In 5G networks, plaintext sharing of device identifiers (e.g., IMEI) with operators enables long-term tracking and cross-session linkage, severely compromising user privacy—yet existing Equipment Identity Register (EIR) mechanisms mandate identifier exposure for blacklist/graylist verification. To address this, we propose PEPSI, the first Private Set Membership (PSM) protocol enabling *controllable de-anonymization*, built upon a BFV homomorphic encryption adaptation. PEPSI allows operators to verify device identity validity without decryption, while authorized law enforcement agencies can selectively de-anonymize devices under strict policy control—reconciling strong privacy guarantees with regulatory accountability. Evaluation shows online verification completes in under 5 seconds, with per-transaction communication overhead of 15–16 MB; the scheme satisfies post-quantum security requirements. PEPSI provides a scalable, privacy-enhancing architectural foundation for device authentication in 6G systems.

Device identifiers like the International Mobile Equipment Identity (IMEI) are crucial for ensuring device integrity and meeting regulations in 4G and 5G networks. However, sharing these identifiers with Mobile Network Operators (MNOs) brings significant privacy risks by enabling long-term tracking and linking of user activities across sessions. In this work, we propose a privacy-preserving identifier checking method in 5G. This paper introduces a protocol for verifying device identifiers without exposing them to the network while maintaining the same functions as the 3GPP-defined Equipment Identity Register (EIR) process. The proposed solution modifies the PEPSI protocol for a Private Set Membership (PSM) setting using the BFV homomorphic encryption scheme. This lets User Equipment (UE) prove that its identifier is not on an operator's blacklist or greylist while ensuring that the MNO only learns the outcome of the verification. The protocol allows controlled deanonymization through an authorized Law Enforcement (LE) hook, striking a balance between privacy and accountability. Implementation results show that the system can perform online verification within five seconds and requires about 15 to 16 MB of communication per session. This confirms its practical use under post-quantum security standards. The findings highlight the promise of homomorphic encryption for managing identifiers while preserving privacy in 5G, laying the groundwork for scalable and compliant verification systems in future 6G networks.