Inferensys

Glossary

Private Set Intersection

Private Set Intersection (PSI) is a secure multi-party computation protocol that allows two or more parties to compute the intersection of their private datasets without revealing any information about items that are not in the intersection.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CRYPTOGRAPHIC PROTOCOL

What is Private Set Intersection?

Private set intersection (PSI) is a foundational secure multi-party computation protocol for privacy-preserving data collaboration.

Private set intersection (PSI) is a cryptographic protocol within secure multi-party computation that allows two or more parties, each holding a private dataset, to compute the intersection of their sets—discovering which items they have in common—without revealing any information about items that are not in the intersection. This ensures that parties learn only the overlapping elements and nothing else about the other's private data, providing a strong privacy guarantee for collaborative analysis, fraud detection, and contact tracing.

The protocol operates by having each party encrypt or cryptographically encode their set elements. Through a series of oblivious transfers and homomorphic operations, the parties can compare these encoded values to identify matches. Modern PSI protocols, such as those based on Diffie-Hellman key exchange or oblivious pseudorandom functions, are highly efficient, enabling intersections of million-item sets in seconds. This makes PSI a critical enabler for privacy-preserving machine learning, secure data sharing in regulated industries, and confidential database queries.

CRYPTOGRAPHIC GUARANTEES

Key Properties of PSI Protocols

Private Set Intersection protocols are defined by a core set of cryptographic properties that determine their security, efficiency, and suitability for different applications. These properties govern what information is revealed and what remains concealed during the computation.

01

Correctness

A PSI protocol is correct if, when all parties follow the protocol honestly, the output is guaranteed to be the exact intersection of the input sets. This is a fundamental requirement, ensuring the protocol's utility. Any deviation from the true intersection constitutes a failure. Protocols are mathematically proven to satisfy this property under standard cryptographic assumptions (e.g., the hardness of the Decisional Diffie-Hellman problem).

02

Privacy (Security)

This is the core security guarantee. A PSI protocol provides privacy if no party learns any information about elements in the other party's set that are not in the final intersection. Beyond the intersection itself, the protocol should reveal:

  • No information about the size of the other party's set (unless this is inherent to the use case).
  • No information about which specific non-intersecting elements the other party holds.

The formal security definition is typically simulation-based security, meaning an adversary's view of the protocol can be simulated using only the allowed output (the intersection), proving nothing else is leaked.

03

Unbalanced PSI Optimization

In many real-world scenarios (e.g., a client querying a large server database), set sizes are highly unbalanced. Specialized protocols optimize for this case, prioritizing the smaller party's computational cost. Key techniques include:

  • Cuckoo Hashing & Simple Hashing: The larger set is placed into a data structure (like a Cuckoo hash table), allowing the smaller party to perform work proportional mainly to its own set size.
  • Oblivious Transfer Extensions: Used in efficient protocols like KKRT16, these allow the retrieval of intersection information with communication cost linear in the smaller set. These optimizations make PSI practical for scenarios like checking a small list of compromised credentials against a billion-user database.
04

Malicious vs. Semi-Honest Security

PSI protocols are analyzed under different adversarial models:

  • Semi-Honest (Passive) Security: Assumes parties follow the protocol but may try to learn extra information from the messages they receive. Most practical, high-performance PSI protocols provide this level of security.
  • Malicious (Active) Security: Protects against parties who may arbitrarily deviate from the protocol (e.g., sending malformed messages) to cheat or extract more information. Malicious-secure protocols exist but incur significant performance overhead (often 10-100x) due to the need for zero-knowledge proofs or cut-and-choose techniques to enforce honest behavior.
05

Computational & Communication Complexity

The practical feasibility of PSI is determined by its resource requirements:

  • Computational Complexity: Measured in cryptographic operations (e.g., public-key operations, symmetric encryptions). Modern protocols aim for linear complexity O(n) in the set sizes, with the constant factors being critical. Fastest semi-honest protocols primarily use efficient symmetric cryptography (AES, hash functions).
  • Communication Complexity: The total data sent between parties. State-of-the-art protocols achieve communication that is linear in the set sizes. For example, the ECNRR18 protocol requires sending roughly 1-2 bits per item in the larger set. Low communication is essential for high-latency networks.
06

Intersection Size & Cardinality

PSI variants provide different output guarantees, trading privacy for functionality:

  • Standard PSI: Outputs the actual intersecting elements.
  • PSI-Cardinality (PSI-CA): Reveals only the number of intersecting items (|A ∩ B|), not the items themselves. This offers greater privacy for analytics (e.g., measuring audience overlap).
  • PSI with Data Transfer: Upon intersection, one party can also retrieve associated data for the intersecting items from the other party's set (e.g., not just that a patient ID matches, but also retrieving associated medical codes). This is crucial for many applied use cases.
COMPARISON

PSI vs. Related Privacy Techniques

A feature and application comparison of Private Set Intersection against other core privacy-preserving technologies used in machine learning and data analysis.

Feature / CharacteristicPrivate Set Intersection (PSI)Federated LearningHomomorphic EncryptionDifferential Privacy

Primary Goal

Compute intersection of private sets

Train a shared model on decentralized data

Compute on encrypted data

Limit privacy loss from aggregate queries

Data Movement

Parties exchange cryptographic messages

Only model updates (gradients) are shared

Encrypted data is sent to a server for processing

Raw or aggregated data is sent to a curator

Output Revealed

Only the intersection set

Only the final trained model parameters

Only the encrypted computation result

A noisy statistical answer

Trust Model

Distrustful parties (multi-party computation)

Semi-honest server, honest clients

Untrusted server, trusted client for decryption

Trusted data curator

Cryptographic Basis

Oblivious Transfer, Public-Key Crypto

Secure Aggregation, MPC optional

Lattice-based cryptography

Randomized algorithm (e.g., Laplace noise)

Typical Latency/Overhead

Moderate (seconds)

High (hours/days for training rounds)

Very High (orders of magnitude slower)

Low (negligible noise addition)

Use Case in RAG/Retrieval

Private deduplication, secure join for retrieval

Training a retriever on siloed data

Encrypted search over sensitive documents

Publishing anonymized query logs or metrics

Protects Against Honest-but-Curious Server?

N/A (assumes trusted curator)

PRIVATE SET INTERSECTION

Frequently Asked Questions

Private set intersection (PSI) is a foundational cryptographic protocol for secure, multi-party data collaboration. These FAQs address its core mechanisms, applications, and how it integrates with modern privacy-preserving machine learning architectures.

Private Set Intersection (PSI) is a cryptographic protocol within secure multi-party computation (MPC) that allows two or more parties, each holding a private set of data, to compute the intersection of their sets without revealing any information about items that are not in the intersection. It works by having parties encrypt or encode their data using a commutative cryptographic scheme, such as Diffie-Hellman key exchange or oblivious transfer, allowing them to compute an encrypted representation of the intersection that only the intended recipient can decrypt. For example, in a basic two-party PSI using Diffie-Hellman, each party hashes their items, raises them to a secret exponent, and exchanges the results; the intersection is revealed by comparing the transformed values after a second round of exponentiation with the other party's secret key.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.