Oblivious Transfer (OT) is a cryptographic protocol where a sender inputs multiple messages, and a receiver selects and learns only one, while the sender remains oblivious to the choice. This primitive simultaneously enforces sender privacy—the receiver learns nothing about the unselected messages—and receiver privacy—the sender gains zero knowledge of the index chosen.
Glossary
Oblivious Transfer (OT)

What is Oblivious Transfer (OT)?
Oblivious Transfer is a fundamental cryptographic protocol enabling a sender to transmit one of several pieces of information to a receiver without knowing which piece was selected.
In the classic 1-out-of-2 OT, the sender holds two strings m0 and m1; the receiver inputs a choice bit c and receives mc without the sender learning c. OT serves as a foundational building block for Secure Multi-Party Computation (SMPC) and Private Set Intersection (PSI), enabling collaborative fraud analytics across institutions without exposing proprietary transaction data.
Key Properties of Oblivious Transfer
Oblivious Transfer (OT) is a foundational cryptographic protocol that resolves a seemingly paradoxical requirement: a sender transmits one of several messages, but remains completely unaware of which message was selected by the receiver.
Sender Obliviousness
The defining property of OT. After the protocol executes, the sender has zero information about which secret the receiver chose. This is not merely a promise; it is a mathematically provable guarantee based on computational hardness assumptions.
- Mechanism: Achieved by masking all sender messages with cryptographic keys, only one of which the receiver can decrypt.
- Contrast: Unlike a simple encrypted download where a server logs access, OT leaves no digital trace of the selection.
- Requirement: The sender must hold multiple inputs (typically 2 in the base case, denoted as 1-out-of-2 OT) for the choice to be meaningful.
Receiver Privacy
The receiver learns exactly one piece of information and nothing about the other messages. This is enforced by the protocol's cryptographic construction, not by trust.
- 1-out-of-2 OT: The receiver chooses bit
band learns messageM_b, but gains no information aboutM_{1-b}. - 1-out-of-n OT: Extends the concept to
nmessages, where the receiver selects a single indexiand learns onlyM_i. - Security Guarantee: Even a malicious sender with unbounded computational power cannot force the receiver to learn more than one message (information-theoretic security for the receiver in some constructions).
Foundation for Secure Computation
OT is cryptographically complete for secure multi-party computation (SMPC). Any arbitrary function that can be computed jointly by multiple parties with private inputs can be constructed solely from OT protocols.
- Garbled Circuits: OT is the essential mechanism for the evaluator to obliviously receive the wire labels corresponding to their private input without the garbler learning that input.
- AND Gate Evaluation: A 1-out-of-2 OT directly implements a secure AND gate, which is a universal gate for boolean circuits.
- Efficiency Driver: Because OT is the primary bottleneck in many SMPC protocols, massive engineering effort focuses on OT extension techniques to generate millions of OT instances from a small number of base OTs.
OT Extension
A performance breakthrough that allows a small number of computationally expensive base OTs (using public-key cryptography) to be extended into a virtually unlimited number of OTs using only fast symmetric-key operations.
- IKNP Protocol: The foundational OT extension protocol by Ishai, Kilian, Nissim, and Petrank (2003) that dramatically reduced the computational cost.
- Impact: Reduces the public-key overhead from linear in the number of OTs to a constant, making OT practical for large-scale SMPC applications like private set intersection on million-element datasets.
- Correlated OT: A variant where the sender's messages are not independent but satisfy a linear correlation, further optimizing specific SMPC sub-protocols.
Application in Fraud Analytics
OT enables competing financial institutions to collaboratively detect fraud without exposing their proprietary transaction data or customer lists to one another.
- Private Set Intersection (PSI): Banks can use OT-based PSI to discover accounts appearing on multiple institutions' fraud watchlists without revealing any non-intersecting accounts.
- Private Database Query: An investigator can query a consortium's shared fraud database for a specific entity's risk score without the database learning which entity was queried.
- Regulatory Compliance: Satisfies data localization and privacy regulations (like GDPR) by ensuring raw data never leaves the originating institution's control during collaborative analytics.
Random OT
A highly efficient variant where the sender's messages are not chosen by the sender but are generated as random strings by the protocol itself. The sender learns the random pair, and the receiver learns one of them based on their choice bit.
- Pre-computation Phase: Random OTs can be generated in bulk during an offline phase, independent of the actual data to be computed on.
- Online Phase: When the actual inputs are known, the random strings are used as one-time pads to mask the real messages, requiring only trivial XOR operations.
- Benefit: Shifts heavy cryptographic work to an offline, non-latency-critical phase, enabling extremely fast online secure computation.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about Oblivious Transfer protocols, their cryptographic foundations, and their role in privacy-preserving fraud analytics.
Oblivious Transfer (OT) is a fundamental cryptographic protocol where a sender transmits one of potentially many pieces of information to a receiver, but remains oblivious as to which piece was selected. The receiver, in turn, learns only the chosen piece and gains no information about the others. The classic 1-out-of-2 OT works as follows: the sender holds two messages, m0 and m1; the receiver inputs a choice bit b (0 or 1); the protocol outputs mb to the receiver, while the sender learns nothing about b. This is achieved through public-key cryptography, typically using the Diffie-Hellman assumption. The sender generates a key pair, and the receiver creates a blinded public key that encodes their choice. The sender encrypts both messages using derived keys, but the receiver can only decrypt the one corresponding to their original choice. OT is a complete primitive for Secure Multi-Party Computation (SMPC), meaning any secure computation can be built from it.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Oblivious Transfer is a foundational building block for secure computation. Explore the related protocols and primitives that compose OT to enable privacy-preserving fraud analytics.
Garbled Circuits
A two-party protocol where a function is represented as a Boolean circuit with encrypted wires. The circuit generator uses OT to transfer the correct input-wire keys to the evaluator without learning which input was selected.
- Foundation of constant-round SMPC
- OT is essential for the input transfer phase
- Prevents the generator from seeing the evaluator's private data
1-out-of-2 OT Protocol
The canonical form where a sender inputs two messages (m₀, m₁) and the receiver inputs a choice bit (b). The receiver learns only m_b, and the sender learns nothing about b.
- Implemented via RSA or Elliptic Curve Cryptography
- Extended to 1-out-of-n via repeated invocations
- Forms the atomic unit for all OT extensions
OT Extension
A performance optimization that uses a small number of base OTs (executed with expensive public-key crypto) to generate a vast number of OTs using only fast symmetric-key operations.
- Reduces computational overhead by orders of magnitude
- Enables practical SMPC for high-throughput fraud pipelines
- IKNP protocol is the seminal construction
Secure Aggregation
A federated learning primitive where a server computes the sum of model updates from multiple banks without seeing individual contributions. OT can be used to mask individual updates via pairwise secret sharing.
- Protects gradient leakage in fraud model training
- Ensures no single bank's transaction patterns are exposed
- Often combined with Differential Privacy

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us