D5: SMPC - Secure Multiparty Computation for AI
Secure multiparty computation (SMPC) allows n parties to jointly compute a function f(x1,...,xn) such that each learns only the output and nothing about the others' inputs. Two adversary models: semi-honest (honest but curious: follows the protocol but tries to learn from the transcript) and malicious (can deviate arbitrarily; requires stronger protocols). Additive secret sharing: split secret s into n shares s1...sn that sum to s. Each share is uniformly random. Addition of shared secrets is done locally without communication. Multiplication requires Beaver triples or the GMW protocol, with one communication round. Shamir secret sharing: degree k-1 polynomial with the secret as constant term, n points as shares; any k shares reconstruct via Lagrange interpolation. Garbled circuits (Yao 1982): the garbler encrypts the circuit, assigns random labels to wire values, and encrypts each gate output label under the appropriate pairs of input labels. The evaluator uses oblivious transfer to obtain their input wire labels without the garbler learning which inputs, evaluates gate by gate, and learns only the output labels. One round of communication. Oblivious transfer (OT): the sender holds m0 and m1, the receiver has choice bit b; the receiver gets m_b, the sender learns nothing about b, and the receiver learns nothing about the other message. Foundation of garbled circuits. OT extension (IKNP 2003) makes OT efficient at scale. Beaver triples: random authenticated triples (a,b,c) where c=a*b, generated in the offline phase. Used in the online phase: parties reveal masked x and y (x+a and y+b) and use the triple to compute x*y without revealing x or y. SPDZ protocol: the offline phase generates multiplication triples using FHE or OT and provides authenticated secret sharing. The online phase evaluates the arithmetic circuit with authentication that detects malicious deviations. Private set intersection (PSI): find common elements between two sets without revealing non-common elements. Applications: two hospitals finding common patients without sharing full patient lists, ad attribution without revealing user data. SMPC for AI inference: CrypTen (Meta/Facebook) implements SMPC-based private inference in PyTorch. TF Encrypted wraps TensorFlow. MP-SPDZ implements many MPC protocols. SMPC vs FHE: FHE allows one party to compute on encrypted data held locally; SMPC requires all parties to participate in each computation step with communication. FHE is better for single-party encrypted inference, SMPC for multi-party joint computation. VectaX uses FHE-based Similarity-Preserving Search for single-party encrypted vector search. SMPC complements VectaX when multiple organisations jointly query a shared knowledge base. Track 3D complete: D1 inference attacks, D2 FHE encrypted inference, D3 differential privacy, D4 federated learning, D5 SMPC.
Duration: 38 minutes · Level: Intermediate · Language: en · 2026-04-07 · Mirror Academy
Module D5 of 5 · Track 3D: Privacy-Preserving AI
Compute together. Learn nothing about each other.
Secure Multiparty Computation
SMPC lets multiple parties jointly compute a result on their combined private data without any party seeing the others' inputs. This module covers secret sharing, garbled circuits, oblivious transfer, the SPDZ protocol, private AI inference, and how SMPC fits alongside FHE and differential privacy to complete the privacy-preserving AI toolkit.
Secure multiparty computation (SMPC, sometimes written MPC) lets a group of parties jointly compute a function on their private inputs without any party learning anything about the other parties' inputs beyond what the output itself reveals.
A classic example: three employees want to know whether they all earn above a certain salary threshold, without any of them learning each other's actual salaries. With SMPC, they can compute the answer (yes or no, or even the average salary) while keeping individual salaries completely private from one another.
In AI, SMPC solves a more powerful version of the same problem. Multiple hospitals want to train a diagnostic model on their combined patient data. Multiple banks want to compute a cross-institution fraud signal. Two companies want to find common customers without sharing their full customer lists. SMPC makes all of these possible without any party revealing their raw data.
Two properties must hold simultaneously. Correctness: the output of the protocol is the correct result of the function on the actual inputs. Privacy: each party learns only the output, not any other party's input. In strong versions, privacy holds even if some parties are actively trying to cheat.
🔑
Secret sharing
Split a private value into pieces so no single piece reveals anything, but enough pieces together reconstruct the original. Foundation of arithmetic SMPC protocols.
🔄
Garbled circuits
Evaluate any Boolean circuit jointly with one round of communication. One party encrypts the circuit, the other evaluates it. Neither learns the other's inputs. Introduced by Yao in 1982.
📦
Oblivious transfer
A sender has two messages. A receiver gets exactly one, without the sender learning which one was chosen. The cryptographic primitive that makes garbled circuits and many SMPC protocols possible.
📊
Secure aggregation
Sum multiple parties' values without the aggregator seeing any individual value. The version of SMPC used in federated learning (D4) to protect individual gradient updates.
SMPC and federated learning are not the same thing. Federated learning is a distributed training framework that reduces data movement. SMPC is a cryptographic protocol that provides formal privacy guarantees about what each party learns from the computation. Federated learning can use SMPC (specifically secure aggregation) to strengthen its privacy guarantees, but the two concepts are distinct.
Section 02
Adversary models
Every SMPC protocol is designed to be secure against a specific type of adversary. The adversary model determines how much an attacker can deviate from the protocol and what they can learn. Choosing the wrong model for your deployment scenario can result in a protocol that is theoretically secure but practically broken.
Semi-honest adversary
Also called: honest-but-curious, passive adversary
Follows the protocol steps exactly as written
Tries to learn as much as possible from messages received
Does not deviate, lie, or send modified messages
Easier to protect against: simpler protocols
Appropriate when parties are trusted organisations with legal agreements
Not appropriate if parties may actively cheat
Example: hospital consortium where members are vetted
Malicious adversary
Also called: active adversary
Can deviate from the protocol in any way
Can send false messages, abort early, or replay messages
Can coordinate with other malicious parties
Protocols provide guarantees even against cheating
More expensive: requires authentication and consistency checks
Higher communication and computation overhead
Example: open system where any party can participate
Most production SMPC deployments use semi-honest protocols combined with external trust mechanisms: legal agreements, participant vetting, and audit logging. The SPDZ protocol (Section 08) is one of the few practical protocols that provides security against malicious adversaries with acceptable performance overhead.
Section 03
Secret sharing
Secret sharing is the core building block of most arithmetic SMPC protocols. It allows a secret value to be split into multiple pieces called shares, distributed to different parties, such that no single share reveals anything about the secret, but a sufficient number of shares together can reconstruct it.
Additive secret sharing is the simplest scheme. To share a secret value s among three parties, pick two random values r1 and r2. Set the third share as s minus r1 minus r2. Each party receives one share. Each share looks like a random number. But the sum of all three shares equals the original secret s.
Additive secret sharing: splitting secret = 42 among three parties
Secret value (never revealed)
s = 42
↘↓↗
Share 1
s₁ = 189
Held by Party A
Share 2
s₂ = −211
Held by Party B
Share 3
s₃ = 64
Held by Party C
189 + (−211) + 64 = 42 ✓ | Each individual share is uniformly random and reveals nothing about 42 ✓
Shamir secret sharing (Shamir 1979) is a more flexible approach that uses polynomial interpolation. A degree k-1 polynomial is constructed with the secret as the constant term and random coefficients for higher terms. The n shares are points on this polynomial. Any k of the n shares can reconstruct the polynomial and thus the secret (via Lagrange interpolation). Fewer than k shares reveal nothing about the secret.
Shamir sharing supports a threshold structure: a secret can be reconstructed by any k of the n parties, not just all of them. This is useful when some parties may be unavailable. The parameter k is called the reconstruction threshold. Setting k equal to n gives all-or-nothing reconstruction (all parties must cooperate). Setting k to the majority gives tolerance to a minority of dropouts or malicious parties.
1979 Shamir · How to Share a Secret (Communications of the ACM)
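The threshold scheme described above, as an added example that is not part of the original module: it splits a secret with k = 3 of n = 5 and also shows why two shares alone are compatible with every possible secret. Assumptions: arithmetic is done modulo the prime 2^61 - 1 (the page does not fix a field), and all function names are hypothetical.

```python
import secrets
from itertools import combinations

P = 2**61 - 1  # prime modulus (assumption: the page does not fix a field)


def interpolate_at(points, x0):
    """Lagrange interpolation: value at x0 of the unique polynomial of
    degree < len(points) passing through `points`, computed mod P."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("share indices must be distinct")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def shamir_share(secret, k, n):
    """Return n points on a random degree k-1 polynomial whose constant term is the secret."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):          # x = 0 is never handed out: f(0) is the secret
        y = 0
        for c in reversed(coeffs):     # Horner evaluation
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def shamir_reconstruct(shares):
    """Recover the secret f(0) from at least k shares."""
    return interpolate_at(shares, 0)


def share_consistent_with(partial, candidate, x_new):
    """Given only k-1 shares, compute the share value at x_new under which
    `candidate` would be the secret. One exists for every candidate, which is
    why k-1 shares rule nothing out."""
    return interpolate_at([(0, candidate % P)] + list(partial), x_new)


if __name__ == "__main__":
    shares = shamir_share(42, k=3, n=5)
    for trio in combinations(shares, 3):
        assert shamir_reconstruct(list(trio)) == 42
    two = shares[:2]                    # below the threshold
    forged = (3, share_consistent_with(two, 7, 3))
    print("same two shares, different secret:", shamir_reconstruct(two + [forged]))
```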
Section 04
Addition and multiplication on shares
The power of secret sharing for SMPC comes from the ability to compute on shared values. Two key operations make arbitrary computation possible: addition and multiplication. Addition is free. Multiplication is where the communication cost lives.
Addition of two shared secrets
Party A holds: share of x (call it x_A) and share of y (call it y_A)
x_A + y_A = share of (x+y) held by A
Party B holds: x_B and y_B
x_B + y_B = share of (x+y) held by B
Party C holds: x_C and y_C
x_C + y_C = share of (x+y) held by C
Sum of their new shares = (x_A+x_B+x_C) + (y_A+y_B+y_C) = x + y
Correct result, no communication needed
Free: local operation only
Multiplication of two shared secrets
Multiplying shares locally does NOT give shares of x*y.
x_A * y_A is not a valid share of x*y
Naive approach: reveal x and y, multiply, reshare. Breaks privacy.
SMPC solution: use a precomputed Beaver triple (a, b, c) where c=a*b.
Reveal (x-a) and (y-b). These are masked values that hide x and y.
Compute x*y from the masked values and the triple without revealing x or y.
x*y = c + (x-a)*b + (y-b)*a + (x-a)*(y-b)
Requires: one round of communication
Why this matters for AI. Neural network inference involves matrix multiplications followed by activation functions. Addition is free in SMPC. Multiplication costs one communication round per gate in the arithmetic circuit. Deep networks with many layers require many multiplication rounds. The total communication cost scales with the multiplicative depth of the network, which is why SMPC inference is slower than plaintext inference: you pay one network round trip per layer of multiplications.
Section 05
Garbled circuits
Garbled circuits, introduced by Andrew Yao in 1982, solve the two-party computation problem for any Boolean function. They allow two parties to evaluate a circuit jointly in a single round of communication (after setup) with no information leakage about either party's inputs.
The intuition: instead of computing the circuit on real values, the garbler encrypts the entire circuit. Each wire in the circuit gets two random labels instead of the actual values 0 and 1. The garbler produces an encrypted version of each gate's truth table so that an evaluator who holds the correct input labels can compute the output labels, without ever knowing whether a wire carries a 0 or a 1.
Garbled circuit protocol (Yao 1982)
Garbler (Party A)
Step 1: Assign two random wire labels (k0, k1) to each wire in the circuit.
Step 2: For each gate, encrypt the output label under the two input labels. Permute the rows randomly.
Step 3: Send garbled circuit and own input wire labels to evaluator. (Sent to evaluator)
Step 4: Run OT with evaluator to give them their input wire labels without learning which input they chose. (Via OT protocol)
Garbler → Evaluator: Garbled circuit + A's labels
Garbler ⇄ Evaluator: OT for B's input labels
Evaluator → Garbler: Output (optional)
Evaluator (Party B)
Step 5: Receive garbled circuit and A's input wire labels. Use OT to get own input wire labels.
Step 6: Evaluate gate by gate: try decrypting each row of the garbled gate until one succeeds. That gives the output label.
Step 7: Read final output labels. Decode to get the actual output bits. (Learns: output only)
The evaluator learns only the output wire labels. They cannot distinguish whether a wire carried 0 or 1. The garbler never learns the evaluator's inputs. Privacy holds for both parties.
Garbled circuits are particularly efficient for Boolean functions with a fixed circuit structure and functions where one party's input is much larger than the other's. For arithmetic circuits (addition, multiplication over integers), secret-sharing approaches like SPDZ are typically more efficient.
1982 Yao · Protocols for Secure Computations (FOCS 1982)
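Steps 1 to 7 above on a two-gate circuit, out = (a AND b) OR c, as an added example that is not code from the original module. Assumptions: SHA-256 of the two input labels is used as the row-encryption pad, an all-zero suffix marks a successful decryption, and the evaluator's labels are handed over directly where a real run would use OT; all names are hypothetical.

```python
import hashlib
import secrets

LABEL_LEN = 16              # bytes per wire label
TAG = bytes(LABEL_LEN)      # all-zero suffix: lets the evaluator recognise the right row


def new_wire():
    """Step 1: two random labels per wire; index 0 encodes bit 0, index 1 encodes bit 1."""
    return (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))


def _pad(gate_id, k_left, k_right):
    # 32-byte pad derived from both input labels (assumption: the page names no cipher)
    return hashlib.sha256(gate_id + k_left + k_right).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def garble_gate(gate_id, truth, w_left, w_right, w_out):
    """Step 2: encrypt each output label under its pair of input labels, then shuffle."""
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            plain = w_out[truth(a, b)] + TAG
            rows.append(_xor(_pad(gate_id, w_left[a], w_right[b]), plain))
    secrets.SystemRandom().shuffle(rows)   # row order must not reveal the inputs
    return rows


def eval_gate(gate_id, rows, k_left, k_right):
    """Step 6: try every row; exactly one decrypts to a label followed by TAG."""
    pad = _pad(gate_id, k_left, k_right)
    hits = [p[:LABEL_LEN] for p in (_xor(pad, r) for r in rows) if p[LABEL_LEN:] == TAG]
    if len(hits) != 1:
        raise ValueError("no row decrypted: labels do not belong to this gate")
    return hits[0]


def garble_circuit():
    """Garbler side for out = (a AND b) OR c."""
    w = {name: new_wire() for name in ("a", "b", "c", "t", "out")}
    gates = {
        b"g1": garble_gate(b"g1", lambda x, y: x & y, w["a"], w["b"], w["t"]),
        b"g2": garble_gate(b"g2", lambda x, y: x | y, w["t"], w["c"], w["out"]),
    }
    decode = {w["out"][0]: 0, w["out"][1]: 1}   # output decoding table
    return w, gates, decode


def run(a_bit, b_bit, c_bit):
    """a is the garbler's input; b and c are the evaluator's inputs."""
    w, gates, decode = garble_circuit()
    k_a = w["a"][a_bit]                          # step 3: garbler's own input label
    k_b, k_c = w["b"][b_bit], w["c"][c_bit]      # step 4: delivered by OT in a real run
    k_t = eval_gate(b"g1", gates[b"g1"], k_a, k_b)     # the evaluator sees labels only,
    k_out = eval_gate(b"g2", gates[b"g2"], k_t, k_c)   # never the bits they encode
    return decode[k_out]                         # step 7


if __name__ == "__main__":
    for bits in [(0, 1, 0), (1, 1, 0), (0, 0, 1)]:
        print(bits, "->", run(*bits))
```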
Section 06
Oblivious transfer
Oblivious transfer (OT) is a two-party protocol where a sender holds two messages and a receiver wants exactly one of them. After the protocol, the receiver gets their chosen message, the sender does not learn which message was chosen, and the receiver does not learn the other message. It is a primitive so fundamental that it is called a "complete" primitive for SMPC: any secure two-party computation can be built from OT alone.
1-out-of-2 oblivious transfer (1-of-2 OT)
Sender
Holds: m₀ (message 0)
Holds: m₁ (message 1)
Does NOT learn: b
Does NOT get: anything back
Sender → Receiver: Encrypted m₀ and m₁
Receiver → Sender: Selection commitment (hides b)
Sender → Receiver: m_b decryption key
Receiver
Holds: private choice bit b
Receives: m_b (the chosen message)
Does NOT get: m_(1−b)
Does NOT reveal: b to sender
Guarantee: Sender learns nothing about b. Receiver learns only m_b and nothing about m_(1−b).
OT is used in garbled circuit protocols to give the evaluator their input wire labels without the garbler learning which input was chosen. For each input bit, one OT is run: the garbler is the sender (holding the two possible wire labels for that bit), and the evaluator is the receiver (choosing the label corresponding to their actual input bit).
OT extension (Ishai, Kilian, Nissim, Petrank 2003) makes OT efficient at scale. Running n independent OTs using public-key cryptography is expensive. OT extension uses a small number of public-key OTs (typically 128) to bootstrap millions of cheap symmetric-key OTs. This is what makes garbled circuits and SMPC protocols practical for large inputs like model weights.
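A single 1-of-2 OT delivering a wire label, as an added example that is not code from the original module. It follows the classic Diffie-Hellman construction of Bellare and Micali, whose message flow differs from the figure above, and it is secure only against a semi-honest receiver. Assumptions: the modulus 2^127 - 1 and base 3 are toy parameters that are not a secure group, and all function names are hypothetical.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime); NOT a secure group, demo only
G = 3            # toy base


def _pad(point, length):
    """Derive a one-time pad of `length` bytes from a group element."""
    return hashlib.shake_256(point.to_bytes(16, "big")).digest(length)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def sender_setup():
    """Sender publishes a random element C; the receiver must not know log_G(C)."""
    return pow(G, 1 + secrets.randbelow(P - 2), P)


def receiver_choose(c, b):
    """Receiver builds two public keys with PK_0 * PK_1 = C and knows the private
    key k for PK_b only. Only PK_0 is sent, and it is a random-looking group
    element whichever bit was chosen."""
    k = 1 + secrets.randbelow(P - 2)
    pk_b = pow(G, k, P)
    pk_other = c * pow(pk_b, -1, P) % P
    pk0 = pk_b if b == 0 else pk_other
    return pk0, k            # pk0 goes to the sender, k stays private


def sender_transfer(c, pk0, m0, m1):
    """Sender derives PK_1 = C / PK_0 and encrypts m_i under PK_i (hashed ElGamal)."""
    pk1 = c * pow(pk0, -1, P) % P
    out = []
    for pk, m in ((pk0, m0), (pk1, m1)):
        r = 1 + secrets.randbelow(P - 2)
        out.append((pow(G, r, P), _xor(m, _pad(pow(pk, r, P), len(m)))))
    return out


def receiver_open(ciphertexts, b, k):
    """Receiver can remove the pad only from the ciphertext under the key it owns."""
    eph, body = ciphertexts[b]
    return _xor(body, _pad(pow(eph, k, P), len(body)))


def transfer(m0, m1, b):
    """Run the three messages end to end and return what the receiver learns."""
    c = sender_setup()
    pk0, k = receiver_choose(c, b)
    return receiver_open(sender_transfer(c, pk0, m0, m1), b, k)


if __name__ == "__main__":
    label0, label1 = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed wire labels
    assert transfer(label0, label1, 0) == label0
    assert transfer(label0, label1, 1) == label1
    print("receiver obtained exactly the label for its input bit")
```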
Section 07
Beaver triples
Beaver triples (introduced by Donald Beaver in 1992) are the standard technique for handling multiplication in secret-sharing SMPC protocols. They split multiplication into two phases: an expensive offline phase that generates random triples, and a cheap online phase that uses those triples to compute the actual product.
Beaver triple multiplication protocol
Parties want to compute shares of x * y without revealing x or y
⏰ Offline phase (precomputation)
Generate random values a and b (secret-shared across parties)
a, b chosen uniformly at random
Compute c = a * b using an expensive protocol (FHE or OT-based)
c = a * b (computed once, before any inputs are known)
Store triple (a, b, c) as shares across all parties. This triple is data-independent.
Each party holds: [a]_i, [b]_i, [c]_i
⚡ Online phase (fast computation)
To compute x * y: reveal masked values (x - a) and (y - b) to all parties
e = x - a, f = y - b (masked, reveal without privacy loss)
Compute shares of x*y locally using the revealed masks and the triple
x*y = c + e*[b] + f*[a] + e*f
Result: parties hold valid shares of x*y without ever seeing x or y
One round of communication, symmetric operations only
The critical insight: (x minus a) and (y minus b) are safe to reveal. Because a and b are uniformly random, the masked values look uniformly random too. An observer who sees (x minus a) learns nothing about x. But the parties can still use this masked value together with the precomputed triple to get the correct result.
This offline/online separation is what makes protocols like SPDZ fast in practice. The expensive part (generating triples) is done when inputs are unknown and servers are idle. The online phase, which runs on actual sensitive data, uses only cheap local operations and one round of communication per multiplication.
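Additive sharing, free addition and Beaver-triple multiplication from Sections 03 and 04 and the protocol above, as an added example that is not code from the original module. It goes one step further than the text by chaining multiplications into a private dot product, the building block of a linear layer. Assumptions: shares live modulo the prime 2^61 - 1, a trusted dealer stands in for the FHE or OT-based offline phase, and all function names are hypothetical.

```python
import secrets

P = 2**61 - 1  # prime modulus (assumption: the page's figure uses plain integers)


def share(value, n=3):
    """Additive sharing: n-1 uniformly random shares plus one that fixes the sum."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(value - sum(parts)) % P]


def reveal(shares):
    return sum(shares) % P


def add(xs, ys):
    """Addition is local: party i adds its own two shares, no messages needed."""
    return [(x + y) % P for x, y in zip(xs, ys)]


def local_product(xs, ys):
    """The tempting shortcut: x_i * y_i drops every cross term x_i * y_j, so the
    result is NOT a sharing of x * y."""
    return [x * y % P for x, y in zip(xs, ys)]


def deal_triple(n=3):
    """Offline phase stand-in: a trusted dealer shares random a, b and c = a * b."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a, n), share(b, n), share(a * b % P, n)


def beaver_mul(xs, ys, triple):
    """Online phase: one broadcast round opens e = x - a and f = y - b, then each
    party computes its share of x*y = c + e*b + f*a + e*f locally."""
    a_sh, b_sh, c_sh = triple
    e = reveal([(x - a) % P for x, a in zip(xs, a_sh)])   # public, masked by random a
    f = reveal([(y - b) % P for y, b in zip(ys, b_sh)])   # public, masked by random b
    zs = [(c + e * b + f * a) % P for a, b, c in zip(a_sh, b_sh, c_sh)]
    zs[0] = (zs[0] + e * f) % P       # the public term e*f is added by one party only
    return zs


def private_dot(w_shares, x_shares, triples):
    """Shares of sum_i w_i * x_i. Each multiplication consumes a fresh triple:
    reusing a would publish x - a and x' - a, whose difference leaks x - x'."""
    acc = [0] * len(w_shares[0])
    for ws, xs in zip(w_shares, x_shares):
        acc = add(acc, beaver_mul(ws, xs, triples.pop()))
    return acc


if __name__ == "__main__":
    x, y = share(42), share(7)
    print("x + y =", reveal(add(x, y)))
    print("x * y =", reveal(beaver_mul(x, y, deal_triple())))
    page_x = [189, -211, 64]          # the page's shares of 42
    made_y = [5, 10, -8]              # constructed shares of 7
    print("naive local product reveals", reveal(local_product(page_x, made_y)), "not 294")
    weights, inputs = [2, 3, 5], [7, 11, 13]
    triples = [deal_triple() for _ in weights]
    dot = private_dot([share(w) for w in weights], [share(v) for v in inputs], triples)
    print("w . x =", reveal(dot))
```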
Section 08
The SPDZ protocol
SPDZ (pronounced "Speedz") is the most widely used practical SMPC protocol for arithmetic circuits. It was introduced by Damgård, Pastro, Smart, and Zakarias in 2012. Its key advantage is that it provides security against malicious adversaries, not just semi-honest ones, while keeping the online phase fast.
SPDZ extends Beaver triples with authentication. Each secret-shared value also carries a message authentication code (MAC) that lets parties verify that no one has tampered with their shares during the computation. If any party tries to send incorrect shares (as a malicious adversary would), the MAC check fails and the protocol aborts before any sensitive output is revealed.
Offline phase (preprocessing)
Generate Beaver triples using FHE or OT. This is the expensive part.
Generate authenticated shares: each value [x] carries a MAC tag [alpha*x] where alpha is a global secret key
Distribute precomputed material to all parties. No actual input data needed at this stage.
Can run during idle time, ahead of knowing what will be computed
Cost: public-key cryptography or OT-based. Run once per set of triples.
Online phase (computation)
Input values are secret-shared and authenticated using offline material
Addition is free: local share addition, MAC tags add correctly
Multiplication uses Beaver triples. One round of communication per multiplication gate.
Output: MAC verification before revealing any result. Cheating detected before output.
Cost: symmetric cryptography only. Very fast compared to offline phase.
SPDZ in practice. The offline phase dominates the total cost. Modern implementations pre-generate large batches of triples, amortising the public-key cryptography cost over many online computations. For AI inference, a SPDZ server can precompute all triples needed for a specific model architecture before any user queries arrive, then answer queries using only the fast online phase. The MP-SPDZ library implements many variants of SPDZ and related protocols.
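The MAC idea behind SPDZ in miniature, as an added example that is not code from the original module or from MP-SPDZ: every value is shared together with shares of alpha*x, linear operations keep the tags consistent, and an altered share is caught when the value is opened. Assumptions: a trusted dealer replaces the offline phase, the commitment round and batched check of real SPDZ are omitted, arithmetic is modulo 2^61 - 1, and all names are hypothetical.

```python
import secrets

P = 2**61 - 1  # prime modulus (assumption)


class MacCheckFailed(Exception):
    """Raised when an opened value does not match its MAC tag: abort, reveal nothing."""


def share(value, n):
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(value - sum(parts)) % P]


def offline_setup(n):
    """Dealer stand-in: pick the global MAC key alpha (nonzero) and share it.
    No single party ever holds alpha itself."""
    alpha = 1 + secrets.randbelow(P - 1)
    return alpha, share(alpha, n)


def authenticate(x, alpha, n):
    """Authenticated sharing [x]: shares of x plus shares of the tag alpha * x."""
    return share(x % P, n), share(alpha * x % P, n)


def auth_add(X, Y):
    """Local addition: value shares and tag shares add componentwise, and the
    result is a valid authenticated sharing of x + y."""
    return tuple([(a + b) % P for a, b in zip(u, v)] for u, v in zip(X, Y))


def auth_scale(X, k):
    """Multiply by a public constant k: scale value shares and tag shares alike."""
    return tuple([k * s % P for s in part] for part in X)


def open_checked(X, alpha_shares, tamper=None):
    """Open [x] and verify its tag. `tamper=(party, delta)` simulates a party that
    broadcasts share + delta instead of its real share."""
    vals, macs = X
    broadcast = list(vals)
    if tamper is not None:
        party, delta = tamper
        broadcast[party] = (broadcast[party] + delta) % P
    opened = sum(broadcast) % P
    # Party i computes sigma_i = mac_i - alpha_i * opened. For an honest opening
    # the sigmas sum to alpha*x - alpha*x = 0. After tampering they sum to
    # -alpha*delta, which the cheater cannot cancel without knowing alpha.
    sigmas = [(m - a * opened) % P for m, a in zip(macs, alpha_shares)]
    if sum(sigmas) % P != 0:
        raise MacCheckFailed("MAC check failed: abort before revealing output")
    return opened


if __name__ == "__main__":
    n = 3
    alpha, alpha_shares = offline_setup(n)
    X, Y = authenticate(20, alpha, n), authenticate(22, alpha, n)
    Z = auth_add(auth_scale(X, 2), Y)           # 2*20 + 22
    print("honest opening:", open_checked(Z, alpha_shares))
    try:
        open_checked(Z, alpha_shares, tamper=(1, 5))
    except MacCheckFailed as err:
        print("tampered opening:", err)
```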
Section 09
Private set intersection
Private set intersection (PSI) is one of the most practically deployed applications of SMPC. It lets two parties find the common elements in their respective datasets without either party learning anything about elements that are not in the intersection.
This matters in many AI contexts. Two hospitals want to identify patients who appear in both their databases to share outcomes data for research, without either hospital learning which patients the other has that are not in common. Two companies want to find shared customers for a joint marketing analysis without exposing their full customer lists to each other. A bank and a retailer want to compute a cross-entity fraud signal on shared accounts without sharing all account data.
Hospital A's patients
Patient ID: 1042
Patient ID: 2891
Patient ID: 3307
Patient ID: 4112
Patient ID: 5499
PSI Protocol
Intersection: 1042, 3307
Neither learns the other's non-matching IDs
Hospital B's patients
Patient ID: 0781
Patient ID: 1042
Patient ID: 2200
Patient ID: 3307
Patient ID: 6645
PSI protocols are efficient enough for very large datasets. Modern PSI based on cuckoo hashing and OT extension can handle tens of millions of records from each party in seconds. Google's private join and compute system, used in their advertising measurement infrastructure, performs PSI on encrypted identifiers to measure ad effectiveness without either party sharing their full user databases.
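The two-hospital figure above run through a Diffie-Hellman style PSI, as an added example that is not code from the original module or from any named system. It uses the older commutative-exponentiation construction rather than the cuckoo-hashing and OT-extension protocols just mentioned, and is semi-honest only. Assumptions: the modulus 2^127 - 1 is a toy parameter that is not a secure group, and all function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

P = 2**127 - 1   # toy modulus (a Mersenne prime); NOT a secure group, demo only


def keygen():
    """Secret exponent coprime to P-1, so x -> x^k is a permutation of the group
    and two different hashed items can never collide after blinding."""
    while True:
        k = 2 + secrets.randbelow(P - 3)
        if gcd(k, P - 1) == 1:
            return k


def hash_to_group(item):
    h = int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % P
    return h or 1


def blind(items, key):
    """H(item)^key, in the caller's own order. Hashing alone would not protect
    short identifiers such as patient IDs, since they can be enumerated; the
    secret exponent is what hides them."""
    return [pow(hash_to_group(i), key, P) for i in items]


def reblind(points, key):
    """Raise already-blinded points to a second key, preserving their order."""
    return [pow(p, key, P) for p in points]


def psi(a_items, b_items):
    """Party A learns the intersection; B learns only how many items A holds."""
    a_key, b_key = keygen(), keygen()

    msg1 = blind(a_items, a_key)                 # A -> B : H(x)^a, in A's order
    msg2 = reblind(msg1, b_key)                  # B -> A : H(x)^(ab), same order
    msg3 = blind(b_items, b_key)                 # B -> A : H(y)^b ...
    secrets.SystemRandom().shuffle(msg3)         # ... shuffled so position leaks nothing

    b_double = set(reblind(msg3, a_key))         # A computes H(y)^(ba)
    # Exponentiation commutes, so H(x)^(ab) == H(y)^(ba) exactly when x == y.
    return sorted(x for x, p in zip(a_items, msg2) if p in b_double)


if __name__ == "__main__":
    hospital_a = ["1042", "2891", "3307", "4112", "5499"]   # IDs from the page's figure
    hospital_b = ["0781", "1042", "2200", "3307", "6645"]
    print("intersection:", psi(hospital_a, hospital_b))
```

Set sizes are still visible to both sides in this construction, which matters when the size of a patient list is itself sensitive.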
Mirror Security · VectaX
SMPC for shared queries. VectaX for encrypted retrieval.
When multiple organisations run PSI or other SMPC protocols to identify shared data, the result is often used as input to a joint AI system. VectaX secures the retrieval layer: the vector embeddings used to query a shared RAG knowledge base are encrypted, so no organisation sees the plaintext queries or documents from the others. SMPC and VectaX address different parts of the same multi-party privacy problem.
Section 10
Private AI inference
Private AI inference using SMPC lets a client query a model without the model provider learning the query, and without the client learning the model weights. Both are simultaneously private. This is useful when the query contains sensitive patient data, and the model is a proprietary commercial asset the provider does not want to expose.
The computation is split: the client secret-shares their input, the model provider holds secret shares of the model weights, and both parties run SMPC to evaluate the neural network on the shared values. Neither party needs to reveal their share to the other at any point. The output is revealed only to the authorised party at the end.
Performance reality: Private inference with SMPC is significantly slower than plaintext inference. A ResNet-50 inference that takes 1 millisecond in plaintext may take several hundred milliseconds over SMPC, depending on the number of parties, network latency, and the protocol used. This overhead is narrowing as hardware and protocol efficiency improve, but it remains the main barrier to production adoption for deep networks.
For simpler models, such as linear classifiers, logistic regression, and shallow neural networks, SMPC inference is already practical with latency in the range of a few milliseconds. The VectaX benchmarks from D2 (retrieval p95 under 8ms) show that even for vector search, encryption overhead can be kept production-viable with the right engineering.
Activation functions are expensive in SMPC. ReLU, sigmoid, and other non-linear activation functions are not native to arithmetic circuits. They require comparison operations which need Boolean circuit evaluation (garbled circuits or OT-based protocols), adding significant overhead per activation layer. Research into SMPC-friendly activation functions (like square activations) and layered protocol approaches is an active area.
Section 11
FHE vs SMPC
FHE and SMPC both provide encryption in use, but they solve different variants of the problem. Choosing between them depends on your trust model, the number of parties, and the performance requirements of your application.
| Dimension | FHE | SMPC | Better for |
| --- | --- | --- | --- |
| Number of parties | One party holds encrypted data. One server computes. | Multiple parties jointly compute. All must participate. | FHE for 1 party; SMPC for n parties |
| Trust model | Server does not see data. Client holds keys. Server is honest-but-curious. | No single party needs to be trusted. Distributed trust among all parties. | SMPC for zero-trust multi-party |
| Communication | Client sends encrypted data once. Server computes offline. | Multiple rounds of communication between parties during computation. | FHE for low-latency |
| Arithmetic performance | CKKS: practical for ML with approximation. BFV: exact but slower. | SPDZ: fast online phase after offline preprocessing. Addition is free. | Comparable for many ML tasks |
| Malicious security | Harder to achieve without active checking protocols. | SPDZ provides malicious security with MAC-based authentication. | SMPC for malicious adversaries |
| Encrypted vector search | VectaX uses similarity-preserving FHE for single-party encrypted RAG. | Could extend to multi-party joint queries using PSI + SMPC aggregation. | FHE for single-party RAG |
| Best for | Client sends private query to server holding a model. Encrypted inference. Encrypted RAG retrieval. | Multiple hospitals training a model jointly. PSI for shared customer analysis. Cross-org analytics. | FHE: single-party; SMPC: multi-party |
FHE and SMPC can be combined. The SPDZ offline phase uses FHE to generate multiplication triples efficiently. Federated learning uses SMPC-style secure aggregation on top of gradient noise (DP-FedAvg). Many production systems layer both techniques. VectaX uses FHE-based Similarity-Preserving Search. If a multi-party consortium needed to jointly query the VectaX-protected knowledge base, PSI and SMPC would handle the coordination layer while VectaX handles the retrieval layer.
Section 12
Production applications
SMPC has moved from theoretical research to production deployment in several industries where multi-party computation on sensitive data is a regulatory or competitive requirement.
🏥
Clinical trial analytics
Multiple pharmaceutical companies jointly analyse trial outcomes across their separate patient cohorts without pooling raw patient data. SMPC computes aggregate statistics on the shared population.
Healthcare · PSI + aggregation
🏭
Cross-bank fraud detection
Banks compute joint fraud scores on shared account identifiers without revealing individual transaction records to other banks. Each bank inputs their local fraud signal; SMPC outputs a combined risk score.
Finance · Secure aggregation
📱
Advertising attribution
Google's Private Join and Compute performs PSI between advertiser purchase records and publisher impression logs to measure ad conversion without either party learning the other's full dataset.
AdTech · PSI
🧬
Genomics research
Research institutions run genome-wide association studies (GWAS) across multiple hospitals' patient DNA databases using SMPC. Patients at each institution have no data exposed to other institutions.
Genomics · Multi-party analytics
🤖
Private model inference
Healthcare providers run inference on proprietary diagnostic models without exposing patient data to the model host. The model provider does not learn the patient record; the querier does not learn the model weights.
AI inference · CrypTen / SPDZ
💰
Financial benchmarking
Banks participate in industry benchmarking (loan default rates, liquidity ratios) using secure aggregation. The industry body receives aggregate statistics without seeing any individual bank's data.
Finance · Secure aggregation
Section 13
Frameworks
Several mature frameworks implement SMPC for machine learning. They differ in their protocol support, ML framework integration, and target use case.
CrypTen
Meta AI · Python / PyTorch
SMPC framework built on top of PyTorch. Provides a PyTorch-like API where you can run standard model training and inference code with privacy. Uses additive secret sharing and Beaver triples internally. Supports semi-honest security. Designed so ML engineers can add SMPC without learning MPC theory.
PyTorch API · Semi-honest · Inference + training
TF Encrypted
Cape Privacy · Python / TensorFlow
SMPC for TensorFlow. Wraps TensorFlow operations with secret-sharing based protocols. Supports the ABY3 protocol (three-party computation with malicious security) as well as semi-honest Pond protocol. Used in private prediction services and federated learning with SMPC aggregation.
TensorFlow · ABY3 / Pond · 3-party
MP-SPDZ
Alan Turing Institute · C++ / Python interface
Research-grade SMPC framework implementing over 30 different MPC protocols including many SPDZ variants, semi-honest and malicious security, different numbers of parties, and different corruption thresholds. The most complete protocol library available. Used for benchmarking and in production systems that need protocol flexibility.
30+ protocols · Research + production · SPDZ variants
PySyft
OpenMined · Python
Privacy-preserving ML framework combining SMPC, differential privacy, and federated learning. Designed to make private AI accessible to ML engineers. Uses additive secret sharing and supports integration with PyTorch and TensorFlow. Good for experimenting with the full privacy-preserving AI stack that Track 3D covers.
FL + DP + SMPC · Educational · Full stack
Section 14
Track 3D complete: putting it all together
These five modules form a complete toolkit for privacy-preserving AI. Each technique addresses a different part of the attack surface identified in D1. Together they cover the full span from protecting individual training records to securing multi-organisation collaborative computation.
D1
Why AI Privacy Differs
Membership inference, model inversion, attribute inference, property inference. Why traditional controls fail. This is the attack surface everything else in this track defends.
The problem
D2
FHE Deep Dive
Searchable encryption, PHE, SHE, FHE, CKKS, bootstrapping. Encryption in use for vector databases. Protects the inference and retrieval pipeline. VectaX implements this.
Inference pipeline
D3
Differential Privacy
Epsilon, Laplace and Gaussian mechanisms, sensitivity, DP-SGD, privacy budget composition. Protects individual training records. Directly reduces membership inference attack success from D1.
Model training
D4
Federated Learning
FedAvg, cross-silo deployment, poisoning attacks, gradient inversion, Byzantine fault tolerance, secure aggregation, DP-FedAvg. Enables multi-organisation training without sharing raw data.
In a typical production AI system, these techniques layer rather than replace each other. Federated learning with DP-FedAvg and secure aggregation trains the model across organisations. The trained model is deployed with VectaX-protected encrypted vector search for the retrieval layer. SMPC handles cross-organisation queries where multiple parties need to jointly interrogate the system. Differential privacy bounds what the model's outputs reveal about any individual training record.
No single technique covers everything. The practitioner's job is to understand which part of the attack surface each technique addresses and combine them appropriately for the threat model of the specific deployment.
🎉
Track 3D: Privacy-Preserving AI · Complete
You have finished Track 3D
You now have a working understanding of the five core privacy-preserving AI techniques: what problems each solves, how the cryptography works, where the tradeoffs lie, and how to combine them for different deployment scenarios.
Section 15
Frequently asked questions
What is secure multiparty computation (SMPC)?
Secure multiparty computation allows multiple parties to jointly compute a function on their private inputs such that each party learns only the output and nothing about the other parties' inputs. For example, two hospitals can compute the average age of their combined patient populations without either hospital learning any individual patient's age from the other's records. The protocol guarantees both correctness (the output is right) and privacy (inputs stay private).
What is secret sharing and how does it work?
Secret sharing splits a private value into pieces called shares such that no single share reveals anything about the secret, but a sufficient number together can reconstruct it. In additive secret sharing, the secret s is split into n shares that sum to s, with each share looking uniformly random. Addition of two shared secrets is free: each party adds their shares locally. Multiplication requires one communication round using Beaver triples. Shamir secret sharing uses polynomial interpolation: any k of n shares reconstruct the polynomial and thus the secret, while fewer than k shares reveal nothing.
What are garbled circuits and how do they enable private computation?
Garbled circuits, introduced by Yao in 1982, let two parties jointly evaluate any Boolean circuit in a single round of communication. The garbler encrypts the circuit by assigning random labels to wires and encrypting each gate's output labels under appropriate input label combinations. The evaluator uses oblivious transfer to obtain their input wire labels without the garbler learning which inputs they chose, then evaluates the circuit gate by gate. The evaluator learns only the output labels. Neither party learns the other's inputs.
What is the SPDZ protocol?
SPDZ (pronounced Speedz) is an SMPC protocol for arithmetic circuits that provides security against malicious adversaries. It splits into two phases. The offline phase precomputes random authenticated Beaver triples using FHE or OT. These are data-independent and computed before inputs are known. The online phase uses the triples to evaluate arithmetic circuits at high speed with MAC-based authentication. If any party sends incorrect shares, the MAC check fails and the protocol aborts before revealing any output. This provides malicious security without requiring all parties to be honest.
When should I use SMPC instead of FHE?
Use SMPC when multiple mutually distrusting parties need to jointly compute a result and all parties must participate, you need security where no single party holds all the encrypted data, or you need private set intersection. Use FHE when one party holds sensitive data and wants a server to compute on it without learning the data, or you need encrypted search and retrieval for a single party's inference pipeline. VectaX uses FHE-based Similarity-Preserving Search for single-party encrypted vector search. SMPC complements VectaX when multiple organisations need to jointly query a shared knowledge base.
What is private set intersection (PSI)?
Private set intersection lets two parties find the elements they have in common in their respective datasets without either party learning anything about elements in the other party's dataset that are not in the intersection. For example, two hospitals can identify shared patients without revealing the rest of their patient lists to each other. Modern PSI protocols based on cuckoo hashing and OT extension can handle tens of millions of records per party in seconds. Google uses PSI in their Private Join and Compute system for advertising attribution across publisher and advertiser datasets.
Mirror Security · VectaX
From SMPC theory to production encrypted inference.
Track 3D gave you the full privacy-preserving AI toolkit. VectaX puts the FHE layer into production: similarity-preserving encrypted vector search, role-based access control, and format-preserving encryption for metadata. The same principles behind SMPC's multi-party privacy, applied to the single-party encrypted RAG pipeline your team can deploy today.