Oblivious Transfer (OT) is a cryptographic protocol where a sender transmits one of many messages to a receiver, but remains oblivious to which message was selected, while the receiver learns nothing about the unselected messages. This asymmetric privacy guarantee makes OT a foundational building block for Secure Multi-Party Computation (MPC) and Private Set Intersection (PSI).
Glossary
Oblivious Transfer (OT)

What is Oblivious Transfer (OT)?
Oblivious Transfer is a fundamental two-party protocol that enables selective, private information retrieval, forming the bedrock of secure multi-party computation and private set intersection.
In the standard 1-out-of-2 OT, the sender inputs two strings, and the receiver inputs a choice bit; the receiver learns only the chosen string, and the sender learns nothing. While computationally expensive on its own, OT Extension protocols like IKNP dramatically amplify a small number of base OTs into millions of transfers using only fast symmetric-key operations, enabling practical, large-scale private computation.
Key Properties of Oblivious Transfer
Oblivious Transfer (OT) is a cornerstone protocol in secure computation, enabling a sender to transmit one of many messages without knowing which was selected, while the receiver learns nothing about the unselected messages. These properties define its security and utility.
Sender Privacy (Obliviousness)
The sender remains oblivious to the receiver's choice. After the protocol concludes, the sender has no information about which of the transmitted messages was accessed. This is achieved through cryptographic blinding, where the receiver's selection is hidden within a set of indistinguishable protocol messages. The formal guarantee is that the sender's view when the receiver chooses message i is computationally indistinguishable from its view when the receiver chooses message j, for any i and j. This property is essential for applications like private information retrieval and privacy-preserving advertising, where the querier's intent must remain hidden.
Receiver Privacy (Chooser Security)
The receiver learns only the content of the single message they selected and gains zero knowledge about the other messages. This is enforced by the protocol's cryptographic construction, typically using public-key techniques where the receiver can only decrypt one of several ciphertexts. For example, in a 1-out-of-2 OT, the receiver generates keys that allow decryption of only one of two encrypted messages. Any attempt to extract information about the unselected message would require solving a computationally hard problem, such as the Computational Diffie-Hellman problem. This property is critical for secure database lookup and contract signing.
1-out-of-n Generalization
While the classic formulation is 1-out-of-2 OT, the primitive generalizes to 1-out-of-n OT, where the sender holds n messages and the receiver selects one index. This is not merely a theoretical extension; it is a practical building block. A 1-out-of-n OT can be constructed from log(n) instances of 1-out-of-2 OT, preserving efficiency. This generalization allows a client to privately query a single record from a database of arbitrary size without revealing which record was accessed, forming the basis for Private Information Retrieval (PIR) and secure table lookups in garbled circuit evaluations.
OT Extension Efficiency
A naive implementation of OT requires expensive public-key cryptography for every single transfer, making it impractical for large-scale secure computation. OT Extension protocols, such as the IKNP protocol, solve this bottleneck. They enable the execution of a small number of 'base' OTs (e.g., 128) using public-key crypto, and then bootstrap these into millions of OTs using only fast symmetric-key operations like hash functions. This reduces the amortized cost per OT by orders of magnitude, transforming OT from a theoretical curiosity into a practical, high-throughput primitive for protocols like Private Set Intersection (PSI) and secure multi-party computation.
Random vs. Chosen-Message OT
OT comes in two functional variants. In Random OT (ROT), the sender's messages are randomly generated by the protocol itself, and both parties learn their respective outputs. This is extremely efficient and serves as a setup phase. In Chosen-Message OT, the sender provides specific, pre-determined input messages. A standard optimization is to perform a batch of cheap ROTs first, and then use the random outputs as one-time pads to encrypt and transmit the actual chosen messages in a second, minimal communication round. This decoupling of the setup from the input-dependent phase is a key technique in high-performance PSI protocols like KKRT.
Completeness for Secure Computation
Oblivious Transfer is complete for secure two-party computation. This means that any arbitrary function that can be jointly computed by two parties on their private inputs can be realized using an OT protocol as the sole cryptographic building block, combined with other non-cryptographic operations. In practice, this is achieved by using OT to evaluate Garbled Circuits, where each AND gate in the circuit requires a 1-out-of-2 OT. This theoretical result establishes OT as the most fundamental asymmetric primitive in cryptography, from which all other secure computation protocols can be derived.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about Oblivious Transfer, its variants, and its foundational role in modern cryptography.
Oblivious Transfer (OT) is a foundational cryptographic protocol between a sender and a receiver. The sender inputs multiple messages, and the receiver selects and learns only one of them. Crucially, the sender remains oblivious to which message was chosen, and the receiver learns nothing about the unselected messages.
In the classic 1-out-of-2 OT, the sender inputs two messages (m₀, m₁), and the receiver inputs a choice bit (c). The receiver learns m_c, but not m_{1-c}. The sender learns nothing about c. This is typically constructed using public-key cryptography, such as the Diffie-Hellman key exchange, where the receiver creates two public keys but only knows the private key for one, forcing the sender to encrypt each message with a different key.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Oblivious Transfer is a fundamental building block for secure computation. These related protocols and concepts form the cryptographic ecosystem that enables private set intersection and general secure multi-party computation.
Oblivious Pseudorandom Function (OPRF)
A protocol where a client learns PRF(key, input) without learning the server's key, and the server learns nothing about the input. OPRFs are constructed from OT and serve as the core building block for many modern PSI protocols. The server's keyed PRF output on the client's elements enables private equality testing.
Semi-Honest vs. Malicious Security
Two fundamental adversarial models in secure computation. Semi-honest security assumes parties follow the protocol but may try to learn extra information from the transcript—sufficient for many enterprise collaboration scenarios. Malicious security guarantees correctness and privacy even when adversaries arbitrarily deviate, typically requiring zero-knowledge proofs and incurring higher overhead.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us