Inferensys

Glossary

Private Set Intersection (PSI)

Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties to compute the intersection of their private datasets without revealing any information about items not in the intersection.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CRYPTOGRAPHIC PROTOCOL

What is Private Set Intersection (PSI)?

Private Set Intersection (PSI) is a foundational cryptographic protocol enabling secure, privacy-preserving data collaboration, primarily used for entity alignment in federated learning systems.

Private Set Intersection (PSI) is a cryptographic protocol that allows two or more mutually distrusting parties to compute the intersection of their private datasets—such as lists of user identifiers—without revealing any information about items not in the intersection. This ensures that parties learn only the common elements, with all other data remaining confidential. PSI is a critical privacy-enhancing technology (PET) for initializing collaborative workflows like Vertical Federated Learning (VFL), where aligning entities across different data owners is the first step.

The protocol operates by having each party encrypt or hash their dataset using a commutative cryptographic scheme, then securely compare these transformed values. Modern PSI protocols, such as those based on Diffie-Hellman key exchange or homomorphic encryption, are highly efficient, often requiring communication linear only to the set sizes. In VFL, PSI enables secure entity resolution, allowing a label owner and feature owners to identify their overlapping customers for training without exposing their entire client lists, thus preserving commercial confidentiality and user privacy from the outset.

PRIVATE SET INTERSECTION

Core Properties of PSI Protocols

Private Set Intersection (PSI) protocols are defined by a set of fundamental cryptographic properties that guarantee privacy and correctness during the computation of shared elements between private datasets.

01

Privacy (Input Confidentiality)

The primary guarantee of a PSI protocol. It ensures that no party learns anything about the other party's set elements except for the items in the intersection. A secure protocol reveals nothing about the size or contents of non-intersecting items.

  • Strong Guarantee: Even if one party's set contains a single, highly sensitive element not in the intersection, the other party cannot infer its existence or value.
  • Formal Models: Security is proven under standard cryptographic models like the semi-honest (honest-but-curious) or malicious adversarial models, defining what an adversarial party is allowed to do.
02

Correctness

The protocol must correctly compute the intersection. All items that are truly common to both input sets must be in the output, and no items that are not common should appear.

  • Deterministic Output: For given input sets, the output intersection is always the same.
  • Handling Errors: Protocols must be robust against communication failures or cryptographic errors to maintain correctness. Some advanced PSI variants introduce a controlled, negligible error rate for performance gains, but this is explicitly defined (e.g., in PSI with False Positives).
03

Efficiency & Scalability

Practical PSI protocols must be computationally feasible and scale to large sets (millions or billions of items). Performance is measured along three key axes:

  • Computational Complexity: The time required for cryptographic operations (e.g., public-key encryptions, elliptic curve operations). Modern PSI-CA (Circuit-based) and PSI-DDH (Diffie-Hellman based) protocols offer near-linear complexity.
  • Communication Overhead: The total amount of data sent between parties. Efficient protocols have communication costs linear in the set sizes, not quadratic.
  • Round Complexity: The number of sequential back-and-forth messages. Single-round or two-round protocols are preferred for low-latency environments.
04

Unbalanced Set Support

A critical property for real-world applications where one party's set (e.g., a service provider's user database) is vastly larger than the other's (e.g., a client's list). Efficient protocols handle this asymmetry.

  • Example: A hospital (large set of patient records) intersecting with a research institute (small set of study participants).
  • Protocol Adaptation: Specialized constructions like PSI with Unbalanced Sets optimize computation and communication relative to the size of the smaller set, often using techniques like Cuckoo hashing and Garbled Bloom Filters.
05

Output Variants

PSI is not a single operation; different protocol variants provide different output formats to suit application needs.

  • Plain PSI: Outputs the actual intersecting items.
  • PSI-Cardinality (PSI-CA): Outputs only the number of intersecting items, not the items themselves, offering an extra layer of privacy.
  • PSI with Data Transfer: Upon intersection, one party can securely transfer payload data associated with the intersecting keys to the other party (e.g., transferring user attributes after matching IDs).
  • Threshold PSI: Reveals the intersection only if its size exceeds a predefined threshold, preventing inference from small matches.
06

Security Model Adherence

Protocols are designed and proven secure under specific assumptions about participant behavior.

  • Semi-Honest Security: Assumes parties follow the protocol but may try to learn extra information from the messages they receive. This is the most common model for business collaboration scenarios.
  • Malicious Security: Protects against parties who may arbitrarily deviate from the protocol to cheat or learn private data. These protocols are more complex and costly but essential for high-stakes or adversarial environments.
  • Composability: A desirable property where the protocol remains secure even when run concurrently with other instances or as part of a larger system (e.g., within a Vertical Federated Learning pipeline for entity alignment).
CRYPTOGRAPHIC PROTOCOL

How Does Private Set Intersection Work?

Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration, enabling secure entity alignment in federated learning.

Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties to compute the intersection of their private datasets—such as lists of user IDs—without revealing any information about items not in the intersection. It is a privacy-enhancing technology critical for the initial entity alignment phase in Vertical Federated Learning (VFL), where different organizations hold different features about overlapping entities but cannot directly share their raw identifier lists. By revealing only the common elements, PSI establishes a secure, aligned dataset for subsequent collaborative model training.

The core mechanism often involves homomorphic encryption or oblivious transfer techniques. One party encrypts its set elements and sends them to another, who performs computations on the encrypted values to determine matches without learning the underlying plaintext. This process ensures input privacy for all participants. For VFL, after PSI aligns the entities, the parties proceed with a split neural network architecture, where each computes on its local feature subset, passing only encrypted intermediate outputs to coordinate training without exposing the raw, vertically partitioned data.

PRIVATE SET INTERSECTION

Primary Use Cases for PSI

Private Set Intersection (PSI) is a foundational cryptographic protocol enabling secure, privacy-preserving collaboration. Its primary applications center on enabling joint computation and analysis where data cannot be directly shared.

01

Entity Alignment for VFL

PSI is the critical first step in Vertical Federated Learning (VFL), allowing two or more parties to securely identify their overlapping users or entities without revealing their entire datasets. This enables the creation of a virtual aligned dataset for training, where each party contributes different features about the same users.

  • Process: A healthcare provider (with diagnoses) and a pharmacy (with prescriptions) use PSI to find their common patients.
  • Outcome: They can train a model predicting readmission risk without ever exposing the full patient lists of either party.
02

Fraud Detection & Threat Intelligence

Financial institutions and cybersecurity firms use PSI to collectively identify malicious actors while protecting customer privacy and proprietary threat lists. By computing the intersection of private sets of fraudulent transaction IDs, IP addresses, or compromised accounts, participants can gain a comprehensive view of threats.

  • Key Benefit: Dramatically improves detection rates by pooling intelligence.
  • Privacy Guarantee: A bank learns only if a specific account appears on another's blocklist, not the entire list.
03

Private Contact Tracing & Health Analytics

PSI enables privacy-centric public health initiatives. During an outbreak, individuals' devices can use PSI to determine if they have been in proximity to a confirmed case without revealing their location history or identity. Similarly, research institutions can compute disease prevalence across regions without sharing sensitive patient rosters.

  • Mechanism: Devices exchange encrypted, ephemeral identifiers; only matches (contacts) are revealed.
  • Compliance: Aligns with regulations like HIPAA by minimizing data exposure.
04

Secure Ad Conversion Measurement

Advertisers and publishers leverage PSI to measure campaign effectiveness—such as calculating how many users who saw an ad later made a purchase—without building cross-site user profiles. The advertiser (with purchase records) and the publisher (with ad impression logs) compute the intersection of their user IDs.

  • Industry Shift: Moves away from third-party cookies and pervasive tracking.
  • Output: The advertiser learns only the aggregate conversion count, not which specific users converted.
05

Genomic Research & Collaborative Discovery

Research hospitals and biobanks use PSI to find patients with specific genetic markers across institutions without disclosing full genomic sequences. This enables cohort discovery for clinical trials or genome-wide association studies (GWAS) while preserving patient confidentiality.

  • Precision: Can intersect sets based on specific variant carriers (e.g., BRCA1 mutation).
  • Scale: Modern PSI protocols can efficiently handle sets containing millions of genetic identifiers.
06

Supply Chain & Inventory Optimization

Companies in a supply chain can use PSI to identify shared bottlenecks, like commonly out-of-stock parts, without revealing full inventory or supplier lists. A manufacturer and a distributor can find intersecting part numbers that are critically low, enabling proactive coordination.

  • Business Intelligence: Reveals overlapping dependencies without exposing competitive sourcing data.
  • Efficiency: Reduces the need for manual, trust-based data-sharing agreements.
FEATURE COMPARISON

PSI vs. Related Privacy Technologies

A technical comparison of Private Set Intersection (PSI) with other cryptographic and statistical methods used for privacy-preserving data collaboration, highlighting core mechanisms, guarantees, and typical use cases.

Feature / AspectPrivate Set Intersection (PSI)Secure Multi-Party Computation (MPC)Homomorphic Encryption (HE)Differential Privacy (DP)

Primary Cryptographic Foundation

Oblivious Transfer, Public-Key Crypto, or OT-based PSI

Garbled Circuits, Secret Sharing, or Oblivious Transfer

Lattice-based cryptography (e.g., CKKS, BFV)

Statistical noise addition (Laplace, Gaussian)

Core Privacy Guarantee

Reveals only the intersection; all other set elements remain hidden

Reveals only the output of a joint function; all inputs remain private

Computations performed on encrypted data; plaintext never exposed

Formal mathematical guarantee against membership inference

Typical Output

Set of common identifiers (e.g., matched user IDs)

Arbitrary function output (e.g., sum, average, model parameters)

Encrypted result of a computation (requires decryption)

Noisy aggregate statistic (e.g., count, mean) or model

Communication Complexity

Linear or sublinear in set size (e.g., O(n))

Often high, depends on circuit complexity of function

Very high due to ciphertext size expansion

Low to moderate (transmits noisy data/updates)

Computation Overhead

Moderate (public-key operations per element)

High (circuit evaluation or interactive protocols)

Extremely high (polynomial operations on ciphertexts)

Low (primarily noise generation and addition)

Supports Arbitrary Joint Computations

Preserves Exact Output (No Noise)

Primary Use Case in Federated Learning

Privacy-preserving entity alignment for VFL

Secure aggregation of model updates (horizontal FL)

Training on encrypted data (e.g., encrypted gradient aggregation)

Adding formal privacy bounds to client updates

Resistant to Auxiliary Information Attacks

Common Threat Model

Semi-honest (honest-but-curious) adversaries

Semi-honest or malicious (with additional protocols)

Semi-honest (cryptographic security)

Curious analyst or data aggregator

PRIVATE SET INTERSECTION

Frequently Asked Questions

Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration. These FAQs address its core mechanisms, applications, and role within Vertical Federated Learning.

Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties, each holding a private set of data (e.g., lists of user IDs), to compute the intersection of their sets—discovering which items they have in common—without revealing any information about items that are not in the intersection. It works by having parties transform their data using agreed-upon cryptographic primitives (like hash functions, oblivious transfer, or public-key encryption) in a way that only matching items produce identical, comparable outputs. For example, in a common public-key-based PSI protocol, one party encrypts its set using a public key and sends it to another party, who then processes these ciphertexts with its own set using homomorphic properties or blinding techniques. The result is a set of processed values that can only be decrypted or matched if the underlying plaintext items were identical, thereby revealing the intersection while keeping all non-matching items cryptographically hidden.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.