In the naive private set intersection (NPSI) [1], both parties agree on a non-cryptographic hash function, apply it to their inputs and then compare the resulting hashes. It is the most commonly used protocol due to its efficiency and ease for implementation, but it is insecure. The protocol has a major security flaw if the elements are taken from a small domain or a domain that does not have high entropy. In that case, P2 (the receiver) can recover all elements in the set of P1 (the sender) by running a brute force attack.
In the protocol, P2 samples a random 32 bytes salt K and sends it to P1. Both parties then use a non-cryptographic hash function (MetroHash) to hash their input identifiers seeded with K. P1 sends the hash values Hx to P2, who computes the intersection of both hashed identifiers.
Sender (P1) Receiver (P2)
X Y
receive K <------------------------------ generate K (32 bytes)
mh(K,X) -> H_X ------------------------------> intersect(H_X, mh(K,Y) -> H_Y))
mh(K,I): Metro hash of input I seeded with K
[1] B. Pinkas, T. Schneider, G. Segev, M. Zohner. Phasing: Private Set Intersection using Permutation-based Hashing. USENIX Security 2015. Full version available at http://eprint.iacr.org/2015/634.