiver R 400 can sample a first random isogeny map r using a generator G and obtain a third common reference string xb according to a choice bit b (or input value b) from the CRS 401. Note that the third common reference string x b can be either equivalent to the first common reference string x0 or the second common reference string x1 depending on the choice bit b. The first random isogeny map r can then be combined with the third common reference string xb using an isogeny mapping operation to generate a first elliptic curve z. This step can correspond to the OTR(crs, b) algorithm with a receiver state st = (b,r) and a receiver message ot1 = z. [0093] In step S404, the Receiver R 400 can transmit the first elliptic curve z (or the receiver message ot 1 ) to the Sender S 402. [0094] The Sender S 402 can store a first message m0 and a second message m1. The Sender S 402 can send a third message m b back to the Receiver R 400 upon request. However, since the Sender S 402 does not know the choice bit b and needs to keep a fourth message m 1-b away from the Receiver R 400, the Sender S 402 can mask (e.g., by encrypting) two messages m0 and m1, so that the Receiver R 400 is able to de-mask (e.g., decrypt) only the third message m b and not the fourth message m 1-b . The process of masking the messages are further described in step S405. [0095] In step S405, the Sender S 402 can generate a second elliptic curve y0 and a third elliptic curve y 1 . The Sender S 402 can sample a second random isogeny map k 0 and a third random isogeny map k1 using the generator G, and obtain the first common reference string x 0 and the second common reference string x 1 from the crs 401. The second random isogeny map k0 can then be combined with the first common reference string x0 using an isogeny mapping operation to generate the second elliptic curve y 0 . The third random isogeny map k 1 can be combined with the second common reference string x1 using an isogeny mapping operation to generate a third elliptic curve y 1 . [0096] The Sender S 402 can generate a first random oracle output (e.g., a hash output) using a random oracle function H (e.g., a hash function) that operates on a first combined value of the second random isogeny map k0 and the first elliptic value z. The first combined value can be obtained by performing an isogeny mapping operation on the second random isogeny map k0 and the first elliptic value z. An invertible operation (e.g., XOR) can then be performed on the first random oracle output and the first message m 0 to generate the first masked message c0. Other group operations that are invertible may be used in place of the XOR. For example, multiplication, division, subtraction, or elliptic-curve addition can be used. [0097] The Sender S 402 can generate a second random oracle output (e.g., a hash output) using a random oracle function H (e.g., a hash function) that operates on a second combined value of the third random isogeny map k1 and the first elliptic value z. The second combined value can be obtained by performing an isogeny mapping operation con the third random isogeny map k1 and the first elliptic value z. The invertible operation can then be performed on the second random oracle output and the second message m 1 to generate the second masked message c1. This step can correspond to the OTS(crs, (m0, m1), ot1) algorithm with a sender message ot 2 = (y 0 , y 1 , c 0 , c 1 ). [0098] In step S406, the Sender S 402 can transmit the second elliptic curve y0, the third elliptic curve y 1 , the first masked message c 0 , and the second masked message c 1 (or the sender message ot2) to the Receiver R 400. All this information is sent as the Sender S 402 does not know the choice bit b. By sending the masked messages c 0 and c 1 along with the elliptic curves y0 and y1, the Sender S 402 can allow the Receiver R 400 to only de- mask/decrypt the masked message c b while keeping the masked message c 1-b hidden. [0099] In step S408, the Receiver R 400 can obtain the third message m b . Note that the third message mb is either equivalent to the first message m0 or the second message m1 depending on the choice bit b. The receiver R can first generate a third random oracle output (e.g., a hash output) using the random oracle function H (e.g., a hash function) that operates on a third combined value of the first random isogeny map r and a fourth elliptic curve y b . Note that the fourth elliptic curve yb can either be equivalent to the second elliptic curve y0 or the third elliptic curve y 1 depending on the choice bit b. [0100] The third combined value can be obtained by performing an isogeny mapping operation with the first random isogeny map r and the fourth elliptic curve yb. The invertible function (corresponding to one used in step S405) can then be performed on the third random oracle output and the third masked message cb to generate the third message mb. The invertible aspect of the function causes the random oracle output (e.g., either the first or second random oracle output depending on the choice bit b) from step S405 to cancel so that the third message mb is obtained. Note that third masked message cb is either equivalent to the first masked message c 0 or the second masked message c 1 depending on the choice bit b. This step can correspond to the OTD(st,ot2) algorithm with an output of mb. B. Malicious Secure Oblivious Transfer [0101] In the malicious secure version, it is assumed that there is a possibility that the receiver and the sender might actually be malicious, and they might try to deviate from the protocol or behave weirdly during the execution of the protocol in order to cheat (via to learn more information than allowed). For example, the receiver and the sender can change the inputs and outputs, abort the protocol, and etc. Therefore, a non-interactive zero knowledge proof of knowledge (NIZKPOK) can be used to get security even if the receiver and the sender are maliciously corrupted. [0102] FIG 5 shows a malicious secure oblivious transfer. The process of FIG.5 may be similar to the process in FIG.4. However, the Receiver R 500 can compute a NIZKPOK proof pf that guarantees that the Receiver R 500 did not change or manipulate a first elliptic curve z and the bit b later on. The first elliptic curve z can be generated by performing an isogeny mapping operation on a first random isogeny map r and a third common reference string x b (which either has a value of a first common reference string x 0 or a second common reference string x1 according to a choice bit b (S502). This NIZKPOK proof pf can be sent to the Sender S (S504). The NIZKPOK proof can come with specifications of algorithms, including a verification algorithm. The sender S (S505) can use the verification algorithm to verify the NIZKPOK proof pf. If the NIZKPOK proof does not verify, then the Sender S 502 can essentially abort. By adding the NIZKPOK proof, the receiver R 500 cannot deviate the values of a choice bit b and the first elliptic curve z after computing the NIZKPOK proof. Not being able to change the first elliptic curve z can additionally guarantee that the first random isogeny map r and the third common reference string x b do not change. [0103] In some embodiments, non-interactive witness indistinguishable proof of knowledge (NIWIPOK) can be used in place of the non-interactive zero knowledge proof of knowledge (NIZKPOK) to add security against the malicious receiver. The sender can verify the proof as part of the OT protocol. The NIWIPOK can be performed by applying Fiat- Shamir Transform and can be instantiated based on computational CSIDH assumption. V. 4-ROUND OT IN THE PLAIN MODEL [0104] A 4-round (black-box) OT protocol in the plain model from the decisional CSIDH assumption can be built. The OT protocol can be round-optimal, simulation-secure against malicious adversaries, and can be built in a generic manner from any statically sender-private (SSP) OT protocol with a perfect correctness. SSP OT protocol with a perfect correctness and simulation security against malicious adversaries can be based on other assumptions such as Learning With Errors, Decisional Diffie Hellman, Quadratic Residuosity, and N th -residuosity. Additionally, the 4-round OT protocol achieving simulation security in the plain model can be from any isogeny-based assumptions. [0105] The four-round oblivious transfer (OT) protocol in the plain model can be formally defined. A four-round OT protocol in the plain model of a tuple of five algorithms of the form OT = (OTR 1 , OTS 1 , OTR 2 , OTS 2 , OTD) can be described below. [0106] OTR 1 (1 k , b): Given κ and a bit b ∈ 0,1, output message ot ^ and (secret) receiver state st ୖ . [0107] OTR 1 (1 k , (m 0 , m 1 ), ot 1 ): Given κ, a pair of strings (m 0 , m 1 ), and a message ot ^ , output message ot 2 and (secret) sender state st s . [0108] OTR ଶ 2(t R , ot 2 ): Given receiver state st R and a message ot 2 , output message ot 3 and an updated receiver state st 3 . [0109] OTS 2 (st s , ot 3 ): Given sender state st s and message ot 3 , output message ot 4 . [0110] OTD^st ୖ , ot ସ ^: Given receiver state st R and message ot 4 , output string m′. [0111] A statistically sender private OT (SSP-OT) is an OT protocol where a receiver’s choice bit b is computationally hidden from a corrupt sender and a message m1-b is statically hidden from a malicious receiver. A 2-round SSP-OT protocol, which has a specific kind of security notion, can be used to create a 4-round OT protocol with a stronger security notion. The SSP-OT can be constructed from various assumptions like decisional CSIDH, LWE, DDH, QR, DCR, etc. [0112] The SSP-OT can be used in assumptions that are classical or quantum. For example, isogeny is one way to construct an SSP-OT. It could also be constructed from other assumptions such as lattice assumptions. The SSP OT can comprise three algorithms: OTR, OTS, and OTD. OTR can be an algorithm the receiver executes, OTS can be an algorithm that the sender executes, and OTD can be a final algorithm that allows the receiver to compute an OT string used to obtain a message m b . [0113] An SSP-OT can provide indistinguishability based security against malicious corruption of parties. However, the SSP-OT may not allow a simulator to extract the corrupt parties’ inputs. To achieve simulation-based secure OT, two extra rounds can be added to enable input extraction of the corrupt parties (building a 4-round OT protocol by adding to a 2-round SSP-OT protocol as described above). This is performed by rewinding the adversarial party in simulation. This transformation can then allow a simulator to extract a corrupt receiver’s input. At the same time, the choice bit can maintain indistinguishability against a malicious sender. [0114] The two-round SSP-OT protocols in the plain model can be formally defined. The two-round SSP-OT can be a tuple of three PPT algorithms (OTR, OTS, OTD) that can satisfy correctness, receiver privacy, and statistical sender privacy as described below. [0115] Given k and a bit b ∈ 0,1, outputs a message ot and a (secret) 1 receiver state st . [0116] Given k , a pair of strings ( m 0 , m ), and a message ot , 1 1 outputs a message o t 2 . [0117] Given a secret state st and a message ot 2 , it outputs a bit [0118] The receiver privacy can be have a following property: and ^ be the receiver’s output on 0 and 1 respectively, then ^ [0119] The statistical sender privacy can have a following property: There exists a bit b∈0,1 such that for any message ot_1 and any two pairs of strings (m_0,m_1) and (m'_0,m'_1) such that m_b=m'_b, then [0120] FIG 6 shows a statistically sender private oblivious transfer based on decisional CSIDH assumption. At the high level, there is a four-round or four-message protocol between a receiver 602 and a sender 604, where the first message is from the receiver 602 to the sender 604, the second message is from the sender 604 to the receiver 602, the third message is from the receiver 602 to the sender 604, and the fourth message is from the sender 604 to the receiver 602. Any process that runs sequentially (e.g., a process that runs in a for loop “For j ∈ [n], i ∈ {0,1}”in step S602 of Fig.6) can run in a parallel manner. [0121] The receiver 602 has a choice bit b and the sender 604 has messages m 0 and m 1 . At the end of receiving the message, the receiver 602 can complete the protocol and recover one of the messages mb in accordance with the choice bit b. The construction can also be represented as the format of four-round oblivious transfer (OT) protocol in the plain model with a tuple of five algorithms (OTR1, OTS1, OTR2, OTS2, OTD). A first algorithm (OTR), a second algorithm (OTS), and a third algorithm (OTD) can be a tuple of three algorithms (OTR, OTS, OTD) of the two-round SSP-OT protocol. [0122] The tuple of three algorithms (OTR, OTS, OTD) can be instantiations of perfectly two-round SSP-OT from decisional CSIDH [Navid Alamati, Luca De Feo, Hart Montgomery, and Sikhar Patranabis. Cryptographic group actions and applications. In ASIACRYPT 2020, Part II, LNCS, pages 411–439. Springer, Heidelberg, December 2020.], Learning With Errors (LWE) [Zvika Brakerski and Nico Döttling. Two-message statistically sender-private OT from LWE. In Amos Beimel and Stefan Dziembowski, editors, TCC 2018, Part II, volume 11240 of LNCS, pages 370–390. Springer, Heidelberg, November 2018.], Decisional Diffie Hellman (DDH) [Moni Naor and Benny Pinkas. Efficient oblivious transfer protocols. In S. Rao Kosaraju, editor, 12th SODA, pages 448–457. ACM-SIAM, January 2001.], Quadratic Residuosity (QR) [Shai Halevi and Yael Tauman Kalai. Smooth projective hashing and two-message oblivious transfer.Journal of Cryptology, 25(1):158– 193, January 2012.], and Nth-residuosity [Shai Halevi and Yael Tauman Kalai. Smooth projective hashing and two-message oblivious transfer. Journal of Cryptology, 25(1):158– 193, January 2012.]. [0123] In step S602, the receiver 602 can generate a random choice bit a j,i and a randomness tape rRj,i. The randomness tape rRj,i can be a string of random bits. The receiver 602 can then determine a first SSP-OT message ssp-ot1,j,i using the first algorithm (OTR) on the random choice bit aj,i and the randomness tape rRj,i for every j in n and for i in a bit set {0,1}. The n can be a value related to a security parameter.2 -n can be negligible in the security parameter. Therefore, total of 2n random choice bits {aj,i}j∈[n], i∈{0,1}, 2n randomness tapes {rR j,i } j∈[n], i∈{0,1} , and 2n first SSP-OT messages {ssp-ot 1,j,i } j∈[n], i∈{0,1} can be generated. Half, or n, of the 2n random choice bits {a j,i } j∈[n], i∈{0,1} , the 2n randomness tape {rR j,i } j∈[n], i∈{0,1} , and the 2n first SSP-OT message {ssp-ot 1,j,i } j∈[n], i∈{0,1} can later be used by the sender 604 to check that the receiver 602 generated these values honestly while the other half are used by the sender 604 to mask the messages m 0 and m 1 . More of this is described in later steps. The receiver 602 can then generate a first oblivious transfer message ot1 comprising the 2n first SSP-OT messages {ssp-ot1,j,i}j∈[n], i∈{0,1}. This step can correspond to the OTR1(1 k ,b) algorithm with the first oblivious transfer message ot 1 . [0124] In step S604, the receiver 602 can send the first oblivious transfer message ot 1 to the sender 604. [0125] In step S606, the sender 604 can generate a challenge c. The challenge c can comprise a collection of n random challenge bits (c 1 ,...,c n ). The sender 604 can generate a random string sj,σ with the same length as messages (m0 and m1). The random string sj,σ can be generated for every j in n and for σ in a bit set {0,1}. Therefore, total of 2n random messages {s j,σ } j∈[n], σ∈{0,1} can be generated. The sender 604 can determine a second SSP-OT message ssp-ot2,j by using the second algorithm (OTS) on a first SSP-OT message ssp-ot1,j,1-cj and a pair of random messages (s j,0 , s j,1 ) for every j in n. Therefore, total of n second SSP-OT messages {ssp-ot2,j}j∈[n] can be determined by using n first SSP-OT messages {ssp-ot1,j,1- cj}j∈[n] and n pairs of random messages {(sj,0, sj,1)}j∈[n]. [0126] The n first SSP-OT message {ssp-ot 1,j,1-cj } j∈[n] can be messages among the 2n first SSP-OT messages {ssp-ot1,j,i}j∈[n], i∈{0,1} with the i having the value of a bit that doesn’t correspond to a challenge bit cj (1-cj). The n pairs of random messages {(sj,0, sj,1)}j∈[n] can be random messages among the 2n random messages {sj,σ}j∈[n], i∈{0,1} with the first of the pair sj,0 having the σ equal to 0 and the second of the pair s j,1 having the σ equal to 1. Each of the pair of n random messages {(sj,0, sj,1)}j∈[n] can be used later by the sender 604 to mask the messages m0 and m1. More of this is described in later steps. The sender 604 can then generate a second oblivious transfer message ot 2 comprising the challenge c and n second SSP-OT messages {ssp-ot2,j}j∈[n]. This step can correspond to the OTS1(1 k ,(m0,m1),ot1) algorithm with the second oblivious transfer message ot 2 . [0127] In step S608, the sender 604 can send the second oblivious transfer message ot 2 to the receiver 602. [0128] In step S610, the receiver 602 can determine a mask bit zj . The mask bit zj can be determined by using a first invertible function (e.g., XOR) on a choice bit b and a random choice bit a j,1-cj for every j in n. Therefore, total of n mask bits {z j } j∈[n] can be determined by using the choice bit b and n random choice bits {aj,1-cj}j∈[n]. The n random choice bits {aj,1- cj}j∈[n] can be random choice bits among the 2n random choice bits {aj,i}j∈[n], i∈{0,1} with i having the value of a bit that doesn’t correspond to the challenge bit c j (1-c j ). The receiver 602 can then generate a third oblivious transfer message ot3 comprising the mask bit zj, the random choice bit a j,cj , and the randomness tape rR j,cj for every j in n. Therefore, the third oblivious transfer message ot 3 can comprise n mask bits {z j } j∈[n] , n random choice bits {aj,cj}j∈[n], and n randomness tapes {rRj,cj}j∈[n] ({zj, aj,cj, rRj,cj}j∈[n]). The n random choice bits {aj,cj}j∈[n] can be random choice bits among the 2n random choice bits {aj,i}j∈[n], i∈{0,1} with i having the value of a the challenge bit cj. The n randomness tapes {rRj,cj}j∈[n] can be randomness tapes among the 2n randomness tapes {rRj,i}j∈[n], i∈{0,1} with i having the value of the challenge bit cj. This step can correspond to the OTR2(stR, ot2) algorithm with the third oblivious transfer message ot 3 . [0129] In step S612, the receiver 602 can send the third oblivious transfer message ot 3 to the sender 604. [0130] In step S614, the sender 604 can parse the first oblivious transfer message ot1 that contains 2n first SSP-OT messages {ssp-ot1,j,i}j∈[n], i∈{0,1}. The sender 604 can then reconstruct the first SSP-OT message using the first algorithm on a random choice bit a j,cj and a randomness tape rRj,cj for every j in n. The reconstructed message can then be compared with the first SSP-OT message ssp-ot 1,j,cj of the first oblivious transfer message ot 1 for every j in n. Therefore, total of n reconstructed messages can be compared with n first SSP-OT messages {ssp-ot 1,j,cj } j∈[n] . The n first SSP-OT message {ssp-ot 1,j,cj } j∈[n] can be messages among the 2n first SSP-OT messages {ssp-ot 1,j,i } j∈[n], i∈{0,1} with the i having the value of the challenge bit c j . If any of the first SSP-OT messages ssp-ot1,j,cj does not match with the corresponding reconstructed message for every j in n, then the operation aborts. [0131] The reason for checking the first SSP-OT message ssp-ot 1,j,cj with the reconstructed message is to check whether the receiver 602 has generated the first SSP-OT messages honestly since the sender 604 does not know if the receiver 602 manipulated the first SSP-OT messages. Since there are n challenge bits {cj}j∈[n], half of the 2n first SSP-OT messages {ssp-ot1,j,i}j∈[n], i∈{0,1} are opened and checked by the sender 604 to verify that the receiver 602 generated the first SSP-OT messages honestly (by comparing with reconstructed messages). By verifying the first SSP-OT messages {ssp-ot 1,j,cj } j∈[n] , the sender 604 can be confident that the receiver 602 did not manipulate the 2n first SSP-OT messages {ssp-ot1,j,i}j∈[n], i∈{0,1}. [0132] Once the n first SSP-OT messages {ssp-ot 1,j,cj } j∈[n] are checked, then the sender 604 can mask both messages m0 and m1. For every σ in a set {0,1}, A masked message Mσ can be determined by using a second invertible operation on the message m σ and a summation of a random message s j,σ⊕zj for every j in n. The sender 604 can mask both messages m 0 and m 1 as it does not know the choice bit b of the receiver 602. Therefore, the sender 604 can set a message bit σ for both 0 and 1 to determine masked messages M 0 and M 1 . For every j in n, the random string sj,σ⊕zj can be chosen among the 2n random strings {sj,σ}j∈[n], σ∈{0,1} for σ having a value determined using the first invertible operation on the message bit σ and the mask bit z j . [0133] For the message bit σ that corresponds to the choice bit b (σ = b) of the receiver 602, the sender 604 can compute the random choice bit a j,1-cj when performing the first invertible operation on the message bit σ and the mask bit zj. This is because the mask bit zj can be determined by using the first invertible function on the choice bit b and the random choice bit aj,1-cj (step S610). Therefore, for the masked message Mσ with the message bit σ that corresponds to the choice bit b, the sender 604 would be using a summation of n random messages Σj∈[n] sj,x, where x is aj,1-cj, to mask the message mσ. This summation of n random messages Σj∈[n] sj,x can be reconstructed by the receiver 602, which is described more in later steps. However, for the message bit σ that doesn’t correspond to the choice bit b (σ = 1-b) of the receiver device, the first invertible operation on the message bit σ and the mask bit zj results in a random value that the receiver 602 cannot recover, thereby hiding the message m1-b from the receiver 602. [0134] Additionally, by performing a summation of all the n random messages Σ j∈[n] s j,σ⊕zj , the receiver 602 is being prevented from maliciously learning the other message m1-b, as the receiver 602 would have to know all n random messages {s j,(1-b)⊕zj } j∈[n] (where σ is bit 1-b for m 1-b ) to determine a summation that is used to mask the message m 1-b . There is no incentive for the receiver 602 to maliciously learn the random message sj,(1-b)⊕zj as maliciously learning all n random messages {sj,(1-b)⊕zj}j∈[n] to determine a summation that is used to mask the other message m 1-b would require sacrificing the knowledge of learning n random messages {sj,b⊕zj}j∈[n] to determine a summation that is used to mask the message mb. Maliciously learning only some of n random messages {sj,(1-b)⊕zj}j∈[n] of the other message m1-b would lead to discovering only some of n random messages {sj,b⊕zj}j∈[n] of the message m b , which would result in the receiver 602 not being able to find a full summation value of neither messages mb and m1-b. Therefore, the summation can provide extra level of security in which the sender 604 can assure that the receiver 602 cannot de-mask the other message m 1-b . This step can correspond to the OTS2(stS, ot3) algorithm with a fourth oblivious transfer message ot 4 = (M 0 , M 1 ). [0135] In step S616, the sender 604 can send masked messages M 0 and M 1 , or the fourth oblivious transfer message ot4 to the receiver 602. [0136] In step S618, the receiver 602 can use the third algorithm (OTD) on the second SSP-OT message ssp-ot 2,j (received in step S608) and the randomness tape rR j,1-cj to determine the random messages sj,x, where x is aj,1-cj, for j in n. Therefore, total of n random messages {s j,x } j∈[n] can be determined using n second SSP-OT messages {ssp-ot 2,j } j∈[n] and n randomness tapes {rRj,1-cj}j∈[n]. The n randomness tapes {rRj,1-cj}j∈[n] can be randomness tapes among the 2n randomness tapes {rRj,i}j∈[n], i∈{0,1} with i having the value of a bit that doesn’t correspond to the challenge bit cj (1-cj). The receiver 602 can then select the masked message Mb that corresponds to its choice bit b, and use the second invertible function on the masked message M b and the summation of the random messages s j,x for every j in n to de-mask the masked message Mb. Upon de-masking the masked message Mb, the receiver 602 can access the message m b . This step can correspond to the OTD(st R , ot 4 ) algorithm with an output of mb. [0137] The choice bit indistinguishability of the SSP-OT and the fact that the SSP-OT choice bit (i.e., random choice bit a) masks the actual choice bit b of the receiver can imply choice bit indistinguishability for the four round OT. A simulation strategy can rely on the perfect correctness of SSP-OT in the following way. When the receiver opens the randomness tape and choice bit b of an SSP-OT, the perfect correctness can imply that the receiver will learn the SSP-OT string (i.e., random string s) corresponding to the choice bit b (i.e., message m b ). Thus, by the statistical sender privacy, the other SSP-OT string will therefore be statistically hidden. VI. 3-ROUND OT EXTENSION PROTOCOL [0138] Oblivious transfer is used extensively in protocols for secure computation such as in the settings of multi-party computation. As secure computation becomes more practical, a large scale oblivious transfer protocols ranging up to several millions of oblivious transfers can be run. However, running several millions of full OT protocol can be expensive and time consuming. In order to solve this issue, an OT protocol extension can be used. [0139] An OT protocol extension can be a method to perform many OTs in a more efficient way by using a single or a small number of base OTs that are used as a base for obtaining many OTs via the use of cheap symmetric cryptographic operations instead of running full OT protocols for each OTs. By using OT protocol extension, exchanging future messages requiring OTs can be done efficiently. An example of using OT protocol can be later described in FIG.7. [0140] From the point of view of cryptographic applications, EGA can be an abstraction that captures the CSI-FiSh family of isogenies, where the group action operation ⋆ can be computed efficiently for any element ^^ in the group ^^. However, this is not the case for the CSIDH family of isogenies; the group action operation ⋆ can be efficiently for “certain" elements in the group ^^ (more specifically, a generating set of small cardinality). To model such families of isogenies, a weaker or restricted variant of EGA (abbreviated throughput as REGA) can be introduced. [0141] The embodiment can build a UC-secure, 3-round OT protocol extension in the random oracle model. This OT protocol extension can yield the first secure OT extension protocol from the reciprocal CSIDH assumption in the framework of (R)EGA. This assumption is known to be quantum-equivalent to the computational CSIDH assumption, and does not have an analogue in the Diffie-Hellman setting. The construction of the embodiment relies on crucially on the quadratic twist of an elliptic curve, which can be computed efficiently in the CSIDH setting. [0142] An abstraction of the quadratic twist can be presented. Let be an EGA (equivalently an REGA) as described above. A “twist" as a map that satisfies the following properties can be defined. [0143] FIG 7 shows a UC-secure, 3-round OT protocol extension in the random oracle model. At the high level, there is a three-round or three-message protocol between the receiver 702 and the sender 704, where the first message is from the receiver 702 to the sender 704, the second message is from the sender 704 to the receiver 702, and the third message is from the receiver 702 to the sender 704. The receiver 702 can have choice bits b (or {bi}i∈[l]) as inputs. The receiver 702 can output choice bits b (or {bi}i∈[l]) and masking messages a b while the sender 704 can output masking messages a 0 and a 1 . Any process that runs sequentially (e.g., a process that runs in a for loop “For i ∈ [l]”in step S702 of Fig.6) can run in a parallel manner. [0144] (G, X, *) can be a EGA group operation with elliptic curve x0 being a publicly available element in the set X where reciprocal EGA assumption can hold. A first hash function H1 can map elliptic curve into a bit string of length k (H1 ^ {0,1} k ), a second hash function H2 can map bit string into a bit string of length k (H2: {0,1} k ^ {0,1} k , a third hash function H 3 can map a collection of l bit strings of length k into a bit string of length k (H 3 : {0,1} k ^ {0,1} k ), and a fourth hash function H4 can map a collection of 2 bit strings of length k into a bit string of length k (H 4 : {0,1} 2k ^ {0,1} k ). [0145] Common reference string (CRS) 703 can provide public randomness that none of the two parties, the sender 704 and the receiver 702, can manipulate but has access to. CRS 703 can include a common reference string x that is determined from doing an isogeny mapping operation of an isogeny map g and a special elliptic curve x0 such that a twist of the special elliptic curve can be itself. Performing the twist on an elliptic curve other than the special elliptic curve x0 can result in a different elliptic curve. The isogeny map g can be sampled from a generator G. [0146] In step S702, the receiver 702 can sample an isogeny map r i using a generator G. The receiver 702 can then determine an elliptic curve zi. If a choice bit bi is equal to 0, then the elliptic curve z i can equal to an isogeny mapping operation of the isogeny map r i and the common reference string x. If the choice bit bi is equal to 1, then the elliptic curve zi can equal to a twist of an isogeny mapping operation of the isogeny map r i and the common reference string x. The receiver 702 can sample the isogeny map ri and determine the elliptic curve zi for every i in a specified number (denoted as l) of OT protocols that can be performed using the OT extension protocol. For example, if 10 OT protocols need to be performed, then l can be 10. Therefore, there will be l elliptic curves z (or {z i } i∈[l] ) determined by using l isogeny maps r (or {r i } i∈[l] ) and the common reference string x. Once the receiver 702 determines the l elliptic curves z, the receiver 702 can generate a first oblivious transfer message ot 1 that includes the elliptic curves z and a receiver state st 1 including the choice bits b and the isogeny maps r. The specified number l can be associated with a security parameter. [0147] In step S704, the receiver 702 can send the first oblivious transfer message (ot 1 ) to the sender 704. [0148] In step S706, the sender 704 can sample an isogeny map si using the generator G. The sender 704 can determine an elliptic curve y i by performing an isogeny mapping operation on the isogeny map si and the common reference string x. The sender 704 can use the first hash function H1 on a counter i and a first combined value to determine a masking message p 0,i . The first combined value can be determined by using the isogeny mapping operation on the isogeny map si and the elliptic curve zi. The first hash function H1 can convert the elliptic curve into a bit string. The sender 704 can use the first hash function H 1 on the counter i and a second combined value to determine a masking message p1,i. The second combined value can be determined by performing the isogeny mapping operation on the isogeny map si and the twist of the elliptic curve zi. [0149] The sender 704 can use the second hash function H2 on the counter i and the masking message p 0,i to generate a message u 0,i . The second hash function H 2 takes bit strings as inputs and outputs bit strings. The sender 704 can use a second hash function H2 on the counter i and the masking message p 1,i to generate a message u 1,i . The masking messages p 0,i and p1,i are converted to messages u0,i and u1,i for extra layer of security. The message u0,i and the message u 1,i can then go through an XOR operation to generate a challenge chall i . [0150] The isogeny map s i , the elliptic curve y i , the masking message a 0,i , the masking message a1,i, the message u0,i, the message u1,i, and the challenge challi can be determined for every i in l. Therefore, there can be l isogeny maps s (or {s i } i∈[l] ), l elliptic curves y (or {y i } i∈[l] ), l masking messages p 0 (or {a 0,i } i∈[l] ), l masking messages p 1 (or {a 1,i } i∈[l] ), l messages u 0 (or {u 0,i } i∈[l] ) , l messages u 1 (or {u 1,i } i∈[l] ) , and l challenges chall (or {chall i } i∈[l] ) can be determined. [0151] The sender 704 can then use the third hash function H3 on a collection of the messages u 0 (u 0,1 , u 0,2 ,...,u 0,l ) to generate a response ans. The third hash function H 3 can take a collection of bit strings and output a single bit string. The response ans can then go through the second hash function H 2 to determine a proof pf. The ans and pf can be later used by the receiver 702 to verify that it generated correct masking messages m (or {mi}i∈[l]). This is described in later steps. The sender 704 can generate a second oblivious transfer message ot 2 comprising the elliptic curves y, responses chall, and the proof pf to the receiver 702, and a sender state st 2 including the response ans. [0152] In step S708, the sender 704 can send the second oblivious transfer message ot 2 to the receiver 702. [0153] In step S710, the receiver 702 can parse the receiver state st1 comprising choice bits b and the isogeny maps r, and the second oblivious transfer message ot 2 comprising the elliptic curves y, the challenges chall, and the proof pf. The receiver 702 can then generate a masking message p bi,i using the first hash function H 1 on the isogeny mapping operation of the isogeny map ri and the elliptic curve yi. The masking message pbi can either have the value of the masking message p0,i or p1,i depending on the choice bit b. Since the elliptic curve y i is determined by performing an isogeny mapping operation on the isogeny map s i and the elliptic curve x, by reordering the isogeny mapping operation of the isogeny map ri, isogeny map s i , and the elliptic curve x, either the masking message p 0,i or the masking message p1,i can be reconstructed depending on the choice bit b. For example, if the choice bit b is 0, then it can reconstruct the masking message p 0,i . If the choice bit is 1, then it can reconstruct the masking message p1,i. [0154] The receiver 702 can then perform a numerical multiplication on a response challi and a bit b i . For example, if bit b i is equal to 1, then the numerical multiplication of the response challi and the bit bi can result in just the response challi. If bit bi is equal to 0, then the numerical multiplication of the response chall i and the bit b i can result in bit string 0. The second hash function on the masking message pbi can be either the message u0,i or the u1,i depending on the choice bit b i . [0155] If the bit b i is equal to 0, the numerical multiplication of the response chall i and the bit bi can result in a bit string of just zero, and the second hash function on the masking message p bi can be determined to be the message u 0,i . A message u i ’ can be determined by performing an XOR operation on the bit string of zero and the message u0,i. The message ui’ can result in the message u0,i since any value XOR’d with zero is left unchanged. [0156] If the bit bi is equal to 1, the numerical multiplication of the response challi and the bit bi can result in a bit string of the response challi, and the second hash function on the masking message pbi can be determined to be the message u1,i. The message ui’ can be determined by performing an XOR operation on the bit string of the response chall i and the message u1,i. Since the response challi is determined by performing an XOR operation on the message u 0,i and the message u 1,i , another XOR operation of u 1,i on the chall i can cancel the u1,i values. Therefore, the message ui’ can result in the message u0,i. [0157] The masking message pbi and the message ui’ can be determined for every i in l. Therefore, there can be l masking messages pbi (or {pbi,i}i∈[l]) and l messages u’ (or {ui’}i∈[l]) can be determined. [0158] Once the messages u’ are determined, a collection of all messages u’ (u’ 1 , u’ 2 ,...,u’ l ) can be used on the third hash function to determine an answer ans’. The ans’ can then go through the second hash function H 2 to determine if it is equal to the proof pf of the second oblivious transfer message ot2. If they are equivalent, then the receiver 702 can generate a third oblivious transfer message ot3 including the answer ans’. The receiver 702 can then determine a masking message a bi,i for every i in l. The masking message a bi,i can be determined by using a fourth hash function H4 on the answer ans’ and the masking message p bi,i . Therefore, a specified number (denoted by character l) masking messages a b (or {a bi,i } i∈[l] ) can be determined. The receiver 702 can then output masking messages a b and the choice bit b. [0159] In step S712, the receiver 702 can send the third oblivious transfer message ot3 to the sender 704. [0160] In step S714, the sender 704 can parse the third oblivious transfer message ot 3 comprising the answer ans’. The sender 704 can then check if the answer ans’ in the third oblivious transfer message ot 3 is equal to the answer ans in the sender state st 2 . If they are equivalent, then the sender 704 can determine masking messages a0,i and a1,i for every i in l. The masking message a0,i can be determined by using the fourth hash function on the answer ans and the masking message p 0,i . The masking message a 1,i can be determined by using the fourth hash function on the answer ans and the masking message p1,i. The sender 704 can then output the masking messages a0 (or {a0,i}i∈[l]) and a1 (or {a1,i}i∈[l]) . [0161] The receiver 702 can use the masking messages ab while the sender 704 can use the masking messages a 0 and a 1 as a building block to build OT extension. Since each of the masking message abi,i corresponds to one of the masking messages a0,i and a1,i according to the choice bits b i , the oblivious transfer can be performed in a simple symmetric cryptographic operation. For example, when performing a OT transfer with the sender 704 having input messages q 0 and q 1 , instead of going through a full OT transfer, the sender 704 can use the masking messages a0,i and a1,i on the messages q0 and q1 respectively (via using an invertible function) to create masked messages Q 0 and Q 1 , and send it to the receiver 702. Since the receiver 702 already knows the masking message abi,i for the input bit bi it chose from the extension, the receiver 702 can decrypt the masked message Q b using the masking message abi,i to obtain the message qbi of the input bit bi. For each i OT protocol in l OT protocols, the masking message a bi,i and the masking messages a 0,i and a 1,i can be used to perform OT protocol. [0162] It can be observed that the sender 704 can reuse the isogeny map s for multiple OT protocols by reusing the same elliptic curve y for all the OT protocols. This can translate into a ^^ ^^ ^^ ^^^ ^^^ loss in the security parameter, where k is the length of the security parameter. The security loss by reusing the isogeny map s and the elliptic curve y can be compensated by increasing the security parameter accordingly. This optimization can reduce the number of isogeny computations to 4 for each OT. VII. TWO ROUND OBLIVIOUS TRANSFER FROM ISOGENIES [0163] Methods described herein may be totally or partially performed with a computer system including one or more processors, which can be configured to perform the steps. Thus, embodiments are directed to computer systems configured to perform the steps of any of the methods described herein, potentially with different components performing a respective step or a respective group of steps. The semi-honest secure oblivious transfer implementation in FIG.4 and the malicious secure oblivious transfer implementation in FIG. 5 may be carried out using the aspect methods disclosed in greater detail with reference to FIGs.8 and 9. A. Receiver device [0164] FIG.8 shows a flow chart for performing a two-round OT protocol from the computational CSIDH assumption. The method 800 shows a receiver device (e.g., a client computing device 140) requesting, from the sender device having a first message m0 and a second message m 1 , a third message m b of the input value b from the sender device (e.g., a server computing device 180). The two-round OT protocol can be semi-honest secure protocol as described in FIG.4 or malicious secure protocol as described in FIG.5. [0165] In step S802, the receiver device can store an input value b. The input value b can be a choice bit having a value of 0 or 1. The receiver device can select the choice bit prior to performing the oblivious transfer protocol. The input value b can be used by the receiver device later to select the third message mb according to the input value b. [0166] In step S804, the receiver device can obtain a common reference string xb. The common reference string xb can be a public randomness generated by a trusted authority that none of the two parties, a sender device and the receiver device, can manipulate but only access it. The common reference string xb can be either equivalent to a first common reference string x 0 or second common reference string x 1 depending on the choice bit b. This operation performed by the receiver device in step S804 may correspond in part to step S402 of the semi-secure OT protocol and step S502 of the malicious OT protocol. [0167] In step S806, the receiver device can sample a first random isogeny map r using a generator G. This operation performed by the receiver device in step S806 may correspond in part to step S402 of the semi-secure OT protocol and step S502 of the malicious OT protocol. [0168] In step S808, the receiver device can generate a first elliptic curve z using the first random isogeny map r and the common reference string x b . The receiver device generates the first elliptic curve z by performing an isogeny mapping operation on the first random isogeny map r and the common reference string x b . In the case of a malicious secure oblivious transfer protocol, the receiver device can compute a non-interactive zero-knowledge proof of knowledge (NIZKPOK) proof pf using the input value b and the first elliptic curve z. The NIZKPOK proof pf can guarantee that the receiver device cannot change the input value b and the first elliptic curve z after computing the NIZKPOK proof pf. This operation performed by the receiver device in step S808 may correspond in part to step S402 of the semi-secure OT protocol and step S502 of the malicious OT protocol. [0169] In step S810, the receiver device can transmit the first elliptic curve z to the sender device. In the case of a malicious secure OT protocol, the receiver device can transmit the NIZKPOK proof pf to the sender device. This operation performed by the receiver device in step S810 may correspond to step S404 of the semi-secure OT protocol and step S504 of the malicious OT protocol. [0170] In step S812, the receiver device can receive a second elliptic curve y0, a third elliptic curve y1, a first masked message c0, and a second masked message c1 from the sender device. The first masked message c0 can be generated using the first message m0, and the second masked message c 0 can be generated using the second message m 1 . The receiver device can later choose a third masked message cb and a fourth elliptic curve yb that corresponds to the input value b. The masked message c b can be de-masked to obtain the third message mb using the fourth elliptic curve yb in later steps. In the case of a malicious secure OT protocol, the sender device may have verified the NIZKPOK proof pf. This operation performed by the receiver device in step S812 may correspond to step S406 of the semi-secure OT protocol and step S506 of the malicious OT protocol. [0171] In step S814, the receiver device can generate a hash output using a hash function H that can operate on a combined value of the first random isogeny map r and the fourth elliptic curve y b . The fourth elliptic curve y b can either be the second elliptic curve y 0 or the third elliptic curve y1 depending on the input value b. This operation performed by the receiver device in step S814 may correspond in part to step S408 of the semi-secure OT protocol and step S508 of the malicious OT protocol. [0172] In step S816, the receiver device can generate a third message m b by combining a third masked message cb with the hash output generated in step S814 using an invertible function. The third masked message c b can be either the first masked message c 0 or the second masked message c1 depending on the input value b. The third message mb can either be the first masked message m 0 or the second masked message m 1 depending on the input value b. This operation performed by the receiver device in step S816 may correspond in part to step S408 of the semi-secure OT protocol and step S508 of the malicious OT protocol. [0173] The receiver device can, upon generating the third message m b according to the choice bit b, can receive an encrypted program from the sender device. The sender device can execute the encrypted program using the third message m b and obtain an encrypted output value. The receiver device can then send the encrypted output value to the sender device, wherein the sender device can decrypt the output value using the third message m b , as the sender device has both the first message m0 and the second message m1. B. Sender device [0174] FIG.9 shows a flow chart for performing a two-round OT protocol from the computational CSIDH assumption. The method 800 can show a sender device (e.g., a server computing device 180) sending a first masked message c 0 corresponding to a first message m0 and a second masked message c1 corresponding to a second message m1 to a receiver device. The receiver device can then de-mask a third masked message c b corresponding to either the first masked message c0 or the second masked message c1 to obtain a third message m b according to the receiver’s input value b. The two-round OT protocol can be semi-honest secure protocol as described in FIG.4 or malicious secure protocol as described in FIG.5. [0175] In step S902, the sender device can store the first message m0 and the second message m 1 . These messages can be stored by the sender device prior to the oblivious transfer. The receiver device can choose the third message mb among the first message m0 and the second message m 1 according to the input value b using the oblivious transfer. [0176] In step S904, the sender device can receive a first elliptic curve z that was generated using a first random isogeny map r by the receiver device. In the case of a malicious secure OT protocol, the sender device can additionally receive a NIZKPOK proof pf generated by using the first elliptic curve z. The operation performed in step S904 can correspond in part to step S404 of the semi-secure OT protocol and step S504 of the malicious OT protocol. [0177] In step S906, the sender device can obtain a first common reference string x 0 and a second common reference string x1. The first common reference string x0 and the second common reference string x 1 can be public randomness generated by a trusted authority that none of the two parties, a sender device and the receiver device, can manipulate but only access it. The operation performed in step S906 can correspond in part to step S405 of the semi-secure OT protocol and step S505 of the malicious OT protocol. [0178] In step S908, the sender device can sample a second random isogeny map k0 and a third random isogeny map k 1 using a generator G. The operation performed in step S908 can correspond in part to step S405 of the semi-secure OT protocol and step S505 of the malicious OT protocol. [0179] In step S910, the sender device can generate a second elliptic curve y 0 using the second random isogeny map k0 and the first common reference string x0. The second elliptic curve y 0 can be generated by performing an isogeny mapping operation on the second random isogeny map k0 and the first common reference string x0. The operation performed in step S910 can correspond in part to step S405 of the semi-secure OT protocol and step S505 of the malicious OT protocol. [0180] In step S912, the sender device can generate a third elliptic curve y1 using the third random isogeny map k1 and the second common reference string x1. The third elliptic curve y1 can be generated by performing an isogeny mapping operation on the third random isogeny map k1 and the second common reference string x1. The operation performed in step S912 can correspond in part to step S405 of the semi-secure OT protocol and step S505 of the malicious OT protocol. [0181] In step S914, the sender device can generate a first hash output using a hash function H that operates on a first combined value of the second random isogeny map k 0 and the first elliptic curve z. The first combined value can be generated by performing an isogney mapping operation on the second random isogney map k 0 and the first elliptic curve z. This operation performed by the receiver device in step S914 may correspond in part to step S405 of the semi-secure OT protocol and step S505 of the malicious OT protocol. [0182] In step S916, the sender device can generate a second hash output using the hash function H that operates on a second combined value of the third random isogeny map k 1 and the first elliptic curve z. The second combined value can be generated by performing an isogney mapping operation on the third random isogney map k 1 and the first elliptic curve z. This operation performed by the receiver device in step S916 may correspond in part to step S405 of the semi-secure OT protocol and step S505 of the malicious OT protocol. [0183] In step S918, the sender device can generate a first masked message c 0 by combining the first message m0 with the first hash output using an invertible function. The invertible function can be an XOR operation. This operation performed by the receiver device in step S918 may correspond in part to step S405 of the semi-secure OT protocol and step S505 of the malicious OT protocol. [0184] In step S920, the sender device can generate a second masked message c 1 by combining the second message m1 with the second hash output using the invertible function. The invertible function can be an XOR operation. This operation performed by the receiver device in step S920 may correspond in part to step S405 of the semi-secure OT protocol and step S505 of the malicious OT protocol. In the case of malicious secure OT protocol, after generating the second masked message c1, the sender device can verify the NIZKPOK proof pf received from the receiver device. If the NIZKPOK proof pf does not verify, then the sender device can abort the OT protocol. [0185] In step S922, the sender device can transmit the second elliptic curve y0, the third elliptic curve y1, the first masked message c0, and the second masked message c1 to the receiver device. The receiver device would then be able to use a fourth elliptic curve y b having the value of either the second elliptic curve y0 or the third elliptic curve y1 to de-mask the third masked message c b according to the input value b. The third masked message c b can have the value of either the first masked message c0 and the second masked message c1, and upon de-masking the third masked message c b , the receiver device can generate the third message mb. [0186] In additional to sending the second elliptic curve y0, the third elliptic curve y1, the first masked message c 0 and the second masked message c 1 , the sender device can transmit an encrypted program to the receiver device. The receiver device can execute the encrypted program using the third message m b that it decrypted from the third masked message c b , and generate an encrypted output value that it sends to the sender device. The sender device can receive the encrypted output value and decrypt the encrypted output value using a corresponding message to the third message m b . VIII. COMPUTING SYSTEM [0187] Any of the computer systems mentioned herein may utilize any suitable number of subsystems. Examples of such subsystems are shown in FIG.8 in computer system 10. In some embodiments, a computer system includes a single computer apparatus, where the subsystems can be the components of the computer apparatus. In other embodiments, a computer system can include multiple computer apparatuses, each being a subsystem, with internal components. A computer system can include desktop and laptop computers, tablets, mobile phones and other mobile devices. [0188] The subsystems shown in FIG.8 are interconnected via a system bus 75. Additional subsystems such as a printer 74, keyboard 78, storage device(s) 79, monitor 76 (e.g., a display screen, such as an LED), which is coupled to display adapter 82, and others are shown. Peripherals and input/output (I/O) devices, which couple to I/O controller 71, can be connected to the computer system by any number of means known in the art such as input/output (I/O) port 77 (e.g., USB, FireWire ® ). For example, I/O port 77 or a network interface 81 (e.g., Ethernet, Wi-Fi, etc.) can be used to connect computer system 10 to a wide area network such as the Internet, a mouse input device, or a scanner. The interconnection via system bus 75 allows the central processor 73 to communicate with each subsystem and to control the execution of a plurality of instructions from system memory 72 or the storage device(s) 79 (e.g., a fixed disk, such as a hard drive, or optical disk), as well as the exchange of information between subsystems. The system memory 72 and/or the storage device(s) 79 may embody a computer readable medium. Another subsystem is a data collection device 85, such as a camera, microphone, accelerometer, and the like. Any of the data mentioned herein can be output from one component to another component and can be output to the user. [0189] A computer system can include a plurality of the same components or subsystems, e.g., connected together by external interface 81, by an internal interface, or via removable storage devices that can be connected and removed from one component to another component. In some embodiments, computer systems, subsystem, or apparatuses can communicate over a network. In such instances, one computer can be considered a client and another computer a server, where each can be part of a same computer system. A client and a server can each include multiple systems, subsystems, or components. [0190] Aspects of embodiments can be implemented in the form of control logic using hardware circuitry (e.g. an application specific integrated circuit or field programmable gate array) and/or using computer software with a generally programmable processor in a modular or integrated manner. As used herein, a processor can include a single-core processor, multi- core processor on a same integrated chip, or multiple processing units on a single circuit board or networked, as well as dedicated hardware. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will know and appreciate other ways and/or methods to implement embodiments of the present disclosure using hardware and a combination of hardware and software. [0191] Any of the software components or functions described in this application may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C, C++, C#, Objective-C, Swift, or scripting language such as Perl or Python using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions or commands on a computer readable medium for storage and/or transmission. A suitable non-transitory computer readable medium can include random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a compact disk (CD) or DVD (digital versatile disk) or Blu-ray disk, flash memory, and the like. The computer readable medium may be any combination of such devices. In addition, the order of operations may be re-arranged. A process can be terminated when its operations are completed, but could have additional steps not included in a figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination may correspond to a return of the function to the calling function or the main function [0192] Such programs may also be encoded and transmitted using carrier signals adapted for transmission via wired, optical, and/or wireless networks conforming to a variety of protocols, including the Internet. As such, a computer readable medium may be created using a data signal encoded with such programs. Computer readable media encoded with the program code may be packaged with a compatible device or provided separately from other devices (e.g., via Internet download). Any such computer readable medium may reside on or within a single computer product (e.g. a hard drive, a CD, or an entire computer system), and may be present on or within different computer products within a system or network. A computer system may include a monitor, printer, or other suitable display for providing any of the results mentioned herein to a user. [0193] Any of the methods described herein may be totally or partially performed with a computer system including one or more processors, which can be configured to perform the steps. Thus, embodiments can be directed to computer systems configured to perform the steps of any of the methods described herein, potentially with different components performing a respective step or a respective group of steps. Although presented as numbered steps, steps of methods herein can be performed at a same time or at different times or in a different order. Additionally, portions of these steps may be used with portions of other steps from other methods. Also, all or portions of a step may be optional. Additionally, any of the steps of any of the methods can be performed with modules, units, circuits, or other means of a system for performing these steps. [0194] The specific details of particular embodiments may be combined in any suitable manner without departing from the spirit and scope of embodiments of the disclosure. However, other embodiments of the disclosure may be directed to specific embodiments relating to each individual aspect, or specific combinations of these individual aspects. [0195] The above description of example embodiments of the present disclosure has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the disclosure to the precise form described, and many modifications and variations are possible in light of the teaching above. [0196] A recitation of "a", "an" or "the" is intended to mean "one or more" unless specifically indicated to the contrary. The use of “or” is intended to mean an “inclusive or,” and not an “exclusive or” unless specifically indicated to the contrary. Reference to a “first” component does not necessarily require that a second component be provided. Moreover, reference to a “first” or a “second” component does not limit the referenced component to a particular location unless expressly stated. The term “based on” is intended to mean “based at least in part on.” When a Markush group or other grouping is used herein, all individual members of the group and all combinations and subcombinations possible of the group are intended to be individually included in the disclosure. [0197] All patents, patent applications, publications, and descriptions mentioned herein are incorporated by reference in their entirety for all purposes. None is admitted to be prior art. Where a conflict exists between the instant application and a reference provided herein, the instant application shall dominate.
Next Patent: DECODER SIDE MOTION DERIVATION USING SPATIAL CORRELATION