Inferensys

Glossary

Oblivious Transfer Extension

A cryptographic protocol that efficiently extends a small number of base oblivious transfers into a large number of OTs using only fast symmetric-key cryptography, dramatically improving performance.
Knowledge engineer constructing knowledge base on laptop, document hierarchy visible, casual office setup.
CRYPTOGRAPHIC EFFICIENCY

What is Oblivious Transfer Extension?

A protocol that efficiently extends a small number of base oblivious transfers into a large number of OTs using only fast symmetric-key cryptography.

Oblivious Transfer (OT) Extension is a cryptographic protocol that dramatically reduces the computational cost of performing a large number of Oblivious Transfers. It achieves this by executing a small, fixed number of 'base' OTs using expensive public-key cryptography, and then extending these into an arbitrary number of effective OTs using only cheap, fast symmetric-key operations like hash functions and pseudorandom generators.

The foundational protocol, introduced by Ishai et al., leverages a random oracle model or correlation-robust hash functions to ensure security. This technique is a cornerstone of practical secure multi-party computation (MPC), as it transforms OT from a theoretical bottleneck into a viable primitive for high-throughput applications like private set intersection and secure neural network inference, where millions of OTs may be required.

EFFICIENT CRYPTOGRAPHIC PRIMITIVES

Key Features of OT Extension

Oblivious Transfer (OT) extension is a foundational protocol that amplifies a small number of expensive base OTs into a massive number of OTs using only cheap symmetric-key operations. This breakthrough transforms OT from a theoretical bottleneck into a practical, high-throughput primitive for secure computation.

01

Base OT Foundation

The protocol bootstraps from a small number (typically 128 or 256) of base OTs implemented using public-key cryptography. These base OTs are independent of the final computation and can be pre-computed offline. The security parameter kappa determines the number of base OTs, creating a fixed one-time cost that is amortized over millions of subsequent transfers.

02

Symmetric-Key Expansion

After the base OTs are established, the extension phase uses only fast symmetric primitives like AES or hash functions. The sender generates a large matrix of pseudorandom strings, and the receiver uses a random OT extension protocol to obliviously select columns. This reduces computational cost by orders of magnitude compared to repeated public-key operations.

03

IKNP Protocol Structure

The seminal Ishai-Kilian-Nissim-Petrank (IKNP) protocol forms the backbone of modern OT extension. The receiver encodes its selection bits as a matrix and sends it to the sender, who applies a correlation-robust hash function to derive the final OT outputs. This structure enables 1-out-of-2 OT extension with minimal communication overhead.

04

Correlated OT and Variants

OT extension generalizes to specialized variants that further reduce communication:

  • Correlated OT (C-OT): The sender's messages satisfy a linear relationship, cutting bandwidth in half
  • Random OT (R-OT): Both parties receive random outputs, ideal for preprocessing
  • 1-out-of-N OT: Extends to choosing among N messages using log N communication overhead
05

Silent OT Extension

A recent advancement that eliminates the need for the receiver to send a large matrix. Using pseudorandom correlation generators (PCGs) and learning parity with noise (LPN) assumptions, silent OT extension generates an unlimited number of OTs with communication that is sublinear or even constant in the number of OTs produced.

06

MPC Protocol Backbone

OT extension is the performance engine behind modern secure multi-party computation frameworks like SPDZ and MP-SPDZ. It enables efficient Beaver triple generation for arithmetic circuits and garbled circuit evaluation for boolean circuits. Without OT extension, practical private ML inference and training at scale would be infeasible.

OBLIVIOUS TRANSFER EXTENSION

Frequently Asked Questions

Clear, technically precise answers to the most common questions about extending a small number of base oblivious transfers into a large number of efficient, symmetric-key-based OTs.

Oblivious Transfer (OT) extension is a cryptographic protocol that efficiently amplifies a small number of base OTs, typically executed using expensive public-key cryptography, into a large number of OTs using only fast symmetric-key primitives. This is necessary because naive OT requires a public-key operation for every single transfer, making it a crippling bottleneck for any practical secure multi-party computation (MPC) protocol that requires millions of OTs. OT extension reduces the amortized cost per OT to that of a few hash function evaluations, transforming OT from a theoretical construct into a practical, high-throughput primitive for private set intersection and garbled circuit evaluation.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.