Private Set Intersection (PSI) is a cryptographic protocol that enables two or more mutually distrusting parties to compute the intersection of their private datasets without revealing any information about items not in the intersection. It is a specialized form of Secure Multi-Party Computation (MPC) that provides a strong privacy guarantee: the output is solely the set of common elements, with no leakage about the size or contents of the other party's non-matching data.
Glossary
Private Set Intersection (PSI)

What is Private Set Intersection (PSI)?
A foundational privacy-enhancing technology for secure data collaboration.
In federated learning, particularly vertical federated learning (VFL), PSI is crucial for the initial data alignment or entity resolution phase. Before joint training on partitioned feature spaces, parties must privately identify their overlapping users or samples. Using PSI ensures this alignment occurs without exposing sensitive user lists, maintaining the decentralized, privacy-preserving promise of the overall system architecture.
Core Properties of PSI Protocols
Private Set Intersection (PSI) protocols are defined by a set of fundamental cryptographic properties that determine their security, efficiency, and suitability for different federated learning scenarios.
Correctness
Correctness guarantees that the protocol's output is accurate. If an item is in the intersection of all parties' private sets, the protocol will correctly include it. Conversely, items not in the intersection are excluded. This property ensures the utility of the protocol for downstream tasks like aligning user cohorts in vertical federated learning, where accurate data matching is critical for joint model training. A failure in correctness would render the protocol useless for its intended analytical purpose.
Privacy (Security)
Privacy is the paramount security guarantee. It ensures that no party learns anything about the other parties' set elements beyond what is revealed by the final intersection itself. Formally, a party's view of the protocol (all messages received) should be computationally indistinguishable from a simulation that uses only that party's input and the final output. This prevents inference about non-intersecting items. Strong privacy definitions often require security against malicious adversaries who may arbitrarily deviate from the protocol, not just semi-honest ones who follow it but try to learn extra information.
Input Privacy
A stricter subset of the general privacy property, input privacy specifically guarantees that nothing is leaked about the size of any party's private set. This is crucial because the cardinality of a dataset can be sensitive metadata. For example, in a healthcare federation, revealing that a hospital has 10,000 records for a specific rare disease could be a privacy breach. Advanced PSI protocols like those using oblivious transfer or homomorphic encryption can achieve input privacy, while simpler hash-based methods may leak set sizes.
Unlinkability
Unlinkability ensures that if the protocol is executed multiple times, an adversary cannot determine if the same element was used by a party across different executions. This prevents long-term profiling. For instance, in a federated continual learning system where PSI is run periodically to find new overlapping users, unlinkability prevents a server from tracking a specific user's persistent presence across rounds. This property is often achieved through the use of fresh, random cryptographic tokens for each protocol execution.
Asymmetry (One-Way vs. Mutual)
This property defines what is revealed to each participant. In mutual PSI, all parties learn the intersection. In one-way PSI (or PSI with Authorization), only one designated party learns the intersection, while the other learns nothing. The latter is common in client-server architectures where a server holds a large dataset (e.g., a malware hash list) and a client wants to check its private data against it without revealing the server's entire set. The choice between mutual and one-way PSI is a key architectural decision.
Computational & Communication Efficiency
These are practical performance properties critical for adoption.
- Computational Complexity: The runtime cost for each party, often measured in big O notation relative to set sizes (n, m). Modern PSI protocols aim for linear or near-linear complexity (O(n)).
- Communication Complexity: The total amount of data transmitted between parties. High communication overhead is a bottleneck in wide-area networks. Efficient protocols use techniques like hashing, bloom filters, and oblivious transfer extension to minimize rounds and bandwidth, making them feasible for large-scale federated learning deployments with millions of elements.
How Does Private Set Intersection Work?
Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration, enabling secure computation of common data points.
Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties, each holding a private dataset, to compute the intersection of their sets without revealing any information about items not in the intersection. This is achieved through techniques like oblivious transfer, homomorphic encryption, or garbled circuits, which enable computations on encrypted or obfuscated data. The core security guarantee is that parties learn only the intersecting elements and nothing else.
In vertical federated learning, PSI is crucial for the initial private data alignment phase, where parties with different features for overlapping users must securely identify the common user base without exposing non-overlapping records. Modern PSI protocols, such as those based on Diffie-Hellman key exchange or RSA blind signatures, are highly optimized for speed, enabling practical application on large datasets while maintaining provable privacy guarantees against semi-honest adversaries.
Primary Use Cases for PSI
Private Set Intersection (PSI) is a foundational cryptographic protocol enabling secure, privacy-preserving data collaboration. Its core utility lies in scenarios where multiple parties need to discover commonalities in their private datasets without exposing the full contents.
Fraud Detection & Threat Intelligence Sharing
Financial institutions and cybersecurity firms can collaboratively identify common threats (e.g., fraudulent transaction IDs, malicious IP addresses, compromised accounts) without disclosing their full internal watchlists. Using PSI, each party learns only the intersecting indicators of compromise. This enables a collective defense posture while preserving competitive and regulatory boundaries that prevent raw data sharing. Multi-party PSI variants allow more than two entities to participate in this secure intelligence fusion.
Privacy-Preserving Ad Conversion Measurement
Advertisers and publishers can measure the effectiveness of ad campaigns by calculating how many users who saw an ad (publisher's set) later made a purchase (advertiser's set). PSI allows this conversion calculation without the publisher learning who purchased or the advertiser learning the browsing history of users who didn't purchase. This addresses growing privacy regulations that restrict third-party cookie tracking and user identity linkage.
Secure Data Clean Rooms
PSI is a core enabling technology for secure data clean rooms, which are controlled environments for joint data analysis. It provides the foundational 'join key' operation. Enterprises can combine first-party datasets (e.g., customer IDs) to enable joint analytics, audience segmentation, and model training within the clean room's trust boundary, ensuring raw data never leaves its origin. This is critical for media, retail, and cloud partnerships.
PSI vs. Related Privacy Technologies
A technical comparison of Private Set Intersection (PSI) against other core cryptographic protocols used for privacy-preserving computation in federated and decentralized learning systems.
| Protocol / Feature | Private Set Intersection (PSI) | Secure Multi-Party Computation (MPC) | Homomorphic Encryption (HE) | Differential Privacy (DP) |
|---|---|---|---|---|
Primary Cryptographic Foundation | Public-key (ECC), OT, PSI-CA | Secret Sharing, Garbled Circuits, OT | Lattice-based (FHE/SHE) | Randomized Algorithms, Noise Addition |
Core Computation Goal | Compute set intersection cardinality or elements | Jointly compute any arbitrary function | Compute on encrypted data (ciphertext) | Publish aggregate statistics from a dataset |
Revealed Output | Only the intersection (or its size) | Only the agreed-upon function output | Encrypted result, decrypted by key holder | Noisy aggregate (e.g., average, count) |
Input Privacy Guarantee | Items not in intersection remain secret | All private inputs remain secret | Data remains encrypted throughout | Individual records protected via plausible deniability |
Typical Use Case in Federated Learning | Data alignment for Vertical FL | Secure aggregation of model updates | Training on encrypted data (server-side) | Adding noise to client updates before aggregation |
Communication/Compute Overhead | Moderate (O(n log n) with ECC-PSI) | Very High (scales with circuit complexity) | Extremely High (ciphertext expansion, ops) | Low (noise addition is cheap) |
Resilience to Client Dropout | High (pairwise protocols possible) | Low (often requires all parties online) | N/A (typically client-server) | High (applied per-client independently) |
Output Verifiability / Correctness | Possible with zero-knowledge proofs | Possible with verifiable MPC | Possible (depends on scheme) | No (noise is random, correctness probabilistic) |
Common Threat Model | Semi-honest (passive) adversaries | Semi-honest or Malicious (active) | Semi-honest (curious server) | Curious analyst / data curator |
Frequently Asked Questions
Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration. These FAQs address its core mechanisms, applications, and relationship to federated learning systems.
Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties, each holding a private set of data, to compute the intersection of their sets without revealing any information about items that are not in the intersection. It works by having parties transform their data elements (e.g., client IDs, email hashes) into encrypted or obfuscated representations using commutative encryption, oblivious transfer, or hash-based techniques. These transformed values are then exchanged and compared. Only matching items produce identical transformed values, allowing all parties to learn which items they have in common while learning nothing about the non-intersecting elements. For example, in a basic hash-based PSI, both parties hash their items with a shared salt, exchange the hashed lists, and identify matches, assuming the original inputs are from a sufficiently large domain to prevent brute-force reversal.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration. The following concepts are essential for understanding its role and application within federated and continual learning systems.
Vertical Federated Learning (VFL)
Vertical Federated Learning is a scenario where different organizations hold different features for the same or overlapping sets of users. PSI is a critical pre-processing step in VFL to securely identify the overlapping user cohort without exposing non-intersecting records. For example, a bank and an e-commerce company could use PSI to find their common customers before jointly training a model using the bank's credit history and the company's purchase data, aligning their datasets in a privacy-preserving manner.
Differential Privacy (DP)
Differential Privacy provides a statistical guarantee that the presence or absence of any single individual's data in a dataset does not significantly affect the outcome of an analysis. While PSI protects the raw sets during the alignment phase, DP is often applied afterward to the computation on the intersected data (e.g., model training or analytics). A common pattern is PSI + DP, where PSI securely finds the overlap, and DP-SGD is used to train a model on that overlap, ensuring end-to-end privacy.
Federated Analytics
Federated Analytics involves performing data analysis tasks (e.g., computing aggregates, histograms, or unique counts) over decentralized datasets without centralizing raw data. PSI is a core primitive for analytics tasks like cardinality estimation (e.g., 'How many unique users do both companies share?') or attribute concatenation for overlapping users. It enables businesses to gain collaborative insights, such as joint marketing reach analysis, while complying with data residency and privacy regulations.
Private Join and Compute
Private Join and Compute is an advanced cryptographic protocol that extends PSI. It not only computes the intersection of two private sets but also allows the parties to perform a computation (e.g., sum, average, standard deviation) on associated attribute values for the matched records—all in a single privacy-preserving step. This is directly applicable to vertical federated learning, where after the private join, the parties can immediately compute aggregated statistics or gradients for the overlapping cohort.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us