Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties, each holding a private set of data items, to compute the intersection of their sets without revealing any information about items not in the intersection. This provides a formal privacy guarantee, ensuring that the only information disclosed is the fact that certain items are common to all participants. It is a specialized form of Secure Multi-Party Computation (MPC) designed for set operations, enabling privacy-preserving data collaboration in scenarios like contact tracing, fraud detection, and secure data matching.
Glossary
Private Set Intersection (PSI)

What is Private Set Intersection (PSI)?
Private Set Intersection (PSI) is a foundational cryptographic protocol for secure, multi-party computation, enabling collaborative data analysis while preserving absolute input confidentiality.
Modern PSI protocols leverage advanced cryptographic primitives such as oblivious transfer, homomorphic encryption, and garbled circuits to achieve high efficiency and security. The protocol's output is deterministic—only the intersecting elements are revealed—making it superior to probabilistic techniques like Bloom filters for strong privacy. PSI is a critical tool in privacy-preserving machine learning and synthetic data generation workflows, allowing organizations to identify overlapping data points for joint model training without exposing their proprietary or sensitive source datasets to each other.
Key Characteristics of PSI Protocols
Private Set Intersection (PSI) protocols are defined by their core cryptographic properties and performance trade-offs. These characteristics determine their suitability for different applications, from contact tracing to secure data collaboration.
Privacy Guarantees
PSI protocols provide formal cryptographic security guarantees, typically defined under the semi-honest (honest-but-curious) or malicious adversarial models. The core guarantee is that parties learn only the intersection of their sets. For items not in the intersection, they learn nothing—not even the size of the other party's set, unless the protocol is specifically designed to reveal it. This is stronger than simple data masking, as it prevents inference from the protocol's output pattern.
Computational & Communication Complexity
A primary differentiator between PSI protocols is their scalability, measured in computation (CPU time) and communication (data transferred).
- Early protocols (e.g., based on Diffie-Hellman) had linear communication overhead relative to set size.
- Modern protocols leverage oblivious transfers (OT), homomorphic encryption, or garbled circuits to achieve sub-linear or even constant communication overhead for large sets. Computation is often the bottleneck, with faster protocols using symmetric-key operations (like hashing) instead of expensive public-key cryptography.
Revealed Information (Output)
While the core output is the intersecting items, protocol variants control what auxiliary information is revealed:
- Plain PSI: Reveals only the intersecting items to one or both parties.
- PSI-Cardinality: Reveals only the number of intersecting items, not the items themselves.
- PSI-Sum/PSI with Associated Data: For each intersecting item, also reveals a corresponding aggregated value (e.g., a sum of associated data) from the other party's set.
- Threshold PSI: Reveals the intersection only if its size exceeds a predefined threshold.
Number of Parties
PSI protocols are designed for different collaboration scales:
- Two-Party PSI: The most common and optimized scenario, involving exactly two entities (e.g., a hospital and a research institute).
- Multi-Party PSI (MPSI): Allows three or more parties to compute the common intersection across all their private sets. This is significantly more complex, often requiring a star topology with a central aggregator or sophisticated peer-to-peer cryptographic routines.
Asymmetry & Unbalanced Sets
In many real-world applications, one party has a large set (e.g., a service provider's user database) and the other a small set (e.g., a client's query list). Unbalanced PSI protocols are optimized for this scenario, shifting computational load to the party with the larger set to minimize work for the smaller, often client-side, party. This is crucial for mobile or edge computing applications where client resources are constrained.
Related Cryptographic Primitives
PSI is not an isolated construct; it builds upon and relates to other core privacy-enhancing technologies (PETs):
- Secure Multi-Party Computation (MPC): PSI is a specific function computed under MPC frameworks.
- Oblivious Transfer (OT): A fundamental building block for many high-performance PSI protocols.
- Homomorphic Encryption (HE): Allows set elements to be encrypted and compared without decryption.
- Private Information Retrieval (PIR): Complementary to PSI; PIR hides what is retrieved, while PSI hides everything else.
How Does Private Set Intersection Work?
Private Set Intersection (PSI) is a foundational cryptographic protocol for secure, multi-party computation that enables collaborative data analysis while preserving confidentiality.
Private Set Intersection (PSI) is a cryptographic protocol that allows two or more parties, each holding a private set of data items, to jointly compute the intersection of their sets without revealing any information about items not in the intersection. The core mechanism typically involves each party encrypting or hashing their set elements using a commutative cryptographic function, such as a Diffie-Hellman key exchange or oblivious pseudorandom functions. These transformed values are then exchanged and compared, allowing the intersecting items to be identified while the non-intersecting items remain cryptographically concealed from the other parties.
Modern PSI protocols are optimized for performance and security, often employing techniques like oblivious transfer and homomorphic encryption to minimize communication overhead. The primary security guarantee is that parties learn only the intersecting elements and nothing else, preventing membership inference attacks on the non-shared data. This makes PSI a critical tool for privacy-preserving applications such as contact tracing, fraud detection across financial institutions, and securely joining sensitive databases in compliance with regulations like GDPR, without requiring a trusted third party.
Real-World Applications of Private Set Intersection (PSI)
Private Set Intersection (PSI) moves beyond theory into critical, privacy-first operations. These applications demonstrate how PSI enables collaboration and analysis where data cannot be directly shared.
Contact Tracing for Pandemics
During health crises like COVID-19, PSI protocols enabled decentralized contact tracing without centralized surveillance. Individuals' device logs of proximity encounters could be compared to a health authority's list of diagnosed cases to determine exposure risk, revealing only a binary 'exposed' or 'not exposed' result. This preserved individual location history while providing vital public health information.
- Key Mechanism: Private Information Retrieval (PIR)-style PSI, where the individual's device queries the health authority's set.
- Privacy Guarantee: The health authority learns nothing about an individual's movement patterns unless they are a confirmed case.
- Example: The PACT protocol (Private Automated Contact Tracing) used in several exposure notification systems.
Fraud Detection in Financial Consortiums
Banks and financial institutions use PSI to collaboratively identify fraudulent actors or money laundering patterns without sharing their sensitive customer lists. Each bank holds a private set of account identifiers flagged for suspicious activity. By computing the intersection, the consortium can identify accounts or entities appearing across multiple institutions—a strong indicator of coordinated fraud—while keeping each bank's full internal watchlist confidential.
- Key Benefit: Enables cross-institutional threat intelligence while complying with data protection regulations like GDPR.
- Technical Nuance: Often employs Unbalanced PSI protocols optimized for the scenario where one party (e.g., a regulatory body) has a much smaller set than the other (a large bank).
Genomic Research & Patient Matching
In medical research, PSI allows hospitals or biobanks to find common patients or genomic sequences across institutions to enable larger cohort studies. For instance, a researcher can discover if patients with a specific rare genetic variant exist in multiple private genomic databases. Only the identifiers of matching patients are revealed (with consent), not the full genetic data of non-matches, preserving patient privacy and institutional data sovereignty.
- Application: Accelerating rare disease research by finding sufficient patients across fragmented healthcare systems.
- Related Protocol: Private Set Intersection-Cardinality (PSI-CA) can be used first to determine if a statistically significant overlap exists before revealing specific matches.
Ad Conversion Measurement & Attribution
PSI solves a core privacy challenge in digital advertising: measuring which users who saw an ad later made a purchase, without the advertiser and publisher fully merging their customer lists. The advertiser provides a set of user identifiers who converted (e.g., purchased a product). The publisher (e.g., a social media platform) provides a set of identifiers who were shown the ad. PSI computes the overlap—the conversion rate—without either party learning the other's full list.
- Industry Shift: A foundational technology for privacy-centric advertising models post third-party cookie deprecation.
- Efficiency Requirement: Demands high-performance PSI capable of intersecting sets with millions of entries in near real-time.
Credential & Password Breach Checking
Services like 'Have I Been Pwned' use a form of PSI to allow users to safely check if their passwords or email addresses have been exposed in a data breach. The user submits a transformed version of their credential (e.g., a hash prefix). The service, which holds billions of breached records, performs a private lookup and returns only the information relevant to that user's query. The user's full credential is never sent to the service in plaintext, and the service learns nothing about the user's query if there is no match.
- Protocol Used: Often a client-server PSI with hashing and bloom filters for efficient, private membership testing.
- Security Impact: Prevents users from inadvertently exposing their current passwords to a third-party service during a breach check.
Secure Supply Chain Intelligence
Competing companies in a shared supply chain can use PSI to identify common, high-risk vendors or geopolitical exposures without disclosing their full supplier lists. For example, automotive manufacturers could privately determine if they all rely on a single sub-component factory in a region prone to disruptions. This enables collective risk mitigation and business continuity planning while protecting strategic supplier relationships and competitive information.
- Multi-Party Use Case: Often extends beyond two parties to Multi-Party PSI (MPSI), involving several entities.
- Integration: Can be combined with Secure Multi-Party Computation (MPC) to privately compute aggregate statistics (e.g., total spend) on the intersecting set.
PSI vs. Related Privacy Technologies
A technical comparison of Private Set Intersection (PSI) against other cryptographic and statistical methods for privacy-preserving data analysis, highlighting core mechanisms, security guarantees, and primary use cases.
| Feature / Characteristic | Private Set Intersection (PSI) | Secure Multi-Party Computation (MPC) | Federated Learning | Differential Privacy | Homomorphic Encryption |
|---|---|---|---|---|---|
Core Privacy Goal | Compute set intersection without revealing non-intersecting items. | Jointly compute any function without revealing private inputs. | Train a shared model without centralizing raw training data. | Limit inference about any individual in a dataset from outputs. | Perform computations on encrypted data without decryption. |
Primary Cryptographic/Technical Basis | Oblivious Transfer, Public-Key Cryptography, or Garbled Circuits. | Secret Sharing, Garbled Circuits, or Oblivious Transfer. | Distributed Optimization (e.g., Federated Averaging). | Mathematical noise addition (Laplace, Gaussian). | Algebraic schemes (e.g., BFV, BGV, CKKS). |
Formal Security Guarantee | Computational or information-theoretic security against semi-honest/malicious adversaries. | Computational security defined by ideal/real simulation paradigm. | No inherent formal privacy guarantee; relies on auxiliary techniques. | Mathematically quantifiable (ε, δ) privacy loss bound. | Semantic security of the underlying encryption scheme. |
Data Disclosure | Reveals only the intersection (cardinality or elements). | Reveals only the agreed-upon function output. | Reveals model parameter updates (gradients). | Reveals noisy aggregate statistics or models. | Reveals only encrypted results; decryption reveals final output. |
Typical Computation Overhead | Moderate to High (cryptographic operations per element). | Very High (complexity scales with function circuit size). | Low to Moderate (primarily communication and local training cost). | Low (primarily noise addition). | Extremely High (ciphertext expansion & multiplicative depth). |
Primary Interaction Pattern | Multi-party, often two-party, protocol with direct communication. | Multi-party protocol with interactive rounds of communication. | Central server orchestrating multiple client rounds. | Centralized curator or local (non-interactive). | Non-interactive; client encrypts, server computes, client decrypts. |
Common Use Case | Privacy-preserving contact tracing, fraud detection, data cleanroom matching. | Privacy-preserving auctions, genomic analysis, joint financial calculations. | Training on decentralized data from mobile devices or hospitals. | Releasing aggregate census data or privacy-preserving ML model training. | Outsourced cloud computation on sensitive financial or health data. |
Protects Against Data Reconstruction | |||||
Supports Arbitrary Computations | |||||
Preserves Data Format for Downstream Use |
Frequently Asked Questions
Private Set Intersection (PSI) is a foundational cryptographic protocol for privacy-preserving data collaboration. These questions address its core mechanisms, applications, and relationship to other privacy-enhancing technologies.
Private Set Intersection (PSI) is a cryptographic protocol that allows two or more mutually distrusting parties, each holding a private set of items, to compute the intersection of their sets without revealing any information about items not in the intersection. It works by having each party transform their set elements using a sequence of commutative cryptographic operations, such as applying a hash function and then encrypting the result with a commutative cipher or using oblivious transfer and Diffie-Hellman key exchange-based techniques. The transformed sets are then exchanged and compared, allowing the intersection to be identified while the non-intersecting elements remain indistinguishable from random data to the other party. The core security guarantee is that nothing is learned beyond the agreed-upon output (the intersection itself).
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Private Set Intersection (PSI) is a core cryptographic protocol within privacy-preserving machine learning. These related concepts define the broader ecosystem of techniques for secure, multi-party computation and data protection.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us