defense 2026

Efficient Privacy-Preserving Retrieval Augmented Generation with Distance-Preserving Encryption

Huanyi Ye , Jiale Guo , Ziyao Liu , Kwok-Yan Lam

0 citations · 27 references · FLLM

Published on arXiv: 2601.12331

Model Inversion Attack (OWASP ML Top 10 — ML03)

Sensitive Information Disclosure (OWASP LLM Top 10 — LLM06)

Key Finding

ppRAG defends against vector-to-text reconstruction, vector analysis, and query analysis attacks while maintaining efficient retrieval throughput and high accuracy in untrusted cloud RAG deployments.

Novel technique introduced: CAPRISE (Conditional Approximate Distance-Comparison-Preserving Symmetric Encryption)


RAG has emerged as a key technique for enhancing the response quality of LLMs without high computational cost. In traditional architectures, RAG services are provided by a single entity that hosts the dataset within a trusted local environment. However, individuals and small organizations often lack the resources to maintain data storage servers, leading them to rely on outsourced cloud storage. This dependence on untrusted third-party services introduces privacy risks. Embedding-based retrieval mechanisms, commonly used in RAG systems, are vulnerable to privacy leakage such as vector-to-text reconstruction attacks and structural leakage via vector analysis. Several privacy-preserving RAG techniques have been proposed, but most existing approaches rely on partially homomorphic encryption, which incurs substantial computational overhead. To address these challenges, we propose an efficient privacy-preserving RAG framework (ppRAG) tailored for untrusted cloud environments that defends against vector-to-text attacks, vector analysis, and query analysis. We propose Conditional Approximate Distance-Comparison-Preserving Symmetric Encryption (CAPRISE), which encrypts embeddings while still allowing the cloud to compute similarity between an encrypted query and the encrypted database embeddings. CAPRISE preserves only the relative distance ordering between the encrypted query and each encrypted database embedding, without exposing inter-database distances, thereby enhancing both privacy and efficiency. To mitigate query analysis, we introduce differential privacy (DP) by perturbing the query embedding prior to encryption, preventing the cloud from inferring sensitive patterns. Experimental results show that ppRAG achieves efficient processing throughput, high retrieval accuracy, and strong privacy guarantees, making it a practical solution for resource-constrained users seeking secure cloud-augmented LLMs.


Key Contributions

  • CAPRISE: a symmetric encryption scheme that enables top-k similarity search over encrypted embeddings while hiding inter-vector distances and preventing vector-to-text reconstruction
  • ppRAG: an end-to-end privacy-preserving RAG framework for untrusted cloud environments combining CAPRISE with differentially private query perturbation (DistanceDP)
  • Formal privacy analysis and empirical evaluation showing practical throughput, high retrieval accuracy, and resistance to vector-to-text, vector analysis, and query analysis attacks

🛡️ Threat Analysis

Model Inversion Attack

The paper's primary adversarial threat is the vector-to-text reconstruction attack, where an untrusted cloud server reconstructs private text from stored embedding vectors — a concrete embedding inversion attack. CAPRISE is designed to defeat this attack by encrypting embeddings while preserving only the relative distance ordering between an encrypted query and each encrypted database embedding, preventing the adversary from recovering the original text or exploiting inter-vector structure.


Details

Domains: nlp
Model Types: llm, transformer
Threat Tags: black_box, inference_time
Applications: rag systems, cloud-hosted llm knowledge bases, private document retrieval