Simple Two-Message OT in the Explicit Isogeny Model

. In this work we study algebraic and generic models for group actions, and extend them to the universal composability (UC) framework of Canetti (FOCS 2001). We revisit the constructions of Duman et al. (PKC 2023) integrating the type-safe model by Zhandry (Crypto 2022), adapted to the group action setting, and formally define an algebraic action model (AAM). This model restricts the power of the adversary in a similar fashion to the algebraic group model (AGM). By imposing algebraic behaviour to the adversary and environment of the UC framework, we construct the UC-AAM. Finally, we instantiate UC-AAM with isogeny-based assumptions, in particular the CSIDH action with twists, obtaining the explicit isogeny model, UC-EI; we observe that, under certain assumptions, this model is “closer” to standard UC than the UC-AGM, even though there still exists an important separation. Wedemonstrate the utility of our definitions by proving UC-EI security for the passive-secure oblivious transfer protocol described by Lai et al. (Eurocrypt 2021), hence providing the first concretely efficient two-message isogeny-based OT protocol in the random oracle model against malicious adversaries.


Introduction
Oblivious transfer (OT), introduced by Rabin [Rab05], is a fundamental cryptographic primitive that plays a central role in modern cryptography.In particular, OT is both sufficient and necessary for secure two-party and multiparty computation, and it is widely deployed in a number of efficient protocols [BLN + 21, KOS16] and applications ranging from private set intersection [DCW13,PSZ14] to contract signing [EGL82].The most commonly studied form of oblivious transfer is 1-out-of-2 OT, where a sender P S holds two messages m 0 , m 1 and a receiver P R holds a bit b corresponding to the sender's message m b that it will receive as output of the protocol.The security requirement is that P R should obtain m b without learning any information about the other message m 1−b and P S should learn nothing about the choice bit b.Oblivious transfer can be constructed from various assumptions: number-theoretic assumptions like Decisional Diffie-Hellman (DDH) [BM90, NP01, AIR01, PVW08, ZLWR13, CO15], and quadratic-residuosity (QR) [HK12]; and also from (presumed) post-quantum assumptions like coding-theory E-mail: emmanuela.orsini@unibocconi.it(Emmanuela Orsini), riccardo.zanotto@cispa.de(Riccardo Zanotto) a Emmanuela Orsini was supported by CyberSecurity Research Flanders with reference number VR20192203.Her work was primarily carried out while she was affiliated with imec-COSIC.
b Funded by the European Union (ERC, LACONIC, 101041207).Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Research Council.Neither the European Union nor the granting authority can be held responsible for them.Security and complexity.The efficiency of oblivious transfer protocols is a very important metric, as it directly impacts the efficiency of larger cryptographic systems in which OT is used; in addition, even if there exists a variety of security models for OT, ideally we would like to achieve security in the universal composability (UC) framework described by Canetti [Can01], where security is maintained under concurrent general composition.Unfortunately, achieving efficient UC-secure OT protocols is not an easy task, especially if we want a protocol with a low number of messages exchanged by the two parties.A straightforward approach to achieve fully secure OT is by using zero-knowledge proofs to transform a passively secure protocol into an active one.However, this technique often increases the number of interactions, which may not be desirable if the goal is to design a protocol with few interactions, such as a two-message protocol, where P R sends a single "request" message, and P S answers with a single "response" message.Therefore, alternative approaches are necessary, focusing on two-message protocols that are already actively secure.
A first barrier is given by the the impossibility result of Goldreich and Oren [GO94], which states that achieving two-message OT with simulation-based security is impossible in the plain model; therefore, it is necessary to rely on setup assumptions such as a common reference string (CRS) or a random oracle (RO).In a simulation-based proof, the main challenge is to extract the receiver's input bit and then argue that the message m 1−b remains hidden.
When considering (presumed) post-quantum assumptions exclusively, only a few constructions for two-message maliciously secure OT are known.The first one is the general framework described by Peikert, Vaikuntanathan and Waters [PVW08], where they instantiate dual mode cryptosystems from LWE (and also DDH and QR), and obtain an efficient bit OT.We also have OT from LPN via the compiler described by Döttling et al.
[DGH + 20], but this construction is more involved and requires garbled circuits.
Hence, the following natural question arises: Can we describe a concretely efficient UC-secure two-message oblivious transfer protocol from (presumed) post-quantum secure assumptions, and in particular from isogeny-based assumptions?
Why isogeny-based OT.Isogeny-based cryptography is a very recent and active field from which there have been many proposed schemes for post-quantum secure key exchange, public key encryption, signatures and much more.One of the main advantage of these constructions, compared to other post-quantum constructions, is their relatively small keys.
The first isogeny-based cryptosystem was given by Couveignes [Cou06] and Rostovtsev and Stolbunov [RS06].They described a non-interactive key-exchange protocol based on the theory of complex multiplication of ordinary elliptic curves over F q , whose endomorphism ring is a given quadratic order O.In particular, they observed that the commutative action of the ideal class group Cl(O) naturally leads to a key-exchange procedure à la Diffie-Hellman.Later, Jao and De Feo [JD11] proposed the SIDH key-exchange scheme using supersingular elliptic curves.Unfortunately, this scheme and related variants, like the NIST candidate SIKE [JAC + 20], have been recently broken [CD23, MMP + 23, Rob23] using Kani's reducibility criterion [Kan97].These attacks have no effect on another class of isogeny-based schemes, namely CSIDH-based constructions.
CSIDH stands for Commutative-SIDH and it was introduced by Castryck et al. [CLM + 18], as an adaptation of the original Couveignes-Rostovtsev-Stolbunov protocol with supersingular curves, and is now one of the main tools of isogeny-based cryptography.
In particular, it sparked new interest in the general framework of group actions, which can be seen as a generalization of the exponentiation property of Diffie-Hellman.
The challenging question, which we will address, is then if it is possible to construct UC-secure efficient OT protocols from the CSIDH group action, similarly to how the Chou and Orlandi [CO15] protocol can be seen as a variation of two DDH-based key-exchanges.

Our Contributions
In this work, we address the question above by focusing on the isogeny-based two-message OT protocol described by Lai et al. [LGD21] (Figure 2), which was originally proven secure only against semi-honest adversaries.
We first introduce a general framework for group action-based cryptography, and formally define an Algebraic Action Model, following [Zha22] and [DHK + 23].Inspired by the UC-AGM described by Abdalla et al. [ABK + 21], we then extend the Algebraic Action Model to the UC framework, obtaining the UC-AAM.Although our UC-AAM is actually less expressive than standard UC, as it is for the UC-AGM, we provide some evidence to suggest that our UC-AAM might be "closer" to plain UC, and we believe that this model can be of independent interest.
We then specialize the UC-AAM to the context of CSIDH and refer to it as the UC Explicit-Isogeny (UC-EI) model; this new model incorporates twists into a slightly bigger group action, offering a novel perspective on the CSIDH action.Using the UC-EI model, we finally show how to prove malicious security for the two-message protocol described by Lai et al. [LGD21].We conclude with a thoughtful comparison between several existing constructions of OT protocols from isogeny-based assumptions in Section 5.3.

Technical overview
Background.In [CO15], Chou and Orlandi proposed a simple and efficient OT protocol, hereafter known as the CO protocol (we refer to Section B.1 for further details), based on DDH in the random oracle model.The protocol follows the Bellare-Micali [BM90] paradigm, where there is a public element C ∈ Z * p with unknown discrete logarithm relative to a generator g, and the receiver creates two public keys (g r , C/g r ) so that they can only know the secret key relative to one of them.
This scheme has been used as a blueprint for many subsequent constructions based on different hardness assumptions.However, proving its UC security is problematic: the main issue is that a corrupt receiver might never query the random oracle to get the decryption key for the ciphertext, and in this case the simulator cannot extract the receiver's choice bit and thus cannot query the functionality for the corresponding sender's message and finish the simulation.
One solution to this problem is to require some sort of "proof of decryption": some protocols, like [BDD + 17], add one or two messages between the parties to allow the simulator to extract and to complete the simulation of the corresponding functionality.This same approach was taken by Lai et al. [LGD21] to describe a concretely efficient 4-message isogeny-based UC-secure oblivious transfer.
Another solution, proposed by Abdalla et al. [ABK + 21], is given by using a different model of computation, in which the extraction of the input bit is made almost automatic by the behaviour imposed on the adversary by the model.More concretely, the authors introduced the UC-AGM, obtained by extending the algebraic group model (AGM) within the UC framework, and showed that some important protocols, like CO, can be proven secure in this model.We recall that the AGM, introduced by Fuchsbauer, Kiltz and Loss [FKL18], takes the middle ground between the standard model and the generic group model (GGM), which has been proposed in different and not necessarily equivalent variants, like the ones described by Shoup [Sho97] and Maurer [Mau05].
Roughly, adversaries in the AGM are allowed to see and use the structure of the group, but they are required to behave "algebraically", i.e. obtain new group elements only via group multiplications from known elements.More precisely, an adversary A is algebraic if for every h ∈ G that it outputs, it also provides a vector of exponents (x 1 , . . ., x n ) such that h = n i=1 g xi i , where the g i are all the group elements already seen by the adversary A.
Drawbacks of the AGM.While the AGM (and UC-AGM) enables easier proofs of security for protocols, the model also shows some limitations and gives rise to concerns.For example, in the AGM we are not able to sample group elements without access to an external oracle.
Another important issue, highlighted concurrently by Katz et al. [ZZK22] and Zhandry [Zha22], is that the AGM is incomparable to Shoup's GGM, due to the not fully formal definition of the AGM.Katz et al. focus on the problems of encoding group elements and what it means to "output a group element"; in particular, the authors prove that an algebraic adversary can be used to reduce a generic-hard problem to a generic-easy problem, thus showing a key weakness in the AGM's definition.In the paper by Zhandry, a solution to this issue is proposed by formally defining the AGM as a compiler for games in the Type-Safe (TS) generic-group model, which is a variant of Maurer's GGM; the TS model restricts the type of games that can be described, and among those the AGM requirement is met.Additional issues are encountered when one tries to combine computational models and the UC framework; for example, [Zha22] showed that security in the TS model is equivalent to security in Shoup's model for single-stage games, which however cannot describe UC security.
A more fundamental problem, specific to the UC-AGM [ABK + 21], is that a composition theorem holds only if the algebraic adversary "does not mix" protocols, i.e., if it explains group elements of some sub-protocol using only group elements from the same sub-protocol as a base.This means that we can safely compose protocols only if they operate on independent groups.Our models.Informally, a group action G = (G, X, ⋆) consists of a group G and a set X, along with an action ⋆ : G × X → X, such that for any g, g ′ ∈ G and x ∈ X, it holds that (gg ′ ) ⋆ x = g ⋆ (g ′ ⋆ x).This definition allows us to capture the exponentiation-only property of Diffie-Hellman, but without imposing any structure on the set X so that we can instantiate it with Shor-resistant constructions.Similarly to the group setting, the most studied hardness assumption for group actions is the "discrete logarithm", or vectorization, problem: it is easy to compute y = g ⋆ x given g and x, while it is assumed to be hard computing g from only x, y.Group actions have long been considered for cryptography [BY91,GS10,Cou06], and the isogeny-based key exchange CSIDH [CLM + 18] highlighted the potential of this framework, which now has different instantiations, like the lattice isomorphism problem [Dv22] and the general linear group action on tensors [JQSY19]; the problems of code equivalence and graph isomorphism can also be viewed as discrete logarithm problems with respect to an appropriate group action.
In a seminal paper for group action-based cryptography, Alamati et al. [ADMP20] introduced the notions of effective-GA (EGA) and restricted-EGA (REGA) to model cryptographic group actions and in particular CSIDH, where computing the group action efficiently is not possible for all group elements g ∈ G.We propose a new generalization of EGA and REGA to hint-effective GA (HEGA), which simply means that it is possible to attach an efficient way to evaluate the action to sampled group elements.We then introduce a type-safe model for group actions, which is a generalization of the generic group model for the group action setting.Informally, a circuit is said to be type-safe with respect to an action G if it has two types of wires: bit wires and element wires.Bit wires can be combined together in any way with usual boolean gates, while element wires can only be used through special gates: an action gate, whose input are a bunch of bit wires representing a group element g ∈ G and an element wire representing a set element x ∈ X, and it outputs an element wire representing g ⋆ x; and an equality gate, which outputs a bit wire from two element wires.Notice that the only way to get bits from elements is through equality gates, and this resolves the problems highlighted in [ZZK22,Zha22].
We can view our type-safe model as a "Maurer-style" generic model, while the Generic Group Action Model proposed in [DHK + 23] is a "Shoup-style" model.We will need this formalization in order to avoid the problems in the AGM with the encoding of group elements.Notice however that like [DHK + 23] we allow "generic" algorithms to have full access to the group structure, in contrast to the model proposed in [MZ22], where even the group operations are computed through an oracle.Using the type-safe model, and following [Zha22], we can define the Algebraic Action Model (AAM) as a "compiler" for certain games in the TS model.Loosely speaking, in our setting an adversary is said to be algebraic if, every time they output a set element y ∈ X, they must explain it as a group action y = g ⋆ x, where x ∈ X was a set element already known; the adversary moreover has complete access to the group structure and representation.Then, given a type-safe protocol π and an algebraic adversary A, we can "plug" it in: A only has bit wires, but we can use the explanations it provides to connect its "element" outputs to the element wires of the protocol π as shown in Figure 1.
UC emulation in the AAM.We follow [ABK + 21] in defining a restricted UC framework where we impose algebraic behaviour; as in [Zha22], we limit ourselves to type-safe protocols in order to properly define the algebraic framework, and in particular what it means to "output a set element".Indeed, given a type-safe protocol π and a pair (A, E) of algebraic adversary and environment, we can connect them to the protocol π as in the usual UC framework using the AA compiler described above.Informally, the UC-AAM has the same definitions of the standard UC framework, but we are restricting the adversary-environment pair to be algebraic, i.e. for every y ∈ X that they output towards the protocol, they must explain it with g ∈ G, x ∈ X such that y = g ⋆ x.
We have the usual notions of a protocol π UC-AAM emulating a protocol ϕ (denoted by π ∼ ϕ) if an algebraic environment cannot distinguish the two executions, and we can prove transitivity of emulation.We can also define execution in an F-hybrid model, where F is any type-safe functionality, and prove that if π UC-AAM emulates F, then also ρ π ∼ ρ F .However, like in the UC-AGM, the composition theorem needs extra care: since we have that π ∼ F, it means that the adversary uses set elements from protocols π as the "base" for outputting algebraic explanations; when proving that ρ π ∼ ρ F we can only get emulation with respect to algebraic adversaries that use set elements from π instead of the whole ρ π .This means that even if we prove that ρ F ∼ F ′ , we cannot immediately obtain that ρ π ∼ F ′ , since for the second part of the emulation we are also using set elements from ρ as the base for algebraic explanations.In particular, in order to get to a full composition theorem ρ π ∼ F ′ we need to restrict to "non-mixing" adversaries, i.e. they explain set elements they output to ρ with elements previously seen in ρ, and set elements going into π with set elements coming from π.As noted in [ABK + 21], this should not necessarily be seen as a limitation of UC-AGM (and UC-AAM), but rather as a limitation of proofs in idealized models.More discussion on this point can be found on their paper.
Ways to overcome this issue, and consider also "mixing adversaries", could be either proving multiple protocol executions simultaneously or proving security in extended settings like GUC (UC with global setup) [CDPW07].
The UC-EI model.We finally introduce the UC-EI (Explicit Isogeny) model, which is simply the specialization of the UC-AAM to the group action of CSIDH [CLM + 18].We recall that CSIDH uses the action of the class group Cl(O) on the set of supersingular elliptic curves having O as endomorphism ring defined by a ⋆ E = E/E[a], which is a commutative and regular action.
Since it is possible to compute the twist E t of an elliptic curve, the models should consider this operation as well; the authors of [DHK + 23] model twists externally in their CEGAT and AGAM T , while we don't need any new definition.In particular, since the twisting operation satisfies the relation (a ⋆ E) t = a −1 ⋆ E t , we notice that this translates into an action (G tw in Proposition 3) of the group Cl(O) ⋊ Z/2Z; this results in a noncommutative and non-regular group action, but neither of the properties are of fundamental importance.
Moreover, the EI model doesn't seem to actually restrict real adversaries, given our current knowledge.Indeed, the only efficient way we know to generate a supersingular curve is via an isogeny walk or with twisting: a well known open problem in isogeny-based cryptography is in fact how to sample random supersingular elliptic curves without taking a random isogeny walk from an already known curve.The sampling problem has recently gained some attention [MMP22, BBD + 22], but so far all the attempts to solve it have failed.
Assuming that the problem is hard implies that the CSIDH action group G tw is actually an unsampleable HEGA, and therefore restricting algorithms to be algebraic does not restrict the model.Notice that this is different to what happens in AGM, where algebraic algorithms have to provide a representation of any group element they output, but it is not true that the only way for them to output a new group element is to derive it using group multiplication from known group elements.
The 2-message isogeny-based OT.Once we have established our UC-EI model, proving full malicious security of the two-message OT protocol given in [LGD21] is a relatively easy task.Indeed, the algebraic behaviour of the adversary allows us to immediately extract the choice bit of a corrupted receiver, thus we can conclude the simulation.The algebraic explanations give also an easy reduction to the group action discrete logarithm problem simply by computing some equations, exactly as it usually happens in the AGM.
In this way, we obtain an efficient two-message protocol in the ROM with a trusted setup curve (TSC) based on CSIDH.In addition, we show how to eliminate the TSC requirement, but at the cost of adding an extra message of communication, so the resulting scheme is not optimal.This latter protocol needs one message less than the maliciously secure protocol described in [LGD21] with less computation and without TSC.

Other Related Work
Another important line of work aims to construct two-message oblivious transfer with a slightly weaker form of security, namely statistically sender-private OT (SSP OT) [NP01,AIR01].In this setting, different schemes based on different quantum secure assumptions are known, like [BD18, DGI + 19, MS20, ADMP20].
The recent work [BMM + 23] introduces some new OT protocols based on isogenies; in particular, the authors show how to build UC-secure round-optimal protocols based on the computational CSIDH assumption, both in the plain model and in the setup model (i.e.respectively 4-message and 2-message).This is an important theoretical result, since round-optimal protocols were known only from the decisional CSIDH problem [ADMP20].However, both constructions require a number of isogeny computations linear in the security parameter, which is highly inefficient.
More details about their constructions and efficiency of theirs and other isogeny-based OT protocols can be found in Section 5.3.

Preliminaries
For a set S, we denote by a ←$ S the process of drawing a from S with a uniform distribution on S. If D is a probability distribution, we denote by a ←$ D the process of drawing a with the given probability distribution.For a probabilistic algorithm A, we denote by a ←$ A the process of assigning a the output of algorithm A, with the underlying probability distribution being determined by the random coins of A. We write ≈ (resp.≈ s ) to denote computational (resp.statistical) indistinguishability between probabilistic distributions.
In this work we assume familiarity with the UC framework, of which we provide an informal overview in Appendix A.3; in Appendix A.4 we describe our functionalities.In Appendix B, we also give a brief description of UC-AGM [ABK + 21].

Cryptographic Group Actions
Group actions have recently been getting a lot of attention for their use in cryptography, starting from the "Hard Homogeneous Spaces" by Couvegines [Cou06], which is a precursor of CSIDH.Here we will follow the formalization by Alamati et al. [ADMP20].
Definition 1 (Group action).A group G is said to act on a set X if there is a map ⋆ : G × X → X that satisfies the following two properties: A group action as described in the previous definition is usually denoted by G = (G, X, ⋆).The standard notion of cryptographic group actions is given by effective group action (EGA).Roughly, an EGA (G, X, ⋆) is such that all the well-defined group operations and group action operations are efficiently computable, sampling random group elements is efficient and set elements are uniquely represented.It is also possible to endow group actions with different hardness assumptions like one-way EGA (ow-EGA), weak-unpredictable EGA (wUP-EGA), weak pseudorandom EGA (wPR-EGA) [ADMP20].
EGA is usually too powerful to capture isogeny-based assumptions, therefore, to model isogeny-based protocols, [ADMP20] provides the definition of restricted effective group action (REGA), where it is possible to only evaluate the action of a generating set of small cardinality.

CSIDH
In [CLM + 18], the authors propose an efficient post-quantum abelian group action, as an adaptation of the Couveignes-Rostovtsev-Stolbunov scheme, from which they derive a key-exchange primitive, called CSIDH.
They consider a supersingular elliptic curve E over F p , so that its F p -rational endomorphism ring End p (E) is an order O in a quadratic imaginary field.If a is a non-zero ideal in O, then it defines a kernel subgroup E[a].We can then consider the quotient isogeny ψ : The main idea of CSIDH is to pick a prime of the form p = 4ℓ 1 . . .ℓ n − 1, with ℓ i small odd primes.In addition, they fix E 0 : y 2 = x 3 + x, which is supersingular when p ≡ 3 (mod 4).This curve has End Since the characteristic polynomial of the Frobenius map is π 2 + p = 0, when reduced modulo ℓ i it becomes π 2 − 1 ≡ 0 (mod ℓ i ), given that p ≡ −1 (mod ℓ i ).In particular, this means that ℓ splits as the product of l i = (ℓ i , π − 1) and li = (ℓ i , π + 1) inside O (primes that are split are called Elkies primes).
The very peculiar choice of the prime p implies that the evaluation of the action l i ⋆ E is very easy: the kernel of the corresponding isogeny E[l i ] is the intersection of ker(ℓ i ) and ker(π − 1), which is the F p -rational ℓ i -torsion subgroup.By computing it and using Vélu's formulas, we can compute the isogeny φ li .
For computing l −1 i ⋆ E we can either compute the F p 2 -rational ℓ i -torsion or we can use the fact that (a ⋆ E) t ∼ = a −1 ⋆ E t , where E t is the quadratic twist of E. For more details on evaluating the class group action, we refer to [CLM + 18, section 8].
Another key aspect of CSIDH is that it uses curves in Montgomery form.Indeed, we have the following proposition.
Proposition 1 ([CLM + 18, Proposition 8]).Let p ≥ 5 be a prime with p ≡ 3 (mod 8), and let E/F p be a supersingular elliptic curve.Then End This means that it is sufficient to use the A coefficient as the public key, instead of a j-invariant and then having to check that it has the correct endomorphism ring.The only check needed is that A ̸ ∈ {±2} (otherwise E A is not even smooth), and that E A is supersingular.Furthermore, it is very easy to see that in this setting the twist of CSIDH assumptions.We list below the main hardness assumptions we use in our protocols; notice that these are the direct translation of respectively the discrete logarithm and the computational Diffie-Hellman problems to the CSIDH setting.
the problem asks to find said element r.
Notice that since the action is regular, the generic vectorization problem is equivalent to the one with E = E 0 .

Problem 2 (Computational CSIDH (Comp-CSIDH)). Given curves (E, r ⋆ E, s ⋆ E) in E with r, s ∈ Cl(O), the problem asks to find E
Additional hard problems and some discussion can be found in Section A.2.
Sampling ideals in the class group.One of the issues with CSIDH is that we know how to efficiently evaluate only the action of the ideals l i corresponding to the Elkies primes ℓ i of the factorization of p + 1.This is why CSIDH has been defined as a REGA [ADMP20], which actually means that it describes an action of the additive group Z n on the set E. Indeed, we have a morpishm Π : Therefore, even if we could in theory pick a uniformly random element of the source group Cl(O) (which is what many protocols would require), we can only efficiently represent and operate with it using the integer vector representation.
We thus pose the following assumption in order to deal with this issue.
Assumption 1.Let D m be the distribution on Cl(O) given by sampling (e 1 , . . ., e n ) uniformly at random from [−m, m] n and outputting a = Π(e 1 , . . ., e n ) = This assumption is strongly motivated by the following heuristic from [CLM + 18, Section 7.1]: choosing m to be the smallest integer such that (2m + 1) n ≥ |Cl(O)|, for any a ∈ Cl(O), the size of Π −1 (a) ∩ [−m, m] n is "small"; this means that the min-entropy of the uniform distribution on Cl(O) and the one of D m differ just by a few bits.
Remark 1.In the case of CSIDH-512, the structure of the class group has been fully computed [BKV19], which means that we know Λ = ker Π, and thus can compute unique representatives.This implies that we can consider the CSIDH-512 action as a full blown EGA, and allow for uniform sampling without heuristic assumptions.Notice however that this is at the cost of solving a CVP problem in Λ each time that we want to evaluate the action, as highlighted by Panny [Pan23].
Additional definitions and preliminaries about isogenies and computational assumptions are given in Appendix A.

Type-Safe and Algebraic Models for Group Actions
In this section, we first propose a generalization of both EGAs and REGAs, called hinteffective group action (HEGA), and secondly introduce a variant of Zhandry's type-safe (TS) model for the setting of group actions, which corresponds to the generic group model.We then describe the algebraic action model (AAM) as a compiler, similarly to the AGM but for group actions, where any adversary must explain any set element that it outputs with the group element that has generated it.Finally, we study this model in the UC framework.
A generic (and algebraic) group action model has been proposed by Duman et al. [DHK + 23], where the authors prove generic hardness results and equivalence between different assumptions in a quantum setting; in particular, their algebraic group action model is almost identical to the one proposed by us, and they both differ from the one first proposed by [MZ22] in the sense that we both only encode set elements and otherwise give full access to the group to the adversary.However, we follow [Zha22] to first describe a type-safe generic model which formally delimits the games that can be described in our algebraic action model, while [DHK + 23] poses the same informal constraint as in the AGM that "input that is not a set element x ∈ X does not depend on set elements".
Another difference is that [DHK + 23] only considers abelian group actions (in particular the concrete group Z/nZ), and the authors have to model externally the twisting property of CSIDH, while we embed it in a bigger group action, which is however neither abelian nor regular.

Hint-Effective Group Actions
Definition 2 (HEGA).A group action (G, X, ⋆) is hint-effective if the following properties are satisfied: 1.The group G is finite, and there is an efficiently sampleable distribution D G on G.
Moreover, sampling from this distribution produces also a hint e, and we write that as (g, e) ←$ D G .
2. The set X is finite, and there are efficient algorithms for membership testing and computing a unique representation.
3. There is a distinguished and known element x 0 ∈ X, called the origin.
4. There exists an efficient algorithm such that for any (g, e) ←$ D G and any x ∈ X computes g ⋆ x, eventually using the hint e.
We collect these parameters in G = (G, X, ⋆, D G , x 0 ).
Notice that an EGA is an HEGA where the hints are empty and group operations on G are also efficient, while a REGA is an HEGA where the hint is the exponent vector with respect to the chosen generating set.In addition, all protocols of [ADMP20] built from EGAs can also be instantiated from HEGAs, as soon as D G is statistically close to the uniform distribution on G.
Computational assumptions on HEGAs.We can define the one-way, weak unpredictable and weak pseudorandom hardness assumptions on HEGAs exactly as for EGAs in [ADMP20].More explicitly, we can define the "discrete logarithm" analogue for group actions as follows.Note that we do not restrict ourselves to regular actions, so there might be more than one possible answer.
We finally describe an important property of a group action, namely the inability of sample directly from X without using group elements.
Definition 3 (Unsampleable HEGA).An HEGA G = (G, X, ⋆, D G , x 0 ) is said to be unsampleable if for any PPT algorithm A G (x 1 , . . ., x n ) that outputs a set element x ∈ X, there exists a PPT algorithm A ′ G that outputs (g, e) such that x = g ⋆ x i for some i ∈ {0, 1, . . ., n}.

The Type-Safe Model
Following Zhandry's type-safe model [Zha22], we define a similar model in the context of group actions, and in particular HEGAs.Definition 4. Let G = (G, X, ⋆, D G , x 0 ) be an HEGA.An algorithm A, given as a circuit, is said to be type-safe w.r.t.G (written as T S G ) if • It has two types of wires, bit wires and element wires.Element wires should be thought as containing/hiding values x ∈ X.
• There always exists a given element wire containing the origin x 0 of the action.
• The only gates allowed are the following: Boolean gate: It only has bit wires for input and output, and can perform any classical boolean function.
Action gate: It has as inputs some bit wires that encode the group element g with an hint e, and an element wire containing x.Its output is an element wire which contains g ⋆ x.
Equality gate: It has two element wires x, y as inputs, and outputs a bit wire that is 1 if x = y, and 0 otherwise.
This "type-safe" model can be seen as a possible definition of a generic group action; in [MZ22] the authors briefly propose a generic group action framework based on Shoup's model, stating that it can also model quantum adversaries.Unfortunately, since AGM is incompatible with Shoup's GGM, for our purposes we decided to follow the type-safe approach.Moreover, we allow the adversary to access the group structure in any case: the hardness of a group action should derive from hiding the group inside the set, and not from the group having a "generic" structure.

The Algebraic Action Model
We now introduce the algebraic action model (AAM) as a relaxation of the TS model, where adversaries can behave arbitrarily, but must explain the set elements they produce.
First we define what it means for an adversary to behave algebraically.The meaning of this definition is that if an algebraic adversary wants to output a set element y ∈ X, it must explain it as some y = g ⋆ x for some x ∈ X that it has already seen.Notice that any given T S G algorithm can be translated into an AA G algorithm, and thus we can use the AA model as a compiler in the following way.Definition 6.Let π be a T S G protocol between parties P 1 , . . ., P n , and let Q = {Q i1 , . . ., Q i k } a set of algebraic algorithms, with S = {i 1 , . . ., i k } ⊂ {1, . . ., n}.
Then AA(π, Q) is a protocol where each party P s for s ∈ S is replaced by Q s and its communication wires have been transformed as follows: • Any incoming bit wire to P s gets translated to a BIT message for Q s .
• Any incoming element wire to P s gets translated into a (EL, x) message for Q s , and the element wire gets labelled as el x .
• Any outgoing BIT message from Q s gets translated into a bit wire from P s .
• Any outgoing (EL, (g, e, x)) message from Q s gets translated back into an element wire from P s , by applying an action gate on el x with group element (g, e).
The AA compilation on a party P 1 being substituted by an algebraic Q 1 can be seen in Figure 1.What this compiler is doing is transforming a fixed subset of parties in a TS protocol into algebraic machines, forcing them to output group elements with which they have generated the element y they are sending.The goal of this transformation is being able to give a definition of what it means to be "secure in the algebraic action model".The intuition here is that a protocol π is secure in the AAM model if its compiled version AA(π) is secure in the standard model.This type of approach is exactly the one used by [Zha22] for formally (re)defining security in the AGM.
We conclude the discussion of the AAM with the following informal statement about unsampleable HEGA.
Remark 2. Let G be an unsampleable HEGA, and let A be any PPT algorithm that receives inputs and sends outputs of the form (BIT, b) and (EL, x).Then, if the BIT inputs give no information about the group action G, there exists an algebraic algorithm A ′ that upon the same inputs of A gives the same outputs, giving also an explanation to the EL messages that it outputs.This gives the intuition that for an unsampleable HEGA, all possible adversaries are actually algebraic; however, this is the closest we can get to a formal result, which cannot exist since it's not clear what it means that BIT messages don't reveal anything about G.This is the fundamental issue with the AGM, as highlighted in [ZZK22]; the best resolution of this issue is some kind of type-safe model, but there will always be a gap between the TS model and the standard model.

UC Emulation in the Algebraic Action Model
We now formalize the definition of security in the AA model within the UC framework.First, we use the previous compiler to define the execution of a type-safe protocol against algebraic adversaries.Definition 7. Let π be a T S G protocol, and A, Z be AA G algorithms.
Denote by U C(π) the T S G protocol defined by adding a "dummy" type-safe adversary and environment A ′ , Z ′ .In particular, we have that: • The environment Z ′ can send input messages to the main parties of π, and read their output messages, all of which consist of both a bit wire and an element wire.
• The environment Z ′ and the adversary A ′ can communicate freely.
• The adversary A ′ has a backdoor channel towards the parties, which also has both bit wires and element wires.
We define exec π,A,Z (z) as the output bit of the environment Z in an execution of the protocol AA(U C(π), {A, Z}) with input z, i.e. we are compiling the "dummy" adversary and environment into meaningful algebraic ones.
With this definition we are modelling a similar setting of UC-AGM, while using the type-safe model to give a precise definition on the condition "when the adversary outputs a group element" given in UC-AGM [ABK + 21].
Notice that with our definition we are allowing π to have hybrid type-safe functionalities, and also to have element wires as input/output.For example, F RO is a T S G algorithm that keeps a list of pairs (element wire, bit-string).When activated with an element wire input, it checks with equality gates if that input is present; if yes, it answers with the bit-string, otherwise it samples a bit-string, answers with it and stores it in the list with the input element wire.
We can finally define what an algebraic emulation of a protocol is, and consequently define an algebraic realization of a type-safe functionality.Definition 8. Let π, ϕ be T S G protocols.We say that π UC-AA emulates ϕ if for any AA G adversary A there is an AA G simulator S such that for all AA G environments Z it holds that If F is a T S G functionality, we say that a T S G protocol π UC-AA realizes F if π UC-AA emulates ideal F , where ideal F is the protocol in which all the parties forward their input to the ideal functionality F, and output the returned value from F.
We can also prove a composition theorem, but, as in UC-AGM, there is an important limitation.In order to obtain emulation, the adversary must give its explanations relative to elements of the same sub-protocol where it's sending the output.Concretely, we say that an AA G adversary against a T S G composed protocol ρ π is non-mixing if the explanations of messages to be sent to ρ only use element wires from ρ, and analogously with π.Therefore, we can state the composition theorem respect to non-mixing adversaries as follow.Note the proof of this theorem is exactly the same as the one given in [ABK + 21].
Theorem 1 (Informal).Let F 1 , F 2 be T S functionalities.Let π be a T S protocol that UC-AA realizes F 2 , and ρ a protocol that UC-AA realizes F 1 in the F 2 -hybrid model.Then protocol ρ π UC-AA realizes F 1 against non-mixing algebraic adversaries.

The Explicit Isogeny Model
In this section we will introduce the Explicit Isogeny model of computation, which we will then use to prove the security against malicious adversaries of the two-message OT protocol proposed in [LGD21].Concretely, the UC-EI model is nothing else than UC-AA instantiated with the action given by CSIDH, where we also incorporate twists for a more accurate model.This means that for any curve E the adversary must output the secret isogeny path that it used to generate E.
We will then argue that, given the difficulty of the "hash-to-curve" problem, the CSIDH action is an example of an unsampleable HEGA, so that this new model of computation is really close to the standard model.

The CSIDH Action with Twists
Recall that the CSIDH action is ⋆ : Cl(O) × E → E, where O is the order Z[ √ −p] and E = Ell p (O).However, to fully capture the structure of the F p -rational supersingular isogeny graph it is necessary to also consider twists.This has also been proposed and used by [AEK + 22] to construct password authentication key-exchange (PAKE) protocols and to prove their (in)security.Moreover, also Duman et al. [DHK + 23] consider twists in their AGAM T , by modelling them as an external construction.However, we notice that twists can still be described internally to the group action framework, by introducing the appropriate semidirect product.
We recall that a semidirect product of two groups is given by the following definition.
Proposition 2 (Semidirect product).Let H, N be groups, and ϕ : H → Aut(N ) (where Aut(N ) denotes the group of all automorphisms of N ).Then the cartesian product N × H equipped by the operation This construction is useful because of the following classical result in the theory of group actions.
Theorem 2. Let H be a group and N a H-group, meaning that there is a map ϕ : H → Aut(N ).Suppose that both H and N act on the same set X (with actions denoted by ⋆ H , ⋆ N respectively) in a compatible way, i.e. h ⋆ H (n Then there is a well-defined action of N ⋊ ϕ H on the set X given by (n, h) ⋆ x = n ⋆ N (h ⋆ H x).
We will apply the theorem in our setting, where H = Z/2Z, N = Cl(O), X = E.The action of Z/2Z on E is exactly twisting, in particular 0 • E = E and 1 • E = E t .Moreover, Z/2Z has also a natural action on Cl(O) given by 1•a = a −1 , which corresponds to the map ι : Z/2Z → Aut(Cl(O)) where ι(1) : a → a −1 .It is now easy to see that the compatibility requirement is exactly the fact that (a ⋆ E) t = a −1 ⋆ E t .We can then construct a new action on E, which automatically includes twists in its description.
We conclude by showing that what we have constructed is still an HEGA.
Proposition 3. Let ⋆ tw : G tw × E → E the action defined above.Then the group action • E 0 is the same as in the CSIDH action, namely the curve Proof.The last claim follows directly from the assumption that the CSIDH sampling is close to the uniform distribution on Cl(O).The fact that G tw is a HEGA directly follows from the fact that CSIDH is a HEGA (indeed, the hint allows us to evaluate the action of sampled group elements).

The UC-EI Model
We are now ready to define the Explicit Isogeny model, which is an instantiation of UC-AA with G tw .More concretely, we see that our compiler turns the adversaries into EI-adversaries.
Definition 9. Let G tw be the HEGA defined before.We say that an algorithm A uses Explicit Isogenies (EI) if its communication tapes have messages of the type (bit, m) and (curve, E), where m is a bit-string and E is an element of E, i.e., a supersingular curve over F p .Moreover, for any outgoing message (curve, E), A must also send an explanation (a, e, E ′ ) such that E = a ⋆ E ′ , where E ′ is one of the previous incoming curves or its twist.
Notice that for our UC-AA definition to make sense, it's necessary that the original protocol is type-safe w.r.t.G tw , so incorporating twists into the action is a fundamental step of the construction, otherwise we couldn't describe protocols that use twists, such as the one proposed by Lai et al. [LGD21].
Our EI model can thus be seen as the formalized type-safe variant of the AGAM T model by [DHK + 23].We also restate our definition of UC emulation, which is exactly that given for UC-AA for the specific case of G tw protocols against EI adversaries.Definition 10.Given two T S Gtw protocols π and ϕ, we say that π UC-EI emulates ϕ if for any efficient EI-adversary A there is an efficient EI-simulator S such that for any efficient EI-environment Z we have that exec ϕ,S,Z ≈ exec π,A,Z .
If F is an ideal functionality and ϕ = ideal F , we say that π UC-EI realizes F.
Like UC-AGM, also UC-EI limits the capabilities of the adversary, so it may seem that it's less expressive than the plain model of UC security.However, as we will discuss in the next sections, there is strong evidence suggesting that any PPT adversary A behaves like in the explicit isogeny model, in particular given the fact that "hashing" to a supersingular curve seems to be very hard.

The EI Model and the Sampling Problem
One of the main open problems of isogeny-based cryptography is how to sample a supersingular curve without taking a random isogeny walk from another known curve; this is also called the "hashing-to-curve" problem, which can be roughly stated as follows.
Problem 4 (Informal).Given a prime p, compute a supersingular curve E/F p 2 , without revealing anything about End(E), or any information that helps solving the isogeny path problem from E.
More concretely, the sampling problem is defined and studied in [MMP22], where it is called the cSRS (cryptographic Supersingular Random Sampling) problem.In this work and another comprehensive study of the problem [BBD + 22], the authors review some known methods to generate supersingular elliptic curves and explore possible ways to hash into the isogeny graph, but the conclusion of both these works is that the best algorithms we know for this task still have exponential complexity.
We can then introduce a new knowledge assumption based on this problem.
Assumption 2. For any PPT algorithm A that receives as input a prime number p and outputs a supersingular j-invariant j ∈ F p 2 , there exists a PPT algorithm A ′ that outputs the pair (j, R), where R = End(E) is the endomorphism ring of a curve E with j(E) = j.
We can also use a slightly different variant of the problem, that only deals with isogeny paths and not endomorphism rings.Assumption 3.For any PPT algorithm A(p, j 0 , j 1 , . . ., j n ) that outputs a supersingular j-invariant j ∈ F p 2 knowing a list of some j-invariants, there exists a PPT algorithm A ′ that outputs a computable isogeny ϕ : E i → E, where j(E) = j and j(E i ) = j i .
It is important to notice that the two different Assumptions 2 and 3 are not equivalent: knowing an isogeny ϕ : E 0 → E is equivalent to knowing End(E) only if we can compute End(E 0 ), but in an interactive protocol a party ususally receives a supersingular curve from other parties, and cannot know its endomorphism ring.The second assumption is thus trying to model exactly the multi-party computation setting, by forcing any party to generate new curves only by walking in the isogeny graph, starting from curves that have been sent to it.Moreover, in [BBD + 22] the authors highlight some variants for the hashing problem, in particular the problem of sampling F p -rational supersingular curves.It is related to the general problem, and it likely seems as difficult, but it is very hard to prove an equivalence between them.However, we currently don't know better algorithms to hash into the F p -graph than those that hash into the F p 2 -graph.
We will then pose another assumption, specific to the CSIDH setting.
Assumption 4. For any PPT algorithm A(p, E 0 , E 1 , . . ., E n ) that outputs a supersingular curve E/F p knowing a list of some supersingular curves E i /F p , there exists a PPT algorithm A ′ that outputs a computable F p -rational isogeny ϕ : Notice that this is a quite literal translation of Assumption 3 into the F p -isogeny graph, where we have to use curves instead of j-invariants: any supersingular invariant j ∈ F p will correspond to multiple curves which are Fp -isomorphic, but not F p -isomorphic, i.e. all the twists.Moreover, this assumption also captures the fact that twists are easy to compute, so an algorithm can easily generate E t from E, even without knowing an isogeny from E to E t .This new assumption is actually needed, and it doesn't seem to follow directly from the other two.Indeed, Assumption 2 and Assumption 4 are not related for the exact same reason for which Assumption 2 and Assumption 3 are not equivalent.Trying to directly

Sender Receiver
Input: (m0, m1) In conjunction with Remark 2, this means that our UC-EI model does not seem to impose any actual restrictions, and can almost be thought as equivalent to the plain UC model, with all the caveats of that remark.

Actively-Secure 2-Message Isogeny-Based OT
In this section we describe a 2-message OT protocol secure against malicious adversaries and give its security proof in the UC-EI model.We describe in Section 5.2 a variant of this protocol with 3 messages, but without the need of a trusted setup.Finally, a comparison of different isogeny-based OT protocols can be found in Section 5.3.

The Twist OT Protocol
The protocol Π tw , described in Figure 2, is exactly the 2-message protocol proposed by Lai et al. [LGD21].
The protocol is actually type-safe w.r.t.G tw , since the only operations we do on curves are twists and CSIDH actions.In addition, both functionalities F TSC and F RO can be easily seen to be type-safe. 3his protocol was only proved to be semi-honest secure in the UC framework by Lai et al.; in the same paper, the authors give a maliciously-secure version of it that requires two additional messages to allow the extraction of the input of a malicious receiver in the UC proof.We now show that this is not needed in our UC-EI setting.
Theorem 3. The protocol Π tw , described in Figure 2, UC-EI realizes the functionality F OT (Figure 4) in the (F RO , F TSC )-hybrid model in the presence of malicious adversaries and static corruptions, if the encryption scheme (KeyGen, Enc, Dec) is IND-CPA secure, the CSIDH vectorization problem is hard, and Assumption 1 holds.
Proof.We distinguish the main two cases of honest P S and corrupt P R and corrupt P S and honest P R .Proving security in the remaining two cases is straightforward.
Honest sender and corrupt receiver.We first describe the simulator S, and in particular how it can extract the input of the corrupt receiver to forward to the OT functionality.Simulation.Throughout the execution, S simulates the random oracle H by answering every new query with a random value from the relevant set and maintaining a list of past queries to answer repeated queries consistently.More concretely, S keeps a list L in E × K in which it stores all the past queries.It initializes the random oracle with an empty list, then for each query X ∈ E it checks whether (X, k) ∈ L for some k: if this is the case, returns that k, otherwise it samples a random k ←$ K, adds (X, k) to L and returns k.The simulator is defined by the following instructions: • Emulate the trusted setup step, defining the curve E = t ⋆ E 0 , with a randomly sampled t ∈ Cl(O).
• Set its public key as the honest sender A = s ⋆ E, for a random s ←$ Cl(O).
• When receiving the curve C from the adversary, also obtain an explanation query the functionality and get the message m σ .
• Sample two random keys k i ← − KeyGen() and for any additional query to H proceed as follows: -If query is s ⋆ C, then if σ ̸ = 0 send abort to F OT , otherwise returns k 0 -If query is s ⋆ C t , then if σ ̸ = 1 send abort to F OT , otherwise returns k 1 • Set any m i that it doesn't know to 0 (i.e.m 1−σ if σ ∈ {0, 1}, both m 0 , m 1 otherwise); then it computes c i = Enc ki (m i ).
• Finally, send A, c 0 , c 1 to the adversary.
Indistinguishability. We now prove indistinguishability between the real and ideal execution.Let Z S denote exec F ,S,Z , while Z π denote exec π,A,Z .Let Ab be the event that S aborts in an ideal execution.Write Then we have The theorem will then follow from the fact that both quantities are negligible.Indeed if S aborts, then we can solve a vectorization CSIDH problem, while if Z can distinguish we can break the IND-CPA property of the encryption scheme.More concretely, suppose that S does not abort, then we can construct an adversary D for the IND-CPA game as we describe in what follows.D internally runs Z against S, but stopping the execution before the simulator computes c 1−σ .Then D takes the input (m 0 , m 1 ) for the honest sender, and sends to the IND-CPA oracle the pair of messages (0, m 1−σ ), which returns At this points D resumes the execution, but it sets c 1−σ = c.Finally D outputs whatever Z outputs.Notice that when the bit b of the IND-CPA oracle is 1, D runs a perfect emulation of the real protocol, while if b = 0, D is running S.This means that In particular Z cannot distinguish S and the real world if the encryption scheme E is IND-CPA, in the case that S doesn't abort.We now estimate the probability of S aborting.Suppose then that we have a CSIDH problem E 1 = a ⋆ E 0 we want to solve.We create two possible solvers for this problem: • Algorithm D 1 will run S with E 1 as trusted setup.Then it will check if it can compute a from the queries and explanations that Z makes to the random oracle.
• Algorithm D 2 will run S with b ⋆ E 0 as trusted setup and b ⋆ E 1 as sender's public key.Then it will check queries to compute a value a ′ such that a ′ ⋆ (b In Table 1, we show how D 1 and D 2 can compute the solutions from the query.The rows are indexed by the explanation of the curve C and the query, while the columns are the explanation of the query.We now compute the probability that the simulator aborts, Pr[S aborts], and estimate it with the advantages of D 1 , D 2 for the CSIDH problem.Let T 1 be the event that Z makes one of the "forbidden" queries and explains it as y ⋆ A (so that t can be computed); let T 2 be the event that a forbidden query is made and is explained differently from y ⋆ A (in which case s can be computed).Notice that S only aborts when a forbidden query is made, so we have that Pr[S aborts] = Pr[T 1 ] + Pr[T 2 ].Moreover D i wins with probability 1 if event T i happens, so we have that In particular, we get that Pr[S aborts] ≤ Adv csidh D0 + Adv csidh D1 , from which we can finally conclude which proves indistinguishability, provided that the encryption scheme is IND-CPA and the CSIDH problem is hard.
Corrupt sender and honest receiver.As in the previous case, we first describe the simulator and then we argue indistinguishability between the real and ideal execution.
Simulation.The simulator S handles random oracles queries as in the previous case and does the following.
• Backdoor the trusted setup as before: sample t ←$ Cl(O) and set E = t ⋆ E 0 • Sample r ←$ Cl(O) and compute C = r ⋆ E. Set σ = 0 and send C to A. Then proceed as an honest party would do.
• If, at some point, A sends abort, then forward abort to the OT functionality.
• If receive (A, c 0 , c 1 ), together with an explanation for A, from A, using t can recover both the keys k 0 and k 1 as follows: k 0 = H(r ⋆ A) and k 1 = H(r −1 t −2 ⋆ A); then decrypt the two messages with the computed keys m i = Dec ki (c i ).Send m 0 , m 1 to the functionality.
• Output whatever the adversary outputs and halt.
Indistinguishability. In the trusted setup, the simulator backdoors the public curve, but this is unnoticeable to the adversary.After the setup phase, in the real protocol the curve C sent by the receiver is either r ⋆ E or (r ⋆ E) t depending on whether σ = 0 or σ = 1, respectively.In the former case the messages received by A are identically distributed in the two executions, in the latter case, by Assumption 1 the messages are computationally indistinguishable, since both r ⋆ E and (r ⋆ E) t are sampled from distributions that are computationally indistinguishable from uniform (notice that the twist of the uniform distribution is again uniform).Finally, using its knowledge of t it is straightforward to see that S is able to correctly extract the input of A. Therefore we can conclude that the two executions are indistinguishable.
In conclusion, by proving UC-EI security for the protocol Π tw , we can claim security against malicious adversaries of a two-round OT protocol that only requires 3 isogeny computations for the sender and 2 for the receiver.Removing one of the two assumptions, i.e., either ROM or TSC, without compromising the efficiency of the protocol, remains a fascinating open question, whose answer will probably require a completely different approach.

A 3-message variant
We can apply our model to prove UC-EI security of other isogeny-based OT protocols.We decided to only show this for a variant of Π tw that does not require a trusted setup, but unfortunately needs 3 messages, and thus it's not optimal.The protocol Π tw 3 , described in Figure 3, is similar to Π tw , except that now it is the sender P S that generates the curve E and sends it to the receiver P R .
Theorem 4. The protocol Π tw 3 , described in Figure 3, UC-EI realizes the functionality F OT in the random oracle model if the CSIDH vectorization problem is hard and the encryption scheme (KeyGen, Enc, Dec) is IND-CPA secure.
Sketch.As before we distinguish between the two main cases of corrupt sender and honest receiver and honest sender and corrupt receiver.Corrupt sender and honest receiver.As in the other proof, the twisting statistically hides the choice bit, since the lemma holds for any starting curve, even possibly ones that have been maliciously generated.Honest sender and corrupt receiver.This also works as in the other proof, since by simulating the honest sender we know t such that E = t ⋆ E 0 , which otherwise we knew by simulating the trusted setup functionality.

Efficiency and Comparison
In Table 2, we give a detailed comparison between the protocol Π tw presented in Section 5.1 and other isogeny-based OT protocols that have been proposed in the last few years; we considered only the ones whose security relies on CSIDH or variants.
In the table, we report the number of messages #M, the number of isogenies computed by the sender and the receiver, respectively, #(PK S , PK R ), the power of the adversary,  the proof framework, the model of computation, and the underlying hardness assumption on which the security of the protocol is based on.We denote the security parameter by λ.
A brief description of some of the works cited in Table 2 was already given in [LGD21].We recall here their main properties for completeness.In the first rows, we have semi-honest secure protocols.
In [DOPS20], the authors introduce the concept of masking, which generalizes the one of hard homogeneous spaces.The paper contains two passively secure OT protocols, one with two rounds, derived from the Shamir-3-Pass key transportation scheme, and the other with three rounds derived from the CO protocol.In addition, the authors prove that their two-round protocol can be extended to be secure against malicious adversaries using a transformation by Döttling et al. [DGH + 20], which increases the complexity of the protocol as a side effect.As mentioned before, the protocols are based on masking assumptions, ParallelEither, ParallelBoth and ParallelDouble, that can be instantiated with isogeny-based assumptions.The ParallelEither asks for either g ab or g a/b given g a , g b ; the ParallelBoth asks for g ba0/a1 or g ba1/a0 given g a0 , g a1 , g b ; the ParallelDouble asks for g ac and g bc given g a , g b , g c and a one-time access to an oracle that exponentiates by c.We refer to [DOPS20] for additional details.
In [ADMP20], the authors introduce a new framework based on group actions, from which they derive new cryptographic primitives based on CSIDH.In particular, they construct a "dual-mode encryption scheme" which allows them to use the framework by Peikert et al. [PVW08] to produce an OT protocol that is UC-secure against malicious adversaries.The resulting protocols has only two rounds, but it needs to generate O(λ) public keys and compute O(λ) isogenies.They also directly build a statistically senderprivate OT protocol, which still needs O(λ) public key operations.The security of these protocols relies on the weak pseudorandomness of the underlying EGA.
The recent paper [BMM + 23] constructs a 4-round maliciously secure protocol in the plain model, and a 2-round UC-secure protocol in the ROM+CRS model.They start from a semi-honest protocol and add a proof of knowledge to show that the messages are well-formed.Both protocols are based on the computational CSIDH problem, but need a number of isogeny computation that is linear in the security parameter λ, which mainly comes from the PoK.
Lai et al. [LGD21] describe the 2-round semi-honest protocol that we prove to be maliciously secure in the UC-EI model.This protocol is particularly efficient compared to other isogeny-based protocols as it requires only 2 round of communications and a constant, very low number of isogeny computations.The protocol requires both a random oracle and a trusted setup.

A.1 Elliptic Curves, Isogenies, Endomorphisms
An elliptic curve is a smooth curve of genus one with a distinguished rational point.More concretely, an elliptic curve E defined over a field K (denoted E/K) is the set of points satisfying the Weierstrass equation y 2 = x 3 + ax + b, with a, b ∈ K, with an additional "point at infinity".The points of an elliptic curve, denoted by E(K), have an abelian and algebraic group structure given by intersecting lines with the curve.Given two elliptic curves E 1 and E 2 over K, an isogeny ψ between E 1 and E 2 is a non-constant morphism between them.The degree of an isogeny is its degree as a rational map; an isogeny is said to be separable if its degree is equal to the size of its kernel.Given a finite subgroup G of E, there exists a separable isogeny ψ : E → E/G, with ker ψ = G, which is unique up to isomorphism.Both the isogeny ψ and image E/G can be computed from the kernel using Vélu's formulas [Vél71], whose efficiency depends on the smoothness of the isogeny degree.
An endomorphism of an elliptic curve E is an isogeny from E to itself.The set End(E) of endomorphisms of E, together with the zero map, is a ring.When E is defined over a finite field, the endomorphism ring of E is either an order in a quadratic field, in which case we say E is ordinary, or a maximal order in a quaternion algebra and E is called supersingular.For more background on elliptic curves, isogenies and their use in cryptography we refer to standard resources [Sil09,Feo17].

A.2 Other Computational Assumptions
The two main problems of isogeny based cryptography are the Endomorphism Ring Problem (EndRing) and the Isogeny Path Problem (IsogenyPath), which can be stated as follows.
Problem 5 (IsogenyPath).Given two isogenous supersingular curves E, E ′ , compute an isogeny ϕ : E → E ′ .This problem deals with the computational complexity of finding a path in the isogeny graph of all supersingular curves.Indeed, we know that for any pair of curves having the same number of points, there exists an isogeny between them; the problem then asks to explicitly compute it.
Since End(E) is a rank 4 lattice for supersingular curves, finding even one extra endomorphisms that is not "trivial" (i.e. a combination of scalar multiplications and the Frobenius) seems to be very hard.
One of the most important results for isogeny based cryptography is the following theorem that relates EndRing to IsogenyPath.

Theorem 5 ([Wes22b]). The problems EndRing and IsogenyPath are equivalent, under the generalised Riemann hypothesis (GRH).
We can also try to understand the relationship between CSIDH, where curves and isogenies are constrained to be F p -rational, and the general EndRing problem.In [CPV20], the authors describe an efficient algorithm that, given two curves E 1 , E 2 over F p and their full endomorphism rings, outputs a class group element a such that a • E 1 = E 2 .The problem is that this ideal usually doesn't have a smooth norm, so its action cannot be efficiently computed.In order to smoothen the norm, we need to find relations in Cl(O) and then run lattice reduction algorithms, which greatly increase complexity.This previous result can be made effective, and we actually have the following equivalence.the environment is activated, it can read the output tapes of all honest parties and A, and it can activate a subset of the parties and A by writing input messages on their input tapes.Parties, once activated, can perform local computation, write on their output tape, send messages to other parties and send subroutine output messages to Z.The adversary A can send backdoor messages to Z and all parties, and receive backdoor messages from all parties.We say that the adversary is passive (or semi-honest) if it always instructs the corrupt parties to follow the protocol; while we say that the adversary is malicious if it may instruct the corrupt parties to arbitrarily deviate from the protocol's instructions.We let exec π,A,Z (κ, z, r) denote Z's output on input z and security parameter κ, after interacting with A, P 1 , . . ., P n running the protocol Π with random tape r.
Ideal model.In the ideal protocol ]ideal F , we have n dummy parties P 1 , . . ., P n which interact with an ideal functionality F in a simple way: they pass their private inputs to F and wait for it to return their assigned output.There is also an ideal-adversary S which is responsible for the delivery of messages.The ideal functionality F defines the desired behaviour of the computation, playing the role of a trusted third party, and can communicate with the ideal adversary S by providing and receiving backdoor information.Finally, the same environment Z is present in the ideal world.Z also prescribes the inputs and observes the outputs of all parties.We only consider static corruptions, hence the set of corrupt parties is fixed before the start of the computation and is known to F, Z and S. We let exec F ,S,Z (κ, z, r) denote Z's output on input z and security parameter κ, after interacting with S and dummy parties P 1 , . . ., P n that interact with F using random tape r.UC emulation.One of the main concept of the UC framework is that of UC-emulation.Informally, it involves two protocols, say π and ϕ, and we say that π UC-emulates ϕ (π ∼ ϕ), if for every efficient adversary A in an execution of π, there is an efficient ideal adversary S in an execution of ϕ, such that no efficient environment Z can distinguish an execution of π with A and an execution of ϕ with S, i.e. exec π,A,Z ≈ exec ϕ,S,Z .In particular, it implies that π can be safely used on behalf of ϕ without compromising security.
Since the security of protocols is defined by comparing the "real" protocol execution with an "ideal" one, we can instantiate the concept of protocol emulation with the very special case of ϕ being an ideal protocol ideal F for the functionality F. Therefore, we say that π UC-emulates F if we can infer that π does not leak any other information to an adversary than F would have, and hence securely realizes the given task no matter how many other instances of π and/or other protocols are executed concurrently.In this case we write exec π,A,Z ≈ exec F ,S,Z .Definition 11.We say that a protocol π UC-realizes an ideal functionality F if π UC-emulates the ideal protocol ideal F .
Hybrid model.When a protocol π uses an ideal functionality G as a sub-routine, the UC-framework considers the G-hybrid model.In this case the parties, in both real and ideal world, have access to a copy of the ideal functionality G.In the real world, this is an independent trusted party that executes the functionality honestly.In the ideal world, S executes an internal copy of the functionality G and only interacts with F. An important property of the UC framework is that the ideal functionality G in a G-hybrid model can be replaced with a protocol ρ that UC-realizes G.More concretely, let ρ be a protocol that securely realizes G and let π ρ be identical to π with the exception that the interaction with each copy of G is replaced with an interaction of a separate instance of ρ.Then π and π ρ have essentially the same input/output behaviour.In particular, if π securely realizes F in the G-hybrid model, then π ρ securely realizes F in the standard model, i.e., without access to G and any other functionalities.In the following, we informally state the composition theorem.

Functionality F OT
The functionality runs with a receiver PR, a sender PS and an adversary S 1.On input (receive, sid, σ) from PR, if no message with the same sid has been stored, store (receive, sid, σ).
2. On input (send, sid, (m0, m1)) from PS, if no message with the same sid has been stored, store (send, sid, (m0, m1)).).Let π be a protocol that UC-securely realizes the ideal functionality F in the G-hybrid model, let ϕ be a protocol that UC-securely realizes the ideal functionlity G, then the protocol π ϕ , obtained by replacing each call to the ideal functionality G in π with a call to the sub-protocol ϕ, securely realizes F in the standard model.

A.4 Functionalities
In this work we will make use of relatively standard functionalities.The main OT functionality, F OT , described in Figure 4, is a standard 2-party functionality.
We will also need a random oracle functionality, F RO , as described in Figure 5.It initially contains an empty list L, then, each time it receives a query m from a fixed domain D, it checks if the queried value m is already present in the list l.If this is the case, the functionality output the pair (m, k) in L; otherwise, it samples a random k ←$ R, outputs (m, k), and stores that pair in L.
Finally, we will make use of a trusted setup F TSC , described in Figure 6, that fixes a starting curve E ∈ E. Note that it outputs E = t ⋆ E 0 , but not t which maps E 0 to E.

B The Algebraic Adversary Model
Here, we briefly recall the algebraic group model by Fuchsbauer, Kiltz and Loss [FKL18], and in particular its instantiation in the UC framework, resulting in the UC-AGM as described by Abdalla et al. [ABK + 21].We also show how the AGM enables a proof of the "simplest OT" by Chou and Orlandi [CO15].
The UC-AGM Framework.The setting involves a group G of prime order p, with known generator g.We collect those parameters in G = (G, g, p).Roughly, an algebraic adversary, compared to a standard adversary, has an additional auxiliary tape on which it writes the representation of any group element it outputs on some other tapes.More formally, we have the following definition.
Definition 12. Suppose a protocol π uses the group G as above.A pair of environment Z and adversary A is said (G , π)-algebraic if it satisfies the following conditions.
1.A has a special output tape called algebraic tape; With this definition, it is possible to restrict standard UC-emulation to algebraic adversaries and environments.Definition 13.Suppose protocols π and ϕ involve the same group G .We say that π G -AGM emulates ϕ if for any efficient adversary A there is an efficient simulator S such that for any efficient environment Z with (Z, A) that is (G , π)-algebraic we have that also (Z, S) is (G , ϕ)-algebraic and exec ϕ,S,Z ≈ exec π,A,Z .
We can apply the definition of AGM-emulations (Definition 13) to an ideal protocol ideal F and instantiate Definition 11 accordingly.
Like in standard UC, we can use dummy adversaries also in this algebraic setting; we only need to pay attention to the algebraic representations that the environment send to the adversary, because we don't want to forward them to the actual protocol.Definition 14. Suppose the protocol π involves G .An adversary D is (G , π)-algebraically dummy if it only forwards messages in this way: • For any received message of the type (backdoor, m) from a party ID, it sends (backdoor, (ID, m)) to Z.
• For any (input, (ID, m)) from Z, it sends (input, m ′ ) to ID, where m ′ is equal to m, but without all algebraic representations X of elements h ∈ G which are inside m.
Using this definition of dummy adversary we then have the following theorem.
Theorem 9. Suppose protocols π and ϕ involve group G .Then π G -AGM emulates ϕ if and only if π G -AGM emulates ϕ with respect to the dummy adversary.
Observe also that since the dummy adversary doesn't output any algebraic representation, they must all come from the environment Z.

OT
The functionality runs with a receiver PR, a sender PS and an adversary S • On input (receive, sid, σ) from PR or S, if no message with the same sid has been stored, store (receive, sid, σ) and notify S.
• On input (deliver, sid, S) from the adversary, if it was previously output (output, sid, mσ), then send (output, sid) to PS; otherwise output ⊥ to S. Proof.We construct a simulator S for the dummy algebraic adversary in each of the four corruption cases.By definition, this means that all group elements output by Z to S must have a representation.
Corrupted sender and honest receiver: When S receives A from the adversary, it also learns the value a such that A = g a .The simulator then chooses a random b, computes B = g b , and sends it back to A.
Then it computes the key k = H(A b ).When the adversary sends any (c 0 , c 1 ), the simulator sends (c 0 ⊕ k, c 1 ⊕ k) to the trusted party and makes it deliver to the honest receiver.
This simulates correctly since the output of the receiver is identical in both the ideal and the real execution; moreover the distributions g aσ+b and g b are identical, so the environment cannot distinguish between the case σ = 0 and σ = 1.
Honest sender and corrupted receiver: The simulator samples a, computes A = g a and sends it to the adversary, which responds with an arbitrary element B; since A is algebraic, it must also output a representation B = A x g y .
If x ∈ {0, 1}, the simulator queries the functionality with this bit, and sets m x to the retrieved value; in all other cases (i.e.i = 1 − x, or both 0 and 1 if x ̸ ∈ {0, 1}), it sets m i to null.It also samples random c 0 , c 1 .
The simulator also runs the random oracle, and checks the queries made to it.In particular, upon learning B, it retroactively checks all queries for the values B a g −ia 2 : if m i is null the simulator aborts, otherwise it sets c i = k i ⊕ m i , where k i was the answer of the query; it also does this for future queries, this time by computing the answer as k i = c i ⊕ m i .This means that S aborts precisely when x ∈ {0, 1} and A queries for both B a and B a g −a 2 , of if x ̸ ∈ {0, 1} and A queries at least one of B a or B a g −a 2 .
The simulator concludes the simulation by sending (c 0 , c 1 ) to the adversary.Notice that when S does not abort, the simulation is perfect.Thus, the proof follows from this claim: Claim.S aborts with negligible probability if the discrete logarithm is hard.
Proof.Suppose we want to solve the discrete logarithm problem A = g a , using A as an oracle.We feed A the element A as coming from the simulator.Notice that now the simulator cannot check what is the query that makes it abort, so the solver for the discrete logarithm problem analyzes all queries made by A, and for each of them tries to solve the equation in z and checks if g z = A, thus finding the secret exponent.
• Case x ̸ ∈ {0, 1}.Suppose A queries B z .Being algebraic, it must know a representation B z = A s g t .But this means that g z 2 x+zy = (A x g y ) z = B z = g sz+t , i.e. z 2 x + z(y − s) − t ≡ 0 (mod p) from which we can compute z.In the other case we have that B z g −z 2 = A s g t , for which the equation is z 2 (x − 1) + zy ≡ sz + t (mod p), which also has a solution.
• Case x = 0.The adversary A has queried B z g −z 2 , for which it knows a representation A s g t .Then it gets the equation zy − z 2 ≡ sz + t (mod p), which has a solution.
• Case x = 1.The adversary A has queried B z , and represents it as A s g t .Then the equation is z 2 + zy ≡ sz + t (mod p), which also has a solution.
This concludes the proof of the claim.
Honest sender and honest receiver: This simulation can be constructed putting together both simulations above, as we did in the proof of the toy protocol.This concludes the proof since if the simulator doesn't abort, the simulation is perfect, given that the keys queried from the random oracle statistically hide the messages.Finally we observe that all the simulators we have constructed are algebraic themselves.
the set of curves having O has their F p -endomorphism ring, we have a free and transitive action of the class group Cl(O)×E → E given by a⋆E := E/E[a].

Figure 1 :
Figure 1: Compiled protocol AA(π, {Q 1 }) defined by independently sampling (a, e) from Cl(O) as in CSIDH, and choosing a random bit b ∈ Z/2Z; the group element is (a, b) and the hint is e ′ = (e, b) is an HEGA.Moreover, if Assumption 1 holds, D Gtw is close to the uniform distribution.

Figure 2 :
Figure 2: The twist OT protocol by Lai et al.

Figure 3 :
Figure 3: The twist protocol without trusted setup

Figure 5 :
Figure 5: Random oracle functionality Functionality F TSC The functionality runs with a receiver PR, a sender PS and an adversary S -Upon activation, sample t ←$ Cl and output the curve t ⋆ E0.

Figure 6 :
Figure 6: Trusted setup functionality 2. Whenever A sends a (backdoor, m) message to a party and m contains an element h ∈ G, then either (a) It must provide (to a special "algebraic tape") an algebraic representation X of h, or (b) A has previously received such algebraic representation from Z,where the algebraic representation of h is a list X = [(g 1 , x 1 ), . . ., (g k , x k )] such that h = k i=1 g xi i and g i are group elements already seen by A or Z in the execution of π.

Figure 8 :
Figure 8: OT functionality in the AGM-UC framework

Table 1 :
The computable solutions to the CSIDH problem

Table 2 :
Comparison of some properties of proposed OT protocols S sends abort, forward abort to the honest parties.Otherwise, on input (deliver, sid) from the adversary, if there have been stored both messages (receive, sid, σ) and (send, sid, (m0, m1)), send (output, sid, mσ) to PR.The functionality runs with a receiver PR, a sender PS and an adversary S. It is parametrized by a domain D and range R. It keeps a list L of pairs of values, which is initially empty and proceeds as follows: 1. Upon receiving a querym ∈ D, if there is a pair (m, k ′ ) ∈ L, set k = k ′ ; otherwise choose k ←$ R and store (m, k) in L.2.Output k.