Oblivious Transfer (OT)

Oblivious Transfer (OT) is a cryptographic protocol where a sender holds multiple messages and a receiver can choose to learn a subset of them without the sender discovering which ones were selected. The receiver, conversely, gains no information about the messages they did not choose. This creates a secure, privacy-preserving interaction where the sender's input remains confidential from the receiver's selection, and the receiver's choice remains hidden from the sender. It is a cornerstone for constructing more complex secure multi-party computation (MPC) protocols.

The most common variant is 1-out-of-2 OT, where the sender has two messages, m₀ and m₁. The receiver inputs a choice bit b (0 or 1) and learns only the corresponding message m_b, while learning nothing about m_{1-b}. The sender remains completely unaware of the value of b. This primitive can be extended to k-out-of-n OT, where the receiver selects k messages from a set of n. The security of OT is typically based on computational hardness assumptions like the Decisional Diffie-Hellman (DDH) or Learning With Errors (LWE).

OT has critical applications in privacy-enhancing technologies. It is the essential building block for private information retrieval (PIR), where a client can query a database without revealing which entry they are fetching. It is also fundamental to secure function evaluation, allowing two parties to compute a function on their private inputs without revealing those inputs to each other. In blockchain contexts, OT enables privacy-preserving smart contracts and confidential transactions, where parties can selectively reveal data based on protocol logic without exposing underlying secrets.

Implementing OT efficiently is an active area of cryptographic research. Early constructions were computationally expensive, but modern techniques like OT extension allow for generating a large number of OTs from a small number of base OTs, dramatically improving performance. This makes OT practical for real-world systems handling massive datasets. Libraries like libOTe provide optimized implementations. The protocol's 'oblivious' property is distinct from encryption; it is a two-party interactive protocol ensuring mutual privacy of inputs during the computation itself.

Oblivious Transfer (OT) is a cryptographic protocol where a sender transmits one of several pieces of information to a receiver, but remains "oblivious" to which piece was actually received. The term's etymology directly reflects this core property: the sender is oblivious to the outcome of the transfer. It was first formally introduced in 1981 by Michael O. Rabin, who described a specific 1-out-of-2 variant where the receiver has a 50% chance of successfully obtaining the message, and the sender remains unaware of success or failure. This established the foundational paradox of the protocol: enabling a conditional transfer without revealing the condition.

The concept was later generalized by Shimon Even, Oded Goldreich, and Abraham Lempel in 1985 into the more practical 1-out-of-2 OT, which is now the standard formulation. In this version, the sender has two messages, and the receiver can choose to learn exactly one of them, while the sender learns nothing about the receiver's choice. This evolution from a probabilistic to a deterministic choice model made OT vastly more useful as a building block. The protocol's power lies in its ability to facilitate secure multi-party computation (MPC) by allowing parties to selectively share private inputs without exposing them in full.

Oblivious Transfer is considered one of the most important cryptographic primitives, fundamental to privacy-preserving technologies. Its origins in theoretical computer science have led to direct applications in modern blockchain and zero-knowledge systems. For instance, OT is crucial for private information retrieval (PIR), secure function evaluation, and forms the backbone of many multi-party computation (MPC) protocols used for wallet threshold signatures and private smart contracts. Its development showcases how an abstract, theoretical construct became an indispensable tool for practical cryptographic engineering in decentralized systems.

Oblivious Transfer (OT) is a cryptographic protocol where a sender transmits one of several pieces of information to a receiver, but remains oblivious to which specific piece was chosen, while the receiver learns nothing about the content of the unchosen pieces. This asymmetric knowledge guarantee is the protocol's core security property. It is a foundational building block for more complex secure multi-party computation (MPC) systems, enabling private data queries, secure auctions, and privacy-preserving machine learning without a trusted third party.

The most common variant is 1-out-of-2 OT, where the sender holds two messages (M₀, M₁) and the receiver holds a choice bit b (0 or 1). The protocol ensures the receiver obtains only M_b, learns nothing about M_{1-b}, and the sender gains no information about the value of b. This is achieved using cryptographic techniques like the Diffie-Hellman key exchange or RSA encryption, where the receiver's choice is encoded in a way that the sender can encrypt both messages but cannot decrypt the receiver's selection to infer the choice.

In practice, OT protocols often use a public-key cryptography setup. A typical RSA-based 1-out-of-2 OT protocol involves the receiver generating an RSA key pair and sending a specially crafted public key to the sender based on their secret choice. The sender uses this key to encrypt both messages and sends the ciphertexts back. The receiver can only decrypt the message corresponding to their original choice, as the cryptographic construction blinds the other. The sender, seeing only the public key and ciphertexts, cannot determine which secret was used.

Oblivious Transfer is not just theoretical; it has critical real-world applications in blockchain and Web3. It is essential for private smart contracts, where parties can compute on sensitive inputs without revealing them. For example, OT enables private information retrieval (PIR) from a blockchain database and is a key component in zk-SNARKs and zk-STARKs for constructing zero-knowledge proofs. Its efficiency has improved dramatically with OT extension techniques, which use a small number of base OTs to generate a vast number of OT instances with symmetric-key cryptography, making large-scale MPC feasible.

Oblivious Transfer (OT) is a cryptographic protocol between a sender and a receiver where the sender transfers one of several pieces of information, but remains oblivious to which piece the receiver obtained. In its most common form, 1-out-of-2 OT, the sender has two messages (m₀, m₁). The receiver chooses to learn one message based on a secret selection bit b, but learns nothing about the other message, while the sender gains no knowledge of which bit b was chosen. This ensures both privacy of choice for the receiver and privacy of the unselected data for the sender, forming a cornerstone for more complex secure multi-party computation (MPC).

The protocol's security is based on computational hardness assumptions, such as the Decisional Diffie-Hellman (DDH) problem or learning with errors (LWE). Modern implementations, like OT extension, allow for the efficient execution of many OT instances after an initial, computationally expensive setup, making OT practical for large-scale applications. This efficiency is critical, as many advanced cryptographic systems require thousands or millions of OT instances to function, such as in private set intersection or secure neural network training.

In blockchain and Web3 contexts, Oblivious Transfer is a key enabler for privacy-preserving technologies. It is the fundamental building block for Private Information Retrieval (PIR), allowing a user to query a blockchain or database without revealing which data entry they accessed. Furthermore, OT protocols are essential for secure decentralized identity systems and confidential smart contracts, where parties must compute on sensitive inputs—like balances or bids—without exposing them to each other or the public ledger, thus expanding the functionality of transparent blockchains into private domains.