Cryptology ePrint Archive: Report 2016/930

Scalable Private Set Intersection Based on OT Extension

Benny Pinkas and Thomas Schneider and Michael Zohner

Abstract: Private set intersection (PSI) allows two parties to compute the intersection of their sets without revealing any information about items that are not in the intersection. It is one of the best studied applications of secure computation and many PSI protocols have been proposed. However, the variety of existing PSI protocols makes it difficult to identify the solution that performs best in a given scenario, especially since they were not compared in the same setting. In addition, existing PSI protocols are several orders of magnitude slower than an insecure naive hashing solution which is used in practice. In this work, we review the progress made on PSI protocols and give an overview of existing protocols in various security models. We then focus on PSI protocols that are secure against semi-honest adversaries and take advantage of the most recent efficiency improvements in OT extension, propose significant optimizations to previous PSI protocols, and suggest a new PSI protocol whose run-time is superior to that of existing protocols. We compare the performance of the protocols both theoretically and experimentally by implementing all protocols on the same platform, give recommendations on which protocol to use in a particular setting, and evaluate the progress on PSI protocols by comparing them to the currently employed insecure naive hashing protocol. We demonstrate the feasibility of our new PSI protocol by processing two sets with a billion elements each.

Category / Keywords: implementation / oblivious transfer; private set intersection

Date: received 26 Sep 2016

Contact author: michael zohner at crisp-da de


Note: This article is an extended and improved version of the conference publications at USENIX Security 2014 and 2015, online at and, respectively. We summarize our contributions over the conference papers in Section 1.4.

Version: 20160927:212448
