Cryptography
Oblivious Transfer: The 1-of-2 Primitive That Powers MPC
A sender holds two secret strings, m0 and m1. A receiver wants exactly one of them, say m1. When the two-message protocol finishes, the receiver learns m1 and nothing about m0 — while the sender learns nothing about which string was chosen. That impossible-sounding trick, executable in a handful of elliptic-curve operations, is 1-out-of-2 Oblivious Transfer (OT).
OT is a two-party cryptographic primitive in which a receiver selects one of the sender's messages by a private choice bit b, obtaining m_b while remaining ignorant of m_{1-b}, and the sender remains ignorant of b. Introduced by Michael Rabin in 1981 and cast in its dominant 1-of-2 form by Even, Goldreich, and Lempel in 1985, OT is complete for secure multiparty computation: given enough OTs, any function can be computed jointly with no party revealing its inputs.
- TypeTwo-party cryptographic primitive
- InventedRabin 1981; 1-of-2 by Even, Goldreich & Lempel 1985
- AssumptionPublic-key (DDH/CDH/RSA); provably not from OWFs alone
- Cost per OT~O(1) public-key ops base; ~2 hashes amortized via IKNP extension
- Used inGarbled circuits, GMW, PSI, threshold signing, private ML inference
- Key ideaReceiver learns m_b only; sender never learns b — completeness for MPC
Interactive visualization
Press play, or step through manually. The visualization is yours to drive — try it before reading on.
Watch the 60-second explainer
A condensed visual walkthrough — narrated, captioned, under a minute.
The problem: choosing without revealing the choice
Imagine two mutually distrusting parties. A sender has two messages, m0 and m1. A receiver has a private choice bit b and wants m_b. The seemingly contradictory requirements are:
- Receiver privacy: the sender must not learn b (which message was taken).
- Sender privacy: the receiver must learn only m_b and gain zero information about m_{1-b}.
No trusted third party is allowed. This is the definition of 1-out-of-2 oblivious transfer. It sounds paradoxical because a naive solution — send both messages — leaks m_{1-b}, while asking the receiver "which do you want?" leaks b.
Rabin's original 1981 formulation was subtly different: an erasure channel where the receiver gets the single message with probability 1/2 and the sender never learns whether it arrived. Crépeau proved in 1987 that Rabin OT and 1-of-2 OT are equivalent. The 1-of-2 form is the one that plugs directly into higher protocols, which is why it became the standard.
How it works: the Chou-Orlandi simplest OT, step by step
The cleanest concrete construction is the Chou-Orlandi (2015) "simplest OT", secure under Computational Diffie-Hellman in the random-oracle model. Work in a group of prime order q with generator G and a hash H.
Setup: sender picks secret a, sends A = a*G to receiver.
Receiver (choice bit b):
pick random r
if b == 0: B = r*G
if b == 1: B = A + r*G
send B
compute k_R = H( r*A ) // = H(a*r*G)
Sender:
k0 = H( a*B ) // = H(a*r*G) when b=0
k1 = H( a*(B - A) ) // = H(a*r*G) when b=1
send e0 = Enc(k0, m0), e1 = Enc(k1, m1)
Receiver: decrypt e_b with k_R -> m_bWhy it works: the receiver can derive only one of {k0, k1} because computing the other would require the discrete log of A (i.e., a). The sender computes both keys but cannot tell which B encodes, because B is uniformly random in both cases — that hides b perfectly.
Complexity and a worked key-agreement trace
Base OT cost. Chou-Orlandi needs one setup message (A) plus, per OT instance, a few group exponentiations: the sender computes 2 scalar mults for k0/k1 and 1 encryption; the receiver does ~2 scalar mults. That is O(1) public-key operations per OT and 2 rounds of communication. Public-key operations are expensive (microseconds each), so doing millions of them naively is the bottleneck.
OT extension changes the asymptotics. The IKNP extension (2003) performs only κ base OTs (κ = security parameter, e.g. 128), then produces an unbounded number of extended OTs using just ~2 hash evaluations each. So m OTs cost O(κ) public-key ops + O(m) symmetric ops — effectively amortized O(1) symmetric-key work per OT.
Trace (b = 1):
a = 7 A = 7G
r = 4, b=1 -> B = A + 4G = 11G
sender: k0 = H(7*11G)=H(77G), k1 = H(7*(11G-7G))=H(7*4G)=H(28G)
receiver: k_R = H(4*A)=H(4*7G)=H(28G) == k1 ✓ (m1 recovered)
receiver cannot form H(77G) without discrete-log of A.
Where it's used in real systems
OT is invisible to end users but sits under a growing stack of privacy technology:
- Garbled circuits (Yao): the evaluator uses one OT per input wire to fetch the garbled label for its private input bit without revealing that bit. Every secure two-party computation over Boolean circuits runs OT at the input layer.
- GMW protocol: multiplication gates over secret shares are evaluated with OT, making OT the arithmetic engine of the GMW MPC framework.
- Private Set Intersection (PSI): contact-discovery and ad-conversion measurement systems use OT-based PSI so two parties learn only their shared elements.
- Threshold signing & key management: MPC wallets (Fireblocks, Coinbase-style custody) use OT-based multiplication for ECDSA/threshold signatures.
- Private ML inference: frameworks such as CrypTen, ABY/ABY3, and secure-inference systems use OT for the nonlinear (ReLU, comparison) layers.
Modern deployments rely on silent OT / VOLE (Boyle et al., 2019+) to generate correlated OTs with near-zero communication, pushing OT into practical large-scale MPC.
Compared to its cousins: the tradeoff
OT is often confused with adjacent primitives; the distinctions are concrete.
- vs. Private Information Retrieval (PIR): PIR hides the receiver's index into a database but does not protect the unqueried records — the receiver may learn more. OT enforces both directions (sender privacy too). PIR optimizes for sublinear communication over huge databases; OT is a fixed 1-of-n unit.
- vs. Homomorphic encryption (FHE): FHE lets one party compute on another's ciphertext non-interactively but with heavy per-gate cost. OT is interactive and round-heavy but far cheaper per operation; MPC-via-OT usually beats FHE on wall-clock for circuits of moderate depth.
- vs. plain public-key encryption: PKE moves a message to a known recipient. OT adds the oblivious choice — the sender doesn't know which of two payloads was delivered.
The fundamental tradeoff: OT cannot be built from one-way functions alone (Impagliazzo-Rudich 1989, black-box separation) — it requires public-key-strength assumptions. You buy MPC-completeness at the price of number-theoretic hardness.
Pitfalls, failure modes, and why it matters
Malicious vs. semi-honest security. Basic protocols like plain IKNP are semi-honest secure — a cheating receiver who deviates from the protocol can break sender privacy. Production systems need actively-secure OT extension (Keller-Orsini-Scholl 2015) with consistency checks; forgetting this is a classic real-world break.
Selective-failure attacks. A malicious sender can encode m_{1-b} so that decryption failure reveals b — leaking the receiver's choice. Correct constructions must make both branches indistinguishable regardless of b.
- Correlation-robust hash: IKNP's security rests on the hash being correlation-robust; using a plain PRG or a broken hash silently voids the guarantee.
- Nonce/randomness reuse: reusing the receiver's r or the sender's a across instances collapses privacy — the same failure class as nonce reuse in ECDSA.
- Quantum: DDH/CDH-based OT falls to Shor's algorithm; post-quantum OT uses LWE/isogeny/code-based assumptions.
Why it matters: Kilian (1988) proved OT is complete for secure computation — with OT and a one-way function you can securely evaluate any function. That single result makes OT the load-bearing primitive of the entire MPC field.
| Construction / variant | Cost per OT | Assumption | Notes |
|---|---|---|---|
| Rabin OT (1981) | 1 RSA op | RSA / factoring | Erasure channel: receiver gets message w.p. 1/2; equivalent to 1-of-2 OT |
| EGL 1-of-2 OT (1985) | O(1) public-key ops | Trapdoor permutation | Canonical form; receiver picks 1 of 2 messages |
| Chou-Orlandi 'simplest OT' (2015) | ~3 exponentiations | CDH / gap-DH in ROM | Base-OT of choice; 2 rounds, very few group ops |
| IKNP OT extension (2003) | ~2 hash evals (amortized) | Correlation-robust hash + κ base OTs | Turns κ base OTs into millions; symmetric-key speed |
| 1-of-n OT | O(n) or O(log n) comm. | Same as underlying OT | Generalizes 1-of-2; used in PIR-style lookups |
| Correlated OT (COT) | ~1 hash (amortized) | IKNP-style | Outputs correlated pairs; backbone of modern silent-OT/VOLE |
Frequently asked questions
Is 1-of-2 oblivious transfer really equivalent to Rabin's original OT?
Yes. Rabin's 1981 OT is an erasure channel: the receiver gets a message with probability 1/2 and the sender never learns whether it arrived. Claude Crepeau proved in 1987 that Rabin OT and 1-of-2 OT can be converted into each other, so they are equivalent primitives. The 1-of-2 form is preferred because it plugs directly into garbled circuits and GMW.
Why can't oblivious transfer be built from a hash function or one-way function alone?
Impagliazzo and Rudich (1989) proved a black-box separation: there is no black-box construction of OT (or key agreement) from one-way functions. OT inherently needs public-key-strength assumptions such as DDH, CDH, factoring/RSA, or LWE. That is why base OTs use elliptic-curve or number-theoretic operations rather than just symmetric primitives.
If base OT needs public-key operations, how is large-scale MPC fast?
Through OT extension. IKNP (2003) runs only kappa base OTs (e.g., 128) using public-key crypto, then produces an unlimited number of additional OTs using roughly two hash evaluations each. Modern silent-OT/VOLE techniques push communication near zero. So the expensive public-key cost is a one-time O(kappa) setup, and per-OT work becomes symmetric-key speed.
What is the difference between oblivious transfer and private information retrieval?
PIR hides which database index the client queried but does not necessarily protect the rest of the database from the client. OT additionally guarantees sender privacy: the receiver learns only the chosen item and nothing about the others. PIR is optimized for sublinear communication over large databases; OT is a fixed 1-of-n unit and is complete for general MPC.
What is a selective-failure attack in OT?
A malicious sender crafts the two encryptions so that whether decryption succeeds depends on the receiver's choice bit b. By observing whether the receiver aborts or proceeds, the sender infers b, breaking receiver privacy. Secure OT (and OT extension) must make both branches behave identically regardless of b, which is why actively-secure protocols add consistency checks.
Is oblivious transfer secure against quantum computers?
Not the standard constructions. OT based on Diffie-Hellman, RSA, or factoring is broken by Shor's algorithm. Post-quantum OT is built from lattice assumptions (LWE), isogenies, or codes. Note also that unconditionally secure OT is impossible even with quantum communication (Lo 1997), so OT always rests on a computational or setup assumption.