mplang-nightly 0.1.dev158__py3-none-any.whl → 0.1.dev268__py3-none-any.whl

mplang/v2/libs/mpc/psi/oprf.py

@@ -0,0 +1,310 @@
+# Copyright 2025 Ant Group Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Oblivious Pseudorandom Function (OPRF).
+
+Implements KKRT-style OPRF based on OT Extension.
+Ref: https://eprint.iacr.org/2016/799.pdf
+"""
+
+from __future__ import annotations
+
+from typing import Any, cast
+
+import jax.numpy as jnp
+
+import mplang.v2.edsl as el
+from mplang.v2.dialects import simp, tensor
+from mplang.v2.libs.mpc.ot import extension as ot_extension
+
+
+def eval_oprf(
+    receiver_inputs: el.Object,  # (N, 16) bytes
+    sender: int,
+    receiver: int,
+    num_items: int,
+) -> tuple[el.Object, el.Object]:
+    """Evaluate OPRF on receiver's inputs using KKRT-style protocol.
+
+    Protocol Overview:
+    ──────────────────────────────────────────────────────────────────────────
+    This implements a simplified KKRT OPRF using IKNP OT Extension as the base.
+
+    Parties:
+    - Sender: Has secret key (T matrix, s vector) from IKNP
+    - Receiver: Has inputs x₁, ..., xₙ and gets PRF outputs
+
+    Key Relations (IKNP):
+    ──────────────────────────────────────────────────────────────────────────
+    Let:
+        Q[i]: (K,) bit vector - receiver's OT output for row i
+        T[i]: (K,) bit vector - sender's OT output for row i
+        s:    (K,) bit vector - sender's secret (random)
+        c[i]: 1 bit - receiver's choice bit for row i
+
+    IKNP Correlation:
+        T[i][j] = Q[i][j] ⊕ (c[i] · s[j])    for all j ∈ [0, K)
+
+    Where ⊕ is XOR and · is AND.
+    This means: if c[i] = 1: T[i] = Q[i] ⊕ s
+                if c[i] = 0: T[i] = Q[i]
+
+    Simplified OPRF Construction:
+    ──────────────────────────────────────────────────────────────────────────
+    Choice bits: c[i] = encode(x_i)[0]  (first bit of item encoding)
+
+    Receiver output:  PRF(x_i) = pack(Q[i])  (just pack the Q matrix row)
+    Sender can eval:  PRF(y) = pack(T[row(y)])  (pack corresponding T row)
+
+    When x_i == y and they map to same row: outputs match due to IKNP relation.
+
+    Note: Full KKRT uses Cuckoo hashing to map items to rows. This simplified
+    version assumes sequential mapping (item i uses row i).
+
+    Args:
+        receiver_inputs: (N, 16) byte tensor of receiver's inputs
+        sender: Rank of sender party
+        receiver: Rank of receiver party
+        num_items: Number of items N
+
+    Returns:
+        Tuple of:
+        - sender_key: (T, s) tuple on sender - T is (N, K) bit matrix, s is (K,)
+        - receiver_outputs: (N, 32) byte tensor of OPRF outputs on receiver (SHA256)
+    """
+    K = 128  # Security parameter (OT extension width)
+
+    # ═════════════════════════════════════════════════════════════════════════
+    # Step 1: Encode receiver's inputs to choice bits for IKNP
+    # ═════════════════════════════════════════════════════════════════════════
+    # For each input x_i, we need K choice bits for IKNP OT Extension.
+    # We use a deterministic encoding: unpack bytes to bits.
+
+    def encode_inputs(inputs: el.Object) -> el.Object:
+        """Encode (N, 16) byte inputs to (N, K) bit codes.
+
+        Each 16-byte input is unpacked to 128 bits.
+        These bits serve as the receiver's OT choices.
+        """
+
+        def _encode(x: Any) -> Any:
+            # x: (N, 16) uint8 array
+            # Unpack each byte to 8 bits: (N, 16) -> (N, 128)
+            unpacked = jnp.unpackbits(x, axis=1)  # (N, 128)
+            # Ensure exactly K bits
+            return unpacked[:, :K].astype(jnp.uint8)  # (N, K)
+
+        return cast(el.Object, tensor.run_jax(_encode, inputs))
+
+    choice_codes = simp.pcall_static((receiver,), encode_inputs, receiver_inputs)
+    # choice_codes: (N, K) bit matrix on receiver
+
+    # ═════════════════════════════════════════════════════════════════════════
+    # Step 2: Extract first bit of each code as IKNP choice bits
+    # ═════════════════════════════════════════════════════════════════════════
+    # Simplified: use only first bit of encoding as OT choice
+    # Full KKRT would use all K bits differently
+
+    # ═════════════════════════════════════════════════════════════════════════
+    # Step 3: Run IKNP OT Extension to generate correlated matrices Q and T
+    # ═════════════════════════════════════════════════════════════════════════
+    # IKNP generates:
+    #   Q: (N, K) on receiver - one K-bit row per item
+    #   T: (N, K) on sender   - correlated via T[i] = Q[i] ⊕ (choice[i] · s)
+    #   s: (K,) on sender     - random secret vector
+
+    # Pass full K-bit codes as choice bits (N, K)
+    t_matrix, q_matrix, s = ot_extension.iknp_core(
+        choice_codes, sender, receiver, num_items
+    )
+    # t_matrix: (N, K) on sender
+    # q_matrix: (N, K) on receiver
+    # s: (K,) on sender
+
+    # ═════════════════════════════════════════════════════════════════════════
+    # Step 4: Compute OPRF outputs
+    # ═════════════════════════════════════════════════════════════════════════
+    # Simplified KKRT:
+    #   Receiver: output_i = pack(Q[i])  (pack 128 bits to 16 bytes)
+    #   Sender:   can later compute pack(T[i]) for matching items
+
+    def compute_receiver_outputs(q: el.Object, codes: el.Object) -> el.Object:
+        """Compute receiver's OPRF outputs by packing Q matrix rows.
+
+        Args:
+            q: (N, K) bit matrix Q from IKNP
+            codes: (N, K) bit codes (not used in simplified version)
+
+        Returns:
+            (N, 16) packed bytes - OPRF output for each input
+        """
+
+        def _process(q_mat: Any, code_mat: Any) -> Any:
+            # q_mat: (N, K=128) bits
+            # Pack each row from 128 bits to 16 bytes
+            packed = jnp.packbits(q_mat, axis=1)  # (N, 16) uint8
+            return packed
+
+        packed_q = cast(el.Object, tensor.run_jax(_process, q, codes))
+
+        # Security Fix: Hash the OT output to implement a Random Oracle
+        # OPRF = H(OT_output, input_tweaks...)
+        # Here we use the shared vec_hash utility which handles domain separation.
+        return ot_extension.vec_hash(packed_q, domain_sep=0x0CDF, num_rows=num_items)
+
+    receiver_outputs = simp.pcall_static(
+        (receiver,), compute_receiver_outputs, q_matrix, choice_codes
+    )
+    # receiver_outputs: (N, 32) on receiver
+
+    # ═════════════════════════════════════════════════════════════════════════
+    # Step 5: Package sender's key for later PRF evaluation
+    # ═════════════════════════════════════════════════════════════════════════
+    # Sender keeps (T, s) to evaluate PRF on any input later
+    sender_key = simp.pcall_static((sender,), lambda t, s_: (t, s_), t_matrix, s)
+    # sender_key: tuple (T, s) on sender where T is (N,K), s is (K,)
+
+    return sender_key, receiver_outputs
+
+
+# =============================================================================
+# KKRT OPRF Sender Evaluation (Vectorized)
+# =============================================================================
+#
+# KKRT Formula:
+# ─────────────────────────────────────────────────────────────────────────────
+#   For sender with key (T, s) and input y:
+#     code_y = encode(y)              # K bits
+#     output = pack(T[row] XOR (code_y * s))
+#
+#   For receiver with Q matrix and input x:
+#     code_x = encode(x)              # K bits
+#     output = pack(Q[row] XOR code_x)
+#
+#   When x == y:
+#     T[row] XOR (code_x * s) == Q[row] XOR code_x  ✅ (due to IKNP correlation)
+# =============================================================================
+
+
+def sender_eval_prf_batch(
+    sender_key: el.Object,  # Tuple (t_matrix, s) on sender
+    sender_items: el.Object,  # (M, 16) bytes - items to evaluate
+    sender: int,
+    num_items: int,
+) -> el.Object:
+    """Evaluate PRF on sender's side for a batch of items.
+
+    Args:
+        sender_key: The key tuple (t_matrix, s) from eval_oprf.
+        sender_items: (M, 16) byte tensor of sender's items.
+        sender: Rank of sender party.
+        num_items: Number of items M (must be provided).
+
+    Returns:
+        (M, 32) byte tensor of PRF outputs on sender.
+    """
+    K = 128
+
+    def compute_sender_outputs(key: el.Object, items: el.Object) -> el.Object:
+        """Compute sender's PRF outputs using KKRT formula."""
+
+        def _eval(key_tuple: Any, x: Any) -> Any:
+            t_matrix, s = key_tuple
+            M = x.shape[0]
+            N = t_matrix.shape[0]
+
+            # Encode items to get choice bits
+            # Unpack: (M, 16) -> (M, 128) bits
+            codes = jnp.unpackbits(x, axis=1)[:, :K]  # (M, K)
+
+            # Compute (codes · s) for each item
+            # Masking s with item codes ensures result depends on EVERY bit
+            # codes: (M, K), s: (K,) -> broadcast to (M, K)
+            code_masked = jnp.where(codes, s, 0).astype(t_matrix.dtype)
+
+            # Use row i for item i
+            M_clipped = min(M, N)
+            t_rows = t_matrix[:M_clipped]  # (M_clipped, K)
+
+            # KKRT: output = T[i] XOR (first_bit[i] · s)
+            xored = jnp.bitwise_xor(t_rows, code_masked[:M_clipped])  # (M_clipped, K)
+
+            # Pack to bytes
+            packed = jnp.packbits(xored, axis=1)  # (M_clipped, 16)
+
+            # Pad if needed
+            if M > N:
+                padding = jnp.zeros((M - N, 16), dtype=packed.dtype)
+                packed = jnp.concatenate([packed, padding], axis=0)
+
+            return packed
+
+        raw_outputs = cast(el.Object, tensor.run_jax(_eval, key, items))
+
+        return ot_extension.vec_hash(raw_outputs, domain_sep=0x0CDF, num_rows=num_items)
+
+    return cast(
+        el.Object,
+        simp.pcall_static((sender,), compute_sender_outputs, sender_key, sender_items),
+    )
+
+
+def sender_eval_prf(
+    sender_key: el.Object,  # Tuple (t_matrix, s) on sender
+    candidate: el.Object,  # (16,) bytes to evaluate
+    sender: int,
+) -> el.Object:
+    """Evaluate PRF on sender's side for a single candidate.
+
+    This allows sender to compute PRF(k, y) for any y.
+
+    Args:
+        sender_key: The key tuple from eval_oprf.
+        candidate: A single 16-byte input to evaluate.
+        sender: Rank of sender party.
+
+    Returns:
+        (32,) byte tensor of PRF output on sender.
+    """
+    K = 128
+
+    def _eval(key: el.Object, cand: el.Object) -> el.Object:
+        def _compute(key_tuple: Any, c: Any) -> Any:
+            t_matrix, s = key_tuple
+
+            # Encode candidate to K bits
+            code = jnp.unpackbits(c)[:K]  # (K,)
+
+            # KKRT formula: output = pack(t_row XOR (code * s))
+            t_row = t_matrix[0]  # (K,) - use first row
+            code_masked = jnp.bitwise_and(code, s)  # (K,)
+            xored = jnp.bitwise_xor(t_row, code_masked)  # (K,)
+
+            # Pack to bytes
+            packed = jnp.packbits(xored)  # (16,)
+
+            # Reshape to (1, 16) for vec_hash
+            return packed.reshape(1, 16)
+
+        raw_out_batch = cast(el.Object, tensor.run_jax(_compute, key, cand))
+
+        # Use batched hash with num_rows=1
+        hashed_batch = ot_extension.vec_hash(
+            raw_out_batch, domain_sep=0x0CDF, num_rows=1
+        )
+
+        # Flatten back to (32,) using slice to avoid extra run_jax node
+        return tensor.slice_tensor(hashed_batch, (0, 0), (32,))
+
+    return cast(el.Object, simp.pcall_static((sender,), _eval, sender_key, candidate))

mplang/v2/libs/mpc/psi/rr22.py

@@ -0,0 +1,344 @@
+# Copyright 2025 Ant Group Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Private Set Intersection using VOLE and OKVS (RR22-Style).
+
+This module implements a high-performance PSI protocol based on the "Blazing Fast PSI"
+(RR22) paper. The protocol relies on Vector Oblivious Linear Evaluation (VOLE) and
+Oblivious Key-Value Stores (OKVS) to achieve efficient set intersection with linear
+communication O(N) and computation complexity.
+
+Protocol Overview:
+The core idea is to mask a "Polynomial" (encoded via OKVS) with VOLE-correlated randomness,
+such that the mask can only be removed (and the polynomial verified) if the parties share
+the same element.
+
+Phases:
+1.  **Correlated Randomness (VOLE)**:
+    Sender and Receiver establish a shared correlation:
+    W = V + U * Delta
+    - Sender holds U, V.
+    - Receiver holds W, Delta.
+    - U is random. Delta is a fixed secret scalar (Receiver's key).
+
+2.  **Encoding (OKVS)**:
+    Receiver encodes their input set Y into a structure P using OKVS, such that:
+    Decode(P, y) = H(y) for all y in Y.
+    Here H(y) is a Random Oracle (implemented via Davies-Meyer/AES).
+
+3.  **Masking & Exchange**:
+    Receiver masks the structure P with their VOLE share W:
+    Q = P ^ W
+    Receiver sends Q to Sender.
+
+4.  **Decoding & Verification**:
+    Sender attempts to decode Q for each of their items x in X.
+    Since OKVS is linear:
+    Decode(Q, x) = Decode(P, x) ^ Decode(W, x)
+
+    Sender reconstructs the potential "Target" value T:
+    T = Decode(Q, x) ^ Decode(V, x) ^ H(x)
+
+    If x in Y (Intersection):
+       Decode(P, x) = H(x)
+       Decode(W, x) = Decode(V, x) ^ Decode(U, x) * Delta
+    Substitute into T:
+       T = H(x) ^ (Decode(V, x) ^ Decode(U, x) * Delta) ^ Decode(V, x) ^ H(x)
+       T = Decode(U, x) * Delta
+
+    Thus, verification becomes checking if T == U* * Delta, where U* = Decode(U, x).
+    This check is performed securely using hashes to prevent leakage.
+"""
+
+from typing import Any, cast
+
+import jax.numpy as jnp
+
+import mplang.v2.edsl as el
+import mplang.v2.libs.mpc.ot.silent as silent_ot
+from mplang.v2.dialects import field, simp, tensor
+
+
+def psi_intersect(
+    sender: int,
+    receiver: int,
+    n: int,
+    sender_items: el.Object,
+    receiver_items: el.Object,
+) -> el.Object:
+    """Execute OKVS-based PSI Protocol.
+
+    Args:
+        sender: Rank of Sender.
+        receiver: Rank of Receiver.
+        n: Number of items (must be same for now).
+        sender_items: Object located at Sender containing (N,) u64 items.
+        receiver_items: Object located at Receiver containing (N,) u64 items.
+
+    Returns:
+        Intersection verification tuple (T, U*, Delta).
+    """
+
+    # Validation
+    if sender == receiver:
+        raise ValueError(
+            f"Sender ({sender}) and Receiver ({receiver}) must be different."
+        )
+
+    if n <= 0:
+        raise ValueError(f"Input size n must be positive, got {n}.")
+
+    # =========================================================================
+    # Phase 1. Parameter Setup & Topology
+    # =========================================================================
+    # OKVS Size M = expansion * N.
+    # The expansion factor is critical for the success probability of the "Peeling"
+    # algorithm used in OKVS encoding (Garbled Cuckoo Table).
+    # Larger N allows smaller expansion (closer to theoretical 1.23) while maintaining safety.
+    import mplang.v2.libs.mpc.psi.okvs_gct as okvs_gct
+
+    expansion = okvs_gct.get_okvs_expansion(n)
+    M = int(n * expansion)
+
+    # Align M to 128 boundary for efficient batch processing in Silent VOLE (LPN)
+    if M % 128 != 0:
+        M = ((M // 128) + 1) * 128
+
+    # =========================================================================
+    # Phase 2. Correlated Randomness Generation (VOLE)
+    # =========================================================================
+    # Parties run Silent VOLE (based on LPN assumption) to generate:
+    #   Sender:   U, V  (Vectors of size M)
+    #   Receiver: W, Delta
+    # Correlation: W = V + U * Delta
+    #
+    # Note: U is uniformly random. It acts as a "One-Time Pad" key for the protocol.
+
+    # silent_vole_random_u returns (v, w, u, delta)
+    res_tuple = silent_ot.silent_vole_random_u(sender, receiver, M, base_k=1024)
+    v_sender, w_receiver, u_sender, delta_receiver = res_tuple[:4]
+
+    # =========================================================================
+    # Phase 3. Receiver Encoding & Masking (OKVS)
+    # =========================================================================
+    # The Receiver encodes their input set Y into the OKVS structure P.
+    # Goal: Decode(P, y) = H(y)  forall y in Y.
+    #
+    # Then, Receiver masks P with the VOLE output W to get Q:
+    # Q = P ^ W
+    # This Q is sent to the Sender.
+
+    # 3.1 Generate OKVS Seed (Public/Session Randomness)
+    # Used for OKVS hashing distribution. Can be public, but generated at runtime for safety.
+    from mplang.v2.dialects import crypto
+    from mplang.v2.edsl import typing as elt
+
+    def _gen_seed() -> Any:
+        return crypto.random_tensor((2,), elt.u64)
+
+    okvs_seed = simp.pcall_static((receiver,), _gen_seed)
+    okvs_seed_sender = simp.shuffle_static(okvs_seed, {sender: receiver})
+
+    # Instantiate OKVS Data Structure
+    okvs = okvs_gct.SparseOKVS(M)
+
+    def _recv_ops(y: Any, w: Any, delta: Any, seed: Any) -> Any:
+        # y: (N,) Inputs
+        # w: (M, 2) VOLE share
+
+        # 3.2 Compute H(y) - The Random Oracle Target
+        # We use Davies-Meyer construction: H(x) = E_x(0) ^ x
+        # This is a standard, efficient, and robust way to instantiate a RO from AES.
+
+        def _reshape_seeds(items: Any) -> Any:
+            # Prepare items as AES keys (128-bit)
+            lo = items
+            hi = jnp.zeros_like(items)
+            return jnp.stack([lo, hi], axis=1)  # (N, 2)
+
+        seeds = tensor.run_jax(_reshape_seeds, y)
+        res_exp = field.aes_expand(seeds, 1)  # (N, 1, 2)
+
+        def _davies_meyer(enc: Any, s: Any) -> Any:
+            enc_flat = enc.reshape(enc.shape[0], 2)
+            return jnp.bitwise_xor(enc_flat, s)
+
+        h_y = tensor.run_jax(_davies_meyer, res_exp, seeds)
+
+        # 3.3 Solve System of Linear Equations (OKVS Encode)
+        # We find P such that: P * M_okvs(y) = h_y
+        p_storage = okvs.encode(y, h_y, seed)
+
+        # 3.4 Mask with Vole Share
+        # Q = P ^ W
+        q_storage = field.add(p_storage, w)
+
+        return q_storage
+
+    # Execute on Receiver
+    q_shared = simp.pcall_static(
+        (receiver,), _recv_ops, receiver_items, w_receiver, delta_receiver, okvs_seed
+    )
+
+    # 3.5 Send Q to Sender
+    q_sender_view = simp.shuffle_static(q_shared, {sender: receiver})
+
+    # =========================================================================
+    # Phase 4. Sender Decoding & Reconstruction
+    # =========================================================================
+    # Sender uses Q and their local shares (U, V) to reconstruct T.
+    #
+    # Derivation:
+    # 1. S_decoded = Decode(Q, x) = Decode(P ^ W, x) = P(x) ^ W(x)
+    # 2. Recall W(x) = V(x) ^ U(x)*Delta (VOLE property)
+    # 3. So S_decoded = P(x) ^ V(x) ^ U(x)*Delta
+    #
+    # 4. Sender computes T = S_decoded ^ V(x) ^ H(x)
+    #    T = P(x) ^ V(x) ^ U(x)*Delta ^ V(x) ^ H(x)
+    #    T = P(x) ^ H(x) ^ U(x)*Delta
+    #
+    # 5. If x is in Intersection (Meanings x == y for some y):
+    #    Then P(x) == H(x) (by OKVS property)
+    #    So T = H(x) ^ H(x) ^ U(x)*Delta
+    #    T = U(x)*Delta
+    #
+    # This relation T == U* * Delta is what we verify in Phase 5.
+
+    def _sender_ops(x: Any, q: Any, u: Any, v: Any, seed: Any) -> tuple[Any, Any]:
+        # x: (N,) Sender Items
+        # q: (M, 2) Received OKVS
+
+        # 4.1 Decode Q and V at x
+        # OKVS Decode is a linear combination of storage positions.
+        s_decoded = okvs.decode(x, q, seed)
+        v_decoded = okvs.decode(x, v, seed)
+
+        # 4.2 Compute H(x)
+        def _reshape_seeds(items: Any) -> Any:
+            lo = items
+            hi = jnp.zeros_like(items)
+            return jnp.stack([lo, hi], axis=1)
+
+        seeds_x = tensor.run_jax(_reshape_seeds, x)
+        res_exp_x = field.aes_expand(seeds_x, 1)
+
+        def _davies_meyer(enc: Any, s: Any) -> Any:
+            enc_flat = enc.reshape(enc.shape[0], 2)
+            return jnp.bitwise_xor(enc_flat, s)
+
+        h_x = tensor.run_jax(_davies_meyer, res_exp_x, seeds_x)
+
+        # 4.3 Compute T candidate
+        # T = S ^ V ^ H(x)
+        # Note: s_decoded is (S^V^U*Delta) effectively
+        t_val = field.add(s_decoded, v_decoded)
+        t_val = field.add(t_val, h_x)
+
+        # 4.4 Compute U* = Decode(U, x)
+        # This is the sender's share of the randomness for item x.
+        s_u = field.decode_okvs(x, u, seed)
+
+        return t_val, s_u
+
+    t_val_sender, u_star_sender = simp.pcall_static(
+        (sender,),
+        _sender_ops,
+        sender_items,
+        q_sender_view,
+        u_sender,
+        v_sender,
+        okvs_seed_sender,
+    )
+
+    # =========================================================================
+    # Phase 5. Secure Verification
+    # =========================================================================
+    # The Protocol invariant is T == U* * Delta for intersection items.
+    #
+    # Security Risk:
+    # We must NOT reveal T or Delta to the other party.
+    # - If Receiver learns T, they can compute Diff = T - U*Delta = H(x) + ... and attack x.
+    # - If Sender learns Delta, VOLE security collapses.
+    #
+    # Secure Verification Method:
+    # 1. Sender sends U* (Random Mask share) to Receiver.
+    #    - U* is derived from U (random VOLE inputs) so it reveals nothing about X.
+    #
+    # 2. Receiver computes Target = U* * Delta.
+    #    - This allows Receiver to construct the expected value of T without knowing T's components.
+    #
+    # 3. Receiver Hashes the Target and sends H(Target) to Sender.
+    #    - Hashing prevents Sender from learning Delta algebraically.
+    #    - Hash function acts as a commitment.
+    #
+    # 4. Sender compares H(T) =? H(Target).
+    #    - Equality implies x is in Intersection.
+
+    # 5.1 Sender -> Receiver: U*
+    u_star_recv = simp.shuffle_static(u_star_sender, {receiver: sender})
+
+    # 5.2 Receiver: Compute Expected Target (U* * Delta)
+    def _recv_verify_ops(u_s: Any, delta: Any) -> Any:
+        # u_s: (N, 2), delta: (2,)
+
+        # Use tensor.run_jax to isolate JAX operations (tile is not an EDSL primitive)
+        def _tile(d: Any) -> Any:
+            return jnp.tile(d, (n, 1))
+
+        delta_expanded = tensor.run_jax(_tile, delta)
+
+        # Compute U* * Delta in GF(2^128)
+        target = field.mul(u_s, delta_expanded)
+        return target
+
+    target_val = simp.pcall_static(
+        (receiver,), _recv_verify_ops, u_star_recv, delta_receiver
+    )
+
+    # 5.3 Hash Exchange
+    # Use robust hashing to prevent algebraic attacks or leakage
+    from mplang.v2.libs.mpc.ot import extension as ot_extension
+
+    def _hash_shares(share: el.Object, party: int) -> el.Object:
+        """Hash the shares using domain separator for security."""
+        return ot_extension.vec_hash(share, domain_sep=0xFEED, num_rows=n)
+
+    # Hash(Target) on Receiver
+    h_target_recv = simp.pcall_static(
+        (receiver,), lambda x: _hash_shares(x, receiver), target_val
+    )
+
+    # Hash(T) on Sender
+    h_t_sender = simp.pcall_static(
+        (sender,), lambda x: _hash_shares(x, sender), t_val_sender
+    )
+
+    # Send Hash to Sender for comparison
+    h_target_at_sender = simp.shuffle_static(h_target_recv, {sender: receiver})
+
+    # 5.4 Final Comparison on Sender
+    def _compare(h_t: Any, h_target: Any) -> Any:
+        # Compare 32-byte hashes (N, 32) row-by-row
+
+        def _core(a: Any, b: Any) -> Any:
+            eq = jnp.all(a == b, axis=1)
+            return eq.astype(jnp.uint8)  # (N,) 0 or 1
+
+        return tensor.run_jax(_core, h_t, h_target)
+
+    intersection_mask = simp.pcall_static(
+        (sender,), _compare, h_t_sender, h_target_at_sender
+    )
+
+    return cast(el.Object, intersection_mask)