Private Set Intersection (PSI) is a cryptographic protocol that allows two or more mutually distrusting parties to compute the intersection of their private datasets—such as lists of user identifiers—without revealing any information about items not in the intersection. This ensures that parties learn only the common elements, with all other data remaining confidential. PSI is a critical privacy-enhancing technology (PET) for initializing collaborative workflows like Vertical Federated Learning (VFL), where aligning entities across different data owners is the first step.
Glossary
Private Set Intersection (PSI)

What is Private Set Intersection (PSI)?
Private Set Intersection (PSI) is a foundational cryptographic protocol enabling secure, privacy-preserving data collaboration, primarily used for entity alignment in federated learning systems.
The protocol operates by having each party encrypt or hash their dataset using a commutative cryptographic scheme, then securely compare these transformed values. Modern PSI protocols, such as those based on Diffie-Hellman key exchange or homomorphic encryption, are highly efficient, often requiring communication linear only to the set sizes. In VFL, PSI enables secure entity resolution, allowing a label owner and feature owners to identify their overlapping customers for training without exposing their entire client lists, thus preserving commercial confidentiality and user privacy from the outset.
Core Properties of PSI Protocols
Private Set Intersection (PSI) protocols are defined by a set of fundamental cryptographic properties that guarantee privacy and correctness during the computation of shared elements between private datasets.
Privacy (Input Confidentiality)
The primary guarantee of a PSI protocol. It ensures that no party learns anything about the other party's set elements except for the items in the intersection. A secure protocol reveals nothing about the size or contents of non-intersecting items.
- Strong Guarantee: Even if one party's set contains a single, highly sensitive element not in the intersection, the other party cannot infer its existence or value.
- Formal Models: Security is proven under standard cryptographic models like the semi-honest (honest-but-curious) or malicious adversarial models, defining what an adversarial party is allowed to do.
Correctness
The protocol must correctly compute the intersection. All items that are truly common to both input sets must be in the output, and no items that are not common should appear.
- Deterministic Output: For given input sets, the output intersection is always the same.
- Handling Errors: Protocols must be robust against communication failures or cryptographic errors to maintain correctness. Some advanced PSI variants introduce a controlled, negligible error rate for performance gains, but this is explicitly defined (e.g., in PSI with False Positives).
Efficiency & Scalability
Practical PSI protocols must be computationally feasible and scale to large sets (millions or billions of items). Performance is measured along three key axes:
- Computational Complexity: The time required for cryptographic operations (e.g., public-key encryptions, elliptic curve operations). Modern PSI-CA (Circuit-based) and PSI-DDH (Diffie-Hellman based) protocols offer near-linear complexity.
- Communication Overhead: The total amount of data sent between parties. Efficient protocols have communication costs linear in the set sizes, not quadratic.
- Round Complexity: The number of sequential back-and-forth messages. Single-round or two-round protocols are preferred for low-latency environments.
Unbalanced Set Support
A critical property for real-world applications where one party's set (e.g., a service provider's user database) is vastly larger than the other's (e.g., a client's list). Efficient protocols handle this asymmetry.
- Example: A hospital (large set of patient records) intersecting with a research institute (small set of study participants).
- Protocol Adaptation: Specialized constructions like PSI with Unbalanced Sets optimize computation and communication relative to the size of the smaller set, often using techniques like Cuckoo hashing and Garbled Bloom Filters.
Output Variants
PSI is not a single operation; different protocol variants provide different output formats to suit application needs.
- Plain PSI: Outputs the actual intersecting items.
- PSI-Cardinality (PSI-CA): Outputs only the number of intersecting items, not the items themselves, offering an extra layer of privacy.
- PSI with Data Transfer: Upon intersection, one party can securely transfer payload data associated with the intersecting keys to the other party (e.g., transferring user attributes after matching IDs).
- Threshold PSI: Reveals the intersection only if its size exceeds a predefined threshold, preventing inference from small matches.
Security Model Adherence
Protocols are designed and proven secure under specific assumptions about participant behavior.
- Semi-Honest Security: Assumes parties follow the protocol but may try to learn extra information from the messages they receive. This is the most common model for business collaboration scenarios.
- Malicious Security: Protects against parties who may arbitrarily deviate from the protocol to cheat or learn private data. These protocols are more complex and costly but essential for high-stakes or adversarial environments.
- Composability: A desirable property where the protocol remains secure even when run concurrently with other instances or as part of a larger system (e.g., within a Vertical Federated Learning pipeline for entity alignment).
How Does Private Set Intersection Work?
Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration, enabling secure entity alignment in federated learning.
Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties to compute the intersection of their private datasets—such as lists of user IDs—without revealing any information about items not in the intersection. It is a privacy-enhancing technology critical for the initial entity alignment phase in Vertical Federated Learning (VFL), where different organizations hold different features about overlapping entities but cannot directly share their raw identifier lists. By revealing only the common elements, PSI establishes a secure, aligned dataset for subsequent collaborative model training.
The core mechanism often involves homomorphic encryption or oblivious transfer techniques. One party encrypts its set elements and sends them to another, who performs computations on the encrypted values to determine matches without learning the underlying plaintext. This process ensures input privacy for all participants. For VFL, after PSI aligns the entities, the parties proceed with a split neural network architecture, where each computes on its local feature subset, passing only encrypted intermediate outputs to coordinate training without exposing the raw, vertically partitioned data.
Primary Use Cases for PSI
Private Set Intersection (PSI) is a foundational cryptographic protocol enabling secure, privacy-preserving collaboration. Its primary applications center on enabling joint computation and analysis where data cannot be directly shared.
Entity Alignment for VFL
PSI is the critical first step in Vertical Federated Learning (VFL), allowing two or more parties to securely identify their overlapping users or entities without revealing their entire datasets. This enables the creation of a virtual aligned dataset for training, where each party contributes different features about the same users.
- Process: A healthcare provider (with diagnoses) and a pharmacy (with prescriptions) use PSI to find their common patients.
- Outcome: They can train a model predicting readmission risk without ever exposing the full patient lists of either party.
Fraud Detection & Threat Intelligence
Financial institutions and cybersecurity firms use PSI to collectively identify malicious actors while protecting customer privacy and proprietary threat lists. By computing the intersection of private sets of fraudulent transaction IDs, IP addresses, or compromised accounts, participants can gain a comprehensive view of threats.
- Key Benefit: Dramatically improves detection rates by pooling intelligence.
- Privacy Guarantee: A bank learns only if a specific account appears on another's blocklist, not the entire list.
Private Contact Tracing & Health Analytics
PSI enables privacy-centric public health initiatives. During an outbreak, individuals' devices can use PSI to determine if they have been in proximity to a confirmed case without revealing their location history or identity. Similarly, research institutions can compute disease prevalence across regions without sharing sensitive patient rosters.
- Mechanism: Devices exchange encrypted, ephemeral identifiers; only matches (contacts) are revealed.
- Compliance: Aligns with regulations like HIPAA by minimizing data exposure.
Secure Ad Conversion Measurement
Advertisers and publishers leverage PSI to measure campaign effectiveness—such as calculating how many users who saw an ad later made a purchase—without building cross-site user profiles. The advertiser (with purchase records) and the publisher (with ad impression logs) compute the intersection of their user IDs.
- Industry Shift: Moves away from third-party cookies and pervasive tracking.
- Output: The advertiser learns only the aggregate conversion count, not which specific users converted.
Genomic Research & Collaborative Discovery
Research hospitals and biobanks use PSI to find patients with specific genetic markers across institutions without disclosing full genomic sequences. This enables cohort discovery for clinical trials or genome-wide association studies (GWAS) while preserving patient confidentiality.
- Precision: Can intersect sets based on specific variant carriers (e.g., BRCA1 mutation).
- Scale: Modern PSI protocols can efficiently handle sets containing millions of genetic identifiers.
Supply Chain & Inventory Optimization
Companies in a supply chain can use PSI to identify shared bottlenecks, like commonly out-of-stock parts, without revealing full inventory or supplier lists. A manufacturer and a distributor can find intersecting part numbers that are critically low, enabling proactive coordination.
- Business Intelligence: Reveals overlapping dependencies without exposing competitive sourcing data.
- Efficiency: Reduces the need for manual, trust-based data-sharing agreements.
PSI vs. Related Privacy Technologies
A technical comparison of Private Set Intersection (PSI) with other cryptographic and statistical methods used for privacy-preserving data collaboration, highlighting core mechanisms, guarantees, and typical use cases.
| Feature / Aspect | Private Set Intersection (PSI) | Secure Multi-Party Computation (MPC) | Homomorphic Encryption (HE) | Differential Privacy (DP) |
|---|---|---|---|---|
Primary Cryptographic Foundation | Oblivious Transfer, Public-Key Crypto, or OT-based PSI | Garbled Circuits, Secret Sharing, or Oblivious Transfer | Lattice-based cryptography (e.g., CKKS, BFV) | Statistical noise addition (Laplace, Gaussian) |
Core Privacy Guarantee | Reveals only the intersection; all other set elements remain hidden | Reveals only the output of a joint function; all inputs remain private | Computations performed on encrypted data; plaintext never exposed | Formal mathematical guarantee against membership inference |
Typical Output | Set of common identifiers (e.g., matched user IDs) | Arbitrary function output (e.g., sum, average, model parameters) | Encrypted result of a computation (requires decryption) | Noisy aggregate statistic (e.g., count, mean) or model |
Communication Complexity | Linear or sublinear in set size (e.g., O(n)) | Often high, depends on circuit complexity of function | Very high due to ciphertext size expansion | Low to moderate (transmits noisy data/updates) |
Computation Overhead | Moderate (public-key operations per element) | High (circuit evaluation or interactive protocols) | Extremely high (polynomial operations on ciphertexts) | Low (primarily noise generation and addition) |
Supports Arbitrary Joint Computations | ||||
Preserves Exact Output (No Noise) | ||||
Primary Use Case in Federated Learning | Privacy-preserving entity alignment for VFL | Secure aggregation of model updates (horizontal FL) | Training on encrypted data (e.g., encrypted gradient aggregation) | Adding formal privacy bounds to client updates |
Resistant to Auxiliary Information Attacks | ||||
Common Threat Model | Semi-honest (honest-but-curious) adversaries | Semi-honest or malicious (with additional protocols) | Semi-honest (cryptographic security) | Curious analyst or data aggregator |
Frequently Asked Questions
Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration. These FAQs address its core mechanisms, applications, and role within Vertical Federated Learning.
Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties, each holding a private set of data (e.g., lists of user IDs), to compute the intersection of their sets—discovering which items they have in common—without revealing any information about items that are not in the intersection. It works by having parties transform their data using agreed-upon cryptographic primitives (like hash functions, oblivious transfer, or public-key encryption) in a way that only matching items produce identical, comparable outputs. For example, in a common public-key-based PSI protocol, one party encrypts its set using a public key and sends it to another party, who then processes these ciphertexts with its own set using homomorphic properties or blinding techniques. The result is a set of processed values that can only be decrypted or matched if the underlying plaintext items were identical, thereby revealing the intersection while keeping all non-matching items cryptographically hidden.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Private Set Intersection (PSI) is a foundational cryptographic protocol for Vertical Federated Learning, enabling secure collaboration. These related concepts detail the privacy-preserving techniques and system components that make VFL possible.
Secure Entity Resolution
Secure entity resolution is the privacy-preserving process of identifying records that refer to the same real-world entity (e.g., a customer ID) across multiple databases without revealing non-matching records. It is a critical prerequisite for entity alignment in Vertical Federated Learning (VFL).
- Core Function: Determines the overlapping set of entities between parties' datasets.
- Privacy Guarantee: Parties learn only which entities they have in common, not the full contents of each other's databases.
- Common Techniques: Often implemented using PSI protocols, but can also involve private matching based on fuzzy or composite keys.
Vertical Data Partition
A vertical data partition is a dataset split where different features (columns) of the same samples (rows/entities) are held by different parties. This structure is the defining characteristic of Vertical Federated Learning.
- Contrast with Horizontal FL: In horizontal FL, parties have different samples but the same features.
- Example: Hospital A holds patient lab results (features), while Hospital B holds patient imaging data (different features) for the same set of patients (entities).
- Implication: Training requires secure alignment of entities first, followed by collaborative computation across the split feature space.
Split Neural Network
A split neural network is a model architecture used in VFL where the neural network is divided into multiple parts, each residing on a different party that holds a specific subset of the features.
- Cut Layer: The specific layer where the model is divided. The feature owner computes the forward pass up to this layer, producing an intermediate output.
- Forward Propagation: The intermediate output is securely sent to the label owner, who completes the forward pass and computes the loss.
- Backpropagation: Gradients are passed backwards through the network across parties to update their respective model segments, a process known as vertical backpropagation.
Homomorphic Encryption for VFL
Homomorphic Encryption (HE) is a cryptographic technique that allows computations to be performed directly on encrypted data. In VFL, it enables parties to train on encrypted intermediate outputs or gradients.
- Core Benefit: The label owner can perform computations (e.g., activation functions) on encrypted data from feature owners without decrypting it, preserving privacy.
- Trade-off: Introduces significant computation and communication overhead due to the size and complexity of ciphertext operations.
- Common Use: Often used to protect the intermediate results sent from feature owners to the label owner in a split neural network architecture.
Vertical Secure Aggregation
Vertical secure aggregation refers to cryptographic protocols used to combine model updates (e.g., gradients from feature owners) in VFL without revealing any individual party's contribution.
- Privacy Goal: The label owner learns only the aggregated update (e.g., the sum of gradients), not the update from any single feature owner.
- Techniques: Can be implemented using Secure Multi-Party Computation (MPC) or masking techniques where individual updates are obscured by random values that cancel out upon summation.
- Contrast with Horizontal FL: In horizontal FL, secure aggregation protects client model weights; in VFL, it often protects feature-space gradients or intermediate results.
Vertical Training Protocol
A vertical training protocol is the defined sequence of communication and computation steps that coordinating parties follow to execute a complete training round in a VFL system.
- Standard Steps: 1) Entity Alignment via PSI, 2) Vertical Forward Propagation, 3) Loss calculation by label owner, 4) Vertical Backpropagation, 5) Secure Aggregation of updates, 6) Model segment updates.
- Orchestration: Typically dictated by the label owner or a central coordinator.
- Framework Role: This protocol is the core logic implemented by Vertical FL frameworks like FATE or TensorFlow Federated for vertical scenarios.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us