Private set intersection (PSI) is a cryptographic protocol within secure multi-party computation that allows two or more parties, each holding a private dataset, to compute the intersection of their sets—discovering which items they have in common—without revealing any information about items that are not in the intersection. This ensures that parties learn only the overlapping elements and nothing else about the other's private data, providing a strong privacy guarantee for collaborative analysis, fraud detection, and contact tracing.
Glossary
Private Set Intersection

What is Private Set Intersection?
Private set intersection (PSI) is a foundational secure multi-party computation protocol for privacy-preserving data collaboration.
The protocol operates by having each party encrypt or cryptographically encode their set elements. Through a series of oblivious transfers and homomorphic operations, the parties can compare these encoded values to identify matches. Modern PSI protocols, such as those based on Diffie-Hellman key exchange or oblivious pseudorandom functions, are highly efficient, enabling intersections of million-item sets in seconds. This makes PSI a critical enabler for privacy-preserving machine learning, secure data sharing in regulated industries, and confidential database queries.
Key Properties of PSI Protocols
Private Set Intersection protocols are defined by a core set of cryptographic properties that determine their security, efficiency, and suitability for different applications. These properties govern what information is revealed and what remains concealed during the computation.
Correctness
A PSI protocol is correct if, when all parties follow the protocol honestly, the output is guaranteed to be the exact intersection of the input sets. This is a fundamental requirement, ensuring the protocol's utility. Any deviation from the true intersection constitutes a failure. Protocols are mathematically proven to satisfy this property under standard cryptographic assumptions (e.g., the hardness of the Decisional Diffie-Hellman problem).
Privacy (Security)
This is the core security guarantee. A PSI protocol provides privacy if no party learns any information about elements in the other party's set that are not in the final intersection. Beyond the intersection itself, the protocol should reveal:
- No information about the size of the other party's set (unless this is inherent to the use case).
- No information about which specific non-intersecting elements the other party holds.
The formal security definition is typically simulation-based security, meaning an adversary's view of the protocol can be simulated using only the allowed output (the intersection), proving nothing else is leaked.
Unbalanced PSI Optimization
In many real-world scenarios (e.g., a client querying a large server database), set sizes are highly unbalanced. Specialized protocols optimize for this case, prioritizing the smaller party's computational cost. Key techniques include:
- Cuckoo Hashing & Simple Hashing: The larger set is placed into a data structure (like a Cuckoo hash table), allowing the smaller party to perform work proportional mainly to its own set size.
- Oblivious Transfer Extensions: Used in efficient protocols like KKRT16, these allow the retrieval of intersection information with communication cost linear in the smaller set. These optimizations make PSI practical for scenarios like checking a small list of compromised credentials against a billion-user database.
Malicious vs. Semi-Honest Security
PSI protocols are analyzed under different adversarial models:
- Semi-Honest (Passive) Security: Assumes parties follow the protocol but may try to learn extra information from the messages they receive. Most practical, high-performance PSI protocols provide this level of security.
- Malicious (Active) Security: Protects against parties who may arbitrarily deviate from the protocol (e.g., sending malformed messages) to cheat or extract more information. Malicious-secure protocols exist but incur significant performance overhead (often 10-100x) due to the need for zero-knowledge proofs or cut-and-choose techniques to enforce honest behavior.
Computational & Communication Complexity
The practical feasibility of PSI is determined by its resource requirements:
- Computational Complexity: Measured in cryptographic operations (e.g., public-key operations, symmetric encryptions). Modern protocols aim for linear complexity O(n) in the set sizes, with the constant factors being critical. Fastest semi-honest protocols primarily use efficient symmetric cryptography (AES, hash functions).
- Communication Complexity: The total data sent between parties. State-of-the-art protocols achieve communication that is linear in the set sizes. For example, the ECNRR18 protocol requires sending roughly 1-2 bits per item in the larger set. Low communication is essential for high-latency networks.
Intersection Size & Cardinality
PSI variants provide different output guarantees, trading privacy for functionality:
- Standard PSI: Outputs the actual intersecting elements.
- PSI-Cardinality (PSI-CA): Reveals only the number of intersecting items (
|A ∩ B|), not the items themselves. This offers greater privacy for analytics (e.g., measuring audience overlap). - PSI with Data Transfer: Upon intersection, one party can also retrieve associated data for the intersecting items from the other party's set (e.g., not just that a patient ID matches, but also retrieving associated medical codes). This is crucial for many applied use cases.
PSI vs. Related Privacy Techniques
A feature and application comparison of Private Set Intersection against other core privacy-preserving technologies used in machine learning and data analysis.
| Feature / Characteristic | Private Set Intersection (PSI) | Federated Learning | Homomorphic Encryption | Differential Privacy |
|---|---|---|---|---|
Primary Goal | Compute intersection of private sets | Train a shared model on decentralized data | Compute on encrypted data | Limit privacy loss from aggregate queries |
Data Movement | Parties exchange cryptographic messages | Only model updates (gradients) are shared | Encrypted data is sent to a server for processing | Raw or aggregated data is sent to a curator |
Output Revealed | Only the intersection set | Only the final trained model parameters | Only the encrypted computation result | A noisy statistical answer |
Trust Model | Distrustful parties (multi-party computation) | Semi-honest server, honest clients | Untrusted server, trusted client for decryption | Trusted data curator |
Cryptographic Basis | Oblivious Transfer, Public-Key Crypto | Secure Aggregation, MPC optional | Lattice-based cryptography | Randomized algorithm (e.g., Laplace noise) |
Typical Latency/Overhead | Moderate (seconds) | High (hours/days for training rounds) | Very High (orders of magnitude slower) | Low (negligible noise addition) |
Use Case in RAG/Retrieval | Private deduplication, secure join for retrieval | Training a retriever on siloed data | Encrypted search over sensitive documents | Publishing anonymized query logs or metrics |
Protects Against Honest-but-Curious Server? | N/A (assumes trusted curator) |
Frequently Asked Questions
Private set intersection (PSI) is a foundational cryptographic protocol for secure, multi-party data collaboration. These FAQs address its core mechanisms, applications, and how it integrates with modern privacy-preserving machine learning architectures.
Private Set Intersection (PSI) is a cryptographic protocol within secure multi-party computation (MPC) that allows two or more parties, each holding a private set of data, to compute the intersection of their sets without revealing any information about items that are not in the intersection. It works by having parties encrypt or encode their data using a commutative cryptographic scheme, such as Diffie-Hellman key exchange or oblivious transfer, allowing them to compute an encrypted representation of the intersection that only the intended recipient can decrypt. For example, in a basic two-party PSI using Diffie-Hellman, each party hashes their items, raises them to a secret exponent, and exchanges the results; the intersection is revealed by comparing the transformed values after a second round of exponentiation with the other party's secret key.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Private Set Intersection (PSI) is a core cryptographic primitive within a broader ecosystem of techniques designed to compute on sensitive data without exposing it. These related protocols and frameworks enable secure collaboration, training, and inference.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us