Oblivious Transfer (OT) is a cryptographic protocol where a sender inputs multiple messages, and a receiver retrieves exactly one message of their choice. The protocol enforces two critical privacy guarantees: the sender remains oblivious to which message was selected, and the receiver learns nothing about the unselected messages. This primitive is a foundational building block for more complex secure computation schemes.
Glossary
Oblivious Transfer (OT)

What is Oblivious Transfer (OT)?
Oblivious Transfer is a fundamental two-party protocol enabling a receiver to select and learn a specific piece of information from a sender without the sender discovering which piece was selected.
In the standard 1-out-of-2 OT variant, the sender holds two strings, and the receiver chooses a selection bit. The protocol ensures the receiver obtains only the chosen string, while the sender gains no information about the bit. OT is often computationally expensive but is essential for constructing garbled circuits and Multi-Party Computation (MPC) protocols, frequently relying on public-key cryptographic assumptions for its security.
Key Properties of Oblivious Transfer
Oblivious Transfer (OT) is a foundational building block for secure computation. These cards break down its essential security guarantees, common protocol flavors, and the computational mechanisms that make it indispensable for privacy-preserving systems.
Sender Privacy (Obliviousness)
The core security guarantee for the sender. After the protocol executes, the sender learns absolutely nothing about which message the receiver selected. This is not merely computational hiding; it is information-theoretic in many constructions. The sender's view is statistically independent of the receiver's choice index, meaning even an adversary with unbounded computational power cannot determine which secret was accessed. This property is critical for protocols like Private Set Intersection (PSI) where the sender's database contents must remain private beyond the single intersection element.
Receiver Privacy (Indistinguishability)
The core security guarantee for the receiver. The receiver's choice input must remain computationally hidden from the sender. Specifically, the sender cannot distinguish between a receiver selecting message m0 versus message m1 with any probability significantly greater than random chance. This is typically achieved through public-key cryptography where the receiver crafts two public keys—one real and one fake—but the sender cannot tell which is which. This property relies on hard problems like the Decisional Diffie-Hellman assumption.
1-out-of-2 OT (The Standard Flavor)
The most fundamental and widely implemented variant. The sender inputs two messages (m0, m1), and the receiver inputs a single choice bit b (0 or 1). The receiver learns mb but learns nothing about m1-b, while the sender learns nothing about b. This primitive is the atomic unit of secure computation; any multi-party computation (MPC) circuit can be theoretically constructed from a sufficient number of 1-out-of-2 OT executions combined with garbled circuits.
1-out-of-n OT (Database Access)
A generalization where the sender holds a database of n messages, and the receiver retrieves a single record at index i without revealing i to the sender. A naive approach using repeated 1-out-of-2 OT would require O(n) complexity, but optimized protocols using OT Extension can reduce the computational overhead dramatically. This variant is the direct cryptographic backbone of Private Information Retrieval (PIR) systems, allowing users to query databases without exposing their search terms.
OT Extension (Amortized Efficiency)
A critical performance optimization that allows a small number of 'base' OTs (typically 128) to be extended into millions of effective OTs using only fast symmetric-key operations (like AES hashes). This technique, introduced by Ishai et al., breaks the reliance on expensive public-key crypto for every single transfer. By generating a matrix of correlated randomness, OT Extension makes OT practical for high-volume secure computation tasks, such as evaluating deep neural networks in MPC frameworks.
Random OT (Pre-computation Phase)
A variant where the sender does not input specific messages; instead, the protocol generates random messages and the receiver randomly learns one of them. This produces a pool of correlated randomness that can be stored offline. Later, in an online phase, the sender can simply XOR their actual messages with the pre-computed random values to convert the Random OT into a Standard OT with minimal latency. This separation of phases is vital for low-latency encrypted inference.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the mechanics, security, and applications of Oblivious Transfer protocols.
Oblivious Transfer (OT) is a fundamental cryptographic protocol where a sender transmits one of potentially many pieces of information to a receiver, but remains oblivious to which piece was selected. In the classic 1-out-of-2 OT, the sender inputs two messages m0 and m1, and the receiver inputs a choice bit b. The receiver learns mb and nothing about m1-b, while the sender learns nothing about b. The protocol works by leveraging asymmetric cryptography: the receiver generates a public key pair where they know the secret key for only one of two possible public keys, forcing the sender to encrypt each message under a different key. The receiver can only decrypt the message corresponding to their chosen key, achieving the dual privacy guarantees. This primitive is a complete building block for secure multi-party computation, meaning any secure function evaluation can be constructed from OT alone.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Oblivious Transfer is a foundational building block for secure multi-party computation. Explore these related protocols and concepts that extend OT or rely on it for privacy-preserving applications.
1-out-of-2 OT
The fundamental variant where a sender holds two messages (m₀, m₁) and the receiver chooses one bit. The receiver learns only their chosen message, and the sender remains oblivious to the choice.
- Mechanism: Relies on trapdoor permutations or Diffie-Hellman assumptions
- Use case: Core subroutine in Yao's Garbled Circuits for secure two-party computation
- Efficiency: Can be extended from a small number of base OTs using OT extension protocols
k-out-of-n OT
A generalized protocol where the receiver selects k messages from a set of n held by the sender. The sender learns nothing about which subset was chosen.
- Privacy: Receiver's selection remains computationally hidden
- Application: Private information retrieval (PIR) and privacy-preserving database queries
- Trade-off: Higher communication overhead than 1-out-of-2, but more expressive selection
OT Extension
A cryptographic technique that amplifies a small number of expensive public-key base OTs into a large number of OTs using only fast symmetric-key operations.
- IKNP Protocol: The foundational OT extension construction by Ishai, Kilian, Nissim, and Petrank
- Performance: Reduces computational cost from O(n) public-key ops to O(n) hash evaluations
- Impact: Makes OT practical for large-scale secure computation with millions of gates
Correlated OT
A specialized variant where the sender's messages are not independent but satisfy a specific correlation, typically m₁ = m₀ ⊕ Δ for a fixed global secret Δ.
- Efficiency: Reduces communication since only one message needs to be sent explicitly
- Application: Critical for efficient Garbled Circuit evaluation and silent OT generation
- Silent OT: A recent advancement enabling OT with near-zero communication using learning parity with noise (LPN) assumptions
Random OT
A non-interactive variant where both sender's messages are uniformly random strings generated during the protocol, rather than chosen by the sender in advance.
- Preprocessing: Can be executed offline before inputs are known
- Conversion: Random OTs are converted to standard OTs at online time with minimal communication
- Advantage: Decouples expensive OT generation from the input-dependent phase of secure computation
Garbled Circuits
A secure two-party computation protocol that relies on OT as its sole cryptographic primitive for input transfer. The circuit evaluator uses OT to obliviously receive wire labels corresponding to their private input bits.
- Yao's Construction: The foundational protocol enabling any polynomial-time function to be computed securely
- OT Role: Prevents the evaluator from learning both wire labels, which would break security
- Optimizations: Point-and-permute, free-XOR, and half-gates techniques reduce circuit size

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us