Oblivious Transfer

Oblivious Transfer is a foundational two-party protocol in cryptography. In its most common form, 1-out-of-2 OT, a sender holds two messages (M₀, M₁). The receiver selects an index (0 or 1) and receives the corresponding message Mᵢ, but learns nothing about the other message. Crucially, the sender remains oblivious to which index i the receiver chose. This asymmetric knowledge guarantee—the receiver gets one choice, the sender learns nothing—is the protocol's core security property. It serves as a critical building block for more complex secure multi-party computation (MPC) systems.

The protocol's utility extends beyond simple message transfer. It is essential for constructing private information retrieval (PIR), where a client can fetch an item from a database without the server learning which item was requested. In blockchain and cryptocurrency contexts, OT underpills privacy-preserving smart contracts and mechanisms like anonymous credentials and secure voting protocols. For example, it can enable a user to prove they satisfy certain criteria (e.g., being over 18) without revealing their exact birthdate or other underlying data.

Modern implementations, such as OT Extension, overcome early efficiency limitations. Standard OT protocols relied on costly public-key cryptography for each transfer. OT Extension, pioneered by Ishai et al., uses a small number of initial "base" OTs to generate a vast number of efficient, correlated OTs using only symmetric cryptography (like hash functions and pseudorandom generators). This breakthrough made OT practical for large-scale applications, allowing it to be used as a subroutine in high-throughput secure computation of machine learning models or genomic analysis without either party exposing their private datasets.

Oblivious Transfer (OT) is a cryptographic protocol where a sender transmits one of several potential messages to a receiver, but remains oblivious to which specific message was received, while the receiver learns only the message they selected and gains no information about the others. This asymmetric knowledge is the protocol's core security guarantee. The most common variant is 1-out-of-2 OT, where the sender has two messages (M₀, M₁) and the receiver chooses to learn one (M_b, where b is 0 or 1) without revealing their choice b to the sender.

The protocol typically works using public-key cryptography and a series of encrypted challenges. In a simplified model, the receiver generates a key pair and sends a specially crafted public key to the sender, embedding their secret choice within it. The sender then encrypts both messages using this public key and a randomization technique, returning both ciphertexts. Due to the cryptographic construction, the receiver can only decrypt the message corresponding to their initial secret choice, while the ciphertexts appear indistinguishable to the sender, preserving the receiver's privacy.

Oblivious Transfer is not just theoretical; it serves as a critical building block for more complex secure multi-party computation (MPC) protocols, such as private set intersection and privacy-preserving auctions. For instance, in a private database query, a client can use OT to retrieve a specific record from a server without the server learning which record was accessed, and without the client learning any other records. Modern implementations often use more efficient OT extension techniques, which use a small number of costly base OTs to generate a large number of OTs with symmetric-key cryptography, making it practical for real-world applications.

The security of OT protocols is formally proven under standard cryptographic assumptions, such as the hardness of the Decisional Diffie-Hellman problem or learning with errors. This ensures that even a computationally unbounded sender cannot deduce the receiver's choice, and a malicious receiver cannot extract more than the allotted number of messages. These properties make OT a cornerstone for constructing systems that require both data confidentiality and user privacy in adversarial environments.

1-out-of-2 Oblivious Transfer (OT) is a foundational cryptographic protocol involving two parties: a sender holding two secret messages (M₀, M₁) and a receiver who wishes to learn one of them based on a secret choice bit b (0 or 1). The protocol's core security guarantees are obliviousness, where the sender learns nothing about the receiver's choice b, and message secrecy, where the receiver learns nothing about the message they did not select. This asymmetric knowledge transfer is the basis for more complex secure multi-party computation (MPC) and private information retrieval systems.

The classic flow, often based on the Rabin-OT or Bellare-Micali constructions, begins with the receiver generating a public-private key pair. For their chosen index b, they create a valid public key, and for the other index 1-b, they create a malformed or "trapdoor" key. The sender, upon receiving both public keys, encrypts each message with the corresponding key and sends both ciphertexts. Crucially, the receiver can only decrypt the ciphertext encrypted with the valid key they created, thus obtaining their chosen message while remaining unable to decrypt the other.

This primitive is not merely theoretical; it is a critical building block in practice. Modern implementations, such as those using Elliptic Curve Cryptography (ECC) for efficiency, enable Private Set Intersection (PSI), secure auctions, and privacy-preserving data mining. In blockchain contexts, 1-out-of-2 OT underpills certain confidential transaction schemes and secure wallet recovery mechanisms, allowing a user to prove control of a secret without revealing it fully. Its role in enabling trustless, selective disclosure makes it a cornerstone of cryptographic privacy.

Oblivious Transfer (OT) is a cryptographic protocol where a sender transmits some of a set of messages to a receiver, who remains "oblivious" to the content of the messages they did not choose to receive. The concept was first introduced in 1981 by Michael O. Rabin, who formulated a version where a receiver gets a message with a 50% probability, while the sender remains unaware of whether the transfer was successful. This foundational work established the core principle of conditional disclosure with sender privacy, a concept that would be refined and expanded upon for decades. Early OT protocols were largely theoretical, demonstrating feasibility but lacking the efficiency required for practical systems.

The evolution of OT saw major improvements in efficiency and flexibility. A pivotal advancement was the 1-out-of-2 OT protocol, where a sender holds two messages and a receiver can choose to learn exactly one, without the sender discovering which one was selected. This more practical formulation, along with subsequent 1-out-of-n and k-out-of-n variants, unlocked a vast array of applications. Crucially, work by cryptographers like Silvio Micali, Shafi Goldwasser, and Charles Rackoff in the 1980s and 1990s demonstrated that OT could be used as a cryptographic primitive to construct more complex secure multi-party computation (MPC) protocols. This established OT as a cornerstone of modern cryptographic theory.

In the context of blockchain and web3, OT has found renewed importance as a tool for privacy-preserving computation. It is a key component in private information retrieval (PIR), allowing a user to query a blockchain or database without revealing which specific data they are accessing. Furthermore, OT protocols are essential for secure, privacy-focused applications like private smart contracts and confidential decentralized finance (DeFi) transactions, where parties wish to compute on sensitive inputs without exposing them. The ongoing development of post-quantum OT schemes ensures this foundational protocol will remain relevant as cryptographic threats evolve, securing the next generation of private blockchain interactions.