Delegated PSI is a private set intersection variant where the computationally intensive operations are outsourced to a third-party server without the server learning the private inputs or the intersection result. This architecture allows two resource-constrained clients to compute the overlap between their datasets by leveraging a powerful but untrusted cloud server, while maintaining cryptographic guarantees that the server remains completely oblivious to both the raw data and the final output.
Glossary
Delegated PSI

What is Delegated PSI?
A cryptographic protocol variant that offloads the heavy computation of private set intersection to an untrusted third-party server without revealing the private input sets or the final intersection result to that server.
The protocol typically relies on a combination of homomorphic encryption and oblivious pseudorandom functions to ensure the server can process encrypted data without decryption. Unlike standard two-party PSI, delegated PSI reduces the client-side computational burden to near-constant complexity, making it practical for mobile devices or thin clients performing contact discovery or private record linkage against large remote databases.
Key Features of Delegated PSI
Delegated Private Set Intersection offloads the heavy cryptographic lifting to a powerful third-party server without compromising the confidentiality of the inputs or the final result.
Computational Offloading
The core value proposition is shifting O(n) or O(n log n) cryptographic operations from weak clients to a robust server. Clients perform only lightweight, constant-time operations—typically a single round of encryption or hashing—while the server handles the heavy comparison logic.
- Client Complexity: O(1) or O(output size)
- Server Role: Executes the secure comparison protocol on behalf of clients
- Benefit: Enables PSI on mobile devices, IoT sensors, and browser-based applications
Server Unawareness Guarantee
The delegated server learns nothing about the private input sets or the resulting intersection. This is enforced through cryptographic blinding: clients mask their data with secret keys before transmission.
- Input Privacy: Server sees only randomized or encrypted representations
- Output Privacy: Intersection result is encrypted so only the authorized client can decrypt it
- Mechanism: Typically achieved via Oblivious Pseudorandom Functions (OPRF) or Homomorphic Encryption (HE) evaluated by the server on blinded inputs
Dual-Client Delegation Model
In the standard two-party setting, both clients delegate computation to a single server. Each client independently blinds their set and sends it to the server, which computes the intersection over the blinded representations and returns the encrypted result.
- Symmetric Delegation: Both parties benefit equally from offloading
- Non-Collusion Assumption: Security typically relies on the server not colluding with either client
- Use Case: Two hospitals delegating patient record matching to a cloud server without revealing their full patient rosters
Single-Client Outsourcing Variant
A variant where one party is resource-constrained and delegates to a server, while the other party runs the full protocol. The server acts as a proxy for the weak client.
- Asymmetric Model: Only one client benefits from delegation
- Server-Client Interaction: Server and strong party execute a standard PSI protocol on behalf of the weak client
- Application: A mobile app (weak client) querying a corporate database (strong party) for contact discovery, with a cloud server performing the heavy matching
Verifiability of Computation
Advanced delegated PSI protocols incorporate verifiable computation to ensure the server performed the intersection correctly and didn't return a falsified or incomplete result.
- Proof Generation: Server produces a cryptographic proof of correct execution
- Client Verification: Client checks the proof in sub-linear time without re-executing the protocol
- Techniques: Leverages Zero-Knowledge Proofs (ZKPs) or Verifiable Polynomial Delegation to guarantee integrity without sacrificing privacy
Multi-Key Homomorphic Encryption Backend
Many delegated PSI constructions use Multi-Key Fully Homomorphic Encryption (MK-FHE) or Threshold HE, where clients encrypt under independent keys and the server evaluates the intersection circuit directly on the combined ciphertexts.
- Key Independence: Each client uses their own secret key; no shared key setup required
- Distributed Decryption: The final result can only be decrypted through a collaborative protocol among authorized parties
- Advantage: Eliminates the need for clients to be online simultaneously during the server's computation phase
Frequently Asked Questions
Clear answers to common questions about delegated private set intersection, a variant that offloads computation to third-party servers without compromising data privacy.
Delegated PSI is a variant of private set intersection where the computationally intensive operations are outsourced to one or more third-party servers without those servers learning the private inputs or the intersection result. In a standard two-party PSI, both data owners must remain online and perform cryptographic operations proportional to their set sizes. Delegated PSI shifts this burden to a cloud server or service provider. The protocol works by having the data owners encrypt or mask their sets using secret keys, then transmit the protected data to the server. The server performs the heavy matching computation over the encrypted or encoded representations and returns the result to the authorized parties. Crucially, the server remains oblivious to the underlying plaintext values and the final intersection. This is achieved through techniques such as homomorphic encryption, oblivious pseudorandom functions (OPRF) , or garbled circuits combined with secret sharing. For example, in a typical construction, each client applies a one-way function keyed with their own secret to their set elements, sends the hashed values to the server, and the server computes the intersection over the doubly-encrypted domain. Only the clients who hold the corresponding keys can decrypt the result. Delegated PSI is particularly valuable for mobile contact discovery, where a lightweight client delegates matching to a server without revealing their address book, and for collaborative analytics across multiple hospitals that lack the infrastructure to run heavyweight cryptographic protocols directly.
Real-World Applications of Delegated PSI
Delegated PSI shifts the heavy cryptographic lifting to powerful cloud servers without exposing sensitive data. Here are the key scenarios where this architecture unlocks privacy-preserving collaboration at scale.
Cross-Institutional Healthcare Analytics
Hospitals and research centers use Delegated PSI to identify overlapping patient cohorts for clinical trials without revealing their full patient rosters. A semi-trusted cloud server performs the heavy cryptographic matching.
- Input: Encrypted patient identifiers from multiple institutions
- Computation: Delegated server finds intersections obliviously
- Output: Only authorized researchers learn the matching cohort size and labels
This enables multi-site studies while maintaining HIPAA compliance and patient privacy.
Financial Fraud Consortiums
Banks collaborate to detect fraudulent accounts and money laundering rings by privately intersecting their transaction watchlists. Delegated PSI allows a third-party auditor to run the intersection without accessing raw customer data.
- Setup: Each bank encrypts its suspicious entity list
- Delegation: Cloud server computes overlaps across all institutions
- Outcome: Consortium learns shared fraud indicators without exposing proprietary customer bases
This preserves competitive confidentiality while strengthening collective defense against financial crime.
Mobile Device Private Keyword Matching
A resource-constrained smartphone can delegate PSI computation to a cloud server to check if locally typed keywords match a sensitive server-side database, such as a content moderation blocklist or threat intelligence feed.
- Client: Generates encrypted query from local input
- Delegated Server: Performs heavy OT-based matching against the database
- Result: Phone learns only if a match exists, server learns nothing
This offloads battery-draining cryptography while keeping user keystrokes and server blocklists mutually private.
Supply Chain Risk Assessment
Manufacturers and suppliers use Delegated PSI to check for sanctioned entities or prohibited materials across their partner networks. A neutral cloud platform runs the intersection without exposing each company's full supplier list.
- Input: Encrypted supplier identifiers and material codes
- Computation: Delegated server cross-references against compliance databases
- Output: Companies learn only about overlapping risks
This enables regulatory compliance across complex multi-tier supply chains without revealing competitive sourcing strategies.
Advertising Conversion Measurement
Advertisers and publishers use Delegated PSI to measure campaign conversion rates by intersecting user impression logs with purchase records, all processed by a neutral measurement service.
- Ad Platform: Uploads encrypted impression data
- Advertiser: Uploads encrypted conversion data
- Delegated Server: Computes intersection cardinality and aggregate metrics
This delivers accurate attribution analytics without exposing individual user behavior to either party, aligning with privacy-preserving ad tech standards.
Delegated PSI vs. Standard PSI vs. FHE-Based PSI
Architectural and performance comparison of three private set intersection paradigms for outsourced computation scenarios.
| Feature | Delegated PSI | Standard PSI | FHE-Based PSI |
|---|---|---|---|
Computation Model | Outsourced to third-party server | Direct two-party interaction | Computation on encrypted data |
Server Learns Intersection | |||
Client Computation | O(set size) lightweight ops | O(set size) cryptographic ops | O(set size) encryption ops |
Round Complexity | 2-3 rounds | 2-4 rounds | 1-2 rounds |
Communication Complexity | O(n log n) | O(n) | O(n log n) to O(n²) |
Requires Trusted Hardware | |||
Post-Quantum Ready | Depends on underlying primitives | Depends on underlying primitives | |
Bandwidth Efficiency | High (server handles heavy lifting) | Moderate | Low (large ciphertext expansion) |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Delegated PSI relies on a constellation of cryptographic primitives and architectural patterns to securely outsource computation. These related terms define the building blocks and threat models essential to understanding the protocol's design.
Oblivious Pseudorandom Function (OPRF)
A foundational protocol where a client learns the output of a pseudorandom function keyed by a server on the client's input. The server remains oblivious to the input, and the client learns nothing about the server's key. In delegated PSI, OPRFs are often used to blind elements before sending them to the untrusted third-party server, preventing the server from brute-forcing the underlying data.
Malicious Security
A cryptographic security model that guarantees protocol correctness and privacy even when an adversary arbitrarily deviates from the protocol specification. For delegated PSI, this is critical because the delegated server is inherently untrusted. A protocol with malicious security ensures the server cannot cheat by returning a false intersection or attempting to extract private inputs without detection.
Semi-Honest Security
A security model where all parties follow the protocol correctly but may attempt to learn additional information from the transcript. In delegated PSI, a semi-honest server executes the computation faithfully but is curious about the data. This model offers a baseline efficiency-security trade-off, often resulting in faster protocols than those requiring full malicious security.
Vector OLE (VOLE)
A cryptographic primitive that allows two parties to generate a long vector of correlated oblivious linear evaluations. VOLE serves as a fast, low-communication foundation for modern high-performance PSI protocols. In delegated settings, VOLE-based constructions can significantly reduce the computational load on the client, making them ideal for outsourcing to a powerful but untrusted server.
Asymmetric PSI
A variant of private set intersection where only one party learns the intersection result while the other party learns nothing. This is the natural model for delegated PSI, where the client or a designated receiver learns the intersection, but the delegated server performing the heavy computation must remain completely oblivious to the output and the private inputs.
Communication Complexity
A measure of the total amount of data exchanged between parties during a protocol execution. A primary goal of delegated PSI is to minimize communication between the resource-constrained client and the server. Efficient protocols shift the burden to computation on the server side while keeping the client's upload and download sizes minimal, often linear only in the client's set size.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us