Privacy-Preserving Set Intersection Protocol Based on SM2 Oblivious Transfer

Abstract

Private Set Intersection (PSI) is a fundamental cryptographic primitive in privacy-preserving computation and has been widely applied in federated learning, secure data sharing, and privacy-aware data analytics. However, most existing PSI protocols rely on RSA or standard elliptic curve cryptography, which limits their applicability in scenarios requiring domestic cryptographic standards and often leads to high computational and communication overhead when processing large-scale datasets. In this paper, we propose a novel PSI protocol based on the Chinese commercial cryptographic standard SM2, referred to as SM2-OT-PSI. The proposed scheme constructs an oblivious transfer-based Oblivious Pseudorandom Function (OPRF) using SM2 public-key cryptography and the SM3 hash function, enabling efficient multi-point OPRF evaluation under the semi-honest adversary model. A formal security analysis demonstrates that the protocol satisfies privacy and correctness guarantees assuming the hardness of the Elliptic Curve Discrete Logarithm Problem. To further improve practical performance, we design a software–hardware co-design architecture that offloads SM2 scalar multiplication and SM3 hashing operations to a domestic reconfigurable cryptographic accelerator (RSP S20G). Experimental results show that, for datasets with up to millions of elements, the presented protocol significantly outperforms several representative PSI schemes in terms of execution time and communication efficiency, especially in medium and high-bandwidth network environments. The proposed SM2-OT-PSI protocol provides a practical and efficient solution for large-scale privacy-preserving set intersection under national cryptographic standards, making it suitable for deployment in real-world secure computing systems.

1. Introduction

With the accelerating pace of global digitalization, the issue of privacy information leakage has become increasingly prominent, ultimately emerging as a significant impediment to the healthy development of the digital economy. Privacy-preserving computation [1] has garnered substantial attention from both academia and industry. It refers to a suite of technologies that enable analytical computation without exposing the underlying data, thus achieving the goal of making the data “available but invisible” and facilitating the secure release of the value of the data. Owing to its considerable security advantages, privacy-preserving computation has increasingly become a central focus in both research and practical applications. Among the various paradigms of privacy-preserving computation protocols, the Private Set Intersection (PSI) protocol occupies a pivotal role. Through carefully designed cryptographic mechanisms, PSI ensures that participating parties obtain only the intersection of their respective input sets while preventing the disclosure of any additional information, thus effectively safeguarding the privacy rights of data owners. By integrating data utility with robust security guarantees, PSI enables secure information sharing without compromising privacy. To address the national need for localized, verifiable, and controllable information security, it is crucial to develop PSI protocols based on a national cryptographic system. This will help establish an autonomous and controllable technical ecosystem. This approach also has broad practical significance and promising application prospects. It has important practical value for promoting the compliant circulation and release of value of data elements.

In recent years, research on two-party PSI protocols has evolved into a field where theoretical innovation and engineering practice advance in tandem. To meet the performance requirements of practical applications, researchers have proposed a wide range of technical approaches and construction frameworks. As a fundamental component of many privacy-preserving computation workflows, PSI protocols play an indispensable role. For example, before performing Vertical Federated Learning (VFL) [2,3], PSI is used to align samples between participating parties; similarly, prior to index-based secure query execution, PSI commonly enables the secure acquisition of index data. Moreover, PSI has been independently applied in real-world scenarios such as remote diagnosis [4], record linkage [5], and online advertising effectiveness measurement [6], demonstrating its broad applicability and practical significance. Despite substantial research progress and early application successes, existing PSI protocols still encounter critical bottlenecks that hinder practical deployment. In particular, mainstream cryptographic systems adopted by these protocols, such as RSA and AES, exhibit well-documented algorithmic vulnerabilities, which introduce risks of cryptanalysis and potential privacy leakage.

To address these challenges, we propose the first PSI protocol fully based on the SM2 [7] elliptic curve cryptography (ECC) standard, thereby filling a critical research gap in the application of Secure Multi-Party Computation (SMPC) within Chinese national cryptographic ecosystem. Although SM2 is less widely adopted than NIST curves in Western cryptographic literature, it serves as a mandatory standard for China’s critical information infrastructure; anchored by the SM2 public-key cryptographic algorithm and the SM3 hash algorithm [8], the Chinese national cryptographic system boasts notable advantages in security, independent controllability and efficiency, acting as a robust alternative to internationally prevalent but potentially compromised algorithms like RSA. This study further establishes a foundational theoretical framework for privacy-preserving protocols under this regulatory regime, analogous to the role that Curve25519 plays in non-standardized high-performance cryptographic applications. Built on SM2 oblivious transfer (SM2-OT-PSI), the proposed protocol introduces an oblivious transfer extension mechanism tailored to PSI scenarios and constructs a multi-point Oblivious Pseudorandom Function (OPRF), enabling an efficient Private Set Intersection under the semi-honest adversary model. Through formal security analysis, we formally establish the security and correctness of the protocol under the Elliptic Curve Discrete Logarithm Problem (ECDLP) assumption.

At the engineering implementation level, this paper introduces a software–hardware co-design acceleration architecture combined with a domestically developed reconfigurable cryptographic security chip. Computationally intensive operations, such as SM2 point multiplication and SM3 hashing, are offloaded to hardware for execution, thereby reducing protocol runtime and system load. Experimental results demonstrate that under million-scale dataset sizes and medium-to-high bandwidth network environments, the proposed SM2-OT-PSI protocol outperforms representative PSI schemes in terms of runtime efficiency and scalability, demonstrating substantial practical engineering value. The main contributions of this paper can be summarized as follows:

• A PSI protocol fully built on Chinese national cryptographic SM2 and SM3 algorithms is presented, satisfying cryptographic compliance requirements for indepen- dent controllability.
• SM2-based oblivious transfer and multi-point OPRF constructions are developed to support an efficient PSI computation workflow.
• The protocol’s practical performance under large-scale datasets is substantially improved through a software–hardware co-design acceleration architecture, and its effectiveness is validated through experimental evaluation.

2. Related Work

To meet the requirements of diverse practical scenarios, current PSI protocols can be classified into two-party PSI protocols and multi-party PSI protocols, according to the number of participating entities. Two-party PSI, which involves exactly two participants, represents the canonical PSI scenario, and this section therefore focuses on related research in this category. PSI is a representative SMPC problem. However, due to the inherent computational complexity of PSI, directly applying generalMPC protocols leads to inefficient or sub-optimal performance. Consequently, both academia and industry have developed a variety of specialized PSI protocols. The core cryptographic primitives underlying existing PSI protocols can be broadly categorized into the following types: Garbled Circuits (GC) [9,10,11,12], Public Key Encryption (PKE) [13,14,15,16,17], Oblivious Transfer (OT) [18,19,20,21,22,23,24,25,26], and PSI schemes incorporating hardware-optimized designs [14,17,23]. GC-based PSI protocols follow the design philosophy of general MPC, constructing PSI schemes using techniques such as Yao’s Garbled Circuits [27] or GMW circuits [28], and subsequently optimizing them for practical deployment. In contrast, OT-based PSI protocols typically achieve significantly better performance. Specifically, OT-based PSI incurs lower computational overhead but generally requires higher communication bandwidth.

However, simply classifying PSI protocols according to their underlying cryptographic primitives does not adequately capture their core design principles or application scenarios. Two-party PSI involves two mutually distrustful participants holding datasets X and Y, who seek to compute the intersection $X\cap Y$ while preserving the confidentiality of the elements in their respective input sets. Meadows et al. [13] first proposed a two-party PSI protocol based on the Elliptic Curve Diffie–Hellman (ECDH) key exchange, which relies on the hardness of the Elliptic Curve Discrete Logarithm Problem. This protocol enables privacy-preserving verification of set overlap without revealing either party’s input. Nevertheless, when processing large-scale datasets, this scheme encounters significant computational bottlenecks due to the large number of elliptic curve point multiplications required, which limits its suitability for high-performance applications. To overcome this bottleneck, Wu et al. [14] proposed an optimized variant of the ECDH-based PSI protocol, referred to as DH-IPP PSI. This scheme introduces extensive optimizations to elliptic curve operations using the Intel Integrated Performance Primitives Cryptography (IPP-Crypto), achieving high compatibility and efficiency on Intel Central Processing Unit (CPU) architectures. Systematic testing on an Intel Xeon Platinum 8369B processor (2.70 GHz) demonstrated substantial improvements in computational efficiency. In this paper, we design a PSI protocol based on the SM2 elliptic curve cryptographic standard. Although SM2 is less widely adopted than NIST curves in Western cryptographic literature, it is a mandatory standard within China’s critical information infrastructure. This study establishes a theoretical foundation for privacy-preserving protocols within this regulatory context, serving a role analogous to that of Curve25519 in non-standardized high-performance applications. In our previous work, we designed and implemented a hardware-acceleration architecture for elliptic curve computations [29,30], aiming to mitigate algorithmic overhead through hardware-level optimization. However, despite these efficiency gains, the fundamental computational burden imposed by the protocol’s native algorithmic structure remains unresolved, and its performance bottleneck in large-scale dataset scenarios persists. The PSI protocol proposed by Cristofaro et al. [15] employs RSA-based homomorphic encryption, augmented by performance evaluations and the integration of Bloom filters (BFs) [16]. This protocol supports intersection computation, intersection-cardinality estimation, and verifiable computation, making it one of the most widely deployed PSI protocols to date. Because RSA is increasingly vulnerable to cryptanalytic advances, the protocol strengthens security by incorporating private-key blinding and 2048-bit key lengths. However, because the number of RSA encryption and decryption operations scales linearly with the set size, the resulting computational overhead becomes prohibitive, rendering RSA-based PSI protocols impractical for large real-world deployments. Zhang et al. [17] developed the robust federated-learning framework FLASH and implemented a FLASH-RSA-PSI hardware–software co-optimization architecture on the Xilinx VU13P FPGA. Experimental evaluations show that when both parties hold million-scale datasets, the privacy-preserving intersection computation time exceeds 400 s. Due to its relatively low hardware speedup—only a two-fold speedup compared with software execution—the framework cannot meet the real-time requirements of large-scale data scenarios.

At present, the development of high-performance PSI protocols is closely linked to advances in OT. First proposed by Rabin et al. [18] in 1981, OT is a secure two-party communication protocol in which the sender holds multiple input items, while the receiver obtains exactly one selected item. The protocol guarantees that the sender cannot infer the receiver’s selection, and the receiver cannot access any information about the unselected items. Pinkas et al. [19] initially proposed a method for privacy-preserving set intersection computation based on OT, and subsequent work [20] implemented this approach by constructing an OPRF using enhanced OT extension techniques. Extensive theoretical and experimental evaluationsshow that, among semi-honest PSI protocols, two-party PSI based on OT extension achieves higher efficiency. The GMR [21] protocol employs Multi-query Reverse Private Membership Testing (mqRPMT) and OT, preventing either party from linking test results to specific elements and thereby enabling secure, intersection-only computation; however, it exhibits limited performance in practice. The KKRT [22] protocol implements PSI using Cuckoo hashing combined with a single-point auxiliary OPRF, reducing the sender’s computational burden, but the single-point evaluation capability leads to substantially increased communication overhead. To address this limitation, Pinkas et al. [23] proposed the SpOT-Light PSI, which builds on OT extension techniques and functions as an efficient multi-point OPRF optimized for cloud-server CPUs. Nevertheless, its computational complexity $\mathcal{O}\left(n{log}^{2}n\right)$ is prohibitively high. PRTY19 [12] proposes a batch processing and amortization design scheme for OPPRF, which reduces the communication overhead. Other representative protocols include PaXoS (PRTY20) [24], which achieves security in the OT-hybrid model while maintaining linear communication complexity, and CM20 [25], which implements multi-point OPRF through matrix construction to avoid excessive communication costs. RA17 [26] leverages OT extension techniques and provides an efficient solution for balanced PSI scenarios, but incurs substantial communication overhead in unbalanced settings.

Table 1. Comparison of Representative Two-Party PSI Protocols.

Protocol	Cryptographic Primitive	Security Model	Main Advantages	Main Limitations
Meadows [13]	ECDH	Semi-honest	Simple construction; early use of ECC for PSI	Requires a large number of ECC scalar multiplications; poor scalability for large datasets
DH-IPP [14]	ECDH + ECC optimization	Semi-honest	Highly optimized ECC operations on Intel CPUs; improved runtime over naive ECDH-PSI	Still requires (2n) ECC multiplications; limited scalability and CPU-dependent optimization
FLASH-RSA [17]	RSA-based homomorphic encryption	Semi-honest	Hardware–software co-design; supports large-scale federated learning scenarios	RSA operations incur high computational cost; limited speedup and large runtime for million-scale datasets
RA17 [26]	Blinded OPRF (ECC-based)	Semi-honest	Efficient for unbalanced datasets; avoids expensive hashing structures	Communication overhead increases significantly in balanced or large-scale settings
KKRT [22]	Single-point OPRF + OT extension	Semi-honest	Low sender-side computation; well-studied OT-based construction	Single-point OPRF leads to high communication overhead and bandwidth sensitivity
SpOT-Light [23]	Sparse OT extension + multi-point OPRF	Semi-honest	Reduced sender computation; optimized for cloud CPU environments	Computational complexity grows as ($O(nlogn)$); still communication-intensive
PRTY19/PRTY20 [12,24]	Multi-point OPRF + OT extension	Semi-honest	Linear communication complexity; improved scalability over single-point OPRF	Complex protocol structure; communication overhead remains non-negligible
CM20 [25]	Lightweight OPRF + matrix construction	Semi-honest	Reduced communication compared to earlier OT-based PSI	Increased implementation complexity; relies on non-national cryptographic primitives
GMR21 [21]	mqRPMT + OT	Semi-honest	Strong privacy guarantees; intersection-only output	Very high communication overhead; limited practicality for large datasets
Proposed SM2-OT-PSI	SM2-based OT + SM3-based OPRF	Semi-honest	Fully compliant with Chinese national cryptographic standards; low communication complexity; efficient multi-point OPRF; hardware-accelerated implementation	Communication overhead higher than some lightweight OPRF schemes in very low-bandwidth networks

summarizes representative two-party PSI protocols and highlights their main advantages and limitations. Existing schemes typically face a trade-off between computational efficiency and communication overhead. RSA-based designs suffer from expensive public-key operations, while ECDH-based PSI requires a large number of elliptic curve multiplications. OT/OPRF-based PSI significantly improves performance but often incurs substantial communication costs. In contrast, the proposed SM2-OT-PSI protocol achieves a balanced trade-off between efficiency and communication while fully complying with Chinese national cryptographic standards, making it suitable for large-scale practical deployment.

3. Preliminaries

3.1. Semi-Honest Adversary Model

The protocol proposed in this paper is developed within the semi-honest adversary model, and it is provably secure within this framework, meaning that neither party learns the other party’s set contents [31]. The protocol includes a formal, simulation-based security proof to establish the security of SM-PSI. While the malicious model offers stronger security guarantees, recent comprehensive surveys on MPC security models indicate that the semi-honest assumption remains the dominant and most practical choice for large-scale industrial applications due to its superior efficiency [32]. Furthermore, cutting-edge research, such as the efficient PSI protocol presented at ACM CCS 2024, confirms that protocol designs under the semi-honest model can achieve orders-of-magnitude performance improvements, which is critical for supporting large-scale, high-concurrency real-time privacy services [33]. The semi-honest adversary model assumes that adversaries follow all protocol-specified steps while passively observing the execution to extract information such as inputs or outputs. Compared with the malicious adversary model, the semi-honest model presumes that adversaries do not actively alter information or deviate from the prescribed protocol during execution. The security definition of secure multi-party computation under the semi-honest adversary model is formally defined as follows: for n participants $P_1,P_2,\dots ,P_n$ each holding an input dataset $X_1,X_2,\dots ,X_n$ who jointly compute the function $f=f(X_1,X_2,\dots ,X_n)$ via Protocol $\mathrm{\Pi }$, a semi-honest adversary $\mathcal{A}$ controlling a subset I of one or more participants, the multi-party computation protocol is secure if and only if for any such adversary $\mathcal{A}$, there exists a simulator $\mathcal{S}$ such that the view ${\mathrm{View}}_{\mathcal{A}}^{\mathrm{\Pi }}(X_1,X_2,\dots ,X_n)$ generated by $\mathcal{A}$ during protocol execution is computationally indistinguishable from the simulated view output by $\mathcal{S}$, for all input datasets $X_1,X_2,\dots ,X_n$ and all adversary-controlled subsets I.

To formalize computational indistinguishability, we introduce a probability function $P_r$, which denotes the probability that adversary $\mathcal{A}$ observes a given view:

$$P_r\left\{{\mathrm{View}}_A^{\mathrm{\Pi }}\left(X_1,X_2,\dots ,X_n\right)\right\}=P_r\left\{S\left(f\left(X_1,X_2,\dots ,X_n\right)\right)\right\}$$

(1)

where $X_I$ represents the inputs of the participants controlled by adversary $\mathcal{A}$. The security of the SMPC model under the semi-honest adversary model ensures that adversary $\mathcal{A}$ cannot deduce the private inputs of honest participants from intercepted protocol data. Specifically, there exists a simulator $\mathcal{S}$ that produces a simulated view—computationally indistinguishable from the adversary’s real view—using only the protocol output and the inputs of the corrupted participants.

3.2. Oblivious Transfer

Oblivious Transfer (OT) is a core cryptographic primitive in the field of secure computation first introduced by Rabin [18]. The 1-out-of-2 OT protocol describes a scenario in which a sender holding two input strings $(m_0,m_1)$ interacts with a receiver who possesses a selection bit b. In this interaction, the receiver learns $m_b$ without learning $m_{1-b}$, and the sender remains unaware of the value of b. In 2003, Ishai et al. [34] proposed an OT extension protocol—commonly referred to as IKNP—which enables the execution of a large number of OT instances by performing only a small number of computationally expensive base OTs. In this paper, all OT implementations employed in the tests are based on the ALSZ scheme [28].

3.3. SM2 Algorithm

The SM2 algorithm is a public-key cryptographic algorithm based on elliptic curves whose security is primarily founded on the intractability of the Elliptic Curve Discrete Logarithm Problem (ECDLP). Compared with other public-key cryptographic schemes (e.g., RSA, Paillier) offering comparable security levels, SM2 provides advantages including shorter key lengths and smaller parameter sizes. Moreover, the number of logic gates required to implement SM2 in hardware (e.g., on chips) is significantly smaller than that required by RSA, resulting in reduced power consumption. This paper adopts the Chinese national cryptographic standard SM2, as defined in GB/T 32918-2016 [7], which specifies the use of an elliptic curve over a 256 bit prime field. Its security relies on the intractability of the Elliptic Curve Discrete Logarithm Problem (ECDLP). To ensure clarity and standardization, this paper adopts the recommended parameters defined in Part 4 of the standard:

• Curve Equation: The algorithm operates on an elliptic curve over a prime field ${\mathbb{F}}_p$, defined by the equation $y^2=x^3+ax+b$;
• Key Parameters: It utilizes a 256-bit prime field, offering security comparable to NIST P-256 but with independent parameter generation.
• Efficiency: Compared to RSA-2048, SM2 employs shorter 256-bit keys and requires fewer logic gates for hardware implementation, resulting in lower power consumption and higher processing speed.

3.4. SM3 Algorithm

SM3, a Chinese national cryptographic standard, is a cryptographic hash function independently developed in China and is primarily used in scenarios such as digital signatures, message authentication codes, and other data-integrity verification tasks. The parameters of the SM3 hash algorithm adopted in this paper are defined as follows:

• Input and Padding: The maximum input message length is $2^{64}$ bits. The message is padded and parsed into 512-bit message blocks;
• Compression Function: The algorithm utilizes a 32-bit word size and produces 132 message words from each block. The compression function executes 64 rounds of operations;
• Output Digest: After processing all blocks sequentially, the algorithm produces a fixed 256-bit hash value, which ensures high collision resistance and compatibility with the SM2 algorithm.

3.5. Non-Interactive Zero-Knowledge Proof (NIZK)

Non-interactive zero-knowledge proof (NIZK) is a specialized form of zero-knowledge proof in which only a single message is exchanged between the prover and the verifier, the prover sends a proof that the verifier can validate without any multi-round interaction. Based on the binary relation formed by points on the SM2 elliptic curve and their discrete logarithms, defined as $R_{DL}=\left\{(G,Q,P,w)\mid P=wG\right\}$, this paper constructs the non-interactive zero-knowledge functionality $F_{\mathrm{com}-\mathrm{ZK}}^R$ using SM2. Only a single message exchange via a program interface is required to implement key-correctness verification. For the non-interactive zero-knowledge functionality corresponding to relation R, the participating entities are $P_1$ and $P_2$, and the procedure is outlined as follows:

• Upon receiving the instruction $(\mathrm{prove},\mathrm{sid},x,w)$ from participant $P_i$($i\in \{1,2\}$), the system first checks whether the session identifier sid has been previously used. If it has, the message is ignored; if it has not, the system sends $(\mathrm{proof}\text{-}\mathrm{receipt},\mathrm{sid},x)$ to $P_{3-i}$. If $(x,w)\in R$, the system records ${(\mathrm{sid},i,x)}^{*}$.
• Upon receiving the instruction $(\mathrm{response}\text{-}\mathrm{proof},\mathrm{sid})$ from $P_i$, if a record of the form $(\mathrm{sid},i,x)$ exists, the system sends $(\mathrm{response}\text{-}\mathrm{proof},\mathrm{sid},x)$ to $P_{3-i}$.

4. Design of a Private Set Intersection Protocol Based on Chinese National Cryptographic Algorithm

4.1. Computational Problem Description of Private Set Intersection

This paper assumes the existence of two participants, Alice and Bob, each holding a dataset denoting $U_A$ and $U_B$, respectively. The datasets $U_A$ and $U_B$ store the unique identifiers (ID) of users in the sets owned by Alice and Bob, enabling each participant to locate the corresponding users within their respective collections. Specifically, $U_A$ contains i elements, denoted $U_{A_i}$, while $U_B$ contains j elements, denoted $U_{B_j}$. When Alice and Bob wish to compute the intersection of their respective sets without revealing the contents of $U_A$ or $U_B$, the overall framework of the SM2-OT-PSI protocol is shown in Figure 1.

Encryption Initialization Phase: Both parties generate the required encryption parameters based on SM2 and perform initial encryption and obfuscation of the user ID.

Oblivious Transfer Phase: Without direct communication, both parties verify the correctness of the submitted public and private keys via signature generation and verification mechanisms. This approach not only prevents man-in-the-middle attacks but also avoids the substantial communication overhead of interactive verification, thereby ensuring that no private-key information is leaked throughout the process.

Private Set Intersection Computation Phase: Since identical user ID encrypted using the SM3-based OPRF yield consistent ciphertexts, the two parties can directly compare the encrypted outputs. Thus, the intersection of the sets can be efficiently derived without requiring decryption of the ciphertexts.

4.2. Protocol Flow of SM2-Based Non-Interactive Zero-Knowledge Proof

This paper designs a Non-Interactive Zero-Knowledge (NIZK) proof functionality, denoted as $F_{com-ZK}^R$, based on the SM2 algorithm. Under this functionality, the Sender (S) transmits a ciphertext $c_1=\left[k\right]G=(x_1,y_1)$ containing the critical key information k to the Receiver (R) and proves the correctness of the key k via $F_{com-ZK}^R$.

• Proof Generation: Sender S first sends the instruction $\left(\mathrm{prove},\mathrm{sid}\right||1,c_1,k)$ to the functionality $F_{com-ZK}^R$, then selects a random number r and computes $R=\left[r\right]G$. Subsequently, Sender S sends the instruction $\left(\mathrm{response}\text{-}\mathrm{proof},\mathrm{sid}\right|\left|1\right)$ to $F_{com-ZK}^R$ again and computes the following based on the returned result:

  $$c^{\prime }=Hash(R,c_1,G).$$

  (2)

  $$s=r+k{c}^{\prime }.$$

  (3)
  This generates the proof ciphertext $c=(R,s)$. Finally, Sender S transmits the proof ciphertext c and the corresponding ciphertext set to Receiver R.
• Proof Reception and Recording: Upon receiving the ciphertext set and the proof ciphertext $c=(R,s)$ from Sender S, Receiver R simultaneously receives a return message $\left(\mathrm{proof}\text{-}\mathrm{receipt},\mathrm{sid}\right|\left|1\right)$ from the functionality $F_{com-ZK}^R$ and records $\left(\mathrm{sid}\right||1,1,c_1)$, where $c_1=\left[k\right]G=(x_1,y_1)$.
• Proof Verification: Receiver R verifies the ciphertext $c_1$ using the proof ciphertext $c=(R,s)$. First, R computes $c^{\prime }$ as defined in Equation (2). Subsequently, Receiver R receives the message $\left(\mathrm{response}\text{-}\mathrm{proof},\mathrm{sid}\right||1,c_1)$ returned by the functionality $F_{com-ZK}^R$. If this message is not received, the protocol is aborted; if received, the zero-knowledge proof $(G,R,c_1)\in R_{DL}$ is verified. If the verification fails, the protocol is likewise aborted.
• Result Determination: When all the aforementioned verifications pass, Receiver R further computes and checks whether the following equation holds:

  $$\left[s\right]G=R+\left[c^{\prime }\right]c_1.$$

  (4)
  If the equation does not hold, the protocol is aborted. If the equation holds, the correctness of $c_1=\left[k\right]G=(x_1,y_1)$ is accepted, thereby completing the verification of the discrete logarithm relationship.

4.3. Protocol Flow of SM2-Based Oblivious Transfer

This paper constructs a 1-out-of-i OT protocol using the SM2 public-key cryptographic algorithm. The sender, Alice, holds a message set $U_A=\{U_{A1},\dots ,U_{Ai}\}$, while the receiver, Bob, generates a private-key set $dB=\{d{B}_1,\dots ,d{B}_i\}$ and selects one key to obtain the corresponding message. The sender remains unaware of which message the receiver selects, and the receiver learns only the chosen message without obtaining any information about the remaining ones. OPRF enables two parties to jointly compute a pseudorandom function value while ensuring that neither party learns the other’s private input. In Section 4.4, the SM2-based OT scheme is extended to construct an SM2-OPRF scheme used within the PSI protocol. Protocol Flow is as follows:

• Operations of Bob
  • According to the GB/T 32918-2016 standard, Bob selects a private key $d{B}_i$ in the range $[1,n-2]$ and derives the corresponding public key $PB$ using the elliptic curve base point G.
• Operations of Alice
  • Alice obtains the public parameters.
  • For each message, she generates a random value $k_i$ and computes

    $$c_{1i}=\left[k_i\right]G=(x_{1i},y_{1i}).$$

    (5)
  • Alice computes

    $$\left[k_i\right]PB=(x_{2i},y_{2i}).$$

    (6)
  • Alice generates the key material

    $$t_i=(x_{2i}\parallel y_{2i},\mathrm{klen}).$$

    (7)
  • Alice encrypts each message $m_i\in U_A$ as

    $$c_{2i}=m_i\oplus t_i.$$

    (8)
  • Alice computes a signature-like verification tag

    $$c_{3i}=\mathrm{Hash}(x_{2i}\parallel m_i\parallel y_{2i}).$$

    (9)
  • Alice transmits the ciphertext tuple

    $$C_i=(c_{1i}\parallel c_{3i}\parallel c_{2i})$$

    (10)

    to Bob.
• Operations of Bob
  • Bob receives the ciphertexts and selects the ciphertext $C_i$ corresponding to the message he intends to obtain.
  • Bob computes

    $$(x_{2i}^{\prime },y_{2i}^{\prime })=\left[d{B}_i\right]c_{1i}=\left[k_i\right]PB.$$

    (11)
  • Bob recovers the message as

    $$c_{2i}\oplus t_i=m_i.$$

    (12)
  • Bob verifies the correctness of the message by checking whether

    $$(x_{2i}^{\prime }\parallel m_i\parallel y_{2i}^{\prime })=c_{3i}.$$

    (13)
    If the verification equation $(x_{2i}^{\prime }\parallel m_i\parallel y_{2i}^{\prime })=c_{3i}$ holds, the message is deemed valid and is accepted. Otherwise, this indicates that the ciphertext has been tampered with or the sender has failed to follow the protocol. In this case, the receiver will immediately execute the abort procedure, terminate the session, and return the failure identifier ⊥ to prevent any potential information leakage.

4.4. SM2-Based Oblivious Pseudorandom Function via OT Extension

This section builds upon the SM2 Oblivious Transfer (OT) protocol introduced in Section 4.3, extending it to an Oblivious Pseudorandom Function (OPRF) protocol. In the OPRF protocol, the sender, Alice, generates a pseudorandom output for each of her inputs, determined by the implicit choice derived from the receiver, Bob’s private key; meanwhile, Bob is only able to retrieve the output corresponding to the key he has selected. OPRF acts as a fundamental primitive in the construction of privacy-preserving protocols, including PSI.

Protocol Goal: Alice possesses an input set $(U_A=U_{A1},\dots ,U_{Aj})$, while Bob holds a private key $d_B$ and its corresponding public key $P_B$. Both parties collaborate to compute: Alice retrieves the OPRF values $c_{2i}$ corresponding to all inputs $U_{Aj}$, while Bob can only learn the plaintext $U_{Ai}$ corresponding to a specific value $c_{2i}$, and cannot gain any information about the other $c_{2i}$ where $(j\ne i)$. Moreover, Alice is unable to discern which index i Bob has selected. Protocol Flow is as follows:

• Operations of Bob
  • Bob selects (or generates) an SM2 private key $d{B}_i$ and computes the corresponding public key $PB=\left[d{B}_i\right]$. He transmits $PB$ to Alice while retaining $d{B}_i$ as confidential information.
• Operations of Alice
  • Alice obtains the public parameters.
  • For each message, Alice samples a random value $k_i$ and computes $c_{1i}$ as defined in Equation (5).
  • Alice computes $\left[k_i\right]PB$ as defined in Equation (6).
  • Alice derives the key material using the key-generation function:

    $$t_i=KDF(x_{2i}\parallel y_{2i},\mathrm{klen}).$$

    (14)
    Here, KDF is the key derivation function defined in the GB/T 32918.4-2016 standard [7], which generates one or more shared secret keys by operating on the shared secret and other parameters known to both participating parties.
  • Alice encrypts each message $m_i\in U_A=\{U_{A1},\dots ,U_{Ai}\}$ as

    $$c_{2i}=SM3\left(t\left|\right|U_{Ai}\right)$$

    (15)
    This step implements the specific instantiation of the pseudorandom function

    $$\mathrm{OPRF}(t_j,U_{Aj})$$

    (16)

    and the output $c_{2i}$ serves as the final OPRF value corresponding to the input $U_{Aj}$.

4.5. Protocol Flow of Private Set Intersection

This paper proposes a PSI protocol based on a public-key cryptosystem, in which the construction of the PSI protocol leverages the SM2 and SM3 throughout the computation process. This section provides a detailed description of the protocol steps and operational procedures, and the overall workflow of the national-cryptography-based PSI protocol is presented in

Table 2. Workflow of the Private Set Intersection protocol based on SM2-OT.

Stage	Description
Input	Alice and Bob hold private datasets $U_A=\{U_{A1},\dots ,U_{Ai}\}$ and $U_B=\{U_{B1},\dots ,U_{Bj}\}$, respectively.
Output	The intersection set $U_A\cap U_B$.
Preparation	Alice and Bob jointly select a common set of SM2 elliptic curve parameters. Specifically, a large prime p is chosen to define the finite field ${\mathbb{F}}_p$. An elliptic curve $E\left({\mathbb{F}}_p\right)$ is constructed over ${\mathbb{F}}_p$, and a generator $G=(x_G,y_G)$ of order n is selected. For $k\in {\mathbb{Z}}_n^{*}$, $\left[k\right]G$ denotes elliptic curve scalar multiplication. The cryptographic hash function SM3 is adopted. The symbol ‖ denotes concatenation of byte strings. All subsequent computations are performed without revealing any additional information.
Bob’s Operations	(1) Bob selects a random number $d_B\in {\mathbb{Z}}_n^{*}$ as his private key. (2) Bob computes the public key $P_B=\left[d_B\right]G$ and publishes $P_B$.
Alice’s Operations	(1) Alice receives $P_B$ and computes $S=\left[h\right]P_B$. If S is the point at infinity, the protocol aborts. (2) Alice samples a random number $k\in {\mathbb{Z}}_n^{*}$ and computes $c_1=\left[k\right]G=(x_1,y_1)$. (3) Alice computes the obfuscated point $\left[k\right]G=(x_2,y_2)$. (4) Alice derives the symmetric key $t=(x_2\parallel y_2,\mathrm{Klen})$. (5) Alice computes $c_{2A_i}=\mathrm{OPRF}(t,U_{A_i})$ and forms the ciphertext set $C_{2A}=\{c_{2A_1},\dots ,c_{2A_i}\}$. (6) Alice computes $c_{2A_i}=\mathrm{Hash}(x_2\parallel U_{A_i}\parallel y_2)$ (7) Alice sends an instruction $\left(\mathrm{prove},\mathrm{sid}\left|\right|1,c_1,k\right)$ to the Non-Interactive Zero-Knowledge Proof Functionality $F_{\mathrm{com}\text{-}\mathrm{ZK}}^R$.
Bob’s Operations	(1) Bob receives $F_{\mathrm{com}\text{-}\mathrm{ZK}}^R$ from the returned message $\left(\mathrm{proof}\text{-}\mathrm{receipt},\mathrm{sid}\left|\right|1\right)$.
Alice’s Operations	(1) Alice selects a random number r according to the zero-knowledge proof protocol and computes the commitment point $R=\left[r\right]G$. (2) Alice computes the challenge value $c^{\prime }=\mathrm{Hash}\left(R,c_1,G\right)$ and the response value $s=r+k{c}^{\prime }$, and obtains the proof pair $c_3=\left(R,s\right)$. (3) Alice sends $C_i=\left(c_1\left|\right|c_3\left|\right|c_{2Ai}\right)$ to the receiver Bob, and the sender Alice proves that $\left(G,R,c_1\right)\in R_{\mathrm{DL}}$ via a zero-knowledge proof.
Bob’s Operations	(1) Bob receives the ciphertext set $C_i$ from Alice and uses $c_3=\left(R,s\right)$ to prove $c_1=\left[k\right]G=(x_1,y_1)$ and computes the challenge value $c^{\prime }=\mathrm{Hash}\left(R,c_1,G\right)$. (2) Bob receives the message $\left(\mathrm{response}\text{-}\mathrm{proof},\mathrm{sid}\left|\right|1\right)$ returned by $F_{\mathrm{com}\text{-}\mathrm{ZK}}^R$. If he fails to receive the message or the zero-knowledge proof relation $\left(G,R,c_1\right)\notin R_{\mathrm{DL}}$ does not hold, Bob terminates the protocol; otherwise, Bob continues the execution. Compute and verify whether the $\left[s\right]G=R+\left[c^{\prime }\right]c_1$ equation holds. If it does not hold, the receiver terminates the protocol; otherwise, the receiver confirms that $c_1=\left[k\right]G=(x_1,y_1)$ is correct. (3) Bob computes $d_{B_j}{c}_1=\left[d_{B_j}k\right]G=(x_2,y_2)$. (4) Bob derives the symmetric key $t=\mathrm{KDF}(x_2\parallel y_2,\mathrm{Klen})$. (5) Bob computes $c_{2B_j}=\mathrm{OPRF}(t,U_{B_j})$. Obtain the ciphertext set $c_{2B_j}=\mathrm{Hash}(x_2\parallel U_{B_j}\parallel y_2)$. (6) Bob obtains the preliminary intersection $C=c_{2A}\cap c_{2B}$. (7) Bob verifies the result by checking $c_{3B_j}=c_{3A_i}$, where $c_{3B_j}=\mathrm{Hash}(x_2\parallel U_{B_j}\parallel y_2)$. (8) If the verification holds, the final intersection result $I=c_{2A}\cap c_{2B}$ is obtained and shared by both parties.

. In this protocol, computation scheduling for the national-cryptography-based PSI is performed on the software side, whereas the point-multiplication operations of the SM2 algorithm and the hash computations of the SM3 algorithm are executed on the hardware side. This software–hardware co-design approach improves computational efficiency and reduces communication overhead; it minimizes the number of communication rounds and transmitted data, offloads computationally intensive operations to the chip-integrated arithmetic module, and delegates branch-control logic to the software layer. Each participant in the PSI protocol deploys a server equipped with the domestic reconfigurable cryptographic security chip RSP S20G, which provides hardware acceleration for national cryptographic algorithms. Owing to its programmability, the RSP S20G chip can accommodate new computational requirements through algorithm updates or optimizations without necessitating hardware replacement. Its performance achieves throughput rates of 30 Gbps for SM3 hashing and 300,000 SM2 encryption operations per second. The protocol interacts with the security chip’s arithmetic module through the CAP interface on the software side, while the Linux kernel driver layer and PCIe 2.0 × 8 interface handle the transmission of data streams, control signals, and status signals. The eight-channel read/write mechanism supports a data rate of up to 4 GB/s, enabling tight software–hardware integration and facilitating highly efficient data flow within the system.

4.6. Security Analysis

The security of the SM2-OT-PSI protocol relies on the Chinese National Cryptographic Algorithms, non-interactive zero-knowledge proofs, and the security mechanisms provided by hardware security chips. In this section, under the semi-honest setting, we analyze the security of the SM2-OT-PSI protocol using a simulation-based security proof for the semi-honest adversary model. From the hardware perspective, the RSP S20G security chip incorporates physical attack-resistant features, such as anti-disassembly protections and countermeasures against side-channel attacks. Its operational logic and internal data-processing mechanisms have undergone rigorous security certification. By optimizing the implementations of the SM2 and SM3 algorithms, the chip prevents leakage of intermediate computational states. Additionally, private keys are generated internally and stored within a dedicated secure region, ensuring that they cannot be accessed or tampered with by external entities. From the software perspective, the protocol workflow is designed in accordance with the security guarantees required under the semi-honest adversary model. All ciphertexts transmitted during the protocol are encrypted using SM2—whose security is based on the intractability of the ECDLP—and further protected by the cryptographic hash function SM3. Data is transferred to the security chip through the high-speed and stable PCIe 2.0 × 8 interface, which supports encryption and identity authentication. Both parties establish a secure communication channel through a cryptographic handshake protocol, ensuring the confidentiality and integrity of transmitted data, providing resistance against collusion attacks, and preventing replay attacks. This architecture strictly follows the privacy-preserving computation model under the semi-honest adversary assumption: during protocol execution, a semi-honest adversary cannot obtain any information beyond the intended output. With the combined support of hardware security chips, national cryptographic algorithms, and the oblivious transfer mechanism, collusion among multiple adversaries to infer private data is effectively mitigated. The formal proofs of correctness and computational indistinguishability for the PSI protocol based on Chinese National Cryptographic Algorithms are presented below:

Theorem: Security. If the SM2-based Elliptic Curve Discrete Logarithm Problem is intractable and the SM3 hash function is cryptographically secure, then the Private Set Intersection protocol based on Chinese National Cryptographic Algorithms is computationally indistinguishable. Proof: Suppose there exists a probabilistic polynomial-time adversary $\mathcal{A}$ that can distinguish the ciphertexts of the Chinese National Cryptographic Algorithm-based PSI protocol with a non-negligible advantage. In that case, we can construct a challenger $\mathcal{C}$ that breaks the intercepted ciphertext with a non-negligible advantage. Below, we prove (following the security standards and methods specified in the privacy-preserving computation model against semi-honest adversary attacks) that during the secure computation of $U_A\cap U_B$, the adversary gains no private information about the other party beyond the intersection result $U_A\cap U_B$.

Construction of Simulator $S_1^{\mathrm{\Pi }}$: Let the input data of parties $P_1$ and $P_2$ be $X_1$ and $X_2$, respectively, and let $f=f(X_1,X_2)$ denote the function computed via the SM2-OT-PSI protocol. For the SM2-OT-PSI protocol with inputs $X_1$ and $X_2$. The view of party $P_1$ executing the SM2-OT-PSI protocol is given by ${\mathrm{View}}_1^{\mathrm{\Pi }}\left(X_1\right)=(X_1,c,m_1,\dots ,m_t)$, where c denotes the ciphertext set, and $m_t$ denotes the received messages. The view of party $P_2$ executing the SM2-OT-PSI protocol is given by ${\mathrm{View}}_2^{\mathrm{\Pi }}\left(X_2\right)=(X_2,dB,m_1,\dots ,m_t)$, where $dB$ denotes the private key. The challenger $\mathcal{C}$ runs the system setup algorithm to obtain system parameters and the public key $PB$, and then randomly selects a dataset of unique ID values for users that satisfy the intersection protocol strategy.

Challenge Phase: When the adversary knows the output of $\mathcal{C}$’s protocol, and the input of the participant controlled by $\mathcal{C}$ is $c=(c_1,c_3,c_2)$, $\mathcal{C}$ outputs an arbitrary ID value b from its dataset. $c_2$ is a hash value generated via the SM3 encryption algorithm, and the adversary cannot obtain b by decrypting $c_2$; When the adversary uses the same SM3 algorithm, given $c_1$, the private key $dB$ is unknown. Therefore, the adversary cannot compute $\left[dB\right]c_1=\left[dB\right]\left[k\right]G=(x_2,y_2)$, and thus cannot obtain b via brute-force methods (e.g., rainbow table attacks). When the adversary controls $\mathcal{C}$’s input, $\mathcal{C}$ does not output the obtained intersection result, thus preventing the adversary from learning b. For the security of $\mathcal{C}$’s private information, if under the control of the simulator $S_1^{\mathrm{\Pi }}$, the viewed information that an adversary $\mathcal{A}$ can obtain in polynomial time is less than or equal to the viewed information obtained by $\mathcal{C}$, and $P_r\left\{{\mathrm{View}}_A^{\mathrm{\Pi }}\left(X_1,X_2,c\right)\right\}=P_r\left\{S\left(f\left(X_1,X_2,c\right)\right)\right\}$, then $\mathcal{C}$’s private information remains secure. From the above, when a semi-honest adversary exists, the protocol can securely compute f with no information leakage, thereby satisfying the security requirement.

5. Performance Analysis

5.1. Experimental Setup

This section presents a comprehensive performance evaluation of the implementations of SM-PSI and several representative PSI protocols. The experiments are conducted on a server configured with an Intel(R) Core(TM) i5-12400F processor, 32 GB of memory, and the CentOS7 operating system. All implementations are developed using the C and Verilog programming languages, with the SM2/SM3 software libraries built on OpenSSL. To simulate real-world network conditions, bandwidth and RTT latency are manually configured using the Linux tc command. To clearly present the experimental design, we first summarize the salient features of the experimental setup. The evaluation covers both symmetric and asymmetric PSI scenarios, with dataset sizes ranging from $2^{12}$ to $2^{20}$, including a highly unbalanced setting with $2^{20}$ elements on one side and $2^{10}$ on the other. To reflect practical deployment conditions, experiments are conducted under multiple network environments, including a high-speed LAN (10 Gbps) and several WAN settings with different bandwidth and RTT configurations. Both single-threaded and multi-threaded executions are evaluated to examine scalability and parallelism. Representative PSI protocols from different design paradigms, including OT/OPRF-based, mqRPMT-based, and hardware-accelerated schemes, are selected as baselines for comparison. For the proposed protocol, computationally intensive SM2 scalar multiplication and SM3 hashing operations are offloaded to a reconfigurable cryptographic accelerator, enabling an accurate assessment of the benefits of software–hardware co-design.

In each experimental round, multiple PSI protocols are evaluated. The evaluation includes PSI protocols representing diverse technical paradigms as comparison baselines, including hardware-accelerated optimization schemes DH-IPP [14], FLASH-RSA [17], and SpOT-Light [23]; the blinding OPRF-based paradigm RA17 [26]; the single-point OPRF-based paradigm KKRT [22]; the multi-point OPRF-based paradigms PRTY19 [12], CM20 [25], and PRTY20 [24]; and the mqRPMT-based paradigm GMR21 [21]. All protocols are implemented and evaluated under the semi-honest security model. Among them, the hardware configurations adopted by DH-IPP, FLASH-RSA, and PRTY19 are summarized in

Table 3. Complexity Comparison of PSI Protocols.

PSI Protocol	Algorithm Framework	Hardware Architecture	Communication Complexity	Computational Complexity
SpOT-Low	OT	Intel Xeon vCPU	$O(\mathit{\ell }·t)$	$O\left(t{log}^{2}t\right)$
SpOT-Fast	OT	Intel Xeon vCPU	$O(\mathit{\ell }·t)$	$O(t·\lambda )$
DH-IPP	ECDH SHA256	Intel Xeon Platinum 8369B CPU	$O(t·\varphi )$	$O\left(2t\right)$
FLASH-RSA	RSA SHA256	Xilinx VU13P FPGA	$O(t·\lambda )$	$O(tlogt)$
Proposed	SM2 SM3	Muchuang RSPS20 Chip	$O(t·k)$	$O(t·k)$

, and their corresponding hardware speedup are illustrated in Figure 2. RA17 is implemented through the construction of a blinding OPRF based on ECC, and the SECP256 curve is selected to satisfy security requirements under the standard model. In the implementations of KKRT and GMR21, hash bucket partitioning employs a three-way cuckoo hashing scheme. The OT instances required by KKRT, PRTY19, CM20, GMR21, and PRTY20 are uniformly instantiated using the ALSZ [28] scheme.

All protocols may be categorized into two primary phases: the initialization phase and the online phase. The initialization phase entails one-time preprocessing procedures conducted prior to the execution of the actual PSI protocol, including key generation, baseline OT, and supplementary operations; the online phase implements the formal workflow of the PSI protocol on the basis of the input sets provided by both participating parties. To assess the scalability of PSI, the input set sizes deployed in the experiments include $2^{12}$, $2^{16}$, and $2^{20}$. Furthermore, we conducted tests on the scenario involving asymmetric dataset sizes between the two parties, in which the set sizes of the sender and receiver are $2^{20}$ and $2^{10}$, respectively. The network environments simulated by means of the tc command comprise a LAN environment (bandwidth: 10 Gbps, RTT: 0.02 ms) and three WAN environments (bandwidth: 1 Gbps/100 Mbps/10 Mbps; corresponding RTT: 20 ms/40 ms/80 ms). In the meantime, we assessed the performance under both single-threaded (T = 1) and multi-threaded (T = 7) configurations. The full performance test results for symmetric set sizes between the two parties are presented in Table 4 and Figure 3, where “R” and “S”, respectively, denote the communication volumes transmitted by the two participating parties. The running time is calculated by comparing the timestamps recorded at the initiation and termination of the protocol (with the receiver’s time adopted as the reference), whereas the communication volume is calculated by summing the sizes of data packets generated during the communication process. To achieve a more intuitive visualization of the data, Figure 3 illustrates the variations in running time with the reduction in bandwidth under general conditions. The axes of the figure employ a logarithmic scale, and the legend is shared across all subfigures: Subfigures (a, b, c) correspond to the single-threaded configuration, whereas Subfigures (d, e, f) correspond to the multi-threaded configuration. From left to right, each column corresponds to the set sizes $n=2^{12}$, $2^{16}$, and $2^{20}$, respectively. The full performance test results for asymmetric set sizes between the two parties are presented in Table 5 and Figure 4, where Subfigure (a) corresponds to the single-threaded configuration and Subfigure (b) corresponds to the multi-threaded configuration.

5.2. Experimental Data and Evaluation

Among semi-honest model protocols, the proposed protocol demonstrates notable advantages over SpOT-Light, DH-IPP, and FLASH-RSA with respect to computational and communication complexity. By reducing the frequency with which datasets are involved in complex encryption computations and decreasing the number of communication rounds that transmit encrypted datasets, the proposed protocol effectively reduces the communication data volume and the number of computational operations. This performance merit is particularly critical for applications handling large-scale datasets and operating in low-bandwidth environments, which is consistent with the demands of practical deployments. Notably, SM-PSI integrates the national cryptographic algorithms SM2 and SM3 into its operational workflow. This research furnishes critical support for the realization of independent and controllable cybersecurity within China’s cyberspace.

Table 3 presents a comparative analysis of the complexity of PSI protocols developed upon hardware-optimized architectures, where $N_X$ and $N_Y$ denote the sizes of the client-side and server-side datasets, respectively, with $t=N_X+N_Y$, $pk$ represents the number of asymmetric encryption operations; $\rho$ and $\varphi$ denote the asymmetric security parameter and elliptic curve size, respectively; ℓ denotes the width of the OT extension matrix; $\lambda$ is the statistical security parameter; and k denotes the security parameter employed for the hash function. SpOT-Low and SpOT-Fast exhibit an identical total communication complexity: $O\left((\lambda +logt)·N_X+\ell ·N_X\right)$. The computational complexity of SpOT-Low comprises $O\left(pk\right)$ asymmetric public-key operations, $O\left(t{log}^{2}t\right)$ finite field operations, and $O\left(tk\right)$ symmetric cryptographic operations; the computational complexity of SpOT-Fast comprises $O\left(pk\right)$ public-key operations, $O\left(t\lambda \right)$ finite field operations, and $O\left(tk\right)$ symmetric cryptographic operations. With respect to the DH-IPP PSI protocol, its communication complexity is $O\left((N_X+2N_Y)·\varphi \right)=O(t·\varphi )$, and it performs $2t$ ECC point multiplications, yielding a computational complexity of $O\left(2t\right)$. Regarding the FLASH-RSA PSI protocol, its communication complexity is $O\left(N_Y·(\lambda +{log}^{2}t)\right)=O(t·\lambda )$, and its computational complexity comprises $O(tlogt)$ cryptographic operations. For the proposed SM-PSI protocol, its communication complexity amounts to $O\left(N_X·k+\rho \right)=O(t·k)$, and its computational complexity amounts to $O(t·k)$.

In Figure 2, the hardware optimization acceleration performance of these protocols is comparatively analyzed across the input set sizes (ranging from 10 K to 50 K) adopted by both participating parties. Specifically, for SpOT-Light, a performance comparison is conducted between its execution on an Intel Xeon vCPU cloud server and that on an Intel Xeon E5-2699 v3 CPU; for the DH-IPP-PSI protocol (implemented with IPP-Crypto and adapted for the Intel Xeon Platinum 8369B CPU), an acceleration comparison is performed relative to the unadapted ECDH-PSI protocol running on the same Intel Xeon Platinum 8369B CPU; for the FLASH-RSA-PSI framework implemented on the Xilinx VU13P FPGA, an acceleration comparison is carried out relative to its execution on a general-purpose CPU; furthermore, an acceleration performance comparison is conducted between the proposed SM-PSI protocol (implemented on the RSP S20 chip) and its execution on a general-purpose Intel CPU. Overall, the performance of the proposed SM-PSI protocol consistently outperforms its counterpart executed on an Intel CPU, reaching a speedup of 9.0×. The performance-optimized DH-IPP attains a nearly 10× improvement; however, owing to its higher computational complexity, the overall computational speed of this protocol still remains significantly lower than that of SM-PSI.

Comparison of Communication Overhead for Equal-Size Datasets: As shown in Figure 3 and Table 4, the proposed SM-PSI protocol based on the multi-point OPRF paradigm demonstrates the optimal communication overhead performance in most test scenarios. As shown in Table 4, in the large-scale symmetric setting with n = $2^{20}$, the proposed SM2-OT-PSI protocol requires only 32 MB total communication and achieves an online runtime of 6.27 s under a 10 Gbps LAN environment with multi-threaded execution. Compared with representative baselines, this corresponds to a 2.9× speedup over KKRT, an 8.0× speedup over CM20, and more than an order-of-magnitude improvement over RA17 and GMR21.

Moreover, when transitioning from a 10 Gbps LAN to a 1 Gbps WAN environment, the multi-threaded runtime of the proposed protocol increases only from 6.27 s to 6.78 s, representing an $8.1\%$ increase, which demonstrates low sensitivity to bandwidth variations due to reduced communication complexity.

For the asymmetric setting reported in Table 5 ($2^{20}$ vs. $2^{10}$), the proposed protocol achieves an online runtime of 0.35 s under a 10 Gbps LAN environment with multi-threaded execution, significantly outperforming PRTY20 (4.41 s) and GMR21 (129.64 s). These results confirm that the proposed SM2-OT-PSI protocol maintains strong efficiency advantages in both balanced and unbalanced large-scale scenarios. The communication overhead of the evaluated schemes may be evaluated by observing the slope of the curves presented in the figure. Notably, PSI schemes utilizing single-point OPRF (e.g., KKRT16 and PRTY20) generally incur higher communication overhead, and their running time declines markedly with increasing bandwidth. For the experiment employing a large-scale dataset ($n=2^{20}$), the total communication volume of the proposed SM-PSI protocol is merely 32 MB: this corresponds to a $74.9\%$ reduction relative to KKRT16 (with a communication volume of 127.4 MB, roughly 4.0 times that of SM-PSI), a $79.9\%$ reduction relative to PRTY20 (159 MB, approximately 5.0 times that of SM-PSI), and a $97.4\%$ reduction relative to GMR21 (1239 MB, roughly 38.7 times that of SM-PSI). This communication overhead advantage remains consistent across varying dataset sizes.

Comparison of Single-Threaded vs. Multi-Threaded Performance for Equal-Size Datasets: By comparison, the other evaluated PSI schemes demonstrate lower bandwidth sensitivity. Among PSI schemes based on the multi-point OPRF paradigm, the proposed SM-PSI protocol demonstrates more stable computational efficiency, a trait that is particularly evident in experiments utilizing large-scale ID datasets. PSI schemes with distinct architectural designs exhibit varying degrees of sensitivity to multi-threaded execution environments. As illustrated in Figure 3, most OPRF-based PSI schemes achieve superior performance under multi-threaded execution compared to single-threaded execution; however, schemes with limited parallelism (e.g., KKRT16) yield better performance in single-threaded mode when the input dataset scale is small. In such cases, the latency reduction afforded by parallelism cannot even offset the overhead incurred by multi-thread scheduling. Furthermore, as the dataset size increases, parallelism generally yields more substantial performance improvements: when $n=2^{20}$, multi-threaded execution exhibits a more pronounced performance advantage over single-threaded execution (see Figure 3c,f); in contrast, when $n=2^{12}$, this performance advantage is nearly negligible (see Figure 3a,d).

Performance of Equal-Size Datasets in LAN Environment: In a 10 Gbps LAN environment, the proposed SM-PSI protocol demonstrates excellent computational efficiency in terms of running time. When $n=2^{12}$, the single-threaded running time of the proposed SM-PSI protocol is merely 0.03 s, attaining a roughly 11.3-fold performance improvement relative to the sub-optimal KKRT16 scheme (0.34 s). When $n=2^{20}$, the multi-threaded running time of the proposed SM-PSI protocol is 6.27 s. As shown in Table 6, this represents significant performance improvements ranging from 5.4-fold to 39.6-fold relative to other state-of-the-art schemes (RA17, PRTY19-F, CM20, PRTY20, and GMR21). Even when compared with KKRT16 (18.39 s), the scheme with the most comparable performance to the proposed SM-PSI protocol, the proposed SM-PSI protocol still retains a 2.9-fold performance advantage.

Performance of Equal-Size Datasets in WAN Environment: In a 1 Gbps WAN environment, the performance advantage of the proposed SM-PSI protocol is more pronounced. When $n=2^{20}$, the multi-threaded running time of the proposed SM-PSI protocol is 6.78 s, delivering performance improvements of 7.7-fold, 5.6-fold, and 3.3-fold relative to CM20 (51.95 s), PRTY20 (38.15 s), and KKRT16 (22.26 s), respectively. Notably, the multi-threaded running time of the proposed SM-PSI protocol merely increased by $8.1\%$ when transitioning from the LAN environment (6.27 s) to the WAN environment (6.78 s), indicating that the proposed SM-PSI protocol exhibits low sensitivity to variations in network bandwidth—a trait attributed to its low communication complexity.

The proposed SM-PSI protocol demonstrates favorable scalability for large-scale datasets. As the dataset size increases from $2^{12}$ to $2^{20}$ (a 256-fold increase), the multi-threaded running time of the proposed SM-PSI protocol increases from 0.05 s to 6.27 s (in the 10 Gbps LAN deployment environment), a roughly 125-fold increase—a growth magnitude lower than the linear growth rate of the dataset size, thus reflecting favorable asymptotic efficiency. By comparison, the running time of certain OPRF-based schemes (e.g., PRTY19-F) exhibits a more substantial increase on large-scale datasets.

Table 4. Performance Test Results of PSI Protocol under the Condition of $n_1=n_2$.

n	Protocol	Comm. (MB)				Total	Running Time (s)
		R		S			10 Gbps				1 Gbps				100 Mbps				10 Mbps
		Setup	Online	Setup	Online		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread
							Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online
$2^{12}$	RA17	0	0.14	0	0.19	0.33	0	1.55	0	1.03	0	1.68	0	1.86	0	1.59	0	1.75	0	2.01	0	1.90
	KKRT16	0.01	0.33	0.01	0.14	0.47	0.13	0.21	0.12	0.40	0.22	0.28	0.39	0.89	0.23	0.33	0.20	0.93	0.22	0.63	0.20	1.17
	PRTY19-L	0.01	0.23	0.01	0.05	0.28	0.03	24.00	1.24	15.04	0.03	24.17	1.30	15.14	0.03	24.30	1.19	15.38	0.03	24.48	1.23	15.79
	PRTY19-F	0.01	0.23	0.01	0.10	0.33	0.04	3.09	1.81	3.18	0.03	3.35	1.73	3.51	0.02	4.16	1.82	3.56	0.03	4.74	2.01	4.12
	PRTY20	0.01	0.56	0.01	0.05	0.62	0.21	0.40	0.18	0.62	0.37	0.43	0.55	0.98	0.37	0.51	0.71	1.19	0.39	0.76	0.72	1.59
	CM20	0.01	0.31	0.01	0.05	0.37	0.02	0.47	0.02	0.65	0.20	0.59	0.02	0.93	0.03	0.64	0.01	0.94	0.02	0.84	0.19	1.12
	GMR21	0.02	2.16	0.02	1.40	3.60	0.63	1.21	0.47	1.19	1.13	2.10	0.87	1.32	1.12	2.20	0.88	2.38	0.97	3.95	0.90	3.85
	SM-PSI (proposed)	0	0.0001	0	0.13	0.13	0	0.03	0	0.05	0	0.25	0	0.27	0	0.25	0	0.27	0	1.52	0	0.97
$2^{16}$	RA17	0	2.29	0	3.01	5.31	0	22.11	0	5.91	0	22.88	0	6.95	0	22.35	0	6.94	0	24.86	0	9.68
	KKRT16	0.01	5.31	0.01	2.16	7.48	0.13	1.63	0.12	1.98	0.21	1.61	0.22	2.82	0.21	1.85	0.20	3.27	0.21	7.08	0.20	8.12
	PRTY19-F	0.01	3.76	0.01	1.45	5.22	0.05	42.61	1.53	21.04	0.04	44.52	1.63	21.22	0.05	46.98	1.82	26.01	0.03	47.92	1.89	26.50
	PRTY20	0.01	8.82	0.01	0.72	9.55	0.21	2.21	0.39	2.81	0.37	2.66	0.71	4.00	0.37	3.62	0.72	4.53	0.56	10.54	0.55	11.15
	CM20	0.01	4.99	0.01	0.73	5.73	0.02	5.52	0.01	3.54	0.02	6.36	0.03	4.95	0.03	7.71	0.01	4.60	0.02	10.24	0.01	9.11
	GMR21	0.02	39.65	0.02	27.39	67.07	0.54	10.88	0.57	8.74	0.94	13.09	1.05	11.37	0.95	16.97	0.87	13.25	1.15	62.87	0.90	60.70
	SM-PSI (proposed)	0	0.0001	0	2.00	2.00	0	0.83	0	0.28	0	0.97	0	0.60	0	1.12	0	0.71	0	2.77	0	2.97
$2^{20}$	RA17	0	36.70	0	50.33	87.03	0	329.4	0	75.16	0	339.3	0	78.72	0	349.3	0	79.72	0	380.1	0	118.5
	KKRT16	0.01	86.51	0.01	40.89	127.4	0.13	20.25	0.15	18.24	0.22	23.73	0.21	22.05	0.21	27.33	0.20	26.44	0.21	84.55	0.19	82.64
	PRTY19-F	0.01	61.26	0.01	27.27	88.54	0.17	655.8	3.84	244.6	0.39	667.0	4.03	240.3	0.37	715.1	4.11	306.4	0.36	727.8	5.48	317.1
	PRTY20	0.01	145.3	0.01	13.63	159.0	0.21	37.74	0.50	33.40	0.39	44.17	0.72	37.43	0.38	48.99	0.72	45.22	0.41	159.8	0.87	157.4
	CM20	0.01	81.40	0.01	13.64	95.04	0.13	125.4	0.10	50.02	0.02	133.6	0.19	51.76	0.03	136.0	0.19	54.56	0.02	198.2	0.01	123.6
	GMR21	0.02	717.6	0.02	521.0	1239	0.65	205.7	0.51	136.4	1.12	228.9	0.87	160.7	1.12	277.1	0.87	213.1	–		0.91	1073
	SM-PSI (proposed)	0	0.0001	0	32.00	32.00	0	10.08	0	6.27	0	11.07	0	6.78	0	16.31	0	10.15	0	39.76	0	31.03

Table 4. Performance Test Results of PSI Protocol under the Condition of $n_1=n_2$.

n	Protocol	Comm. (MB)				Total	Running Time (s)
		R		S			10 Gbps				1 Gbps				100 Mbps				10 Mbps
		Setup	Online	Setup	Online		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread
							Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online
$2^{12}$	RA17	0	0.14	0	0.19	0.33	0	1.55	0	1.03	0	1.68	0	1.86	0	1.59	0	1.75	0	2.01	0	1.90
	KKRT16	0.01	0.33	0.01	0.14	0.47	0.13	0.21	0.12	0.40	0.22	0.28	0.39	0.89	0.23	0.33	0.20	0.93	0.22	0.63	0.20	1.17
	PRTY19-L	0.01	0.23	0.01	0.05	0.28	0.03	24.00	1.24	15.04	0.03	24.17	1.30	15.14	0.03	24.30	1.19	15.38	0.03	24.48	1.23	15.79
	PRTY19-F	0.01	0.23	0.01	0.10	0.33	0.04	3.09	1.81	3.18	0.03	3.35	1.73	3.51	0.02	4.16	1.82	3.56	0.03	4.74	2.01	4.12
	PRTY20	0.01	0.56	0.01	0.05	0.62	0.21	0.40	0.18	0.62	0.37	0.43	0.55	0.98	0.37	0.51	0.71	1.19	0.39	0.76	0.72	1.59
	CM20	0.01	0.31	0.01	0.05	0.37	0.02	0.47	0.02	0.65	0.20	0.59	0.02	0.93	0.03	0.64	0.01	0.94	0.02	0.84	0.19	1.12
	GMR21	0.02	2.16	0.02	1.40	3.60	0.63	1.21	0.47	1.19	1.13	2.10	0.87	1.32	1.12	2.20	0.88	2.38	0.97	3.95	0.90	3.85
	SM-PSI (proposed)	0	0.0001	0	0.13	0.13	0	0.03	0	0.05	0	0.25	0	0.27	0	0.25	0	0.27	0	1.52	0	0.97
$2^{16}$	RA17	0	2.29	0	3.01	5.31	0	22.11	0	5.91	0	22.88	0	6.95	0	22.35	0	6.94	0	24.86	0	9.68
	KKRT16	0.01	5.31	0.01	2.16	7.48	0.13	1.63	0.12	1.98	0.21	1.61	0.22	2.82	0.21	1.85	0.20	3.27	0.21	7.08	0.20	8.12
	PRTY19-F	0.01	3.76	0.01	1.45	5.22	0.05	42.61	1.53	21.04	0.04	44.52	1.63	21.22	0.05	46.98	1.82	26.01	0.03	47.92	1.89	26.50
	PRTY20	0.01	8.82	0.01	0.72	9.55	0.21	2.21	0.39	2.81	0.37	2.66	0.71	4.00	0.37	3.62	0.72	4.53	0.56	10.54	0.55	11.15
	CM20	0.01	4.99	0.01	0.73	5.73	0.02	5.52	0.01	3.54	0.02	6.36	0.03	4.95	0.03	7.71	0.01	4.60	0.02	10.24	0.01	9.11
	GMR21	0.02	39.65	0.02	27.39	67.07	0.54	10.88	0.57	8.74	0.94	13.09	1.05	11.37	0.95	16.97	0.87	13.25	1.15	62.87	0.90	60.70
	SM-PSI (proposed)	0	0.0001	0	2.00	2.00	0	0.83	0	0.28	0	0.97	0	0.60	0	1.12	0	0.71	0	2.77	0	2.97
$2^{20}$	RA17	0	36.70	0	50.33	87.03	0	329.4	0	75.16	0	339.3	0	78.72	0	349.3	0	79.72	0	380.1	0	118.5
	KKRT16	0.01	86.51	0.01	40.89	127.4	0.13	20.25	0.15	18.24	0.22	23.73	0.21	22.05	0.21	27.33	0.20	26.44	0.21	84.55	0.19	82.64
	PRTY19-F	0.01	61.26	0.01	27.27	88.54	0.17	655.8	3.84	244.6	0.39	667.0	4.03	240.3	0.37	715.1	4.11	306.4	0.36	727.8	5.48	317.1
	PRTY20	0.01	145.3	0.01	13.63	159.0	0.21	37.74	0.50	33.40	0.39	44.17	0.72	37.43	0.38	48.99	0.72	45.22	0.41	159.8	0.87	157.4
	CM20	0.01	81.40	0.01	13.64	95.04	0.13	125.4	0.10	50.02	0.02	133.6	0.19	51.76	0.03	136.0	0.19	54.56	0.02	198.2	0.01	123.6
	GMR21	0.02	717.6	0.02	521.0	1239	0.65	205.7	0.51	136.4	1.12	228.9	0.87	160.7	1.12	277.1	0.87	213.1	–		0.91	1073
	SM-PSI (proposed)	0	0.0001	0	32.00	32.00	0	10.08	0	6.27	0	11.07	0	6.78	0	16.31	0	10.15	0	39.76	0	31.03

The proposed SM-PSI protocol exhibits favorable responsiveness to multi-threaded parallelization. Under the conditions of $n=2^{20}$ and a 10 Gbps network bandwidth, switching the proposed SM-PSI protocol from single-threaded execution (10.08 s) to multi-threaded execution (6.27 s) delivers a $37.8\%$ performance improvement. Unlike single-point OPRF-based schemes (e.g., KKRT16), which incur negative returns from parallelization on small-scale datasets, the proposed SM-PSI protocol can derive performance benefits from parallelization across all tested scales.

In the unequal-size dataset scenario ($n_1=2^{10}$, $n_2=2^{20}$), the proposed SM-PSI protocol demonstrates notable performance advantages, especially in high-bandwidth network environments.

Comparison of Communication Overhead for Unequal-Size Datasets: The total communication volume of the proposed SM-PSI protocol is 32 MB, attaining a moderate ranking among all evaluated protocols. Compared with the GMR21 protocol (1087 MB), the scheme with the highest communication overhead among the evaluated protocols, the communication volume of the proposed SM-PSI protocol is reduced by $97.1\%$; relative to the KKRT16 protocol (37.84 MB), the communication volume of the proposed SM-PSI protocol is reduced by $15.4\%$. However, the communication volume of the proposed SM-PSI protocol is higher than that of other multi-point OPRF-based protocols including PRTY20 (12.75 MB), CM20 (12.68 MB), and PRTY19-L (12.65 MB), with an increase of approximately 151–$153\%$. This increase in communication overhead is primarily attributed to the higher ciphertext expansion rate of the SM2/SM3 cryptographic algorithms relative to other lightweight cryptographic primitives.

Comparison of Performance for Unequal-Size Datasets in LAN Environment: In the LAN environment (10 Gbps, RTT: 0.02 ms), the proposed SM-PSI protocol delivers the optimal operational efficiency. Under the single-threaded configuration, the online phase of the proposed SM-PSI protocol merely requires 0.74 s: compared with the PRTY20 protocol (6.03 s), the sub-optimal scheme among the evaluated protocols, the proposed SM-PSI protocol attains an 8.1-fold speedup ratio, reducing the running time by $87.7\%$; relative to the blinded OPRF-based RA17 protocol (109 s), the proposed SM-PSI protocol attains a 147.3-fold speedup ratio, reducing the running time by $99.3\%$; relative to the mqRPMT-based GMR21 protocol (129.64 s), the proposed SM-PSI protocol attains a 175.2-fold speedup ratio. Under the multi-threaded configuration $(T=7)$, the running time of the online phase of the proposed SM-PSI protocol is further reduced to 0.35 s: the speedup relative to PRTY20 (4.41 s) rises to 12.5-fold, and the speedup relative to GMR21 reaches 295.0-fold.

Table 5. Performance Test Results under the Condition of Unequal $n_1$ and $n_2$.

${\mathit{n}}_1$	${\mathit{n}}_2$	Protocol	Comm. (MB)				Total	Running Time (s)
			R		S			10 Gbps				1 Gbps				100 Mbps				10 Mbps
			Setup	Online	Setup	Online		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread
								Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online
$2^{10}$	$2^{20}$	RA17	0	0.04	0	12.62	12.65	0	7.86	0	23.77	0	8.90	0	24.44	0	10.14	0	24.16	0	34.18	0	31.92
		KKRT16	0.01	0.09	0.01	37.75	37.84	0.30	7.86	0.22	8.09	0.21	8.90	0.37	8.59	0.21	10.14	0.22	9.59	0.39	34.18	0.39	34.38
		PRTY19-L	0.01	0.06	0.01	12.59	12.65	0.12	832.9	0.02	177.9	0.09	868.3	0.20	182.8	0.03	843.0	0.01	162.8	0.07	850.5	0.02	170.5
		PRTY19-F	0.01	0.06	0.01	25.17	25.24	0.02	335.4	0.12	126.3	0.03	343.1	0.20	124.2	0.03	337.2	0.02	123.7	0.03	350.1	0.19	134.5
		PRTY20	0.01	0.15	0.01	12.58	12.75	0.35	5.68	0.39	4.02	0.38	5.91	0.71	4.99	0.37	6.15	0.72	5.75	0.49	17.19	0.72	14.49
		CM20	0.01	0.08	0.01	12.59	12.68	0.09	28.19	0.01	15.25	0.04	30.21	0.02	15.96	0.06	35.05	0.19	17.36	0.03	38.85	0.02	25.22
		GMR21	0.01	566	0.02	520.96	1087	0.09	129.1	0.47	103.8	0.94	151.0	0.90	126.8	1.12	193.3	0.88	163.2	–		0.92	919.8
		SM-PSI	0	0.0001	0	32.00	32.00	0	0.74	0	0.35	0	1.42	0	1.03	0	4.00	0	3.60	0	28.29	0	27.88

Table 5. Performance Test Results under the Condition of Unequal $n_1$ and $n_2$.

${\mathit{n}}_1$	${\mathit{n}}_2$	Protocol	Comm. (MB)				Total	Running Time (s)
			R		S			10 Gbps				1 Gbps				100 Mbps				10 Mbps
			Setup	Online	Setup	Online		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread		Single-Thread		Multi-Thread
								Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online	Setup	Online
$2^{10}$	$2^{20}$	RA17	0	0.04	0	12.62	12.65	0	7.86	0	23.77	0	8.90	0	24.44	0	10.14	0	24.16	0	34.18	0	31.92
		KKRT16	0.01	0.09	0.01	37.75	37.84	0.30	7.86	0.22	8.09	0.21	8.90	0.37	8.59	0.21	10.14	0.22	9.59	0.39	34.18	0.39	34.38
		PRTY19-L	0.01	0.06	0.01	12.59	12.65	0.12	832.9	0.02	177.9	0.09	868.3	0.20	182.8	0.03	843.0	0.01	162.8	0.07	850.5	0.02	170.5
		PRTY19-F	0.01	0.06	0.01	25.17	25.24	0.02	335.4	0.12	126.3	0.03	343.1	0.20	124.2	0.03	337.2	0.02	123.7	0.03	350.1	0.19	134.5
		PRTY20	0.01	0.15	0.01	12.58	12.75	0.35	5.68	0.39	4.02	0.38	5.91	0.71	4.99	0.37	6.15	0.72	5.75	0.49	17.19	0.72	14.49
		CM20	0.01	0.08	0.01	12.59	12.68	0.09	28.19	0.01	15.25	0.04	30.21	0.02	15.96	0.06	35.05	0.19	17.36	0.03	38.85	0.02	25.22
		GMR21	0.01	566	0.02	520.96	1087	0.09	129.1	0.47	103.8	0.94	151.0	0.90	126.8	1.12	193.3	0.88	163.2	–		0.92	919.8
		SM-PSI	0	0.0001	0	32.00	32.00	0	0.74	0	0.35	0	1.42	0	1.03	0	4.00	0	3.60	0	28.29	0	27.88

Comparison of Performance for Unequal-Size Datasets in WAN Environment: In the WAN deployment environment, the proposed SM-PSI protocol also retains leading operational performance. Under the condition of 1 Gbps bandwidth, the single-threaded running time of the online phase of the proposed SM-PSI protocol is 1.42 s: the proposed SM-PSI protocol attains a 4.4-fold speedup ratio relative to PRTY20 (6.29 s), and a 78.5-fold speedup ratio relative to RA17 (111.4 s); under the multi-threaded configuration, the running time of the online phase of the proposed SM-PSI protocol is reduced to 1.03 s, with a speedup of 5.5-fold relative to PRTY20. Under the condition of 100 Mbps bandwidth, the single-threaded running time of the online phase of the proposed SM-PSI protocol is 4.0 s, still retaining a 1.6-fold performance advantage relative to PRTY20 (6.52 s). The performance advantage of the proposed SM-PSI protocol gradually diminishes as bandwidth decreases. In the low-bandwidth environment of 10 Mbps, attributed to the higher communication volume of the proposed SM-PSI protocol (32 MB) relative to that of PRTY20 (12.75 MB), communication transmission emerges as a performance bottleneck, leading to the running time of the online phase of the proposed SM-PSI protocol (28.29 s) being marginally higher than that of PRTY20 (17.68 s). This phenomenon suggests that the proposed SM-PSI protocol is more suitable for deployment in medium-to-high bandwidth network environments.

Comprehensive analysis of all evaluated metrics reveals that the proposed SM-PSI protocol demonstrates outstanding operational performance in medium-to-high bandwidth network deployment environments. Across the network environments ranging from LAN to 1 Gbps WAN, the average speedups attained by the proposed SM-PSI protocol relative to each benchmark protocol are as follows: RA17 (58.6-fold), KKRT16 (9.1-fold), PRTY19-L (445.7-fold), PRTY19-F (215.3-fold), PRTY20 (5.7-fold), CM20 (22.0-fold), and GMR21 (132.6-fold). The proposed SM-PSI protocol delivers an order-of-magnitude improvement in operational computational efficiency at the expense of a moderate incremental communication overhead, and thus exhibits notable application advantages in scenarios equipped with sufficient bandwidth resources.

Table 6. Comparison of Performance Speedup of SM2-OT-PSI Relative to Other Protocols ($n=2^{20}$, LAN Environment).

Protocol	Protocol Type	Running Time (s)	Speedup
PRTY19-F	Multi-point OPRF	248.44	39.6×
GMR21	mqRPMT	136.91	21.8×
RA17	Blinded OPRF	75.16	12.0×
CM20	Multi-point OPRF	50.12	8.0×
PRTY20	Multi-point OPRF	33.9	5.4×
KKRT16	Single-point OPRF	18.39	2.9×
SM-PSI	Proposed	6.27	1.0× (Baseline)

Table 6. Comparison of Performance Speedup of SM2-OT-PSI Relative to Other Protocols ($n=2^{20}$, LAN Environment).

Protocol	Protocol Type	Running Time (s)	Speedup
PRTY19-F	Multi-point OPRF	248.44	39.6×
GMR21	mqRPMT	136.91	21.8×
RA17	Blinded OPRF	75.16	12.0×
CM20	Multi-point OPRF	50.12	8.0×
PRTY20	Multi-point OPRF	33.9	5.4×
KKRT16	Single-point OPRF	18.39	2.9×
SM-PSI	Proposed	6.27	1.0× (Baseline)

6. Conclusions

This paper proposes an efficient, practical PSI protocol based on the National Commercial Cryptography Standard of China (SM2), named SM2-OT-PSI. This scheme mitigates the limitations of existing PSI protocols that rely on RSA or standard elliptic curve cryptography, especially in scenarios requiring compliance with China’s national cryptographic specifications and high-performance processing of large-scale datasets. Through the construction of an OPRF built upon OT leveraging SM2 public-key cryptography and the SM3 hash function, the proposed protocol enables efficient multi-point OPRF evaluation under the semi-honest adversary model. Formal security analysis verifies that, under the intractability assumption of the ECDLP and the cryptographic security assumption of SM3, the protocol ensures the correctness and privacy properties. To further enhance practical operational performance, a software–hardware co-design architecture is incorporated into the protocol design, which employs domestically developed reconfigurable cryptographic accelerators to offload computationally intensive SM2 and SM3 cryptographic operations. Experimental assessments conducted in LAN and WAN environments show that, relative to several representative PSI schemes, the proposed SM2-OT-PSI protocol delivers notable performance enhancements in both execution time and scalability when handling million-scale datasets. These experimental results demonstrate that this protocol is highly suitable for deployment in medium-to-high bandwidth network environments. This work verifies that high-performance PSI can be efficiently realized under national cryptographic standards via meticulous protocol design and system-level optimization. Future research efforts will focus on extending the proposed scheme to support stronger adversary models (e.g., the malicious security model), and investigating additional optimizations for heterogeneous computing platforms and an expanded range of privacy-preserving data analysis applications.