Scalable private set intersection based on ot extension

Benny Pinkas, Thomas Schneider, Michael Zohner

Research output: Contribution to journalArticlepeer-review

182 Scopus citations


Private set intersection (PSI) allows two parties to compute the intersection of their sets without revealing any information about items that are not in the intersection. It is one of the best studied applications of secure computation and many PSI protocols have been proposed. However, the variety of existing PSI protocols makes it difficult to identify the solution that performs best in a respective scenario, especially since they were not compared in the same setting. In addition, existing PSI protocols are several orders of magnitude slower than an insecure naive hashing solution, which is used in practice. In this article, we review the progress made on PSI protocols and give an overview of existing protocols in various security models. We then focus on PSI protocols that are secure against semi-honest adversaries and take advantage of the most recent efficiency improvements in Oblivious Transfer (OT) extension, propose significant optimizations to previous PSI protocols, and suggest a new PSI protocol whose runtime is superior to that of existing protocols. We compare the performance of the protocols, both theoretically and experimentally, by implementing all protocols on the same platform, give recommendations on which protocol to use in a particular setting, and evaluate the progress on PSI protocols by comparing them to the currently employed insecure naive hashing protocol. We demonstrate the feasibility of our new PSI protocol by processing two sets with a billion elements each.

Original languageEnglish
Article number7
JournalACM Transactions on Privacy and Security
Issue number2
StatePublished - Jan 2018

Bibliographical note

Publisher Copyright:
© 2018 ACM.


This article is a combined and extended version of Pinkas et al. (2014) (USENIX’14) and Pinkas et al. (2015) (USENIX 2015) with substantial improvements summarized in Section 1.4. This article was supported by the European Union’s 7th Framework Program (FP7/2007-2013) under Grant Agreement No. 609611 (PRACTICE), by the DFG as part of Project E4 within the CRC 1119 CROSSING, by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE and CRISP, by the Hessian LOEWE excellence initiative within CASED, by a grant from the Israel Ministry of Science and Technology (Grant No. 3-9094), by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office, and by the National Science Foundation, under Grant No. CNS-0435060, Grant No. CCR-0325197 and Grant EN-CS-0329609. We thank Oleksandr Tkachenko for the implementation of the PSI protocol for billion-element sets. Authors’ addresses: B. Pinkas, Center for Research in Applied Cryptography and Cyber Security, Bar-Ilan University, 5290002, Ramat-Gan, Israel; T. Schneider and M. Zohner, Center for Research in Security and Privacy, TU Darmstadt, Mornewegstraße 30, 64289 Darmstadt, Germany. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. © 2018 ACM 2471-2566/2018/01-ART7 $15.00

FundersFunder number
National Science FoundationCCR-0325197, CNS-0435060, EN-CS-0329609
Seventh Framework Programme609611
European Commission
Deutsche Forschungsgemeinschaft
Bundesministerium für Bildung und Forschung
Ministry of science and technology, Israel3-9094


    • Anonymity and untraceability
    • Privacy-preserving protocols
    • Pseudonymity


    Dive into the research topics of 'Scalable private set intersection based on ot extension'. Together they form a unique fingerprint.

    Cite this