Inferensys

Glossary

Private Set Intersection (PSI)

Private Set Intersection (PSI) is a cryptographic protocol that enables two or more parties to compute the intersection of their private datasets without revealing any information about items not in the intersection.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CRYPTOGRAPHIC PROTOCOL

What is Private Set Intersection (PSI)?

A foundational privacy-enhancing technology for secure data collaboration.

Private Set Intersection (PSI) is a cryptographic protocol that enables two or more mutually distrusting parties to compute the intersection of their private datasets without revealing any information about items not in the intersection. It is a specialized form of Secure Multi-Party Computation (MPC) that provides a strong privacy guarantee: the output is solely the set of common elements, with no leakage about the size or contents of the other party's non-matching data.

In federated learning, particularly vertical federated learning (VFL), PSI is crucial for the initial data alignment or entity resolution phase. Before joint training on partitioned feature spaces, parties must privately identify their overlapping users or samples. Using PSI ensures this alignment occurs without exposing sensitive user lists, maintaining the decentralized, privacy-preserving promise of the overall system architecture.

CRYPTOGRAPHIC GUARANTEES

Core Properties of PSI Protocols

Private Set Intersection (PSI) protocols are defined by a set of fundamental cryptographic properties that determine their security, efficiency, and suitability for different federated learning scenarios.

01

Correctness

Correctness guarantees that the protocol's output is accurate. If an item is in the intersection of all parties' private sets, the protocol will correctly include it. Conversely, items not in the intersection are excluded. This property ensures the utility of the protocol for downstream tasks like aligning user cohorts in vertical federated learning, where accurate data matching is critical for joint model training. A failure in correctness would render the protocol useless for its intended analytical purpose.

02

Privacy (Security)

Privacy is the paramount security guarantee. It ensures that no party learns anything about the other parties' set elements beyond what is revealed by the final intersection itself. Formally, a party's view of the protocol (all messages received) should be computationally indistinguishable from a simulation that uses only that party's input and the final output. This prevents inference about non-intersecting items. Strong privacy definitions often require security against malicious adversaries who may arbitrarily deviate from the protocol, not just semi-honest ones who follow it but try to learn extra information.

03

Input Privacy

A stricter subset of the general privacy property, input privacy specifically guarantees that nothing is leaked about the size of any party's private set. This is crucial because the cardinality of a dataset can be sensitive metadata. For example, in a healthcare federation, revealing that a hospital has 10,000 records for a specific rare disease could be a privacy breach. Advanced PSI protocols like those using oblivious transfer or homomorphic encryption can achieve input privacy, while simpler hash-based methods may leak set sizes.

04

Unlinkability

Unlinkability ensures that if the protocol is executed multiple times, an adversary cannot determine if the same element was used by a party across different executions. This prevents long-term profiling. For instance, in a federated continual learning system where PSI is run periodically to find new overlapping users, unlinkability prevents a server from tracking a specific user's persistent presence across rounds. This property is often achieved through the use of fresh, random cryptographic tokens for each protocol execution.

05

Asymmetry (One-Way vs. Mutual)

This property defines what is revealed to each participant. In mutual PSI, all parties learn the intersection. In one-way PSI (or PSI with Authorization), only one designated party learns the intersection, while the other learns nothing. The latter is common in client-server architectures where a server holds a large dataset (e.g., a malware hash list) and a client wants to check its private data against it without revealing the server's entire set. The choice between mutual and one-way PSI is a key architectural decision.

06

Computational & Communication Efficiency

These are practical performance properties critical for adoption.

  • Computational Complexity: The runtime cost for each party, often measured in big O notation relative to set sizes (n, m). Modern PSI protocols aim for linear or near-linear complexity (O(n)).
  • Communication Complexity: The total amount of data transmitted between parties. High communication overhead is a bottleneck in wide-area networks. Efficient protocols use techniques like hashing, bloom filters, and oblivious transfer extension to minimize rounds and bandwidth, making them feasible for large-scale federated learning deployments with millions of elements.
CRYPTOGRAPHIC PROTOCOL

How Does Private Set Intersection Work?

Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration, enabling secure computation of common data points.

Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties, each holding a private dataset, to compute the intersection of their sets without revealing any information about items not in the intersection. This is achieved through techniques like oblivious transfer, homomorphic encryption, or garbled circuits, which enable computations on encrypted or obfuscated data. The core security guarantee is that parties learn only the intersecting elements and nothing else.

In vertical federated learning, PSI is crucial for the initial private data alignment phase, where parties with different features for overlapping users must securely identify the common user base without exposing non-overlapping records. Modern PSI protocols, such as those based on Diffie-Hellman key exchange or RSA blind signatures, are highly optimized for speed, enabling practical application on large datasets while maintaining provable privacy guarantees against semi-honest adversaries.

APPLICATIONS

Primary Use Cases for PSI

Private Set Intersection (PSI) is a foundational cryptographic protocol enabling secure, privacy-preserving data collaboration. Its core utility lies in scenarios where multiple parties need to discover commonalities in their private datasets without exposing the full contents.

03

Fraud Detection & Threat Intelligence Sharing

Financial institutions and cybersecurity firms can collaboratively identify common threats (e.g., fraudulent transaction IDs, malicious IP addresses, compromised accounts) without disclosing their full internal watchlists. Using PSI, each party learns only the intersecting indicators of compromise. This enables a collective defense posture while preserving competitive and regulatory boundaries that prevent raw data sharing. Multi-party PSI variants allow more than two entities to participate in this secure intelligence fusion.

05

Privacy-Preserving Ad Conversion Measurement

Advertisers and publishers can measure the effectiveness of ad campaigns by calculating how many users who saw an ad (publisher's set) later made a purchase (advertiser's set). PSI allows this conversion calculation without the publisher learning who purchased or the advertiser learning the browsing history of users who didn't purchase. This addresses growing privacy regulations that restrict third-party cookie tracking and user identity linkage.

06

Secure Data Clean Rooms

PSI is a core enabling technology for secure data clean rooms, which are controlled environments for joint data analysis. It provides the foundational 'join key' operation. Enterprises can combine first-party datasets (e.g., customer IDs) to enable joint analytics, audience segmentation, and model training within the clean room's trust boundary, ensuring raw data never leaves its origin. This is critical for media, retail, and cloud partnerships.

PROTOCOL COMPARISON

PSI vs. Related Privacy Technologies

A technical comparison of Private Set Intersection (PSI) against other core cryptographic protocols used for privacy-preserving computation in federated and decentralized learning systems.

Protocol / FeaturePrivate Set Intersection (PSI)Secure Multi-Party Computation (MPC)Homomorphic Encryption (HE)Differential Privacy (DP)

Primary Cryptographic Foundation

Public-key (ECC), OT, PSI-CA

Secret Sharing, Garbled Circuits, OT

Lattice-based (FHE/SHE)

Randomized Algorithms, Noise Addition

Core Computation Goal

Compute set intersection cardinality or elements

Jointly compute any arbitrary function

Compute on encrypted data (ciphertext)

Publish aggregate statistics from a dataset

Revealed Output

Only the intersection (or its size)

Only the agreed-upon function output

Encrypted result, decrypted by key holder

Noisy aggregate (e.g., average, count)

Input Privacy Guarantee

Items not in intersection remain secret

All private inputs remain secret

Data remains encrypted throughout

Individual records protected via plausible deniability

Typical Use Case in Federated Learning

Data alignment for Vertical FL

Secure aggregation of model updates

Training on encrypted data (server-side)

Adding noise to client updates before aggregation

Communication/Compute Overhead

Moderate (O(n log n) with ECC-PSI)

Very High (scales with circuit complexity)

Extremely High (ciphertext expansion, ops)

Low (noise addition is cheap)

Resilience to Client Dropout

High (pairwise protocols possible)

Low (often requires all parties online)

N/A (typically client-server)

High (applied per-client independently)

Output Verifiability / Correctness

Possible with zero-knowledge proofs

Possible with verifiable MPC

Possible (depends on scheme)

No (noise is random, correctness probabilistic)

Common Threat Model

Semi-honest (passive) adversaries

Semi-honest or Malicious (active)

Semi-honest (curious server)

Curious analyst / data curator

PRIVATE SET INTERSECTION

Frequently Asked Questions

Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration. These FAQs address its core mechanisms, applications, and relationship to federated learning systems.

Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties, each holding a private set of data, to compute the intersection of their sets without revealing any information about items that are not in the intersection. It works by having parties transform their data elements (e.g., client IDs, email hashes) into encrypted or obfuscated representations using commutative encryption, oblivious transfer, or hash-based techniques. These transformed values are then exchanged and compared. Only matching items produce identical transformed values, allowing all parties to learn which items they have in common while learning nothing about the non-intersecting elements. For example, in a basic hash-based PSI, both parties hash their items with a shared salt, exchange the hashed lists, and identify matches, assuming the original inputs are from a sufficiently large domain to prevent brute-force reversal.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.