Inferensys

Glossary

Oblivious Transfer (OT)

A foundational cryptographic protocol where a sender transmits one of many pieces of information to a receiver, but remains oblivious to which piece was selected, while the receiver learns nothing about the other pieces.
Moody home-office setup in a converted highrise loft, analyst working late with multiple screens showing knowledge graph visualizations, city lights through large windows behind.
FOUNDATIONAL CRYPTOGRAPHIC PRIMITIVE

What is Oblivious Transfer (OT)?

Oblivious Transfer is a fundamental two-party protocol that enables selective, private information retrieval, forming the bedrock of secure multi-party computation and private set intersection.

Oblivious Transfer (OT) is a cryptographic protocol where a sender transmits one of many messages to a receiver, but remains oblivious to which message was selected, while the receiver learns nothing about the unselected messages. This asymmetric privacy guarantee makes OT a foundational building block for Secure Multi-Party Computation (MPC) and Private Set Intersection (PSI).

In the standard 1-out-of-2 OT, the sender inputs two strings, and the receiver inputs a choice bit; the receiver learns only the chosen string, and the sender learns nothing. While computationally expensive on its own, OT Extension protocols like IKNP dramatically amplify a small number of base OTs into millions of transfers using only fast symmetric-key operations, enabling practical, large-scale private computation.

FOUNDATIONAL CRYPTOGRAPHIC PRIMITIVE

Key Properties of Oblivious Transfer

Oblivious Transfer (OT) is a cornerstone protocol in secure computation, enabling a sender to transmit one of many messages without knowing which was selected, while the receiver learns nothing about the unselected messages. These properties define its security and utility.

01

Sender Privacy (Obliviousness)

The sender remains oblivious to the receiver's choice. After the protocol concludes, the sender has no information about which of the transmitted messages was accessed. This is achieved through cryptographic blinding, where the receiver's selection is hidden within a set of indistinguishable protocol messages. The formal guarantee is that the sender's view when the receiver chooses message i is computationally indistinguishable from its view when the receiver chooses message j, for any i and j. This property is essential for applications like private information retrieval and privacy-preserving advertising, where the querier's intent must remain hidden.

Computationally Indistinguishable
Formal Security Guarantee
02

Receiver Privacy (Chooser Security)

The receiver learns only the content of the single message they selected and gains zero knowledge about the other messages. This is enforced by the protocol's cryptographic construction, typically using public-key techniques where the receiver can only decrypt one of several ciphertexts. For example, in a 1-out-of-2 OT, the receiver generates keys that allow decryption of only one of two encrypted messages. Any attempt to extract information about the unselected message would require solving a computationally hard problem, such as the Computational Diffie-Hellman problem. This property is critical for secure database lookup and contract signing.

Zero
Information Leaked About Unselected Items
03

1-out-of-n Generalization

While the classic formulation is 1-out-of-2 OT, the primitive generalizes to 1-out-of-n OT, where the sender holds n messages and the receiver selects one index. This is not merely a theoretical extension; it is a practical building block. A 1-out-of-n OT can be constructed from log(n) instances of 1-out-of-2 OT, preserving efficiency. This generalization allows a client to privately query a single record from a database of arbitrary size without revealing which record was accessed, forming the basis for Private Information Retrieval (PIR) and secure table lookups in garbled circuit evaluations.

log(n)
1-out-of-2 OTs Required for 1-out-of-n
04

OT Extension Efficiency

A naive implementation of OT requires expensive public-key cryptography for every single transfer, making it impractical for large-scale secure computation. OT Extension protocols, such as the IKNP protocol, solve this bottleneck. They enable the execution of a small number of 'base' OTs (e.g., 128) using public-key crypto, and then bootstrap these into millions of OTs using only fast symmetric-key operations like hash functions. This reduces the amortized cost per OT by orders of magnitude, transforming OT from a theoretical curiosity into a practical, high-throughput primitive for protocols like Private Set Intersection (PSI) and secure multi-party computation.

10^6+
OTs Generated from ~128 Base OTs
Symmetric-Key Speed
Amortized Cost After Extension
05

Random vs. Chosen-Message OT

OT comes in two functional variants. In Random OT (ROT), the sender's messages are randomly generated by the protocol itself, and both parties learn their respective outputs. This is extremely efficient and serves as a setup phase. In Chosen-Message OT, the sender provides specific, pre-determined input messages. A standard optimization is to perform a batch of cheap ROTs first, and then use the random outputs as one-time pads to encrypt and transmit the actual chosen messages in a second, minimal communication round. This decoupling of the setup from the input-dependent phase is a key technique in high-performance PSI protocols like KKRT.

1 Round
Additional Overhead to Convert ROT to Chosen-Message
06

Completeness for Secure Computation

Oblivious Transfer is complete for secure two-party computation. This means that any arbitrary function that can be jointly computed by two parties on their private inputs can be realized using an OT protocol as the sole cryptographic building block, combined with other non-cryptographic operations. In practice, this is achieved by using OT to evaluate Garbled Circuits, where each AND gate in the circuit requires a 1-out-of-2 OT. This theoretical result establishes OT as the most fundamental asymmetric primitive in cryptography, from which all other secure computation protocols can be derived.

Universal
Completeness for 2-Party Computation
OBLIVIOUS TRANSFER CLARIFIED

Frequently Asked Questions

Clear, technically precise answers to the most common questions about Oblivious Transfer, its variants, and its foundational role in modern cryptography.

Oblivious Transfer (OT) is a foundational cryptographic protocol between a sender and a receiver. The sender inputs multiple messages, and the receiver selects and learns only one of them. Crucially, the sender remains oblivious to which message was chosen, and the receiver learns nothing about the unselected messages.

In the classic 1-out-of-2 OT, the sender inputs two messages (m₀, m₁), and the receiver inputs a choice bit (c). The receiver learns m_c, but not m_{1-c}. The sender learns nothing about c. This is typically constructed using public-key cryptography, such as the Diffie-Hellman key exchange, where the receiver creates two public keys but only knows the private key for one, forcing the sender to encrypt each message with a different key.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.